Latest Changes
Mar 17, 2019
Operating System
Windows 10
Windows Edition
Pro
Build
Version 1809 OS Build 17763.379
System Architecture
64-bit OS
Security Updates
Automatic Updates - All security and feature updates
User Access Control
Always Notify
Firewall
Windows Firewall - Network security provided by Microsoft
Device Security
Windows Defender SmartScreen (Windows 10)
User Account
Administrator - User has complete control over the device
Recent Security Incidents
No malware or privacy issues
Malware Testing
None - No Malware on host PC or VM
Real-time Web & Malware Protection
Emsisoft Anti-Malware 2019.2.0.9269 and Hard_Configurator 4.0.0.2
Custom Settings For Real-Time Protection
Custom - Minor changes for Increased Security
Custom Settings For Real-Time Protection Details
1) Install H_C (ConfigureDefender is already in H_C). Press <ConfigureDefender> button and apply <Defender High> settings.

Change the four Audit settings in ConfigureDefender to Disabled.

Close ConfigureDefender.

2) Use <Load Profile> option in Hard_Configurator and apply "Windows_10_Recommended_Enhanced" profile.

3) Use <Block Sponsors> button to block mshta.exe and iexplore.exe.

Press <APPLY CHANGES> button.

4) Configure browsers:

a) Disable IE11 in Windows10 (programs and features)

b) Add AdGuard extension to Microsoft Edge (enable malware protection to add chrome's + Yandex safe browsing).

c) Install Google Chrome and add the extensions AdGuard and I don't care about cookies.

d) Set the chrome flag "Extension Content Verification" to "Enforce strict".

5) Install Emsisoft Anti-Malware.
Virus and Malware Removal Tools
Windows Defender periodic scanning, HitmanPro and Zemana AntiMalware
Browsers and Extensions
Google Chrome with AdGuard, I don’t care about cookies, Emsisoft Browser Security, Windows Defender Browser Protection and LastPass.
Microsoft Edge with AdGuard, Emsisoft Browser Security and LastPass.
Web Privacy
AdGuard Browser extension
Cloudflare and APNIC 1.1.1.1 DNS
Password Management
LastPass
Default Web Search
Google
System Utilities
Hard_Configurator, O&O ShutUp10, O&O AppBuster, Patch My PC, Autoruns, PrivaZer and Disk Cleanup
Data Backup
OneDrive, File History
Frequency of Data backups
Always-on Sync
System Backup
Windows system image
Frequency of System backups
Occasionally
Computer Activity
Banking
Browsing Internet and email
Watch movies and other video content on the Internet
Device is used by family members
Office and work related tasks
Video or photography editing
Computer Specifications
Acer Aspire VN7-791G-576X
Intel Core i5-4210H
Intel HD Graphics 4600 / NVIDIA GeForce GTX 860M
Kingston 16GB Dual-Channel DDR3 PC3-12800 RAM
Samsung SSD 850 EVO M.2 250GB
Seagate HDD ST1000LM014-1EJ164 1TB
Realtek High Definition Audio

Gandalf_The_Grey

Level 13
Verified
Yes, the H_C thread is the best place for questions. BTW: you copied my config! :LOL: except for VoodooShield. Nice setup! (y)

Edit: Whitelisting is easy by process or hash. My main gripe is CFA. Exclusions are possible but don't always seem to work. I'm on the fence with enabling it or not.
Yeah, like your setup. Went away from VS because Dan got himself banned from almost everywhere. It's still a great program.
Any tips where to do the whitelisting in H_C?
 

Andy Ful

Level 38
Content Creator
Trusted
Verified
There are two buttons: <Whitelist By Path> and <Whitelist By Hash>.(y)
What do you want to whitelist? Is something blocked?
Please read the help about whitelisting buttons, and let me know if anything is not clear (the help files are written in Polish-English).:giggle:
 

Gandalf_The_Grey

Level 13
Verified
There are two buttons: <Whitelist By Path> and <Whitelist By Hash>.
What do you want to whitelist? Is something blocked?
Okay, thanks. Do I have to press APPLY CHANGES after that?
A block I see at the moment:
Access to C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe has been restricted by your Administrator by the default software restriction policy level.
I also have a lot of lsass.exe messages like this one:
Windows Defender Antivirus audited an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2019-01-18T18:12:47.683Z
User: xxx\xxx
Path: C:\Windows\System32\lsass.exe
Process Name: C:\Windows\System32\Taskmgr.exe
Signature Version: 1.283.3241.0
Engine Version: 1.1.15500.2
Product Version: 4.18.1812.3
I have other warnings for, for example, CCleaner, HitmanPro and Zemana AntiMalware portable.
 

Andy Ful

Level 38
Content Creator
Trusted
Verified
Okay, thanks. Do I have to press APPLY CHANGES after that?
A block I see at the moment:

I also have a lot of lsass.exe messages like this one:

I have other warnings for, for example, CCleaner, HitmanPro and Zemana AntiMalware portable.
You have to apply changes - they will require logging off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in an unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter' is totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts. Those settings are set to Audit so that the user can see whether enabling them causes any problems.
 

Gandalf_The_Grey

Level 13
Verified
You have to apply changes - they will require logging off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in an unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter' is totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts. Those settings are set to Audit so that the user can see whether enabling them causes any problems.
Thanks again for your great support (y)
I have put the 4 audit settings in ConfigureDefender to disabled.
Will see tomorrow if there are still any blocks and/or warnings.
 

Windows_Security

Level 21
Content Creator
Trusted
Verified
@Gandalf_The_Grey

What did you do? You mentioned the new Adguard Beta extension with Stealth of which I was completely unaware! I am in my second day of the Browser Extension Anonymous rehab program. I can't sleep, I can't watch my favourite series, I am just staring at the twitter post of Adguard Beta in this thread. I don't dare to touch the keyboard or mouse. I am talking loud repeating my rehab mantra: don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, . . . .

My name is Kees and I am . . .
 

Gandalf_The_Grey

Level 13
Verified
@Gandalf_The_Grey

What did you do? You mentioned the new Adguard Beta extension with Stealth of which I was completely unaware! I am in my second day of the Browser Extension Anonymous rehab program. I can't sleep, I can't watch my favourite series, I am just staring at the twitter post of Adguard Beta in this thread. I don't dare to touch the keyboard or mouse. I am talking loud repeating my rehab mantra: don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, . . . .

My name is Kees and I am . . .
Sorry Kees. It just looked so cool and shiny.... :oops: Have to be more careful when posting these things :D
Maybe @Jack can block those posts especially for you :unsure:
 

Windows_Security

Level 21
Content Creator
Trusted
Verified
@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistent, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive

Regards Kees
 

oldschool

Level 23
Verified
@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistent, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive

Regards Kees
:LOL::LOL::LOL:
 

Gandalf_The_Grey

Level 13
Verified
You have to apply changes - they will require logging off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in an unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter' is totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts. Those settings are set to Audit so that the user can see whether enabling them causes any problems.
The only warning left on my system after setting the 4 audit settings to disabled is for the software_reporter_tool.exe. (y)
Access to C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe has been restricted by your Administrator by the default software restriction policy level.
I don't want to block it.
Should I Whitelist it by hash?
What is the best option here?
 

Windows_Security

Level 21
Content Creator
Trusted
Verified
Options
1. Most secure - no hassle: Leave it as it is (Software Restriction Policies will block it, elevated Chrome update is allowed to update it)
2. Secure with hassle: Allow by hash, after an update the hash is probably changed, so you need to recreate an allow by hash rule
3. Less secure with no hassle: Allow by path name, name remains the same, but processes spoofing this name could sneak through SRP

I would follow Andy's advice (option 1) and set the chrome flag "Extension Content Verification" to "Enforce strict (if we can get hashes ...)" or similar text. This should prevent sneaky side loading of extensions. Since you only use some (three?) reputable extensions, you should be fine.
 

Andy Ful

Level 38
Content Creator
Trusted
Verified
...
I don't want to block it.
Should I Whitelist it by hash?
What is the best option here?
You can whitelist it, because such a vulnerability could be exploited in practice only in targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead of xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe
 

Gandalf_The_Grey

Level 13
Verified
You can whitelist it, because such a vulnerability could be exploited in practice only in targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead of xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe
Thank you, that seems to work and learned something new about using wildcards. (y)
 

Gandalf_The_Grey

Level 13
Verified
Options
1. Most secure - no hassle: Leave it as it is (Software Restriction Policies will block it, elevated Chrome update is allowed to update it)
2. Secure with hassle: Allow by hash, after an update the hash is probably changed, so you need to recreate an allow by hash rule
3. Less secure with no hassle: Allow by path name, name remains the same, but processes spoofing this name could sneak through SRP

I would follow Andy's advice (option 1) and set the chrome flag "Extension Content Verification" to "Enforce strict (if we can get hashes ...)" or similar text. This should prevent sneaky side loading of extensions. Since you only use some (three?) reputable extensions, you should be fine.
Did option 2 with wildcards (and the help from Andy) and set the chrome flag "Extension Content Verification" to "Enforce strict".
Using currently 4 extensions (AdGuard, Emsisoft, Windows Defender and LastPass) and try hard to keep that number... ;)
 

Handsome Recluse

Level 19
Verified
@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistent, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive

Regards Kees
What does it have over the original version other than Stealth Mode and a new UI?
 

Gandalf_The_Grey

Level 13
Verified
What does it have over the original version other than Stealth Mode and a new UI?
From: AdguardTeam/AdguardBrowserExtension :
[Improved] Renewed design
Fresh icon and menu designs that make the interface more natural and user-friendly, with a big "On/Off" switch. A brand-new "Statistics" tab creates charts based on your blocked ads statistics, with the ability to show different types of data: total, filter-specific etc.
What's more, the user filter editor has undergone a few changes too. Luminous element highlighting and an auto-save function, as well as a unified filtering rules text field, should make editing more convenient.
[Improved] Get rid of the tabs in the filters settings
Now, each filter category (group of filters with similar purpose e.g. Ad blocking, Social Widgets etc.) has an icon and is easier to access. In addition, it can be turned on/off at once, thus making filter management smoother.
[Added] Merge StealthMode Extension code
We took online privacy protection in our extension to the next level by adding the Privacy module, which until this day existed only in the standalone AdGuard for Windows app. Although it doesn’t have the full capabilities of its desktop parent yet, it still makes the extension all the more effective for protecting privacy against trackers and analytical systems.
[Added] "Filters update period" setting
Before, filters were automatically updated every 48 hours (default period), now you can adjust the frequency of automatic updates (by choosing from options: every 1/6/12/24/48 hours) or disable them completely, in case you prefer to update them manually.
[Added] An option to disable integration mode while keeping the extension up
If you already have the AdGuard app, our browser extension may become a very useful additional tool, which can completely replace the browser-based “AdGuard Assistant” module (learn more). It’s called Integration mode and now you can turn it on or off in the “Other settings” tab.
And lots more added, changed, fixed and improved (under Common)
- [Added] Notifications for various actions, e.g. filter updates #1167
- [Added] A notification with changelog after an update #1025
- [Added] "About" screen #1135
- [Added] $cookie modifier support #961
- [Added] "Submit a complaint" item to the right-click menu #1072
- [Added] Update filter after enabling it #1181
- [Added] Show notify when checking for filters update using context menu #1073
- [Changed] Wording for manual blocking tool options #1169
- [Changed] A forwarder is now used for all links #1109
- [Changed] Localizations have been updated #1174
- [Fixed] Assistant advanced settings button doesn't respond #1091
- [Fixed] $extension modifier prevents first-party URL blocking #1122
- [Fixed] Invalid exclusions are created using Filtering Log #1131
- [Fixed] "Third-party" icon size in Filtering Log #1069
- [Fixed] Some hidden elements are not shown in the Filtering Log #1123
- [Fixed] Some requests are not visible in the Filtering Log #1138
- [Fixed] While in integration mode, new rules are not imported to the desktop AG User filter #10
- [Fixed] Incorrect file types are accepted when you try to import a User filter #1039
- [Fixed] AdGuard settings are not fully visible when accessing them from the overflow menu #970
- [Improved] $csp rules are now disabled if there's a document-level exception applied to the website #1093
- [Improved] Extension is now more friendly towards visually impaired users #953
- [Improved] Multiple $replace rules can be applied to a single web request now #1092
- [Improved] Network requests excluded by a rule in a custom filter can now be blocked #1044
- [Improved] "abp:subscribe" links are now intercepted properly #1149
 

notabot

Level 8
You can whitelist it, because such a vulnerability could be exploited in practice only in targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead of xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe
Why, in the case of a targeted attack, shouldn't this be whitelisted?
 

Andy Ful

Level 38
Content Creator
Trusted
Verified
Why, in the case of a targeted attack, shouldn't this be whitelisted?
The path of software_reporter_tool.exe is writable. If there is a danger of targeted attacks (like in organizations), then no writable path should be executable, except for files whitelisted by hash.
Otherwise, the attacker could obtain the information or simply guess the whitelisted path, silently replace the whitelisted file with malware, and then successfully execute that malware. Furthermore, the malware could be started with Windows.
In a home environment with a default-deny setup, such a scenario is rather improbable.
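As an added defender-side check (my own example, not from the thread or from Hard_Configurator), the PowerShell below resolves Andy's wildcard pattern, and for each match reports the SHA-256 an "allow by hash" rule would pin, the Authenticode signer, and whether a low-trust principal (Everyone, Authenticated Users, BUILTIN\Users or the logged-on user) can write to that folder, which is the condition behind his targeted-attack caveat. The pattern is the one quoted above; the function names are mine.

```powershell
# Added example: audit what a path-wildcard whitelist would cover.
# The pattern is Andy's H_C rule with %LOCALAPPDATA% standing in for C:\Users\xxx\AppData\Local.
$Pattern = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe'

# Rights that let a principal add or replace files in a folder.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, seen on some inherited ACEs

# If any of these SIDs may write, code running as the ordinary user can drop a file at the whitelisted path.
$CurrentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$LowTrustSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', $CurrentSid)   # Everyone, Authenticated Users, Users, me

function Get-LowTrustWriters {
    # Returns the names of low-trust principals with write rights on $Folder.
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $WriteBits) -eq 0) -and (($rights -band $GenericWriteOrAll) -eq 0)) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identities (e.g. capability SIDs) are skipped
        if ($LowTrustSids -contains $sid) { $ace.IdentityReference.Value }
    }
}

function Test-WhitelistCandidate {
    # One record per file the wildcard pattern matches.
    param([string]$PathPattern)
    $files = @(Get-ChildItem -Path $PathPattern -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { Write-Warning "Nothing matches $PathPattern"; return }
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
        $writers = @(Get-LowTrustWriters -Folder $f.DirectoryName)
        [pscustomobject]@{
            Path              = $f.FullName
            Sha256            = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Signature         = $sig.Status
            Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            LowTrustWriters   = ($writers -join '; ')
            PathRuleSpoofable = ($writers.Count -gt 0)
        }
    }
}

Test-WhitelistCandidate -PathPattern $Pattern | Format-List
```

Under a user profile the logged-on user will always appear as a writer, so PathRuleSpoofable is True for this folder; that is exactly the trade-off between option 1 (leave it blocked), the hash rule (option 2) and the wildcard path rule.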
 
