Andy Ful

Level 52
Verified
Trusted
Content Creator
It would be awesome if the following Windows features can be added to your tool:
Memory integrity (HVCI) - can be configured with registry
This feature will block many drivers. The user also cannot use virtual machines (VirtualBox, VMware, etc.). It can be easily turned ON from the Windows Security Center (it is part of Core isolation). It requires hardware support.
The user also cannot use virtual machines. It can be easily turned ON from the Windows Security Center (it is part of Core isolation). It requires hardware support. There were serious issues reported.
enable sandboxing for Windows Defender Antivirus
It is not finished. Why doesn't Microsoft turn it ON by default? It is so important for security.
enforce DEP (Data Execution Prevention) for all processes and not only for system which is default.
This setting can break many 32-bit applications. For 64-bit applications, DEP is turned ON by default on Windows 10. It can be easily turned ON (for a concrete application) from the Windows Security Center (Windows Defender Exploit Protection).

So, I will wait until these features are more mature or less problematic. (y)
It is probable that some of them will be included in WD Tamper protection, and then I will not include these features in H_C.
 

Andy Ful

Level 52
Verified
Trusted
Content Creator
I wonder if this 1-year-old "unpredictable and exotic bug" issue is fixed.
I think so. The problem is that Windows 10 security evolves too quickly. Even without these low-level security features, there are still problems with Windows Updates.
Anyway, all Core Isolation features are important in enterprises. For example, System Guard Secure Launch is directed to protect the system against abused firmware drivers, because they are not protected by standard security solutions.
 

Andy Ful

Level 52
Verified
Trusted
Content Creator
@Andy Ful did you plan to disable the Windows internal EFS feature due to the new ransomware?
...
I do not know. If this feature is not required then it should be disabled.
But, this feature does not work on Windows Home (EFS service is disabled by default) and most AVs including WD will detect this method very soon. It will not be especially popular in widespread attacks. Furthermore, the H_C Recommended Settings already prevents ransomware delivery or execution.
This service can be used by some applications that encrypt files/folders so I am not sure if it would be safe to disable it.
 

SeriousHoax

Level 18
Verified
Malware Tester
It would be fine if the website could work on mobile devices too, but it is probably not a big issue because H_C does not support mobile devices. That is why no one reported such a problem until now. :)
Btw, I have 3rd party scripts disabled and when I load the site it doesn't show anything for about 10 seconds every time I load the page, but if I enable the script it loads instantly. Is this what Google shamelessly does to AMP sites when the script is disabled? I may have read somewhere a year ago about this 10-second delay. I can understand images not loading since the script is blocked, but the 10-second delay is bad.
 

Andy Ful

Level 52
Verified
Trusted
Content Creator
Btw, I have 3rd party scripts disabled and when I load the site it doesn't show anything for about 10 seconds every time I load the page, but if I enable the script it loads instantly. Is this what Google shamelessly does to AMP sites when the script is disabled? I may have read somewhere a year ago about this 10-second delay. I can understand images not loading since the script is blocked, but the 10-second delay is bad.
The browser probably does not recognize that the script is blocked and gives it some time to load. I think that there is an option somewhere in the browser that allows the website to load without waiting for scripts.
 

Andy Ful

Level 52
Verified
Trusted
Content Creator
Yes, you're right. Just now I found another example and it only happens to sites which are dependent on cdn.ampproject.org, so based on AMP of Google. Some sites give a warning like this but not on your site.
View attachment 232802
Anyway, no problem.
I think that @askalan, who is the creator of the H_C website, knows the details of the blocked script. :) (y)
 

shmu26

Level 84
Verified
Trusted
Content Creator
H_C in any predefined profile (except All_OFF) blocks shortcuts in UserSpace (also for USB drives), except some whitelisted locations on hard disk like Desktop, Start Menu, etc.
Shortcuts are blocked when SRP is set properly:
  1. <(Re)Install SRP> = Installed
  2. LNK extension is on <Designated File Types>
  3. <Default Security Level> = Disallowed
  4. <Enforcement> = Skip Dlls (also All Files)
  5. <More SRP ...> <Protect Shortcuts> = ON
People who do not like default-deny setup can use the predefined profile: Windows_10_MT_Windows_Security_hardening
which works similarly to SysHardener settings, but additionally blocks shortcuts, more file extensions, and some dangerous sponsors (mshta.exe, mstsc.exe, wmic.exe).
If the user needs to run unsigned applications with elevation or install/update unsigned applications, then the option <Validate Admin C.S.> must be set to OFF.

You may be sure that shortcuts are blocked by creating a shortcut on a USB drive (or anywhere in the UserSpace) and trying to run it.
This is a little late, but I think I figured out why SRP wasn't working on the wife's laptop. There is a user account on that computer that is a member of Microsoft Family. You already told me that Microsoft Family interferes with SRP.
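
An added example, not part of the thread and not H_C's own code: a PowerShell check of the standard Windows SRP policy values behind steps 1 to 4 of the quoted list. It assumes the policy lives under the usual machine-wide `Safer\CodeIdentifiers` key; the function name and the sample object are made up for illustration, and the H_C-specific <Protect Shortcuts> option is not checked.

```powershell
# Added example: audit the Windows SRP policy values that decide whether .lnk files are blocked.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Test-SrpShortcutPolicy {          # hypothetical helper name
    param([Parameter(Mandatory)] $Policy)  # object exposing the SRP registry values
    $findings = @()

    # DefaultLevel: 0x0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    if ($null -eq $Policy.DefaultLevel) {
        $findings += 'DefaultLevel is not set'
    } elseif ($Policy.DefaultLevel -ne 0) {
        $findings += ('Default Security Level is 0x{0:X}, not Disallowed' -f [int]$Policy.DefaultLevel)
    }

    # TransparentEnabled: 0 = no enforcement, 1 = all files except DLLs, 2 = all files
    if ($Policy.TransparentEnabled -notin 1, 2) {
        $findings += "Enforcement (TransparentEnabled) is '$($Policy.TransparentEnabled)', expected 1 or 2"
    }

    # ExecutableTypes is the Designated File Types list (REG_MULTI_SZ, extensions without a dot)
    if ($Policy.ExecutableTypes -notcontains 'LNK') {
        $findings += 'LNK is not on the Designated File Types list'
    }
    return $findings
}

# Constructed sample (not taken from a real machine): a policy that would let shortcuts run.
$sample = [pscustomobject]@{
    DefaultLevel       = 0x40000
    TransparentEnabled = 0
    ExecutableTypes    = @('EXE', 'MSI')
}
Test-SrpShortcutPolicy -Policy $sample | ForEach-Object { "sample: $_" }

# Live check against the local machine policy, if one exists.
if (Test-Path $SrpKey) {
    $live = @(Test-SrpShortcutPolicy -Policy (Get-ItemProperty -Path $SrpKey))
    if ($live.Count -eq 0) { 'live: SRP values are consistent with blocking shortcuts' }
    else { $live | ForEach-Object { "live: $_" } }
} else {
    'live: no machine-wide SRP policy key found'
}
```

Correct registry values only show what the policy asks for; running a test shortcut from a USB drive, as described above, is what shows whether SRP is actually enforcing it.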
 

RKRN3

Level 3
Verified
Yes, you're right. Just now I found another example and it only happens to sites which are dependent on cdn.ampproject.org, so based on AMP of Google. Some sites give a warning like this but not on your site.
View attachment 232802
Anyway, no problem.
You can use this extension to bypass AMP sites and open the full site.
 

Andy Ful

Level 52
Verified
Trusted
Content Creator
This is a little late, but I think I figured out why SRP wasn't working on the wife's laptop. There is a user account on that computer that is a member of Microsoft Family. You already told me that Microsoft Family interferes with SRP.
Yes, and SRP will not work even if you remove this account. I tried this and the only method is refreshing Windows.
 

shmu26

Level 84
Verified
Trusted
Content Creator
Yes, and SRP will not work even if you remove this account. I tried this and the only method is refreshing Windows.
That's not always necessary. I fixed it one time just by removing the user from Microsoft family.