Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I use the term "scripts" for files and "command-lines with script Interpreters" for fileless scripting. [/CODE]
Thanks. I was asking due to the comparison with VoodooShield, in the context of which you mentioned that H_C will probably stop the scripts before VS gets a chance to handle them. That makes perfect sense to me as regards script files. But it puzzles me as regards fileless scripting, because the recommended settings of H_C don't block script interpreters per se.
@Gandalf_The_Grey,
The discussion about H_C is probably off-topic. If you want we can move some posts to the H_C thread.
Maybe we can ask a mod to move the posts? There are a lot of them, containing valuable discussion about H_C, and I think the H_C thread is where it belongs.

By the way, the names for the configs make sense to me. But they do require some previous knowledge.
Idea: give them a strictness rating. The most lenient config is 1, and the strictest is 10.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,594
@Andy Ful

So you have 3 basic configurations, each with an enhancement making it 6 variations for each OS (Windows 7 Windows 8 & Windows 10). I would keep it clean and drop all other versions.
There are some special configs for Avast and for SUA lockdown. The H_C setting profiles for Avast require some knowledge about SRP, CyberCapture and Hardened Aggressive Mode, so I made the predefined configs.

The setups for Windows Vista are the same as for Windows 7, and the setups for Windows 8.1 are the same as for Windows 8. That is why the names of setups start with Windows_7..., Windows_8..., Windows_10....

The name Recommended Settings means that these settings can apply similar protection on different Windows versions. It means that Recommended Settings on Windows 7 will have more restrictive SRP settings as compared to Windows 10. Simply SRP has to cover more on Windows 7, because Windows 7 has fewer security features as compared to Windows 10.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,594
Thanks. I was asking due to the comparison with VoodooShield, in the context of which you mentioned that H_C will probably stop the scripts before VS gets a chance to handle them. That makes perfect sense to me as regards script files. But it puzzles me as regards fileless scripting, because the recommended settings of H_C don't block script interpreters per se.
The fileless anti-scripting protection is applied in H_C by SRP (PowerShell works in Constrained Language Mode), <Block Sponsors>, <Protect Shortcuts>, <FirewallHardening>, <ConfigureDefender>.
By the way, the names for the configs make sense to me. But they do require some previous knowledge.
Idea: give them a strictness rating. The most lenient config is 1, and the strictest is 10.
You forgot that other H_C settings, ConfigureDefender and FirewallHardening can add to the strictness.
If you will define the strictness as chances to block something that the user would not want to block, then on Windows 10 (RS is always the base of calculations):
RS = 2, Basic = -1, Strict = +2, Enhanced =+1, CD HIGH = +1, CD MAX =+ 4, FirewallHardening (FH)= +1 or +2, other H_C hardening +1 or +2.

For example:
Basic_Recommended = -1 + 2 = 1
Basic_Recommended_Enhanced = -1 + 2 + 1 = 2
Recommended = 2
Basic_Recommended + CD HIGH + FH (H_C recommended) = -1 + 2 + 1 + 1 = 3
Recommended + CD HIGH + FH (H_C recommended) = 2 + 1 + 1 = 4
Strict_Recommended_Enhanced = 2 + 2 + 1 = 5
Basic_Recommended + CD MAX = -1 + 2 + 4 = 5
etc.
 
Last edited:

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Because I studied webdesign/digital marketing I am always called (in our family) when somebody messes up his/her PC or wants a cheap Microsoft Office version installed (digital Office license). I hope an all Microsoft setup (now including Edge-chromium) reduces the chance of being called for help.

Since 2019 every family member having problems or came to ask to setup a new Laptop/PC, I use the configuration below

1. Hard_configurator setting:
- default deny for basic user (allow admin) except dll, exe, msi, msp, msu and tmp (in all user folders).
- designated (protected) file types the default plus powershell minus above file extensions
- enhanced blocked sponsors set (25 in total).
- protect windows folders and shortcuts
- enabled shell extension security and anti-exploit set to block Adobe + VBA
- disabled remote access, 16 bits and SMB1
- powershell script block and windows script host block both off
- validate Admin Code Signature, Run as Admin, Run as Smartscreen all off

2. ConfigureDefender set to MAX and Protected Folders OFF

3. Firewall Hardening blocking Office programs only

At least 7 PC's are setup this way and I have never been called for problems. So even with risk value of 5, most average PC users (using programs in stead of installing and trailing programs) are probably good to go. (y)(y)(y) (thanks to @Andy Ful)

Note: I have same H_C and FH config on my girlfriend's laptop with Kaspersky Free and I never heard her complain about anything either.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The fileless anti-scripting protection is applied in H_C by SRP (PowerShell works in Constrained Language Mode), <Block Sponsors>, <Protect Shortcuts>, <FirewallHardening>, <ConfigureDefender>.

You forgot that other H_C settings, ConfigureDefender and FirewallHardening can add to the strictness.
If you will define the strictness as chances to block something that the user would not want to block, then on Windows 10 (RS is always the base of calculations):
RS = 2, Basic = -1, Strict = +2, Enhanced =+1, CD HIGH = +1, CD MAX =+ 4, FirewallHardening (FH)= +1 or +2, other H_C hardening +1 or +2.

For example:
Basic_Recommended = -1 + 2 = 1
Basic_Recommended_Enhanced = -1 + 2 + 1 = 2
Recommended = 2
Basic_Recommended + CD HIGH + FH (H_C recommended) = -1 + 2 + 1 + 1 = 3
Recommended + CD HIGH + FH (H_C recommended) = 2 + 1 + 1 = 4
Strict_Recommended_Enhanced = 2 + 2 + 1 = 5
Basic_Recommended + CD MAX = -1 + 2 + 4 = 5
etc.
Can't argue with arithmetic! :)
Really what I was suggesting was a way for someone who clicks on the "load profile" button to easily evaluate what he is seeing. If the options presented there would have some kind of color code or number code, the user could just choose a config on that basis.
Alternatively, they could be assigned a paranoia rating: ultra lenient, very lenient, slightly lenient, standard, slightly paranoid, very paranoid, ultra paranoid.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,594
Can't argue with arithmetic! :)
Really what I was suggesting was a way for someone who clicks on the "load profile" button to easily evaluate what he is seeing. If the options presented there would have some kind of color code or number code, the user could just choose a config on that basis.
Alternatively, they could be assigned a paranoia rating: ultra lenient, very lenient, slightly lenient, standard, slightly paranoid, very paranoid, ultra paranoid.
I think that Basic_Recommended, Recommended, and Strict_Recommended just do a similar thing as lenient, standard, and slightly paranoid. Use all restrictions for ultra paranoid and use only the restrictions from the right H_C panel for ultra lenient. :)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The fileless anti-scripting protection is applied in H_C by SRP (PowerShell works in Constrained Language Mode), <Block Sponsors>, <Protect Shortcuts>, <FirewallHardening>, <ConfigureDefender>.
True, but my experience shows that VoodooShield will still block some scripts that H_C ignores. I see this when I try to print something with my HP printer. I think it is rundll32 that VS is detecting.
I think that Basic_Recommended, Recommended, and Strict_Recommended just do a similar thing as lenient, standard, and slightly paranoid. Use all restrictions for ultra paranoid and use only the restrictions from the right H_C panel for ultra lenient. :)
True.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,594
True, but my experience shows that VoodooShield will still block some scripts that H_C ignores. I see this when I try to print something with my HP printer. I think it is rundll32 that VS is detecting.

True.
It cannot do it, if by scripts you mean files with script extensions, except if the script is whitelisted in H_C. Is your HP software in the whitelisted folders?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It cannot do it, if by scripts you mean files with script extensions, except if the script is whitelisted in H_C. Is your HP software in the whitelisted folders?
Here is from VS whitelist:
Annotation 2020-03-31 182937.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,594
Here is from VS whitelist:
View attachment 235926
These command-lines come from scripts located in whitelisted folders or from Registry keys added by HP software. There is no reason to block them.
The executable rundll32.exe can be also used by exploits, but first, the exploit has to download/extract/drop the malicious DLL payload. The H_C settings (including FirewallHardening) can prevent this in most cases.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
These command-lines come from scripts located in whitelisted folders or from Registry keys added by HP software. There is no reason to block them.
The executable rundll32.exe can be also used by exploits, but first, the exploit has to download/extract/drop the malicious DLL payload. The H_C settings (including FirewallHardening) can prevent this in most cases.
Thanks, Andy. Not sure how practical this is, but Voodooshield should be using you as a consultant. I think they would have less FPs and frustrated users.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
Andy, I am using the basic profile, every time I open the GUI and close it the box pops up asking me to log off even though I have not touched any settings. Is this normal? Thanks.
It's a know issue with the latest beta:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,594
Thanks, Andy. Not sure how practical this is, but Voodooshield should be using you as a consultant. I think they would have less FPs and frustrated users.
I think that VS took a different security approach. It would be hard to change the FPs rate, without diminishing the protection.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,594
Andy, I am using the basic profile, every time I open the GUI and close it the box pops up asking me to log off even though I have not touched any settings. Is this normal? Thanks.
Yes. That is a known minor bug in the newest H_C beta version. H_C shows an unnecessary alert, even when nothing was changed. Please, look at this post:
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-869220

Edit
It seems that @Gandalf_The_Grey posted the above just before me.:)
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Question @Andy Ful

The ConfigureDefender MAX sets the Windows Defender Antivirus Cloud delivered protection to BLOCK all unknown executables. How does this differ from Smartscreen's cloud based protection? My guess is that WD cloud checks all executables while Smartscreen only checks executables with Mark Of The Web. Is that correct? Do you have links to info sources on scope of WD Cloud where this is explained?

As far as I understand this is not explicitely mentioned in the info below.


Other question. Does Configure defender also sets the ad-hoc updates based on cloud protection data?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,594
Question @Andy Ful

The ConfigureDefender MAX sets the Windows Defender Antivirus Cloud delivered protection to BLOCK all unknown executables. How does this differ from Smartscreen's cloud based protection? My guess is that WD cloud checks all executables while Smartscreen only checks executables with Mark Of The Web. Is that correct? Do you have links to info sources on scope of WD Cloud where this is explained?
...
This setting is poorly documented. I think that it can work similarly to Intelligent Security Graph (ISG) integrated with WD Application Control. But, I never tested this. ISG allows application installers if they were checked by SmartScreen. But, in many cases the same application installers will be blocked if SmartScreen was not triggered. ISG uses SmartScreen when file has MOTW, and uses advanced heuristics in the cloud for other files.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top