Hard_Configurator - Windows Hardening Configurator

cryogent

Level 7
Verified
Well-known
Oct 1, 2016
307
Nothing, for sure.(y)
Why do you seek the cause of breaking microSD cards from your phones in your computer? It is most probably related to the phone. I do not think that investigating the Windows Logs could help you. You probably need a low-level disk diagnostic tool.
It would be good to open a new thread about recovering the RAID - there can be several sources of your problem: malware, driver update, driver corruption, hardware failure, etc.
Thank you, I will check for drivers problem.
For malware already tested.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Nothing, for sure.(y)
Why do you seek the cause of breaking microSD cards from your phones in your computer? It is most probably related to the phone. I do not think that investigating the Windows Logs could help you. You probably need a low-level disk diagnostic tool.
It would be good to open a new thread about recovering the RAID - there can be several sources of your problem: malware, driver update, driver corruption, hardware failure, etc.


The mobile applications are Universal Windows Platform apps. They can support AppContainer or not. Most of the known 3rd party Office suites prepared for UWP do not support AppContainer. The free Office Mobile version of Word, Excel, and PowerPoint work in the read mode (blocked macros, OLE, etc.) in AppContainer.
I did not see/test the Microsoft Office Desktop Apps, so I do not know the details. Maybe @Gandalf_The_Grey will help us to know this. :)(y)
1 How can you tell if a certain Windows store app runs in AppContainer?
2 If it doesn't, then it has no particular security advantage over a regular Win32 app?
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Hello. Is this the handiwork of Firewall Hardening Tool? (y)

telemetry optout.PNG
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
If you tell me how to check that, I will do it later today when returning home from work.
  1. Download & unzip Process Explorer:
  2. Run procexp.exe with admin rights.
  3. View >> Select columns >> and tick "Integrity level"
  4. Press <OK>
  5. Run Word
  6. Find winword.exe in Process Explorer and look at the "Integrity" column.
On my computer the free mobile version is in AppContainer:
ProcExp1.png


and the Word from the full MS Office 365 is not (średni = Medium):
ProcExp2.png
 
Last edited:
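
The Process Explorer check described in the post above can also be scripted; the following is an added example, not part of the original post and not Hard_Configurator code. It reads the documented Win32 token classes TokenIsAppContainer and TokenIntegrityLevel; the function name `Get-ProcessSandboxInfo` and the `Native.Tok` type name are made up for this example.

```powershell
# Added example (not from the thread): integrity level and AppContainer flag per process.
Add-Type -Namespace Native -Name Tok -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int returned);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-ProcessSandboxInfo {
    param([string]$Name = 'winword')    # process name taken from the thread's example
    $levels = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'Medium Plus'; 12288 = 'High'; 16384 = 'System' }
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $hProc = [Native.Tok]::OpenProcess(0x1000, $false, $p.Id)    # PROCESS_QUERY_LIMITED_INFORMATION
        if ($hProc -eq [IntPtr]::Zero) { Write-Warning "PID $($p.Id): cannot open process"; continue }
        $hTok = [IntPtr]::Zero; $len = 0
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(256)
        try {
            if (-not [Native.Tok]::OpenProcessToken($hProc, 0x8, [ref]$hTok)) {    # TOKEN_QUERY
                Write-Warning "PID $($p.Id): cannot open token"; continue
            }
            # TokenIsAppContainer (29) returns a DWORD, non-zero for an AppContainer token.
            if (-not [Native.Tok]::GetTokenInformation($hTok, 29, $buf, 4, [ref]$len)) { continue }
            $isAppContainer = [Runtime.InteropServices.Marshal]::ReadInt32($buf) -ne 0
            # TokenIntegrityLevel (25) returns TOKEN_MANDATORY_LABEL; its first field points to the label SID.
            if (-not [Native.Tok]::GetTokenInformation($hTok, 25, $buf, 256, [ref]$len)) { continue }
            $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidPtr
            $rid = [int]$sid.Value.Split('-')[-1]    # last sub-authority, e.g. 8192 in S-1-16-8192
            $level = $levels[$rid]
            [pscustomobject]@{
                PID          = $p.Id
                Name         = $p.ProcessName
                Integrity    = if ($level) { $level } else { "RID $rid" }
                AppContainer = $isAppContainer
            }
        } finally {
            [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
            if ($hTok -ne [IntPtr]::Zero) { $null = [Native.Tok]::CloseHandle($hTok) }
            $null = [Native.Tok]::CloseHandle($hProc)
        }
    }
}

Get-ProcessSandboxInfo -Name winword
```

An AppContainer token carries a Low integrity label, so a sandboxed process reports `Integrity = Low` with `AppContainer = True`, where Process Explorer shows "AppContainer" in its Integrity column.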


plat

Level 29
Top Poster
Sep 13, 2018
1,793
Is this the same problem as below?

Oh shoot, I forgot, yes it is. Therefore I won't bother you with the logs. I took a look at the logs, it is blocking outbound requests from primarily Edge.dev, compattelrunner and ServiceHost, once also from rundll32.exe. :sneaky:

Sorry about that. You were right, oldschool, nothing to do with it.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,572
You have the "Microsoft Office Desktop Apps" with Office 365 license. This is the full Mobile version of Microsoft Office sometimes preinstalled on laptops. I did not test it.

You can check if DocumentsAntiExploit works by setting it to ON1 and looking at Word options:
Options >> Trust Center >> Trust Center Settings >> Macro settings
The option "Disable all macros without notification" should be ticked.
No, DocumentsAntiExploit is not working, ON1 didn't change that setting:

Aantekening 2020-01-14 182734.jpg


And winword.exe doesn't run in AppContainer:

Aantekening 2020-01-14 183057.jpg


The only advantages I see are no extra click and run processes and updates through the Microsoft Store.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
No, DocumentsAntiExploit is not working, ON1 didn't change that setting:

And winword.exe doesn't run in AppContainer:

The only advantages I see are no extra click and run processes and updates through the Microsoft Store.
It is possible that Windows Policies will work (the ON2 setting). But this should be checked on a document with a macro, because the policy settings are not visible in MS Office 365. Do you have any document with a macro?
If not, then you can download one from the WD demo webpage:
Open it, allow Edit, but do not allow macros in Word (you can but it is not necessary).
If you see the yellow alert that the macros are disabled, or if cmd.exe starts, then the policies do not work.
If nothing happens, then the policies work.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,572
It is possible that Windows Policies will work (the ON2 setting). But this should be checked on a document with a macro, because the policy settings are not visible in MS Office 365. Do you have any document with a macro?
If not, then you can download one from the WD demo webpage:
Open it, allow Edit, but do not allow macros in Word (you can but it is not necessary).
If you see the yellow alert that the macros are disabled, or if cmd.exe starts, then the policies do not work.
If nothing happens, then the policies work.
ON2 does work.
With off I get the yellow alert.
With ON2 no alert, nothing happens.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
Gandalf_The_Grey,
My Word Mobile requires an Internet connection for some actions. For example, online services are required to open some documents (conversion needed), etc.

Word-Mobile_14.png


Do your MS Office apps require an Internet connection for similar actions?
Can you manually add the rule for Winword.exe via FirewallHardening (<Add Rule> green button)?
I can do it for Word Mobile:

FHMSO.png
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,572
Gandalf_The_Grey,
My Word Mobile requires an Internet connection for some actions. For example, online services are required to open some documents (conversion needed), etc.

View attachment 232159

Do your MS Office apps require an Internet connection for similar actions?
Can you manually add the rule for Winword.exe via FirewallHardening (<Add Rule> green button)?
I can do it for Word Mobile:

View attachment 232160
I think internet access is needed for auto-saving on OneDrive, so I won't block it, but it's very easy to do.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Actually, this feature is still present in build 19541.1000, the latest Insider build. Whether it's enabled or not depends.

This is a more obscure area that needs to be checked by the administrator or have something like H_C take care of. I cleared the check boxes because SMB1 was actually enabled by default back in v. 1903 or thereabouts and prior. I also switch off Internet Explorer here plus other features I don't want running in the background. (Control Panel\Programs and Features\Turn Windows features on or off) (y)

windows features.PNG
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,102
It would be good to allow %temp% which is mostly needed by program installations and would be easier than first adding a path whitelist and then removing it again.

There is this profile: Windows10_Security_MT (or whatever it's called) which allows exe and temp files to run. This is a H_C profile and isn't a switch.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
Yes, I think it's part of the recommended settings?
Why do you ask this?
Because it probably does not work for your UWP version of MS Office.
So, if you set DocumentsAntiExploit tool to OFF and the H_C <DocumentsAntiExploit> = 'Adobe + VBA' then the macro in the test document will not be (probably) blocked.:(
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
...
In the SwitchDefaultDeny tool it would be good to allow %temp% which is mostly needed by program installations and would be easier than first adding a path whitelist and then removing it again.
You do not need to whitelist anything when installing most applications (see "Run As SmartScreen") on an Administrator account. Whitelisting is necessary to run applications already installed in UserSpace (for example in %UserProfile%). The SwitchDefaultDeny tool can be used on SUA to install applications in UserSpace, because you cannot use "Run As SmartScreen" to bypass SRP.

Anyway, in the new H_C version, the Recommended Settings on Windows 8+ will include something similar - the folders Appdata and ProgramData will allow EXE and MSI files.

Second, I wonder why disable SMB 1 is listed in "more restrictions". SMB 1 isn't any longer available in Windows 10 since last year if I remember correctly.
If you upgrade to the new Windows 10 version, the SMB settings do not change.

Also wow. Awesome tool!
Thanks.(y)
 
