- Feb 25, 2017
- 2,585
Oh man, awkward situation. Thanks for letting me know.
Hard_Configurator - Windows Hardening Configurator
- Thread starter Andy Ful
- Start date
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
These tools are also available via @askaln's H_C website:... Thanks for letting me know.
Download - Hard_Configurator (hard-configurator.com)
- Feb 25, 2017
- 2,585
Run by Smartscreen removed by Cylance... Predictable. 
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
It seems that Cylance does not see a difference between a standard Zone.Identifier and malicious Alternate Data Stream.Run by Smartscreen removed by Cylance... Predictable.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Due to the recent development of weaponized MS Office documents I recommend additional protection by using SwitchDefaultDeny tool to set user-dependent DocumentsAntiExploit MS Office protection to ON2.
The ON2 settings + H_C setting <Documents Anti-Exploit> = Adobe + VBA can provide a comprehensive protection. Please note: the ON2 settings are user-dependent so have to be applied on any account available on a particular computer. The H_C setting Adobe +VBA is system-wide.
The ON2 settings + H_C setting <Documents Anti-Exploit> = Adobe + VBA can provide a comprehensive protection. Please note: the ON2 settings are user-dependent so have to be applied on any account available on a particular computer. The H_C setting Adobe +VBA is system-wide.
Last edited:
Are both needed or recommend?
Currently i only use the recommend H_C Adobe+VBA protection but i also don't have Office or Adobe Reader installed
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Not needed if MS Office is not installed.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
I would like to note again that DocumentsAntiExploit tool is user-dependent. It is not important if one has only one user account on the computer (default Admin account). But if there are more user accounts on the computer, then running it on the first account has no impact on the second account. The restrictions will be limited only to the first account (restrictions are not system-wide). If one wants to protect MS Office on the second account then the tool has to be run and configured again on the second account.
The same is true when removing restrictions. If the restrictions were applied on several accounts, then the tool has to be run on each of these accounts and set to OFF each time.
The same is true when removing restrictions. If the restrictions were applied on several accounts, then the tool has to be run on each of these accounts and set to OFF each time.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Hard_Configurator and IOBIT malware.
IObit forums hacked to spread ransomware to its members (bleepingcomputer.com)
This malware cannot run with H_C Recommended Settings enabled. After unpacking the archive in UserSpace the user has to use the InstallBySmartscreen feature to run the executable. InstallBySmartscreen will detect the DLLs in the current directory and will show the alert:
The user should choose <CANCEL> and examine the installation DLLs. If not, then the executable will be run in the random temporary location without DLLs - in this case, the malicious DLL will not be executed. This will protect the inexperienced user from being infected.
In such cases when the installation is blocked by SmartScreen (EXE and MSI files) or the installation fails due to the above alert (protection against DLL hijacking), the simplest method is waiting one day before turning off the H_C settings to run the installation. After one day the AV will usually detect the malware (some other people will be infected).
But, the real danger of the IOBIT attack follows from the convincing and personalized scam. So, above-average users will probably ignore the potential danger and many of them will turn off the AV protection to run the malicious installation without checking the DLLs thoroughly.
I also checked the method of running the final payload (in the case of turning off H_C settings and keeping ConfigureDefender settings) - it will be blocked by the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". The iobit.dll (final payload) is run via rundll32 - this method triggers the mentioned ASR rule which uses Microsoft file reputation to block executables (EXE, DLL, etc.). It is also possible that such a payload can be detected by the Cloud Block Level in ConfigureDefender HIGH preset or the ASR rule "Use advanced protection against ransomware".
IObit forums hacked to spread ransomware to its members (bleepingcomputer.com)
This malware cannot run with H_C Recommended Settings enabled. After unpacking the archive in UserSpace the user has to use the InstallBySmartscreen feature to run the executable. InstallBySmartscreen will detect the DLLs in the current directory and will show the alert:
The user should choose <CANCEL> and examine the installation DLLs. If not, then the executable will be run in the random temporary location without DLLs - in this case, the malicious DLL will not be executed. This will protect the inexperienced user from being infected.
In such cases when the installation is blocked by SmartScreen (EXE and MSI files) or the installation fails due to the above alert (protection against DLL hijacking), the simplest method is waiting one day before turning off the H_C settings to run the installation. After one day the AV will usually detect the malware (some other people will be infected).
But, the real danger of the IOBIT attack follows from the convincing and personalized scam. So, above-average users will probably ignore the potential danger and many of them will turn off the AV protection to run the malicious installation without checking the DLLs thoroughly.
I also checked the method of running the final payload (in the case of turning off H_C settings and keeping ConfigureDefender settings) - it will be blocked by the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". The iobit.dll (final payload) is run via rundll32 - this method triggers the mentioned ASR rule which uses Microsoft file reputation to block executables (EXE, DLL, etc.). It is also possible that such a payload can be detected by the Cloud Block Level in ConfigureDefender HIGH preset or the ASR rule "Use advanced protection against ransomware".
Last edited:
- Jul 8, 2012
- 894
Okay, I have a question about the Firewall Harding tool. Does it do more then MBAM WFC ... or does it do things differently. I ask because I am not sure I want to continue using MBAM WFC? Quit often when I get a warning pop up from WFC, I am not sure if I can block or allow the process to connect out/in. ( Other times I am certain, but still. ) And although I can easily change it in WFC, I get the feeling this could be bad thing not knowing if I should allow or block a process. ( And yeah I could ask here, but doing that every time I get a warning is to much in my opinion. )
So with that in mind would the Firewall Hardening tool be a better match for me?
So with that in mind would the Firewall Hardening tool be a better match for me?
Please, if possible, I have few simple questions for @Andy Ful :
1) What's your opinion about "Windows Defender Core Isolation" feature?
2) "Memory Integrity" feature?
3) I read several articles/posts/comments etc with negative feedbacks. Are "Core isolation" & "Memory Integrity" really needed/useful?
4) Are efficient?
5) Are (any of/or both) hurting device performance?
I apologize in advance if my questions have already been asked.
Thank you!
1) What's your opinion about "Windows Defender Core Isolation" feature?
2) "Memory Integrity" feature?
3) I read several articles/posts/comments etc with negative feedbacks. Are "Core isolation" & "Memory Integrity" really needed/useful?
4) Are efficient?
5) Are (any of/or both) hurting device performance?
I apologize in advance if my questions have already been asked.
Thank you!
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
MBAM WFC is intended to generally harden the Firewall connections (outbound and inbound). FirewallHardening blocks only outbound connections of LOLBins and executables chosen by the user. The predefined MBAM WFC rules do not block LOLBins, but such rules can be made manually.
So, anything done by FirewallHardening can be done by MBAM WFC with some effort. MBAM WFC requires some knowledge, FirewallHardening is much simpler in idea and maintenance.
- Jul 8, 2012
- 894
Guess I will tryout your FirewallHardening tool for a while, see how that goes, thank you Andy Full.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Core Isolation uses hardware virtualization to protect the critical areas of the Windows kernel against attacks of user-mode processes. Memory Integrity is a subsystem of Core Isolation. Both are important, especially in Enterprises. Core Isolation can be enabled without problems on the machines that support it. The performance change is hardly visible.
Performance Impact of Hyper-V virtualisation (Windows 10 Pro) – Compute – SiSoftware
Memory Integrity can sometimes cause problems with drivers. So, the user has to check this on his/her machine.
- Apr 24, 2016
- 7,232
When you turn on Memory Integrity Microsoft Defender can and if needed will warn you about incompatible drivers.
I used Driver Store Explorer to delete the two old drivers in my system and after that i could enable Memory Integrity.
Another option could be to use Autoruns for finding and removing those drivers.
github.com
I used Driver Store Explorer to delete the two old drivers in my system and after that i could enable Memory Integrity.
Another option could be to use Autoruns for finding and removing those drivers.
GitHub - lostindark/DriverStoreExplorer: Driver Store Explorer [RAPR]
Driver Store Explorer [RAPR]. Contribute to lostindark/DriverStoreExplorer development by creating an account on GitHub.
github.com
Autoruns - Sysinternals
See what programs are configured to startup automatically when your system boots and you login.
docs.microsoft.com
Thank you @Andy Ful for your replay.
Yeah, basically I already knew what you explained (thank you anyway!).
I don't want to push you, but what about specifically questions "3)" and "4)"? Are both efficient in real word - average users? Are both really needed/useful for average users - outside enterprise environments?
Thanks again!
Yeah, basically I already knew what you explained (thank you anyway!).
I don't want to push you, but what about specifically questions "3)" and "4)"? Are both efficient in real word - average users? Are both really needed/useful for average users - outside enterprise environments?
Thanks again!
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Core Isolation will be efficient if there will be attacks on the Windows kernel in the home environment. I did not hear about such attacks, yet. I can guess that such attacks will not be frequent in the near future because there exist many simpler methods of infecting home users.
I use SysHardener outbound firewall rules. Are they about the same as Recommended H_C rules? Maybe I'm missing something? SysHardener added 71 rules to my firewall. SH is not on my PC anymore, but I kept its rules.
Last edited:
- Aug 17, 2014
- 11,072
I believe that Firewall Hardening of H_C and additional entries for "LOLBins" are more maintained than SysHardener as it wasn't updated for long time...
Similar threads
-
- Sticky
