Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

If you are going to check smart screen, you might as well check UAC when set to max as well.

Not in Hard_Configurator default-deny config. Any UAC bypass starts as standard user, and unknown applications are blocked by Hard_Configurator settings. If the user wants to run the application (even the malicious one) with higher rights he/she has to use SmartScreen, that also will block execution and prevent UAC bypass.
Still, the UAC is an additional mitigation against rare threats, that could exploit an installed application (document viewer/editor).

 

[silversurfer]

But, Malware Hub is something more than a simple comparison of AV detection results. It also allows recognizing the weak points in security solutions and helps to improve the home users security.
For this reason, it would be interesting to keep the test in the same thread with other AV solutions (for some time). Then we would see on the same pule of samples, how the simple AV improvements (like restricting scripts) could make some AVs stronger.

Well said @Andy Ful
We need more participants in the Malware Hub, so every tester should be allowed to pick the product they want to test IMO, except for too many products of the same vendor! I don't know the opinion of the other AV-Testers...

 

[Andy Ful]

@askalan
I can recommend you the below setup for testing:

1. SoftMaker Office
2. SmatraPdf + additional INI file - can block the access to: Internet, files on disk, Windows Registry.
3. Hard_Configurator recommended settings.

Using SoftMaker Office (or another editor instead of MS Office) and SumatraPdf (instead of Adobe Acrobat Reader), is recommended for the security reasons.
I think that with activated Defender on Windows 10 FCU+, the user could also use MS Office, when Defender ASR is also activated.
.
The above setup, belongs to another security class than standard AVs, so maybe it should be called: Highly Restricted.

 

[Solarquest]

Well said @Andy Ful
We need more participants in the Malware Hub, so every tester should be allowed to pick the product they want to test IMO, except for too many products of the same vendor! I don't know the opinion of the other AV-Testers...

+1

 

[Andy Ful]

Successfully upgraded to Windows ver. 1803, with Hard_Configurator recommended settings and <Block Sponsors> (all 57 vulnerable system executables blocked by SRP).
All Hard_Configurator features work well. 'Run As SmartScreen' and 'Run By SmartScreen' also work and force the SmartScreen Check.
But, SmartScreen for Explorer seems to be blocked for some reason in Windows ver. 1803 so the final check is not done.

 

[shmu26]

I need help backing up my profile.
I saved a whitelist, but when I go to "Export Profiles", it is empty. It doesn't find my profile.
What am I doing wrong?
See screenshot

 

[Andy Ful]

I need help backing up my profile.
I saved a whitelist, but when I go to "Export Profiles", it is empty. It doesn't find my profile.
What am I doing wrong?
See screenshotView attachment 188531

You want to export profiles, so you should simply write the name of the backup file. Then it will be created and the exported profiles will be contained in this file. The backup will contain all saved profiles. After creating the backup, you can see what profiles are contained in it by using the option 'List Profiles in Backup'.
I know what your problem is. You want to see/choose saved profiles and next backup only some of them. But, this option makes the global backup of all saved Setting Profiles and all saved Whitelist Profiles into one encrypted backup file.
Some time ago I made video clips, you can look at the second one:
Hard_Configurator - Windows Hardening Configurator

 

[shmu26]

You want to export profiles, so you should simply write the name of the backup file. Then it will be created and the exported profiles will be contained in this file. The backup will contain all saved profiles. After creating the backup, you can see what profiles are contained in it by using the option 'List Profiles in Backup'.
I know what is your problem. You want to see/choose saved profiles and next backup only some of them. But, this option makes the global backup of all saved Setting Profiles and all saved Whitelist Profiles into one encrypted backup file.
Some time ago I made video clips, you can look at the second one:
Hard_Configurator - Windows Hardening Configurator

Got it, thanks.

 

[Andy Ful]

In the new Hard_Configurator version 4.0.0.0, the list of blocked sponsors was extended to 91 entries (based on the Bouncer blacklist from February 2018). Next, I tested the Recommended settings + blocked sponsors (full list) against the fresh installation of Windows 7 SP1 (Home Premium 64-bit) + over 200 updates.
I noticed two warnings related to blocking Regsvr32.exe by SRP, but the OS managed to update successfully.

 

[Daniel Keller]

Sounds great Andy,

when will the open beta start?

 

[Andy Ful]

I will push the new version in Jun or July. Here is the changelog for the version 4.0.0.0:
0. Deinstallation of Hard_Configurator is available only from <Tools> <Uninstall Hard_Configurator>.
1. Added <Documents Ant-Exploit button> to block/unblock active content in MS Office and Adobe Acrobat Reader XI / DC.
2. Added <ConfigureDefender> button to run ConfigureDefender utility.
3. Added <Allow EXE files> button in 'Whitelist By Path' window. This feature allows all EXE files except ticked in <Blocked Sponsors> - can be used with Avast set to Hardened Aggressive mode.
4. Added the Avast_Hardened_Mode_Aggressive profile to work with Avast set to Hardened Aggressive mode.
5. Changed the name of the button <Run SRP/Scripts EventLogView> to <View Blocked Events>.
6. Extended the logged events in <View Blocked Events> to include Exploit Guard ASR, Controlled Folder Access, Network Protection, and Defender blocked/audited events.
7. Added some new paths to blacklist writable Windows subfolders.
8. Corrected the whitelisting of OneDrive executables.
9. Added the new versions of: Sysinternals Autoruns, NirSoft FullEventView, and 7-ZIP.
10. Recommended settings in ver. 4.0.0.0 are based on <Default Security Level> = 'Disallowed', as compared to <Default Security Level> = 'Basic User' used in the previous versions. The difference for the users will be visible only with the extended SRP protection for BAT and CMD files.
11. Added <Update> button to check/install the new Hard_Configurator versions.

 

[shmu26]

I will push the new version in June or July. Here is the changelog for the version 4.0.0.0:
0. Deinstallation of Hard_Configurator is available only from <Tools> <Uninstall Hard_Configurator>.
1. Added <Documents Ant-Exploit button> to block/unblock active content in MS Office and Adobe Acrobat Reader XI / DC.
2. Added <ConfigureDefender> button to run ConfigureDefender utility.
3. Added <Allow EXE files> button in 'Whitelist By Path' window. This feature allows all EXE files except ticked in <Blocked Sponsors> - can be used with Avast set to Hardened Aggressive mode.
4. Added the Avast_Hardened_Mode_Aggressive profile to work with Avast set to Hardened Aggressive mode.
5. Changed the name of the button <Run SRP/Scripts EventLogView> to <View Blocked Events>.
6. Extended the logged events in <View Blocked Events> to include Exploit Guard ASR, Controlled Folder Access, Network Protection, and Defender blocked/audited events.
7. Added some new paths to blacklist writable Windows subfolders.
8. Corrected the whitelisting of OneDrive executables.
9. Added the new versions of: Sysinternals Autoruns, NirSoft FullEventView, and 7-ZIP.
10. Recommended settings in ver. 4.0.0.0 are based on <Default Security Level> = 'Disallowed', as compared to <Default Security Level> = 'Basic User' used in the previous versions. The difference for the users will be visible only with the extended SRP protection for BAT and CMD files.
11. Added <Update> button to check/install the new Hard_Configurator versions.

Awesome!

 

[In2an3_PpG]

Looking forward to it

 

[Deleted member 69059]

Really a great job @Andy Ful! About two months ago I was plannig to develop something like this (focused on inexperienced users) but all the features I planned to add to my software are present in Hard_Configurator (and with the time and updates It's seems to be more powerful and easier to use), so I can only say:

Keep up the good work! I hope this project continues to grow.

 

[Andy Ful]

Test of the extended sponsors' blacklist (91 entries, based on the Bouncer blacklist from February 2018).
Windows 64-bit Home Premium in VirtualBox.

1. Installed the fresh Windows 10 ver. 1703 (Creators Update) with OneDrive.
2. Installed Hard_Configurator ver. 4.0.0.0 with Recommended settings (including SRP) + <Block Sponsors> (all 91 entries).
3. Fully updated Windows (10 updates).
4. Upgraded to Windows ver. 1803.

No issues with blocked sponsors.
Anyway, I remember one Windows Update on Windows ver. 1709 (Fall Creators Update) when regsvr32.exe and mmc.exe were blocked.

 

[shmu26]

The refresh button, used after making changes, has a problem. The desktop goes black, but doesn't come back.

 

[Andy Ful]

The refresh button, used after making changes, has a problem. The desktop goes black, but doesn't come back.

REFRESH feature closes all instances of Explorer and runs Explorer again. Some programs, rely on Explorer session and closing it may cause the problem for them.
I have this issue two times over a year. It can be overcome by Ctrl-Alt-Delete, choosing 'Task Manager' and running explorer.exe from File menu.
I was thinking of removing REFRESH feature, but it is very convenient for advanced users. What do you think?

 

[shmu26]

I use Task Manager, like you said, because I always have problems with REFRESH. So for me, REFRESH is not useful. But if it works for others, it is very good.
Restarting Explorer is a much better option than signing out, because if a program is trying to update, and you sign out, it is hard to get the program to update again, because many programs will not try again until a day has gone by.

 

[Av Gurus]

I have no problem with refresh button

 

[Daniel Keller]

Refresh button is a good idea. On one certain PC it kills explorer every time, so I have to use the workaround Andy described but usually it works without problems.