Hard_Configurator - Windows Hardening Configurator

Andy Ful (thread author, developer; joined Dec 23, 2014)
Hi @Andy Ful

First of all, thank you for your work and your time.

I would like to know how I can tweak the options to get Recommended Settings but without running as SmartScreen, to get what is, for me, a balance between protection and comfort.

Thank you in advance
<Hide 'Run As Administrator'> = OFF
<Run As SmartScreen> = OFF
But I do not understand why these settings would be more comfortable. :unsure:
You can set only <Hide 'Run As Administrator'> = OFF if you want to run PowerShell or CMD with high privileges, and still use "Run As SmartScreen" to check & run files with the SmartScreen check.
 

Step 1 (joined Sep 17, 2018)
I'm the laziest guy in town. I don't like having to open a game by running it as SmartScreen every time. The euphemism of my story is "comfortable"
 

Step 1 (joined Sep 17, 2018)
Just whitelist it, and you won't need to run it as SmartScreen.
Thanks @shmu26 now this lazy guy is happy. :)
I would like to say that the language barrier was the problem, but the truth is that it was pure ignorance on my part. The definition of stupidity is trying to do the same thing several times and expecting a different result, I had tried to get comfortable with H_C and I was always repeating the same steps. :rolleyes:
Again thank you very much :)
 

shmu26 (joined Jul 3, 2015)
If you have figured out how to whitelist things, then welcome to the "advanced user" club! :)
 

SeriousHoax (joined Mar 16, 2019)
This setting is poorly documented. I think that it can work similarly to Intelligent Security Graph (ISG) integrated with WD Application Control. But, I never tested this. ISG allows application installers if they were checked by SmartScreen. But, in many cases the same application installers will be blocked if SmartScreen was not triggered. ISG uses SmartScreen when the file has MOTW, and uses advanced heuristics in the cloud for other files.
So, what's the bottom line here? I mean is there any advantage setting Cloud protection to "Block" instead of "High"?
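The MOTW dependence described in the quoted text above can be seen directly on disk. What follows is an added example, not code from Hard_Configurator or from anyone in the thread: it reads, sets and removes the Zone.Identifier alternate data stream that carries the Mark of the Web. The sample file name and the throwaway copy of notepad.exe are constructed for the demo; whether H_C's "Run As SmartScreen" uses this exact mechanism is not stated in the thread and is not assumed here.

```powershell
# Added example: inspect and toggle the Mark of the Web (MOTW) on a file.
# MOTW lives in the Zone.Identifier alternate data stream; ZoneId=3 ("Internet")
# is what makes SmartScreen evaluate the file when it is launched through the shell.
# Needs Windows PowerShell 3+ or PowerShell 7 and an NTFS volume.

function Get-Motw {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the stream's lines, or $null when the file carries no MOTW.
    try   { Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop }
    catch { $null }
}

function Set-Motw {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3,          # 3 = Internet, 4 = Restricted sites
        [string]$ReferrerUrl       # optional; browsers record the download origin here
    )
    $lines = @('[ZoneTransfer]', "ZoneId=$ZoneId")
    if ($ReferrerUrl) { $lines += "ReferrerUrl=$ReferrerUrl" }
    Set-Content -Path $Path -Stream Zone.Identifier -Value $lines
}

function Remove-Motw {
    param([Parameter(Mandatory)][string]$Path)
    Unblock-File -Path $Path   # the same thing Explorer's "Unblock" checkbox does
}

# Demo on a throwaway copy of a signed system binary (constructed, not from the thread).
$Sample = Join-Path $env:TEMP 'motw-demo.exe'
Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $Sample -Force

"Before:  MOTW = $(Get-Motw $Sample)"                 # empty: a locally copied file has no MOTW
Set-Motw -Path $Sample -ReferrerUrl 'https://example.invalid/download'
"After:   MOTW = $((Get-Motw $Sample) -join ' | ')"   # [ZoneTransfer] | ZoneId=3 | ReferrerUrl=...
Remove-Motw -Path $Sample
"Cleared: MOTW = $(Get-Motw $Sample)"                 # empty again
```

The launch path matters as much as the stream: SmartScreen for files is consulted when a marked file is opened through the shell (Explorer, Start-Process, a double-click), so the stream is the prerequisite for the check, not the check itself. A file that never received the stream (copied from a local share, extracted by an archiver that does not propagate it) is launched without any SmartScreen verdict, which is the case the quoted post separates from the MOTW one.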
 

Andy Ful (thread author, developer; joined Dec 23, 2014)
The "Block" setting seems to be more aggressive. If I correctly recall, this was the opinion of @Evjl's Rain after WD tests on MH. But, it would be interesting to make some other tests to compare "Highest" and "Block" settings.
 


oldschool (joined Mar 29, 2018)
Select the level of protection:

  • Default Windows Defender Antivirus blocking level provides strong detection without increasing the risk of detecting legitimate files.
  • High blocking level applies a strong level of detection while optimizing client performance (greater chance of false positives).
  • High + blocking level applies additional protection measures (may impact client performance and increase risk of false positives).
  • Zero tolerance blocking level blocks all unknown executables.
Warning
While unlikely, setting this switch to High or High + may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
 

DDE_Server (joined Sep 5, 2017)
Hi @Andy Ful,
When I tried to create a new project in PyCharm I faced this error.
Should I whitelist a certain path? :unsure: :unsure: What do you think the cause of the problem is?
[screenshot of the error not reproduced]
 

Andy Ful (thread author, developer; joined Dec 23, 2014)
Select the level of protection:

  • Default Windows Defender Antivirus blocking level provides strong detection without increasing the risk of detecting legitimate files.
  • High blocking level applies a strong level of detection while optimizing client performance (greater chance of false positives).
  • High + blocking level applies additional protection measures (may impact client performance and increase risk of false positives).
  • Zero tolerance blocking level blocks all unknown executables.
Warning
While unlikely, setting this switch to High or High + may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
Unfortunately, these descriptions are not especially helpful and can be deduced from the words: default, high, high+. The last level (Zero tolerance) is also misleading because it suggests that only known files are allowed (a kind of large whitelist in the cloud), which is not true (tested on freshly compiled files on Windows Enterprise). Microsoft uses the term "unknown" somewhat differently; probably some advanced heuristics are involved to recognize the similarity of the executable to a known one.
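The four levels from the quoted policy text are also exposed as Defender preferences, which makes it possible to read them back and compare rather than set them blind. The following is an added example, not code from the thread or from Hard_Configurator: it uses the built-in Get-MpPreference and Set-MpPreference cmdlets. The numeric mapping in the comments (Default 0, Moderate 1, High 2, HighPlus 4, ZeroTolerance 6) is the cmdlet's documented value set; the MAPS check before setting the level is this example's own addition.

```powershell
# Added example (not from the thread): read and change the Defender cloud block
# level the quoted policy text describes. Needs an elevated prompt and Microsoft
# Defender Antivirus as the active AV.
# Set-MpPreference -CloudBlockLevel accepts Default, Moderate, High, HighPlus, ZeroTolerance;
# Get-MpPreference reports them as 0, 1, 2, 4, 6 (policy names: Default, High, High+, Zero tolerance).

$CloudLevelName = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }

function Get-CloudProtectionState {
    $p = Get-MpPreference
    [pscustomobject]@{
        MAPSReporting        = $p.MAPSReporting          # 0 off, 1 basic, 2 advanced: the block level needs this on
        SubmitSamplesConsent = $p.SubmitSamplesConsent   # 0 always prompt, 1 send safe samples, 2 never send, 3 send all
        CloudBlockLevel      = $CloudLevelName[[int]$p.CloudBlockLevel]
        CloudExtendedTimeout = $p.CloudExtendedTimeout   # extra seconds (0-50) a suspicious file is held for a cloud verdict
    }
}

function Set-CloudProtectionLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Default', 'Moderate', 'High', 'HighPlus', 'ZeroTolerance')]
        [string]$Level,
        [ValidateRange(0, 50)][int]$ExtraSeconds = 50
    )
    # Without MAPS (cloud-delivered protection) the block level has nothing to act on,
    # so turn it on first instead of silently setting a dead knob.
    if ((Get-MpPreference).MAPSReporting -eq 0) {
        Set-MpPreference -MAPSReporting Advanced
    }
    Set-MpPreference -CloudBlockLevel $Level
    Set-MpPreference -CloudExtendedTimeout $ExtraSeconds
    Get-CloudProtectionState
}

'--- before ---'; Get-CloudProtectionState | Format-List
'--- after  ---'; Set-CloudProtectionLevel -Level High | Format-List
```

Two practical caveats: a value managed by Group Policy or another Defender front-end may be reverted on the next policy refresh, so set it in the tool that owns the machine's configuration; and the extended timeout is the knob that actually gives the cloud a chance to return a verdict on a never-seen executable, so raising the block level without it changes less than the level names suggest.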
 

Andy Ful (thread author, developer; joined Dec 23, 2014)
Maybe I should whitelist this path again. However, you told me the new rules created automatically should have solved this issue?
[attachment not reproduced]
I do not know what your old rule looks like, but it is evident that it does not work. Whitelist the folder
D:\python development project\
(use <Whitelist By Path><Add Folder>).

The H_C predefined rules are related to the user AppData and ProgramData folders. These folders and "Program Files ..." are the default Windows folders used by application installations. You chose a custom installation and a custom folder for Python projects, so this folder has to be whitelisted manually.
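What <Whitelist By Path> ends up as on disk, and a way to check which rule actually decides a given file before and after adding one. This is an added example, not Hard_Configurator's own code: it assumes that H_C's path whitelist is a Software Restriction Policies (SRP) path rule under the standard SRP registry key (H_C is built on SRP), uses the thread's project folder as the sample, and the rule description text is this example's own. Reading works from a normal account; Add-SrpUnrestrictedPath needs an elevated prompt. Prefer the H_C GUI for the real change, since H_C re-applies its rules from its own settings and may not show a rule added behind its back.

```powershell
# Added example (not H_C code): list SRP path rules and test which one decides a file.
# SRP keeps rules under one subkey per security level; a rule is a Paths\{GUID} key
# whose ItemData value is the path (a folder rule covers everything beneath it).

$Srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelName = @{ 0 = 'Disallowed'; 4096 = 'BasicUser'; 131072 = 'Constrained'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    foreach ($levelKey in Get-ChildItem -Path $Srp -ErrorAction SilentlyContinue) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # only the numeric level subkeys
        $level = [int]$levelKey.PSChildName
        $name  = if ($LevelName.ContainsKey($level)) { $LevelName[$level] } else { "level $level" }
        foreach ($rule in Get-ChildItem -Path "$($levelKey.PSPath)\Paths" -ErrorAction SilentlyContinue) {
            $v = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $name
                Path        = [Environment]::ExpandEnvironmentVariables([string]$v.ItemData)
                Description = $v.Description
                Guid        = $rule.PSChildName
            }
        }
    }
}

function Test-SrpPath {
    param([Parameter(Mandatory)][string]$FilePath)
    $cfg = Get-ItemProperty -Path $Srp -ErrorAction SilentlyContinue
    if ($null -eq $cfg -or $null -eq $cfg.DefaultLevel) { return 'SRP is not configured on this machine' }
    $hits = Get-SrpPathRules | Where-Object {
        $p = $_.Path.TrimEnd('\')
        # Prefix match approximates SRP's folder-rule semantics; wildcard rules use -like.
        if ($p -match '[\*\?]') { $FilePath -like $p }
        else { $FilePath.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase) }
    }
    if (-not $hits) { return "no path rule matches; DefaultLevel $($LevelName[[int]$cfg.DefaultLevel]) applies" }
    # SRP precedence: the most specific (longest) matching path wins; on a tie the
    # more restrictive level wins.
    $winner = $hits |
        Sort-Object -Property @{ Expression = { $_.Path.Length }; Descending = $true },
                              @{ Expression = { $_.Level -eq 'Disallowed' }; Descending = $true } |
        Select-Object -First 1
    "$($winner.Level) by rule '$($winner.Path)' ($($winner.Description))"
}

function Add-SrpUnrestrictedPath {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$Description = 'manual whitelist (example)'   # assumption: H_C writes its own text here
    )
    $key = "$Srp\262144\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Folder      | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    $key
}

Get-SrpPathRules | Format-Table Level, Path, Description -AutoSize
Test-SrpPath 'D:\python development project\venv\Scripts\python.exe'   # sample file under the thread's folder
# Add-SrpUnrestrictedPath -Folder 'D:\python development project\'     # elevated; then re-run Test-SrpPath
```

The useful check is Test-SrpPath against the exact file that PyCharm launches (the interpreter inside the project's venv, not just the project root): a rule that covers the folder shows up as Unrestricted here, while a stale or mistyped rule falls through to the Disallowed default and explains the error without guessing. New processes pick up a rule after it is written; an already running process keeps the decision it started with.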
 

DDE_Server (joined Sep 5, 2017)
OK thanks, I tried MT_profile and whitelisted the path. I will try to open the project to see if the problem has been resolved.
 

Andy Ful (thread author, developer; joined Dec 23, 2014)
If I remember correctly, you use some unsigned applications that require elevation. If so, then you also have to set <Validate Admin C.S.> = OFF, because otherwise such applications will be blocked.
 

Andy Ful (thread author, developer; joined Dec 23, 2014)
I am finishing tests with H_C beta ver. 5.0.1.0.
One of the tests included fighting the CXK-NMSL ransomware. The attack performed via the BAT file bypassed many strong AVs.
I considered possible attacks as follows:
  1. Initial BAT malware executed manually by the user from UserSpace,
  2. Initial BAT malware executed manually by the user from the email client,
  3. Initial (original) BAT malware executed manually by the user from the archiver application,
  4. Initial (original) EXE file which extracts & runs the BAT malware by using a "cmd /c ..." command line (in-the-wild attack), when the EXE was allowed to run by the AV.
The test was performed on the weakest H_C setting profile, i.e.:
Windows_*_Basic_Recommended_Settings.hdc
This profile allows EXE and MSI files globally, except when opened from the archiver or e-mail client applications.

The BAT malware was blocked in all scenarios. Furthermore, this profile will block any malware which uses one of the scenarios 1-4, or a similar scenario, with Windows native scripts (like BAT, CMD, JS, JSE, VBS, VBE, WSF, WSH, PS1).

The users who applied SysHardener should know that such attacks are not blocked in the default settings for BAT and CMD files (nor scenario 4 for PowerShell scripts). Some additional tweaks are required:
  1. Unassociate the BAT extension (will block scenarios 1-3 for BAT scripts, but will not block similar attacks via CMD scripts).
  2. Disable PowerShell Script Execution (will block all scenarios 1-4 for PowerShell scripts).
It is not possible to block scenario 4 by using SysHardener.
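A read-only audit of the two controls the four scenarios hinge on: the file association (what "Unassociate BAT extension" changes) and SRP's designated file types (the extensions SRP rules are enforced on at all). This is an added example, not from the thread and not from H_C or SysHardener; the extension list is the one from the post above, and which profile sets what is not inferred here, only the live state of the machine is reported.

```powershell
# Added example (read-only; a normal user account is enough): for each script
# extension, report the shell "open" command and whether SRP enforces on it.
# An empty open command closes the double-click / open-with paths (scenarios 1-3)
# only: cmd.exe runs a .bat/.cmd given on its command line (scenario 4, "cmd /c")
# without consulting the association, so that path needs SRP (or AppLocker) rules.

$ScriptExt = '.bat', '.cmd', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.ps1'   # list from the post
$Srp       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-ShellOpenCommand {
    param([Parameter(Mandatory)][string]$Ext)
    # A per-user Explorer choice overrides the machine-wide ProgId, so check it first.
    $choice = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Ext\UserChoice" -ErrorAction SilentlyContinue
    $progId = if ($choice) { $choice.ProgId } else { (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Ext" -ErrorAction SilentlyContinue).'(default)' }
    if (-not $progId) { return $null }   # unassociated extension
    (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
}

function Get-SrpDesignatedTypes {
    # ExecutableTypes (REG_MULTI_SZ, names without the dot) is the list SRP applies its rules to.
    $cfg = Get-ItemProperty -Path $Srp -ErrorAction SilentlyContinue
    if (-not $cfg) { return @() }
    @($cfg.ExecutableTypes | ForEach-Object { '.' + $_.ToLower() })
}

function Get-ScriptAttackSurface {
    $cfg     = Get-ItemProperty -Path $Srp -ErrorAction SilentlyContinue
    $types   = Get-SrpDesignatedTypes
    $default = if ($cfg) { $cfg.DefaultLevel } else { 'n/a' }   # 0 = Disallowed, 262144 = Unrestricted
    foreach ($ext in $ScriptExt) {
        [pscustomobject]@{
            Ext         = $ext
            OpenCommand = Get-ShellOpenCommand -Ext $ext
            SrpEnforced = $types -contains $ext
            SrpDefault  = $default
        }
    }
}

Get-ScriptAttackSurface | Format-Table -AutoSize
# .ps1 by default opens in Notepad, so its scenarios 1-3 already differ from BAT; the
# execution policy by scope is the other half. Only the MachinePolicy/UserPolicy scopes
# are immune to a command-line -ExecutionPolicy switch.
Get-ExecutionPolicy -List | Format-Table -AutoSize
```

Reading the table against the post: an extension with an empty OpenCommand and SrpEnforced = False is exactly the "unassociated but not blocked for cmd /c" state the SysHardener note describes, while SrpEnforced = True with a Disallowed default (and no Unrestricted rule covering the script's folder) is the state in which scenario 4 is also covered. Note that VBS and JS are not in SRP's stock designated-types list, so a profile has to add them before any SRP rule applies to those scripts at all.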
 
