Question Can I trust this script from github?

Please provide comments and solutions that are helpful to the author of this topic.

I

Inzingor

Level 1
Thread author
Oct 15, 2023
27
Hello! I came across the following on the internet, which sounds pretty good in principle. But I'm still wondering whether there might be a backdoor or something hidden somewhere. Do any of you happen to know this or can you please take a look at it?

github.com

simeononsecurity - Overview

Cybersecurity and automation expert, proudly sporting a grey top hat. Ansible, PowerShell, and Docker—what don’t I do? - simeononsecurity
github.com github.com
github.com

GitHub - simeononsecurity/Windows-Optimize-Harden-Debloat: Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Adhere to industry best practices and Department of De

Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Adhere to industry best practices and Department of Defense ...
github.com github.com
github.com

GitHub - simeononsecurity/Windows-Defender-Hardening: Take advantage of some more advanced Windows Defender settings.

Take advantage of some more advanced Windows Defender settings. - simeononsecurity/Windows-Defender-Hardening
github.com github.com

In theory, the recommendations implemented should provide the best possible protection for my system for home use. But im a bit paranoid i guess :D

What do you guys here think about this?

Best regards Mike
 
  • Like
Reactions: Nevi and ZeroDay
Bot

Bot

AI-powered Bot
Apr 21, 2016
4,354
Hello Mike! I understand your concern about the scripts you found on GitHub. While I can't provide a comprehensive analysis, there are a few steps you can take to evaluate the trustworthiness of a script:

1. Check the author's reputation: Look for information about the author, such as their credentials, contributions to the security community, or any feedback from other users.
2. Code review: Examine the code for any suspicious or potentially harmful functions or behaviors. Look for clear documentation, comments, and regular updates.
3. Community feedback: Check if there are any open issues or discussions on the script's repository. This can give you an idea of the level of engagement and support from the author.
4. Test in a safe environment: Before applying the script on your system, consider testing it in a VM or isolated environment to assess its effects and compatibility.

Ultimately, it's up to you to weigh the pros and cons and decide whether to trust the script. Remember to always exercise caution when executing scripts from unknown sources. I hope this helps!
 
  • Like
Reactions: ZeroDay
I

Inzingor

Level 1
Thread author
Oct 15, 2023
27
thanks!

I will create a script based on the recommendations for my devices using chat gpt. I will also check what I can additionally activate in my windows 10 enterprise versions, as they have more options in this regard.
 
  • Like
Reactions: ZeroDay
SimeonOnSecurity

SimeonOnSecurity

New Member
Oct 26, 2023
6
Inzingor said:
Hello! I came across the following on the internet, which sounds pretty good in principle. But I'm still wondering whether there might be a backdoor or something hidden somewhere. Do any of you happen to know this or can you please take a look at it?

github.com

simeononsecurity - Overview

Cybersecurity and automation expert, proudly sporting a grey top hat. Ansible, PowerShell, and Docker—what don’t I do? - simeononsecurity
github.com github.com
github.com

GitHub - simeononsecurity/Windows-Optimize-Harden-Debloat: Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Adhere to industry best practices and Department of De

Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Adhere to industry best practices and Department of Defense ...
github.com github.com
github.com

GitHub - simeononsecurity/Windows-Defender-Hardening: Take advantage of some more advanced Windows Defender settings.

Take advantage of some more advanced Windows Defender settings. - simeononsecurity/Windows-Defender-Hardening
github.com github.com

In theory, the recommendations implemented should provide the best possible protection for my system for home use. But im a bit paranoid i guess :D

What do you guys here think about this?

Best regards Mike
Click to expand...
In our readme, we explain you shouldn't run it if you don't understand what it does. However, we do try out best to provide the best tools possible and document any bugs or shortcomings.
You should always verify what scripts are doing. In situations where you can't, asking other professionals is the best thing to do. I congratulate you on doing things correctly. Many of our users don't even read the first sentence of the readme lol.
The scripts you mentioned do make a lot of changes on your system. They are designed for home use. Or, in the defender script, both home and enterprise.
You should test this script on a test system or vm first. It changes a lot of what people know and use in windows.
Things like signing in with microsoft accounts or pins, SMB v1 and v2, telnet, weak encryption ciphers and hashing algos, any TLS version below 1.2, all SSL versions, password saving in browsers, using macros in office, auto connecting to wifi, etc are all disabled. It's primarily a security script and implements many best practices from many organizations. These are significant and not to be taken lightly. There will be a learning curve. But it is all there to make it harder to do things insecurely. You'd have to go out of your way to do that 99% of the time if you run the script.
Now with regards to debloating, debloating can break windows almost as badly, if not worse, than hardening. Most debloating scripts to basically nothing or far far too much.
For instance, you can disable cortana and all of its telemetry without issues. But if you physically remove it, you break windows search, explorer, (the old version of edge), and a few other things. We don't do that in our debloating scripts. We debloat to a level that is good for the majority of people. Now for the extremists. If you're one of those, learn and switch to linux already ;)
 
  • Like
  • +Reputation
  • Hundred Points
Reactions: cryogent, Shadowra, Nevi and 4 others
SimeonOnSecurity

SimeonOnSecurity

New Member
Oct 26, 2023
6
Ultimate Vision said:
VirusTotal can now scan and analyze potentially malicious scripts using AI.

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com
Click to expand...
I still find that it sides on the sides of safety a bit too much. I've had it call basic administration scripts that anyone would use, like to update an email for a user in AD, a virus.
Threat detection is still something that has a lot of false positives and negatives. Because without context a script that updates an email in AD could be used to reset the password of the user and thus become an issue.
If it comes back with no detections, all that means is either it is safe or it's new enough to not be detected. If it has a flag, it could mean that it's safe, will totally wreck your system, or just be not a commonly downloaded file. Unless you're knowledgeable enough to understand how they work and how to interpret the results, I feel that virus scanners of any kind give users a false sense of security. They can help, but they aren't everything. Be careful. DYOR YMMV.
 
  • Like
Reactions: cryogent
F

ForgottenSeer 103564

SimeonOnSecurity said:
I still find that it sides on the sides of safety a bit too much. I've had it call basic administration scripts that anyone would use, like to update an email for a user in AD, a virus.
Threat detection is still something that has a lot of false positives and negatives. Because without context a script that updates an email in AD could be used to reset the password of the user and thus become an issue.
If it comes back with no detections, all that means is either it is safe or it's new enough to not be detected. If it has a flag, it could mean that it's safe, will totally wreck your system, or just be not a commonly downloaded file. Unless you're knowledgeable enough to understand how they work and how to interpret the results, I feel that virus scanners of any kind give users a false sense of security. They can help, but they aren't everything. Be careful. DYOR YMMV.
Click to expand...
Absolutely, tools can be used either way in some circumstances. Running scripts from sources to do odd jobs is indeed a absolute risk no matter how you look at it. A silly one if you ask me. Regardless of authors intentions with them.

For an average user that has no clue as to how to view it and asks "is it safe" giving them something to help judge files is certainly better than stating "sure, go Ahead, the author says it's ok, we all know that it's safe now" I'd rather it be identified unsafe and a user not have something go wrong in their system than blindly say sure, run that script on your system with privileges and see what happens.
 
  • Like
Reactions: Filipe and Nevi
SimeonOnSecurity

SimeonOnSecurity

New Member
Oct 26, 2023
6
Ultimate Vision said:
Absolutely, tools can be used either way in some circumstances. Running scripts from sources to do odd jobs is indeed a absolute risk no matter how you look at it. A silly one if you ask me. Regardless of authors intentions with them.

For an average user that has no clue as to how to view it and asks "is it safe" giving them something to help judge files is certainly better than stating "sure, go Ahead, the author says it's ok, we all know that it's safe now" I'd rather it be identified unsafe and a user not have something go wrong in their system than blindly say sure, run that script on your system with privileges and see what happens.
Click to expand...
I agree with that mostly. It's a weird condition of security and the technology world.
Effectively we tell people to do nothing at all they don't understand. And if they must, run it through a scanner. A scanner that is usually black box and could tell them it's good when it isn't or is bad when it isn't. It is the best option, usually, other than consulting with experts. But even the experts can still be wrong. There are few safe and 100% correct answers in cybersecurity. We're all mostly acting on well educated guesses. I personally just hate to tell people things are absolute, even if to simplify things for them, when they aren't.

I have learned that even when you explain things, most people don't want to learn or understand things. They just want a binary answer to the question, "Is this safe?", when there is hardly ever clean and accurate answer to it. My answer is always going to be educate yourself, review the script (consult professionals if you can't), run a virus scan with virustotal. And that is what I believe both personally and professionally speaking is the best answer. This even goes for my own scripts and I say something akin to this at the top of my READMEs.

Don't let any one source ever tell you something is good or bad. Even with multiple sources, you're just making a educated and statistical guess on if something is likely good or bad. The more sources you consult, the better.

My personal issue with virus total is complex. Virustotal utilizes many virus scanning and detection engines, some of which are a laughable in the security community. The only times I find it accurate in detecting malware are signature based. For the rest, it's scanning engines, are going off behavior and how many times the engines have seen the file downloaded before. I don't have a better answer to replace this. But saying something is bad just because it isn't a commonly downloaded file is just stupid. It's a security first mentality that is guaranteed to block more work than the issues it solves. Behavior is something that often requires context and I have found that they often flag things as viruses or malware just for doing practically anything with administrative privileges. Again this is a case where the security benefit are likely lower than the amount of work it prevents. IMO and IMPO virus scanners are usually only good and effective at preventing known and common threats from some "X" period of the past. New threats aren't as easy to keep up on and some people have to be infected for the threat to be eventually detected. Because of this I have to say that for anyone other than the most basic of users, virus scanners and antivirus/malware are their own kind of security theater. They practically only prevent the obvious and easy stuff. And that is really only the good AV.
I could also get into the issues on windows where most of the avs have to use the same built in APIs and syscalls as defender itself, rendering them effectively no better than defender to begin with. But that is another issue for another day.
 
  • Like
Reactions: cryogent
F

ForgottenSeer 103564

SimeonOnSecurity said:
I agree with that mostly. It's a weird condition of security and the technology world.
Effectively we tell people to do nothing at all they don't understand. And if they must, run it through a scanner. A scanner that is usually black box and could tell them it's good when it isn't or is bad when it isn't. It is the best option, usually, other than consulting with experts. But even the experts can still be wrong. There are few safe and 100% correct answers in cybersecurity. We're all mostly acting on well educated guesses. I personally just hate to tell people things are absolute, even if to simplify things for them, when they aren't.

I have learned that even when you explain things, most people don't want to learn or understand things. They just want a binary answer to the question, "Is this safe?", when there is hardly ever clean and accurate answer to it. My answer is always going to be educate yourself, review the script (consult professionals if you can't), run a virus scan with virustotal. And that is what I believe both personally and professionally speaking is the best answer. This even goes for my own scripts and I say something akin to this at the top of my READMEs.

Don't let any one source ever tell you something is good or bad. Even with multiple sources, you're just making a educated and statistical guess on if something is likely good or bad. The more sources you consult, the better.

My personal issue with virus total is complex. Virustotal utilizes many virus scanning and detection engines, some of which are a laughable in the security community. The only times I find it accurate in detecting malware are signature based. For the rest, it's scanning engines, are going off behavior and how many times the engines have seen the file downloaded before. I don't have a better answer to replace this. But saying something is bad just because it isn't a commonly downloaded file is just stupid. It's a security first mentality that is guaranteed to block more work than the issues it solves. Behavior is something that often requires context and I have found that they often flag things as viruses or malware just for doing practically anything with administrative privileges. Again this is a case where the security benefit are likely lower than the amount of work it prevents. IMO and IMPO virus scanners are usually only good and effective at preventing known and common threats from some "X" period of the past. New threats aren't as easy to keep up on and some people have to be infected for the threat to be eventually detected. Because of this I have to say that for anyone other than the most basic of users, virus scanners and antivirus/malware are their own kind of security theater. They practically only prevent the obvious and easy stuff. And that is really only the good AV.
I could also get into the issues on windows where most of the avs have to use the same built in APIs and syscalls as defender itself, rendering them effectively no better than defender to begin with. But that is another issue for another day.
Click to expand...
I understand what you are saying, between what consists of false positives with detection of behavior to tools being inert and capable of being used for good or bad depending on the users intentions. Nmap NSE for example, has many tools/scripts that can be used for good or bad, the tool just sitting there is inert as stated, until intentions come along. Does this mean it should be flagged as bad, well that's subjective.

Users with little to no knowledge or experience wanting to use such tools, needing/wanting to know if it is safe. Well generally rule of thumb is, if you have to ask, you probably shouldn't mess with it. Since many take offense to this now days, my default action is to tell them to scan it and see. I can tell them you probably shouldn't mess with that, and then other users will tell them it's harmless and they will go bork their system.

So that pretty much sums up my response above, as anything past that gets messy quickly.

I have no experience with your script, nor have I ever looked at it, so I could not state anything about it and or you, other then your response here was level headed and agreeable, you presented your side in a way I understand and won't deny. That in its self, speaks volumes.
 
  • Like
Reactions: SimeonOnSecurity

Similar threads

SpyNetGirl
    • Like
    • Hundred Points
    • Applause
Serious Discussion Compliance checking + Security score now available for Harden Windows Security script!
Replies
3
Views
999
Other security for Windows, Mac, Linux
SpyNetGirl
SpyNetGirl
M
    • Like
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Replies
0
Views
422
Microsoft Defender
Microsoft Threat Intelligence
M
Sandbox Breaker
    • Like
    • Applause
AWS SSM Agent can be used as a RAT
Replies
0
Views
1,418
News Archive
Sandbox Breaker
Sandbox Breaker

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top