Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
> Oh ok, thanks. Not sure what it was that was affecting it then. I'll have to re-test it and see what's blocking. The only blocks I can see previously have been svchost, Compatelrunner.exe and Explorer.exe. I'll do a test again. Maybe it was something else affecting it. Will update you in a few.
Compatelrunner.exe and Explorer.exe were blocked by LOLBins rules. Some legal applications and services can use Explorer to make outbound connections.
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
> Compatelrunner.exe and Explorer.exe were blocked by LOLBins rules. Some legal applications and services can use Explorer to make outbound connections.

I think the culprit turned out to be Edge Chromium Stable updating in the background as I had run apps while closed enabled. So far, that's the only thing I can pin it down to ;)
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
Can somebody help me with this error? When clicking a link in Outlook, I get an error instead of opening Edge.
Not having that problem with outlook.com on the web.
Windows Defender Exploit Guard heeft een bewerking geblokkeerd die niet is toegestaan door uw IT-beheerder.
Neem voor meer informatie contact op met uw IT-beheerder.
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
Detectietijd: 2019-11-06T17:56:39.752Z
Gebruiker:
Pad: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Procesnaam: C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Outlook_16051.12130.20272.0_x86__8wekyb3d8bbwe\Office16\OUTLOOK.EXE
Versie van beveiligingsinformatie: 1.305.1539.0
Engineversie: 1.1.16500.1
Productversie: 4.18.1910.4
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
> Can somebody help me with this error when clicking a link in Outlook I get an error instead of opening Edge.
> Not having that problem with outlook.com on the web.
What version of Outlook? What level have you set ConfigureDefender to?

No issue with Outlook 2010 at my end with H_C at recommended, ConfigureDefender at High. Tried with several links.

Erz
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
> What version of Outlook? What level have you set ConfigureDefender to?
>
> No issue with Outlook 2010 at my end with H_C at recommended, ConfigureDefender at High. Tried with several links.
>
> Erz
Outlook 2016 (version 1910 build 12130.20272 Microsoft Store).
H_C at recommended settings, ConfigureDefender at High and Firewall Hardening at recommended H_C.
This issue is not always happening, but very annoying.
Yesterday no problems, today I can't open any link from Outlook anymore... :eek:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
> Can somebody help me with this error when clicking a link in Outlook I get an error instead of opening Edge.
> Not having that problem with outlook.com on the web.
This block comes from the ASR rule: "Block only Office communication applications from creating child processes". It is a protection against exploiting Outlook. If you did not have this issue before, then it means that Microsoft did not whitelist your version of Edge Chromium, yet.
Do you use Edge Chromium Dev or another non-stable version?
Do you have the same problem if you change the default web browser to native Edge?
Can you open the web links from Word?
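
Added example (not part of the thread and not Hard_Configurator code): a PowerShell check for the block discussed above, using the rule ID from the quoted notification. It assumes Microsoft Defender's ASR event IDs 1121 (block) and 1122 (audit) and the event data field names `ID`, `Path` and `Process Name`, which mirror the fields shown in the notification.

```powershell
# Rule ID copied from the Exploit Guard notification quoted in the thread.
$RuleId = '26190899-1602-49E8-8B27-EB1D0A1CE869'

# 1. Is the rule configured, and in which mode?
#    Action values: 0 = disabled, 1 = block, 2 = audit, 6 = warn.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$state   = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RuleId) { $state = "action $($actions[$i])" }
}
"ASR rule $RuleId : $state"

# 2. Which parent/child pairs did this rule act on recently?
$log = 'Microsoft-Windows-Windows Defender/Operational'
$hits = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1121, 1122 } `
            -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = $_
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) {
            $d[$n.Name] = $n.'#text'
        }
        if ($d['ID'] -eq $RuleId) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Mode    = if ($ev.Id -eq 1121) { 'Block' } else { 'Audit' }
                Parent  = $d['Process Name']   # e.g. OUTLOOK.EXE
                Blocked = $d['Path']           # e.g. msedge.exe
            }
        }
    }

# 3. Summarise by blocked child so an intermittent block is easy to spot.
$hits | Group-Object Blocked |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
```

Run it from an elevated PowerShell prompt; an empty result in step 2 means the rule has not fired within the last 500 ASR events in the log.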
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
> This block comes from the ASR rule: "Block only Office communication applications from creating child processes". It is a protection against exploiting Outlook. If you did not have this issue before, then it means that Microsoft did not whitelist your version of Edge Chromium, yet.
> Do you use Edge Chromium Dev or another non-stable version?
> Do you have the same problem if you change the default web browser to native Edge?
> Can you open the web links from Word?
I use Edge Chromium Stable 79.0.309.14.
If I change the default web browser to native Edge, links open without any problem in Edge Chromium :rolleyes:
I have no problem opening web links from Word with Edge Chromium set as default.
So for now native Edge is set as default (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
While working on new H_C features, I realized that adding MOTW to the file can force the CyberCapture feature in Avast - similarly to forcing SmartScreen. CyberCapture is turned on by default, but normally is triggered only for files downloaded from the Internet (just like for Windows SmartScreen Application Reputation).
v1_general_core.png


The suspicious EXE file is blocked, uploaded to the Avast cloud, and detonated in Sandbox. This feature is similar to the WD feature available only on Windows E5 editions.
For now, there are Avast_Hardened_Mode_Aggressive profiles in H_C to work with Avast set to Hardened Mode Aggressive. This setting is not available via the modern Avast GUI, because the option "Enable Hardened Mode" can apply only Hardened Mode Moderate settings. The Hardened Mode Aggressive settings can still be activated via:
Menu > Settings > Troubleshooting > Open old settings

I can create an additional H_C profile that will force Avast CyberCapture instead of using Hardened Mode Aggressive settings. This profile will also apply the lowered EXE / MSI Restrictions which will be introduced in the new H_C version, so the applications will be allowed to auto-update without problems. This profile will work with Avast on Windows Vista, 7, 8, 8.1, and 10 as the set-and-forget smart-default-deny setup.
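
Added example (not part of the post and not how Hard_Configurator itself does it): the MOTW referred to above is the NTFS alternate data stream `Zone.Identifier`, and this PowerShell sketch reads and writes it so you can see which files will or will not get the reputation check. The helper names `Get-MotwZone` and `Add-Motw`, the sample file name and the Downloads path are assumptions made for the illustration; zone 3 is the Internet zone.

```powershell
# Hypothetical helper: return the ZoneId stored in the file's MOTW, or nothing.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_ -match '^ZoneId=(\d+)') { [int]$Matches[1] } } |
        Select-Object -First 1
}

# Hypothetical helper: mark a file as coming from the Internet zone (ZoneId=3),
# so reputation checks that key on MOTW treat it like a downloaded file.
function Add-Motw {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' `
        -Value '[ZoneTransfer]', "ZoneId=$ZoneId"
}

# Constructed sample file (plain text, not a real executable); needs an NTFS volume.
$sample = Join-Path $env:TEMP 'motw-demo.exe'
Set-Content -LiteralPath $sample -Value 'placeholder content'

"Before: ZoneId = '$(Get-MotwZone $sample)'"
Add-Motw $sample
"After:  ZoneId = '$(Get-MotwZone $sample)'"
Get-Item -LiteralPath $sample -Stream * | Select-Object Stream, Length
Remove-Item -LiteralPath $sample

# Audit: executables in the Downloads folder that carry no MOTW and would
# therefore not be checked on execution unless the mark is added first.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $downloads -Include *.exe, *.msi -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $null -eq (Get-MotwZone $_.FullName) } |
    Select-Object FullName, LastWriteTime
```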
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
> While working on new H_C features, I realized that adding MOTW to the file can force CyberCapture feature in Avast - similarly to forcing the SmartScreen. CyberCapture is turned on by default, but normally is triggered only for files downloaded from the Internet (just like for Windows SmartScreen Application Reputation).
> View attachment 229427
>
> The suspicious EXE file is blocked, uploaded to the Avast cloud, and detonated in Sandbox. This feature is similar to the WD feature available only on Windows E5 editions.
> For now, there are Avast_Hardened_Mode_Aggressive profiles in H_C to work with Avast set to Hardened Mode Aggressive. This setting is not available via modern Avast GUI, because the option "Enable Hardened Mode" can apply only Hardened Mode Moderate settings. The Hardened Mode Aggressive settings can be still activated via:
> Menu > Settings > Troubleshooting > Open old settings
>
> I can create an additional H_C profile that will force Avast CyberCapture instead of using Hardened Mode Aggressive settings. This profile will also apply the lowered EXE / MSI Restrictions which will be introduced in the new H_C version, so the applications will be allowed to auto-update without problems. This profile will work with Avast on Windows Vista, 7, 8, 8.1, and 10 as the set-and-forget smart-default-deny setup.
Sounds very interesting. Would Avast be a more secure combo with H_C , better than Windows Defender with H_C?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
> Sounds very interesting. Would Avast be a more secure combo with H_C , better than Windows Defender with H_C?
The biggest advantage will be on Windows Vista and Windows 7, because CyberCapture will work and SmartScreen is not available.
On Windows 8+, the advantage will be for users who use SmartScreen only as a suggestion for further investigation to know if the file is safe. CyberCapture is very strong for EXE files, stronger than WD MAX Protection Level and probably very close to SmartScreen and Avast Hardened Mode Aggressive. Yet still, CyberCapture will give far fewer false positives than VirusTotal, SmartScreen, or Avast Hardened Mode Aggressive.
On Windows 10, there will be no real difference as compared to WD + H_C (with ConfigureDefender HIGH Protection Level), if the user respects SmartScreen and does not bypass the SmartScreen alert.

Both protections are similar. Forced SmartScreen or forced CyberCapture can prevent users from running malicious EXE installers, which are run via the right-click Explorer entry - otherwise, the files (EXE, scripts, etc.) are blocked in UserSpace by H_C. This is the most important and very strong protection, which can hardly be bypassed in the home environment, except for some exploits.
WD + H_C (no SmartScreen) and Avast + H_C (no CyberCapture) work as post-exploitation protection against all kinds of payloads (EXE, scripts, etc.) downloaded without MOTW by undetected/unblocked exploits.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
How strong Avast CyberCapture is can be easily tested on Malware Hub, by downloading the archive with samples from the Internet via a web browser and unpacking it via Bandizip (MOTW will be transferred to unpacked EXE files). :)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
> Is this feature basically the same as whitelisting the AppData and ProgramData directories?
Not exactly. It can do the below things:
  1. Whitelist AppData and ProgramData folders.
  2. Block execution from archives (also in AppData and ProgramData).
  3. Add an entry "Install application" to the right-click Explorer context menu on Windows Vista and Windows 7. This entry can add the MOTW to the file and can be used with Avast CyberCapture as a smart-default-deny setup on Windows Vista and Windows 7.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
> Are you referring to Windows 8 (it's in the same block as for Windows 8 but it's unclear to me if that's the context) ?
If the user respects SmartScreen then there is no real difference in the preventive protection on Windows 8+, because SmartScreen is probably stronger than WD MAX Protection level and Avast CyberCapture.
There will be a difference in the post-exploitation stage for primary EXE/MSI payloads, because WD on Windows 8.1 is stronger than on Windows 8, and WD on Windows 10 is stronger than on Windows 8.1. But, this can be important in the home environment only when the user installs vulnerable/unpatched applications or uses the unpatched system.

> On Windows 10 such functionality exists in ASR for runtime checks.
If you mean the ASR rule "Block executable files from running unless they meet a prevalence or trusted list criteria", then no one knows the criteria used by Microsoft for EXE files. So, it is hard to say if it is stronger than the Avast CyberCapture feature (I do not know).
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Hello. Is this a direct result of the work of the Firewall Hardening Tool? :) Have not done anything to the System otherwise.

telemetry block.PNG

Edit: Previously and currently, I use this to block outbound telemetry-related connections. Clearly this method is no longer optimum. Perhaps Microsoft added new paths (wouldn't be a major surprise there)? Re-edit: yes, just checked, this is a "new" one. :rolleyes:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
> Hello. Is this a direct result of the work of the Firewall Hardening Tool? :) Have not done anything to the System otherwise.
>
> Edit: Previously and currently, I use this to block outbound telemetry-related connections. Clearly this method is no longer optimum. Perhaps Microsoft added new paths (wouldn't be a major surprise there)? Re-edit: yes, just checked, this is a "new" one. :rolleyes:
It seems that Intel® RealSense™ SDK Runtime: Lantern Rock is blocked. But, it is probably not related to FirewallHardening block rules, except when it uses scripts or one of the LOLBins.
You can see more by using the <Blocked Events> log in FirewallHardening ("Start logging events" has to be set to ON).

You can also remove FirewallHardening rules temporarily (reboot required) and see if Lantern Rock is still blocked. (y)
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Intel... it seems it likely is the XTU running the CPU undervolt. The error occurs at the same time every morning, so I opened Task Scheduler, found and disabled the related Task. Good, any less telemetry is OK-fine by me. Thank you for solving that mystery, Andy Ful. :)
 
