Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
Hard_Configurator can also mitigate Wannacry with the option <Disable Command Prompt> = ON, because the malware uses cmd.exe to get persistence and delete the volume shadow copies.
WCry/WanaCry Ransomware Technical Analysis | Endgame

The attack can be stopped by <Block Remote Access> = ON, if the attacker tries to use Remote Shell or Remote Desktop.

Edit1
I corrected my post by removing the info about @WanaDecryptor@.exe - I am not convinced, if it is the encrypting executable.

Edit2
Home users can be infected by Wannacry by running the malware executable.
Hard_Configurator with recommended settings (SRP + <Run As SmartScreen> = Administrator) will stop Wannacry execution by the user, due to forced SmartScreen.
 

Andy Ful

After reading some technical analyses of EternalBlue & DoublePulsar worm (used in the WannaCry attack) I should change my opinion, and admit that it cannot be stopped by SRP or anti-exe.
It is still true that Hard_Configurator with recommended settings (SRP + <Run As SmartScreen> = Administrator) will stop Wannacry execution by the user, due to forced SmartScreen. Furthermore, home users are still well protected, because the home networks are typically under the NAT, and the worm uses port 445 that is closed by default.
The problem arises when the computer is connected to the big local network. See also:
Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?

EDIT
The users who frequently update the system are also protected, because Microsoft released the patch many days before the EternalBlue & DoublePulsar worm attack (in the wild).
 

Andy Ful

The WannaCry attacks forced me to rethink the problem of remote attacks in local and public networks. Hard_Configurator was built for home users (desktop computers), who typically do not use such networks. So, I missed the users with laptops. :(
I think that it would be sensible to add more options, which could be used temporarily, outside the home network. For example:
  1. Disabling SMB1,2,3.
  2. Blocking Sponsors in whitelisted folders (55 executables from Bouncer list)
I would appreciate any ideas from MalwareTips members. :)
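
An added example, not part of the original post or of Hard_Configurator: a read-only PowerShell check of whether the SMB server is enabled and allowed inbound on TCP 445 for the network the machine is connected to right now, which is the situation the proposed temporary option is meant for. It assumes Windows 8 / Server 2012 or later and an elevated PowerShell session; the output column names are made up for this illustration.

```powershell
# Added example (not from the thread). Read-only: it changes no settings.
$smb       = Get-SmbServerConfiguration
$listening = [bool](Get-NetTCPConnection -State Listen -LocalPort 445 -ErrorAction SilentlyContinue)

# Enabled inbound allow rules whose port filter names TCP 445 explicitly
# (rules written as a port range are not matched by this simple check).
$allow445 = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

# Firewall profile name that corresponds to each network category
$profileFor = @{ Public = 'Public'; Private = 'Private'; DomainAuthenticated = 'Domain' }

Get-NetConnectionProfile | ForEach-Object {
    $fwProfile = $profileFor["$($_.NetworkCategory)"]
    # Keep only the rules that apply to this connection's firewall profile
    $matching  = @($allow445 | Where-Object { "$($_.Profile)" -match "Any|$fwProfile" })

    [pscustomobject]@{
        Interface             = $_.InterfaceAlias
        Category              = $_.NetworkCategory
        SMB1Enabled           = $smb.EnableSMB1Protocol
        SMB2And3Enabled       = $smb.EnableSMB2Protocol   # one switch covers SMB2 and SMB3
        Port445Listening      = $listening
        AllowRulesFor445      = $matching.Count
        Port445AllowedInbound = ($listening -and $matching.Count -gt 0)
    }
}
```

A row with Category = Public and Port445AllowedInbound = True is the laptop-on-a-foreign-network case discussed above.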
 

Andy Ful

I have just finished adding executables from the Bouncer blacklist. But, blocking over 50 executables, even temporarily, requires some testing. I am going to block them on my test machine and test for a period of one month. If the tests go well, then the final version will be released in July. :)
 

Andy Ful

I registered the Hard_Configurator site in Norton Safe Web, and now can read the below info in my profile:

Please note that github.com/andyful/... is part of github.com. Because of this, the rating that you see next to your site name may be the inherited rating from github.com. Your site github.com/andyful/... will be eligible for independent rating at a later time.


So, it seems that it can take some time. :)
 

Andy Ful

The test of Hard_Configurator on Windows Vista (SP1) with disabled SMB and blacklisted 57 executables based on Bouncer blacklist.

With the above (maximum) Hard_Configurator settings, Windows was updated (60 updates), and then upgraded from SP1 to SP2. All installed successfully. SRP blocked only one executable from the Bouncer blacklist (without any visible issues): regsvr32.exe.

Edit
Windows Vista installed on VirtualBox.
 

Andy Ful

Please, bear in mind that the above test says nothing about blocking those 57 executables in Bouncer or another program.
Hard_Configurator uses Windows built-in Software Restriction Policies with "All users except local administrators" set to ON. So, the system tasks started with Administrative or higher rights can execute any executable from the SRP blacklist. That is not true in Bouncer and other programs.
 

Andy Ful

The test of Hard_Configurator on Windows 7 with disabled SMB and blacklisted 57 executables based on Bouncer blacklist.

With the above (maximum) Hard_Configurator settings, Windows was updated (220 updates). All installed successfully. I had to change Windows 'Task Bar' settings to 'ALWAYS SHOW ALL ICONS AND NOTIFICATIONS IN THE TASK BAR', because if the update icon is not visible on the 'Task Bar' some updates will fail (error 80243004).
https://support.microsoft.com/en-us...pdate-fails-with-error-0x80243004-or-80243004

After this I checked the Windows Events using <Tools> - <Run SRP/Scripts Event Log View> from Hard_Configurator. SRP blocked only two executables from the Bouncer blacklist (without any visible issues): regsvr32.exe and runonce.exe.


Edit1
Windows 7 installed on the desktop computer.
Edit2
SRP blocked the update of NVIDIA driver (graphic card), so I had to install it manually, using 'Run as administrator' from Explorer context menu.
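
An added example, not part of the original post and not Hard_Configurator's own log viewer: the same "what did SRP block during the test" review done from PowerShell, grouping Software Restriction Policies block events by executable name. It assumes PowerShell 3.0 or later, a 30-day window chosen for illustration, and that the first event property holds the blocked path (as in the event text "Access to <path> has been restricted ...").

```powershell
# Added example (not from the thread). SRP writes its block events to the
# Application log; IDs 865-868 and 882 are the "access restricted" events.
$srpIds = 865, 866, 867, 868, 882
$since  = (Get-Date).AddDays(-30)   # assumed test window

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = $srpIds
    StartTime    = $since
} -ErrorAction SilentlyContinue      # no matching events is not an error here

$blocked = foreach ($e in $events) {
    # Assumption: property 0 is the path of the blocked file
    $path = [string]$e.Properties[0].Value
    if (-not $path) { continue }
    [pscustomobject]@{
        Time = $e.TimeCreated
        Id   = $e.Id
        Exe  = (Split-Path -Leaf $path).ToLower()
        Path = $path
    }
}

# One row per executable: how often it was blocked, from where, and when last
$blocked |
    Group-Object Exe |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Exe      = $_.Name
            Blocks   = $_.Count
            Paths    = ($_.Group.Path | Sort-Object -Unique) -join '; '
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    }
```

On a test like the one above, entries such as regsvr32.exe and runonce.exe would appear as rows, which makes it easy to compare runs before deciding whether a blacklisted executable can stay blocked.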
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Hey @Andy Ful just wanted to let you know, Yandex browser identifies HC being downloaded as malicious and modifies the extension of the downloaded file (to ".infected") without providing options.
Yandex browser (Chromium +...) uses its own Yandex cloud to analyse/verify parts of downloaded zips/executables. You might want to contact them about this blocking.
 

Andy Ful

The test of Hard_Configurator on Windows 8, 8.1 and 10 - with disabled SMB and blacklisted 57 executables based on Bouncer blacklist.

Windows Pro: 8, 8.1, and 10 (1607) were installed on VirtualBox.

Windows 8 - 159 updates, all installed successfully - blocked only regsvr32.exe, without any visible issues.
Windows 8.1 - 211 updates, all installed successfully - no blacklisted executables were blocked.
Windows 10 - 6 updates, all installed successfully except one - no blacklisted executables were blocked.
After all updates in Windows 10, the system shows that it is fully updated.
 

Andy Ful

Final conclusion about applying the Bouncer Blacklist in Hard_Configurator.

Permanently blocking over 50 executables from the System Space seems to be a bad idea. But surprisingly, the impact on the system is very low. This follows from the fact that Windows system processes (Windows Updates, Scheduled System Tasks) prefer to operate with elevation of privileges, safely bypassing SRP configured by Hard_Configurator.

I think that introducing the <Block Sponsors> option in Hard_Configurator will be a good idea to temporarily block vulnerable executables from the System Space, when using the laptop connected to the public network.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful

Great work. When you change something on your system you need elevated rights. This is the reason why Basic User as default level (for all users except for Admin) is a baseline for hardening (at least when registry patch "MSI run as Administrator" is also implemented).

Same applies with setting UAC to block unsigned elevation. 99% of legitimate applications are signed (and only 5% of malware is signed), so chances of running into trouble are very slim.
 

Andy Ful

That would be a good idea to add 'block unsigned elevation' setting to Hard_Configurator. :)
I configured some computers with this setting by registry tweak. But, that must wait until Hard_Configurator is signed itself, because it requires elevation to run. :(
 

509322

Final conclusion about applying the Bouncer Blacklist in Hard_Configurator.

Permanently blocking over 50 executables from the System Space seems to be a bad idea. But surprisingly, the impact on the system is very low.

I think that introducing the <Block Sponsors> option in Hard_Configurator will be a good idea to temporarily block vulnerable executables from the System Space, when using the laptop connected to the public network.

One will find that disabling those processes permanently rarely affects the system. And a block of one does not break anything permanently either. On one test system that has been running for over a year with those recommended set to disabled, I've only had to re-enable a few temporarily and one permanently.

It's very low maintenance, very low problems, but a very high protection strategy.
 

Andy Ful

Thanks for the confirmation. :) I was especially afraid of breaking Windows updates. They can break easily, and sometimes, it is hard to find the fix.
 