Hard_Configurator - Windows Hardening Configurator

Andy, I am getting a few of these lately
Code:
Access to C:\WINDOWS\System32\Wbem\wmic.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3155} placed on path Wmic.exe.
Any idea what might be trying to use Wmic?
Is it possibly connected to Office 365?
Because Office stopped working this morning, I am in the middle of an online repair of it right now.
Maybe it uses Wmic to validate itself, or something?
It is Office 365 ProPlus.
 
Sometimes, the wmic.exe is used in scripts to uninstall MS Office applications, for example:
wmic product where name="<PROGRAM NAME HERE>" call uninstall /nointeractive

It can also be useful to get information about the system and installed applications, updates, etc.:
Code:
wmic product where "Name like '%office%'" get Name, IdentifyingNumber, PackageName, Vendor
wmic qfe list > InstalledUpdatesList.txt
 
Ah, yes, I uninstalled and reinstalled Office, so that must have been it. Thanks!
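
To narrow down what triggers a block like the one quoted at the top of this thread, it helps to see when the blocks cluster, for example around an Office repair. The following is an added example, not part of the original posts or of Hard_Configurator: it parses messages in the quoted format from a text export and groups them into bursts per blocked file. The `<timestamp> | <message>` export layout, the timestamps and the second rule are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message format of the SRP path-rule block quoted in the post above.
MSG = ("Access to {} has been restricted by your Administrator by location "
       "with policy rule {} placed on path {}.")
SRP_BLOCK = re.compile(
    r"Access to (?P<target>.+?) has been restricted by your Administrator "
    r"by location with policy rule (?P<rule>\{[0-9a-fA-F-]{36}\}) "
    r"placed on path (?P<rule_path>.+?)\.?$")

# Constructed sample export, "<timestamp> | <message>". Only the wmic.exe
# message comes from the post; timestamps and the second rule are made up.
WMIC = MSG.format(r"C:\WINDOWS\System32\Wbem\wmic.exe",
                  "{1016bbe0-a716-428b-822e-5e544b6a3155}", "Wmic.exe")
OTHER = MSG.format(r"C:\Users\alice\Desktop\tool.exe",
                   "{00000000-0000-0000-0000-000000000000}", r"C:\Users\alice\Desktop")
SAMPLE = "\n".join([
    "2020-05-04T08:01:10 | " + WMIC,
    "2020-05-04T08:01:12 | " + WMIC,
    "2020-05-04T08:03:40 | " + WMIC.replace("WINDOWS", "Windows"),
    "2020-05-04T08:04:00 | Unrelated Application log entry.",
    "2020-05-04T09:20:05 | " + OTHER,
    "2020-05-04T14:30:00 | " + WMIC,
])

def parse_blocks(text):
    """Return one dict per SRP path-rule block line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        stamp, sep, message = line.partition(" | ")
        m = SRP_BLOCK.search(message.strip())
        if sep and m:
            events.append({"time": datetime.fromisoformat(stamp),
                           "target": m["target"].lower(),  # Windows paths ignore case
                           "rule": m["rule"].lower(), "rule_path": m["rule_path"]})
    return events

def bursts(events, gap=timedelta(minutes=5)):
    """Per target, merge blocks at most `gap` apart into (first, last, count)."""
    runs = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        r = runs[ev["target"]]
        if r and ev["time"] - r[-1][-1] <= gap:
            r[-1].append(ev["time"])
        else:
            r.append([ev["time"]])
    return {t: [(x[0], x[-1], len(x)) for x in r] for t, r in runs.items()}
```

The message does not name the calling process, so the burst times returned by `bursts(parse_blocks(SAMPLE))` are what you compare against installer, repair or updater activity.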
 
Someone made a video clip about H_C in French (I think):



I am not sure why the author disabled SmartScreen in Explorer?


Yes, in French. I think he may have disabled RAS by accident because it was a video demonstration of H_C's features and not a test.
 
Hard_Configurator beta ver. 5.0.0.1
The installation executables are accepted by SmartScreen and whitelisted by WD and Avast. I have also sent them for whitelisting to Bitdefender, Emsisoft, and Norton.

The new version includes some important changes in Recommended Settings on Windows 8+. These changes make H_C twice as convenient (probably more) and still, the user has 99% of the old H_C security. The old Recommended Settings are included in H_C profiles as Strict_Recommended_Settings.

In Recommended Settings on Windows 8+, most applications can now auto-update and most new application installations in UserSpace do not require whitelisting. The application installation is the same on an Admin account and on SUA.
The user can see the difference when installing applications from CD/DVD drives, CD/DVD images, and other non-standalone installers. In such cases, the protection should be temporarily switched off via the SwitchDefaultDeny tool.

This is a working beta. Please let me know if there will be any problem.
 
The full changelog:
Version 5.0.0.1
  1. The new version of ConfigureDefender 2.1.1.1
    Extended the maximal number of entries in the Log to 300.
    Corrected a bug related to the error when "Defender Security Log" is empty. Removed event Id=1117 from Defender Security Log.
    Extended the "Cloud Time Check Limit" in <HIGH Protection Level> from 10s to 20s.
  2. The new version of FirewallHardening 1.0.1.1
    Added curl.exe to FirewallHardening LolBins, and curl.exe, certutil.exe to FirewallHardening 'Recommended H_C' rules. Removed the bug related to displaying the last blocked event.
  3. The new version of DocumentsAntiExploit tool - improved/corrected the Outlook macro protection.
  4. The new version of SwitchDefaultDeny 2.0.0.1 - adjusted to work with <Update Mode>.
  5. Changed the name of the H_C option <Run As SmartScreen> to <Forced SmartScreen>.
  6. Changed the name "Run As SmartScreen" (of the entry in the Explorer context menu) to "Install By SmartScreen".
  7. Added prevention against SmartScreen DLL hijacking (included in "Install By SmartScreen" and "Run By SmartScreen").
  8. Added three new options <Update Mode>, <Harden Archivers>, and <Harden Email Clients>.
    *** The <Update Mode> allows the execution of EXE (TMP) and MSI files in ProgramData and AppData folders. These folders are hidden for the users in the Explorer default settings.
    *** The <Harden Archivers> and <Harden Email Clients> support the <Update Mode> to prevent bypassing the Hard_Configurator Recommended Settings. The setting <Update Mode> = ON is added to the H_C Recommended Settings on Windows 8+, which allows the applications to auto-update without losing much of the H_C protection.
    *** The <Update Mode> = ON setting still blocks the EXE (TMP) and MSI files in other folders from UserSpace like: Desktop, Documents, Downloads, Music, Movies, Pictures, non-system partitions, and USB drives. The user has to use the "Install By SmartScreen" entry to run standalone application installers.
  9. Added some new H_C setting profiles. For example:
    Windows_8_Strict_Recommended_Settings
    Windows_10_Strict_Recommended_Settings
    They apply for Recommended Settings used in H_C 5.0.0.0 and prior versions, which did not use the <Update Mode> feature.
  10. Whitelisted the folder ImplicitAppShortcuts (only for shortcuts).
  11. Whitelisted the shortcuts in the user Desktop, when the Desktop location is redirected. This can happen when the user chooses the Desktop backup in OneDrive or manually changes the path to the Desktop. After changing the path to the user Desktop, it is required to sign off from the account or refresh the Explorer. After that, the shortcuts on the Desktop in the new location will be automatically whitelisted.
  12. Added to the H_C manual many details related to Recommended Settings and Avast profiles, which can now use the <Update Mode> feature.
 
The funny thing about the new version is that if @askalan had tested this version one year ago, the results could probably have been even better.

The only sample which bypassed SmartScreen App Rep (and so H_C) in five months of testing (January - May 2019) would probably be mitigated. Simply, in the test from the year 2019, the RunAsSmartScreen was used, which ran the malicious file with high privileges after the SmartScreen check. The malware could use scripting to infect the computer.

The new Recommended Settings on Windows 8+ use InstallBySmartScreen which runs the executable (EXE, MSI) with standard rights and still, H_C can block/restrict scripting.
 
Hello. It seems like Norton also whitelisted the executable.

Image 1.jpg


"De confianza" means "Trusted"
 
Norton has probably whitelisted it after my request, but I did not get the confirmation by email. Kaspersky whitelisted H_C without my request, probably due to the trusted certificate - similarly to SmartScreen App Rep.
 
Adding one more thing in addition to my previous comment. I just noticed the firewall hardening rules show it has created a block rule, which is expected of course, but why does the explorer window that opens after clicking Add Rule say "Select the files to be whitelisted" above! :unsure:
 
Andy, manually adding firewall rules from firewall hardening tool is not working. It's not a bug of the beta version because I remember this happened before too. What could be the issue here?
Rules added from Windows Firewall itself work as expected.
The added rules work for me (computer restart is required to apply the new rules). The rules are added first at the end of the list, but after restarting the computer and running FirewallHardening, the rules are visible in alphabetical order:
FirewallAdd.png

But, I noticed for the first time that some blocked connections are not logged, if they do not try to send packets.
For example, I added the rules for three email clients (Claws-mail, eM Client, and Postbox). The blocked events for two email clients were added to the Log. But, not for eM Client which was blocked too (I tried to download an attachment without success).
 
Adding one more thing in addition to my previous comment. I just noticed the firewall hardening rules show it has created a block rule, which is expected of course, but why does the explorer window that opens after clicking Add Rule say "Select the files to be whitelisted" above! :unsure:
Thanks. The code was copied from H_C and adjusted to FirewallHardening. I did not notice it. :(