Implemented ISG based Supplemental policy in the AppControl Manager (#…

…520) This is a new type of supplemental policy that doesn't explicitly allow anything, instead it only activates the usage of the ISG, Intelligent Security Graph, on the system so reputable files can be automatically authorized.
HotCakeX · Jan 12, 2025 · 78434ad · 78434ad
1 parent c60910d
commit 78434ad
Show file tree

Hide file tree

Showing 22 changed files with 654 additions and 303 deletions.
diff --git a/AppControl Manager/AppControl Manager.csproj b/AppControl Manager/AppControl Manager.csproj
@@ -214,6 +214,7 @@
     <None Remove="Pages\ViewCurrentPolicies.xaml" />
     <None Remove="Pages\ViewFileCertificates.xaml" />
     <None Remove="Resources\AppControlManagerSupplementalPolicy.xml" />
+    <None Remove="Resources\ISGBasedSupplementalPolicy.xml" />
   </ItemGroup>
   <ItemGroup>
     <Content Include="Assets\SplashScreen.scale-200.png" />
@@ -225,6 +226,9 @@
     <Content Include="Resources\AppControlManagerSupplementalPolicy.xml">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </Content>
+    <Content Include="Resources\ISGBasedSupplementalPolicy.xml">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </Content>
   </ItemGroup>
   <ItemGroup>
     <Manifest Include="$(ApplicationManifest)" />

diff --git a/AppControl Manager/CustomUIElements/MenuFlyoutV2.cs b/AppControl Manager/CustomUIElements/MenuFlyoutV2.cs
@@ -4,7 +4,7 @@
 namespace AppControlManager.CustomUIElements;
 
 /// <summary>
-/// A custom implementation of MenuFlyout that prevents the flyout from automatically closing 
+/// A custom implementation of MenuFlyout that prevents the flyout from automatically closing
 /// when a menu item is selected. This is achieved by tracking pointer interactions on the flyout items.
 /// </summary>
 internal sealed partial class MenuFlyoutV2 : MenuFlyout
@@ -35,7 +35,7 @@ private void MenuFlyoutV2_Opened(object? sender, object e)
 		// Loop through each menu item in the flyout's Items collection
 		foreach (MenuFlyoutItemBase menuItem in Items)
 		{
-			// Ensure existing handlers are removed to avoid multiple attachments 
+			// Ensure existing handlers are removed to avoid multiple attachments
 			// (to prevent duplicate event triggers if the flyout is opened multiple times)
 			menuItem.PointerEntered -= MenuItem_PointerEntered;
 			menuItem.PointerEntered += MenuItem_PointerEntered;

diff --git a/AppControl Manager/CustomUIElements/SigningDetailsDialog.xaml b/AppControl Manager/CustomUIElements/SigningDetailsDialog.xaml
@@ -90,7 +90,7 @@
                 </controls:SettingsCard>
 
                 <controls:SettingsCard Header="Certificate Common Name"
-                 Description="Used during the signing operation"                      
+                 Description="Used during the signing operation"
                  HeaderIcon="{ui:FontIcon Glyph=&#xEA86;}">
 
                     <controls:WrapPanel Orientation="Vertical" HorizontalSpacing="10" VerticalSpacing="10">
@@ -142,7 +142,7 @@
                             <TextBlock x:Name="VerifyButtonContentTextBlock" VerticalAlignment="Center" FontWeight="SemiBold" Text="Verify"/>
                         </StackPanel>
                     </Button.Content>
-                    
+
                 </Button>
 
 

diff --git a/AppControl Manager/CustomUIElements/SigningDetailsDialogForRemoval.xaml b/AppControl Manager/CustomUIElements/SigningDetailsDialogForRemoval.xaml
@@ -90,7 +90,7 @@
                 </controls:SettingsCard>
 
                 <controls:SettingsCard Header="Certificate Common Name"
-                 Description="Used during the signing operation"                      
+                 Description="Used during the signing operation"
                  HeaderIcon="{ui:FontIcon Glyph=&#xEA86;}">
 
                     <controls:WrapPanel Orientation="Vertical" HorizontalSpacing="10" VerticalSpacing="10">
@@ -138,7 +138,7 @@
                     <controls:WrapPanel VerticalSpacing="10" HorizontalSpacing="10" Orientation="Vertical">
 
                         <Button x:Name="XMLPolicyFileBrowseButton" Click="XMLPolicyFileBrowseButton_Click" HorizontalAlignment="Center" Content="Browse"/>
-                      
+
                         <TextBox MaxWidth="700" x:Name="XMLPolicyFileTextBox" PlaceholderText="XML file path" TextWrapping="Wrap"/>
 
                     </controls:WrapPanel>

diff --git a/AppControl Manager/Logic/GlobalVars.cs b/AppControl Manager/Logic/GlobalVars.cs
@@ -49,9 +49,12 @@ internal static class GlobalVars
 	// Name of the special automatic supplemental policy
 	internal const string AppControlManagerSpecialPolicyName = "AppControlManagerSupplementalPolicy";
 
-	// Get the base directory where the app is running
+	// Path to the AppControlManagerSpecialPolicyName.xml file
 	internal static readonly string AppControlManagerSpecialPolicyPath = Path.Combine(AppContext.BaseDirectory, "Resources", $"{AppControlManagerSpecialPolicyName}.xml");
 
+	// Path to the ISGBasedSupplementalPolicy.xml file
+	internal static readonly string ISGOnlySupplementalPolicyPath = Path.Combine(AppContext.BaseDirectory, "Resources", "ISGBasedSupplementalPolicy.xml");
+
 	// Get the current OS version
 	private static readonly Version CurrentOSVersion = Environment.OSVersion.Version;
 

diff --git a/AppControl Manager/Logic/SupplementalForSelf.cs b/AppControl Manager/Logic/SupplementalForSelf.cs
@@ -144,7 +144,7 @@ internal static void DeploySigned(string basePolicyID, string CertPath, string S
 		// Sign the CIP
 		SignToolHelper.Sign(new FileInfo(CIPFilePath), new FileInfo(SignToolPath), CertCN);
 
-		// Rename the .p7 signed file to .cip 
+		// Rename the .p7 signed file to .cip
 		File.Move(CIPp7SignedFilePath, CIPFilePath, true);
 
 		// Deploy the signed CIP file

diff --git a/AppControl Manager/Logic/Types And Definitions/CodeIntegrityPolicy.cs b/AppControl Manager/Logic/Types And Definitions/CodeIntegrityPolicy.cs
@@ -223,16 +223,5 @@ internal CodeIntegrityPolicy(string? xmlFilePath, XmlDocument? xmlDocument)
 
 		#endregion
 
-
-		// TODO: The TESTCiPolicy must accept XML Document
-		/*
-
-            // Validate the XML file at the end
-            if (!(bool)CiPolicyTest.TestCiPolicy(filePath, null)!)
-            {
-                throw new InvalidOperationException("The XML file created at the end is not compliant with the CI policy schema");
-            }
-            */
-
 	}
 }
diff --git a/AppControl Manager/MainWindow.xaml b/AppControl Manager/MainWindow.xaml
@@ -10,7 +10,7 @@
     xmlns:controls="using:CommunityToolkit.WinUI.Controls"
     xmlns:tk7controls="using:CommunityToolkit.WinUI.UI.Controls"
     xmlns:animations="using:CommunityToolkit.WinUI.Animations"
-    xmlns:AnimatedVisuals="using:Microsoft.UI.Xaml.Controls.AnimatedVisuals"    
+    xmlns:AnimatedVisuals="using:Microsoft.UI.Xaml.Controls.AnimatedVisuals"
     mc:Ignorable="d"
     xmlns:animatedvisuals="using:AnimatedVisuals"
     Title="AppControl Manager">
@@ -108,23 +108,23 @@
            Margin="8,0,4,0"/>
 
             <!-- App title bar -->
-            <TextBlock x:Name="TitleBarTextBlock"                       
+            <TextBlock x:Name="TitleBarTextBlock"
                        Style="{StaticResource CaptionTextBlockStyle}"
                        Grid.Column="4"
                        VerticalAlignment="Center" />
 
             <!-- Main search area at the top -->
-            <AutoSuggestBox x:Name="TitleBarSearchBox" 
-                            Grid.Column="6" 
-                            QueryIcon="Find"                        
+            <AutoSuggestBox x:Name="TitleBarSearchBox"
+                            Grid.Column="6"
+                            QueryIcon="Find"
                             VerticalAlignment="Center"
                             MaxWidth="600" TextChanged="SearchBox_TextChanged"
                             SuggestionChosen="SearchBox_SuggestionChosen"
                             PlaceholderText="Search menu items..." Margin="0"/>
 
 
             <!-- Sidebar access point -->
-            <Button x:Name="SidebarButton" Click="SidebarButton_Click" Grid.Column="8" 
+            <Button x:Name="SidebarButton" Click="SidebarButton_Click" Grid.Column="8"
                     Height="32" Margin="5,0,30,0">
 
                 <Button.Content>
@@ -149,7 +149,7 @@
                     IsTabStop="True"
                     ItemInvoked="MainNavigation_ItemInvoked"
                     IsBackButtonVisible="Collapsed"
-                    IsBackEnabled="False"                    
+                    IsBackEnabled="False"
                     AlwaysShowHeader="False"
                     Grid.Row="1"
                     IsTitleBarAutoPaddingEnabled="False"
@@ -176,7 +176,7 @@
                         SuggestionChosen="SearchBox_SuggestionChosen"
                         PlaceholderText="Search menu items..."/>
             </NavigationView.AutoSuggestBox>
-            
+
            -->
 
 
@@ -253,7 +253,7 @@
             </NavigationView.FooterMenuItems>
 
             <!-- Split view to create the sidebar -->
-            <SplitView x:Name="MainSidebar" PaneBackground="Transparent" 
+            <SplitView x:Name="MainSidebar" PaneBackground="Transparent"
                  IsPaneOpen="False" OpenPaneLength="256"
                  CompactPaneLength="48" DisplayMode="Inline" PanePlacement="Right">
                 <SplitView.Pane>
@@ -295,8 +295,8 @@
                                         <TextBlock Grid.Row="0" Grid.ColumnSpan="2" Margin="0,0,0,15" TextWrapping="Wrap" Text="Unsigned Base Policy" Style="{ThemeResource BodyStrongTextBlockStyle}" />
 
 
-                                        <TextBox Grid.Row="1" Grid.ColumnSpan="2" Margin="0,0,0,15" IsReadOnly="True"                                                
-                                        x:Name="SidebarBasePolicyPathTextBox" PlaceholderText="Base Policy Path" TextWrapping="Wrap"                                                 
+                                        <TextBox Grid.Row="1" Grid.ColumnSpan="2" Margin="0,0,0,15" IsReadOnly="True"
+                                        x:Name="SidebarBasePolicyPathTextBox" PlaceholderText="Base Policy Path" TextWrapping="Wrap"
                                         Width="150" />
 
                                         <Button Grid.Column="0" Margin="0,0,10,0" Grid.ColumnSpan="1" Grid.Row="2" x:Name="SidebarBasePolicyBrowseButton" Click="SidebarBasePolicyBrowseButton_Click" Content="Browse" Style="{ThemeResource AccentButtonStyle}" />
@@ -323,8 +323,9 @@
                                             <Button.Flyout>
                                                 <Flyout Placement="Bottom">
                                                     <StackPanel Orientation="Vertical" Spacing="10">
-                                                        <Button x:Name="SidebarUnsignedBasePolicyConnect1" Content="Select 1" Visibility="Collapsed" />
-                                                        <Button x:Name="SidebarUnsignedBasePolicyConnect2" Content="Select 2" Visibility="Collapsed" />
+                                                        <Button x:Name="SidebarUnsignedBasePolicyConnect1" HorizontalAlignment="Stretch" Content="Select 1" Visibility="Collapsed" />
+                                                        <Button x:Name="SidebarUnsignedBasePolicyConnect2" HorizontalAlignment="Stretch" Content="Select 2" Visibility="Collapsed" />
+                                                        <Button x:Name="SidebarUnsignedBasePolicyConnect3" HorizontalAlignment="Stretch" Content="Select 3" Visibility="Collapsed" />
                                                     </StackPanel>
                                                 </Flyout>
                                             </Button.Flyout>
@@ -359,10 +360,10 @@
 
                     <!-- BreadCrumBar that that also acts as a sticky header -->
                     <BreadcrumbBar x:Name="BreadcrumbBar" VerticalAlignment="Top"
-                        Grid.Row="0" 
-                        Padding="10" 
+                        Grid.Row="0"
+                        Padding="10"
                         Margin="20,10,0,10"
-                        ItemsSource="{x:Bind Breadcrumbs}" 
+                        ItemsSource="{x:Bind Breadcrumbs}"
                         ItemClicked="BreadcrumbBar_ItemClicked">
 
                         <BreadcrumbBar.ItemTemplate>

diff --git a/AppControl Manager/MainWindow.xaml.cs b/AppControl Manager/MainWindow.xaml.cs
@@ -454,7 +454,7 @@ private static RectInt32 GetRect(Rect bounds, double scale)
 
 
 	/*
-	 
+
 	 This will make keep the title bar text white even on light theme, making it unreadable
 	 It's not even necessary to change the text based on Window being in focus or not
 
@@ -1569,7 +1569,7 @@ private void AffectPagesAnimatedIconsVisibilities(bool on)
 
 		if (ContentFrame.Content is IAnimatedIconsManager currentPage)
 		{
-			currentPage.SetVisibility(visibility, SidebarBasePolicyPathTextBox.Text, SidebarUnsignedBasePolicyConnect1, SidebarUnsignedBasePolicyConnect2);
+			currentPage.SetVisibility(visibility, SidebarBasePolicyPathTextBox.Text, SidebarUnsignedBasePolicyConnect1, SidebarUnsignedBasePolicyConnect2, SidebarUnsignedBasePolicyConnect3);
 
 			// Set the visibility of the AnimatedIcon on Sidebar's Select button for Unsigned policy
 			SidebarBasePolicySelectButtonLightAnimatedIcon.Visibility = visibility;
@@ -1597,16 +1597,22 @@ internal void AffectPagesAnimatedIconsVisibilities(Frame contentFrame)
 		{
 			SidebarUnsignedBasePolicyConnect2.Click -= EventHandlersTracking.SidebarUnsignedBasePolicyConnect2EventHandler;
 		}
+		if (EventHandlersTracking.SidebarUnsignedBasePolicyConnect3EventHandler is not null)
+		{
+			SidebarUnsignedBasePolicyConnect3.Click -= EventHandlersTracking.SidebarUnsignedBasePolicyConnect3EventHandler;
+		}
 
 		// Remove the content of the sidebar buttons
 		SidebarUnsignedBasePolicyConnect1.Content = null;
 		SidebarUnsignedBasePolicyConnect2.Content = null;
+		SidebarUnsignedBasePolicyConnect3.Content = null;
 
 		// Collapse the sidebar buttons
 		// The following actions happen because we don't know the next page user visits implements the interface or not
 		// Not all pages are eligible for this augmentation
 		SidebarUnsignedBasePolicyConnect1.Visibility = Visibility.Collapsed;
 		SidebarUnsignedBasePolicyConnect2.Visibility = Visibility.Collapsed;
+		SidebarUnsignedBasePolicyConnect3.Visibility = Visibility.Collapsed;
 
 		// Check if the currently displayed content (page) in the ContentFrame implements the IAnimatedIconsManager interface.
 		// If it does, cast ContentFrame.Content to IAnimatedIconsManager
@@ -1615,12 +1621,12 @@ internal void AffectPagesAnimatedIconsVisibilities(Frame contentFrame)
 		{
 			if (isUnsignedBasePolicyPathAvailable)
 			{
-				currentPage.SetVisibility(Visibility.Visible, SidebarBasePolicyPathTextBox.Text, SidebarUnsignedBasePolicyConnect1, SidebarUnsignedBasePolicyConnect2);
+				currentPage.SetVisibility(Visibility.Visible, SidebarBasePolicyPathTextBox.Text, SidebarUnsignedBasePolicyConnect1, SidebarUnsignedBasePolicyConnect2, SidebarUnsignedBasePolicyConnect3);
 				SidebarBasePolicySelectButtonLightAnimatedIcon.Visibility = Visibility.Visible;
 			}
 			else
 			{
-				currentPage.SetVisibility(Visibility.Collapsed, SidebarBasePolicyPathTextBox.Text, SidebarUnsignedBasePolicyConnect1, SidebarUnsignedBasePolicyConnect2);
+				currentPage.SetVisibility(Visibility.Collapsed, SidebarBasePolicyPathTextBox.Text, SidebarUnsignedBasePolicyConnect1, SidebarUnsignedBasePolicyConnect2, SidebarUnsignedBasePolicyConnect3);
 				SidebarBasePolicySelectButtonLightAnimatedIcon.Visibility = Visibility.Collapsed;
 			}
 		}

diff --git a/AppControl Manager/Pages/AllowNewApps/AllowNewApps.xaml.cs b/AppControl Manager/Pages/AllowNewApps/AllowNewApps.xaml.cs
@@ -58,7 +58,7 @@ protected override void OnNavigatedFrom(NavigationEventArgs e)
 
 
 	// Implement the SetVisibility method required by IAnimatedIconsManager
-	public void SetVisibility(Visibility visibility, string? unsignedBasePolicyPath, Button button1, Button button2)
+	public void SetVisibility(Visibility visibility, string? unsignedBasePolicyPath, Button button1, Button button2, Button button3)
 	{
 		// Light up the local page's button icons
 		AllowNewAppsStart.Instance.BrowseForXMLPolicyButtonLightAnimatedIconPub.Visibility = visibility;

diff --git a/AppControl Manager/Pages/AllowNewApps/AllowNewAppsStart.xaml.cs b/AppControl Manager/Pages/AllowNewApps/AllowNewAppsStart.xaml.cs
@@ -146,7 +146,7 @@ public AllowNewAppsStart()
 
 
 	// Implement the SetVisibility method required by IAnimatedIconsManager
-	public void SetVisibility(Visibility visibility, string? unsignedBasePolicyPath, Button button1, Button button2)
+	public void SetVisibility(Visibility visibility, string? unsignedBasePolicyPath, Button button1, Button button2, Button button3)
 	{
 		// Light up the local page's button icons
 		BrowseForXMLPolicyButtonLightAnimatedIcon.Visibility = visibility;
@@ -405,7 +405,7 @@ await Task.Run(() =>
 					// Sign the CIP
 					SignToolHelper.Sign(new FileInfo(AuditModeCIP), new FileInfo(_SignToolPath!), _CertCN!);
 
-					// Rename the .p7 signed file to .cip 
+					// Rename the .p7 signed file to .cip
 					File.Move(CIPp7SignedFilePathAudit, AuditModeCIP, true);
 
 
@@ -423,7 +423,7 @@ await Task.Run(() =>
 					// Sign the CIP
 					SignToolHelper.Sign(new FileInfo(tempEnforcedModeCIPPath), new FileInfo(_SignToolPath!), _CertCN!);
 
-					// Rename the .p7 signed file to .cip 
+					// Rename the .p7 signed file to .cip
 					File.Move(CIPp7SignedFilePathEnforced, EnforcedModeCIP, true);
 
 				}
@@ -982,7 +982,7 @@ await Task.Run(() =>
 						// Sign the CIP
 						SignToolHelper.Sign(new FileInfo(CIPPath), new FileInfo(_SignToolPath!), _CertCN!);
 
-						// Rename the .p7 signed file to .cip 
+						// Rename the .p7 signed file to .cip
 						File.Move(CIPp7SignedFilePath, CIPPath, true);
 					}
 

diff --git a/AppControl Manager/Pages/ConfigurePolicyRuleOptions.xaml.cs b/AppControl Manager/Pages/ConfigurePolicyRuleOptions.xaml.cs
@@ -49,7 +49,7 @@ public ConfigurePolicyRuleOptions()
 
 
 	// Implement the SetVisibility method required by IAnimatedIconsManager
-	public void SetVisibility(Visibility visibility, string? unsignedBasePolicyPath, Button button1, Button button2)
+	public void SetVisibility(Visibility visibility, string? unsignedBasePolicyPath, Button button1, Button button2, Button button3)
 	{
 		// Light up the local page's button icons
 		PickPolicyFileButtonAnimatedIconLight.Visibility = visibility;

diff --git a/AppControl Manager/Pages/CreateDenyPolicy.xaml b/AppControl Manager/Pages/CreateDenyPolicy.xaml
@@ -52,7 +52,7 @@
                 <TextBlock
                     TextWrapping="WrapWholeWords"
                     Style="{StaticResource BodyTextBlockStyle}">
-                    
+
                     <Span>
                         Create a <Bold>Deny</Bold> <Underline>base</Underline> policy that will <Run Foreground="{ThemeResource SystemAccentColor}">explicitly deny</Run> files or applications. Keep in mind that Application Control is fundamentally based on allow-listing, which means anything that is not allowed by a policy is <Bold>already automatically denied.</Bold>
                     </Span>
@@ -170,7 +170,7 @@ Header="Policy Name" IsClickEnabled="False" IsActionIconVisible="False">
 
                             <TextBox x:Name="FilesAndFoldersPolicyNameTextBox" TextChanged="FilesAndFoldersPolicyNameTextBox_TextChanged" PlaceholderText="Deny Policy Name"/>
 
-                        </controls:SettingsCard>                       
+                        </controls:SettingsCard>
 
                         <controls:SettingsCard Description="Select the level based on which the detected files will be scanned."
                         Header="Select Scan Level" Click="ScanLevelComboBoxSettingsCard_Click" x:Name="ScanLevelComboBoxSettingsCard" IsClickEnabled="True" IsActionIconVisible="False">