Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
...
All my internal drives are formatted with NTFS.
...
It would be very helpful if you could run msinfo32.exe and look at Components - Storage - Media Type for your secondary hard disk. I wonder whether the Media Type is 'Fixed hard disk' or 'Removable media'. If it is 'Removable media', then I could build some security check into Hard_Configurator.
 

Andy Ful

The options on the recommended restrictions side, if selected, will apply to all users?
Yes. :)
There is a possibility to make some restrictions for a specific user, but then they could be changed by malware running as a standard user, which is not a good idea.
 

AlainS

Level 1
Aug 26, 2017
3
It would be very helpful if you could run msinfo32.exe and look at Components - Storage - Media Type for your secondary hard disk. I wonder whether the Media Type is 'Fixed hard disk' or 'Removable media'. If it is 'Removable media', then I could build some security check into Hard_Configurator.

I checked just now. They are all "Fixed hard disk". There was clearly a mix-up between fixed and removable.

Maybe you could just remove the "No Removable Disks Exec." from the "Recommended Restrictions"? All the other settings are really safe and easy to revert if needed.
 

Andy Ful

I checked just now. They are all "Fixed hard disk". There was clearly a mix-up between fixed and removable.

Maybe you could just remove the "No Removable Disks Exec." from the "Recommended Restrictions"? All the other settings are really safe and easy to revert if needed.

Thanks for your help and support. I decided to remove the <No Removable Disks Exec> option in the next Hard_Configurator version:
1. This Windows feature can cause very unpleasant side effects when Windows recognizes a fixed hard disk as removable (especially when it is the system disk).
2. The <Recommended SRP> option also blocks execution from removable media via default-deny SRP.
3. Even without active SRP, Windows (from Vista + SP2) disables the AutoRun feature, so the danger of malware infection via autorun.inf commands is very low. Users can still be infected when clicking the optical drive icon (when using an infected optical disc), but not when clicking the icon of a pendrive or USB disk.
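
The msinfo32 check requested earlier in the thread, and the side effect behind point 1, can be scripted. The block below is an added example and not Hard_Configurator's own code: it lists each physical disk with the Media Type string Windows reports, the drive letters it carries, whether the system volume sits on it, and whether the 'Removable Disks: Deny execute access' policy (the Deny_Execute value under the RemovableStorageDevices policy key) is active. That this policy value is the "Windows feature" the removed option relied on is an assumption here; the post does not name it. The function and variable names are this example's own. PowerShell, read-only, run from an elevated prompt.

```powershell
# Added example, not Hard_Configurator code. Read-only; run from an elevated PowerShell prompt.
# Assumes Windows 8+ with the standard CIM storage classes, and (assumption) that the
# 'Removable Disks: Deny execute access' policy is the Windows feature the removed option used.

# Device-class GUID Windows uses for 'Removable Disks' under the Removable Storage Access policies.
$RemovableDisksPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-DiskMediaReport {
    # One object per physical disk: the MediaType string the disk driver reports (the value
    # msinfo32 shows under Components > Storage > Disks, e.g. 'Fixed hard disk media',
    # 'Removable Media', 'External hard disk media'), the volumes carried on it, and whether
    # the system volume is among them.
    foreach ($disk in Get-CimInstance -ClassName Win32_DiskDrive) {
        # disk -> partition -> logical disk, via the association classes, to get drive letters
        $letters = @(
            Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
                ForEach-Object { Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk } |
                ForEach-Object { $_.DeviceID }
        )
        [pscustomobject]@{
            Model        = $disk.Model
            Interface    = $disk.InterfaceType
            MediaType    = $disk.MediaType
            Volumes      = ($letters -join ', ')
            IsFixedMedia = ($disk.MediaType -like 'Fixed*')
            HostsSystem  = ($letters -contains $env:SystemDrive)
        }
    }
}

function Get-RemovableExecDenyState {
    # Deny_Execute = 1 denies execute access on every disk Windows classifies as removable,
    # including a fixed disk whose driver happens to report it as removable media.
    $present = Test-Path -Path $RemovableDisksPolicyKey
    $value = if ($present) { (Get-ItemProperty -Path $RemovableDisksPolicyKey).Deny_Execute } else { $null }
    [pscustomobject]@{
        PolicyKeyPresent = $present
        DenyExecute      = ($value -eq 1)
    }
}

function Test-RemovableExecDenySafe {
    # Safe = $false when the policy is on and a disk that is not reported as fixed media
    # carries any volume; SystemDriveAtRisk singles out the worst case described in the post.
    $disks  = Get-DiskMediaReport
    $policy = Get-RemovableExecDenyState
    $nonFixed = @($disks | Where-Object { -not $_.IsFixedMedia -and $_.Volumes })
    [pscustomobject]@{
        DenyExecuteEnabled       = $policy.DenyExecute
        NonFixedDisksWithVolumes = (($nonFixed | ForEach-Object { "$($_.Model) [$($_.Volumes)]" }) -join '; ')
        SystemDriveAtRisk        = [bool]($nonFixed | Where-Object { $_.HostsSystem })
        Safe                     = -not ($policy.DenyExecute -and $nonFixed.Count -gt 0)
    }
}

Get-DiskMediaReport | Format-Table -AutoSize
Test-RemovableExecDenySafe | Format-List
```

Only the machine-wide (HKLM) policy key is checked; the same policy can also be applied per user under HKCU, so a clean result here does not rule out a user-level Group Policy setting.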
 

Andy Ful

Defender on Windows 10 is still evolving. I noticed recently that the previous version (3.0.0.1 for Windows 32-bit) of the Hard_Configurator installer is now flagged as a malware file:

Hard_Configurator_setup(x86)_3.0.0.1.exe-->(inno#000000)
file:c:\Windows\Hard_Configurator\is-L8O5K.tmp

It looks like Defender AI detects one of the temporary files made by the free Inno Setup installer as malicious (Trojan:Win32/Spursint.F!cl).
Similarly, Defender AI detects Crystal Security 3.7.0.14 as a trojan (also a false positive).
This is Defender AI detection, because signature detection on Virustotal is clean.
I uploaded again Hard_Configurator_3.0.0.1.zip to Microsoft as a false positive.

The link to the actual correct detection of all Hard_Configurator installers (Emsisoft):
What is this exe file? Is this file safe? Check here
 

Andy Ful

Thanks to @askalan, Windows Built-in security with Hard_Configurator settings was tested against Locky Variant #ykcol ransomware.
As @askalan wrote "10008001353.vbs (undetected threat) was blocked by Hard_Configurator", so I would like to put some comments here.
In the 'Recommended Settings' Windows Script Host is disabled, so the execution of VBS, JS, VBE, JSE, WSF, and WSH scripts is blocked by Windows.
The words: "blocked by Hard_Configurator" should be understood as a useful shortcut, with the meaning :
"blocked by Windows built-in security configured by Hard_Configurator" (this comment is for Microsoft guys).:)
 

Andy Ful

After I submitted the false positives to Microsoft (a week ago), for a few days now the installer executables Hard_Configurator_setup(x86)_3.0.0.1.exe and Hard_Configurator_setup(x64)_3.0.0.1.exe have finally had a clean Windows Defender detection. As a bonus, Microsoft added both to the SmartScreen accepted files.:)
But the ZIP archive that contains the above installers is still considered dangerous by SmartScreen :sick:
When I look to false positive file submission, all files related to those installers are clean, but the analysis is not finished, yet.
 

509322

But the ZIP archive that contains the above installers is still considered dangerous by SmartScreen :sick:
When I look to false positive file submission, all files related to those installers are clean, but the analysis is not finished, yet.

Immediately after the most recent cumulative update on Win 10, I observed Windows Defender devouring safe files with valid certificates and quarantining registry keys. It looks like it has issues with virtualized protected code. 4 days later the behavior disappeared.

I have found that reports to Microsoft have about a 50:50 chance of being resolved - requiring multiple submissions to ensure a fix.
 

Andy Ful

Some additional notes about malware testing on Windows 8+ (Windows built-in security).
Hard_Configurator in the Recommended Settings (<Recommended SRP> + <Recommended Restrictions>) allows files to run in two modes:
1. 'Default Deny' mode
2. 'Install' mode
The first mode is invoked for files which are run by the User, when left clicking or pressing the Enter key.
The second mode is for bypassing the first mode by the User, when right-clicking and choosing "Run As SmartScreen" from the Explorer context menu. The second mode runs only EXE and MSI files - they are always checked by SmartScreen Application Reputation, and if not blocked, they are run with Administrative Rights.

So, how can this security work for the common malware samples: *.exe, *.scr, *.com, *.doc, *.doc.exe, *.pdf.exe, *.pdf, *.vbs, *.js, *.ps1 ?

'Default Deny' mode.
  • The files: *.exe, *.scr, *.com, *.doc.exe, *.pdf.exe, *.vbs, *.js, *.ps1 - will always be blocked.
  • The files: *.doc, *.pdf - will always be allowed
  • If *.doc, *.pdf files have embedded scripts or are going to use *.vbs, *.js, *.ps1 scripts - they will be blocked.
  • PowerShell scripts run filelessly from remote servers will also be blocked (Constrained Language).
  • If *.doc, *.pdf files have embedded scripts which try to load from the Internet and run from the disk the malicious *.exe, *.scr, *.com, *.doc.exe, *.pdf.exe, *.vbs, *.js, *.ps1 files - they also will be blocked.
  • If *.doc, *.pdf files have embedded scripts which try to activate remote access - they will be blocked.
  • If *.doc, *.pdf files have embedded malicious Internet links, then they will be allowed, except if the User has something like Adguard DNS that can block many of them.
Anyway, there are some other ways to attack the system, so generally it is recommended to use sandboxed applications for opening documents, photos, media files, or Internet-related content.

'Install' mode.
In this mode, the User applies "Run As SmartScreen", so all files are blocked except MSI or EXE, which passed SmartScreen check. This mode is 'user dependent', if the user has the ability to bypass SmartScreen.
In this mode the files with a double extension (like *.doc.exe, *.pdf.exe) should not be tested, because they are prepared to fool the users when left-clicking or pressing the Enter key (covered by 'Default Deny' mode).
If allowed executables are going to use *.vbs, *.js, *.ps1 scripts or activate the remote access - they will be mostly blocked.
'Mostly blocked' means, that the malware additionally has to change some registry values to unblock the above actions.
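
The controls behind the 'Default Deny' bullets above (SRP default level and scope, Windows Script Host disabled as mentioned in the Locky post earlier in the thread, PowerShell Constrained Language) can be read back from the registry to confirm that a test machine is actually in the state described before samples are run against it. The block below is an added example and not Hard_Configurator's own code. It assumes SRP is configured through the Safer\CodeIdentifiers policy key and that a machine-wide __PSLockdownPolicy environment variable is what forces Constrained Language Mode (one known way to do it; the thread does not say which mechanism the tool uses). It also shows concretely why the earlier reply preferred machine-wide over per-user restrictions: the HKCU copy of the WSH setting is writable by the user. Function and variable names are this example's own.

```powershell
# Added example, not Hard_Configurator code. Read-only; run from an elevated PowerShell prompt.
# Assumptions: Windows 8+; SRP configured through the Safer\CodeIdentifiers policy key;
# __PSLockdownPolicy = 4 (system environment variable) as the mechanism forcing Constrained
# Language Mode, one known way to do it, not necessarily the one the tool uses.

$SaferKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$WshMachineKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'  # changing it needs admin rights
$WshUserKey    = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'  # writable by the user, hence by malware running as that user
$SysEnvKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-SrpState {
    # DefaultLevel: 0 = Disallowed (default deny), 0x20000 = Basic User, 0x40000 = Unrestricted.
    # PolicyScope:  0 = all users, 1 = all users except local administrators.
    # TransparentEnabled: 1 = check everything except DLLs, 2 = check DLLs too.
    # ExecutableTypes: REG_MULTI_SZ of the extensions SRP treats as executable (designated file types).
    if (-not (Test-Path -Path $SaferKey)) {
        return [pscustomobject]@{ Configured = $false; DefaultDeny = $false; AppliesToAdmins = $false; ChecksDlls = $false; ExecutableTypes = @() }
    }
    $v = Get-ItemProperty -Path $SaferKey
    [pscustomobject]@{
        Configured      = $true
        DefaultDeny     = ($v.DefaultLevel -eq 0)
        AppliesToAdmins = ($v.PolicyScope -eq 0)
        ChecksDlls      = ($v.TransparentEnabled -eq 2)
        ExecutableTypes = @($v.ExecutableTypes)
    }
}

function Get-WshState {
    # Enabled = 0 stops wscript.exe/cscript.exe, i.e. .vbs/.vbe/.js/.jse/.wsf/.wsh files.
    # Only the HKLM value is out of a standard user's reach; the HKCU one can be flipped back
    # by anything running in that user's context, which is why per-user restrictions are weaker.
    $machine = if (Test-Path -Path $WshMachineKey) { (Get-ItemProperty -Path $WshMachineKey).Enabled } else { $null }
    $user    = if (Test-Path -Path $WshUserKey)    { (Get-ItemProperty -Path $WshUserKey).Enabled }    else { $null }
    [pscustomobject]@{
        MachineEnabledValue = $machine
        UserEnabledValue    = $user
        DisabledMachineWide = ($machine -eq 0)
        DisabledForUserOnly = (($user -eq 0) -and ($machine -ne 0))
    }
}

function Get-PowerShellLockdown {
    # Constrained Language Mode does not stop PowerShell from starting; it removes the .NET and
    # COM surface that fileless download-and-invoke payloads rely on. A machine-wide
    # __PSLockdownPolicy value of 4 forces it for every new PowerShell process.
    $policy = if (Test-Path -Path $SysEnvKey) { (Get-ItemProperty -Path $SysEnvKey).__PSLockdownPolicy } else { $null }
    [pscustomobject]@{
        CurrentSessionMode         = $ExecutionContext.SessionState.LanguageMode.ToString()
        LockdownPolicyVar          = $policy
        ConstrainedForNewProcesses = ("$policy" -eq '4')
    }
}

function Get-ExtensionCoverage {
    # For each sample type the post lists, which of these controls blocks a left-click / Enter launch.
    # An extension absent from SRP's designated file types is never evaluated by SRP path rules,
    # so blocking it has to come from elsewhere; .doc/.pdf are expected to show 'none' (they are
    # allowed, and only what they try to launch afterwards is caught).
    param([string[]] $Extensions = @('exe', 'scr', 'com', 'vbs', 'js', 'ps1', 'doc', 'pdf'))
    $srp = Get-SrpState
    $wsh = Get-WshState
    foreach ($ext in $Extensions) {
        $controls = @()
        if ($srp.DefaultDeny -and ($srp.ExecutableTypes -contains $ext)) { $controls += 'SRP default deny' }
        if ($wsh.DisabledMachineWide -and ($ext -in 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh')) { $controls += 'WSH disabled' }
        [pscustomobject]@{
            Extension     = ".$ext"
            SrpDesignated = ($srp.ExecutableTypes -contains $ext)
            BlockedBy     = if ($controls.Count) { $controls -join ' + ' } else { 'none' }
        }
    }
}

Get-SrpState           | Format-List
Get-WshState           | Format-List
Get-PowerShellLockdown | Format-List
Get-ExtensionCoverage  | Format-Table -AutoSize
```

The script only reads the registry, so it can be run before and after applying the Recommended Settings to diff the state. AppliesToAdmins is worth noting when interpreting 'Install' mode results: with PolicyScope = 1, an elevated process is not subject to SRP at all, which is a separate question from whether SmartScreen allowed the file.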
 

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
@Andy Ful I'm now creating my third report. "blocked by Windows built-in security configured by Hard_Configurator" I have now added to my next report! Thanks! I also tested now with the "install" mode. SmartScreen blocked all samples! WOW!
I have one question for you: I did a right-click scan and Defender detected two samples, but in the samples folder 4 samples were deleted. That means that the Defender Cloud was automatically activated. How should I describe this in my test? I didn't get a dialog about this, so I couldn't screenshot it.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
@Andy Ful I'm now creating my third report. "blocked by Windows built-in security configured by Hard_Configurator" I have now added to my next report! Thanks! I also tested now with the "install" mode. SmartScreen blocked all samples! WOW!
I have one question for you: I did a right-click scan and Defender detected two samples, but in the samples folder 4 samples were deleted. That means that the Defender Cloud was automatically activated. How should I describe this in my test? I didn't get a dialog about this, so I couldn't screenshot it.

Any link to that report/test?

I found it:
https://malwaretips.com/threads/22-9-17-10.75622/#post-673560
 

Andy Ful

Microsoft seems to have forgotten to correct the SmartScreen false positive related to the older version Hard_Configurator_3.0.0.1.zip, but thankfully added to Defender and SmartScreen the signatures of the installers Hard_Configurator_setup(x86)_3.0.0.1.exe and Hard_Configurator_setup(x64)_3.0.0.1.exe. So, I took a simple solution and replaced the ZIP file on GitHub with the above two EXE files.:)
Hard_Configurator/Hard_Configurator_setup(x64)_3.0.0.1.exe at master · AndyFul/Hard_Configurator · GitHub
Hard_Configurator/Hard_Configurator_setup(x86)_3.0.0.1.exe at master · AndyFul/Hard_Configurator · GitHub

The beta version 3.0.1.0 is still available here:
Hard_Configurator---old-versions/Hard_Configurator_setup(x64)_beta_3.0.1.0.exe at master · AndyFul/Hard_Configurator---old-versions · GitHub
Hard_Configurator---old-versions/Hard_Configurator_setup(x86)_beta_3.0.1.0.exe at master · AndyFul/Hard_Configurator---old-versions · GitHub

Both 3.0.0.1 and beta 3.0.1.0 versions are accepted by Defender and SmartScreen.:)
The new version 3.1.0.0 will be uploaded next month. I would like to test it on Windows 10 Fall Creators Update.
 

Andy Ful

The first file from Malware Samples 22-9-23 #2 is a keygen for Atlantis Word Processor (first submitted to Virustotal 2016-05-01).
The second file from Malware Samples 22-9-23 #2 is a crack of the registration executable for Machine Translation Systems of PROMT company (first submitted to Virustotal 2010-07-04).
Both samples are known and used for a long time, so gained a sufficient reputation to pass the SmartScreen.
 

AlanOstaszewski

The first file from Malware Samples 22-9-23 #2 is a keygen for Atlantis Word Processor (first submitted to Virustotal 2016-05-01).
The second file from Malware Samples 22-9-23 #2 is a crack of the registration executable for Machine Translation Systems of PROMT company (first submitted to Virustotal 2010-07-04).
Both samples are known and used for a long time, so gained a sufficient reputation to pass the SmartScreen.
Not this topic? :p
 

Andy Ful

@Andy Ful What new features will the new version coming next month have? ^^
Nothing special from the security side, as compared to beta 3.0.1.0
Here are the details (for now):

Version 3.1.0.0
  1. Blocked external utilities (Nirsoft FullEventLogView, Sysinternals Autoruns, 7-Zip) as standard user, in '%SystemRoot%\Hard_Configurator' folder.
  2. Hard_Configurator will not use NirSoft nircmdc.exe .
  3. Added <Disable Cached Logons> and <UAC CTRL_ALT_DEL> buttons to harden credentials protection outside the home network.
  4. Added backup management for Profile Base (whitelist profiles and setting profiles can be 'exported to'/'imported from' one compressed file).
  5. Removed the option <No Removable Disks Exec.>.
  6. Corrected the bug related to Maximum Shadow Copy Storage space in Windows Vista.
  7. Corrected the <Disable SMB> displaying '?' when SMB 1.0 is not installed (as in Windows 10 Fall Creators Update).
 
