Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy, I am getting a few of these lately
Code:
Access to C:\WINDOWS\System32\Wbem\wmic.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3155} placed on path Wmic.exe.
Any idea what might be trying to use Wmic?
Is it possibly connected to Office 365?
Because Office stopped working this morning, I am in the middle of an online repair of it right now.
Maybe it uses Wmic to validate itself, or something?
It is Office 365 ProPlus.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Andy, I am getting a few of these lately
Code:
Access to C:\WINDOWS\System32\Wbem\wmic.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3155} placed on path Wmic.exe.
Any idea what might be trying to use Wmic?
Is it possibly connected to Office 365?
Because Office stopped working this morning, I am in the middle of an online repair of it right now.
Maybe it uses Wmic to validate itself, or something?
It is Office 365 ProPlus.
Sometimes, the wmic.exe is used in scripts to uninstall MS Office applications, for example:
wmic product where name ="<PROGRAM NAME HERE>" call uninstall /nointeractive

It can be also useful to get information about the system and installed applications, updates, etc.:
Code:
wmic product where "Name like '%office%'" get Name, IdentifingNumber, PackageName, Vendor 
wmic qfe list > InstalledUpdatesList.txt
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Sometimes, the wmic.exe is used in scripts to uninstall MS Office applications, for example:
wmic product where name ="<PROGRAM NAME HERE>" call uninstall /nointeractive

It can be also useful to get information about the system and installed applications, updates, etc.:
Code:
wmic product where "Name like '%office%'" get Name, IdentifingNumber, PackageName, Vendor
wmic qfe list > InstalledUpdatesList.txt
Ah, yes, I uninstalled and reinstalled Office, so that must have been it. Thanks!
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Hard_Configurator beta ver. 5.0.0.1
The installation executables are accepted by SmartScreen and whitelisted by WD and Avast. I have sent them for whitelisting also to Bitdefender, Emsisoft, and Norton.

The new version includes some important changes in Recommended Settings on Windows 8+. These changes make H_C twice as convenient (probably more) and still, the user has 99% of the old H_C security. The old Recommended Settings are included in H_C profiles as Strict_Recommended_Settings.

In Recommended Settings on Windows 8+, most applications can now auto-update and most new application installations in UserSpace do not require whitelisting. The application installation is the same on Admin account and on SUA.
The user can see the difference when installing applications from CD/DVD drives, CD/DVD images, and other non-standalone installers. In such cases, the protection should be temporarily switched off via SwitchDefaultDeny tool.

This is a working beta. Please let me know if there will be any problem.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
The full changelog:
Version 5.0.0.1
  1. The new version of ConfigureDefender 2.1.1.1
    Extended the maximal number of entries in the Log to 300.
    Corrected a bug related to the error when "Defender Security Log" is empty. Removed event Id=1117 from Defender Security Log.
    Extended the "Cloud Time Check Limit" in <HIGH Protection Level> from 10s to 20s.
  2. The new version of FirewallHardening 1.0.1.1
    Added curl.exe to FirewallHardening LolBins, and curl.exe, certutil.exe to FirewallHardening 'Recommended H_C' rules. Removed the bug related to displaying the last blocked event.
  3. The new version of DocumentsAntiExploit tool - improved/corrected the Outlook macro protection.
  4. The new version of SwitchDefaultDeny 2.0.0.1 - adjusted to work with <Update Mode>.
  5. Changed the name of the H_C option <Run As SmartScreen> to <Forced SmartScreen>.
  6. Changed the name "Run As SmartScreen" (of the entry in the Explorer context menu) to "Install By SmartScreen".
  7. Added prevention against SmartScreen DLL hijacking (included in "Install By SmartScreen" and "Run By SmartScreen").
  8. Added three new options <Update Mode>, <Harden Archivers>, and <Harden Email Clients>.
    *** The <Update Mode> allows the execution of EXE (TMP) and MSI files in ProgramData and AppData folders. These folders are hidden for the users in the Explorer default settings.
    *** The <Harden Archivers> and <Harden Email Clients> support the <Update Mode> to prevent bypassing the Hard_Configurator Recommended Settings. The setting <Update Mode> = ON is added to the H_C Recommended Settings on Windows 8+, which allows the applications to auto-update without losing much of the H_C protection.
    *** The <Update Mode> = ON setting still blocks the EXE (TMP) and MSI files in other folders from UserSpace like: Desktop, Documents, Downloads, Music, Movies, Pictures, non-system partitions, and USB drives. The user has to use "Install By SmartScreen" entry to run standalone application installers.
  9. Added some new H_C setting profiles. For example:
    Windows_8_Strict_Recommended_Settings
    Windows_10_Strict_Recommended_Settings
    They apply for Recommended Settings used in H_C 5.0.0.0 and prior versions, which did not use the <Update Mode> feature.
  10. Whitelisted the folder ImplicitAppShortcuts (only for shortcuts).
  11. Whitelisted the shortcuts in the user Desktop, when the Desktop location is redirected. This can happen when the user chooses the Desktop backup in OneDrive or manually changes the path to the Desktop. After changing the path to the user Desktop, it is required to sign off from the account or refresh the Explorer. After that, the shortcuts on the Desktop in the new location will be automatically whitelisted.
  12. Added to the H_C manual many details related to Recommended Settings and Avast profiles, which can use now the <Update Mode> feature.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
The funny thing about the new version is that If @askalan would test this version one year ago, then the results could be probably even better.

The only one sample which bypassed SmartScreen App Rep (and so H_C) in five months of testing (January - May 2019) would be probably mitigated. Simply, in the test from the year 2019, the RunAsSmartScreen was used, which ran the malicious file with high privileges after the SmartScreen check. The malware could use scripting to infect the computer.

The new Recommended Settings on Windows 8+ use InstallBySmartScreen which runs the executable (EXE, MSI) with standard rights and still, H_C can block/restrict scripting.
 
Last edited:

gonza

Level 2
Sep 10, 2019
63
Hello. It seems like Norton also whitelisted the executable.

Image 1.jpg


"De confianza" means "Trusted"
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Norton has probably whitelisted it after my request, but I did not get the confirmation by email. Kaspersky whitelisted H_C without my request, probably due to the trusted certificate - similarly as SmartScreen App Rep.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,872
Andy, manually adding firewall rules from firewall hardening tool is not working. It's not a bug of the beta version because I remember this happened before too. What could be the issue here?
Rules added from Windows Firewall itself works as expected.
1.PNG
 
Last edited:

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,872
Adding one more thing in addition to my previous comment. I just noticed the firewall hardening rules shows it has created a block rule which is expected of course but why does the explorer window that opens after clicking Add Rule says "Select the files to be whitelisted" above! :unsure:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Andy, manually adding firewall rules from firewall hardening tool is not working. It's not a bug of the beta version because I remember this happened before too. What could be the issue here?
Rules added from Windows Firewall itself works as expected.
View attachment 234538
The added rules work for me (computer restart is required to apply the new rules). The rules are added first at the end of the list, but after restarting the computer and running FirewallHardening, the rules are visible in alphabetical order:
FirewallAdd.png

But, I noticed for the first time that some blocked connections are not logged, if they do not try to send packets.
For example, I added the rules for three email clients (Claws-mail, eM Client, and Postbox). The blocked events for two email clients were added to the Log. But, not for eM Client which was blocked too (I tried to download an attachment without success).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Adding one more thing in addition to my previous comment. I just noticed the firewall hardening rules shows it has created a block rule which is expected of course but why does the explorer window that opens after clicking Add Rule says "Select the files to be whitelisted" above! :unsure:
Thanks. The code was copied from H_C and adjusted to FirewallHardening. I did not notice it.:(
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top