Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
I have just finished a quick test of Smart App Control on Windows 11 (Insider). It is much more useful than I thought.
After downloading 30 fresh applications from Softpedia it gave slightly fewer false positives compared to Norton 360, Windows SmartScreen, or Defender ASR prevalence rule.

I compiled a fresh & unsigned version of ConfigureDefender to see what will happen:

1655766985519.png



In my test, the digitally signed applications were installed & run without issues (except for two events). A few installations were blocked (some were partially blocked).:

1655767201898.png


The cons (for some people) can be that the blocked installer or application cannot be allowed/whitelisted/excluded by the user. It can be only submitted to Microsoft as a false positive in the Smart App Control category. For now, Smart App Control cannot be temporarily turned off.
It would be interesting to test Defender + Smart App Control in Malware Hub.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
H_C is for Win 10 only ?
because I'm on Win 11
It has never been for Windows 10 only. As you can see in the help files it is for Windows Vista, 7, and 8+.
Please read the "What_is_new.txt" (it is displayed after installing H_C) for changelog details.
There is no difference in how the H_C works on Windows 10 and 11.
 
Last edited:

sypqys

Level 2
Apr 18, 2022
74
It has never been for Windows 10 only. As you can see in the help files it is for Windows Vista, 7, and 8+.
Please read the "What_is_new.txt" (it is displayed after installing H_C) for changelog details.
There is no difference in how the H_C works on Windows 10 and 11.
Ok it is an another french NAS forum which someone said me that...
Thanks !
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
Ok it is an another french NAS forum which someone said me that...
Thanks !
Why ask on forums? Are the H_C website info, H_C help files and manual as bad? :unsure::)

1655824248812.png


Edit.
I know that many people do not read easily the manuals in English, so it is easier for them to ask someone. (y)
 
Last edited:

sypqys

Level 2
Apr 18, 2022
74
Why ask on forums? Are the H_C website info, H_C help files and manual as bad? :unsure::)

View attachment 267624

Edit.
I know that many people do not read easily the manuals in English, so it is easier for them to ask someone. (y)
No, I ask on NAS forum why I don't access at my NAS. And, I have "disable SMB" on "???" H_C settings. And when I was found that, I said that, why. And someone, say me that H_C its only create for Win 10 and that the reason why I demand it there.

Thats the reason why.

I completely forget this option, and on "???" its ON123 I guess for me.
I put on ON1 and the issue is resolve.

(sorry for my bad english)
 
  • Like
Reactions: plat and Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
...
I put on ON1 and the issue is resolve.

Is your NAS problem solved?
If you can see "????" setting then it is a non-standard setting that was not set by the H_C. The H_C just read it from the registry but could not recognize it as the standard one. The H_C Recommended Settings do not change the SMB settings.

You have three options in H_C related to SMB. Start from SMB123 and restart the computer if NAS works then OK. If not then use SMB1 setting. If both do not work then use the OFF setting. If NAS does not work with the OFF setting then the issue is not related to the H_C.

Anyway, you can also Switch OFF the H_C protection (it is simple), restart the computer, and see if NAS works or not. If not, then you have a problem that can be solved on NAS forums.
 
Last edited:

sypqys

Level 2
Apr 18, 2022
74
Is your NAS problem solved?
If you can see "????" setting then it is a non-standard setting that was not set by the H_C. The H_C just read it from the registry but could not recognize it as the standard one. The H_C Recommended Settings do not change the SMB settings.

You have three options in H_C related to SMB. Start from SMB123 and restart the computer if NAS works then OK. If not then use SMB1 setting. If both do not work then use the OFF setting. If NAS does not work with the OFF setting then the issue is not related to the H_C.

Anyway, you can also Switch OFF the H_C protection (it is simple), restart the computer, and see if NAS works or not. If not, then you have a problem that can be solved on NAS forums.
Yes it is resolve. Because I have put on ON1 and only SMB 2 and 3 are active...
Because SMB 1.0 is bad for the ransomware risk...
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
Yes it is resolve. Because I have put on ON1 and only SMB 2 and 3 are active...
Because SMB 1.0 is bad for the ransomware risk...
All SMB protocols can be vulnerable in some way, but SMB 1.0 is the most attacked. Anyway, If your NAS uses SMB 2&3, then these protocols must be enabled.
 

SecureKongo

Level 29
Verified
Top poster
Well-known
Feb 25, 2017
1,846
I have just finished a quick test of Smart App Control on Windows 11 (Insider). It is much more useful than I thought.
After downloading 30 fresh applications from Softpedia it gave slightly fewer false positives compared to Norton 360, Windows SmartScreen, or Defender ASR prevalence rule.

I compiled a fresh & unsigned version of ConfigureDefender to see what will happen:

View attachment 267619


In my test, the digitally signed applications were installed & run without issues (except for two events). A few installations were blocked (some were partially blocked).:

View attachment 267621

The cons (for some people) can be that the blocked installer or application cannot be allowed/whitelisted/excluded by the user. It can be only submitted to Microsoft as a false positive in the Smart App Control category. For now, Smart App Control cannot be temporarily turned off.
It would be interesting to test Defender + Smart App Control in Malware Hub.
Do you think that that feature will require a fresh install even in the final version? I doubt that many people will take advantage of it if it requires a fresh install.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
Do you think that that feature will require a fresh install even in the final version? I doubt that many people will take advantage of it if it requires a fresh install.
It is early-stage in Insider, so everything is possible. The current version is not practical.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
Smart App Control (SAC) is a similar idea to Forced SmartScreen (FS), already applied in the H_C. But there is an important difference. SAC can block the downloaded application installers with MOTW and also any executable (EXE, DLL, MSI, etc.) dropped to disk (no MOTW). FS can block only executables with MOTW (mostly application installers downloaded via web browser). So, SAC can be more robust when the system is already compromised (via malware or exploit).

if SAC would be more practical, then it could replace FS. But, this would require that SAC's alerts should behave similarly to the SmartScreen alerts. So, the user could choose to allow the execution, and the execution could be controlled by the system policy.
One could use the H_C Basic_Recommended_Settings + SAC (or SWH + SAC) to get similar but more usable protection as with the H_C Strict_Recommended_Settings.
Anyway, such a configuration would not be as usable as the H_C Recommended_Settings. The Forced SmartScreen allows almost all software auto-updates because they are downloaded without MOTW, so they are ignored by SmartScreen. On the contrary, the SAC blocks are independent of MOTW, so it can still block many software auto-updates, especially when the software is not digitally signed. But, this would not be a serious issue for digitally signed applications (except those with low reputation or prevalence).

Edit.
SAC can also block many fileless attacks that use DLL hijacking or standard DLL injections. So in the home environment, it could be very good protection even without H_C or SWH. Of course, some advanced techniques realized via scripts (custom DLL loaders, process hollowing, shell code injections, etc.) are not covered by SAC - but these methods are uncommon in widespread attacks.
 
Last edited:

wat0114

Level 7
Verified
Well-known
Apr 5, 2021
321
@Andy Ful

I see in the article below:


it mentions to include psm1 as a designated file type when using SRP to enforce PowerShell CLM, but in the H_C file types I don't see that one:

PS designated file types.png

If I try adding more PowerShell script file types, psm1 is not offered. I'm sure there's a perfectly valid reason for this, but I'm just curious as to why it isn't included.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
@Andy Ful

I see in the article below:

https://4sysops.com/archives/mitigating-powershell-risks-with-constrained-language-mode/

it mentions to include psm1 as a designated file type when using SRP to enforce PowerShell CLM, but in the H_C file types I don't see that one:

The list was created several years ago. Now, adding other PowerShell extensions except PS1 is not necessary on Windows Home and Pro:
  1. The user cannot accidentally run any PowerShell file. Windows built-in default settings will force opening it in the notepad or the file will not be opened at all (extension not registered).
  2. The PSM1 files do not support the "Run with PowerShell" option in the right-click Explorer context menu.
The PSM1 script can be run by using CmdLine, but this cannot be blocked by adding PSM1 extension to <Designated File Types>. The author uses a config related to Enterprises, where the default Windows PowerShell settings are different.

Finally, Hard_Configurator blocks by default all possible PowerShell scripts (also PSM1) not by SRP, but via the <Block PowerShell Scripts> option from the H_C right panel.
I could add the PSM1 extension, but I did not test it, so I do not know how this could impact the users who skipped the <Block PowerShell Scripts> option. The PSM1 files are for PS1 files like DLLs for EXE files. The PSM1 modules are used to store functions that can be imported by PS1 scripts.
 
Last edited: