Advice Request Avast Hardened Mode: still the same?


RoboMan

Thread author
Jun 24, 2016
Hello guys,

Can anybody here explain to me how Avast Hardened mode works at this moment?

It used to be Moderate and Aggressive, now it's just one option. People say the remaining option is the aggressive one... Does this mean Hardened Mode still works as Aggressive Mode used to work? If enabled, should Avast block execution of all unknown executables?

I'm still trying to figure it out... spent a generous 45 minutes launching all the unknown, unsigned executables I could find around and got no alert from Hardened Mode (and no blocking, of course).

So, if anybody would be so kind to explain to me how Hardened Mode is working nowadays, I would be grateful.

Thanks!
 
In Finnish it says literally this: "With Avast defensive mode you can lock down your computer; this is recommended for inexperienced users."

I have only seen one block, with AdGuard, but now, days later, I don't even get that > whitelisted by Avast
 
Hardened Mode still blocks unknown (by Avast) files.
I compiled a totally innocent file in AutoIt:

Code:
#include <GUIConstantsEx.au3>
Example()

Func Example()
    GUICreate("test GUISetTextColor", 100, 100) ; create a 100x100 dialog, centred on screen by default
    GUICtrlSetDefBkColor(0xFF0000) ; default background colour (red) for every control created afterwards
    GUICtrlCreateLabel("label", 10, 5)
    GUICtrlCreateRadio("radio", 10, 25, 50)
    GUICtrlSetBkColor(-1, 0x0000FF) ; override the background colour (blue) of the last created control only
    GUICtrlCreateButton("button", 10, 55)
    GUISetState(@SW_SHOW) ; show the dialog with its three controls

    ; Loop until the user closes the window.
    While 1
        Switch GUIGetMsg()
            Case $GUI_EVENT_CLOSE
                ExitLoop
        EndSwitch
    WEnd
EndFunc   ;==>Example

It simply displays the below window:

[image: the compiled test window with its label, radio button and button]


After executing it with enabled Hardened Mode, Avast displayed the alert:

[image: Avast Hardened Mode alert for the compiled test file]
 
Thank you @Andy Ful, we can always count on your knowledge regarding security.

Do you think Avast Hardened Mode can be considered as strong as H_C "disallowed" regarding to blocking unknown files? Always thinking on the scenario where we're just trying to block unknown things, not block everything regarding the vendor.
 
It is worth remembering that without the Internet connection, Avast Hardened Mode works as follows:

First scenario:
  1. The file was downloaded but not executed, and then the Internet connection was lost. If we execute this file (still no Internet access), then it will not be blocked.
  2. After connecting to the Internet again, the already executed file will not be blocked.

Second scenario:
  1. If the file is executed for the first time and Avast is connected to the Internet, then the file can be blocked.
  2. If the file was blocked by Hardened Mode, then it will be also blocked without the Internet connection.
 
Do you think Avast Hardened Mode can be considered as strong as H_C "disallowed" regarding to blocking unknown files? Always thinking on the scenario where we're just trying to block unknown things, not block everything regarding the vendor.

No. The Hardened Mode works only for COM, EXE, and SCR files. Its strength is kinda similar in practice to the Defender ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". :(
There are some differences too. For example, the ASR rule can also block unknown DLLs dropped to disk and executed via rundll32.exe.

For files downloaded from the Internet (files with MOTW), the SmartScreen AppRep works with COM, EXE, and SCR files similarly to the Avast Hardened Mode. But, SmartScreen can also block MSI files. The advantage of Hardened Mode over SmartScreen follows from the fact that it can block payloads dropped without MOTW.
 
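As an added example to go with the comparison above (this is not Andy Ful's code, nor anything shipped by Avast or Microsoft): a PowerShell snippet that reads a file's Mark-of-the-Web zone, reports whether the file even falls inside the COM/EXE/SCR scope named for Hardened Mode (plus MSI for SmartScreen), and puts the Defender ASR prevalence/age rule into audit mode so you can see what it would have blocked before enforcing it. It assumes Defender is the active AV, an elevated session, and an NTFS volume (the Zone.Identifier stream does not exist on FAT/exFAT); the rule GUID is the one Microsoft's ASR reference lists for that rule, and the sample path in the usage lines is a placeholder.

```powershell
# Added example, not from the thread or from Avast/Microsoft.
# Scope check for reputation-based blocking plus a safe (audit) rollout of the ASR rule.

# File types the post says Avast Hardened Mode covers; SmartScreen adds .msi.
$HardenedModeTypes = @('.com', '.exe', '.scr')
$SmartScreenTypes  = $HardenedModeTypes + '.msi'

# GUID Microsoft documents for "Block executable files from running unless they
# meet a prevalence, age, or trusted list criterion". Verify against the ASR reference.
$PrevalenceRuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW lives in the Zone.Identifier NTFS alternate data stream.
    # ZoneId 3 = Internet, 4 = Restricted. No stream means no MOTW, so SmartScreen never looks.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-ReputationCheckScope {
    param([Parameter(Mandatory)][string]$Path)
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $zone = Get-MotwZone -Path $Path
    [pscustomobject]@{
        Path              = $Path
        Extension         = $ext
        MotwZone          = $zone
        # Hardened Mode does not need MOTW: a payload dropped by another process is still in scope.
        AvastHardenedMode = $ext -in $HardenedModeTypes
        # SmartScreen AppRep needs both a covered type and a MOTW zone of Internet or worse.
        SmartScreenAppRep = ($ext -in $SmartScreenTypes) -and ($zone -ge 3)
    }
}

function Set-PrevalenceAsrRule {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action = 'AuditMode')
    # AuditMode logs would-be blocks as event ID 1122 in
    # Microsoft-Windows-Windows Defender/Operational without stopping anything (1121 = blocked).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRuleId `
                     -AttackSurfaceReductionRules_Actions $Action
    # Read the setting back; actions are numeric (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $PrevalenceRuleId) { return $pref.AttackSurfaceReductionRules_Actions[$i] }
    }
    return 'NotSet'
}

# Usage (placeholder path: point it at a sample you downloaded yourself):
# Test-ReputationCheckScope -Path 'C:\Users\Public\sample.exe'
# Set-PrevalenceAsrRule -Action AuditMode
```

Run the audit for a week, review the 1122 events for false positives on line-of-business tools, and only then switch the action to Enabled; that is the same "unknown file" trade-off the thread is discussing, just with a log to look at first.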
Can flag a modified system process (by injected malicious code)?
Avast hardened mode prevents executables with low reputation from running and forming a process. Once an executable is approved and already running, hardened mode doesn't deal with it; there are the AVG/Avast/Norton IDP and additional mitigation layers that prevent credential theft, block access to malicious domains and so on. This can prevent the secondary payload from being pulled or injected.

Injected malicious code can only be blocked by:
  • Proactively: Any technology that generically prevents suspicious spawning of LOLBins, hence injection never occurs, and this is what ASR is all about! For example, there is very little reason why an admin would write a script that starts with Wscript but then calls PowerShell. Whilst there may be a valid reason why an admin may want to call additional LOLBins (for example through VBA), more often than not this is used for malicious purposes. Some security solutions (Vipre, DeepInstinct) and others have very aggressive anti-injection; even WatchGuard, in their Panda rebrand, added something similar recently.
  • Proactively, bordering on reactively: behavioural monitoring can be designed to look for specific LOLBin calls (from this one to that one), specific API calls related to process hollowing, anomalous file system characteristics, anomalous DLL-to-EXE relationships, mismatched timestamps and so on. There is a lot that can be monitored; of course, it all has to be balanced with accuracy. This works even better with AMSI integration.
  • Reactively: an antivirus with a true memory scanner (not one that just gets the loaded image paths and goes to scan them on disk), further accelerated and optimised through Hyper-V/TDT, will be able to see the malicious code that has been injected already. To answer your next question, many AVs are starting to use TDT for one reason or another; Defender does make use of TDT (though it comes with poor behavioural blocking unless a bunch of ASR rules are enabled). Trend Micro, CrowdStrike, Kaspersky, ESET, Bitdefender (paid) all have true memory scanning. Others that haven't got it may be good at the other methods to block injection.

Hardened mode can prevent suspicious PEBIN-based droppers and loaders, which can also perform injection. Whilst it doesn’t care about injections per se, it can indirectly block that, by blocking executable trying to perform them, without dwelling on the executable and thinking whether or not it wants to inject. Avast hardened mode is a type of ASR.
 
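An added example, not from Trident's post, of the second bullet in practice: a handful of parent/child LOLBin rules plus a rundll32 user-path check (the DLL case Andy Ful mentioned, which file-reputation blocking of the EXE itself cannot catch), written in PowerShell and run over constructed events shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The chain list and the user-writable directory list are assumptions to tune to your estate, and the events are made up, not real telemetry; on a live host the input would come from Get-WinEvent on the Sysmon operational log instead.

```powershell
# Added example, not from the thread: behavioural rules over process-creation events.
# Input objects only need ParentImage, Image and CommandLine (Sysmon Event ID 1 field names).

# Parent -> child pairs an admin script almost never needs (assumed list; tune it).
$SuspiciousChains = @(
    @{ Parent = 'wscript.exe'; Child = 'powershell.exe' },
    @{ Parent = 'cscript.exe'; Child = 'powershell.exe' },
    @{ Parent = 'winword.exe'; Child = 'cmd.exe' },
    @{ Parent = 'winword.exe'; Child = 'powershell.exe' },
    @{ Parent = 'excel.exe';   Child = 'mshta.exe' },
    @{ Parent = 'mshta.exe';   Child = 'rundll32.exe' }
)
# Directories where a DLL handed to rundll32 is far more suspicious than under System32 (assumed list).
$UserWritable = @('\users\', '\appdata\', '\temp\', '\programdata\', '\public\')

function Get-ImageName([string]$Path) {
    # Last path component, lower-cased; handles both separators so the rules are path-agnostic.
    return ($Path -split '[\\/]')[-1].ToLowerInvariant()
}

function Find-SuspiciousProcess {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = Get-ImageName $e.ParentImage
        $child  = Get-ImageName $e.Image
        $cmd    = [string]$e.CommandLine

        # Rule 1: known-bad LOLBin chains (the "from this one to that one" check).
        foreach ($c in $SuspiciousChains) {
            if ($parent -eq $c.Parent -and $child -eq $c.Child) {
                [pscustomobject]@{ Rule = 'LOLBinChain'; Parent = $parent; Child = $child; CommandLine = $cmd }
            }
        }

        # Rule 2: rundll32 loading a DLL from a user-writable path. The image on disk is
        # rundll32.exe itself, so EXE reputation never sees the dropped DLL.
        if ($child -eq 'rundll32.exe' -and $cmd -match '(?i)([a-z]:\\[^\s,"]+\.dll)') {
            $dll = $Matches[1].ToLowerInvariant()
            if ($UserWritable | Where-Object { $dll.Contains($_) }) {
                [pscustomobject]@{ Rule = 'Rundll32UserPathDll'; Parent = $parent; Child = $child; CommandLine = $cmd }
            }
        }
    }
}

# Constructed sample events (not real telemetry): one LOLBin chain, one dropped DLL,
# one legitimate rundll32 use and one ordinary application launch.
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\wscript.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -nop -w hidden -enc JABhAD0AMQA=' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Start' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Program Files\Notepad++\notepad++.exe'
                       CommandLine = 'notepad++.exe' }
)

Find-SuspiciousProcess -Events $SampleEvents | Format-Table -AutoSize
```

The two rules are deliberately narrow: a chain rule fires on exact parent/child names, and the rundll32 rule only fires when the DLL sits under a user-writable tree, which is the accuracy trade-off the post talks about. Feeding real Sysmon data means mapping the event XML fields to the same three property names and nothing else changes.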
Shortly:
  1. Hardened Mode cannot block injections to system processes.
  2. It can prevent EXE malware via file reputation, including a specific kind of EXE malware that would like to inject code into system processes.
Edit.
As an addition to @Trident's post, some code injections can be also blocked by Code Integrity (like in AppLocker, WDAC, or SAC). This is kinda similar to Hardened Mode, but includes also DLLs.
 
As an addition to @Trident's post, some code injections can be also blocked by Code Integrity (like in AppLocker, WDAC, or SAC). This is kinda similar to Hardened Mode, but includes also DLLs
Yes, and these fall into the first group of proactively blocking the injection. As injection happens in memory, it will often be accompanied by persistence indicator (creation of scheduled tasks, specific registry entries in at least 10 sections can be added, files in start menu/startup, service creation, WMI filter + consumer + binding and so on).

These persistence indicators by some vendors are very aggressively used to trigger remediation and then the process in which injection was performed can be terminated. Of course, attackers can also seek ephemeral presence without persistence, these are smash-and-grab attacks that haven’t got much value and are not too frequent.
 
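An added example (not from the thread) that inventories the persistence locations Trident lists, WMI filter/consumer/binding, Run keys, scheduled tasks, Startup folders and services, with stock PowerShell cmdlets, and flags any entry whose command points into a user-writable path so a flagged injection can be correlated with what the injected code left behind. It is read-only, needs an elevated session to read HKLM and root\subscription fully, skips the built-in \Microsoft\ task tree to keep the output short, and the "user-writable" regex is an assumption to adjust per estate.

```powershell
# Added example, not from the thread: read-only inventory of common persistence locations.

function Get-WmiPersistence {
    # Permanent WMI subscriptions need all three pieces: filter, consumer and binding.
    $ns = 'root\subscription'
    foreach ($cls in '__EventFilter', 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue | ForEach-Object {
            $o = $_
            [pscustomobject]@{
                Kind    = "WMI:$cls"
                Name    = $o.Name
                Command = (@($o.Query, $o.CommandLineTemplate, $o.ScriptText) | Where-Object { $_ }) -join ' '
            }
        }
    }
}

function Get-RunKeyPersistence {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider bookkeeping properties Get-ItemProperty adds.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            [pscustomobject]@{ Kind = 'RunKey'; Name = "$k\$($p.Name)"; Command = [string]$p.Value }
        }
    }
}

function Get-TaskPersistence {
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $t = $_
            foreach ($a in $t.Actions) {
                if ($a.Execute) {
                    [pscustomobject]@{ Kind = 'Task'; Name = "$($t.TaskPath)$($t.TaskName)"
                                       Command = "$($a.Execute) $($a.Arguments)".Trim() }
                }
            }
        }
}

function Get-StartupFolderPersistence {
    $dirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($d in $dirs) {
        Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Kind = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ServicePersistence {
    # Services whose binary lives outside the Windows directory.
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -and $_.PathName -notmatch '(?i)^"?[a-z]:\\windows\\' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Command = $_.PathName } }
}

function Get-PersistenceInventory {
    # Anything launched from a user-writable tree is where dropped payloads usually land (assumed pattern).
    $suspect = '(?i)\\(users|appdata|temp|programdata|public)\\'
    @(Get-WmiPersistence) + @(Get-RunKeyPersistence) + @(Get-TaskPersistence) +
    @(Get-StartupFolderPersistence) + @(Get-ServicePersistence) |
        ForEach-Object {
            $_ | Add-Member -NotePropertyName UserWritablePath -NotePropertyValue ($_.Command -match $suspect) -PassThru
        }
}

Get-PersistenceInventory | Sort-Object UserWritablePath -Descending | Format-Table -AutoSize
```

Run it once on a clean build and save the output; diffing a later run against that baseline is far more useful than reading the full list, because legitimate software also uses every one of these locations.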
Yes, and these fall into the first group of proactively blocking the injection.

WDAC blocks can be partially included in the first group (LOLBin Blocklist, script restrictions). However, many blocks can occur via insufficient file reputation.
I would rather include CI in another proactive group.
 