Hard_Configurator - Windows Hardening Configurator

Nagisa

Level 7
Verified
Jul 19, 2018
342
Defender sends only the samples it deemed to be interesting, AFAIK. So, setting cloud blocking level to "zero tolerance" is not as effective as enabling the ASR rule named "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", right? Just wondering how much effective the latter one is against truly unknown malware.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Defender sends only the samples it deemed to be interesting, AFAIK. So, setting cloud blocking level to "zero tolerance" is not as effective as enabling the ASR rule named "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", right? Just wondering how much effective the latter one is against truly unknown malware.
Yes.
Defender uses this ASR rule to prevent polymorphic threats, which are unknown yet to the cloud backend.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Andy Ful

is there a way to disable privileged execution\admin bypass of sponsor blocking in admin account :unsure:

iirc the ability to run sponsors as admin is controlled by a registry key but i cannot remembeer the key :emoji_beer:
If you will run Hard_Configurator with "-p" switch, then this will force all current SRP restrictions to block also Administrators. I included a special section about this in the manual.(y)
Running H_C normally will switch SRP to standard restriction mode.
 
F

ForgottenSeer 69673

Can this program also give back admin rights? Even yjough I am logged in as Admin, I can not run any Msc command.
I have UAC set to off, Ran sfc /r chkdsk ect. I still get blocked

ScreenHunter_147 Jan. 10 05.35.jpg
 
Last edited by a moderator:
  • Like
Reactions: [correlate]

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
@Andy Ful Hi maybe you can help me why network protection is working in that way.

Windows 10 21H2, HC 6.0.0.0 (the inbuild Configure Settings on High + "block unless reputation age is ok"). Adguard Desktop 7.8 with Adguard DNS enabled.
When I have network protection on "audit" I see one DNS server listed (the one from adguard)
When I have network protection on "on" I see one DNS server (the one from adguard) listed plus a dozen from my ISP
The only difference was network protection on/audit nothing else was changed.
I haven't touched the service for network protection in any other way then using your on/audit switch followed by an reboot.


Any ideas?Network audit.jpgNetwork on.jpg
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Andy Ful Hi maybe you can help me why network protection is working in that way.

Windows 10 21H2, HC 6.0.0.0 (the inbuild Configure Settings on High + "block unless reputation age is ok"). Adguard Desktop 7.8 with Adguard DNS enabled.
When I have network protection on "audit" I see one DNS server listed (the one from adguard)
When I have network protection on "on" I see one DNS server (the one from adguard) listed plus a dozen from my ISP
The only difference was network protection on/audit nothing else was changed.
I haven't touched the service for network protection in any other way then using your on/audit switch followed by an reboot.


Any ideas?View attachment 263763View attachment 263764

No idea. In my case, I can see always one entry (either in Audit or ON setting).
Maybe some other users can check it, too (DNS leak test).
Did you inspect the other servers?
 
Last edited:
F

ForgottenSeer 92963

@Heki

Most ISP have rolled out or are rolling out IP6, so they might reset the router to their default values.

DNS can be set in Browser, Network Adaptor in Windows (of your PC) and in the Router, best to check all of IP4 and IP6 settings for correct DNS settings (AdGuard)

When all fails, try to set Adguard DNS IP addresses also in the router for IP4 and IP6 and in your browser for HTTPS over DNS

/K
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Heki

Most ISP have rolled out or are rolling out IP6, so they might reset the router to their default values.

DNS can be set in Browser, Network Adaptor in Windows (of your PC) and in the Router, best to check all of IP4 and IP6 settings for correct DNS settings (AdGuard)

When all fails, try to set Adguard DNS IP addresses also in the router for IP4 and IP6 and in your browser for HTTPS over DNS

/K

The problem is how Defender Network Protection can be involved.:unsure:
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
@Andy Ful What do you mean with "inspect the other servers"? I tried some others from the default ones Adguard Desktop offered (even different protocols there like DOH, DOQ, DOT) same result for me.
@Kees1958 I have IP6 disabled under Ethernet property>networking (only Ip4 is checked all the rest is unchecked). The browser has no DNS selected and in the ISP router you can't really change anything.
I didn't change anything browser/router related between the two results only the on/audit toggle.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Andy Ful What do you mean with "inspect the other servers"?

The test shows the IP of the server. You can use it to identify the company behind an IP address and several other details:

By the way, I have repeated this test several times without changing Defender settings, and the results are not the same. In the beginning, I got one server, but after some time I can see even 7 servers with different IPs.
 
  • Like
Reactions: Freki123

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
The test shows the IP of the server. You can use it to identify the company behind an IP address and several other details:
I checked the IP (via the website you linked)
"Audit" results = only Adguard Server shown
"On" results = Adguard server and a random amount of ISP servers (the IP shown clearly belong to them your website tells me).
Even when I recheck like 6 times "audit" is still only the Adguard server. While "on" may change the amount of ISP servers (like 7-12 or so) but they are still there and the adguard server of course.

Andy how big is the increase in security when I run "on" instead of "audit"? Is it like 5% or 50% :D?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
...
Andy how big is the increase in security when I run "on" instead of "audit"? Is it like 5% or 50% :D?

Normally any website can see your IP if it needs. I think that the test on dnslinktest.com makes sense only when you use anonymity or privacy service (like VPN).
  • If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data.


See also:

If the Network Protection (NP) is set to Audit, then it does not protect anything but only checks the URL and writes the information to the Log about connections with malicious URLs. If there is any difference on dnsleaktest.com then it can follow from the fact that Defender can block some URLs when NP is set to ON. I am not sure if the Defender's telemetry is the same or slightly different when using ON or Audit mode.
 
Last edited:

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
@Kees1958 Just did that: I added Adguard DNS over HTTPS setting in FF. The leaktest shows only ONE server (which belongs to adguard)Untitled.jpg
It shows one server now with Network protection "on".
When I want to do it for the global OS it also works when I enter the Adguard Dns Crypt IP under IP4 in ethernet (one server with network protection "on").

Edit:
Afaik the DNS leaktest should also work for DNS leaks when you change your DNS. When I see my ISP name in the results something is broken. An encrypted DNS shouldn't show that. At least that's the way I understood it. And when it works it does exactly that (show only servers from the chosen DNS provider in the results and not my ISP name at all)
I know it's not an VPN I just want like my ISP enough to not use another DNS that's not theirs.
I never thought I would have to use redundancy's (in different places of the OS) when I use DNS Servers. I thought I just activate it (e.g. in Adguard Desktop) and be done with it.

Thank you both for your time and help.
 
Last edited:

normalizerx

Level 2
Oct 9, 2012
124
Hello, Andy Ful and thank you for your efforts and the very useful tools you're making. I have a question - at the moment I'm using H_C with WD and Configure defender set to high. Will I lose much protection if I replace WD with ESET (AV only) and keep H_C, as I know that Configure defender works only with WD active.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Hello, Andy Ful and thank you for your efforts and the very useful tools you're making. I have a question - at the moment I'm using H_C with WD and Configure defender set to high. Will I lose much protection if I replace WD with ESET (AV only) and keep H_C, as I know that Configure defender works only with WD active.
Do you use MS Office?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top