Hard_Configurator - Windows Hardening Configurator

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,173
Simple question @Andy Ful:
Does applying Hard_Configurator's recommended default settings block "Visual Studio Code", and if so, why? Which components are being blocked?
I tried to run Visual Studio Code and got the message "This app is being blocked by your system administrator"; however, this program was running normally under SUA before using Hard_Configurator. Could you explain why this happened?
Edit 1: I just noticed I need to choose Unrestricted as the default security level for the program to run (it didn't run when I chose the Basic User option).
Edit 2: when the default security level is Disallowed and Enforcement is set to No Enforcement, the program runs normally.

Andy Ful

From Hard_Configurator Tools
Thread author
What version of H_C do you use?

DDE_Server

Version 5.0

Andy Ful

Andy, I'm just wondering what a user could do to protect against LOLBin attacks? What are the ones used by more advanced attackers for exploitation/lateral movement? Looking for the more obscure ones that you wouldn't think about but are being used in the wild right now.
LOLBins are usually applied in the later stages of the infection chain. They are mostly introduced via scripting, macros or shortcuts. So, your primary concern should be to block/restrict scripts, macros, script interpreters, and shortcuts. The most popular LOLBins are included in "<Block Sponsors> Enhanced" and "FirewallHardening Recommended_HC".
Some LOLBins should not be blocked on execution, but their outbound connections can be blocked via Firewall rules.

Andy Ful
I do not use Visual Studio, but if it is blocked, then it means that something tries to run from UserSpace.

First use the settings profile Windows_10_MT_Windows_Security_hardening (via the <Load Profile> button). If you use unsigned applications, then set <Validate Admin C.S.> = OFF.
This profile should not block your applications.

Generally, if something is blocked on execution in H_C, you have to look at <Tools> <Blocked Events / Security Logs> (the black button in Tools). It will display the info about the blocked files, including the file paths. Simply whitelist the folder of the blocked file, except if something is blocked in the user Temp folder. You can post the info about the blocked entries here, and then I will help you whitelist them properly.
If an outbound connection is blocked, then use the FirewallHardening <Blocked Events> feature.
If something is blocked/detected by WD, then you can use ConfigureDefender <Defender Security Log> to see the detailed info.

DDE_Server

Validate Admin C.S. is off and Visual Studio Code still couldn't be run unless I set Enforcement to "No" or set the default security level to "Unrestricted". Also, the executable I downloaded was from the official Microsoft website and digitally signed (I only updated it with its built-in updater a few days ago).
I will check the blocked events and notify you.

DDE_Server

Kindly find attached the log file for blocked events, as per your suggestion.
Kindly note that I replaced my user name with a generic one, "User Name", as a privacy concern.

Andy Ful

Did you apply Windows_10_MT_Windows_Security_hardening as I suggested? Please post the info from the Log if something is still blocked.
By setting Enforcement to OFF or Default Security Level to Unrestricted, you allow execution of most files (including EXE, COM, SCR, etc.).

DDE_Server

By "Windows_10_MT_Windows_Security_hardening" do you mean the recommended settings? If that is what you mean, then yes, but I switched off the "hide as administrator" option only.

Andy Ful

Please use the <Load Profile> feature from the main H_C window and apply the changes.

As you can see from the Log, two file paths have to be whitelisted:
...\AppData\Local\Programs\Microsoft VS Code\Code.exe
...\Python projects\Python New Projects\venv\Scripts\activate.bat
You can use <Whitelist By Path> <Add File> to whitelist the blocked entries, but I suspect that there will be more blocked entries because Microsoft VS Code and Python Projects are located in UserSpace. If so, then use <Add Folder> to whitelist the application folders.
You can delete the attachment Log.txt from the previous post.
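One way to do the triage Andy describes above, reading the SRP block log, grouping blocked files by folder, and keeping the user Temp folder off the whitelist. This is an added PowerShell example, not part of the thread or of Hard_Configurator; it assumes SRP writes its "restricted" events (IDs 865-868) to the Application log under provider SoftwareRestrictionPolicies with the blocked path as the first insertion string, and that the Safer CodeIdentifiers registry values map Default Security Level and Enforcement as shown.

```powershell
# Added example (not from the thread or Hard_Configurator). Run in an elevated PowerShell.
function Get-SrpPolicyState {
    # Assumption: H_C's Default Security Level and Enforcement live under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    $level = switch ($p.DefaultLevel) {
        0       { 'Disallowed' }
        131072  { 'Basic User' }    # 0x20000
        262144  { 'Unrestricted' }  # 0x40000
        default { "Unknown ($($p.DefaultLevel))" }
    }
    $enforce = switch ($p.TransparentEnabled) {
        0       { 'No Enforcement' }
        1       { 'All files except DLLs' }
        2       { 'All files' }
        default { "Unknown ($($p.TransparentEnabled))" }
    }
    [pscustomobject]@{ DefaultLevel = $level; Enforcement = $enforce }
}

function Get-SrpBlockedFolders {
    param([int]$Days = 7)
    # Assumption: SRP "restricted" events are IDs 865-868 from this provider.
    $filter = @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'
                 Id = 865, 866, 867, 868; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $tempRoot = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')
    $events | ForEach-Object {
        # First insertion string is the blocked path; fall back to parsing the message.
        $path = $_.Properties[0].Value
        if (-not $path -and $_.Message -match 'Access to (.+?) has been restricted') { $path = $Matches[1] }
        if ($path) {
            [pscustomobject]@{
                Folder = Split-Path -Path $path -Parent
                File   = Split-Path -Path $path -Leaf
                InTemp = $path.StartsWith($tempRoot, 'OrdinalIgnoreCase')
            }
        }
    } | Group-Object Folder | ForEach-Object {
        [pscustomobject]@{
            Folder = $_.Name
            Blocks = $_.Count
            Files  = ($_.Group.File | Sort-Object -Unique) -join ', '
            # Per Andy's advice: never whitelist what runs from the user Temp folder.
            Advice = if ($_.Group[0].InTemp) { 'Do NOT whitelist (user Temp)' } else { 'Candidate for <Add Folder>' }
        }
    }
}

Get-SrpPolicyState
Get-SrpBlockedFolders | Sort-Object Blocks -Descending | Format-Table -AutoSize
```

Folders reported as candidates can then be added through <Whitelist By Path> <Add Folder>; a file blocked under Temp is exactly the case the thread says to leave blocked and investigate instead.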

DDE_Server

OK, thanks a lot Andy, I will whitelist them.

DDE_Server

First use the settings profile Windows_10_MT_Windows_Security_hardening (via the <Load Profile> button). If you use unsigned applications, then set <Validate Admin C.S.> = OFF.
Unfortunately I cannot use this profile, as some software requires administrative privileges during installation and updates and isn't digitally signed, but is trusted and verified using a hash, such as qBittorrent.

Andy Ful

You can. Simply change <Validate Admin C.S.> to OFF. This profile is similar to Recommended Settings, except that it whitelists EXE files and blocks three LOLBins.

Andy Ful

Ooh OK, but why is "Block shell script" OFF in this profile??
What is "shell script"? PowerShell is restricted by SRP to Constrained Language Mode, but you can also set <Block PowerShell Scripts> = ON (if you do not use PowerShell scripts).

See you tomorrow (I am going to sleep). 🙂

DDE_Server

OK, I'm reading the manual right now to understand, but in any case it is a great piece of software which really expresses deep knowledge of the Windows OS components. Thanks a lot Andy.