Gangelo

Level 2
One question about the Firewall Hardening tool. The Firewall "H_C Recommended settings" are not applied automatically upon installation of H_C when you click "Apply recommended settings", right? I will need to apply them manually in the Firewall Hardening module?
I ask that because the rules window is empty on my PC at the moment.
 

Gandalf_The_Grey

Level 22
Verified
One question about the Firewall Hardening tool. The Firewall "H_C Recommended settings" are not applied automatically upon installation of H_C when you click "Apply recommended settings", right? I will need to apply them manually in the Firewall Hardening module?
I ask that because the rules window is empty on my PC at the moment.
Yes, that's correct. HC recommended settings are only for the main program and not for ConfigureDefender or FirewallHardening.
Those are separate programs and must be configured separately if needed.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
One question about the Firewall Hardening tool. The Firewall "H_C Recommended settings" are not applied automatically upon installation of H_C when you click "Apply recommended settings", right? I will need to apply them manually in the Firewall Hardening module?
I ask that because the rules window is empty on my PC at the moment.
Yes. Neither the FirewallHardening nor the ConfigureDefender settings are visible in the main H_C window, and they have to be configured in FirewallHardening and ConfigureDefender.
So, if you change some settings from the main H_C window or load any H_C profile, then only the settings visible in H_C will change - the FirewallHardening and ConfigureDefender settings do not change.

To avoid confusion, the information below is displayed when installing/updating H_C:
------------------------------------------------------------------------------
QUICK CONFIGURATION (after the fresh installation).
  1. Run Hard_Configurator and follow the instructions which are displayed on the first run.
  2. It is recommended to allow Hard_Configurator making the System Restore Point, whitelisting the autoruns and applying Recommended Settings. The restore point can be skipped when the kind of rollback software was installed.
  3. After those actions, Windows restart will be required.
  4. If Windows Defender is primary real-time protection, then <ConfigureDefender> option in Hard_Configurator (left violet button) can be used to activate advanced Windows Defender settings.
  5. The firewall hardening is also possible by using <FirewallHardening> option (right violet button).
  6. Please read the help files to get info about Hard_Configurator options. Full information about the program and SRP can be accessed using <Documentation> button, available after pressing <General Help> button.
It is recommended to visit hard-configurator.com website for detailed information.
--------------------------------------------------------------------------------

The information about it can also be displayed from H_C by pressing the <General Help> button.
  1. The actual status of all restrictions is shown in 2 panels, on the left and the right side of GUI window. Please, do not forget to press <APPLY CHANGES> red button to finally apply the changes in the configuration settings.
  2. Press <Recommended Settings> green button to recover Hard_Configurator default-deny protection. This will delete all previous settings except entries added by the user to the Whitelist (by path or by hash). You can adjust SRP settings when pressing buttons in the left panel, and non-SRP settings by pressing buttons in the right panel.
  3. Press <ConfigureDefender> violet button to configure Windows Defender advanced settings.
  4. Press <Firewall Hardening> to harden Windows Firewall, by preventing the Internet access to some Windows programs.
  5. There are two 3-D buttons visible on the bottom of Main Menu Window: <Load Profile> and <Save Profile>, which can be used to load other hardcoded program settings, or save user favorite settings (except White List profiles and Designated File Types).
__________________________________________________

Thanks for testing H_C. Please let me know if something is unclear or should be added there.:giggle:(y)
 

ErzCrz

Level 2
Verified
Quick question. There's an expansion today for Star Wars The Old Republic. I should be fine with the patch installation with default settings right?
 

ErzCrz

Level 2
Verified
If the game and the expansion are installed in userspace, you may need to whitelist the folder before proceeding.
If everything is in the Program Files folder, then it should install without an issue.
Thanks. The only user folder bit is the screenshot folder but I'll double check before patching.

Thanks again for your help.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
I am testing now the new H_C option <Lower EXE Restrictions>.
It allows EXE files and TMP images in ProgramData and AppData folders, which are hidden in Explorer by default. Most applications which install in UserSpace are located in ProgramData or AppData subfolders, and also use these folders when performing updates.
The <Lower EXE Restrictions> setting still blocks the EXE files and TMP images in UserSpace folders which are not hidden (including Desktop, Documents, Downloads, Music, Movies, Pictures), non-system partitions, and USB drives. So, the user is forced to install applications by using the safe "Install by SmartScreen" feature (formerly "Run As SmartScreen"), and after installation, the applications do not require whitelisting and can auto-update without problems.
The <Lower EXE Restrictions> setting does not lower the pre-execution prevention strength of H_C settings. If it was used in the @askalan's malware tests, the results would be the same as for the H_C Recommended Settings. So, where is the difference? It can be visible in the post-exploitation phase, but only in the rare cases of primary EXE payloads. It is good, because the primary payloads are usually scripts which are still blocked when using <Lower EXE Restrictions> feature.
I think that this new setting will be optimal for most of H_C users.(y)
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
It seems that <Lower EXE Restrictions> feature can solve the issue of installing applications on SUA in UserSpace. For now, the user has to use SwitchDefaultDeny and turn OFF the protection temporarily. Next, "Run By SmartScreen" can be used to safely install the application. Finally, the user has to turn ON the protection again.
I can extend "Install By SmartScreen" capabilities for the setting <Lower EXE Restrictions>.
The application installer will be simply copied to the "AppData\Local\Temp\(random name)" folder to run with SmartScreen check and with standard rights from this (whitelisted) location.
No need to use SwitchDefaultDeny and the application installations/updates on SUA will be as easy as on Admin Account.
I like <Lower EXE Restrictions> feature more and more...:giggle:
 

shmu26

Level 83
Verified
Trusted
Content Creator
It seems that <Lower EXE Restrictions> feature can solve the issue of installing applications on SUA in UserSpace. For now, the user has to use SwitchDefaultDeny and turn OFF the protection temporarily. Next, "Run By SmartScreen" can be used to safely install the application. Finally, the user has to turn ON the protection again.
I can extend "Install By SmartScreen" capabilities for the setting <Lower EXE Restrictions>.
The application installer will be simply copied to the "AppData\Local\Temp\(random name)" folder to run with SmartScreen check and with standard rights from this (whitelisted) location.
No need to use SwitchDefaultDeny and the application installations/updates on SUA will be as easy as on Admin Account.
I like <Lower EXE Restrictions> feature more and more...:giggle:
It sounds like a killer feature to me. I can deal with whitelisting my userspace apps, but when they want to update, that's what kills me. Sometimes they just fail to update without any warning or even a log entry, and then I can't figure out why they don't work anymore. So I think this new feature is for me. :)
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
For optimal security, the <Lower EXE Restrictions> feature has to be complemented by blocking EXE/MSI files when executed directly from the archive (without manual unpacking).
Most archiving applications display the warning alert in such cases, but this will not stop many users from running the EXE / MSI files from the archive.
In such cases the default archiver application unpacks the file in the AppData\Local\Temp folder (like most installers/updaters do) and the file is executed from this location - usually without SmartScreen check. For now, I included some well-known applications:

Explorer - blocking pattern: Temp*_*.zip
WinZip - blocking pattern: wz????
WinRar - blocking pattern: Rar$EX*
7-Zip - blocking pattern: 7z?????????
PeaZip - blocking pattern: .ptmp??????
PowerArchiver - blocking pattern: _PA*
B1 Free Archiver - blocking pattern: B1FreeArchiver-*-*-*-*-*
Bandizip - blocking pattern: BNZ.???????????????
IArc - blocking pattern: $$_????
ALZip - blocking pattern: _AZTMP*_
ExpressZip - blocking pattern: ExpressZip-*-*
PKZip - blocking pattern: PK????.tmp
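The patterns above, as a path check written for this thread (an added example, not Hard_Configurator's own code): given a constructed file path, it reports which archiver temp folder the file sits in and whether an EXE/MSI there would fall under one of the listed patterns. It assumes the wildcards apply to the folder directly below AppData\Local\Temp and, like SRP path rules, match case-insensitively.

```python
import fnmatch
import ntpath

# Archiver temp-folder blocking patterns as listed in the post.
# SRP-style wildcards: '*' = any run of characters, '?' = exactly one character.
ARCHIVER_TEMP_PATTERNS = {
    "Explorer": "Temp*_*.zip",
    "WinZip": "wz????",
    "WinRar": "Rar$EX*",
    "7-Zip": "7z?????????",
    "PeaZip": ".ptmp??????",
    "PowerArchiver": "_PA*",
    "B1 Free Archiver": "B1FreeArchiver-*-*-*-*-*",
    "Bandizip": "BNZ.???????????????",
    "IArc": "$$_????",
    "ALZip": "_AZTMP*_",
    "ExpressZip": "ExpressZip-*-*",
    "PKZip": "PK????.tmp",
}

TEMP_MARKER = "\\appdata\\local\\temp\\"


def archiver_for_path(path: str):
    """Return the archiver whose pattern covers the first folder below
    AppData\\Local\\Temp in `path`, or None when no pattern matches.
    Assumption (not stated in the post): the pattern is applied to that
    folder only, compared case-insensitively as SRP path rules are."""
    lowered = path.lower()
    idx = lowered.find(TEMP_MARKER)
    if idx < 0:
        return None                      # not under the user's Temp folder at all
    parts = path[idx + len(TEMP_MARKER):].split("\\")
    if len(parts) < 2:
        return None                      # file lies directly in Temp, no subfolder
    folder = parts[0].lower()
    for name, pattern in ARCHIVER_TEMP_PATTERNS.items():
        if fnmatch.fnmatchcase(folder, pattern.lower()):
            return name
    return None


def would_be_blocked(path: str) -> bool:
    """True when an EXE/MSI at `path` is launched from a recognised archiver temp folder."""
    ext = ntpath.splitext(path)[1].lower()
    return ext in (".exe", ".msi") and archiver_for_path(path) is not None
```

Folders such as a plain "AppData\Local\Temp\MyInstaller\" match none of the patterns, which is why a normal installer or updater keeps working under <Lower EXE Restrictions> while an EXE opened straight from an archive does not.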
 

ErzCrz

Level 2
Verified
Just using Recommended FirewallHardening rules now with recommended configuration. Seems some of the svchost blocks from the LOLbins rules might have caused lag / slows in playing SWTOR and other online games. Not a big deal, Recommended rules are sufficient with my config as Andy Ful already indicated ;)
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
...
Seems some of the svchost blocks from the LOLbins rules might have caused lag / slows in playing SWTOR and other online games. Not a big deal, Recommended rules are sufficient with my config as Andy Ful already indicated ;)
The executables can be blocked by the FirewallHardening tool only if they are on the list displayed in the FirewallHardening window. The LOLBins list in the FirewallHardening tool does not include Svchost. So, the LOLBins rules should not trigger on Svchost.
If you can see the blocked events for Svchost, then they usually come from some web-based applications which run as service. They are not blocked by FirewallHardening rules, but come from the other rules applied in Windows Firewall.
(y)
 

ErzCrz

Level 2
Verified
Oh ok, thanks. Not sure what it was that was affecting it then. I'll have to re-test it and see what's blocking. The only blocks I can see previously have been svchost, CompatTelRunner.exe and Explorer.exe. I'll do a test again. Maybe it was something else affecting it. Will update you in a few.