Testing Windows Hybrid Hardening (new hardening application).
<blockquote data-quote="Andy Ful" data-source="post: 1064853" data-attributes="member: 32260"><p>In the log, we can see: "WDAC blocked events for EXE and DLL files". So it is not the SWH Log but the WDAC Log.</p><p>The WDAC Log in WHHLight can show events blocked by Windows native policies and events blocked by the WHHLight WDAC policy. In the second case we can see the entry:</p><p><span style="color: rgb(0, 168, 133)"><strong>PolicyName = UserSpace Lock</strong></span></p><p>The example posted by you is related to the WHHLight WDAC policy (UserSpace Lock).</p><p></p><p>The block is caused by Microsoft's recommendations for LOLBins that can bypass WDAC. Those LOLBins are blocked in the WHHLight WDAC policy.</p><p><span style="color: rgb(184, 49, 47)"><strong>One of the blocked LOLBins is WMIC.exe.</strong></span></p><p><span style="color: rgb(184, 49, 47)"><strong>Windscribe whitelisting is not necessary and cannot remove this block.</strong></span></p><p></p><p>I think that the long time needed to connect to the server was unrelated to your whitelisting. You can check it by removing from the WDAC Whitelist any of the possible paths:</p><p>C:\Windows\System32\wbem\WMIC.exe</p><p>C:\Program Files\Windscribe\WindscribeService.exe</p></blockquote><p></p>