Andy Ful

Level 49
Verified
Trusted
Content Creator
Oh ok, thanks. Not sure what it was that was affecting it then. I'll have to re-test it and see what's blocking. The only blocks I can see previously have been svchost, CompatTelRunner.exe and Explorer.exe. I'll do a test again. Maybe it was something else affecting it. Will update you in a few.
CompatTelRunner.exe and Explorer.exe were blocked by LOLBins rules. Some legal applications and services can use Explorer to make outbound connections.
 

Gandalf_The_Grey

Level 22
Verified
Can somebody help me with this error? When clicking a link in Outlook I get an error instead of opening Edge.
Not having that problem with outlook.com on the web.
Windows Defender Exploit Guard heeft een bewerking geblokkeerd die niet is toegestaan door uw IT-beheerder.
Neem voor meer informatie contact op met uw IT-beheerder.
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
Detectietijd: 2019-11-06T17:56:39.752Z
Gebruiker:
Pad: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Procesnaam: C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Outlook_16051.12130.20272.0_x86__8wekyb3d8bbwe\Office16\OUTLOOK.EXE
Versie van beveiligingsinformatie: 1.305.1539.0
Engineversie: 1.1.16500.1
Productversie: 4.18.1910.4
 

Gandalf_The_Grey

Level 22
Verified
What version of Outlook? What level have you set ConfigureDefender to?

No issue with Outlook 2010 at my end with H_C at recommended, ConfigureDefender at High. Tried with several links.

Erz
Outlook 2016 (version 1910 build 12130.20272 Microsoft Store).
H_C at recommended settings, ConfigureDefender at High and Firewall Hardening at recommended H_C.
This issue is not always happening, but very annoying.
Yesterday no problems, today I can't open any link from Outlook anymore... :eek:
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Can somebody help me with this error? When clicking a link in Outlook I get an error instead of opening Edge.
Not having that problem with outlook.com on the web.
This block comes from the ASR rule: "Block only Office communication applications from creating child processes". It is a protection against exploiting Outlook. If you did not have this issue before, then it means that Microsoft did not whitelist your version of Edge Chromium, yet.
Do you use Edge Chromium Dev or another non-stable version?
Do you have the same problem if you change the default web browser to native Edge?
Can you open the web links from Word?
 
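The diagnosis above hinges on reading the ID in the Exploit Guard message as an ASR rule GUID. The following is an added example (it is not code from the thread or from Hard_Configurator) that maps that GUID to its rule name, reports how the rule is configured on the machine, and pulls the matching block events from the Defender operational log. It assumes Windows 10 with Microsoft Defender Antivirus active and an elevated PowerShell session; the rule GUID comes from the error quoted in the thread, the second GUID is the Microsoft-documented one for the prevalence rule discussed later.

```powershell
# Added example (not from the thread or from Hard_Configurator): identify which ASR
# rule produced an Exploit Guard block, check how that rule is configured, and list
# the matching block events. Assumes Windows 10 with Microsoft Defender Antivirus
# active and an elevated PowerShell session.

# The ID printed in the Exploit Guard message is the ASR rule GUID.
$RuleId = '26190899-1602-49E8-8B27-EB1D0A1CE869'

# Microsoft-documented GUIDs for the two rules discussed in this thread.
$RuleNames = @{
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
}

# Action codes as stored by Set-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            return [pscustomobject]@{
                Id     = $ids[$i]
                Name   = $RuleNames[$ids[$i].ToUpper()]
                Action = $ActionNames[[int]$actions[$i]]
            }
        }
    }
    # A rule that is not listed at all is effectively disabled.
    [pscustomobject]@{ Id = $Id; Name = $RuleNames[$Id.ToUpper()]; Action = 'Not configured' }
}

function Get-AsrBlockEvents {
    param([Parameter(Mandatory)][string]$Id, [int]$Max = 50)
    # Event 1121 = ASR rule fired in block mode; 1122 would be audit mode.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -imatch [regex]::Escape($Id) } |
        Select-Object TimeCreated, Message
}

Get-AsrRuleState  -Id $RuleId | Format-List
Get-AsrBlockEvents -Id $RuleId | Format-List

# Last resort if a legitimate parent/child pair keeps tripping the rule: an ASR-only
# exclusion for that path. The thread's workaround (changing the default browser)
# avoids weakening the rule at all, so prefer that where it works.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
```

The 1121 event message names both the rule GUID and the process pair involved, so filtering on the GUID is enough to confirm that the Outlook to msedge.exe launch was what the rule stopped, rather than some other LOLBin or firewall rule in the H_C setup.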

Gandalf_The_Grey

Level 22
Verified
This block comes from the ASR rule: "Block only Office communication applications from creating child processes". It is a protection against exploiting Outlook. If you did not have this issue before, then it means that Microsoft did not whitelist your version of Edge Chromium, yet.
Do you use Edge Chromium Dev or another non-stable version?
Do you have the same problem if you change the default web browser to native Edge?
Can you open the web links from Word?
I use Edge Chromium Stable 79.0.309.14.
If I change the default web browser to native Edge, links open without any problem in Edge Chromium :rolleyes:
I have no problem opening web links from Word with Edge chromium set as default.
So for now native Edge is set as default (y)
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
While working on new H_C features, I realized that adding MOTW to the file can force CyberCapture feature in Avast - similarly to forcing the SmartScreen. CyberCapture is turned on by default, but normally is triggered only for files downloaded from the Internet (just like for Windows SmartScreen Application Reputation).
v1_general_core.png


The suspicious EXE file is blocked, uploaded to the Avast cloud, and detonated in Sandbox. This feature is similar to the WD feature available only on Windows E5 editions.
For now, there are Avast_Hardened_Mode_Aggressive profiles in H_C to work with Avast set to Hardened Mode Aggressive. This setting is not available via the modern Avast GUI, because the option "Enable Hardened Mode" can apply only Hardened Mode Moderate settings. The Hardened Mode Aggressive settings can still be activated via:
Menu > Settings > Troubleshooting > Open old settings

I can create an additional H_C profile that will force Avast CyberCapture instead of using Hardened Mode Aggressive settings. This profile will also apply the lowered EXE / MSI Restrictions which will be introduced in the new H_C version, so the applications will be allowed to auto-update without problems. This profile will work with Avast on Windows Vista, 7, 8, 8.1, and 10 as the set-and-forget smart-default-deny setup.
 
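The mechanism described in the post above is the Zone.Identifier alternate data stream (the Mark-of-the-Web) that browsers attach to downloads and that SmartScreen and, per the post, CyberCapture key on. The following is an added example, not Hard_Configurator's own code, showing how to write that stream onto a file, read the zone back, and strip it again with the built-in cmdlet. It assumes an NTFS volume and PowerShell 5.0 or later; the sample file is constructed for the demo and stands in for a locally copied installer.

```powershell
# Added example (not Hard_Configurator's own code): write and read the Mark-of-the-Web,
# i.e. the Zone.Identifier alternate data stream. Assumes an NTFS volume and
# PowerShell 5.0+; the sample file below is constructed for the demo.

function Add-MarkOfTheWeb {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3   # URLZONE values: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted
    )
    # Same minimal content a browser writes on download; ReferrerUrl/HostUrl lines are optional.
    $mark = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`n"
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value $mark -Encoding Ascii -NoNewline
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId as an integer, or $null when the file carries no mark.
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
    if ($text -match 'ZoneId\s*=\s*(\d+)') { [int]$Matches[1] } else { $null }
}

# Constructed sample: a small file standing in for an installer copied from local media.
$sample = Join-Path $env:TEMP 'motw-demo.exe'
Set-Content -LiteralPath $sample -Value 'demo' -Encoding Ascii

"Before: ZoneId = $(Get-MarkOfTheWeb -Path $sample)"    # empty: the file was never 'downloaded'
Add-MarkOfTheWeb -Path $sample
"After:  ZoneId = $(Get-MarkOfTheWeb -Path $sample)"    # 3 (Internet zone)
(Get-Item -LiteralPath $sample -Stream *).Stream         # lists :$DATA and Zone.Identifier

# Unblock-File is the built-in way to remove the mark again.
Unblock-File -LiteralPath $sample
"Unblocked: ZoneId = $(Get-MarkOfTheWeb -Path $sample)"
Remove-Item -LiteralPath $sample
```

Stamping a file with ZoneId=3 is all it takes for the reputation checks that normally apply only to downloads to also apply to a file that arrived by USB stick, archive extraction, or a network share; this is what an "Install application" context-menu entry in H_C would do before launching the installer. The mark travels with the file only on NTFS and is dropped by many archivers and by copying to FAT media, which is why the post treats forcing it as a deliberate step rather than something that can be relied on to already be there.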

Gandalf_The_Grey

Level 22
Verified
While working on new H_C features, I realized that adding MOTW to the file can force CyberCapture feature in Avast - similarly to forcing the SmartScreen. CyberCapture is turned on by default, but normally is triggered only for files downloaded from the Internet (just like for Windows SmartScreen Application Reputation).

The suspicious EXE file is blocked, uploaded to the Avast cloud, and detonated in Sandbox. This feature is similar to the WD feature available only on Windows E5 editions.
For now, there are Avast_Hardened_Mode_Aggressive profiles in H_C to work with Avast set to Hardened Mode Aggressive. This setting is not available via the modern Avast GUI, because the option "Enable Hardened Mode" can apply only Hardened Mode Moderate settings. The Hardened Mode Aggressive settings can still be activated via:
Menu > Settings > Troubleshooting > Open old settings

I can create an additional H_C profile that will force Avast CyberCapture instead of using Hardened Mode Aggressive settings. This profile will also apply the lowered EXE / MSI Restrictions which will be introduced in the new H_C version, so the applications will be allowed to auto-update without problems. This profile will work with Avast on Windows Vista, 7, 8, 8.1, and 10 as the set-and-forget smart-default-deny setup.
Sounds very interesting. Would Avast be a more secure combo with H_C , better than Windows Defender with H_C?
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Sounds very interesting. Would Avast be a more secure combo with H_C , better than Windows Defender with H_C?
The biggest advantage will be on Windows Vista and Windows 7, because CyberCapture will work and SmartScreen is not available.
On Windows 8+, the advantage will be for users who use SmartScreen only as a suggestion for further investigation to know if the file is safe. CyberCapture is very strong for EXE files, stronger than WD MAX Protection Level and probably very close to SmartScreen and Avast Hardened Mode Aggressive. Yet still, CyberCapture will give far fewer false positives than VirusTotal, SmartScreen, or Avast Hardened Mode Aggressive.
On Windows 10, there will be no real difference as compared to WD + H_C (with ConfigureDefender HIGH Protection Level), if the user respects the SmartScreen and does not bypass SmartScreen alert.

Both protections are similar. Forced SmartScreen or forced CyberCapture can prevent users from running malicious EXE installers, which are run via the right-click Explorer entry - otherwise, the files (EXE, scripts, etc.) are blocked in UserSpace by H_C. This is the most important and very strong protection, which can hardly be bypassed in the home environment, except for some exploits.
WD + H_C (no SmartScreen) and Avast + H_C (no CyberCapture) work as post-exploitation protection against all kinds of payloads (EXE, scripts, etc.) downloaded without MOTW by undetected/unblocked exploits.
 

notabot

Level 15
CyberCapture is very strong for EXE files, stronger than WD MAX Protection Level and probably
Are you referring to Windows 8 (it's in the same block as for Windows 8 but it's unclear to me if that's the context)? On Windows 10 such functionality exists in ASR for runtime checks.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Is this feature basically the same as whitelisting the AppData and ProgramData directories?
Not exactly. It can do the below things:
  1. Whitelist AppData and ProgramData folders.
  2. Block execution from archives (also in AppData and ProgramData).
  3. Add an entry "Install application" to the right-click Explorer context menu on Windows Vista and Windows 7. This entry can add the MOTW to the file and can be used with Avast CyberCapture as a smart-default-deny setup on Windows Vista and Windows 7.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Are you referring to Windows 8 (it's in the same block as for Windows 8 but it's unclear to me if that's the context)?
If the user respects SmartScreen then there is no real difference in the preventive protection on Windows 8+, because SmartScreen is probably stronger than WD MAX Protection level and Avast CyberCapture.
There will be a difference in the post-exploitation stage for primary EXE/MSI payloads, because WD on Windows 8.1 is stronger than on Windows 8, and WD on Windows 10 is stronger than on Windows 8.1. But, this can be important in the home environment only when the user installs vulnerable/unpatched applications or uses the unpatched system.

On Windows 10 such functionality exists in ASR for runtime checks.
If you mean the ASR rule "Block executable files from running unless they meet a prevalence or trusted list criteria", then no one knows the criteria used by Microsoft for EXE files. So, it is hard to say if it is stronger than the Avast CyberCapture feature (I do not know).
 

plat1098

Level 11
Verified
Hello. Is this a direct result of the work of the Firewall Hardening Tool? :) Have not done anything to the System otherwise.

telemetry block.PNG

Edit: Previously and currently, I use this to block outbound telemetry-related connections. Clearly this method is no longer optimum. Perhaps Microsoft added new paths (wouldn't be a major surprise there)? Re-edit: yes, just checked, this is a "new" one. :rolleyes:
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Hello. Is this a direct result of the work of the Firewall Hardening Tool? :) Have not done anything to the System otherwise.


Edit: Previously and currently, I use this to block outbound telemetry-related connections. Clearly this method is no longer optimum. Perhaps Microsoft added new paths (wouldn't be a major surprise there)? Re-edit: yes, just checked, this is a "new" one. :rolleyes:
It seems that Intel® RealSense™ SDK Runtime: Lantern Rock is blocked. But, it is probably not related to FirewallHardening block rules, except when it uses scripts or one of the LOLBins.
You can see more by using <Blocked Events> log in FirewallHardening ("Start logging events" has to be set to ON).

You can also remove the FirewallHardening rules temporarily (reboot required) and see if Lantern Rock is still blocked. (y)
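The two checks suggested above (see what FirewallHardening logged, and find out whether one of its rules is what blocks the program) can also be done with the built-in tooling. The following is an added example, not code from FirewallHardening or the thread: it lists the outbound firewall rules that cover a program path and, after turning on the Windows Filtering Platform failure audit, reads the Security log for the connections the firewall actually dropped. It assumes an elevated session on Windows 8 or later (the NetSecurity cmdlets are not on Windows 7); the 'LanternRock' pattern is a placeholder chosen for this thread's case.

```powershell
# Added example (not FirewallHardening's own code): see whether a program is covered
# by an outbound block rule, then list the connections the firewall really dropped.
# Assumes an elevated session on Windows 8+; the program pattern is a placeholder.

function Get-OutboundRulesForProgram {
    param([Parameter(Mandatory)][string]$ProgramPattern)   # wildcard, e.g. '*\LanternRock*'
    # Application filters carry the program path; walk back from them to their rules.
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like $ProgramPattern } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' } |
        Select-Object DisplayName, Enabled, Action, Profile
}

function Enable-DroppedConnectionAudit {
    # Makes the firewall write Security event 5157 for every blocked connection.
    auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
}

function Get-DroppedConnections {
    param([int]$Max = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            # 5157 reports the program in device-path form (\device\harddiskvolumeN\...), not C:\...
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = if ($m -match 'Application Name:\s+(\S.*)')   { $Matches[1].Trim() } else { '' }
                Direction   = if ($m -match 'Direction:\s+(\S+)')           { $Matches[1] }        else { '' }
                Destination = if ($m -match 'Destination Address:\s+(\S+)') { $Matches[1] }        else { '' }
                Port        = if ($m -match 'Destination Port:\s+(\d+)')    { $Matches[1] }        else { '' }
            }
        }
}

# 1. Is any outbound rule (FirewallHardening's or otherwise) aimed at this program?
Get-OutboundRulesForProgram -ProgramPattern '*LanternRock*' | Format-Table -AutoSize

# 2. Turn on the audit, reproduce the block, then read what was dropped and by what.
Enable-DroppedConnectionAudit
Get-DroppedConnections -Max 50 |
    Where-Object { $_.Application -like '*lanternrock*' } |
    Format-Table -AutoSize
```

If step 1 returns nothing and the program name does not match any of the script or LOLBin paths FirewallHardening protects, the 5157 events will usually point at a different rule set (the program's own installer, a third-party firewall, or Windows' default outbound policy), which answers the question in the post without removing the hardening rules first. The audit subcategory is noisy on a busy machine, so switch it off again with `auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable` once the cause is found.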