Hard_Configurator - Windows Hardening Configurator
- Thread starter Andy Ful
- Start date
Hard_Configurator can also mitigates Wannacry with the option <Disable Command Prompt> = ON , because the malware uses cmd.exe to get persistence and delete the volume shadow copies.
WCry/WanaCry Ransomware Technical Analysis | Endgame
The attack can be stopped by <Block Remote Access> = ON, if the attacker tries to use Remote Shell or Remote Desktop.
Edit1
I corrected my post by removing the info about @WanaDecryptor@.exe - I am not convinced, if it is the encrypting executable.
Edit2
Home users can be infected by Wannacry by running the malware executable.
Hard_Configurator with recommended settings (SRP + <Run As SmartScreen> = Administrator) will stop Wannacry execution by the user, due to forced SmartScreen.
WCry/WanaCry Ransomware Technical Analysis | Endgame
The attack can be stopped by <Block Remote Access> = ON, if the attacker tries to use Remote Shell or Remote Desktop.
Edit1
I corrected my post by removing the info about @WanaDecryptor@.exe - I am not convinced, if it is the encrypting executable.
Edit2
Home users can be infected by Wannacry by running the malware executable.
Hard_Configurator with recommended settings (SRP + <Run As SmartScreen> = Administrator) will stop Wannacry execution by the user, due to forced SmartScreen.
Last edited:
After reading some technical analyses of EternalBlue & DoublePulsar worm (used in the WannaCry attack) I should change my opinion, and admit that it cannot be stopped by SRP or anti-exe.
It is still true that Hard_Configurator with recommended settings (SRP + <Run As SmartScreen> = Administrator) will stop Wannacry execution by the user, due to forced SmartScreen. Furthermore, home users are still well protected, because the home networks are typically under the NAT, and the worm uses port 445 that is closed by default.
The problem arises when the computer is connected to the big local network. See also :
Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?
EDIT
The users that frequently update the system, are also protected, because Microsoft released the patch, many days before the EternalBlue & DoublePulsar worm attack (in the wild).
It is still true that Hard_Configurator with recommended settings (SRP + <Run As SmartScreen> = Administrator) will stop Wannacry execution by the user, due to forced SmartScreen. Furthermore, home users are still well protected, because the home networks are typically under the NAT, and the worm uses port 445 that is closed by default.
The problem arises when the computer is connected to the big local network. See also :
Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?
EDIT
The users that frequently update the system, are also protected, because Microsoft released the patch, many days before the EternalBlue & DoublePulsar worm attack (in the wild).
Last edited:
The WannaCry attacks forced me to rethink the problem of remote attacks in local and public networks. Hard_Configurator was built for home users (desktop computers), who typically do not use such networks. So, I missed the users with laptops. 
I think that it would be sensible to add more options, which could be used temporarily, outside the home network. For example:
I think that it would be sensible to add more options, which could be used temporarily, outside the home network. For example:
- Disabling SMB1,2,3.
- Blocking Sponsors in whitelisted folders (55 executables form Bouncer list)
Last edited:
- Apr 18, 2016
- 3,676
- 28,872
- 4,599
hello @Andy Ful I try to visit you github and it was blocked by norton safe web
Report for github.com/AndyFul | Norton Safe Web
you can contact them to remove this block
Report for github.com/AndyFul | Norton Safe Web
you can contact them to remove this block
Thanks.
Thanks.
hello @Andy Ful I try to visit you github and it was blocked by norton safe web
Report for github.com/AndyFul | Norton Safe Web
you can contact them to remove this block
Thanks.
I have just finished adding executables from the Bouncer blacklist. But, blocking over 50 executables, even temporarily, requires some testing. I am going to block them on my test machine and test for a period of one month. If the tests will go well, then the final version will be released in July.
I registered the Hard_Configurator site in Norton Safe Web, an now can read the below info in my profile:
Please note that github.com/andyful/... is part of github.com. Because of this, the rating that you see next to your site name may be the inherited rating from github.com. Your site github.com/andyful/... will be eligible for independent rating at a later time.
So, it seems that it can take some time.
Please note that github.com/andyful/... is part of github.com. Because of this, the rating that you see next to your site name may be the inherited rating from github.com. Your site github.com/andyful/... will be eligible for independent rating at a later time.
So, it seems that it can take some time.
The test of Hard_Configurator on Windows Vista (SP1) with disabled SMB and blacklisted 57 executables based on Bouncer blacklist.
With the above (maximum) Hard_Configurator settings the Windows was updated (60 updates), and then upgraded from SP1 to SP2. All installed successfully. SRP blocked only one executable from the Bouncer blacklist (without any visible issues): regsvr32.exe .
Edit
Windows Vista installed on VirtualBox.
With the above (maximum) Hard_Configurator settings the Windows was updated (60 updates), and then upgraded from SP1 to SP2. All installed successfully. SRP blocked only one executable from the Bouncer blacklist (without any visible issues): regsvr32.exe .
Edit
Windows Vista installed on VirtualBox.
Please, bear in mind that the above test says nothing about blocking those 57 executables in Bouncer or another program.
Hard_Configurator uses Windows built-in Software Restriction Policies with "All users except local administrators" set to ON. So, the system tasks started with Administrative or higher rights, can execute any executable from SRP blacklist. That is not true in Bouncer and other programs.
Hard_Configurator uses Windows built-in Software Restriction Policies with "All users except local administrators" set to ON. So, the system tasks started with Administrative or higher rights, can execute any executable from SRP blacklist. That is not true in Bouncer and other programs.
The test of Hard_Configurator on Windows 7 with disabled SMB and blacklisted 57 executables based on Bouncer blacklist.
With the above (maximum) Hard_Configurator settings the Windows was updated (220 updates). All installed successfully. I had to change Windows 'Task Bar' settings to 'ALWAYS SHOW ALL ICONS AND NOTIFICAITONS IN THE TASK BAR', because if the update icon is not visible on the 'Task Bar' some updates will fail (error 80243004).
https://support.microsoft.com/en-us...pdate-fails-with-error-0x80243004-or-80243004
After this I checked the Windows Events using <Tools> - <Run SRP/Scripts Event Log View> from Hard_Configurator. SRP blocked only two executables from the Bouncer blacklist (without any visible issues): regsvr32.exe and runonce.exe .
Edit1
Windows 7 installed on the desktop computer.
Edit2
SRP blocked the update of NVIDIA driver (graphic card), so I had to install it manually, using 'Run as administrator' from Explorer context menu.
With the above (maximum) Hard_Configurator settings the Windows was updated (220 updates). All installed successfully. I had to change Windows 'Task Bar' settings to 'ALWAYS SHOW ALL ICONS AND NOTIFICAITONS IN THE TASK BAR', because if the update icon is not visible on the 'Task Bar' some updates will fail (error 80243004).
https://support.microsoft.com/en-us...pdate-fails-with-error-0x80243004-or-80243004
After this I checked the Windows Events using <Tools> - <Run SRP/Scripts Event Log View> from Hard_Configurator. SRP blocked only two executables from the Bouncer blacklist (without any visible issues): regsvr32.exe and runonce.exe .
Edit1
Windows 7 installed on the desktop computer.
Edit2
SRP blocked the update of NVIDIA driver (graphic card), so I had to install it manually, using 'Run as administrator' from Explorer context menu.
Last edited:
Hey @Andy Ful just wanted to let you know, Yandex browser identifies HC being downloaded as malicious and modifies the extension of the downloaded file (to ".infected") without providing options.
Yandex browser (Chromium +...) uses its own Yandex cloud to analyse/verify parts of downloaded zips/executables. You might want to contact them about this blocking.
Yandex browser (Chromium +...) uses its own Yandex cloud to analyse/verify parts of downloaded zips/executables. You might want to contact them about this blocking.
The test of Hard_Configurator on Windows 8, 8.1 and 10 - with disabled SMB and blacklisted 57 executables based on Bouncer blacklist.
Windows Pro: 8, 8.1, and 10 (1607) were installed on VirtualBox.
Windows 8 - 159 updates, all installed successfully - blocked only regsrv32.exe, without any visible issues.
Windows 8.1 - 211 updates, all installed successfully - no blacklisted executables were blocked.
Windows 10 - 6 updates, all installed successfully except one - no blacklisted executables were blocked.
After all updates in Windows 10, the system shows that it is fully updated.
Windows Pro: 8, 8.1, and 10 (1607) were installed on VirtualBox.
Windows 8 - 159 updates, all installed successfully - blocked only regsrv32.exe, without any visible issues.
Windows 8.1 - 211 updates, all installed successfully - no blacklisted executables were blocked.
Windows 10 - 6 updates, all installed successfully except one - no blacklisted executables were blocked.
After all updates in Windows 10, the system shows that it is fully updated.
Final conclusion about applying the Bouncer Blacklist in Hard_Configurator.
Permanently blocking over 50 executables from the System Space, seems to be a bad idea. But surprisingly, the impact to the system is very low. This follows from the fact, that Windows system processes (Windows Updates, Scheduled System Tasks) prefer to operate with elevation of privileges, safely bypassing SRP configured by Hard_Configurator.
I think, that introducing <Block Sponsors> option in Hard_Configurator, will be a good idea to block temporarily vulnerable executables from the System Space, when using the laptop connected to the public network.
Permanently blocking over 50 executables from the System Space, seems to be a bad idea. But surprisingly, the impact to the system is very low. This follows from the fact, that Windows system processes (Windows Updates, Scheduled System Tasks) prefer to operate with elevation of privileges, safely bypassing SRP configured by Hard_Configurator.
I think, that introducing <Block Sponsors> option in Hard_Configurator, will be a good idea to block temporarily vulnerable executables from the System Space, when using the laptop connected to the public network.
@Andy Ful
Great work. When you change something on your system you need elevated rights. This is the reason why Basic User as default level (for all users except for Admin) is a baseline for hardening (at least when registry patch "MSI run as Administrator" is also implemented).
Same applies wih setting UAC to block unsigned elevation. 99% of legitimate applications are signed (and only 5% of malware is signed), so changes of running into trouble are very slim.
Great work. When you change something on your system you need elevated rights. This is the reason why Basic User as default level (for all users except for Admin) is a baseline for hardening (at least when registry patch "MSI run as Administrator" is also implemented).
Same applies wih setting UAC to block unsigned elevation. 99% of legitimate applications are signed (and only 5% of malware is signed), so changes of running into trouble are very slim.
That would be a good idea to add 'block unsigned elevation' setting to Hard_Configurator.
I configured some computers with this setting by registry tweak. But, that must wait, until Hard_Configurator will be signed itself, because it requires elevation to run.
I configured some computers with this setting by registry tweak. But, that must wait, until Hard_Configurator will be signed itself, because it requires elevation to run.
5
509322
One will find that disabling those processes permanently rarely affects the system. And a block of one does not break anything permanently either. On one test system that has been running for over a year with those recommended set to disabled, I've only had to re-enable a few temporarily and one permanently.
It's very low maintenance, very low problems, but a very high protection strategy.
You may also like...
-
-
FAI Tells It Like It Is - Microsoft's Wonky Default Deny Roadmaps, Users as Guinea Pigs, "Dilemmas and Paradoxes," and Why SRP Remains King
- Started by ForgottenSeer 114717
- Replies: 44
-
Microsoft testing Windows 11 batch file security improvements- Started by Parkinsond
- Replies: 0
-
CrySome RAT : An Advanced Persistent .NET Remote Access Trojan- Started by Khushal
- Replies: 3
-
