Andy Ful

I really have no patience for users who don't read manuals or change logs! Oh wait, that's me! Thanks Andy. I'll see if adding exceptions helps with the two small issues (blocks) I see in the log.
Please be very careful when adding exclusions for ASR rules. These exclusions will apply to all ASR rules (except two rules which do not support exclusions).
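An added example (not from this thread and not part of Hard_Configurator or ConfigureDefender) of what "exclusions apply to all ASR rules" looks like from PowerShell: Defender keeps a single ASR-only exclusion list, so a path excluded because of one rule's block in the log is excluded from every rule. It assumes the built-in Defender module on an elevated prompt; the two rule GUIDs it warns about are Microsoft's published IDs for the rules the thread names as not honouring exclusions, and the BleachBit path in the usage lines is a hypothetical placeholder.

```powershell
# Added example, not H_C/ConfigureDefender code. Run in an elevated PowerShell.
# Assumes the Defender PowerShell module (Get-/Add-/Remove-MpPreference).

$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Rules that ignore the exclusion list (GUIDs from Microsoft's ASR reference):
$noExclusionRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

function Get-AsrState {
    # One row per configured rule, plus the single exclusion list shared by all rules.
    $pref = Get-MpPreference
    $rows = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpper()
        [pscustomobject]@{
            RuleId            = $id
            Action            = $asrActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            HonoursExclusions = -not $noExclusionRules.ContainsKey($id)
        }
    }
    [pscustomobject]@{
        Rules      = $rows
        Exclusions = @($pref.AttackSurfaceReductionOnlyExclusions)   # applies to ALL rules above
    }
}

function Add-AsrExclusion {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$BlockingRuleId                        # GUID seen in the 1121 event, if known
    )
    # The path is removed from evaluation by every ASR rule, not just the one that logged it.
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Refusing to exclude a path that does not exist: $Path"
    }
    if ($BlockingRuleId -and $noExclusionRules.ContainsKey($BlockingRuleId.ToUpper())) {
        Write-Warning "Rule $BlockingRuleId does not support exclusions; this will not stop its blocks."
    }
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    # Return $true when the exclusion is now present.
    (Get-MpPreference).AttackSurfaceReductionOnlyExclusions -contains $Path
}

function Remove-AsrExclusion {
    param([Parameter(Mandatory)][string]$Path)
    Remove-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    -not ((Get-MpPreference).AttackSurfaceReductionOnlyExclusions -contains $Path)
}

# Usage (hypothetical path):
# (Get-AsrState).Rules | Format-Table -AutoSize
# Add-AsrExclusion -Path 'C:\Program Files (x86)\BleachBit\bleachbit.exe' -BlockingRuleId '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
# Remove-AsrExclusion -Path 'C:\Program Files (x86)\BleachBit\bleachbit.exe'
```

The `Test-Path` check is there because a mistyped exclusion silently does nothing, and the warning exists because adding an exclusion for a block logged by one of the two listed rules is wasted effort that still widens the exposure of every other rule.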
 

oldschool

Thanks to both of you for pointing this out. And also for the warning that the exclusions are applied almost globally.

Which are the two rules that don't support exclusions?
"Impede JavaScript and VBScript to launch executables"

"Block process creations originating from PSExec and WMI commands"

And as you said in an earlier post, most of the ASR glitches come from the "lsass.exe" rule. On my system the log shows this rule blocked an operation by Bleachbit but BB seems to be working fine (unless there is some effect I'm not aware of). Same with the Brave update. This is puzzling to me.

Edit: Now that I think of it, it was probably Bleachbit performing its occasional update check.
 

shmu26

And as you said in an earlier post, most of the ASR glitches come from the "lsass.exe" rule. On my system the log shows this rule blocked an operation by Bleachbit but BB seems to be working fine (unless there is some effect I'm not aware of). Same with the Brave update. This is puzzling to me.

Edit: Now that I think of it, it was probably Bleachbit performing its occasional update check.
Thanks.
It is common for lsass blocking to fill up the log with entries, but not interfere with functionality of the app involved.
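An added example (not from this thread, not part of H_C or ConfigureDefender) that turns the "lsass blocking fills up the log" observation into something you can check: it reads the ASR block (1121) and audit (1122) events from Defender's operational log and counts them per rule and per process, so you can see which rule dominates and which programs trigger it before deciding whether anything is actually broken. Assumptions: the standard log name and event IDs, and that the event message carries `ID:`, `Path:` and `Process Name:` lines in the usual layout; the rule names table maps Microsoft's published GUIDs.

```powershell
# Added example, not thread or project code. Reading the log may need elevation.
# Assumes 1121 = ASR blocked, 1122 = ASR audit, in the Defender operational log.

$asrRuleNames = @{
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age or trusted list criteria'
}

function Get-AsrEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed message layout: one "ID:", "Path:" and "Process Name:" line each.
        $msg    = $_.Message
        $ruleId = if ($msg -match '(?m)^\s*ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() } else { 'unknown' }
        $target = if ($msg -match '(?m)^\s*Path:\s*(.+?)\s*$') { $Matches[1] } else { '' }
        $proc   = if ($msg -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $ruleId
            Rule    = if ($asrRuleNames.ContainsKey($ruleId)) { $asrRuleNames[$ruleId] } else { $ruleId }
            Process = $proc      # the program that did the blocked action (e.g. an updater)
            Target  = $target    # what it touched (for the lsass rule: lsass.exe)
        }
    }
}

function Get-AsrNoiseSummary {
    param([int]$Days = 7)
    # Top rows are the rule/process pairs filling the log. A high count from the lsass
    # rule against an updater that still works is noise; a count against a program that
    # misbehaves is the one worth an exclusion decision.
    Get-AsrEvents -Days $Days |
        Group-Object Rule, Process |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Rule / Process'; e = { $_.Name } }
}

# Usage:
# Get-AsrNoiseSummary -Days 30 | Format-Table -AutoSize -Wrap
# Get-AsrEvents -Days 30 | Where-Object Rule -like '*lsass*' | Format-Table Time, Mode, Process
```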
 

Windows_Security

@Andy Ful

I updated your excellent program on my ASUS 2-in-1 again and noticed the disable USB execution option was greyed out (and automatically turned from on to off). I know it has been reported as not working correctly, but on my Asus 2-in-1 it works fine. Would it be possible to provide an option to enable this? (I had forgotten which registry keys they were, so it took me some time to find them again.)

Also, would you consider adding rdpshell.exe to the list of sponsors?

** note for myself ** Disable USB execution (so I can find it easily when you keep it switched off :))
Windows Registry Editor Version 5.00

; Policy "Removable Disks: Deny execute access" (Removable Storage Access).
; The parent key only needs to exist; the per-class subkey carries the value.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]

; {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} is the device setup class for Removable Disks.
; Deny_Execute = 1 denies execute access; delete the value to return to "Not configured".
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Execute"=dword:00000001


Thanks for all the effort you have put into H_C, ConfigureDefender and DocumentsAntiExploit. Using your software, WD is the only security I need.
 

Andy Ful

@Andy Ful
...
I updated your excellent program on my ASUS 2-in-1 again and noticed the disable USB execution was greyed out (and automatically turned from on to off). I know it has been reported as not working correctly, but on my Asus 2-in-1 it works fine.
...
Thanks for the kind words. I will think about it, although it will be risky for some users.
Anyway, if you have installed Windows 10, then there is an ASR rule that blocks untrusted and unsigned processes that run from USB. Furthermore, the execution from USB is blocked by recommended SRP settings. Do you have any problem with applying these restrictions?

Also, would you consider adding rdpshell.exe to the list of sponsors?
...
From what I learned about rdpshell.exe, it can work only with an open Remote Desktop session. But H_C blocks it and some other remote features via <Block Remote Access>.
Do you have in mind the scenario, when the user wants to use some remote features and block only RemoteApp session?
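An added example (not from this thread, not part of H_C or ConfigureDefender) showing the two USB controls mentioned above side by side: the ASR rule "Block untrusted and unsigned processes that run from USB" put into audit mode first, so 1122 events reveal what it would block before it can break anything, and a read of the Deny_Execute policy from the .reg file posted earlier. Assumptions: an elevated prompt with the Defender module; the ASR GUID is Microsoft's published ID for that rule; the Removable Disks class GUID is the one in the posted .reg file. Nothing here writes the Deny_Execute value, given the warning in the thread about what happens when it fails.

```powershell
# Added example, not H_C code. Run elevated.
$UsbAsrRule = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'   # Block untrusted/unsigned processes from USB
$RemovableDisksPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbAsrRuleState {
    # Returns NotConfigured / Disabled / Block / Audit / Warn for the USB rule.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { ([string]$_).ToLower() })
    $idx  = [array]::IndexOf($ids, $UsbAsrRule)
    if ($idx -lt 0) { return 'NotConfigured' }
    switch ([int]$pref.AttackSurfaceReductionRules_Actions[$idx]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
    }
}

function Set-UsbAsrRule {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode')
    # Audit first: the rule logs 1122 events for what it would have blocked, nothing is stopped.
    # Switch to Enabled only after reviewing those events for your own USB tools.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $UsbAsrRule -AttackSurfaceReductionRules_Actions $Mode
    Get-UsbAsrRuleState
}

function Get-RemovableDiskExecutePolicy {
    # Deny_Execute = 1 is the "Removable Disks: Deny execute access" policy from the posted .reg file.
    # A missing key or value means the policy is not configured, i.e. execution from USB is allowed.
    $v = Get-ItemProperty -Path $RemovableDisksPolicy -Name Deny_Execute -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'NotConfigured' } elseif ($v.Deny_Execute -eq 1) { 'Denied' } else { 'Allowed' }
}

function Get-UsbExecutionControls {
    # Both mechanisms at a glance: the ASR rule blocks only untrusted/unsigned binaries and is
    # managed by Defender; Deny_Execute is a storage policy that refuses execution from the
    # removable disk regardless of signature.
    [pscustomobject]@{
        AsrUsbRule        = Get-UsbAsrRuleState
        RemovableDisksExe = Get-RemovableDiskExecutePolicy
    }
}

# Usage:
# Set-UsbAsrRule -Mode AuditMode
# Get-UsbExecutionControls
```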
 

Windows_Security

@Andy Ful

Blocking unsigned USB. I have to check that ASR rule, thanks. Since the USB block works on all our devices (a desktop, a Lenovo Yoga and an Asus Transformer), the width/impact of the problem is low in my personal experience. No problem when you don't facilitate it, but H_C is actively disabling it now.

RDPshell: not really at the moment, but when Microsoft starts to advise blocking some unneeded programs (thanks to @shmu26, Discuss - Microsoft Recommends Default-Deny (Sort of)), why not block this unnecessary one as well (when not using remote access)? Remote Desktop allows the access, RDPshell the (possibly malicious) action, so blocking both is a sort of double lock.

Regards Kees
 

Andy Ful

@Andy Ful
..
No problem when you don't facilitate it, but H_C is actively disabling it now.
...
From the next version, H_C will stop actively disabling this feature. I do not want to enable it in H_C because when it fails, then the computer is bricked even after restarting into Safe Mode.

RDPshell: not really at the moment, but when Microsoft starts to advise blocking some unneeded programs (thanks to @shmu26, Discuss - Microsoft Recommends Default-Deny (Sort of)), why not block this unnecessary one as well (when not using remote access)? Remote Desktop allows the access, RDPshell the (possibly malicious) action, so blocking both is a sort of double lock.

Regards Kees
I am sure that you do not need to block it. Blocking remote control is very important for home users, so it is applied in H_C by default. The only way to use rdpshell.exe with Remote Desktop disabled could be related to some unknown Windows exploit and the installation of some additional modules. But your requests are always important to me, so I will add rdpshell.exe to the blocked Sponsors in the next version of H_C.
 

Andy Ful

Is there a way to make the Sponsors list customizable, sort of like the Whitelist By Path list is? Then, extreme security enthusiasts can torture their own systems as they wish.
I have been thinking about it for a long time, but I am still not sure. Blocking more than is actively used by malc0ders is dangerous to the system/software stability (H_C can block over 170 programs and modules from the Windows folder).
H_C allows only those tortures which cannot kill the victim for sure.
 

Andy Ful

You can use OSArmor. It overlaps a little with ASR rules, but can add some useful protection.
You have to remember that some OSArmor advanced settings related to PowerShell may block the actions of ConfigureDefender, so you have to make exclusions in OSArmor.
 

oldschool

Question about "Max" settings: When I get a SmartScreen block on a new file, such as a beta version of one of your tools, it seems that I can't click past SmartScreen anymore, even if I want to. What is recommended?
That's because Max sets SmartScreen to Block in Edge, etc. Please change it to "Warn" or "User". I always first choose a protection level and then manually adjust individual features as needed.
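An added example (not from this thread and not ConfigureDefender's own code) of where the "can't click past SmartScreen" behaviour lives: the Windows shell policy (`EnableSmartScreen` with `ShellSmartScreenLevel` = Block or Warn) and the Edge policies that hide the override link on its warning pages. The registry locations are the documented Windows and Microsoft Edge policy keys; the mapping of these values to ConfigureDefender's "Block"/"Warn" labels is my assumption, and "User" is taken here to mean removing the policy values so the user's own Windows Security setting applies, which is also an assumption. Changing values needs an elevated prompt.

```powershell
# Added example, not ConfigureDefender code. Run elevated to change values.
$ShellPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$EdgePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-SmartScreenPolicy {
    # Read-only view of the policy values that decide whether a verdict can be overridden.
    $shell = Get-ItemProperty -Path $ShellPolicy -ErrorAction SilentlyContinue
    $edge  = Get-ItemProperty -Path $EdgePolicy  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ShellEnabled        = $shell.EnableSmartScreen                       # 1 = policy-enforced on
        ShellLevel          = $shell.ShellSmartScreenLevel                   # 'Block' = no "Run anyway"; 'Warn' = override allowed
        EdgeEnabled         = $edge.SmartScreenEnabled                       # 1 = SmartScreen on in Edge
        EdgeNoOverrideSites = $edge.PreventSmartScreenPromptOverride         # 1 = no bypass link for site warnings
        EdgeNoOverrideFiles = $edge.PreventSmartScreenPromptOverrideForFiles # 1 = no bypass link for downloads
    }
}

function Set-SmartScreenLevel {
    param([ValidateSet('Block', 'Warn', 'User')][string]$Level)
    if ($Level -eq 'User') {
        # Assumed meaning of "User": drop the policy values so the Windows Security UI setting applies.
        foreach ($n in 'EnableSmartScreen', 'ShellSmartScreenLevel') {
            Remove-ItemProperty -Path $ShellPolicy -Name $n -ErrorAction SilentlyContinue
        }
        foreach ($n in 'SmartScreenEnabled', 'PreventSmartScreenPromptOverride', 'PreventSmartScreenPromptOverrideForFiles') {
            Remove-ItemProperty -Path $EdgePolicy -Name $n -ErrorAction SilentlyContinue
        }
        return Get-SmartScreenPolicy
    }
    # Block and Warn both keep SmartScreen enforced; they differ only in whether the user may override.
    $noOverride = if ($Level -eq 'Block') { 1 } else { 0 }
    foreach ($k in $ShellPolicy, $EdgePolicy) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $ShellPolicy -Name EnableSmartScreen     -Type DWord  -Value 1
    Set-ItemProperty -Path $ShellPolicy -Name ShellSmartScreenLevel -Type String -Value $Level
    Set-ItemProperty -Path $EdgePolicy  -Name SmartScreenEnabled                        -Type DWord -Value 1
    Set-ItemProperty -Path $EdgePolicy  -Name PreventSmartScreenPromptOverride          -Type DWord -Value $noOverride
    Set-ItemProperty -Path $EdgePolicy  -Name PreventSmartScreenPromptOverrideForFiles  -Type DWord -Value $noOverride
    Get-SmartScreenPolicy
}

# Usage:
# Get-SmartScreenPolicy                 # confirm whether "Block" is what stops the click-through
# Set-SmartScreenLevel -Level Warn      # keep SmartScreen on, allow "Run anyway" for a known-good beta
# Set-SmartScreenLevel -Level Block     # restore after testing
```

Warn is the sensible middle ground for the situation in the question: the check still runs and still warns on an unknown beta build, but a deliberate override remains possible, whereas Block is the right choice on a machine where nobody should be making that call.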