Hard_Configurator - Windows Hardening Configurator

[aldist]

Thank you for your unselfishly great program!
I disable SmartScreen in the Windows 8.1 Security Center settings or in the Local Group Policy Editor, but SmartDefaultDeny turns it back on. How do I make SDD not enable it?

Is there an option to not install the "Install by SmartScreen" context menu item at all, or just manually remove it from the registry?

 

[aldist]

 

[silversurfer]

Thank you for your unselfishly great program!
I disable SmartScreen in the Windows 8.1 Security Center settings or in the Local Group Policy Editor, but SmartDefaultDeny turns it back on. How do I make SDD not enable it?

Is there an option to not install the "Install by SmartScreen" context menu item at all, or just manually remove it from the registry?

It's possible to disable fully SmartScreen as entry on context menu, just click on the button "Forced SmartScreen" => OFF

 

[Andy Ful]

Thank you for your unselfishly great program!
I disable SmartScreen in the Windows 8.1 Security Center settings or in the Local Group Policy Editor, but SmartDefaultDeny turns it back on. How do I make SDD not enable it?

If you run H_C then it will always enable SmartScreen.
Why do you want to disable SmartScreen?

 

[aldist]

Why do you want to disable SmartScreen?

I have an established practice, I don't use SmartScreen, Internet Explorer, Edge, Windows Defender. If you want to convince me otherwise, it won't work

 

[Andy Ful]

I have an established practice, I don't use SmartScreen, Internet Explorer, Edge, Windows Defender. If you want to convince me otherwise, it won't work

I am not going to convince you even if it looks strange to me.
Be safe.

 

[Andy Ful]

Yes, but more specifically I referred to the ASR rules MD has specially for Office Programs, scripts and browser. On top of that when people are using MD as AV, they can add Code Integrity Guard to the mix*. Defender free AV with Configure Defender, Documents Anti-exploit, Simple Windows Hardening and Firewall Hardening should be top-notch.

* Ever considered adding Code Integrity Guard for Office and Edge to Configure Defender?

I have in mind the possibility of using Exploit Protection (EP) for several years. The problem is with testing because many users would have to use it and report the issues. This would require a special thread on MT.
I would add some solutions based on EP only on the base of such a thread. The EP is not an urgent solution when using H_C in the Recommended Settings (ConfigureDefender + FirewallHardening+ DocumentsAntiExploit tool):

1. Edge has already got CIG enabled for rendering. Enabling CIG for msedge.exe via Exploit Protection makes sense in Businesses to protect Edge against malware already running in the local network.
2. The same is true mostly for MS Office versions supported by Microsoft (patched exploits).
3. EP looks very interesting to harden MS Store applications (also non-Microsoft), due to the additional CIG setting for MS Store. But, these apps are not abused so far and not especially popular.

 

[ForgottenSeer 92963]

I have in mind the possibility of using Exploit Protection (EP) for several years. The problem is with testing because many users would have to use it and report the issues. This would require a special thread on MT.
I would add some solutions based on EP only on the base of such a thread. The EP is not an urgent solution when using H_C in the Recommended Settings (ConfigureDefender + FirewallHardening+ DocumentsAntiExploit tool):

1. Edge has already got CIG enabled for rendering. Enabling CIG for msedge.exe via Exploit Protection makes sense in Businesses to protect Edge against malware already running in the local network.
2. The same is true mostly for MS Office versions supported by Microsoft (patched exploits).
3. EP looks very interesting to harden MS Store applications (also non-Microsoft), due to the additional CIG setting for MS Store. But, these apps are not abused so far and not especially popular.

To prevent issues with Anti_virus solutions injecting DLL's into these processes, I think would be a better as an option in Configure Defender(because you are sure Defender is used).

Ad 1. But not the broker process. The broker proces is often targeted by key-loggers in home user environment

Ad 2. ASR has a reversed rule, which prevents Office processes to inject code into other processes (and another rule which prevents Office programs launching other programs). I googled and only found one recent case of code injection into Office this year. Do you mean it is hardly a problem for home users with ASR rules enabled and anti-documents exploit?

Ad 3. Some apps available in Windows store like VLC Media players are often targeted (although I don't know whether these are true store-apps).

 

[Andy Ful]

...
Ad 1. But not the broker process. The broker proces is often targeted by key-loggers in home user environment

Key-logger has to be active in the system (so the system is already infected). The same is true for other malware samples that can use Edge to masquerade malicious actions (like BazarBacdoor, Androzek, etc.).

Ad 2. ASR has a reversed rule, which prevents Office processes to inject code into other processes (and another rule which prevents Office programs launching other programs). I googled and only found one recent case of code injection into Office this year. Do you mean it is hardly a problem for home users with ASR rules enabled and anti-documents exploit?

Yes.

Ad 3. Some apps available in Windows store like VLC Media players are often targeted (although I don't know whether these are true store-apps).

If I correctly recall the attacks were performed against desktop versions (not on UWP apps).

 

[ForgottenSeer 92963]

Key-logger has to be active in the system (so the system is already infected). The same is true for other malware samples that can use Edge to masquerade malicious actions (like BazarBacdoor, Androzek, etc.).

So why do you add sponsors to firewall hardening? W'hen they call out the system is also infected. I don't understand why you are so opposed to the no frills security improvements of the Code Integrity Guard (for Microsoft programs when using Microsoft Defender as AV). I added a bunch. of vulnerable windows processes and it never gave any problems.

But lets agree to disagree. Thanks for your answers. I am happy with your hardening tools. I prefer them above the group policy editor (also with your tools and O&O shutup, the setup time for a PC has been reduced from two hours to less than 20 minutes).

 

[paulderdash]

Andy, just seeking confirmation ... I have MS 365 (with Office 365) and don't use Adobe, there would be no benefit in running Document Anti-Exploit tool in one of the 'ON' configurations?
Recommended to leave MS Office and Adobe settings OFF?

 

[Andy Ful]

Andy, just seeking confirmation ... I have MS 365 (with Office 365) and don't use Adobe, there would be no benefit in running Document Anti-Exploit tool in one of the 'ON' configurations?
Recommended to leave MS Office and Adobe settings OFF?

Do you have Exchange Online Protection (EOP) or Microsoft 365 Defender for Office subscription (P1 or P2)?

EOP	Microsoft Defender for Office 365 P1	Microsoft Defender for Office 365 P2
Prevents broad, volume-based, known attacks.	Protects email and collaboration from zero-day malware, phish, and business email compromise.	Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).

With EOP only you can consider using DocumentsAntiExploit tool. But, even without it, you can get strong protection of MS Office when using H_C on Recommended Settings + Defender (ConfigureDefender High settings) + FirewallHardening.

 

[Andy Ful]

So why do you add sponsors to firewall hardening? W'hen they call out the system is also infected.

Not necessarily. For example, some people cannot use the Adobe +VBA AntiExploit setting or DocumentsAntiExploit tool. This allows macros that can download payloads via several LOLBins. FirewallHardening settings can block this action and the system is not infected.

I don't understand why you are so opposed to the no frills security improvements of the Code Integrity Guard (for Microsoft programs when using Microsoft Defender as AV). I added a bunch. of vulnerable windows processes and it never gave any problems.

I am not opposed and I do not disagree with you. I would like to use CIG but simply, I do not know the consequences. The non-Chromium Edge (legacy now) had such anty-injection protection and this blocked many web browser extensions.
When we will know the impact of using CIG on edge.exe then I can consider CIG in ConfigureDefender.

 

[paulderdash]

Do you have Exchange Online Protection (EOP) or Microsoft 365 Defender for Office subscription (P1 or P2)?

EOP	Microsoft Defender for Office 365 P1	Microsoft Defender for Office 365 P2
Prevents broad, volume-based, known attacks.	Protects email and collaboration from zero-day malware, phish, and business email compromise.	Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).

With EOP only you can consider using DocumentsAntiExploit tool. But, even without it, you can get strong protection of MS Office when using H_C on Recommended Settings + Defender (ConfigureDefender High settings) + FirewallHardening.

I just have Microsoft 365 Family, so none of those business protection options.
But as you indicated, protection would probably suffice with config you describe (which are my current settings).

 

[ForgottenSeer 92963]

@paulderdash - In the past you used three anti-exec's. What security do you use at the moment?

 

[paulderdash]

@paulderdash - In the past you used three anti-exec's. What security do you use at the moment?

Hi Kees, I don't think I ever used 3 simultaneously! But I do like to play around ...
I have 6 Win OS's spread across 2 laptops (5 x Win10, 1 x Win11), with various combinations of security in each (Win11 just Defender).
Where I use H_C, it is standalone, except for Windows Firewall Control the only other security soft, which I am just checking out - hadn't used it before.
(Where I use OSA, I have Emsisoft, AdGuard - and HMPA also because I have licenses).

 

[ForgottenSeer 92963]

@paulderdash I did not realize you were using it in VM on different OS images

OSA + Emsisoft + HMPA = sufficient protection

Maybe try H_C on strict_recommended settings (but keep Run as Admin enabled) and Configure Defender on Max (using Microsofts whitelist) with WFC when you have so many OS in VM to play with

 

[paulderdash]

@paulderdash I did not realize you were using it in VM on different OS images

OSA + Emsisoft + HMPA = sufficient protection

Maybe try H_C on strict_recommended settings (but keep Run as Admin enabled) and Configure Defender on Max (using Microsofts whitelist) with WFC when you have so many OS in VM to play with

Thanks Kees, may give that a try ...
(OT, but my OS's are not in VM, but separate physical OS's using Terabyte BootIt-UEFI, with shared data partition. As I said, I like to play ... ).

 

[VladDracul]

Any idea why i am facing this error when i try to open Configur Defender?Thank you.

 

[oldschool]

Any idea why i am facing this error when i try to open Configur Defender?Thank you.

Because you're blocking PS in H_C. You may change the setting, but first have you read all the help files?

I haven't used it in a while so not sure how to adjust your settings. IIRC the PS setting is related to your choice of available built-in configurations.