Thanks Andy, that was exactly what I wanted to know. I just needed a yes/no answer (for novice+ users) to see if my logic was totally off.
Have a nice weekend and thanks for your kind help
> Andy, I'm just wondering what a user could do to protect against LOLBins attacks?

Enable Hard_Configurator feature for that?!

> Simple question @Andy Ful
> Does applying Hard_Configurator's recommended default settings block "Visual Studio Code"? If so, why? Which components are being blocked?
> I tried to run Visual Studio Code and got the message "This app is being blocked by your system administrator". However, this program was running normally under SUA before using Hard_Configurator. Could you explain why this happened??
> Edit 1: I just noticed I need to choose Unrestricted as the default security level for the program to run (it didn't run when I chose the Basic User option).
> Edit 2: When the default security level is Disallowed and Enforcement is set to No Enforcement, the program runs normally.

What version of H_C do you use?

> Andy, I'm just wondering what a user could do to protect against LOLBins attacks? What are the ones used by more advanced attackers for exploitation/lateral movement? Looking for the more obscure ones that you wouldn't think about but are being used in the wild right now.

LOLBins are usually applied in the later stages of the infection chain. They are mostly introduced via scripting, macros or shortcuts. So, your primary concern should be to block/restrict scripts, macros, script interpreters, and shortcuts. The most popular LOLBins are included in "<Block Sponsors> Enhanced" and "FirewallHardening Recommended_HC".

> Simple question @Andy Ful
> Does applying Hard_Configurator's recommended default settings block "Visual Studio Code"? If so, why? Which components are being blocked?
> ...

I do not use Visual Studio, but if it is blocked then it means that something tries to run from UserSpace.

> I do not use Visual Studio, but if it is blocked then it means that something tries to run from UserSpace.
> Use first the setting profile Windows_10_MT_Windows_Security_hardening (via <Load Profile> button). If you use unsigned applications then set <Validate Admin C.S.> = OFF.
> This profile should not block your applications.
> Generally, if something is blocked in H_C you have to look at <Tools> <Blocked Events / Security Logs> (black button in Tools). You can see there the blocked file paths. Simply whitelist the folder of the blocked file, except if something is blocked in the user Temp folder. You can post here the info about the blocked entries, and then I can help you to whitelist them properly.

Validate Admin C.S. is off and Visual Studio Code still couldn't be run unless I set Enforcement to "No" or set the default security level to "Unrestricted". Also, the executable I downloaded was from Microsoft's official website and digitally signed (I only updated it with its built-in updater a few days ago).

> I do not use Visual Studio, but if it is blocked then it means that something tries to run from UserSpace.
> Use first the setting profile Windows_10_MT_Windows_Security_hardening (via <Load Profile> button). If you use unsigned applications then set <Validate Admin C.S.> = OFF.
> This profile should not block your applications.
> Generally, if something is blocked on execution in H_C you have to look at <Tools> <Blocked Events / Security Logs> (black button in Tools). It will display the info about the blocked files, including the file paths. Simply whitelist the folder of the blocked file, except if something is blocked in the user Temp folder. You can post here the info about the blocked entries, and then I will help you to whitelist them properly.
> If the outbound connection is blocked, then use the FirewallHardening <Blocked Events> feature.
> If something is blocked/detected by WD, then you can use ConfigureDefender <Defender Security Log> to see the detailed info.

Kindly find the attached log file for blocked events, as per your suggestion.

> Validate Admin C.S. is off and Visual Studio Code still couldn't be run unless I set Enforcement to "No" or set the default security level to "Unrestricted". Also, the executable I downloaded was from Microsoft's official website and digitally signed (I only updated it with its built-in updater a few days ago).
> I will check blocked events and notify you.

Did you apply Windows_10_MT_Windows_Security_hardening as I suggested? Please post the info from the Log if something is still blocked.

> Did you apply Windows_10_MT_Windows_Security_hardening as I suggested? Please post the info from the Log if something is still blocked.

By "Windows_10_MT_Windows_Security_hardening" do you mean the recommended settings? If that is what you mean, then yes, but I switched off the "hide as administrator" option only.

> By "Windows_10_MT_Windows_Security_hardening" do you mean the recommended settings? If that is what you mean, then yes, but I switched off the "hide as administrator" option only.

By setting Enforcement to OFF or Default Security Level to Unrestricted, you allow execution of most files (including EXE, COM, SCR, etc.).
Please, use the <Load Profile> feature from the main H_C window and apply changes.

> As you can see from the Log, two file paths have to be whitelisted:
> ...\AppData\Local\Programs\Microsoft VS Code\Code.exe
> ...\Python projects\Python New Projects\venv\Scripts\activate.bat
> You can use <Whitelist By Path> <Add File> to whitelist the blocked entries, but I suspect that there will be more blocked entries because Microsoft VS Code and Python Projects are located in UserSpace. If so, then use <Add Folder> to whitelist application folders.
> You can delete the attachment Log.txt from the previous post.

OK, thanks a lot Andy, I will whitelist them.

> Use first the setting profile Windows_10_MT_Windows_Security_hardening (via <Load Profile> button). If you use unsigned applications then set <Validate Admin C.S.> = OFF.

Unfortunately I cannot use this profile, as some software requires administrative privileges during installation and update and isn't digitally signed, but is trusted and verified using a hash, such as qBittorrent.

> Unfortunately I cannot use this profile, as some software requires administrative privileges during installation and update and isn't digitally signed, but is trusted and verified using a hash, such as qBittorrent.

You can. Simply change <Validate Admin C.S.> to OFF. This profile is similar to Recommended Settings, except that it whitelists EXE files and blocks three LOLBins.

> You can. Simply change <Validate Admin C.S.> to OFF.

Ooh, OK, but why is Block shell script OFF in this profile??

> Ooh, OK, but why is Block shell script OFF in this profile??

What is "shell script"? PowerShell is restricted by SRP to Constrained Language Mode, but you can also set <Block PowerShell Scripts> = ON (if you do not use PowerShell scripts).

> What is "shell script"? PowerShell is restricted by SRP to Constrained Language Mode, but you can also set <Block PowerShell Scripts> = ON (if you do not use PowerShell scripts).

OK, I'm reading the manual right now to understand, but in any case it is a great piece of software which really expresses deep knowledge of Windows OS components. Thanks a lot Andy.
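The thread turns on three Software Restriction Policies (SRP) settings that Hard_Configurator manages: the Default Security Level (Disallowed / Basic User / Unrestricted), Enforcement, and the path rules created by <Whitelist By Path>, plus the UAC code-signature check behind <Validate Admin C.S.> and the PowerShell Constrained Language Mode that SRP triggers. The script below is an added example written for this page; it is not code from the thread, from Andy Ful or from Hard_Configurator. It reads those settings from the registry, lists the path rules, and estimates how SRP would treat a given file path, which is the same question a user asks when reading the <Blocked Events / Security Logs> output. Assumptions: the policy lives in the standard Safer key under HKLM (where Windows itself reads SRP), rule precedence is approximated as "longest matching path rule wins" (a simplification of SRP's real ordering, in which hash and certificate rules also take part), registry-path rules such as %HKEY_LOCAL_MACHINE\...% are skipped, and the two sample paths are constructed stand-ins modelled on the log entries quoted above, not the poster's real paths.

```powershell
# Added example, not part of the thread or of Hard_Configurator.
# Audits the SRP policy H_C writes and estimates how a file path would be treated.
# Assumption: the policy is stored in the standard Safer key under HKLM.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels: used both as the DefaultLevel value and as the subkey name of each rule set
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
# TransparentEnabled: 0 = no enforcement, 1 = all files except DLLs, 2 = all files including DLLs
$EnforcementNames = @{ 0 = 'No Enforcement'; 1 = 'All files except DLLs'; 2 = 'All files including DLLs' }

function Get-SrpSummary {
    if (-not (Test-Path $SaferKey)) { return $null }   # no SRP policy configured at all
    $ci  = Get-ItemProperty -Path $SaferKey
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    # An absent DefaultLevel means the Windows default (Unrestricted); an absent TransparentEnabled means not enforced
    $level   = if ($null -ne $ci.DefaultLevel)       { [int]$ci.DefaultLevel }       else { 262144 }
    $enforce = if ($null -ne $ci.TransparentEnabled) { [int]$ci.TransparentEnabled } else { 0 }
    [pscustomobject]@{
        DefaultLevel    = $LevelNames[$level]
        Enforcement     = $EnforcementNames[$enforce]
        PolicyScope     = if ($ci.PolicyScope -eq 1) { 'All users except administrators' } else { 'All users' }
        ExecutableTypes = (@($ci.ExecutableTypes) -join ', ')          # extensions SRP treats as executable
        ValidateAdminCS = if ($uac.ValidateAdminCodeSignatures -eq 1) { 'ON' } else { 'OFF' }   # UAC: only elevate signed executables
        PSLanguageMode  = $ExecutionContext.SessionState.LanguageMode  # ConstrainedLanguage when SRP restricts PowerShell
    }
}

function Get-SrpPathRules {
    # Path rules live under <SaferKey>\<level>\Paths\{GUID}, with the path in the ItemData value
    foreach ($level in 0, 131072, 262144) {
        $pathsKey = Join-Path $SaferKey "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath      # REG_EXPAND_SZ paths are expanded by the provider
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                Path        = [string]$rule.ItemData
                Description = [string]$rule.Description
            }
        }
    }
}

function Test-SrpPath {
    # Simplified model: the longest matching path rule decides; otherwise the default level applies
    param([string]$FilePath, [object[]]$Rules, [string]$DefaultLevel)
    $best = $null
    foreach ($r in $Rules) {
        $pattern = $r.Path.TrimEnd('\')
        if ($pattern -like '%HKEY_*') { continue }   # registry-path rules are not resolved in this model
        # Wildcard rules are matched as patterns; plain rules match the file itself or anything below that folder
        $hit = if ($pattern.Contains('*') -or $pattern.Contains('?')) {
            $FilePath -like $pattern
        } else {
            ($FilePath -eq $pattern) -or $FilePath.ToLowerInvariant().StartsWith($pattern.ToLowerInvariant() + '\')
        }
        if ($hit -and ($null -eq $best -or $pattern.Length -gt $best.Path.TrimEnd('\').Length)) { $best = $r }
    }
    if ($best) { return "$FilePath -> $($best.Level) (matched rule: $($best.Path))" }
    return "$FilePath -> $DefaultLevel (no path rule matched; default security level applies)"
}

$summary = Get-SrpSummary
if ($null -eq $summary) { Write-Output 'No SRP policy found under the Safer key.'; return }
$summary | Format-List
$rules = @(Get-SrpPathRules)
$rules | Sort-Object Level, Path | Format-Table -AutoSize

# Constructed sample paths modelled on the two blocked log entries quoted in the thread (not the real ones)
$samples = @(
    'C:\Users\Example\AppData\Local\Programs\Microsoft VS Code\Code.exe',
    'C:\Users\Example\Python projects\Python New Projects\venv\Scripts\activate.bat'
)
foreach ($s in $samples) { Test-SrpPath -FilePath $s -Rules $rules -DefaultLevel $summary.DefaultLevel }
```

Run it from a PowerShell prompt on the machine where H_C is applied. With Enforcement at "No Enforcement" or Default Security Level at Unrestricted the summary shows directly why the blocked application started running, and after a folder is whitelisted via <Add Folder> the new Unrestricted rule appears in the rule table and the matching sample path flips from the default level to Unrestricted. The script deliberately uses only core cmdlets and string methods, without .NET static calls, so it also runs when SRP has placed PowerShell in Constrained Language Mode.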