Applixure User Ideas

Our customers made these suggestions for improving Applixure, add yours too!

"Kernel DMA protection" info in device data?

Hi! There's a thing called a DMA attack available on Windows OS. We can protect against it by using Group Policies and preventing certain types of devices from installing or accessing FireWire/Thunderbolt ports. Here are 2 links about this case:

https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

https://support.microsoft.com/en-us/topic/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-dma-and-thunderbolt-dma-threats-to-bitlocker-bf0ef10b-f563-5cfc-9740-8340b1d86a0c

The first sentence of the latter link, however, states that:

"For Windows version 1803 and later versions, if your platform supports the new Kernel DMA Protection feature, we recommend that you leverage that feature to mitigate Thunderbolt DMA attacks."


The info about the OS supporting Kernel DMA Protection can be found as easily as running System Information; on the System Summary page there's a flag for Kernel DMA Protection (On | Off).


This would help to see the status of the DMA Protection and could help to either evaluate the need for Group Policy or make a decision on whether a device can be excluded from the Group Policy made for restricting DMA.

  • Guest
  • Jan 17 2022
  • Shipped
  • Admin
    Kalle Saunamäki commented
    27 Jan 06:59am

    This is now available in the agent's security state data in the new WindowsSecurity subobject, along with a number of other new attributes related to Windows-specific security features (App Control, App Guard, Memory Integrity etc.)

  • Admin
    Kalle Saunamäki commented
    18 Jan 02:41pm

    Thanks, that looks like the one that would be needed. The PowerShell script referenced contains the actual API call.

  • Guest commented
    18 Jan 02:11pm

    Hi!


    You mean like this? There's at least a PowerShell way to check it.


    https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6878

  • Admin
    Kalle Saunamäki commented
    18 Jan 11:31am

    Thank you for the suggestion.

    While the information can be found from the msinfo32 application for human consumption, in order to include this datapoint in Applixure device data we would need to find a programmatic interface (API, WMI etc.) where Applixure could read that information. If such a location is available, then having the information in the data could be added.
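
An added example (not code from this thread, from Applixure, or copied from the linked issue) of reading the Kernel DMA Protection state programmatically instead of from msinfo32: it calls the native `NtQuerySystemInformation` function and reports a failed query as "Unknown" rather than "Off". The information class number 202 (`SystemDmaGuardPolicyInformation`) and its one-byte result are assumptions taken from public NT header listings; the names `DmaGuard.Native` and `Get-KernelDmaProtection` are made up for the example.

```powershell
# Added example: read the Kernel DMA Protection state without parsing msinfo32 output.
# Assumption: information class 202 (SystemDmaGuardPolicyInformation) returns a
# single BOOLEAN, as shown in public NT header listings.
$source = @'
using System;
using System.Runtime.InteropServices;

namespace DmaGuard   // hypothetical namespace for this example
{
    public static class Native
    {
        private const int SystemDmaGuardPolicyInformation = 202;

        [DllImport("ntdll.dll")]
        private static extern int NtQuerySystemInformation(
            int SystemInformationClass, IntPtr SystemInformation,
            int SystemInformationLength, out int ReturnLength);

        // Returns the NTSTATUS; 'enabled' is only meaningful when it is 0.
        public static int Query(out bool enabled)
        {
            enabled = false;
            IntPtr buffer = Marshal.AllocHGlobal(1);
            try
            {
                int returned;
                int status = NtQuerySystemInformation(
                    SystemDmaGuardPolicyInformation, buffer, 1, out returned);
                if (status == 0) { enabled = Marshal.ReadByte(buffer) != 0; }
                return status;
            }
            finally { Marshal.FreeHGlobal(buffer); }
        }
    }
}
'@
Add-Type -TypeDefinition $source

function Get-KernelDmaProtection {
    $enabled = $false
    $status = [DmaGuard.Native]::Query([ref]$enabled)
    if ($status -ne 0) {
        # A build that does not know this class fails the call: report Unknown, not Off.
        return [pscustomobject]@{ State = 'Unknown'; NtStatus = ('0x{0:X8}' -f $status) }
    }
    [pscustomobject]@{ State = $(if ($enabled) { 'On' } else { 'Off' }); NtStatus = '0x00000000' }
}

Get-KernelDmaProtection
```

Keeping "Unknown" separate from "Off" matters for the Group Policy decision discussed in the original post: a device whose state could not be read should not be treated as confirmed unprotected or be excluded from the DMA restriction policy.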