Andy Ful

The nice thing is that for apps from the Microsoft Store one can apply the Code Integrity Guard mitigation (via WD Exploit Protection). :)
For Adobe Reader Touch I could apply 15 mitigations from Exploit protection (except ACG and DisableWin32kSystemCalls).
security123

For Adobe Touch I could apply 15 mitigations from Exploit protection (except ACG and DisableWin32kSystemCalls).
Are you sure? For me it works with ACG, but DisableWin32kSystemCalls indeed prevents the app from starting.

I have:
ACG enabled, but without the "Allow thread deactivation" setting. Sounds like a weaker setting to me.
CFG enabled, but without "Use strict CFG", as this prevents the app from starting.
Code integrity: need to allow Microsoft Store images or the app doesn't start.
Export Address Filtering (EAF), both with and without the bonus setting, makes the app start slowly.
All other settings can be enabled.
Andy Ful

Are you sure? For me it works with ACG, but DisableWin32kSystemCalls indeed prevents the app from starting.
...
I am sure. ACG does not work for me in this configuration (with or without "Allow thread deactivation"). It is probable that other mitigations do not work on some machines either.
Anyway, Adobe Reader Touch with these mitigations and AppContainer is the most secure PDF viewer I know.
Andy Ful

The new and dangerous Astaroth malware:
[Image attachment: Astaroth2020.png]

In the case of Astaroth, attackers hide binary data inside the ADS of the file desktop.ini, without changing the file size. By doing this, the attackers create a haven for the payloads, which are read and decrypted on the fly.

So, how can this be stopped with H_C settings?
After the user downloads the malware and runs the unpacked content, the shortcut (LNK file) is normally executed, which will be blocked by SRP. Even if the user applied the settings that allow shortcuts, the shortcut normally runs a JavaScript file via the command line (the BAT commands are included in the shortcut, not in a BAT file), and the script will be blocked by SRP (blocked Windows Script Host).
This malware would be blocked by any predefined H_C setting profile (except All_OFF). It could also be stopped by blocking some Sponsors in H_C (bitsadmin.exe or ExtExport.exe), but this is not necessary (as usual) because of the previous protective layers.

The malware is prepared to avoid AV protection and can bypass SysHardener (if "Turn Off Windows Script Host" is unticked). SysHardener has an option to block the outbound connections of bitsadmin.exe, but unfortunately, this will not stop Astaroth from downloading payloads.

Edit.
SysHardener has several options to restrict Windows Script Host. One option blocks such scripts only when they are manually executed by the user (unassociated script extensions); the second option blocks all attempts to run such scripts (by the user or any process, including malware).
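The post above describes Astaroth stashing its payload in an alternate data stream (ADS) of desktop.ini. As an added example, not part of this thread or of H_C, the PowerShell function below enumerates NTFS streams under a folder and reports every stream that is not the default :$DATA stream or the usual Zone.Identifier mark-of-the-web, flagging desktop.ini files in particular. The root folder and the benign-stream list are assumptions.

```powershell
# Added example: find files carrying unexpected alternate data streams.
# Assumption: $Root defaults to the user profile; adjust as needed.
function Find-SuspiciousStreams {
    param(
        [string]$Root = $env:USERPROFILE
    )

    # Streams every file may legitimately have: the main data stream and
    # the mark-of-the-web stream written by browsers on downloads.
    $benign = @(':$DATA', 'Zone.Identifier')

    # -Force includes hidden/system files such as desktop.ini.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every NTFS stream attached to this file.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin $benign } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        # desktop.ini never needs an extra stream; call it out.
                        Suspicious = ($file.Name -ieq 'desktop.ini')
                    }
                }
        }
}

# Usage: list findings, suspicious ones first.
Find-SuspiciousStreams |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

The file size reported by Explorer does not include ADS content, which is why the post says the payload hides "without changing the file size"; the Bytes column here is the stream's own length.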
Back3

I have Windows 10. I use Windows Defender with Configure Defender (high profile). So far so good. When I add Hard_Configurator at recommended settings, the links in Windows Mail cannot be opened anymore in the browser (Chrome). What setting should I change to be able to open my links?
Andy Ful

This type of LOLBin manipulation is becoming more popular nowadays, and most AVs' behavior blockers would miss this. This one also used bitsadmin.exe to download some payloads. Have you thought about adding some more to the recommended firewall hardening rules?
I did not think about it, but of course, it can be done if needed. Do you have some suggestions about adding something to the "Recommended H_C" firewall rules?
Andy Ful

I have Windows 10. I use Windows Defender with Configure Defender (high profile). So far so good. When I add Hard_Configurator at recommended settings, the links in Windows Mail cannot be opened anymore in the browser (Chrome). What setting should I change to be able to open my links?
Which version of H_C have you installed? Did you look at the FirewallHardening Log?
Back3

I have version 5.0.0.0; I checked Blocked Events / Security Logs and there is nothing about my blocked links. I also tried to whitelist Chrome and Mail, but to no avail. I just switched off SRP. No change. Then I switched off restrictions. And the links open. So it must be one of the restrictions. I will try to play with the restrictions one by one to find the culprit!
I was able to turn on PowerShell, Doc antiexploit and Block Remote. But whenever I try Hide "Run as Administrator" or "Run as SmartScreen", my links are blocked.
Back3

I subscribe to a Newsletter called Gizmo's freeware. You can click on read more to get more information. This is the link to click on.
Andy Ful

I subscribe to a Newsletter called Gizmo's freeware. You can click on read more to get more information. This is the link to click on.
What is exactly happening when you click this link?
Does Chrome open, but the link is not opened?
Andy Ful

@Back3
I have tried to reproduce your issue, but after sending an email with this link to another email box, the link can be opened without any problem. I used the built-in Windows Mail and the same settings as in your previous post.

Please try this:
  1. Restart Windows.
  2. Open Chrome and any website to see if there is no problem with the Internet connection.
  3. Open Windows Mail and try to open the link. (y)
Edit.
This issue can probably happen after installing H_C and using the option "Refresh Explorer" instead of "Log OFF". Refreshing the Explorer sometimes does not fully apply the Windows policies. This was changed in the beta version 5.0.0.1, and the user has to Log OFF after installing H_C.
Back3

What is exactly happening when you click this link?
Does Chrome open, but the link is not opened?
I get this window from Windows Mail telling me that the link couldn't be opened. But I did something new. I checked Hide "Run as Administrator", applied the changes and had to refresh Explorer. Then I checked the link. Could not open the link. I turned off the computer and restarted it. I could open the link. Whenever I make changes, I think I will have to restart the computer to avoid this problem. Next time I will use Log off: as you said, Refresh Explorer sometimes does not fully apply Windows policies. Thanks for your help!
Back3

My two-day experiment with Hard_Configurator... still going on...

1. I've been using Windows Defender with Configure Defender for nearly a year now...
2. I looked for tutorials on YouTube: couldn't find one in English, but found a good one about version 5 in French. I watched it twice...
3. I made an image with Macrium, then installed H_C;
4. In the video, the guy suggested logging off after having accepted the recommended settings. I just refreshed Explorer and had problems with Windows Mail.
5. I have two folders on my desktop: I keep shortcuts or portable .exe files for maintenance and security applications; I whitelisted those two folders and could use the apps without problems;
6. I then clicked on every app I have in my taskbar and in the Start menu to make sure each one was able to run. I had to whitelist my capture app Screenpresso because the .exe is located in ProgramData. I used WizFile to find the exact path to the .exe; Whitelist by path is very easy to use;
7. I did not make any changes in the Configure Defender tab: I already have a High profile set up and it runs well;
8. One year ago I had installed SysHardener to get the firewall rules. I still have them even if I do not have the app on my computer anymore. So for firewall hardening, I already have good external rules. Maybe I will add a few more later... I use Firewall App Blocker to edit firewall rules, but next time I will try the H_C firewall tab.

So far my experience has been great because the support here by Andy Ful is great....H_C is a Wow app....
Gandalf_The_Grey

My two-day experiment with Hard_Configurator... still going on...

1. I've been using Windows Defender with Configure Defender for nearly a year now...
2. I looked for tutorials on YouTube: couldn't find one in English, but found a good one about version 5 in French. I watched it twice...
3. I made an image with Macrium, then installed H_C;
4. In the video, the guy suggested logging off after having accepted the recommended settings. I just refreshed Explorer and had problems with Windows Mail.
5. I have two folders on my desktop: I keep shortcuts or portable .exe files for maintenance and security applications; I whitelisted those two folders and could use the apps without problems;
6. I then clicked on every app I have in my taskbar and in the Start menu to make sure each one was able to run. I had to whitelist my capture app Screenpresso because the .exe is located in ProgramData. I used WizFile to find the exact path to the .exe; Whitelist by path is very easy to use;
7. I did not make any changes in the Configure Defender tab: I already have a High profile set up and it runs well;
8. One year ago I had installed SysHardener to get the firewall rules. I still have them even if I do not have the app on my computer anymore. So for firewall hardening, I already have good external rules. Maybe I will add a few more later... I use Firewall App Blocker to edit firewall rules, but next time I will try the H_C firewall tab.

So far my experience has been great because the support here by Andy Ful is great....
Good for you (y)
I want to add that you can easily find the path of blocked programs by using the "built-in" log viewer.
Go to the main screen of H_C, Tools, Blocked Events / Security Logs.
Back3

Good for you (y)
I want to add that you can easily find the path of blocked programs by using the "built-in" log viewer.
Go to the main screen of H_C, Tools, Blocked Events / Security Logs.

Thanks
SeriousHoax

I did not think about it, but of course, it can be done if needed. Do you have some suggestions about adding something to the "Recommended H_C" firewall rules?
Maybe cmd.exe, bitsadmin.exe, certutil.exe?
Here's one related to using certutil.exe to download malware.
Here's another detailed analysis of LOLBin manipulation by the Ramnit trojan that you might be interested in reading.
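The reply above suggests outbound firewall rules for cmd.exe, bitsadmin.exe and certutil.exe. As an added example, not one of H_C's own "Recommended" rules, the script below creates a Windows Firewall outbound block rule for each of those binaries in both System32 and SysWOW64, skipping rules that already exist so it can be re-run safely. It must be run from an elevated PowerShell; the rule-name prefix is an assumption, and cmd.exe is included only because the poster listed it, so check that nothing legitimate on the machine needs outbound access from it first.

```powershell
# Added example: outbound block rules for LOLBins commonly abused to fetch payloads.
# Assumptions: 64-bit Windows with the NetSecurity module; run as Administrator.
$lolbins = @('bitsadmin.exe', 'certutil.exe', 'cmd.exe')
$dirs    = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$prefix  = 'Hardening: block outbound'   # assumed naming convention

function Add-LolbinBlockRules {
    foreach ($exe in $lolbins) {
        foreach ($dir in $dirs) {
            $path = Join-Path $dir $exe
            # SysWOW64 copies do not exist for every binary; skip missing paths.
            if (-not (Test-Path -LiteralPath $path)) { continue }

            $name = "$prefix $exe ($dir)"
            # Idempotent: do not duplicate a rule that is already present.
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

            New-NetFirewallRule -DisplayName $name `
                                -Direction Outbound `
                                -Action Block `
                                -Program $path `
                                -Profile Any `
                                -Enabled True | Out-Null
            Write-Output "Created: $name"
        }
    }
}

# Show which programs are now covered by the rules this script owns.
function Get-LolbinBlockRules {
    Get-NetFirewallRule -DisplayName "$prefix *" |
        Get-NetFirewallApplicationFilter |
        Select-Object -ExpandProperty Program
}

Add-LolbinBlockRules
Get-LolbinBlockRules
```

Note that Andy's earlier post says blocking bitsadmin.exe's outbound connections did not stop Astaroth from downloading its payloads, so treat these rules as one extra layer behind SRP and the script-host restrictions, not as a replacement for them.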