App Review Beginning test of WHH at max settings per Andy Ful + OSArmor + SysHardener + Sysmon in DMZ

Product name
WHH, OSArmor, Windows Defender and Windows Firewall
Installation (rating)
5.00 star(s)
User interface (rating)
5.00 star(s)
Accessibility notes
n/a
Performance (rating)
5.00 star(s)
Core Protection (rating)
3.00 star(s)
Proactive protection (rating)
3.00 star(s)
Additional Protection notes
Note that WHH comes with ConfigureDefender and FirewallHardening. It also comes with Document AntiExploit, which I did not use because no MS Office is on the machine.
Browser protection (rating)
1.00 star(s)
Positives
    • Easy to use
    • Great value for money
Negatives
    • Not as many features as some competitors
Time spent using product
Reviewed for less than 24 hours
Computer specs
AMD Ryzen 5, 8 GB ram, 512 GB SSD. Ethernet USB dongle.
Recommended for
  1. All types of users
Overall rating
3.00 star(s)

Victor M (Thread author)
Oct 3, 2022
Hi Everyone,

I am now performing a test of MS Windows Security Baseline + WHH at max settings per Andy Ful + OSArmor at all protections=ON. I am placing the laptop in the DMZ. As you probably know, being in the DMZ means the laptop will only be protected by its own Windows Defender firewall and the modem+router will allow all access to it, bypassing NAT protection.

I would say it is a fair test of the capabilities of MS Windows Sec Baseline and WHH and OSArmor and Windows Defender and Defender firewall as if the laptop was at a coffee shop.

To install the MS Sec Baseline 24H2, download it along with LGPO.zip. Extract and place LGPO.exe into \Downloads\Baseline\Final\Scripts\Tools. Then issue these PowerShell commands from the Scripts directory:
Set-ExecutionPolicy RemoteSigned
.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
(When the script is finished) Set-ExecutionPolicy Restricted

Then I made one change to the group policy that the baseline set:
gpedit
> Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender AV > MpEngine > set cloud protection level = zero tolerance

Here are Andy's recommended settings (screenshots not reproduced here):
Additionally:
  • ConfigureDefender set to MAX Protection Level
  • FirewallHardening set to LOLBins block list
The laptop was previously using Linux and has no previous infections. Windows 11 was installed while offline using the BypassNRO registry setting. WiFi disabled in BIOS. And it was patched with the Mar 2025 cumulative security patch obtained previously from the MS Update Catalog web site. So the machine was totally offline during install & setup.

Since OSArmor has every protection checked, I had to make some exclusions to run Settings and other things. But the exclusions were all removed prior to going online, except for the one for Settings. And OSArmor is password protected.

Andy did suggest enhancing WDAC by using WDAC Wizard; but I wanted to test WHH with its path-based WDAC and SRP settings. OSArmor was deployed to provide some hindrance for the attacker.

Let's see how long it survives. There used to be lots of attack scans on the net looking for various vulnerabilities and Windows default openings. I was feeling a little naked, so I added NoVirusThanks SysHardener at max settings. I also set up PIN access for the 2 accounts.

Bot (AI-powered)
Apr 21, 2016
Sounds like a thorough test setup! It will be interesting to see how the combination of MS Windows Security Baseline, WHH, and OSArmor performs in a DMZ environment. Please keep us updated on the results and any issues you encounter during the testing process. Good luck!

Andy Ful (From Hard_Configurator Tools, Developer)
Dec 23, 2014
@Victor M,

Thanks for testing. (y)

Applying GPO policies requires attention:

(screenshot not reproduced here)

From OP it follows that you possibly applied GPO setting for Defender after applying WHHLight settings. In such a case, most of the SWH settings were inactivated.
The features and settings used in the WHHLight package are adjusted to the non-enterprise environment (mainly for Windows Home). Using GPO on Windows Pro and other tools requires caution.

I do not plan to extend WHHLight for use in the enterprise environment. Some policies from the Security Baseline can invalidate the settings in WHHLight (like PowerShell script blocking, etc.).

Some more information about the testing methodology and attack vectors would be welcome. :)

Against targeted attacks (probably used in your test) one should use EDR/MDR solutions instead of Microsoft Defender. In such attacks, administrators must use a console that alerts about correlated suspicious actions. So Administrators can decide (with the possible help of AI) which actions should be blocked. Without such features, the efficient protection would be unusable (too many blocks).

My suggestion about using an additional WDAC policy is related to the scenario when the computer was already compromised. The WDAC policy in Audit Mode which allows only Windows native processes, can help to identify non-native drivers and processes. However, this requires extended knowledge of Windows, so I did not include it in WHHLight.

Post updated.

oldschool
Mar 29, 2018
@Victor M I don't follow your logic here because you're combining so many conflicting protections, as @Andy Ful pointed out re: GPO.
you possibly applied GPO setting for Defender after applying WHHLight settings. In such a case, most of the SWH settings were inactivated. ... Using GPO on Windows Pro and other tools requires caution.
Why OSArmor and SysHardener?

Andy Ful (From Hard_Configurator Tools, Developer)
Dec 23, 2014
Hi Everyone,

I am placing the laptop in the DMZ. As you probably know, being in the DMZ means the laptop will only be protected by it's own Windows Defender firewall and the modem+router will allow all access to it bypassing NAT protection.

Such a scenario is kinda similar to lateral movement in the enterprise network when the attacker already compromised the local network and tries to infect the computer.
The WHHLight settings are not adjusted to this scenario. They are adjusted to protect the computer from accidental infections initiated by the user.
In other words, WHHLight is a well-trained boxer who can fight in the ring but would need additional training/skills/accessories to fight in the skating rink. :)(y)
It would be possible to apply another set of WDAC policies and increase the resilience in the compromised environment, but this is beyond the scope of WHHLight.

The laptop in the DMZ is exposed to tens of hacker attacks in a short time. I do not know the usable security solution that could be efficient in the scenario from the OP. Even the known EDR/MDR solutions are not especially effective. That is why the Zero Trust security model is now recommended in the enterprise environment.

Victor M (Thread author)
Oct 3, 2022
WHHLight settings are not adjusted to this scenario.
OK I stopped the test.

@Andy Ful No Andy, I applied the MS Security Baseline as the first thing.
But Andy, isn't this test the same as taking your laptop to an internet cafe? Maybe you can make a WHH version that is suitable for use in internet cafes? (not a home-bound desktop)

@oldschool This is not really a test aimed at testing WHH or anything in particular. I just want to set up a laptop using free tools that has some semblance of security for use in Starbucks.

I know that there are sometimes hackers at cafes. But that's life, and I want to make full use of my laptop's portability. I currently have Qubes on my main laptop which seems to have ok security I think. But I want to use Windows like every joe blow.

Whatever works is good. I selected these free tools for testing mainly because they are easy to set up; it just requires ~30 mins. My hardened setup requires 4-5 hrs of setup and configuring, plus the cost of paid tools. So I am looking for alternatives.

Andy Ful (From Hard_Configurator Tools, Developer)
Dec 23, 2014
OK I stopped the test.

Please do not do it. Only such extreme environments can say something interesting about WHHLight MAX settings. In a standard environment, it can hardly be bypassed.

@Andy Ful No Andy, I applied the MS Security Baseline as the first thing.

You also used GPO to set Cloud Protection Level.

But Andy, isn't this test the same as taking your laptop to an internet cafe?

Yes, if there are 100 experienced hackers in the cafe. :)

Maybe you can make a WHH version that is suitable for use in internet cafes? (not a home-bound desktop)

This can depend on what the attackers could do in your test. It is an interesting thread; let's continue with more details. (y)

oldschool
Mar 29, 2018
You might consider one hardening package using @SpyNetGirl 's

Vitali Ortzi
Dec 12, 2016
You might consider one hardening package using @SpyNetGirl 's
Yes, that's what you are supposed to use in an enterprise-like environment like here, as Andy's tools are more home-use optimized and may lack some extra measures an enterprise environment will have to harden too.

Andy Ful (From Hard_Configurator Tools, Developer)
Dec 23, 2014
@Victor M,

You must be sure what was compromised. Without NAT support, the first suspect is your network device.
How did you create the testing environment (laptop in the DMZ)?
Is your network device exposed to attacks/exploits from the outside of your testing environment?

Other important questions:
  • What indicators of compromise did you notice?
  • Were the settings of WHHLight + tools changed or disabled?

Andy Ful (From Hard_Configurator Tools, Developer)
Dec 23, 2014
Andy made me nervous when he said WHH is not for this scenario.

So I am adding SysInternals Sysmon with kill exe settings. It kills all exe on drop.

When I wrote that WHHLight is not optimal for this scenario, I had in mind network device exploits, abusing opened ports, DNS poisoning, MITM attacks, firewall exploits, abusing vulnerable protocols or system processes, etc. Hackers often use methods that avoid dropping EXE files. Furthermore, the execution of dropped EXE would be blocked by WHHLight.
Let's find out more about what was compromised in your testing environment. Inspecting the Sysmon Logs and WHHLight tools Logs could help.

Victor M (Thread author)
Oct 3, 2022
Results are in ! HACKED.

\Windows\system32\notepad is not accessible. It can't be run when double-clicked. When clicking on a txt, it says it cannot find the txt.
Explorer seems to have 2 versions, one with tabs, another one without. So the notepad problem may be a replaced/misconfigured Explorer.
Defender firewall log is deleted. Should be at \windows\system32\logfiles\firewall. Nothing there.
Defender firewall logging setting changed: Deny Logging is no longer specified as Yes.

So I installed a Notepad++ copy to windows\system32, renamed it notepad.exe, still couldn't run. So I think it is because of the replaced Explorer.
@Andy Ful, where are the WHH log files stored, so I can use Notepad++ to view them?

Andy, I PM'd you the full sysmon events evtx.

Andy Ful (From Hard_Configurator Tools, Developer)
Dec 23, 2014
The WHHLight tools Logs (no installed Hard_Configurator):

EXE/DLL and MSI Logs use the same file which is each time replaced by the new content:
%LocalAppdata%\Temp\WDAC_BlockedEvents.log

PowerShell and SRP Logs use the same file which is each time replaced by the new content:
%LocalAppdata%\Temp\SWH_BlockedEvents.log

FirewallHardening Log
c:\Windows\Temp\??????????????????\0\Firewall.log

ConfigureDefender:
c:\Windows\Temp\??????????????????\0\Defender.log

If H_C is installed:
c:\Windows\Hard_Configurator\Temp\FirewallHardening\0\Firewall.log
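An added example, not code from the thread or from the WHH/Hard_Configurator project: a PowerShell snapshot that records the items reported as changed in the "HACKED" post (Defender firewall logging settings and log file, the explorer.exe/notepad.exe binaries) together with the WHHLight logs listed above, so a run taken before the laptop is exposed can be diffed against one taken afterwards. The per-session folder name under C:\Windows\Temp is not known here, so those two logs are located by search (assumption); the output file name and the Sysmon filter are also mine.

```powershell
# Added example (not from the thread or the WHH project): snapshot the items the
# thread reports as changed so a before/after diff is possible. Run elevated.
$ErrorActionPreference = 'SilentlyContinue'
$snap = [ordered]@{}

# 1. Defender firewall logging per profile (thread: "Deny Logging" reset) and
#    the default log file (thread: gone from System32\LogFiles\Firewall).
foreach ($p in Get-NetFirewallProfile) {
    $snap["Firewall.$($p.Name).LogBlocked"]  = [string]$p.LogBlocked
    $snap["Firewall.$($p.Name).LogAllowed"]  = [string]$p.LogAllowed
    $snap["Firewall.$($p.Name).LogFileName"] = $p.LogFileName
}
$snap['Firewall.DefaultLogExists'] =
    Test-Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 2. SHA-256 and Authenticode status of every explorer.exe / notepad.exe under
#    the Windows directory (thread: two Explorer variants, notepad not runnable).
foreach ($f in Get-ChildItem $env:SystemRoot -Recurse -Include explorer.exe, notepad.exe -File) {
    $sig = Get-AuthenticodeSignature $f.FullName
    $snap["Bin.$($f.FullName)"] = '{0} {1} {2}' -f `
        (Get-FileHash $f.FullName -Algorithm SHA256).Hash, $sig.Status, $sig.SignerCertificate.Subject
}

# 3. WHHLight logs from Andy's list: size, line count (the FirewallHardening
#    entry count) and last write. The folder name under C:\Windows\Temp is not
#    known here, so Firewall.log / Defender.log are located by search (assumption).
$logs = @("$env:LOCALAPPDATA\Temp\WDAC_BlockedEvents.log",
          "$env:LOCALAPPDATA\Temp\SWH_BlockedEvents.log",
          "$env:SystemRoot\Hard_Configurator\Temp\FirewallHardening\0\Firewall.log")
$logs += (Get-ChildItem "$env:SystemRoot\Temp" -Recurse -Include Firewall.log, Defender.log -File).FullName
foreach ($l in ($logs | Where-Object { $_ })) {
    if (Test-Path $l) {
        $i = Get-Item $l
        $snap["Log.$l"] = '{0} bytes, {1} lines, modified {2:u}' -f $i.Length, @(Get-Content $l).Count, $i.LastWriteTimeUtc
    } else { $snap["Log.$l"] = 'MISSING' }
}

# 4. Sysmon process-create (1) and file-create (11) events naming the two binaries.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11 } |
      Where-Object { $_.Message -match 'explorer\.exe|notepad\.exe' }
$snap['Sysmon.RelevantEvents'] = @($ev).Count

# Write one "key = value" line per item; compare two runs with Compare-Object.
$out = Join-Path $env:USERPROFILE ("dmz_snapshot_{0:yyyyMMdd_HHmmss}.txt" -f (Get-Date))
$snap.GetEnumerator() | ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value } | Set-Content $out
Write-Host "Snapshot written to $out"
```

Take one snapshot before plugging the laptop into the DMZ and one after; `Compare-Object (Get-Content before.txt) (Get-Content after.txt)` then lists exactly which hashes, settings and logs changed.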

Victor M (Thread author)
Oct 3, 2022
In WHH the middle slider for SmartScreen was turned ON. I had it set to off before.

Configure Defender: Admin SmartScreen for Explorer: reduced to Warn

Can't tell if FirewallHardening was changed because I did not copy down your LOLBin settings beforehand.

Andy Ful (From Hard_Configurator Tools, Developer)
Dec 23, 2014
Can't tell if FirewallHardening was changed because I did not copy down your LOLBin settings beforehand.

You can count the number of entries.
What about the FirewallHardening Log?
Did you see any alerts when running WHHLight?

Victor M (Thread author)
Oct 3, 2022
Hi Andy,

167 items in FirewallHardening

I forgot to turn on logging for Firewall Control; I only tried to log the Defender firewall, and the log was gone.