5

509322

Thanks for the confirmation.:) I was afraid specially of breaking Windows updates. They can break easily, and sometimes, it is hard to find the fix.
Don't restrict msiexec.exe (it is on Florian's old lists).

You can restrict wusa.exe for home Windows versions (the command line Windows Update utility - it is on Florian's oldest list).

The last time that I saw Windows Update use an interpreter was the GWX Windows 10 Upgrade utility; it used powershell.

powershell is used when installing (but not updating) a small number of softs like Microsoft Office and DropBox.

The rationale for items that Florian removes from his list:

1. disabling them caused too many issues (very rare, and even then not always the case); and\or
2. rarely abused
3. with everything else on the list disabled, there is very little to almost no probability of persistent infection

SRP that disables the bulk of vulnerable processes on home versions of Windows, very little to no problem. On a test system I have 99% of them disabled and only run into to one being blocked once in a great while. Most of the stuff just is not used on a routine basis.

The incidence of blockages increases with the number of software installed on a system. However, something being blocked is not critical as it can be allowed temporarily or permanently as needed. Disabling the stuff that we are talking about does not kill Windows.
 
Last edited by a moderator:
5

509322

Thanks for the confirmation.:) I was afraid specially of breaking Windows updates. They can break easily, and sometimes, it is hard to find the fix.
Just by looking at it I know Florian's list breaks Windows Updates on Windows Server versions, but you need not worry about it.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
I use the blacklist from May 2017 (there are not wusa.exe and msiexec.exe on it).
I think that updates should bypass SRP in Hard_Configurator settings, so even blocking msiexec.exe, should not break Windows updates. I will test this today on Vista 32-bit.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
I made the test with blocked executables from the Bouncer Blacklist (including msiexec.exe and wusa.exe) on Windows Vista 32-bit (installed on VirtualBox):

Vista installed > Hard_Configurator installed (Block Sponsors) > Updated > SP1> Updated > SP2 > Updated

With the above (maximum) Hard_Configurator settings the Windows was updated (171 updates). All updates were installed successfully. SRP blocked only one executable from the Bouncer blacklist (four times, without any visible issues): regsvr32.exe.

As I mentioned in my previous post, msiexec.exe and many more system executables can safely bypass Hard_Configurator SRP settings, because they are running elevated. Only processes starting with medium (or lower) integrity level are stopped by such configured SRP.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
Hi Andy,
since the tests seem to run fine...do you already know when the update of HC will arrive? :)
I am working on a video clip about changes between versions 3.0.1.0 and 3.0.0.1.
There are some important changes (blocked Sponsors, configuration profiles). I would publish a beta version in July, but it seems to me that it would be better to publish a complete version (in September maybe). I must rethink a backup of Hard_Configurator settings, when someone wants to make a fresh Windows installation.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
@Andy Ful: Thank you very much for the update!

If you need betatester just let me / us know ;)
Thanks. Independent tests are very important.
I will prepare the beta version. It has to be sent first to Microsoft, because Windows Defender behavior monitoring and other heuristics, will soon think that it is a malware program. I think that I could finally upload the Hard_Configurator v.3.0.1.0 beta to GitHub in the next week.:)
The video about the new version will be finished tomorrow.
 
Last edited:

Andy Ful

Level 60
Verified
Trusted
Content Creator
I found a detection error on Emsisoft related webpage:
log.exe Details. Is this file safe? Check the directory
The detection is for Nirsoft nircmdc.exe v.2.81, and it is recognized as a malware.
On VirusTotal the same file is detected by Emsisoft as clean:
Antivirus scan for 12459a5e9afdb2dbff685c8c4e916bb15b34745d56ef5f778df99416d2749261 at 2017-08-03 16:20:51 UTC - VirusTotal
I downloaded the original file from NirSoft webpage, and uploaded to VirusTotal. The SHA-1 and MD5 hashes were identical with those from log.exe Details. Is this file safe? Check the directory. So, I submited this file to Emsisoft as a false positive.
Unfortunately, Hard_Configurator installers contain this (most actual) version of nircmdc.exe, so also Hard_Configurator installers are recognized on "http://www.isthisfilesafe.com" as Not Trusted.:(
Of course, on VirusTotal, the Emsisoft detection of Hard_Configurator beta 3.0.1.0 installers is clean.
 
Last edited:

Andy Ful

Level 60
Verified
Trusted
Content Creator
Last edited:
Top