Hard_Configurator - January 2019 Report

[AlanOstaszewski]

Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.

Spoiler: old configuration

1. Containment: VirtualBox 5.1.38
2. Windows: 10 Home
3. VPN: CyberGhost
4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
5. Office: LibreOffice 6.0 (lowest Macro protection level)

changed configuration from 7 January 2019:
1. Containment: VirtualBox 5.1.38
2. Windows: 10 LTSB
3. VPN: CyberGhost
4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
5. Office: LibreOffice (standard settings)

January 2019	Amount of samples	Samples that have harmed the system/ changed system configuration	Files aren't touched/encrypted	Thread link
1.1.2019 - 3.1.2019	Nothing tested, since I had no access yet.	-	-	-
4.1.2019	6	0	yes	link
5.1.2019	3	0	yes	link
6.1.2019	1	0	yes	link
6.1.2019	1	0	yes	link
7.1.2019	14	0	yes	link
8.1.2019	9	0	yes	link
8.1.2019	1	0	yes	link
9.1.2019	8	0	yes	link
10.1.2019	13	0	yes	link

11.1.2019	1	0	yes	link
11.1.2019	1	0	yes	link
12.1.2019	1	0	yes	link

 

[Andy Ful]

By an accident, the H_C setup is especially well suited to the Malware Hub tests. It will give the best results for the most fresh samples, as compared to any antivirus protection. Those settings assume that the user starts the infection chain, so the malware files start running with the medium rights, and are blocked by the Windows build-in protection activated by H_C settings. That is the scenario related to the home user environment, where the users are well protected against the network attacks (NAT router).
If someone wanted to compare this with AV results, then it is worth mentioning that real-time AV protection is more universal, because it is intended not only for the home user scenario, but also for users in organizations and businesses.

 

[shmu26]

By an accident, the H_C setup is especially well suited to the Malware Hub tests. It will give the best results for the most fresh samples, as compared to any antivirus protection. Those settings assume that the user starts the infection chain, so the malware files start running with the medium rights, and are blocked by the Windows build-in protection activated by H_C settings. That is the scenario related to the home user environment, where the users are well protected against the network attacks (NAT router).
If someone wanted to compare this with AV results, then it is worth mentioning that real-time AV protection is more universal, because it is intended not only for the home user scenario, but also for users in organizations and businesses.

No need for caveats. H_C does well in Malware Hub testing because it protects well.

 

[Andy Ful]

Windows 10 LTSB is a Long Term Servicing Branch for Enterprise edition. It is ideal for Virtual Machines because it supports only security updates, and the trial can be rearmed to 9 months.
https://www.howtogeek.com/273824/windows-10-without-the-cruft-windows-10-ltsb-explained/

 

[bribon77]

Windows 10 LTSB is a Long Term Servicing Branch for Enterprise edition. It is ideal for Virtual Machines because it supports only security updates, and the trial can be rearmed to 9 months.
Windows 10 Without the Cruft: Windows 10 LTSB (Long Term Servicing Branch), Explained

I like it because it's not bloated with unnecessary things. I think I'm a minimalist.

 

[AlanOstaszewski]

Hello! I have created a survey so that you can give me tips for improvement. This poll is anonymous.

If you have time, you can answer a few questions that might help me to improve my tests with Hard_Configurator:
Survey regarding tests with Hard_Configurator

I would like to thank you in advance!

 

[Gandalf_The_Grey]

Hello! I have created a survey so that you can give me tips for improvement. This poll is anonymous.

If you have time, you can answer a few questions that might help me to improve my tests with Hard_Configurator:
Survey regarding tests with Hard_Configurator

I would like to thank you in advance!

Answered the questions.
I don't understand the test and what protects the system. Just the smart screen?

 

[Andy Ful]

Answered the questions.
I don't understand the test and what protects the system. Just the smart screen?

@askalan explained this here:
Update - Hard_Configurator - Windows Hardening Configurator

So, there is no AV (Windows Defender is disabled), only SmartScreen and Windows built-in, hidden security options (activated by Hard_Configurator settings).

When you look at the test video, you can see that EXE files are always run via "Run As SmartScreen", and after SmartScreen check they are mostly flagged as Unrecognized and blocked. If @askalan tried to run the EXE file normally, then it would be blocked by Software Restriction Policies.
The script samples are blocked by SRP. The weaponized documents are allowed to run (also other media files, photos, etc.), but usually the malicious content cannot automatically run in Libre Office.

So far, the malicious code was not even executed on @askalan testing machine.

 

[Moonhorse]

Thanks for adding captions to your videos

 

[bribon77]

Hello! I have created a survey so that you can give me tips for improvement. This poll is anonymous.

If you have time, you can answer a few questions that might help me to improve my tests with Hard_Configurator:
Survey regarding tests with Hard_Configurator

I would like to thank you in advance!

I responded to the survey.
Thank you for trying this great program.

 

[oldschool]

I responded to the survey.
Thank you for trying this great program.

Likewise!

 

[AlanOstaszewski]

Unfortunately I didn't manage to test Hard Configurator every day. I hope it works out for February!
MWT-TEST - Hard_Configurator - February 2019 Report