Advice Request Anyone Test WD + Hard_Configurator?

oldschool · Sep 19, 2018

In light of recent discussion here Q&A - Security Software obselete on Windows 10? and elsewhere, has anyone tested WD with Hard_Configurator - specifically with WD High settings and H_C set to Default-Deny/Recommended SRP? I'd be interested to know if anyone has tested this setup, or some variation of it.

I'm fairly certain some other members would like to know as well. Thanks to all who might reply.

Deleted member 178 · Sep 19, 2018

Tested it, more secure than any AV and less prone to bug/issues.
of course, you have to cope with WD resource hunger, but if you don't mind it, it is a very solid combo.

1- Learn to use SRP, means learn about Windows processes.
2- Learn to use Windows Exploit Guard and other Win10's built-in security feature.
Once both point mastered, you will realize that using AVs is not necessary anymore.

Now if, as me, you like some particular mechanisms (full sandboxes, anti-exe, etc...), you may use 3rd party apps.

oldschool · Sep 19, 2018

I've had H_C up and running in @Andy Ful's "set and forget" mode for a short time. No issues so far. Little by little, very slowly, I am learning more about it. Thanks!

shmu26 · Sep 20, 2018

Hard_Configurator at Andy's recommended settings is a default/deny setup, which is a winner by definition. Default/deny is so strong that it makes very boring testing. The only caveat is that with Hard_Configurator, the user needs to flip on the vulnerable process protection (called "sponsors") if he happens to be running abusable apps that need extra protection. MS Office is not much of a threat, because it is already covered, either by WD at high settings, or by the H_C "Documents Anti-Exploit" setting.

About WD at high settings: @Evjl's Rain posted some links to his malware hub testing of it, they are in the thread you mentioned, Q&A - Security Software obselete on Windows 10?.
He found it to be strong but not bullet-proof. But WD at high settings + SmartScreen is very strong.

Andy Ful · Sep 20, 2018

shmu26 · Sep 20, 2018

Andy Ful said:
It was tested with and without WD by @askalan:
https://malwaretips.com/threads/4-06-2018-18.84062/post-740344
https://malwaretips.com/threads/signed-malware-27-05-2018.83819/post-738779
https://malwaretips.com/threads/mixed-threats-14-04-05-2018.82928/#post-733407
https://malwaretips.com/threads/22-9-23-2.75676/post-674148
https://malwaretips.com/threads/locky-variant-ykcol.75541/post-673040
https://malwaretips.com/threads/26-9-17-14.75726/post-674724
https://malwaretips.com/threads/24-9-17-21-with-nransom2.75689/post-674451
https://malwaretips.com/threads/21-9-17-12.75604/post-673330
The tested configurations blocked all malware, but of course, the Malware missed by WD and blocked by Hard_Configurator settings was not removed from the system.
The above does not mean, that WD + Hard_Configurator settings cannot be bypassed. It is simply very hard for the malware in the wild.

As expected. Malware does not infect the system when default/deny protection is applied.

Local Host · Sep 20, 2018

shmu26 said:
As expected. Malware does not infect the system when default/deny protection is applied.

Keep in mind the systems are not clean either, as WD fails to detect the malware it sits there waiting.

509322 · Sep 20, 2018

Local Host said:
Keep in mind the systems are not clean either, as WD fails to detect the malware it sits there waiting.

If malware is present, but doing nothing, then vendors do not care about that. Most don't consider it a big deal. Even running processes that are detected as malware, but do nothing malicious are not a concern.

Andy Ful · Sep 20, 2018

Local Host said:
Keep in mind the systems are not clean either, as WD fails to detect the malware it sits there waiting.

The same situation is with HIPS and BB when one uses any good AV.
Fortunately, that usually last only for a few days, until the AV will get the proper signatures.
WD (or another AV) is still welcome for two reasons:

It will clean (after some time) the blocked (by H_C settings) but previously not detected malware files.
It can detect the more sophisticated malware that could bypass H_C settings.

The sophisticated malware will usually hit first Enterprises and Institutions via targetted attacks, so they are not 0-days when trying to hit home users. Such malware can be detected by something like WD "Block first sight" feature (or Kaspersky KSN).
H_C is not inventing the wheel. This kind of protection is well known from years.
I simply chose the well known security 'lego bricks' which could be useful in the home user environment.
One brick (SmartScreen) required some invention to fit it into the smart-default-deny pattern.
Next, I put all of them into one configurator GUI and gathered the hardly found pieces of information in help files (+ manual) to make all of this more understandable. Furthermore, It was necessary to add the integration with some useful external tools (Sysinternals Autoruns, NirSoft FullEventLogView, 7-ZIP) for troubleshooting. In the end, I made some setting profiles which can be useful in a daily work for inexperienced or advanced users.

Andy Ful · Sep 20, 2018

shmu26 said:
As expected. Malware does not infect the system when default/deny protection is applied.

H_C can be used as the classic default-deny or the smart-default-deny. The Recommended Settings are based on the smart-default-deny setup, and this was tested by @askalan (H_C) and partially by @Evjl's Rain (for WD + forced SmartScreen). The classic default-deny will block the new installations. The smart-default-deny will allow the new installations if the installation file will pass the SmartScreen check.
The classic default-deny is slightly stronger, because some malware files (very rarely) can bypass even the SmartScreen Application Reputation filter.

509322 · Sep 20, 2018

shmu26 said:
As expected. Malware does not infect the system when default/deny protection is applied.

Default Deny is not a panacea. A particular security soft is not one either. Security cannot operate optimally by merely installing security softs. The person using the system matters - implicitly and inherently. Period. If anyone disagrees with that accurate and balanced approach, well...

And this whole expectation that security softs should and must solve all security issues is just plain ignorance.

Andy Ful · Sep 20, 2018

The more usable is the security setup, the more knowledge is required to use it safely. If one will install several usable security applications to be more secure on Windows 10, then usually that will have the impact on the system stability/performance ( = decrease of usability).
The more restricted is the security setup, the more knowledge is required to configure and adjust it on the concrete machine for the concrete user.
So, the experienced (knowledgeable) users can adjust any security setup they like.

The Inexperienced users are not safe when using the usable security setup and are not able to configure properly the highly restricted security setup. Usually, they can use the restricted setup with occasional support from the advanced user or must learn to become advanced (experienced).
In any case, the knowledge is strictly related to the security.
Isn't that why MalwareTips was created for? :emoji_ok_hand:

shmu26 · Sep 20, 2018

Lockdown said:
Default Deny is not a panacea. A particular security soft is not one either. Security cannot operate optimally by merely installing security softs. The person using the system matters - implicitly and inherently. Period. If anyone disagrees with that accurate and balanced approach, well...

And this whole expectation that security softs should and must solve all security issues is just plain ignorance.

You guys know about all kinds of curve-ball malware exploits and worst-case scenarios. Science-fiction come true, like Powershell Empire and the like.
But in real life, if a home user has a decent default/deny setup, properly configured and in good working order, with patched OS and software, well, he is not going to get infected, unless he shoots himself in the foot.

Andy Ful · Sep 20, 2018

shmu26 said:
You guys know about all kinds of curve-ball malware exploits and worst-case scenarios. Science-fiction come true, like Powershell Empire and the like.
But in real life, if a home user has a decent default/deny setup, properly configured and in good working order, with patched OS and software, well, he is not going to get infected, unless he shoots himself in the foot.

There is the known anti-default-deny reasoning:
Experienced (knowledgeable) users can configure/use default-deny but they do not need it. Inexperienced users alone, cannot properly configure default-deny, so they do not use it.
Some knowledge is always involved in using default-deny.

Local Host · Sep 20, 2018

Andy Ful said:
The same situation is with HIPS and BB when one uses any good AV.
Fortunately, that usually last only for a few days, until the AV will get the proper signatures.
WD (or another AV) is still welcome for two reasons:

It will clean (after some time) the blocked (by H_C settings) but previously not detected malware files.

It can detect the more sophisticated malware that could bypass H_C settings.

The sophisticated malware will usually hit first Enterprises and Institutions via targetted attacks, so they are not 0-days when trying to hit home users. Such malware can be detected by something like WD "Block first sight" feature (or Kaspersky KSN).
H_C is not inventing the wheel. This kind of protection is well known from years.
I simply chose the well known security 'lego bricks' which could be useful in the home user environment.
One brick (SmartScreen) required some invention to fit it into the smart-default-deny pattern.
Next, I put all of them into one configurator GUI and gathered the hardly found pieces of information in help files (+ manual) to make all of this more understandable. Furthermore, It was necessary to add the integration with some useful external tools (Sysinternals Autoruns, NirSoft FullEventLogView, 7-ZIP) for troubleshooting. In the end, I made some setting profiles which can be useful in a daily work for inexperienced or advanced users.

BB and HIPS don't leave the files around, after detection the AV will rollback the changes and quarantine the file (if it's something proper like Kaspersky).
Default-Deny will only block the execution of the file, but will leave it there untouched and ready for another round. It's mostly user based as well, if the file is allowed to run it all comes down to nothing when using WD.

shmu26 · Sep 20, 2018

Local Host said:
BB and HIPS don't leave the files around, after detection the AV will rollback the changes and quarantine the file (if it's something proper like Kaspersky).
Default-Deny will only block the execution of the file, but will leave it there untouched and ready for another round. It's mostly user based as well, if the file is allowed to run it all comes down to nothing when using WD.

It is recommended to combine default/deny with a decent AV. There is always the possibility of user error, so your AV is your safety net. The user is usually the weakest link in the security chain.
Windows Defender with ASR is not a bad choice for an AV.

Local Host · Sep 20, 2018

shmu26 said:
It is recommended to combine default/deny with a decent AV.

Is my point, WD is not a decent AV compared to the competition. If it was, wouldn't need to rely on Default-Deny in the first place to block most threats.

shmu26 · Sep 20, 2018

Local Host said:
Is my point, WD is not a decent AV compared to the competition. If it was, wouldn't need to rely on Default-Deny in the first place to block most threats.

We are not discussing WD at default settings. It is not up to the challenge of true zero-days.

Local Host · Sep 20, 2018

shmu26 said:
We are not discussing WD at default settings. It is not up to the challenge of true zero-days.

I'm not even talking 0-days nor unknown malware, WD signatures and cloud are a joke even against known malware compared to the competition. Hence why people rely on Default-Deny with it.

Default-Deny is not for Average Users, and WD can't protect Average Users without Default-Deny so it enters the Paradox. An Experienced User doesn't need an AV, so VoodooShield alone would be enough as Default-Deny without the resource heavy WD in the background.

So it enters my logic that WD shouldn't the recommended even with Custom Settings. It's your choice either way, I'm not here to tell others what to use and do in their own machines, just avoid recommending WD to average users.

shmu26 · Sep 20, 2018

Local Host said:
I'm not even talking 0-days nor unknown malware, WD signatures and cloud are a joke even against known malware compared to the competition. Hence why people rely on Default-Deny with it.

Default-Deny is not for Average Users, and WD can't protect Average Users without Default-Deny so it enters the Paradox. An Experienced User doesn't need an AV, so VoodooShield alone would be enough as Default-Deny without the resource heavy WD in the background.

So it enters my logic that WD shouldn't the recommended even with Custom Settings.

If you don't like WD, you don't have to use it.
Compared to the invasive way that the top AVs rip through your system, and the issues and bugs that often result, WD's sins are relatively minor in comparison. Especially since it usually does well even at default settings in recent commercial AV testing.

Search

Advice Request Anyone Test WD + Hard_Configurator?

oldschool

Level 81

Deleted member 178

oldschool

Level 81

shmu26

Level 85

Andy Ful

From Hard_Configurator Tools

shmu26

Level 85

Local Host

509322

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

509322

Andy Ful

From Hard_Configurator Tools

shmu26

Level 85

Andy Ful

From Hard_Configurator Tools

Local Host

shmu26

Level 85

Local Host

shmu26

Level 85

Local Host

shmu26

Level 85

Similar threads