Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Maybe cmd.exe, bitsadmin, certutil.exe?
Here's one related to using certutil.exe to download malwares
Here's another detailed analysis about LOLbins manipulation by Ramnit trojan that you might be interested to read
Certutil is already added. Bitsadmin and CMD do not make outbound connections, but trigger other processes that do this for them. For example, bitsadmin.exe triggers svchost.exe. The CMD will trigger Bitsadmin, Wscript, Cscript, PowerShell, Certutil, or other LOLBins.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
You mean in the upcoming new version?
Beta 5.0.0.1
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
If Macrium works with admin rights, then it should work without whitelisting like other high privileged system processes. SRP in H_C does not block such processes. Anyway, this can be easily tested by creating a test backup.
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,256
If Macrium works with admin rights, then it should work without whitelisting like other high privileged system processes. SRP in H_C does not block such processes. Anyway, this can be easily tested by creating a test backup.
Confirmed, I'm using both Macrium Reflect Free & Hard_Configurator (Recommended Settings for SRP), I have been never running into issues to fail any backup/image by Macrium for almost two years until now... 👍
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
What's the best way to install a secure downloaded app? Switch off Default Deny Protection, install the app then switch it on. Or right click on the .exe, and execute it as administrator. Or run as SmartScreen.
Normally the safest and preferred way would be run as smartscreen.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
What's the best way to install a secure downloaded app? Switch off Default Deny Protection, install the app then switch it on. Or right click on the .exe, and execute it as administrator. Or run as SmartScreen.
Do you use SUA or default admin account?

You can use the below methods when running the installation from the hard disk or when running the standalone installator from another source (flash drive, CD/DVD, etc.).
  1. On SUA ---> switch off the protection and use "Run By SmartScreen" from the right-click Explorer context menu. Switch on the protection after installation.
  2. On any admin account ---> use "Run As SmartScreen" from the right-click Explorer context menu.
The difference between 1 and 2 follows from the fact that using admin rights on SUA can spoil the installation (some files will be put on the admin profile instead of the user profile).

When one wants to run the non-standalone installation (like setup.exe + installation files in some folders) from non-NTFS sources like, flash drive, memory card, CD/DVD source, ISO image, etc. then the above simple methods cannot be applied. You have to switch off the protection and run the installation normally. This should be done with caution because the installation will not be checked with SmartScreen (files do not have MOTW).
 
Last edited:

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
I use an admin account. I was wondering if I can always use Run as SmartScreen even if the exe is small or large. For instance, installing a small .exe like Chrome or a large .exe such as LibreOffice. I understand that the bigness of the .exe + installation files doesn't matter if I run a standalone installation.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I use an admin account. I was wondering if I can always use Run as SmartScreen even if the exe is small or large. For instance, installing a small .exe like Chrome or a large .exe such as LibreOffice. I understand that the bigness of the .exe + installation files doesn't matter if I run a standalone installation.
That is right. You will be waiting a little longer for SmartScreen check with big files.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Hi Andy,

I'm using H_C 5.0.1 beta, where is the basic recommended setting profile? I don't see it when i load profiles. Also will there be any problem if i block all sponsors and is it necessary?
This profile is included in the upcoming beta. You can set it in the version 5.0.0.1 as follows:
  1. Apply the "Recommended Settings"
  2. Set <More SRP ...> <Update Mode> = OFF
  3. Open <Whitelist By Path>, use "Allow EXE and TMP" and "Allow MSI" to whitelist globally the EXE (TMP) and MSI files.
  4. Close the window and use <APPLY CHANGES>
You should see something like below:
BasicProfile.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
...Also will there be any problem if i block all sponsors and is it necessary?
That will depend on the installed software. You could probably live with blocked Sponsors while checking from time to time the H_C Log for possible blocked events. The cons of blocking Sponsors is that you cannot whitelist the action of the Sponsor - it can be only enabled or disabled.
The H_C settings are for decreasing the attack surface area. The necessity of blocking sponsors can depend on your security setup, software vulnerabilities, computer activity, safe habits, etc. For non-happy clickers on well updated Windows 10 with well updated software, blocking sponsors is usually unnecessary. Please, use "Run By SmartScreen" from the right-click Explorer context menu to check & run the EXE and MSI standalone application installers.

Edit.
Your current setup (KAV 20, Hard_Configurator, WiseVector StopX) is OK.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
My firewall hardening already includes Syshardener outbound firewall rules. Would it be a good idea to add those two rules:
C:\Windows\system32\mshta.exe
C:\Windows\system32\rundll32.exe
Thanks
Yes.(y)
Anyway, you can use FirewallHardening (without adding any rules) to see the blocked outbound connections - enable logging events and use <Blocked Events>. Pay attention to the entries blocked by your custom rules. There can be more blocked processes related to your privacy settings and default firewall rules - you can ignore them.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top