Latest Changes: Jul 29, 2019
Operating System: Windows 10
Windows Edition: Pro
Version or Build no.: Version 1903 OS Build 18362.267
System type: 64-bit operating system; x64-based processor
Security Updates: Automatic Updates (recommended)
User Access Control: Always Notify
Network Security (Firewall): Windows Defender Firewall
Device Security: Windows Defender SmartScreen (Windows 10)
User Account: Administrator
Sign-in Accounts: Microsoft (@outlook.com)
Sign-in Options:
  • Password
  • Windows Hello PIN (recommended)
  • Windows Hello Fingerprint
Malware Testing: I do not participate in downloading malware samples
Real-time Web & Malware Protection: Windows Defender and Hard_Configurator beta ver. 4.1.1.1
RTP - Custom security settings: Major changes for Increased security
RTP - Details of Custom security settings:
  • Removed Internet Explorer 11.
  • Hard_Configurator Beta 4.1.1.1 with Windows 10 Recommended Enhanced profile.
  • ConfigureDefender 2.0.1.0 at High protection level.
  • FirewallHardening 1.0.1.0 added Recommended H_C.
  • Exploit Protection for Edge Dev (App & Browser Control of Windows Defender).
  • I enabled Windows Defender Sandbox by running:
    Code:
    setx /M MP_FORCE_USE_SANDBOX 1
Virus and Malware Removal Tools: HitmanPro, Zemana AntiMalware and AdwCleaner (for the kids)
Browsers and Extensions:
  • Microsoft Edge Dev with uBlock Origin, Bitdefender TrafficLight and Bitwarden
  • Google Chrome with uBlock Origin, Bitdefender TrafficLight and Bitwarden
Privacy-focused Apps and Extensions: uBlock Origin in Medium mode for Lighter and Stronger Protection, with Less websites breakage and hassle:
    Discuss - uBlock0rigin in Medium mode for Lighter and Stronger Protection, with Less websites breakage and hassle
Password Managers: Bitwarden
Web Search: Google
System Utilities: O&O ShutUp10, Patch My PC, Autoruns, CCleaner Pro, HDCleaner and Disk Cleanup
Data Backup: OneDrive, File History
Frequency of Data backups: Always-on Sync
System Backup: Windows system image
Frequency of System backups: Occasionally
Computer Activity:
  • Online banking
  • Browsing web and email
  • Watch movies and other entertainment content on the Internet
  • Shared device is used by family members
  • Office and work related tasks
  • Video or photography editing
Computer Specifications:
  • Acer Aspire VN7-791G-576X
  • Intel Core i5-4210H
  • Intel HD Graphics 4600 / NVIDIA GeForce GTX 860M
  • Kingston 16GB Dual-Channel DDR3 PC3-12800 RAM
  • Samsung SSD 850 EVO M.2 250GB
  • Seagate HDD ST1000LM014-1EJ164 1TB
  • Realtek High Definition Audio
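The config above enables the Windows Defender sandbox with `setx /M MP_FORCE_USE_SANDBOX 1`, but setx only writes the machine environment; the Defender service picks the variable up at its next start. The following PowerShell function is an added check, not part of the original post or of Hard_Configurator, that reports whether the variable is set and whether the sandbox is actually running. It assumes that the sandboxed content process is named MsMpEngCP.exe, which is how Microsoft described the feature when it shipped.

```powershell
# Added example (not from the original post): verify the Defender sandbox after
# "setx /M MP_FORCE_USE_SANDBOX 1". Assumption: the sandboxed content process is
# MsMpEngCP.exe, running next to the normal MsMpEng.exe engine process.
function Test-DefenderSandbox {
    [CmdletBinding()]
    param()

    # setx /M writes the machine-scope environment; a shell opened afterwards inherits it.
    $machineValue = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    $configured   = ($machineValue -eq '1')

    # When the sandbox is active, Defender spawns a separate low-privilege content process.
    $contentProcess = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue
    $active = ($null -ne $contentProcess)

    $note = if (-not $configured) {
        'MP_FORCE_USE_SANDBOX is not 1 in the machine environment; run setx /M MP_FORCE_USE_SANDBOX 1 from an elevated prompt.'
    } elseif (-not $active) {
        'Variable is set but MsMpEngCP.exe is not running: the Defender service reads the variable at start-up, so reboot first.'
    } else {
        'Sandbox content process MsMpEngCP.exe is running.'
    }

    [PSCustomObject]@{
        VariableSet   = $configured
        SandboxActive = $active
        Note          = $note
    }
}

Test-DefenderSandbox
```

The two flags are deliberately separate: "VariableSet = True, SandboxActive = False" is the normal state right after running setx and before a reboot, and is the case most often mistaken for the feature not working.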

    Gandalf_The_Grey

    Level 20
    Verified
    Yes, the H_C thread is the best place for questions. BTW: you copied my config! :LOL: except for VoodooShield. Nice setup! (y)

    Edit: Whitelisting is easy by process or hash. My main gripe is CFA. Exclusions are possible but don't always seem to work. I'm on the fence about enabling it or not.
    Yeah, like your setup. Went away from VS because Dan got himself banned from almost everywhere. It's still a great program.
    Any tips where to do the whitelisting in H_C?
     

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    There are two buttons: <Whitelist By Path> and <Whitelist By Hash>.(y)
    What do you want to whitelist? Is something blocked?
    Please read the help about whitelisting buttons, and let me know if anything is not clear (the help files are written in Polish-English).:giggle:
     

    Gandalf_The_Grey

    Level 20
    Verified
    There are two buttons: <Whitelist By Path> and <Whitelist By Hash>.
    What do you want to whitelist? Is something blocked?
    Okay, thanks. Do I have to press APPLY CHANGES after that?
    A block I see at the moment:
    Access to C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe has been restricted by your Administrator by the default software restriction policy level.
    I also have a lot of lsass.exe messages like this one:
    Windows Defender Antivirus audited an operation that is not allowed by your IT administrator.
    For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2019-01-18T18:12:47.683Z
    User: xxx\xxx
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Windows\System32\Taskmgr.exe
    Signature Version: 1.283.3241.0
    Engine Version: 1.1.15500.2
    Product Version: 4.18.1812.3
    I have other warnings for, for example, CCleaner, HitmanPro and Zemana AntiMalware portable.
     

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    Okay, thanks. Do I have to press APPLY CHANGES after that?
    A block I see at the moment:

    I also have a lot of lsass.exe messages like this one:

    I have other warnings for, for example, CCleaner, HitmanPro and Zemana AntiMalware portable.
    You have to apply changes; they will require logging off from the account.

    You probably do not need the blocked application software_reporter_tool.exe, see here:
    How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
    This tool is installed in an unsafe location, 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter' totally empty.

    You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts. Those settings are set to Audit, so that the user can see if enabling them would cause some problems.
     

    Gandalf_The_Grey

    Level 20
    Verified
    You have to apply changes; they will require logging off from the account.

    You probably do not need the blocked application software_reporter_tool.exe, see here:
    How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
    This tool is installed in an unsafe location, 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter' totally empty.

    You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts. Those settings are set to Audit, so that the user can see if enabling them would cause some problems.
    Thanks again for your great support (y)
    I have put the 4 audit settings in ConfigureDefender to disabled.
    Will see tomorrow if there are still any blocks and/or warnings.
     

    Windows_Security

    Level 23
    Verified
    Trusted
    Content Creator
    @Gandalf_The_Grey

    What did you do? You mentioned the new Adguard Beta extension with Stealth, of which I was completely unaware! I am in my second day of the Browser Extension Anonymous rehab program. I can't sleep, I can't watch my favourite series, I am just staring at the twitter post of Adguard Beta in this thread. I don't dare to touch the keyboard or mouse. I am talking out loud, repeating my rehab mantra: don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, . . . .

    My name is Kees and I am . . .
     

    Gandalf_The_Grey

    Level 20
    Verified
    @Gandalf_The_Grey

    What did you do? You mentioned the new Adguard Beta extension with Stealth, of which I was completely unaware! I am in my second day of the Browser Extension Anonymous rehab program. I can't sleep, I can't watch my favourite series, I am just staring at the twitter post of Adguard Beta in this thread. I don't dare to touch the keyboard or mouse. I am talking out loud, repeating my rehab mantra: don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, . . . .

    My name is Kees and I am . . .
    Sorry Kees. It just looked so cool and shiny.... :oops: Have to be more careful when posting these things :D
    Maybe @Jack can block those posts especially for you :unsure:
     

    Windows_Security

    Level 23
    Verified
    Trusted
    Content Creator
    @oldschool,

    Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistent, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

    Stealth mode really impressive

    Regards Kees
     

    oldschool

    Level 32
    Verified
    @oldschool,

    Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistent, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

    Stealth mode really impressive

    Regards Kees
    :LOL::LOL::LOL:
     

    Gandalf_The_Grey

    Level 20
    Verified
    You have to apply changes; they will require logging off from the account.

    You probably do not need the blocked application software_reporter_tool.exe, see here:
    How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
    This tool is installed in an unsafe location, 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter' totally empty.

    You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts. Those settings are set to Audit, so that the user can see if enabling them would cause some problems.
    The only warning left on my system after setting the 4 audit settings to disabled is for the software_reporter_tool.exe. (y)
    Access to C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe has been restricted by your Administrator by the default software restriction policy level.
    I don't want to block it.
    Should I Whitelist it by hash?
    What is the best option here?
     

    Windows_Security

    Level 23
    Verified
    Trusted
    Content Creator
    Options
    1. Most secure - no hassle: Leave it as it is (Software Restriction Policies will block it, elevated Chrome update is allowed to update it)
    2. Secure with hassle: Allow by hash, after an update the hash is probably changed, so you need to recreate an allow by hash rule
    3. Less secure with no hassle: Allow by path name, name remains the same, but processes spoofing this name could sneak through SRP

    I would follow Andy's advice (option 1) and set the chrome flag "Extension Content Verification" to "Enforce strict (if we can get hashes ..." or similar text. This should prevent sneaky side-loading of extensions. Since you only use some (three?) reputable extensions, you should be fine.
     

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    ...
    I don't want to block it.
    Should I Whitelist it by hash?
    What is the best option here?
    You can whitelist it, because such a vulnerability could be exploited in practice only in targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
    Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead of xxx:
    C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe
     

    Gandalf_The_Grey

    Level 20
    Verified
    You can whitelist it, because such a vulnerability could be exploited in practice only in targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
    Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead of xxx:
    C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe
    Thank you, that seems to work and learned something new about using wildcards. (y)
     

    Gandalf_The_Grey

    Level 20
    Verified
    Options
    1. Most secure - no hassle: Leave it as it is (Software Restriction Policies will block it, elevated Chrome update is allowed to update it)
    2. Secure with hassle: Allow by hash, after an update the hash is probably changed, so you need to recreate an allow by hash rule
    3. Less secure with no hassle: Allow by path name, name remains the same, but processes spoofing this name could sneak through SRP

    I would follow Andy's advice (option 1) and set the chrome flag "Extension Content Verification" to "Enforce strict (if we can get hashes ..." or similar text. This should prevent sneaky side-loading of extensions. Since you only use some (three?) reputable extensions, you should be fine.
    Did option 2 with wildcards (and the help from Andy) and set the chrome flag "Extension Content Verification" to "Enforce strict".
    Using currently 4 extensions (AdGuard, Emsisoft, Windows Defender and LastPass) and try hard to keep that number... ;)
     

    Handsome Recluse

    Level 19
    Verified
    @oldschool,

    Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistent, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

    Stealth mode really impressive

    Regards Kees
    What does it have over the original version other than Stealth Mode and a new UI?
     

    Gandalf_The_Grey

    Level 20
    Verified
    What does it have over the original version other than Stealth Mode and a new UI?
    From: AdguardTeam/AdguardBrowserExtension :
    [Improved] Renewed design
    Fresh icon and menu designs that make the interface more natural and user-friendly, with a big "On/Off" switch. Brand-new "Statistics" tab creates charts based on your blocked ads statistics, with the ability to show different types of data: total, filter-specific etc.
    What's more, the user filter editor has undergone a few changes too. Luminous element highlighting and auto-save function as well as unified filtering rules' text field should make editing more convenient.
    [Improved] Get rid of the tabs in the filters settings
    Now, each filter category (group of filters with similar purpose e.g. Ad blocking, Social Widgets etc.) has an icon and is easier to access. In addition, it can be turned on/off at once, thus making filter management smoother.
    [Added] Merge StealthMode Extension code
    We took online privacy protection in our extension to the next level by adding the Privacy module, which until this day existed only in the standalone AdGuard for Windows app. Although it doesn't have the full capabilities of its desktop parent yet, it still makes the extension all the more effective for protecting privacy against trackers and analytical systems.
    [Added] "Filters update period" setting
    Before, filters were automatically updated every 48 hours (default period), now you can adjust the frequency of automatic updates (by choosing from options: every 1/6/12/24/48 hours) or disable them completely, in case you prefer to update them manually.
    [Added] An option to disable integration mode while keeping the extension up
    If you already have the AdGuard app, our browser extension may become a very useful additional tool, which can completely replace the browser-based "AdGuard Assistant" module (learn more). It's called Integration mode and now you can turn it on or off in the "Other settings" tab.
    And lots more added, changed, fixed and improved (under Common)
      • [Added] Notifications for various actions, e.g. filter updates #1167
      • [Added] A notification with changelog after an update #1025
      • [Added] "About" screen #1135
      • [Added] $cookie modifier support #961
      • [Added] "Submit a complaint" item to the right-click menu #1072
      • [Added] Update filter after enabling it #1181
      • [Added] Show notify when checking for filters update using context menu #1073
      • [Changed] Wording for manual blocking tool options #1169
      • [Changed] A forwarder is now used for all links #1109
      • [Changed] Localizations have been updated #1174
      • [Fixed] Assistant advanced settings button doesn't respond #1091
      • [Fixed] $extension modifier prevents first-party URL blocking #1122
      • [Fixed] Invalid exclusions are created using Filtering Log #1131
      • [Fixed] "Third-party" icon size in Filtering Log #1069
      • [Fixed] Some hidden elements are not shown in the Filtering Log #1123
      • [Fixed] Some requests are not visible in the Filtering Log #1138
      • [Fixed] While in integration mode, new rules are not imported to the desktop AG User filter #10
      • [Fixed] Incorrect file types are accepted when you try to import a User filter #1039
      • [Fixed] AdGuard settings are not fully visible when accessing them from the overflow menu #970
      • [Improved] $csp rules are now disabled if there's a document-level exception applied to the website #1093
      • [Improved] Extension is now more friendly towards visually impaired users #953
      • [Improved] Multiple $replace rules can be applied to a single web request now #1092
      • [Improved] Network requests excluded by a rule in a custom filter can now be blocked #1044
      • [Improved] "abp:subscribe" links are now intercepted properly #1149
     

    notabot

    Level 8
    You can whitelist it, because such a vulnerability could be exploited in practice only in targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
    Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead of xxx:
    C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe
    Why shouldn't this be whitelisted in the case of a targeted attack?
     

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    Why shouldn't this be whitelisted in the case of a targeted attack?
    The path of software_reporter_tool.exe is writable. If there is a danger of targeted attacks (as in organizations), then no writable path should be executable, except for the files whitelisted by hash.
    Otherwise, the attacker could obtain the information, or simply guess the whitelisted path, silently replace the whitelisted file with the malware, and then successfully execute the malware. Furthermore, the malware could be started with Windows.
    In the home environment with a default-deny setup, such a scenario is rather improbable.
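The three options Windows_Security lists (leave blocked, allow by hash, allow by path) and Andy's explanation of why a path rule in a writable folder is the weak one come down to two checkable facts: who can write to the folder, and what the file's hash is. The PowerShell function below is an added example written for this thread; it is not Hard_Configurator's code and does not read its rule set. It reports both facts for a candidate executable and tests it against a wildcard rule. Assumptions: PowerShell's -like operator (? = one character, * = any run) stands in for the H_C path matcher, and a folder under C:\Users\ is treated as writable by its owner's malware even where the ACL names the account rather than BUILTIN\Users.

```powershell
# Added example for this thread, not Hard_Configurator code. Assumptions: -like approximates
# the H_C wildcard matcher; anything under C:\Users\ counts as writable by a standard user.
function Get-WhitelistRisk {
    param(
        [Parameter(Mandatory)] [string] $Path,   # executable you are thinking of whitelisting
        [string] $Pattern                        # optional path rule, e.g. the ??.???.??? form
    )

    # Principals whose write access makes a folder "writable by any malware" in the thread's sense.
    $lowPrivilege = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    $dir = Split-Path -Parent $Path
    $writers = @()
    if (Test-Path -LiteralPath $dir) {
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($lowPrivilege -contains $ace.IdentityReference.Value) -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                $writers += $ace.IdentityReference.Value
            }
        }
    }

    # A user profile is writable by that user, hence by malware running as that user. The
    # SwReporter folder from the thread lives there, which is why a path rule for it is weak.
    $profilesRoot = Join-Path $env:SystemDrive 'Users'
    $inProfile = $dir -like "$profilesRoot\*"
    $writable  = $inProfile -or ($writers.Count -gt 0)

    $hash = $null
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # What a "Whitelist By Hash" rule is bound to: file content, not its name or folder.
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }

    $ruleMatch = if ($Pattern) { $Path -like $Pattern } else { $null }

    $advice = if (-not $writable) {
        'Folder is not writable by standard users: a path rule is acceptable.'
    } elseif ($hash) {
        'Writable folder: prefer the hash rule (recreate it after updates) or leave the block in place.'
    } else {
        'Writable folder and file not present: nothing to whitelist yet, leave the block in place.'
    }

    [PSCustomObject]@{
        Path                   = $Path
        MatchesPathRule        = $ruleMatch
        WritableByStandardUser = $writable
        WritePrincipals        = ($writers -join ', ')
        Sha256                 = $hash
        Recommendation         = $advice
    }
}

# The path from the thread (xxx replaced by the current account) checked against the wildcard rule.
$reporter = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe'
$rule     = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe'
Get-WhitelistRisk -Path $reporter -Pattern $rule

# A system folder for comparison: per-machine installs under Program Files are not user-writable.
Get-WhitelistRisk -Path (Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe')
```

Running the two calls side by side shows the trade-off in the thread concretely: the SwReporter path matches the wildcard rule but sits in a writable folder, so the rule trusts whatever file is dropped there next; the Program Files path does not, so a path rule there costs nothing extra. Whether the writable case matters is the judgement Andy makes above: for a home machine with default deny it is a targeted-attack scenario, for an organization the hash rule is the one to keep.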