CLFS Hardening

[varwar]

Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when logfiles have been modified by anything other than the CLFS driver itself. This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the logfile.

To disable the mitigation, an Administrator can run the following powershell command:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\CLFS\Authentication” -Name Mode -Value 2

Source:

Security mitigation for the Common Log Filesystem (CLFS) | Microsoft Community Hub

Announcement of a security mitigation for a critical Windows component. Figure 1: Local group policy editor

techcommunity.microsoft.com