Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

...
All my internal drives are formatted with NTFS.
...

It would be very helpful if you could run msinfo32.exe, and look at the Components - Storage - Media Type, for your secondary hard disk. I Wonder if the Media Type is 'Fixed hard disk' or 'Removable media'. If it would be 'Removable media', then I could build in Hard_Configurator some security check.

 

[shmu26]

The options on the recommended restrictions side, if selected, will apply to all users?

 

[Andy Ful]

The options on the recommended restrictions side, if selected, will apply to all users?

Yes.
There is a possibility to make some restrictions for the concrete user, but then they could be changed by malware as standard user, which is not a good idea.

 

[AlainS]

It would be very helpful if you could run msinfo32.exe, and look at the Components - Storage - Media Type, for your secondary hard disk. I Wonder if the Media Type is 'Fixed hard disk' or 'Removable media'. If it would be 'Removable media', then I could build in Hard_Configurator some security check.

I checked just now. They are all "Fixed hard disk". There was clearly a mix up between fixed and removable.

Maybe you could just remove the "No Removable Disks Exec." from the "Recommend Restrictions"? All the other settings are really safe and easy to revert if needed.

 

[Andy Ful]

I checked just now. They are all "Fixed hard disk". There was clearly a mix up between fixed and removable.

Maybe you could just remove the "No Removable Disks Exec." from the "Recommend Restrictions"? All the other settings are really safe and easy to revert if needed.

Thanks for your help and support. I decided to remove <No Removable Disks Exec> option in the next Hard_Configurator version:
1. This Windows feature can cause very unpleasant side effects, when Windows OS recognizes fixed hard disk as removable (especially when it is a system disk).
2. <Recommended SRP> option also blocks execution from removable media via default deny SRP.
3. Even without active SRP, Windows OS (from Vista + SP2) disables AutoRun feature, so the danger of malware infection via autorun.inf commans is very low. Users can still be infected, when pressing the optical drive icon (when using an infected optical disc), but not when pressing the icon of pendrive or USB disk.

 

[Andy Ful]

Defender on Windows 10 is still evolving. I noticed recently, that the previous version (3.0.0.1 for Windows 32-bit) of Hard_Configurator installer is flagged now as the malware file:

Hard_Configurator_setup(x86)_3.0.0.1.exe-->(inno#000000)
file:c:\Windows\Hard_Configurator\is-L8O5K.tmp

It looks like Defender AI detects one of temporary files made by Inno Setup free installer, as malicious (Trojan:Win32/Spursint.F!cl).
Similarly, Defender AI detects as a trojan Crystal Security 3.7.0.14 (also the false positive).
This is Defender AI detection, because signature detection on Virustotal is clean.
I uploaded again Hard_Configurator_3.0.0.1.zip to Microsoft as a false positive.

The link to the actual correct detection of all Hard_Configurator installers (Emsisoft):
What is this exe file? Is this file safe? Check here

 

[Andy Ful]

Thanks to @askalan, Windows Built-in security with Hard_Configurator settings was tested against Locky Variant #ykcol ransomware.
As @askalan wrote "10008001353.vbs (undetected threat) was blocked by Hard_Configurator", so I would like to put some comments here.
In the 'Recommended Settings' Windows Script Host is disabled, so the execution of VBS, JS, VBE, JSE, WSF, and WSH scripts is blocked by Windows.
The words: "blocked by Hard_Configurator" should be understood as a useful shortcut, with the meaning :
"blocked by Windows built-in security configured by Hard_Configurator" (this comment is for Microsoft guys).

 

[Andy Ful]

After I submitted the false positives to Microsoft (a week ago), from a few days, the installer executables: Hard_Configurator_setup(x86)_3.0.0.1.exe and Hard_Configurator_setup(x64)_3.0.0.1.exe, have finally the clean Windows Defender detection. As a bonus, Microsoft added both to SmartScreen accepted files.
But, the ZIP archive that contains the above installers is still considered by SmartScreen as dangerous ????
When I look to false positive file submission, all files related to those installers are clean, but the analysis is not finished, yet.

 

[509322]

But, the ZIP archive that contains the above installers is still considered by SmartScreen as dangerous ????
When I look to false positive file submission, all files related to those installers are clean, but the analysis is not finished, yet.

Immediately after the most recent cumulative update on Win 10, I observed Windows Defender devouring safe files with valid certificates and quarantining registry keys. It looks like it has issues with virtualized protected code. 4 days later the behavior disappeared.

I have found that reports to Microsoft have about a 50:50 chance of being resolved - requiring multiple submissions to ensure a fix.

 

[Andy Ful]

Some additional notes about malware testing on Windows 8+ (Windows built-in security).
Hard_Configurator in the Recommended Settings (<Recommended SRP> + <Recommended Restrictions>) allows to run files in two modes:
1. 'Default Deny' mode
2. 'Install' mode
The first mode is invoked for files which are run by the User, when left clicking or pressing the Enter key.
The second mode is for bypassing the first mode by the User, when right clicking and choosing "Run As SmartScreen" from Explorer context menu. The second mode runs only EXE and MSI files - they are obligatory checked by SmartScreen Application Reputation, and if not blocked, they are run with Administrative Rights.

So, how can this security work for the common malware samples: *.exe, *.scr, *.com, *.doc, *.doc.exe, *.pdf.exe, *.pdf, *.vbs, *.js, *.ps1 ?

'Default Deny' mode.

• The files: *.exe, *.scr, *.com, *.doc.exe, *.pdf.exe, *.vbs, *.js, *.ps1 - will always be blocked.
• The files: *.doc, *.pdf - will always be allowed
• If *.doc, *.pdf files have embedded scripts or are going to use *.vbs, *.js, *.ps1 scripts - they will be blocked.
• PowerShell scripts ran filelessly from the remote servers will also be blocked (Constrained Language).
• If *.doc, *.pdf files have embedded scripts which try to load from the Internet and run from the disk the malicious *.exe, *.scr, *.com, *.doc.exe, *.pdf.exe, *.vbs, *.js, *.ps1 files - they also will be blocked.
• If *.doc, *.pdf files have embedded scripts which try to activate remote access - they will be blocked.
• If *.doc, *.pdf files have embedded malicious Internet links, then they will be allowed, except if the User has something like Adguard DNS that can block many of them.

Anyway, there are some other, ways to attack the system, so generally is recommended to use sandboxed applications which opens documents, photos, media files, or related to Internet.

'Install' mode.
In this mode, the User applies "Run As SmartScreen", so all files are blocked except MSI or EXE, which passed SmartScreen check. This mode is 'user dependent', if the user has the ability to bypass SmartScreen.
In this mode the files with a double extension (like *.doc.exe, *.pdf.exe) shoud not be tested, because they are prepared to fool the users, when left clicking or pressing the Enter key (covered by 'Default Deny' mode).
If allowed executables are going to use *.vbs, *.js, *.ps1 scripts or activate the remote access - they will be mostly blocked.
'Mostly blocked' means, that the malware additionally has to change some registry values to unblock the above actions.

 

[AlanOstaszewski]

@Andy Ful I'm now creating my third report. "blocked by Windows built-in security configured by Hard_Configurator" I added now to my next report! Thanks! I also tested now with the "install" mode. Smartscreen blocked all samples! WOW!
I have one question to you: I done a right click scan and Defender detected two samples but in the samples folder were 4 samples deleted. That means that the Defender Cloud was automatically activated. How I should describe this in my test? I didn't became a dialog about this so I couldn't screenshot this.

 

[Andy Ful]

Thanks for testing.
The samples detected by the cloud, can be viewed using the scanning history from Windows Defender Security Center.

 

[Av Gurus]

@Andy Ful I'm now creating my third report. "blocked by Windows built-in security configured by Hard_Configurator" I added now to my next report! Thanks! I also tested now with the "install" mode. Smartscreen blocked all samples! WOW!
I have one question to you: I done a right click scan and Defender detected two samples but in the samples folder were 4 samples deleted. That means that the Defender Cloud was automatically activated. How I should describe this in my test? I didn't became a dialog about this so I couldn't screenshot this.

Any link to that report/test?

I found it:
https://malwaretips.com/threads/22-9-17-10.75622/#post-673560

 

[Andy Ful]

Microsoft seems to forget correcting the SmartScreen false positive related to the older version Hard_Configurator_3.0.0.1.zip, but thankfully added to Defender and SmartSreen, the signatures of installers: Hard_Configurator_setup(x86)_3.0.0.1.exe and Hard_Configurator_setup(x86)_3.0.0.1.exe . So, I took a simple solution, and replaced the ZIP file on the GitHub with the above two EXE files.
Hard_Configurator/Hard_Configurator_setup(x64)_3.0.0.1.exe at master · AndyFul/Hard_Configurator · GitHub
Hard_Configurator/Hard_Configurator_setup(x86)_3.0.0.1.exe at master · AndyFul/Hard_Configurator · GitHub

The beta version 3.0.1.0 is still available here:
Hard_Configurator---old-versions/Hard_Configurator_setup(x64)_beta_3.0.1.0.exe at master · AndyFul/Hard_Configurator---old-versions · GitHub
Hard_Configurator---old-versions/Hard_Configurator_setup(x86)_beta_3.0.1.0.exe at master · AndyFul/Hard_Configurator---old-versions · GitHub

Both 3.0.0.1 and beta 3.0.1.0 versions are accepted by Defender and SmartScreen.
The new version 3.1.0.0 will be uploaded in the next month. I would like to test it on Windows 10 Fall Creators Update.

 

[Deleted member 65228]

I really like this software because it makes it quick for the user to perform the tweaks. Really good work!!

 

[AlanOstaszewski]

@Andy Ful What new features will have the new version comming next month? ^^

 

[Andy Ful]

The first file from Malware Samples 22-9-23 #2 is a keygen for Atlantis Word Processor (first submitted to Virustotal 2016-05-01).
The second file from Malware Samples 22-9-23 #2 is a crack of the registration executable for Machine Translation Systems of PROMT company (first submitted to Virustotal 2010-07-04).
Both samples are known and used for a long time, so gained a sufficient reputation to pass the SmartScreen.

 

[AlanOstaszewski]

The first file from Malware Samples 22-9-23 #2 is a keygen for Atlantis Word Processor (first submitted to Virustotal 2016-05-01).
The second file from Malware Samples 22-9-23 #2 is a crack of the registration executable for Machine Translation Systems of PROMT company (first submitted to Virustotal 2010-07-04).
Both samples are known and used for a long time, so gained a sufficient reputation to pass the SmartScreen.

Not this topic?

 

[Sunshine-boy]

@Andy Ful
Can I use this tool on windows 10 pro version?or it doesn't work on pro?

 

[Andy Ful]

@Andy Ful What new features will have the new version comming next month? ^^

Nothing special from the security side, as compared to beta 3.0.1.0
Here are the details (for now):

Version 3.1.0.0

1. Blocked external utilities (Nirsoft FullEventLogView, Sysinternals Autoruns, 7-Zip) as standard user, in '%SystemRoot%\Hard_Configurator' folder.
2. Hard_Configurator will not use NirSoft nircmdc.exe .
3. Added <Disable Cached Logons> and <UAC CTRL_ALT_DEL> buttons to harden credentials protection outside the home network.
4. Added backup management for Profile Base (whitelist profiles and setting profiles can be 'exported to'/'imported from' one compressed file).
5. Removed the option <No Removable Disks Exec.>.
6. Corrected the bug related to Maximum Shadow Copy Storage space in Windows Vista.
7. Corrected the <Disable SMB> displaying '?' when SMB 1.0 is not installed (as in Windows 10 Fall Creators Update).