Hard_Configurator - January 2019 Report

Status
Not open for further replies.

AlanOstaszewski

Level 16
Thread author
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
Disclaimer: Experimental setup for testing the effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with more knowledge about Windows built-in security features.

1. Containment: VirtualBox 5.1.38
2. Windows: 10 Home
3. VPN: CyberGhost
4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
5. Office: LibreOffice 6.0 (lowest Macro protection level)

changed configuration from 7 January 2019:
1. Containment: VirtualBox 5.1.38
2. Windows: 10 LTSB
3. VPN: CyberGhost
4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
5. Office: LibreOffice (standard settings)
January 2019Amount of samplesSamples that have harmed the system/ changed system configurationFiles aren't touched/encryptedThread link

1.1.2019 - 3.1.2019

Nothing tested, since I had no access yet.

-

-

-

4.1.2019

6

0

yes

link

5.1.2019

3

0

yes

link

6.1.2019

1

0

yes

link

6.1.2019

1

0

yes

link

7.1.2019

14

0

yes

link

8.1.2019

9

0

yes

link

8.1.2019

1

0

yes

link

9.1.2019

8

0

yes

link

10.1.2019

13

0

yes

link

11.1.2019

1

0

yes

link

11.1.2019

1

0

yes

link

12.1.2019

1

0

yes

link






































































 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
By an accident, the H_C setup is especially well suited to the Malware Hub tests. It will give the best results for the most fresh samples, as compared to any antivirus protection. Those settings assume that the user starts the infection chain, so the malware files start running with the medium rights, and are blocked by the Windows build-in protection activated by H_C settings. That is the scenario related to the home user environment, where the users are well protected against the network attacks (NAT router).
If someone wanted to compare this with AV results, then it is worth mentioning that real-time AV protection is more universal, because it is intended not only for the home user scenario, but also for users in organizations and businesses.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
By an accident, the H_C setup is especially well suited to the Malware Hub tests. It will give the best results for the most fresh samples, as compared to any antivirus protection. Those settings assume that the user starts the infection chain, so the malware files start running with the medium rights, and are blocked by the Windows build-in protection activated by H_C settings. That is the scenario related to the home user environment, where the users are well protected against the network attacks (NAT router).
If someone wanted to compare this with AV results, then it is worth mentioning that real-time AV protection is more universal, because it is intended not only for the home user scenario, but also for users in organizations and businesses.
No need for caveats. H_C does well in Malware Hub testing because it protects well.
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,260
Hello! I have created a survey so that you can give me tips for improvement. This poll is anonymous.

If you have time, you can answer a few questions that might help me to improve my tests with Hard_Configurator:
Survey regarding tests with Hard_Configurator

I would like to thank you in advance!
Answered the questions.
I don't understand the test and what protects the system. Just the smart screen?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
Answered the questions.
I don't understand the test and what protects the system. Just the smart screen?
@askalan explained this here:
Update - Hard_Configurator - Windows Hardening Configurator

So, there is no AV (Windows Defender is disabled), only SmartScreen and Windows built-in, hidden security options (activated by Hard_Configurator settings).

When you look at the test video, you can see that EXE files are always run via "Run As SmartScreen", and after SmartScreen check they are mostly flagged as Unrecognized and blocked. If @askalan tried to run the EXE file normally, then it would be blocked by Software Restriction Policies.
The script samples are blocked by SRP. The weaponized documents are allowed to run (also other media files, photos, etc.), but usually the malicious content cannot automatically run in Libre Office.

So far, the malicious code was not even executed on @askalan testing machine.
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
Hello! I have created a survey so that you can give me tips for improvement. This poll is anonymous.

If you have time, you can answer a few questions that might help me to improve my tests with Hard_Configurator:
Survey regarding tests with Hard_Configurator

I would like to thank you in advance!
I responded to the survey.(y)
Thank you for trying this great program.:giggle:
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top