Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,596
Hi, < @Andy Ful

First of all, thank you for your work and your time.

I would like to know how I can tweak the options to get Recommended Settings but without running as SmartScreen, to get what is, for me, a balance between protection and comfort.

Thank you in advance
<Hide 'Run As Administrator> = OFF
<Run As SmartScreen> = OFF
But, I do not understand why these settings would be more comfortable.:unsure:
You can set only <Hide 'Run As Administrator> = OFF, if you want run PowerShell or CMD with high privileges, and still use "Run As SmartScreen" to check & run files with SmartScreen check.
 
Last edited:

Step 1

Level 3
Verified
Sep 17, 2018
102
<Hide 'Run As Administrator> = OFF
<Run As SmartScreen> = OFF
But, I do not understand why these settings would be more comfortable.:unsure:
You can set only <Hide 'Run As Administrator> = OFF, if you want run PowerShell or CMD with high privileges, and still use "Run As SmartScreen" to check & run files with SmartScreen check.
I'm the laziest guy in town. I don't like having to open a game by running it as SmartScreen every time. The euphemism of my story is "comfortable"
 

Step 1

Level 3
Verified
Sep 17, 2018
102
Just whitelist it, and you won't need to run it as smartscreen.
Thanks @shmu26 now this lazy guy is happy. :)
I would like to say that the language barrier was the problem, but the truth is that it was pure ignorance on my part. The definition of stupidity is trying to do the same thing several times and expecting a different result, I had tried to get comfortable with H_C and I was always repeating the same steps. :rolleyes:
Again thank you very much :)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thanks @shmu26 now this lazy guy is happy. :)
I would like to say that the language barrier was the problem, but the truth is that it was pure ignorance on my part. The definition of stupidity is trying to do the same thing several times and expecting a different result, I had tried to get comfortable with H_C and I was always repeating the same steps. :rolleyes:
Again thank you very much :)
If you have figured out how to whitelist things, then welcome to the "advanced user" club! :)
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,872
This setting is poorly documented. I think that it can work similarly to Intelligent Security Graph (ISG) integrated with WD Application Control. But, I never tested this. ISG allows application installers if they were checked by SmartScreen. But, in many cases the same application installers will be blocked if SmartScreen was not triggered. ISG uses SmartScreen when file has MOTW, and uses advanced heuristics in the cloud for other files.
So, what's the bottom line here? I mean is there any advantage setting Cloud protection to "Block" instead of "High"?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,596
So, what's the bottom line here? I mean is there any advantage setting Cloud protection to "Block" instead of "High"?
The "Block" setting seems to be more aggressive. If I correctly recall, this was the opinion of @Evjl's Rain after WD tests on MH. But, it would be interesting to make some other tests to compare "Highest" and "Block" settings.
 

SWCLM2020

New Member
Apr 1, 2020
5

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,701
Select the level of protection:

  • Default Windows Defender Antivirus blocking level provides strong detection without increasing the risk of detecting legitimate files.
  • High blocking level applies a strong level of detection while optimizing client performance (greater chance of false positives).
  • High + blocking level applies additional protection measures (may impact client performance and increase risk of false positives).
  • Zero tolerance blocking level blocks all unknown executables.
Warning
While unlikely, setting this switch to High or High + may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
 

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,173
Hi @Andy Ful
when i tried to create new project in pycharm i faced this error
should i whitelist certain path :unsure: :unsure: ?? what do you think the cause of the problem ?
1586034001566.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,596
Select the level of protection:

  • Default Windows Defender Antivirus blocking level provides strong detection without increasing the risk of detecting legitimate files.
  • High blocking level applies a strong level of detection while optimizing client performance (greater chance of false positives).
  • High + blocking level applies additional protection measures (may impact client performance and increase risk of false positives).
  • Zero tolerance blocking level blocks all unknown executables.
Warning
While unlikely, setting this switch to High or High + may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
Unfortunately, these descriptions are not especially helpful and can be deduced from the words: default, high, high+. The last level (Zero tolerance) is also misguiding because it suggests that only known files are allowed (kind of large whitelist in the cloud), which is not true (tested on fresh compiled files on Windows Enterprise). Microsoft uses the term "unknown" somewhat differently - probably some advanced heuristics are involved to recognize the similarity of the executable to the known one.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,596
may be i should white list this path again. however you told me the new rules created automatically should solved this issue ??
View attachment 236246
I do not know how your old rule looks like, but it is evident that it does not work. Whitelist the folder
D:\python development project\
(use <Whitelist By Path><Add Folder>).

The H_C predefined rules are related to the user AppData and ProgramAppdata folders. These folders and "Program Files ..." are the default Windows folders used by application installations. You chose the custom installation and custom folder for Python projects, so this folder it has to be whitelisted manually.
 

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,173
I do not know how your old rule looks like, but it is evident that it does not work. Whitelist the folder
D:\python development project\
(use <Whitelist By Path><Add Folder>).

The H_C predefined rules are related to the user AppData and ProgramAppdata folders. These folders and "Program Files ..." are the default Windows folders used by application installations. You chose the custom installation and custom folder for Python projects, so this folder it has to be whitelisted manually.
ok thanks i tried MT_profile and white listed the path i will try to open the project to see if the problem has been resolved
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,596
ok thanks i tried MT_profile and white listed the path i will try to open the project to see if the problem has been resolved
If I correctly remember, you use some unsigned applications that require elevation. If so, then you have to set also <Validate Admin C.S.> = OFF , because otherwise such applications will be blocked.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,596
I am finishing tests with H_C beta ver. 5.0.1.0.
One of the tests included fighting CXK-NMSL ransomware. The attack performed via the BAT file bypassed many strong AVs.
I considered possible attacks as follows:
  1. Initial BAT malware executed manually by the user from UserSpace,
  2. Initial BAT malware executed manually by the user from the email client,
  3. Initial (original) BAT malware executed manually by the user from the archiver application,
  4. Initial (original) EXE file which extracts & runs the BAT malware by using "cmd /c ..." command-line (in-the-wild attack), when EXE was allowed to run by the AV.
The test was performed on the weakest H_C setting profile e.g. :
Windows_*_Basic_Recommended_Settings.hdc
This profile allows EXE and MSI files globally, except when opened from the archiver or e-mail client applications.

The BAT malware was blocked in all scenarios. Furthermore, this profile will block any malware which will use one of these scenarios or similar scenarios 1-4 that use Windows native scripts (like BAT, CMD, JS, JSE, VBS, VBE, WSF, WSH, PS1).

The users who applied SysHardener should know that such attacks are not blocked in default settings for BAT and CMD files (also the scenario 4 for PowerShell scripts). Some additional tweaks are required:
  1. Unassociate BAT extension (will block the scenarios 1-3 for BAT scripts, but will not block similar attacks via CMD scripts).
  2. Disable PowerShell Script Execution (will block all scenarios 1-4 for PowerShell scripts).
It is not possible to block scenario 4, by using SysHardener.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top