Hard_Configurator - Windows Hardening Configurator

Andy Ful (thread author, developer)
Coincidentally, I got an alert that CFA blocked cleanmgr.exe after installing Windows updates, but cleanmgr still executed successfully without whitelisting. My view is that CFA alerts are not always accurate and can sometimes be ignored.
CFA does not kill or stop the work of applications. It only prevents them from making changes in the protected folders. Usually, cleanmgr should not do anything in data folders. So, the alert was OK. Most of these alerts are only informative. You can look at it as the reincarnation of VoodooShield (although VS is more informative). :)
 

Gandalf_The_Grey

CFA does not kill or stop the work of applications. It only prevents them from making changes in the protected folders. Usually, cleanmgr should not do anything in data folders. So, the alert was OK. Most of these alerts are only informative. You can look at it as the reincarnation of VoodooShield (although VS is more informative). :)
Most of the time I can understand the alerts and know what to do.
Controlled folder access blocked C:\Program Files\HitmanPro\HitmanPro.exe from making changes to memory.
Detection time: 2020-05-12T19:21:15.406Z
User: NITRO\Gandalf
Path: \Device\HarddiskVolume4
Process name: C:\Program Files\HitmanPro\HitmanPro.exe
Security intelligence version: 1.315.501.0
Engine version: 1.1.17000.7
Product version: 4.18.2004.6
HitmanPro has to get access if you use it as a second opinion scanner.

But this one puzzles me:
Controlled folder access blocked C:\Windows\System32\taskhostw.exe from making changes to memory.
Detection time: 2020-05-13T12:34:36.452Z
User: NT AUTHORITY\SYSTEM
Path: \Device\CdRom0
Process name: C:\Windows\System32\taskhostw.exe
Security intelligence version: 1.315.565.0
Engine version: 1.1.17000.7
Product version: 4.18.2004.6

Andy Ful

...
But this one puzzles me:
Controlled folder access blocked C:\Windows\System32\taskhostw.exe from making changes to memory.
Detection time: 2020-05-13T12:34:36.452Z
User: NT AUTHORITY\SYSTEM
Path: \Device\CdRom0
Process name: C:\Windows\System32\taskhostw.exe
Security intelligence version: 1.315.565.0
Engine version: 1.1.17000.7
Product version: 4.18.2004.6
The executable taskhostw.exe is for starting the Windows Services based on DLLs (kinda similar to svchost.exe). Probably some application which uses a service tries to access the protected folders.
 

SeriousHoax

@Gandalf_The_Grey Something puzzles you? You're a wizard! :LOL:
Your punishment for making this comment:
 

Gandalf_The_Grey

The executable taskhostw.exe is for starting the Windows Services based on DLLs (kinda similar to svhost.exe). Probably some application which uses a service tries to access the protected folders.
Okay, thanks, but now I still don't know if I should allow it.
How can I find out more?
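An added example, not from the thread and not part of Hard_Configurator: a PowerShell script that pulls the Controlled Folder Access block (event 1123) and audit (event 1124) records from the Defender operational log, which carry the same fields as the alert text quoted above (user, path, process name), groups them per process, checks the logged target against the configured protected folders, and shows the signer of each binary before any whitelisting decision. It assumes an elevated prompt and that the event's XML data fields are named 'User', 'Path' and 'Process Name'; the Fields column lists the names actually present so that assumption can be checked on any build.

```powershell
# Added example, not part of the thread or of Hard_Configurator.
# Lists Controlled Folder Access events from the last 7 days and summarises
# which process touched which protected path. Run from an elevated prompt.
# Assumption: the Defender event XML names its data fields 'User', 'Path' and
# 'Process Name' (matching the alert text); the Fields column lists whatever
# names are really present so the assumption can be checked.

$log   = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = 1123, 1124   # 1123 = blocked, 1124 = audit mode (would have blocked)
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Host "No CFA events since $since."; return }

$rows = foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audit' }
        User    = $data['User']
        Process = $data['Process Name']
        Target  = $data['Path']
        Fields  = ($data.Keys -join ', ')
    }
}

# 1. Which processes trip CFA, and what each one tried to write to
$rows | Group-Object Process | Sort-Object Count -Descending | ForEach-Object {
    "{0,4} x {1}" -f $_.Count, $_.Name
    $_.Group | Select-Object -ExpandProperty Target -Unique | ForEach-Object { "        -> $_" }
}

# 2. Is the logged target one of the folders you added? (The default profile
#    folders such as Documents are protected regardless and are not listed here.)
$protected = (Get-MpPreference).ControlledFolderAccessProtectedFolders
"`nUser-added protected folders: " + (@($protected) -join '; ')

# 3. Who signed each offending binary? (unsigned or untrusted -> do not whitelist)
$rows | Select-Object -ExpandProperty Process -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
    "{0}`n    status={1} signer={2}" -f $_, $sig.Status, $sig.SignerCertificate.Subject
}

# 4. Whitelist only a specific, trusted binary. An entry for a generic host such
#    as taskhostw.exe would also cover every task it hosts, so it is rarely the fix.
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\HitmanPro\HitmanPro.exe'

# 5. To observe instead of block while tuning: audit mode logs 1124 events only.
# Set-MpPreference -EnableControlledFolderAccess AuditMode
```

Run it right after an alert appears; the grouped output answers "which process, how often, touching what", and the signer line is the quickest way to tell a second-opinion scanner from something that merely lives in Program Files.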
 

simmerskool

There is no protection against ransomware in WD default settings. To get it you have to activate:
  1. ASR rules, WD Network Protection and FirewallHardening rules, which can prevent many ransomware attacks,
  2. Controlled Folder Access, which is strictly anti-ransomware protection. It has to be properly configured, because only the folders added to CFA will be protected.
If you use WD + H_C Recommended Settings on Windows 10 + ConfigureDefender HIGH Protection level + FirewallHardening (Recommended H_C rules), then 0-day malware (including ransomware) and most exploits are prevented from running, so you do not need additional anti-ransomware protection (except backups).

Please note that Hard_Configurator's design is intended to protect computers in the home environment. If the computer is connected to an enterprise network, the H_C settings for SRP can be bypassed by high-privileged worms from the local network. In such attacks, the only protection will come from WD ASR rules, WD Network Protection, and FirewallHardening rules (if Windows Firewall is not turned off by a 3rd party firewall).

EXCELLENT! thanks @Andy Ful , @Gandalf_The_Grey, @security123
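As an added example (not the thread's own code, and not the ConfigureDefender or FirewallHardening ruleset), the layers listed in the quoted post turned on from PowerShell with the built-in cmdlets: a set of ASR rules, Network Protection, outbound firewall blocks for script hosts, and Controlled Folder Access with an explicit folder list. The ASR GUIDs are Microsoft's published rule IDs; which rules, which binaries and which folders to include are this example's own choices and do not reproduce the ConfigureDefender HIGH profile. It defaults to audit mode so the Defender event log can be checked first, and switches to block when run with -Block.

```powershell
# Added example, not the thread's own code and not ConfigureDefender/FirewallHardening.
# Switches on the layers named above. Defaults to audit mode; run with -Block once
# the Defender event log (ASR: 1121/1122, CFA: 1123/1124) shows nothing breaks.
# Rule GUIDs are Microsoft's published ASR IDs; the subset, the blocked binaries
# and the folder list are this example's own choices. Run from an elevated prompt.
param([switch]$Block)

$mode = if ($Block) { 'Enabled' } else { 'AuditMode' }

# 1a. Attack Surface Reduction rules
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBS from launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creation from PsExec and WMI'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted/unsigned processes run from USB'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    "ASR {0,-9} {1}" -f $mode, $asrRules[$id]
}

# 1b. Network Protection (reputation-based blocking of outbound connections for all processes)
Set-MpPreference -EnableNetworkProtection $mode

# 1c. Outbound firewall rules for script hosts and other LOLBins. These are always
#     Block rather than audit: on a home PC these binaries rarely need network access.
foreach ($bin in 'mshta.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe') {
    $name = "Harden: block outbound $bin"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program (Join-Path $env:SystemRoot "System32\$bin") -Profile Any | Out-Null
    }
    "FW  Block     outbound $bin"
}

# 2. Controlled Folder Access: only the default profile folders plus what is
#    added here are protected, so list every data location explicitly.
Set-MpPreference -EnableControlledFolderAccess $mode
foreach ($dir in @("$env:USERPROFILE\Projects", 'D:\Data')) {   # example paths, adjust
    if (Test-Path $dir) { Add-MpPreference -ControlledFolderAccessProtectedFolders $dir }
}

# Verify the resulting state (0 = off, 1 = block, 2 = audit)
$p = Get-MpPreference
[pscustomobject]@{
    CFA                = $p.EnableControlledFolderAccess
    NetworkProtection  = $p.EnableNetworkProtection
    ASRRulesConfigured = @($p.AttackSurfaceReductionRules_Ids).Count
    ProtectedFolders   = @($p.ControlledFolderAccessProtectedFolders) -join '; '
}
```

The audit-first default matters on a machine that is already in use: ASR and CFA in audit mode write the same events they would on a block, so a week of 1122/1124 records tells you which legitimate programs would have been stopped before -Block makes it real. The firewall rules are only effective while Windows Firewall is the active firewall, as the quoted post notes.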
 

Andy Ful

I started a new project based on H_C. It will be named CUP (Casual User Protection).
For now, it looks like:

[image: CUP.png]

From the "Settings" menu the user will be allowed to download the predefined H_C setting profile and display the current settings. It will not be possible to tweak particular settings.
 


oldschool

From the "Settings" menu the user will be allowed to download the predefined H_C setting profile and display the current settings. It will not be possible to tweak particular settings.

Very nice, and user-friendly! Bravo! (y)(y) Combined with RunBySmartscreen you will have a real winner.

I always imagine when you aren't posting on MT you are hard at work in your "shop", like Santa Claus but without the elves! :D
 

paulderdash

I started a new project based on H_C. It will be named CUP (Casual User Protection).
For now, it looks like:

[image: CUP.png]

From the "Settings" menu the user will be allowed to download the predefined H_C setting profile and display the current settings. It will not be possible to tweak particular settings.
Interesting, Andy.

May even just prefer this over H_C on my basic prod setup, as I am after maximum simplicity there.
Obviously Software Restriction Policies = SRP in H_C, but Windows Hardening = Restrictions in H_C? (If so, IMO that term may also be clearer to use in H_C interface button).
Excuse my ignorance, but CUP would not include FirewallHardening or ConfigureDefender, and the latter would be run separately?
 

Andy Ful

CUP is strictly related to H_C. In fact, it is H_C with simplified GUI.

[image: CUP1.png]


I think that ConfigureDefender and FirewallHardening will not be included. One can use the standalone versions available on the H_C GitHub website.
 

ForgottenSeer 85179

I think that ConfigureDefender and FirewallHardening will not be included. One can use the standalone versions available on the H_C GitHub website.
So what is your plan for the future?

Still building ConfigureDefender, FirewallHardening and Hard_Configurator besides CUP? Or move Hard_Configurator fully into CUP?

I like Hard_Configurator as the control center for all 3 tools, so I hope that will not change with CUP. Maybe an advanced option would fit that.
 

Andy Ful

So what is your plan for the future?

Still building ConfigureDefender, FirewallHardening and Hard_Configurator besides CUP? Or move Hard_Configurator fully into CUP?

I like Hard_Configurator as the control center for all 3 tools, so I hope that will not change with CUP. Maybe an advanced option would fit that.
CUP contains all the H_C code, but uses a simple GUI. H_C is for advanced users. It is very flexible and allows adjusting many particular options. But, for many users, it is too complex and overwhelming. Most of them want to apply a well-proven setting profile, without going into details; CUP is just for them. Furthermore, with CUP the user cannot spoil the settings by changing some options.
 

cryogent

Hi Andy Ful, I have one question. I saw that the version of FirewallHardening in H_C beta 5.1.1.1 is 1.0.1.1 and the one on GitHub is 1.1.1.1; can the old executable be replaced with the new one directly in the folder where H_C is installed? Is there any reason for incompatibility?
Same question for DocumentsAntiExploit.
 
