Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
The nice thing is that for apps from Microsoft Store one can apply Code Integrity Guard mitigation (via WD Exploit protection).:)
For Adobe Reader Touch I could apply 15 mitigations from Exploit protection (except ACG and DisableWin32kSystemCalls).
 
Last edited:
F

ForgottenSeer 85179

For Adobe Touch I could apply 15 mitigations from Exploit protection (except ACG and DisableWin32kSystemCalls).
Are you sure? For me it works with ACG but DisableWin32kSystemCalls indeed prevent app from start

I have:
ACG enabled but without "Allow thread deactivation" setting. Sounds like a weaker setting for me
CFG enabled but without "use strict CFG" as this prevent app start
Code integrity: need to allow Microsoft store images or app doesn't start
Export Address Filtering (EAF) both with and without bonus setting make app start slow
all other settings can be enabled
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Are you sure? For me it works with ACG but DisableWin32kSystemCalls indeed prevent app from start
...
I am sure. ACG does not work for me in this configuration (with or without "Allow thread deactivation"). It is probable, that other mitigations do not work on some machines, too.
Anyway, Adobe Reader Touch with these mitigations and AppContainer is the most secure PDF viewer I know.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
The new and dangerous Astaroth malware:
Astaroth2020.png


In the case of Astaroth, attackers hide binary data inside the ADS of the file desktop.ini, without changing the file size. By doing this, the attackers create a haven for the payloads, which are read and decrypted on the fly.

So, how can this be stopped with H_C settings?
After the user downloads the malware and runs the unpacked content, the shortcut (LNK file) is normally executed which will be blocked by SRP. Even if the user applied the settings that allowed shortucts, then the shortcut normally runs JavaScript file via command-line (BAT commands are included in the shortcut - not in the BAT file), and the script will be blocked by SRP (blocked Windows Script Host).
This malware would be blocked by any predefined H_C setting profile (except All_OFF). It could be also stopped by blocking some Sponsors in H_C (bitsadmin.exe or ExtExport.exe), but this is not necessary (as usual) because of the previous protective layers.

The malware is prepared to avoid AV protection and can bypass SysHardener (if "Turn Off Windows Script Host" is unticked). SysHardener has an option to block the outbound connections of bitsadmin.exe, but unfortunately, this will not stop Astaroth from downloading payloads.

Edit.
SysHardener has several options to restrict Windows Script Host. Some options will block only such scripts when manually executed by the user (unassociated script extensions) and the second option which blocks all attempts of running such scripts (by the user or any process - including malware).
 
Last edited:

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
I have Windows 10. I use Windows Defender with Configure Defender ( high profile). So far so good. When I add Hard_Configurator at recommended settings, the links in Windows Mail cannot be opened anymore in the browser ( Chrome). What setting should I change to be able to open my links?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
This type of Lolbin manipulation is becoming more popular nowadays and most AVs behabior blocker would miss this. This one also used bitsadmin.exe to download some payloads. Have you though about adding some more in recommended firewall hardening rules?
I did not think about it, but of course, it can be done if needed. Do you have some suggestions about adding something to the "Recommended H_C" firewall rules?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I have Windows 10. I use Windows Defender with Configure Defender ( high profile). So far so good. When I add Hard_Configurator at recommended settings, the links in Windows Mail cannot be opened anymore in the browser ( Chrome). What setting should I change to be able to open my links?
Which version of H_C have you installed? Did you look at the FirewallHardening Log?
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
I have version 5.0.0.0; I checked Blocked Events/ Security logs and there is nothing about my blocked links. I also tried to whitelist Chrome and Mail but to no avail. I just switched off SRP. No change. Then I switched off restrictions. And the links open. So it must be one of the restrictions. I will try to play with the restrictions one by one to find the culprit!
I was able turn on Power Shell, Doc antiexploit and Block Remote. But whenever I try Hide Run as Administrator Or run as SmartScreen, my links are blocked.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
...
But whenever I try Hide Run as Administrator Or run as SmartScreen, my links are blocked.
These two options are not related to Windows Mail or URLs, so this is very unusual behavior. Could you tell me something more about these blocked links? Maybe you could post here an example of the blocked link.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
I subscribe to a Newsletter called Gizmo's freeware. You can click on read more to get more information. This is the link to click on.
 

Attachments

  • 2020-04-20_16h47_34.png
    2020-04-20_16h47_34.png
    121.1 KB · Views: 237
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I subscribe to a Newsletter called Gizmo's freeware. You can click on read more to get more information. This is the link to click on.
What is exactly happening when you click this link?
Does Chrome open, but the link is not opened?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Back3
I have tried to reproduce your issue, but after sending an email with this link to another email box, the link can be open without any problem. I used built-in Windows Mail and the same settings as in your previous post.

Please try this:
  1. Restart Windows.
  2. Open Chrome and any website to see if there is no problem with the Internet connection.
  3. Open Windows Mail and try to open the link(y).
Edit.
This issue can probably happen after installing H_C and using the option "Refresh Explorer" instead of "Log OFF". Refreshing the Explorer sometimes does not apply fully the Windows Policies. This was changed in the beta version 5.0.0.1 and the user has to Log OFF after installing the H_C.
 
Last edited:

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
What is exactly happening when you click this link?
Does Chrome open, but the link is not opened?

I get this window from Window Mail telling me that the link couldn't be opened. But I did something new. I checked Hide run as an Administrator and applied the changes and had to refresh with explorer. Then I checked the link. Could not open the link. I turned off the computer and restarted it. I could open the link. Whenever i make changes, I think I will have to restart the computer to avoid this problem. Next time I will use Log off: as you said Refresh explorer sometimes does not fully apply Windows policies. Thanks for your help !
 

Attachments

  • 2020-04-20_18h40_50.png
    2020-04-20_18h40_50.png
    7.5 KB · Views: 224
Last edited:

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
My two day experiment with Hard_ Configurator...still going on..

1. I've been using Windows Defender with Configure Defender for nearly a year now...
2. I looked for tutorials on YouTube: couldn't find one in English but found a good one about version 5 in French. I watched it twice...
3. I made an image with Macrium then installed H_C;
4.In the video, the guy suggested to log off after having accepted the recommended settings. I just refreshed explorer and had problems with Windows Mail.
5. I have two folders on my desktop:I keep shortcuts or portable .exe for maintenance and security applications; I whitelisted those two folders and could use the apps without problems;
6. I then clicked on every app I have in my taskbar and in the start menu to make sure each one was able to run. I had to whitelist my capture app Screenpresso because the .exe is located in program data. I used WizFile to find the exact path to the .exe; Whitelist by path is very easy to use;
7. I did not make any changes in the Configure Defender tab: I already have a High profile setup and it runs good;
8 One year ago I had installed Syshardener to get the firewall rules. I still have them even if I do not have the app on my computer anymore. So for firewall hardening, I already have good external rules. Maybe I will add a few more later....I use Firewall App Blocker to edit firewall rules but next time I will try the H_C firewall tab.

So far my experience has been great because the support here by Andy Ful is great....H_C is a Wow app....
 
Last edited:

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
My two day experiment with Hard_ Configurator...still going on..

1. I've been using Windows Defender with Configure Defender for nearly a year now...
2. I looked for tutorials on YouTube: couldn't find one in English but found a good one about version 5 in French. I watched it twice...
3. I made an image with Macrium then installed H_C;
4.In the video, the guy suggested to log off after having accepted the recommended settings. I just refreshed explorer and had problems with Windows Mail.
5. I have two folders on my desktop:I keep shortcuts or portable .exe for maintenance and security applications; I whitelisted those two folders and could use the apps without problems;
6. I then clicked on every app I have in my taskbar and in the start menu to make sure each one was able to run. I had to whitelist my capture app Screenpresso because the .exe is located in program data. I used WizFile to find the exact path to the .exe; Whitelist by path is very easy to use;
7. I did not make any changes in the Configure Defender tab: I already have a High profile setup and it runs good;
8 One year ago I had installed Syshardener to get the firewall rules. I still have them even if I do not have the app on my computer anymore. So for firewall hardening, I already have good external rules. Maybe I will add a few more later....I use Firewall App Blocker to edit firewall rules but next time I will try the H_C firewall tab.

So far my experience has been great because the support here by Andy Ful is great....
Good for you (y)
I want to add that the you van easy find the path of blocked programs by using the "buit-in" log viewer.
Go to the main screen of H_C, Tools, Blocked Events / Security Logs
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
Good for you (y)
I want to add that the you van easy find the path of blocked programs by using the "buit-in" log viewer.
Go to the main screen of H_C, Tools, Blocked Events / Security Logs


Thanks
 
  • Like
Reactions: Gandalf_The_Grey

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,870
I did not think about it, but of course, it can be done if needed. Do you have some suggestions about adding something to the "Recommended H_C" firewall rules?
Maybe cmd.exe, bitsadmin, certutil.exe?
Here's one related to using certutil.exe to download malwares
Here's another detailed analysis about LOLbins manipulation by Ramnit trojan that you might be interested to read
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top