Hard_Configurator - Windows Hardening Configurator

[Freki123]

@Andy Ful
Hi Andy, is there any reason at all how Hard_Configurator could cause a Behavior:Win32/WDBlockFirewallRule.P Error?
I was just browsing the internet while it poped up...

H_C Version 5.1.1.2
H_C Recommended Settings + added block Sponsors "Script interpreters" and "Enhanced"
Configure Defender "High" with added "Block unknown files low reputation"
Firewall Hardening: Add Recommended settings.

Windows 10 Pro,19043.1165, Windows Feature Experience Pack 120.2212.3530.0
Firewall: Glasswire light in "ask to connect" mode. Current Version

It's a fresh install since I wanted to try the new 21H1.

 

[Andy Ful]

@Andy Ful
Hi Andy, is there any reason at all how Hard_Configurator could cause a Behavior:Win32/WDBlockFirewallRule.P Error?
I was just browsing the internet while it poped up...

H_C Version 5.1.1.2
H_C Recommended Settings + added block Sponsors "Script interpreters" and "Enhanced"
Configure Defender "High" with added "Block unknown files low reputation"
Firewall Hardening: Add Recommended settings.

Windows 10 Pro,19043.1165, Windows Feature Experience Pack 120.2212.3530.0
Firewall: Glasswire light in "ask to connect" mode. Current Version

It's a fresh install since I wanted to try the new 21H1.

View attachment 260168

This block is not related to Hard_Configurator but to Defender detection. It looks like you use some application that uses a service (hidden under svchost.exe) to apply firewall rules. It could be Glasswire or something similar.

 

[Freki123]

Any way for me to find out which service is hidden under svchost.exe (if it happens again)?

 

[Andy Ful]

Any way for me to find out which service is hidden under svchost.exe (if it happens again)?

There are several ways possible, for example:

View the List of Services Hosted by the svchost.exe Process in Windows

Svchost.exe is a process that hosts other Windows services that perform various system functions. There can be multiple instances of svchost.exe running on your computer, with each instance containing a different service. We published a post a while back on what you can do if svchost.exe is...

helpdeskgeek.com

Download svchost.exe Lookup Tool

Download svchost.exe Lookup Tool 1.6.0 - A comprehensive piece of software that displays detailed information about the services ran by svchost.exe so you can check how resources are used

www.softpedia.com

 

[oldschool]

Any way for me to find out which service is hidden under svchost.exe (if it happens again)?

Yes, but what a PITA!

 

[aldist]

Any way for me to find out which service is hidden under svchost.exe (if it happens again)?

You will get a list of 50-80 svchost services by the methods described above, but this will not help you. You need to identify one particular service or process that is causing your problem. To identify the culprit, you can try OSArmor, which works much like HIPS in firewalls, and shows warnings when one service or process tries to access another process, with the exact service and command line keys. Or Process Monitor by Russinovich.

 

[Digmor Crusher]

Try this.

Tweaking.com - svchost.exe Lookup Tool

I think its the same as Andys link but when I click on his it doesn't open.

 

[Freki123]

Thanks for all the answers.
I did contact Ken_Glasswire (in the past about that) and he thinks it's another programm causing this and not Glasswire.
Since it's a fresh install I only got H_C and O&O shutup (with all Windows Defender stuff allowed ) my list off suspects are:
Glasswire (mainsuspect) and after a very looooong pause H_C since it's a fresh install.

 

[Andy Ful]

You will get a list of 50-80 svchost services by the methods described above, but this will not help you.

It will. You can identify the right Svchost process by PID as was explained in the article from my post.

 

[Andy Ful]

Thanks for all the answers.
I did contact Ken_Glasswire (in the past about that) and he thinks it's another programm causing this and not Glasswire.
Since it's a fresh install I only got H_C and O&O shutup (with all Windows Defender stuff allowed ) my list off suspects are:
Glasswire (mainsuspect) and after a very looooong pause H_C since it's a fresh install.

H_C cannot be directly involved because its processes do not run at all, except when you manually run H_C, ConfigureDefender, etc. Also, these processes do not use Svchost. The only thing that H_C can cause indirectly is a more aggressive Defender setup. So, Defender on default settings could ignore Behavior:Win32/WDBlockFirewallRule.P. and detect it with advanced setup.

The issue can be also related to O&O Shutup, because it changes firewall rules to restrict Windows telemetry (not related to Defender O&O settings). In fact, any application which uses a service and can modify firewall rules can be the issue.

I am not sure if this issue will happen again, because it could be forced by the Run once key after Windows restart. If so, then a single Defender block simply disabled adding firewall rule and the application will not try to do it again. <----- this possibility seems to be excluded by the details of the issue described on the Glasswire forum.

Edit. Checked O&O Shutup. It does not use a service or change Firewall rules under the Registry key:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
From the Glasswire forum about Behavior:Win32/WDBlockFirewallRule.P issue it follows that the above Registry key is involved.

 

[Andy Ful]

From some of the posts on the Glasswire forum it follows that the issue can be related to the application that uses service to check something on VirusTotal:

Defender detection happened at the same moment as the attempt to use VirusTotal.
Another user noticed that the PID of the blocked item was related to the VPN client (NordVPN with the NordLynx protocol).
Another user has got this issue with the PID of the Glasswire process. Some sources of this issue were solved by the Glasswire developer (as he mentioned on the forum), so it is not clear if Glasswire is responsible (together with more aggressive Defender settings).

Behavior:Win32/WDBlockFirewallRule.P

You need to update your Win 10 to version 21H1. That’s what I had to do. Here what I have …,

forum.glasswire.com

 

[Freki123]

Andy I really have to say a big thank you for your kind and helpful answers. That would be the/an answer I expected from gw after sending lots of screenshots...
If I understood you correct I had to look for the PID which would be 3972? I hope I got the right number? PID (and Eventlog) Novice here.

Spoiler: Pic

Since I didn't find it listed in Process Explorer it would make sense since the VT is only somtimes.
I will disable the VT instant lookup and hope the problem will be gone.
Thanks a lot for you great help

Edit: My post here is with 21H1

 

[Andy Ful]

...
If I understood you correct I had to look for the PID which would be 3972? I hope I got the right number? PID (and Eventlog) Novice here.

Spoiler: Pic

View attachment 260180

Since I didn't find it listed in Process Explorer it would make sense since the VT is only somtimes.
I will disable the VT instant lookup and hope the problem will be gone.
Thanks a lot for you great help

Edit: My post here is with 21H1

The Svchost process that triggered this detection (PID 3792) has been already closed - it is not visible in Process Explorer anymore.
The VirusTotal auto-check feature in Glasswire is a good candidate that could trigger the detection. But, there are probably some others, too.

 

[Andy Ful]

I posted an interesting article about Endpoint Detection and Response Systems against Advanced Persistent Threats.

Endpoint Detection and ResponseSystems against Advanced Persistent Threats

An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors Autors: George Karantzas and Constantinos Patsakis https://arxiv.org/pdf/2108.10422.pdf WARNING. This article should not upset Home users, because the chances of such attacks (via never-seen...

malwaretips.com

So here is a question: What would happen if a home user would encounter such malware reused in widespread attacks?

The answer.
The attack method in the article starts with some spear-phishing emails that try to lure the target user into opening a file or follow a link that will be used to compromise the victim’s host. The authors crafted some emails with links to cloud providers that lead to some custom malware. The malicious files were CPL, HTA, and EXE files, plus DLL file (side loading attack).
The execution of CPL, HTA, and EXE files will be blocked in the H_C Recommended Settings. The EXE file will be also blocked when executing via InstallBySmartScreen. Also, the DLL hijacking attack will be blocked when the attacker would use a legal EXE file which normally loads a DLL dropped into the same location (side loading attack).

Is H_C better than EDR?
No. In some cases, the Administrator could apply the Windows built-in setup similar to the H_C settings, but in most cases, such a setup would be too much restrictive in the Enterprise Environment (too much work for Administrators).
The second reason is that there are far more attack vectors in Enterprises. For example, the attacker could compromise one machine in the network and have got high privileges. After dropping CPL, HTA, EXE, and DLL files into the "Program Files" folder on another machine, these files could be executed remotely without SRP blocks ("Program Files" folder is whitelisted in H_C settings).

 

[Andy Ful]

Super cool! Microsoft SRP is some amazing security.

Yes, it is. But, it is not easy to make it usable.

 

[Andy Ful]

Thank you for that insight. Yeah, I agree. Usability for all should be continuously improved. Can you explain why, given its issues, SRP in all of its forms is so widely used, particularly in environments where the utmost security is a critical requirement?

The explanation is already well known. The older SRP solutions (classic SRP and Applocker) are not considered a security boundary - Microsoft suggests using WDAC for that. This follows from the fact that in Enterprises the properly configured WDAC can better protect against malicious drivers and attacks related to Windows kernel.

In Enterprises the classic SRP and Applocker are used for other purposes like for example:

• Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
• An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
• The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
• The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
• A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
• Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
• A single user or small group of users needs to use a specific app that is denied for all others.
• Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
• In addition to other measures, you need to control the access to sensitive data through app usage.

AppLocker

This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker policies.

docs.microsoft.com

So, the purpose is to restrict users from running/opening unwanted/malicious executables or other unsafe files. I would say that it is a kind of reducing the attack surface via software whitelisting methods. Microsoft found out also that attack surface reduction can be done with the help of the cloud and some exploit mitigations - so we have Defender ASR rules, CFA, and Exploit Protection mitigations.

 

[Azure]

@Andy Ful

A user over at Wilders is having some issues

Hard_Configurator - GUI to Manage Software Restriction Policies and harden Windows Home OS

Started using this and recommended settings is probably safe to use? I also added recommended H_C in firewall hardening.

www.wilderssecurity.com

 

[Andy Ful]

@Andy Ful

A user over at Wilders is having some issues

Hard_Configurator - GUI to Manage Software Restriction Policies and harden Windows Home OS

Started using this and recommended settings is probably safe to use? I also added recommended H_C in firewall hardening.

www.wilderssecurity.com

Post updated.

For now, the below procedure works for the shortcut with non-changing file name in the Startup folder:

From the Log we know the blocked path:

Access to C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sidebar792.lnk
...

The shortcut has been blocked, so one has to whitelist the shortcut.

Edit.
Unfortunately, it seems does not work when the random numbers are replaced by wildcards.
I will try to figure out how to overcome this issue.
For now, the solution for Sidebar is as follows:

1. Rename the Sidebar792.lnk to SSidebar.lnk
2. Whitelist the SSidebar.lnk in H_C using the above procedure via <Add Path*Wildcards>

 

[wat0114]

Hi Andy,

sorry if this has been answered already elsewhere and I couldn't find the answer in the documentation, but why is it possible, at least in my case, to launch an executable file under:

C:\Users\myname\AppData\Local\Temp

I have SRP enabled with Default Security Level at "Disallowed", Enforcement: Skip DLL's

I have not added any paths to the default ones included. Using Windows 10 v21H1, 19043.1202

 

[Azure]

Post updated.

For now, the below procedure works for the shortcut with non-changing file name in the Startup folder:

View attachment 260445

View attachment 260446

From the Log we know the blocked path:



The shortcut has been blocked, so one has to whitelist the shortcut.

View attachment 260456

Edit.
Unfortunately, it seems does not work when the random numbers are replaced by wildcards.
I will try to figure out how to overcome this issue.
For now, the solution for Sidebar is as follows:

1. Rename the Sidebar792.lnk to SSidebar.lnk
2. Whitelist the SSidebar.lnk in H_C using the above procedure via <Add Path*Wildcards>

He is still having issues

Hard_Configurator - GUI to Manage Software Restriction Policies and harden Windows Home OS

Started using this and recommended settings is probably safe to use? I also added recommended H_C in firewall hardening.

www.wilderssecurity.com