Update Hard_Configurator - Windows Hardening Configurator

Freki123

@Andy Ful
Hi Andy, is there any reason at all why Hard_Configurator could cause a Behavior:Win32/WDBlockFirewallRule.P error?
I was just browsing the internet when it popped up...

H_C Version 5.1.1.2
H_C Recommended Settings + added block Sponsors "Script interpreters" and "Enhanced"
Configure Defender "High" with added "Block unknown files low reputation"
Firewall Hardening: Add Recommended settings.

Windows 10 Pro,19043.1165, Windows Feature Experience Pack 120.2212.3530.0
Firewall: Glasswire light in "ask to connect" mode. Current Version

It's a fresh install since I wanted to try the new 21H1.

[Attachment: Untitled - Copy.jpg]

Andy Ful

@Andy Ful
Hi Andy, is there any reason at all why Hard_Configurator could cause a Behavior:Win32/WDBlockFirewallRule.P error?
I was just browsing the internet when it popped up...

H_C Version 5.1.1.2
H_C Recommended Settings + added block Sponsors "Script interpreters" and "Enhanced"
Configure Defender "High" with added "Block unknown files low reputation"
Firewall Hardening: Add Recommended settings.

Windows 10 Pro,19043.1165, Windows Feature Experience Pack 120.2212.3530.0
Firewall: Glasswire light in "ask to connect" mode. Current Version

It's a fresh install since I wanted to try the new 21H1.

This block is not related to Hard_Configurator but to Defender detection. It looks like you use some application that uses a service (hidden under svchost.exe) to apply firewall rules. It could be Glasswire or something similar.
 

Andy Ful

Any way for me to find out which service is hidden under svchost.exe (if it happens again)?
There are several ways possible, for example:
 

aldist

Any way for me to find out which service is hidden under svchost.exe (if it happens again)?
You will get a list of 50-80 svchost services by the methods described above, but this will not help you. You need to identify one particular service or process that is causing your problem. To identify the culprit, you can try OSArmor, which works much like HIPS in firewalls, and shows warnings when one service or process tries to access another process, with the exact service and command line keys. Or Process Monitor by Russinovich.
 

Freki123

Thanks for all the answers.
I did contact Ken_Glasswire (in the past about that) and he thinks it's another program causing this and not Glasswire.
Since it's a fresh install I only got H_C and O&O ShutUp (with all Windows Defender stuff allowed), my list of suspects is:
Glasswire (main suspect) and after a very looooong pause H_C since it's a fresh install.
 

Andy Ful

You will get a list of 50-80 svchost services by the methods described above, but this will not help you.
It will. You can identify the right Svchost process by PID as was explained in the article from my post.
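The two steps discussed above (find the PID Defender reported, then see which services that svchost.exe instance hosts) can be scripted. This is an added example, not code from the thread or from Hard_Configurator. It assumes an elevated PowerShell prompt, that the process is still running (a PID of an exited process resolves to nothing, which is exactly the failure mode mentioned later in the thread), and that Defender's event 1116 message contains a `pid:<number>` token for behaviour detections; that last point is an assumption and the regex is deliberately lenient.

```powershell
# Added example (not from the thread, not H_C code): map an svchost.exe PID to the
# services it hosts, and pull candidate PIDs out of Defender's detection events.
# Run elevated. A PID only resolves while the process is still alive.

function Get-SvchostServices {
    param([Parameter(Mandatory)][int]$ProcessId)

    # Win32_Service exposes the hosting PID for every service, shared host or not.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -eq $ProcessId } |
        Select-Object Name, DisplayName, State, StartMode, PathName

    if (-not $services) {
        Write-Warning "No running service reports PID $ProcessId (process already exited?)"
        return
    }
    $services
}

function Get-DefenderDetectionPids {
    param([int]$MaxEvents = 50)

    # Event 1116 = "malware or unwanted software detected" in the Defender operational log.
    # Assumption: behaviour detections carry the acting process as "..._pid:3792..."
    # inside the message text; the regex below is ours and matches any "pid:<digits>".
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt   = $_
        $name  = ($evt.Message -split "`n" | Where-Object { $_ -match '^\s*Name:' } | Select-Object -First 1)
        $pids  = [regex]::Matches($evt.Message, '(?i)pid:\s*(\d+)')
        foreach ($m in $pids) {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                Pid    = [int]$m.Groups[1].Value
                Threat = "$name".Trim()
            }
        }
    }
}

# Usage: list the PIDs Defender complained about, then resolve one that is still running.
Get-DefenderDetectionPids | Sort-Object Time -Descending | Format-Table -AutoSize
Get-SvchostServices -ProcessId 3792
```

The same service lookup is available without PowerShell as `tasklist /svc /fi "PID eq 3792"`; the script version is only there so the PID from the event log can be fed straight into the lookup before the host process disappears.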
 

Andy Ful

Thanks for all the answers.
I did contact Ken_Glasswire (in the past about that) and he thinks it's another program causing this and not Glasswire.
Since it's a fresh install I only got H_C and O&O ShutUp (with all Windows Defender stuff allowed), my list of suspects is:
Glasswire (main suspect) and after a very looooong pause H_C since it's a fresh install.
H_C cannot be directly involved because its processes do not run at all, except when you manually run H_C, ConfigureDefender, etc. Also, these processes do not use Svchost. The only thing that H_C can cause indirectly is a more aggressive Defender setup. So, Defender on default settings could ignore Behavior:Win32/WDBlockFirewallRule.P and detect it with the advanced setup.

The issue can be also related to O&O Shutup, because it changes firewall rules to restrict Windows telemetry (not related to Defender O&O settings). In fact, any application which uses a service and can modify firewall rules can be the issue.

I am not sure if this issue will happen again, because it could be forced by the RunOnce key after a Windows restart. If so, then a single Defender block simply disabled adding the firewall rule and the application will not try to do it again.
<----- this possibility seems to be excluded by the details of the issue described on the Glasswire forum.

Edit. Checked O&O Shutup. It does not use a service or change Firewall rules under the Registry key:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
From the Glasswire forum about Behavior:Win32/WDBlockFirewallRule.P issue it follows that the above Registry key is involved.
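Since the post above points at the FirewallRules key as the place where the blocked rule would have been written, it helps to be able to see what is actually persisted there and what changed since a known-good state. This is an added example, not from the thread or from H_C. It assumes the documented pipe-delimited value format under that key (`v2.30|Action=Allow|Active=TRUE|Dir=In|...|App=...|Name=...|`), reads the key through `CurrentControlSet` (which normally links to the `ControlSet001` path quoted above), and uses a baseline file path of your choosing.

```powershell
# Added example (not from the thread, not H_C code): dump the persisted firewall
# rules from the FirewallRules Registry key, parse them into objects, and diff
# against a saved baseline so a rule added by a service shows up by Name/App/Svc.
# CurrentControlSet is used instead of hard-coding ControlSet001.

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-PersistedFirewallRule {
    # Each value is a pipe-delimited string such as
    # "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\x.exe|Name=Foo|"
    $item = Get-ItemProperty -Path $RulesKey
    foreach ($prop in $item.PSObject.Properties) {
        if ($ProviderProps -contains $prop.Name) { continue }   # skip provider metadata
        $fields = @{ RuleId = $prop.Name }
        foreach ($part in ([string]$prop.Value -split '\|')) {
            if ($part -match '^([^=]+)=(.*)$') { $fields[$matches[1]] = $matches[2] }
        }
        # Select-Object fills missing members (e.g. no App= on a service-only rule) with $null.
        [pscustomobject]$fields | Select-Object RuleId, Name, Action, Active, Dir, Protocol, App, Svc, Profile
    }
}

function Save-FirewallRuleBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-PersistedFirewallRule | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-FirewallRuleBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $old = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $new = @(Get-PersistedFirewallRule)
    $oldIds = @{}; foreach ($r in $old) { $oldIds[$r.RuleId] = $true }
    $newIds = @{}; foreach ($r in $new) { $newIds[$r.RuleId] = $true }

    # Rules present now but not in the baseline were added since the snapshot.
    $new | Where-Object { -not $oldIds.ContainsKey($_.RuleId) } |
        ForEach-Object { $_ | Add-Member -NotePropertyName Change -NotePropertyValue 'Added' -PassThru }
    # Rules in the baseline that are gone now were removed.
    $old | Where-Object { -not $newIds.ContainsKey($_.RuleId) } |
        ForEach-Object { $_ | Add-Member -NotePropertyName Change -NotePropertyValue 'Removed' -PassThru }
}

# Usage (baseline path is an arbitrary choice):
#   Save-FirewallRuleBaseline    -Path "$env:USERPROFILE\fwrules-baseline.json"   # once, on a clean system
#   Compare-FirewallRuleBaseline -Path "$env:USERPROFILE\fwrules-baseline.json" | Format-Table Change, Name, Dir, Action, App, Svc -AutoSize
```

A rule that Defender blocked will not appear as "Added" (the write never happened), but a rule that the same application managed to write earlier, or writes again after the detection, will, together with the `App=` or `Svc=` field that names the program or service behind it.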
 

Andy Ful

From some of the posts on the Glasswire forum it follows that the issue can be related to the application that uses service to check something on VirusTotal:

[Attachments: GW.jpeg, gw2.jpeg]


Defender detection happened at the same moment as the attempt to use VirusTotal.
Another user noticed that the PID of the blocked item was related to the VPN client (NordVPN with the NordLynx protocol).
Another user has got this issue with the PID of the Glasswire process. Some sources of this issue were solved by the Glasswire developer (as he mentioned on the forum), so it is not clear if Glasswire is responsible (together with more aggressive Defender settings).

 

Freki123

Andy, I really have to say a big thank you for your kind and helpful answers. That would be the/an answer I expected from GW after sending lots of screenshots...
If I understood you correctly I had to look for the PID, which would be 3972? I hope I got the right number? PID (and Event Log) novice here.
[Attachment: Untitled - Copy.jpg]
Since I didn't find it listed in Process Explorer it would make sense, since the VT is only sometimes.
I will disable the VT instant lookup and hope the problem will be gone.
Thanks a lot for your great help :)

Edit: My post here is with 21H1
 

Andy Ful

...
If I understood you correctly I had to look for the PID, which would be 3972? I hope I got the right number? PID (and Event Log) novice here.
Since I didn't find it listed in Process Explorer it would make sense, since the VT is only sometimes.
I will disable the VT instant lookup and hope the problem will be gone.
Thanks a lot for your great help :)

Edit: My post here is with 21H1
The Svchost process that triggered this detection (PID 3792) has been already closed - it is not visible in Process Explorer anymore. :(
The VirusTotal auto-check feature in Glasswire is a good candidate that could trigger the detection. But, there are probably some others, too. (y)
 

Andy Ful

I posted an interesting article about Endpoint Detection and Response Systems against Advanced Persistent Threats.

So here is a question: What would happen if a home user would encounter such malware reused in widespread attacks?

The answer.
The attack method in the article starts with some spear-phishing emails that try to lure the target user into opening a file or following a link that will be used to compromise the victim's host. The authors crafted some emails with links to cloud providers that lead to some custom malware. The malicious files were CPL, HTA, and EXE files, plus a DLL file (side-loading attack).
The execution of CPL, HTA, and EXE files will be blocked in the H_C Recommended Settings. The EXE file will also be blocked when executed via InstallBySmartScreen. Also, the DLL hijacking attack will be blocked when the attacker uses a legal EXE file which normally loads a DLL dropped into the same location (side-loading attack).

Is H_C better than EDR?
No. In some cases, the Administrator could apply a Windows built-in setup similar to the H_C settings, but in most cases such a setup would be too restrictive in the Enterprise environment (too much work for Administrators). :) (y)
The second reason is that there are far more attack vectors in Enterprises. For example, the attacker could compromise one machine in the network and gain high privileges. After dropping CPL, HTA, EXE, and DLL files into the "Program Files" folder on another machine, these files could be executed remotely without SRP blocks (the "Program Files" folder is whitelisted in H_C settings).
 

Andy Ful

Thank you for that insight. Yeah, I agree. Usability for all should be continuously improved. Can you explain why, given its issues, SRP in all of its forms is so widely used, particularly in environments where the utmost security is a critical requirement?
The explanation is already well known. The older SRP solutions (classic SRP and Applocker) are not considered a security boundary - Microsoft suggests using WDAC for that. This follows from the fact that in Enterprises the properly configured WDAC can better protect against malicious drivers and attacks related to Windows kernel.

In Enterprises the classic SRP and Applocker are used for other purposes like for example:
  • Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
  • An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
  • The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
  • The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
  • A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
  • Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
  • A single user or small group of users needs to use a specific app that is denied for all others.
  • Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
  • In addition to other measures, you need to control the access to sensitive data through app usage.

So, the purpose is to restrict users from running/opening unwanted/malicious executables or other unsafe files. I would say that it is a kind of attack surface reduction via software whitelisting methods. Microsoft also found out that attack surface reduction can be done with the help of the cloud and some exploit mitigations - so we have Defender ASR rules, CFA, and Exploit Protection mitigations.
 

Andy Ful

@Andy Ful

A user over at Wilders is having some issues


Post updated.

For now, the below procedure works for the shortcut with non-changing file name in the Startup folder:

[Attachments: 1630969304923.png, 1630969394915.png]


From the Log we know the blocked path:

Access to C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sidebar792.lnk
...

The shortcut has been blocked, so one has to whitelist the shortcut.

[Attachment: 1630979101096.png]


Edit.
Unfortunately, it seems this does not work when the random numbers are replaced by wildcards.
I will try to figure out how to overcome this issue.
For now, the solution for Sidebar is as follows:
  1. Rename the Sidebar792.lnk to SSidebar.lnk
  2. Whitelist the SSidebar.lnk in H_C using the above procedure via <Add Path*Wildcards>
 

wat0114

Hi Andy,

sorry if this has been answered already elsewhere and I couldn't find the answer in the documentation, but why is it possible, at least in my case, to launch an executable file under:

C:\Users\myname\AppData\Local\Temp

I have SRP enabled with Default Security Level at "Disallowed", Enforcement: Skip DLLs

I have not added any paths to the default ones included. Using Windows 10 v21H1, 19043.1202
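When a file runs although the SRP default level is "Disallowed", the first thing to check is which path rules are present and which one is the most specific match for that file. The script below is an added example (not part of this thread and not H_C's own code). It reads the classic SRP policy from its Registry location, reports the default level and DLL enforcement, and evaluates one path against the path rules in a simplified way: the longest matching path rule wins over the default level; hash, certificate and registry-path rules are skipped, so treat the result as a diagnostic rather than the authority.

```powershell
# Added example (not from the thread, not H_C code): read the classic SRP policy
# and report which path rules match a given file path. Simplified evaluation:
# longest matching path rule overrides DefaultLevel; hash/cert/registry-path
# rules are ignored. Run elevated so the policy key is readable.

$SaferKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    $root = Get-ItemProperty -Path $SaferKey -ErrorAction Stop

    # Path rules live under <level>\Paths\{GUID}, with the path in ItemData.
    $rules = foreach ($level in 0, 4096, 262144) {
        $pathsKey = Join-Path $SaferKey "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($sub in Get-ChildItem -Path $pathsKey) {
            $data = (Get-ItemProperty -Path $sub.PSPath).ItemData
            if (-not $data -or $data -like '%HK*') { continue }   # registry-path rules skipped here
            [pscustomobject]@{
                Level = $LevelNames[$level]
                Path  = [Environment]::ExpandEnvironmentVariables($data)
                Rule  = $sub.PSChildName
            }
        }
    }

    # A missing DefaultLevel means SRP's built-in default, Unrestricted.
    $default = if ($null -eq $root.DefaultLevel) { 262144 } else { [int]$root.DefaultLevel }
    [pscustomobject]@{
        DefaultLevel    = $LevelNames[$default]
        DllEnforcement  = if ($root.TransparentEnabled -eq 2) { 'All files' } else { 'Skip DLLs' }
        ExecutableTypes = $root.ExecutableTypes
        Rules           = @($rules)
    }
}

function Test-SrpPath {
    param([Parameter(Mandatory)][string]$FilePath)
    $policy = Get-SrpPolicy
    $full   = [System.IO.Path]::GetFullPath($FilePath)

    # A path rule matches when it is a prefix of the file's path; -like handles
    # wildcards that H_C-style rules may contain.
    $hits = @($policy.Rules | Where-Object {
        $p = $_.Path.TrimEnd('\')
        ($full -like ($p + '*')) -or ($full -like $p)
    })
    # Most specific (longest) rule wins; ties broken toward the more restrictive level.
    $winner = $hits | Sort-Object @{ Expression = { $_.Path.Length }; Descending = $true },
                                  @{ Expression = { $_.Level -eq 'Disallowed' }; Descending = $true } |
              Select-Object -First 1

    [pscustomobject]@{
        File           = $full
        DefaultLevel   = $policy.DefaultLevel
        DllEnforcement = $policy.DllEnforcement
        MatchingRules  = @($hits | ForEach-Object { "$($_.Level): $($_.Path)" })
        EffectiveLevel = if ($winner) { $winner.Level } else { $policy.DefaultLevel }
    }
}

# Usage: see which rule decides for a file in the user's Temp folder (path is an example).
Test-SrpPath -FilePath "$env:LOCALAPPDATA\Temp\example.exe" | Format-List
```

If `MatchingRules` lists an Unrestricted entry that covers the Temp folder, that rule, not the default level, is why the file launches; if nothing matches and the file still runs, the file type is probably not in `ExecutableTypes`, or the launch happened with DLL-only enforcement skipped for an administrator account (PolicyScope), which this script does not model.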
 

Azure

Post updated.

For now, the below procedure works for the shortcut with non-changing file name in the Startup folder:


From the Log we know the blocked path:



The shortcut has been blocked, so one has to whitelist the shortcut.


Edit.
Unfortunately, it seems this does not work when the random numbers are replaced by wildcards.
I will try to figure out how to overcome this issue.
For now, the solution for Sidebar is as follows:
  1. Rename the Sidebar792.lnk to SSidebar.lnk
  2. Whitelist the SSidebar.lnk in H_C using the above procedure via <Add Path*Wildcards>
He is still having issues

 