Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Ok, just downloaded the v5.1.1.1. Didn't touch any settings except enabling 'HIGH' in WD

I noticed there are 2 icons on my tablet. One is the H_C and the other is the Switch Default Deny.

What is the latter button for? If I press it what will happen? Press once means switch to Default Deny? Press again will revert its action?

Thanks
If you run it, then you have the ability to switch OFF/ON default deny SRP restrictions (without opening H_C).

Please read the info about SwitchDefaultDeny from the H_C manual (run H_C and use <General Help><Documentation>, choose the PDF document "Hard_Configurator - Manual").
You can also run SwitchDefaultDeny and read the help (<Menu><Help>).(y)

You can probably get some other useful information by looking at the help files about the options that are mysterious to you.:)(y)
Please let me know when something in the help is hard to understand.
 

Reldel1

Level 2
Verified
Jun 12, 2017
50
I updated from 5.1.1.1 beta to 5.1.1.1 stable by doing a clean install of H-C, (within H_C GUI reset everything to default>restart>uninstalled H_C from within GUI>restart). Before installing 5.1.1.1 I noted that the Documents Anti-Exploit Icon remained on my desktop. I was curious, I thought it had previously installed during H_C installations but obviously my memory was wrong because it remained without H_C installed. After checking Windows 10 (2004) All Settings>APPs uninstall and Control Panel uninstall I found neither lists Documents Anti-Exploit and thus it cannot be uninstalled by normal means. Furthermore, while the Documents Anti-Exploit Icon shows on my desktop it does not show in the start menu.

So, what is the method to use to uninstall Documents Anti-Exploit if I want to do so?

Install of 5.1.1.1 stable went as expected, all good.
 

Andy Ful

...
So, what is the method to use to uninstall Documents Anti-Exploit if I want to do so?
...
Thanks. You can delete it from the desktop.(y)

This tool cannot be well integrated with H_C because it is not system-wide. When one uninstalls H_C, the settings made by the DocumentsAntiExploit tool are not removed, so this tool is copied to the Desktop to be available for the user. But, in ver. 5.1.1.1, I added execution limitations for H_C executables that prevent running them in UserSpace, so this tool cannot be run from the Desktop anymore (one has to use the standalone version). :(
I will correct this in the next version.

Post edited.
 

Andy Ful

Andy,

This link shows a 404 error.
Yes, I edited my post. The event you have reported is normal, but the DocumentsAntiExploit tool will not run from the Desktop (a thing to correct in the next version). The reason for copying to the desktop is noted in the manual and in the help:

DocumentsAntiExploit.png


You can run the DocumentsAntiExploit tool via SwitchDefaultDeny.
 

Andy Ful

Actually, a standalone DocumentsAntiExploit tool is available (independent of the H_C). So, I think that I can remove the imperfect integration of the DocumentsAntiExploit tool from the H_C's SwitchDefaultDeny. In such a case, the H_C installer + standalone DocumentsAntiExploit tool can be put into one ZIP archive and the user can use them separately.
The DocumentsAntiExploit tool may be skipped when the user:
  • does not use MS Office and Adobe Acrobat Reader XI/DC,
  • uses H_C and WD with ASR rules for Office Applications and Adobe Reader (like in ConfigureDefender HIGH protection Level).
It is worth remembering that applying the restrictions via the DocumentsAntiExploit tool on several user accounts requires launching/configuring it on all these accounts. The same is necessary when removing the restrictions from several user accounts.
 

Reldel1

Actually, a standalone DocumentsAntiExploit tool is available (independent of the H_C). So, I think that I can remove the imperfect integration of the DocumentsAntiExploit tool from the H_C's SwitchDefaultDeny. In such a case, the H_C installer + standalone DocumentsAntiExploit tool can be put into one ZIP archive and the user can use them separately.
The DocumentsAntiExploit tool may be skipped when the user:
  • does not use MS Office and Adobe Acrobat Reader XI/DC,
  • uses H_C and WD with ASR rules for Office Applications and Adobe Reader (like in ConfigureDefender HIGH protection Level).
It is worth remembering that applying the restrictions via the DocumentsAntiExploit tool on several user accounts requires launching/configuring it on all these accounts. The same is necessary when removing the restrictions from several user accounts.
Got it. You are always thinking, that's what makes your product great.
 

Andy Ful

Hard_Configurator ver. 5.1.1.2 (stable version)

The update can be done via the <Update> option from the H_C. The displayed version in the H_C window is still 5.1.1.1 because this executable did not change.
Only the DocumentsAntiExploit tool was replaced by the standalone version; the rest of the executables are identical to those in version 5.1.1.1.

The separation of DocumentsAntiExploit from H_C will be done in ver. beta 6.0.0.0.
 

Andy Ful

Installed first 5.1.1.1, then 5.1.1.2 over the top via the user interface. No problems to report so far. Many thanks for this software, it's a part of my core security. :cool:

PS: there is no mention of H_C's installation in Event Viewer, this is OK, Andy Ful?
Yes. The H_C is semi-portable. You can copy/paste the H_C folder to another computer with the same Windows bitness (64-bit or 32-bit). The only requirement is that the path has to be "%WinDir%\Hard_Configurator". Furthermore, the H_C is intentionally hidden to avoid uninstallation by casual users, children, etc. (when their computers are configured by advanced users).
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,792
Hard_Configurator ver. 5.1.1.1 (stable version)

I just tried the link 21jun 0601 UTC and it was 404?

EDIT update, the link to 5.1.1.2 works, and downloaded ok, but not installed yet. THANKS!!
 

Reldel1

Hard_Configurator ver. 5.1.1.2 (stable version)

The update can be done via the <Update> option from the H_C. The displayed version in the H_C window is still 5.1.1.1 because this executable did not change.
Only the DocumentsAntiExploit tool was replaced by the standalone version; the rest of the executables are identical to those in version 5.1.1.1.

The separation of DocumentsAntiExploit from H_C will be done in ver. beta 6.0.0.0.

Andy

After using the prescribed update button within the GUI and updating from 5.1.1.1 to 5.1.1.2, if I return to the GUI and use the update button again, H_C will again appear to download the 5.1.1.2 version. This pattern can be repeatedly reproduced.
 

Andy Ful

ver. 5.1.1.2 installed, thanks Andy. You are a ⭐.

Edit: Question - just out of interest, how would MBAM Premium run alongside H_C (with WD). Would it add value?
Anyone using this combo?
Just looking at this old post, which piqued my interest: Is Malwarebytes 3 Considered An AV? - Anti-Virus, Anti-Malware, and Privacy Software
I do not think that MBAM Premium protection for MZ files (like EXE, CPL, SYS, DLL, SCR, OCX, etc.) adds something important to the WD protection with ConfigureDefender HIGH preset.
Anyway, the MBAM anti-exploit protection can be useful if one uses a vulnerable (not patched) system/software. In such a case, MBAM Premium is probably easier for many people than applying Windows 10 Exploit Protection for the concrete applications.
 

Andy Ful

Andy

After using the prescribed update button within the GUI and updating from 5.1.1.1 to 5.1.1.2, if I return to the GUI and use the update button again, H_C will again appear to download the 5.1.1.2 version. This pattern can be repeatedly reproduced.
Yes, this is normal behavior because the main H_C executable is the same as in the ver. 5.1.1.1 (only DocumentsAntiExploit tool was replaced with a standalone version). This will be stopped tomorrow when I replace the main H_C executable in the installer with a new one (ver. 5.1.1.2 will be displayed in the H_C window). It takes some time because any new executable has to be whitelisted by AV vendors.

For the H_C users, there is no need to update until July because nothing new will be added to H_C. The small corrections are not related to H_C protection and features when H_C is installed.

The correction from 5.1.1.1 to 5.1.1.2 can be important when someone uninstalled the H_C improperly (and did not install a new version) and forgot to remove the settings related to the DocumentsAntiExploit tool (made via SwitchDefaultDeny). (y)
 

Andy Ful

Interesting ransomware was tested on MH:
This example shows two things:
  1. Even the AV with ATP cannot detect all scripting attacks.
  2. There is a big difference between malware tests and real-world tests.
The first point is evident from the Malware Hub results. So, the best method is still blocking scripts in UserSpace.

The second point follows from the fact that in a real-world attack, the attacker will not use a PowerShell script as the initial infection vector due to the PowerShell Execution Policy. So, an MS Office document, shortcut, or another infection vector will be used to run the PowerShell script and bypass the PowerShell Execution Policy. In most cases, a phishing link will also be used. This will change the detection significantly for all AVs with ATP. For example, the WD ASR rules will block such attacks performed via exploiting MS Office or Adobe Reader applications.(y)
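
Added example (not part of the original posts and not code from Hard_Configurator or ConfigureDefender): a read-only PowerShell check that reports whether the Defender ASR rules covering MS Office and Adobe Reader, as discussed in the posts above, are in Block mode on the local machine. The choice of rules to list and the helper name `Get-AsrRuleState` are assumptions of this example; an elevated prompt is assumed.

```powershell
# Added example: report the state of Defender ASR rules for Office / Adobe Reader.
# Read-only. The GUIDs are the ones Microsoft documents for these rules;
# which rules to list is this example's choice, not a ConfigureDefender preset.
$officeReaderRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

# Meaning of the values stored in AttackSurfaceReductionRules_Actions.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {   # hypothetical helper name
    param(
        [string[]]$Ids,                          # configured rule GUIDs (may be $null)
        [int[]]$Actions,                         # action per GUID, same order as $Ids
        [System.Collections.IDictionary]$Rules   # GUID -> description to report on
    )
    # Index the configured rules by upper-cased GUID so the lookup is case-insensitive.
    $configured = @{}
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        $configured[$Ids[$i].ToUpperInvariant()] = $Actions[$i]
    }
    foreach ($id in $Rules.Keys) {
        $state = 'Not configured'
        if ($configured.ContainsKey($id)) {
            $value = [int]$configured[$id]
            $state = if ($actionNames.ContainsKey($value)) { $actionNames[$value] } else { "Unknown ($value)" }
        }
        [pscustomobject]@{
            Rule   = $Rules[$id]
            Id     = $id
            State  = $state
            Blocks = ($state -eq 'Block')   # Audit and Warn do not stop the action outright
        }
    }
}

$pref = Get-MpPreference
Get-AsrRuleState -Ids $pref.AttackSurfaceReductionRules_Ids `
                 -Actions $pref.AttackSurfaceReductionRules_Actions `
                 -Rules $officeReaderRules |
    Format-Table -AutoSize -Wrap
```

ASR rules are machine-wide Defender settings, so this check does not need to be repeated per user account, unlike the per-account DocumentsAntiExploit restrictions described earlier in the thread.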
 
