Andy Ful

@Andy Ful Thanks (y)
...
So my guess is that instead of trying to work out granular exceptions for AppData, it would be easier and simpler to whitelist AppData and offer an option to enable Validate Admin Signatures in the advanced options.
...
AppData and ProgramData are hidden folders, so the average user cannot run executables directly from these folders. But, AppData is commonly used by exploits to drop/run scripts and next EXE or DLL payloads. This can be done with standard rights (no elevation required)!

Whitelisting AppData and ProgramData for all files would not invalidate the H_C default-deny protection on the pre-execution stage, but there would be close to 0 protection on the post-exploitation stage. For example, when you open a weaponized document and click an embedded malicious OLE (usually a script or scriptlet), the malicious file is copied to AppData\Local\Temp and executed from there. A similar thing happens when executing something from archives (without unpacking it). The UAC setting Validate Admin Signatures is pretty much useless on the post-exploitation stage due to UAC bypasses (an easy task for scripts). It can be useful only on the pre-execution stage to prevent users from running & elevating unsigned malicious applications that pretend to be legitimate applications.

So, if you would like to whitelist AppData for all files, then you would have to block scripts by Windows Policies or block scripting interpreters by SRP; neither of these allows whitelisting. The biggest problem would probably be with Command Prompt (cmd.exe and BAT, CMD scripts).
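The risk described above (an Unrestricted SRP path rule on a user-writable folder quietly re-opening every designated file type there) can be checked on a machine rather than reasoned about. The script below is an added example for this thread, not code from Hard_Configurator or from the post author. It reads the SRP configuration from the registry key where Windows stores it (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), summarises the default level, DLL enforcement, scope and designated file types, and flags any Unrestricted path rule that covers AppData, ProgramData or the user's temp folder. The list of user-writable folders and the output labels are assumptions made for the example; the registry layout and the numeric level values are the standard SRP ones. Run it read-only from an elevated PowerShell.

```powershell
# Added example: audit SRP (Software Restriction Policies) for Unrestricted
# rules that cover user-writable drop locations. Read-only; elevated prompt.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels as stored in the registry: DefaultLevel holds one of
# these, and every path rule lives under a subkey named after its level.
$levelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

# User-writable locations an Unrestricted rule should normally not touch.
# Assumption for this audit, not a list taken from the thread.
$userWritable = @(
    [Environment]::GetFolderPath('LocalApplicationData'),   # %LOCALAPPDATA%
    [Environment]::GetFolderPath('ApplicationData'),        # %APPDATA%
    [Environment]::GetFolderPath('CommonApplicationData'),  # %ProgramData%
    $env:TEMP
) | Where-Object { $_ }

function Get-SrpSummary {
    if (-not (Test-Path $saferRoot)) { return [pscustomobject]@{ Present = $false } }
    $cfg = Get-ItemProperty -Path $saferRoot
    [pscustomobject]@{
        Present         = $true
        DefaultLevel    = $levelNames[[int]$cfg.DefaultLevel]
        # TransparentEnabled: 1 = all software files except DLLs, 2 = all files
        EnforceDlls     = ([int]$cfg.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        AppliesToAdmins = ([int]$cfg.PolicyScope -eq 0)
        DesignatedTypes = @($cfg.ExecutableTypes)
    }
}

function Get-SrpPathRules {
    # Each rule is a GUID-named subkey under <level>\Paths; ItemData is the pattern.
    Get-ChildItem -Path $saferRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+$' } |
        ForEach-Object {
            $level    = [int]$_.PSChildName
            $pathsKey = Join-Path $_.PSPath 'Paths'
            if (Test-Path $pathsKey) {
                Get-ChildItem -Path $pathsKey | ForEach-Object {
                    $rule    = Get-ItemProperty -Path $_.PSPath
                    $pattern = [string]$rule.ItemData
                    [pscustomobject]@{
                        Level    = $levelNames[$level]
                        Pattern  = $pattern
                        # Expand %VAR% so the pattern can be compared with real paths
                        Expanded = [Environment]::ExpandEnvironmentVariables($pattern)
                    }
                }
            }
        }
}

function Find-RiskyUnrestrictedRules {
    # A rule is risky when its path is a prefix of a user-writable folder
    # (whole AppData allowed) or lies inside one (e.g. AppData\Local\Temp allowed).
    Get-SrpPathRules | Where-Object { $_.Level -eq 'Unrestricted' } | Where-Object {
        $p = $_.Expanded.TrimEnd('*', '\')
        if (-not $p) { return $false }
        foreach ($dir in $userWritable) {
            $d = $dir.TrimEnd('\')
            if ($d.StartsWith($p, [StringComparison]::OrdinalIgnoreCase) -or
                $p.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        $false
    }
}

$summary = Get-SrpSummary
if (-not $summary.Present) { Write-Host 'No SRP configuration found under CodeIdentifiers.'; return }
$summary | Format-List
Write-Host 'Unrestricted rules that cover user-writable folders (each re-opens every designated type there):'
Find-RiskyUnrestrictedRules | Format-Table Level, Pattern, Expanded -AutoSize
```

If the report shows DefaultLevel = Disallowed but an Unrestricted rule on %LOCALAPPDATA% or %ProgramData%, the pre-execution default-deny is intact while the post-exploitation drop path is open, which is exactly the trade-off the post describes. Note that "Basic User" is the level H_C's whitelisting options normally avoid using for these folders; an auditor should treat it as allowed-with-reduced-token rather than as blocked.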
 

Andy Ful

...
HARDENED mode
Configure defender on MAX
The MAX Protection Level in ConfigureDefender is very strong and could work in the scenario of your HARDENED mode. But, these WD settings produce too many false positives due to some ASR rules, like blocking WMI, LSASS, and blocking applications with low prevalence. The last will block many updates if the application is not popular. Also, Controlled Folder Access can give many alerts and false positives.
So, the MAX Protection Level in ConfigureDefender could be used only with the help of an advanced user. In CUP, there are DEFAULT, HIGH, and MAX levels available.
Firewall hardening enable LOLbins block rules.
Software Restriction policies on DISALLOWED, but allow EXE, TMP, MSI and MSU,
Enforcement Skip DLLs, Designated File types default + Windows Script Host + PowerShell,
Block sponsors Script Interpreters + DotNet compilers, Protect Windows Folders ON, Protect shortcuts ON,
Documents Anti-Exploit ON, Block remote access ON, Disable 16-bit ON, Disable SMB ON, Disable Cached Logons ON
These features are included in CUP. Of course, some features can be integrated into one feature to make it simpler. (y)
 

SeriousHoax

Hi Andy, one question. Do you have any experience with WFC? I'm using it in Medium Filtering mode and also added recommended Firewall hardening from Hard Configurator but when I was installing an app with .msi extension, msiexec asked for internet connection but it is already covered by firewall hardening. Is it normal behavior with WFC?
 

Andy Ful

Hi Andy, one question. Do you have any experience with WFC? I'm using it in Medium Filtering mode and also added recommended Firewall hardening from Hard Configurator but when I was installing an app with .msi extension, msiexec asked for internet connection but it is already covered by firewall hardening. Is it normal behavior with WFC?
Unfortunately, I never used WFC.
By the way, did this .msi application install properly despite the firewall blocking of msiexec.exe?
 

Andy Ful

...
I suggest a zero config version with just two settings Default and Hardened mode (like an ON=hardened and OFF=default switch).
...
The problem with ON/OFF simple protection based on restrictions is that it cannot be sufficiently restrictive to be sufficiently strong for most users. If you do not want to adjust it via whitelisting and analyzing security Logs, then everything you can do was already done with SysHardener on default settings. If someone wants something stronger, then he/she has to learn how to whitelist and analyze security Logs.:unsure:
 

bribon77

Hi Andy, one question. Do you have any experience with WFC? I'm using it in Medium Filtering mode and also added recommended Firewall hardening from Hard Configurator but when I was installing an app with .msi extension, msiexec asked for internet connection but it is already covered by firewall hardening. Is it normal behavior with WFC?
I am using WFC together with H_C, when something wants to connect, it alerts me, I think it's normal.
 

ForgottenSeer 823865

If someone wants something stronger, then he/she has to learn how to whitelist and analyze security Logs.:unsure:
That is the recurrent issue security vendors have faced for ages: users requesting (not to say demanding) maximum security without any user interaction, aka "one button to rule them all" LOL
Not happening, sorry.

Maximum security comes from learning and wisely applying knowledge. "This is The Way"
 

Lenny_Fox

@Andy Ful

Sorry, I was totally wrong. First, I mentioned AppData while I intended ProgramData. Secondly, even when I referred to ProgramData, that (hidden) folder is not protected by UAC either. Thirdly, with exe, tmp, msu, msi excluded, all user space folders should not block program execution (except for WD blocking programs with its cloud whitelist).

I had been working long and late on a website, while drinking loads of coffee. When I was ready I played with Access Control Lists (had read about dangers of Owner/Creator rights). Probably fell in my own brain farts, trying to remove full rights for Owner/Creator (I thought I had seen a UAC elevation request when adding something to ProgramData). So I apologize for posting a lot of nonsense in my "thank-you-post-with-never-mind-appdata-remarks" 😔
 

SeriousHoax

I am using WFC together with H_C, when something wants to connect, it alerts me, I think it's normal.
Yeah it's normal of course but since the rule to block msiexec was already there created by firewall hardening in Windows Firewall I thought I wouldn't see any prompt from WFC for that file.
Unfortunately, I never used WFC.
By the way, did this .msi application install properly despite the firewall blocking of msiexec.exe?
The application didn't require any internet connection so it installed fine. Anyway, no problem. I'll manually create firewall hardening rules in WFC.
 

Freki123

@Andy Ful Checked my HC logs and I'm a bit confused:
Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

I didn't change any Defender Settings afaik so it shouldn't be me. EEK/WD scans are clean and since I seemed to search for the wrong terms with my internet search engine my guess would be that WD applied an update and that counts as a change? Windows 10 pro 1809, HC 5.0
 

Andy Ful

@Andy Ful Checked my HC logs and I'm a bit confused:
Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

I didn't change any Defender Settings afaik so it shouldn't be me. EEK/WD scans are clean and since I seemed to search for the wrong terms with my internet search engine my guess would be that WD applied an update and that counts as a change? Windows 10 pro 1809, HC 5.0
Yes, it is the effect related to the WD update. I have got the same alert today.
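The alert quoted above only says that something under the Windows Defender key changed; it does not say what else changed alongside IsServiceRunning. The script below is an added example for this thread (not H_C code and not from either poster): it snapshots every value under HKLM\SOFTWARE\Microsoft\Windows Defender into a JSON baseline on the first run, and on later runs diffs the live registry against that baseline, marking IsServiceRunning as expected noise because, as the reply says, it flips during WD updates. The baseline file location and the noise list are assumptions for the example. Run it from an elevated PowerShell; some subkeys are ACL-protected and are skipped silently.

```powershell
# Added example: baseline-and-diff the Windows Defender registry settings so a
# "configuration has changed" alert can be traced to the actual values.

$defenderKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$baselineFile = Join-Path $env:ProgramData 'defender-baseline.json'   # assumed location

# Values known to change during normal operation (IsServiceRunning toggles
# during WD engine/platform updates). Assumption; extend if you see more noise.
$expectedNoise = @('IsServiceRunning')

function Get-DefenderSnapshot {
    # Flatten the key tree into "subkey\valuename" -> string value.
    $snap = @{}
    $root = Get-Item -Path $defenderKey -ErrorAction Stop
    $keys = @($root) + @(Get-ChildItem -Path $defenderKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $rel = $k.Name -replace '^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\?', ''
        foreach ($name in $k.GetValueNames()) {
            $label = if ($rel) { "$rel\$name" } else { $name }
            # Join multi-string and binary values so everything compares as text
            $snap[$label] = @($k.GetValue($name) | ForEach-Object { "$_" }) -join ','
        }
    }
    return $snap
}

function Compare-DefenderSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    $allNames = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($name in $allNames) {
        $old = $Baseline[$name]
        $new = $Current[$name]
        if ($old -ne $new) {
            $leaf = ($name -split '\\')[-1]
            $changes += [pscustomobject]@{
                Expected = ($expectedNoise -contains $leaf)   # True = known update noise
                Value    = $name
                Old      = $old
                New      = $new
            }
        }
    }
    return $changes
}

$current = Get-DefenderSnapshot
if (-not (Test-Path $baselineFile)) {
    $current | ConvertTo-Json -Depth 2 | Set-Content -Path $baselineFile
    Write-Host "Baseline written to $baselineFile; run again after the next alert."
} else {
    # ConvertFrom-Json yields a PSCustomObject; rebuild a hashtable from it
    $raw = Get-Content -Path $baselineFile -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $raw.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $changes = Compare-DefenderSnapshot -Baseline $baseline -Current $current
    if (-not $changes) {
        Write-Host 'No changes since baseline.'
    } else {
        $changes | Sort-Object Expected, Value | Format-Table Expected, Value, Old, New -AutoSize
        Write-Host 'Expected=True rows are known update noise; review the remaining rows.'
    }
}
```

After a WD update, the expected result is a single Expected=True row for IsServiceRunning (0x0 to 0x1 in the quoted log, which this script shows as 0 and 1). Any Expected=False row, for example a new value under Exclusions or a changed DisableAntiSpyware, is the kind of change the H_C alert text is actually warning about, and is worth checking against what you did yourself.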
 

Andy Ful

MS says not:
"Since deployment, the behavior-based machine learning models have blocked attacker techniques like the following used by attacks in the wild:
  • Credential dumping from LSASS
  • Cross-process injection
  • Process hollowing
  • UAC bypass
  • Tampering with antivirus (such as disabling it or adding the malware as exclusion)
  • Contacting C&C to download payloads
  • Coin mining
  • Boot record modification
  • Pass-the-hash attacks
  • Installation of root certificate
  • Exploitation attempt for various vulnerabilities"
In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks - Microsoft Security

But, malware with an Acronis certificate could probably bypass such detection.(y)
 

oldschool

But, malware with an Acronis certificate could probably bypass such detection.(y)
True, but I don't know exactly what you mean by this. Are you joking? :unsure:

This is kind of worrying though. It would've been better if it was possible to know why Acronis was allowed to do that. Maybe they have a mutual agreement with Microsoft regarding this or something! It's pretty unusual you know.
Stupid question of mine maybe, but did you scan it for malware? :)
 

Andy Ful

This is kind of worrying though. It would've been better if it was possible to know why Acronis was allowed to do that. Maybe they have a mutual agreement with Microsoft regarding this or something! It's pretty unusual you know.
Such an agreement would not be unusual, bearing in mind the reputation of Acronis software. The false-positive could make your system unusable.
 

Andy Ful

True, but I don't know exactly what you mean by this. Are you joking? :unsure:
...
No, I am serious.:)
The file reputation is taken into account in behavior detections. If the file is digitally signed with a reputable certificate, then it is less suspicious compared to an unsigned one. That is true for most AVs.
Of course, the malware cannot look very suspicious to machine learning models.
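Because a valid signature lowers suspicion in most AVs, as the post says, a defender wants to see who actually signed what has landed in the usual drop folders rather than assume "signed" means "fine". The script below is an added example for this thread, not code from Hard_Configurator or the poster: it walks the user's Temp, AppData and ProgramData folders for executables and scripts, checks each one with Get-AuthenticodeSignature, and reports the signature status and signer subject, listing recently written files that are not validly signed first. The folder list, file types and the 7-day window are assumptions made for the example.

```powershell
# Added example: signature inventory of files in user-writable drop folders.
# Shows the signer so the reader can judge it instead of trusting "signed".

$dropLocations = @(
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    $env:APPDATA,
    $env:ProgramData
)   # constructed list of common drop folders, not taken from the thread
$types = '*.exe', '*.dll', '*.scr', '*.msi', '*.ps1', '*.vbs', '*.js', '*.bat', '*.cmd'   # assumption

function Get-SignerReport {
    param([string[]]$Paths, [string[]]$Include, [int]$MaxDepth = 3)
    foreach ($root in $Paths) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Depth $MaxDepth -Include $Include -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path     = $_.FullName
                    # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
                    Status   = $sig.Status
                    Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Modified = $_.LastWriteTime
                }
            }
    }
}

function Get-RecentUnverified {
    param([object[]]$Report, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Not validly signed AND written recently: the rows to look at first
    $Report | Where-Object { $_.Status -ne 'Valid' -and $_.Modified -ge $since } |
        Sort-Object Modified -Descending
}

$report = @(Get-SignerReport -Paths $dropLocations -Include $types)
Write-Host "Scanned $($report.Count) files. Signature status breakdown:"
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

Write-Host 'Recently written files without a valid signature:'
Get-RecentUnverified -Report $report | Format-Table Modified, Status, Path -AutoSize

Write-Host 'Validly signed files grouped by signer (check that each publisher is one you expect):'
$report | Where-Object { $_.Status -eq 'Valid' } | Group-Object Signer |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
```

The last table is the one that matters for the point being discussed: a Status of Valid only proves the file has not been altered since a certificate holder signed it. Whether that holder belongs in your Temp folder is a judgement the grouping by signer makes possible, and a single unfamiliar publisher with one recently written file is a better lead than a pile of unsigned installers.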
 