ErzCrz

Level 7
Verified
Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges. But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.

Most programs don't install in user-space but I always check "Advanced options" when installing anything new. You can swap over to the Recommended_Strict configuration profile which won't allow user-space executable to run and therefore you'll need manually whitelist them. I had to do that with Discord in versions prior to 5.x when the change was made to allow those by default. Anyway, I would always check where things are being installed via the installer or switch to the strict profile.

From the manual:
" Updating from previous versions. Because of several important changes in version 5.0.1.0, it is recommended (just after update) to load one of the predefined setting profiles or simply apply first the Recommended Settings and next adjust the restrictions. This will properly activate the new features. The whitelisted entries will not be changed, except adjusting the Unrestricted and Disallowed rules for EXE (TMP) and MSI files.

If the user wants to globally allow EXE (TMP) and MSI files, then the profile "Windows_*_Basic_Recommended_Settings.hdc" can be applied (* denotes the Windows version). This setting profile requires an antivirus with strong proactive protection for EXE and MSI files.

If the user wants to block also EXE (TMP) and MSI files in UserSpace, then the profile "Windows_*_Strict_Recommended_Settings.hdc" can be applied. "
 

mkoundo

Level 3
Verified
Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges. But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.

found in the FAQs:

How to install applications on SUA.
1. Run the application installer by using "Run As SmartScreen" option from the Explorer
right-click context menu.
2. Check the default installation folder.
3. If it is in the Administrator profile, then cancel the installation and continue with Steps
#4-7. If not, then continue with the installation and skip Steps #4-7.
4. Use “Switch Default-Deny“ to turn OFF the protection temporarily.
5. Install the application normally (by left mouse-click or pressing the Enter key).
6. Whitelist the application in the UserSpace.
7. Use “Switch Default-Deny“ to turn ON the protection.
 

security123

Level 26
Verified
Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges. But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.
Best install path for programs is in official programs folder which is protected by UAC.

So if a program doesn't need admin rights, it install in a insecure path like appdata, temp, documents, .. which should be avoided which is done by H_C.
 

Andy Ful

Level 64
Verified
Trusted
Content Creator
Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges.
That was changed in the ver. 5.1.1.2. In the Recommended Settings the Forced Smartscreen (""Install by Smartscreen" right-click entry) works with standard privileges. You can still use Forced Smartscreen with Admin privileges when applying the Strict_Recommended_Settings profile. Please, read the help about <More SRP ...><Update Mode> for more details.

But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.
Solved with <Update Mode> feature introduced in the actual version.:)(y)
 

shmu26

Level 85
Verified
Trusted
Content Creator
That was changed in the ver. 5.1.1.2. In the Recommended Settings the Forced Smartscreen (""Install by Smartscreen" right-click entry) works with standard privileges. You can still use Forced Smartscreen with Admin privileges when applying the Strict_Recommended_Settings profile. Please, read the help about <More SRP ...><Update Mode> for more details.


Solved with <Update Mode> feature introduced in the actual version.:)(y)
Thanks, Andy!
 

Andy Ful

Level 64
Verified
Trusted
Content Creator
found in the FAQs:

How to install applications on SUA.
1. Run the application installer by using "Run As SmartScreen" option from the Explorer
right-click context menu.
2. Check the default installation folder.
3. If it is in the Administrator profile, then cancel the installation and continue with Steps
#4-7. If not, then continue with the installation and skip Steps #4-7.
4. Use “Switch Default-Deny“ to turn OFF the protection temporarily.
5. Install the application normally (by left mouse-click or pressing the Enter key).
6. Whitelist the application in the UserSpace.
7. Use “Switch Default-Deny“ to turn ON the protection.

This fragment is not from the actual manual, but from the older version.(y):)
In the actual version we have:

How to install applications on Windows 8+ with the H_C Recommended
Settings.

Forced SmartScreen feature is available only on Windows 8+.
In the Recommended Settings, the Forced SmartScreen feature is integrated
with <Update Mode> = ON. So, the "Install By SmartScreen" entry in the
right-click Explorer context menu can be used to install applications. This
works well for EXE and MSI standalone installers. When <Update Mode> is
set to ON, the installation process does not force high privileges and the application
always installs in the right user profile.
The "Install By SmartScreen" entry will not work for non-standalone installers,
for example when the installation must be done from CD/DVD drives,
CD/DVD images, archives containing the installation files copied from
CD/DVD, etc. In such cases, the user must disable default-deny protection
temporarily with SwitchDefaultDeny tool, and install the application normally
without using "Install By SmartScreen".

How to install applications on Windows 7 (Vista) with the H_C Recommended
Settings.

1.Use the SwitchDefaultDeny tool to turn OFF the protection temporarily
(SRP rules are automatically refreshed).
2. Install the application normally (by using left mouse-click or pressing the
Enter key).
3.Whitelist the application if it was installed in UserSpace.
4.Use the SwitchDefaultDeny tool again to turn ON the protection (SRP rules
are automatically refreshed).

How to update applications with the H_C Recommended Settings.

On Windows 8+ the applications usually can auto-update without problems.
The manual updates with standalone EXE or MSI installers can be done via
"Install By SmartScreen" entry in the right-click Explorer context menu.
If the Recommended Settings are applied on Windows 7 (Vista), then the
H_C protection should be temporarily turned off to allow software updates.
The user should be very cautious to run only safe executables.

How to update applications with H_C's custom default-deny settings.
1. Use the SwitchDefaultDeny tool to switch OFF the Default Deny Protection
temporarily (SRP rules are automatically refreshed).
2. Install the application normally.
3. Switch ON the Default Deny Protection (SRP rules are automatically refreshed).

:)(y)
 

Andy Ful

Level 64
Verified
Trusted
Content Creator
@Andy Ful

Hard_Configurator needs a notification when the policy is disabled, but the user forgets to re-enable it after X minutes. Maybe even and auto-time out where policy is auto-renabled.
This would require a scheduled task. I was thinking about it but finally decided to implement something similar in SwitchDefaultDeny via the autorun registry key.
As @aldist mentioned, when the protection is switched OFF by SwitchDefaultDeny, then SwitchDefaultDeny starts automatically after reboot (more precisely after each sign in).
 

Gangelo

Level 3
Verified
I am having serious trouble updating Adguard for Windows and I cannot find a solution..

I have set up Hard Configurator to 'Basic Recommended Settings'.
Today, I saw Adguard notifying that there is a new update. I initiated the update but ASR blocked it as follows:

Capture.PNG


Mind you, this was an update from within the software, I did not download any installer myself.
Next step was to uninstall Adguard, download the installer, Switched Off SRP's, Switched Off Restrictions, Applied settings, Loged Off and On.
I run the installer 2 times. One by Smartscreen and one as Administrator, both times with no success (same block as above picture)...

What am I doing wrong here???
 
Last edited:

Andy Ful

Level 64
Verified
Trusted
Content Creator
I am having serious trouble updating Adguard for Windows and I cannot find a solution..

I have set up Hard Configurator to 'Basic Recommended Settings'.
Today, I saw Adguard notifying that there is a new update. I initiated the update but ASR blocked it as follows:

View attachment 245403

Mind you, this was an update from within the software, I did not download any installer myself.
Next step was to uninstall Adguard, download the installer, Switched Off SRP's, Switched Off Restrictions, Applied settings, Loged Off and On.
I run the installer 2 times. One by Smartscreen and one as Administrator, both times with no success (same block as above picture)...

What am I doing wrong here???

As you can see from the alert, the file is blocked by one of WD ASR rules - it is not blocked by the settings visible directly in the H_C window. The WD configuration depends on ConfigureDefender settings. So, simply open ConfigureDefender and disable this rule temporarily (reboot needed).(y)

This update is blocked because it uses a method that is also used by some ransomware.
No worry, WD has probably got an update for ASR rules. Simply, wait one day (just in case) and follow the above. It is very probable that the false positive will be removed by Microsoft in the future because AdGuard is popular.
 
Last edited:

Gangelo

Level 3
Verified
As you can see from the alert, the file is blocked by one of WD ASR rules - it is not blocked by the settings visible directly in the H_C window. The WD configuration depends on ConfigureDefender settings. So, simply open ConfigureDefender and disable this rule temporarily (reboot needed).(y)

This update is blocked because it uses a method that is also used by some ransomware.
No worry, WD has probably got an update for ASR rules. Simply, wait one day (just in case) and follow the above. It is very probable that the false positive will be removed by Microsoft in the future because AdGuard is popular.

Andy, many thanks for the reply, I suspected that it was irrelevant to the H_C visible settings but wanted to confirm in case I missed something.
I will try again as you instructed.

Cheers!
 

Gandalf_The_Grey

Level 36
Verified
Trusted
Content Creator
Another LOLbin for H_C to need to guard against?
Seems not necessary:
No problem for H_C, VS, and SWH due to anti-script (command-line) protection.
 

Andy Ful

Level 64
Verified
Trusted
Content Creator
Another LOLbin for H_C to need to guard against?
Normally it is not required to block LOLBins, because H_C blocks scrips. Blocking LOLBins is required when using not patched system/software or when applying the H_C custom settings (scripts allowed). If Microsoft does not secure the MpCmdRun.exe, then I can add it to blocked sponsors. But, it is easy for MS to secure this LOLBin by simply checking if the downloaded file is really the WD update.
 
I am looking into using hard_configurator. I would like to use it on my gaming computer I just built as well as a laptop my mother is using. She is basically just knows how to browse the web and check her email. Therefore, I do not want to overwhelm her. Is there a user friendly way I can enable it on her computer? On my gaming pc I used the Windows 10 basic config file, HC firewall hardening, and Defender on high.

*Edit - Ahhh nevermind I will just use simple hardening for her. I do not think it will interfere with anything she is doing. She pretty much just browses, email, and uses her nursing software.
 
Last edited:
Top