
The hash in the rule is the part of the file that is calculated?

Open L0yy opened this issue 2 years ago • 1 comments

I can't match the vuln-driven file hash to any format hash in the rule, but it's definitely the same file. So I want to know where the hash value in the rule comes from and how it is calculated.



L0yy avatar Sep 07 '22 13:09 L0yy

Hi @L0yy, the hashes in the rules are PE/Authenticode hash rules. More info on these hashes is found here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-hashes

jgeurten avatar Sep 07 '22 20:09 jgeurten

@jgeurten Thank you very much for sharing this explanation. @L0yy Hope this comment is helpful for you. If you see a documentation update is required, please feel free to open an issue for the same. We proceed here to close it. Thanks for taking out some time to open the issue. Appreciate and encourage you to do the same in future also.

yogkumgit avatar Nov 02 '22 10:11 yogkumgit
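
The answer above explains why a plain file hash will not match the rule: a PE/Authenticode hash skips the CheckSum field, the Certificate Table directory entry and the embedded signature. The following Python sketch is an added example, not code from this thread or from Microsoft; it follows the published Authenticode PE image hash procedure and runs it on a constructed, non-loadable sample image. The function names and the sample layout are assumptions made for illustration.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """PE image (Authenticode) digest: skips CheckSum, the Certificate Table
    directory entry and the certificate table (the embedded signature)."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4       # just after "PE\0\0"
    if pe[:2] != b"MZ" or pe[coff - 4:coff] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                        # optional header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64
    cert_entry = opt + (96 if magic == 0x10B else 112) + 4 * 8  # directory 4
    _, cert_size = struct.unpack_from("<II", pe, cert_entry)
    hdr_size, = struct.unpack_from("<I", pe, opt + 60)     # SizeOfHeaders
    h = hashlib.new(algo)
    h.update(pe[:checksum])                                # up to CheckSum
    h.update(pe[checksum + 4:cert_entry])                  # up to cert entry
    h.update(pe[cert_entry + 8:hdr_size])                  # rest of headers
    hashed, table = hdr_size, opt + opt_size
    secs = [struct.unpack_from("<II", pe, table + 40 * i + 16)
            for i in range(n_sections)]                    # (raw size, raw offset)
    for size, ptr in sorted(secs, key=lambda s: s[1]):     # by PointerToRawData
        h.update(pe[ptr:ptr + size])
        hashed += size
    extra = len(pe) - cert_size - hashed                   # trailing non-signature data
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()

def build_sample_pe(signature: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ layout (not loadable), one 0x200-byte section."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<H", img, 0x46, 1)                   # NumberOfSections
    struct.pack_into("<H", img, 0x54, 240)                 # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x20B)               # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 60, 0x200)          # SizeOfHeaders
    struct.pack_into("<I", img, 0x58 + 64, checksum)       # CheckSum
    struct.pack_into("<II", img, 0x58 + 144, 0x400 if signature else 0, len(signature))
    struct.pack_into("<II", img, 0x148 + 16, 0x200, 0x200) # section raw size, offset
    img[0x200:0x400] = b"\x90" * 0x200                     # constructed section bytes
    return bytes(img) + signature
```

Signing or re-signing the constructed image changes its flat SHA-256 but not its Authenticode hash, which is why the two values differ for the same driver file; changing a byte inside a section changes both.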