Discuss Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

It is worth to know, that pressing the green button <Switch OFF/ON SRP> changes SRP 'Default Security Level' to Unrestricted, and this works even without using <APPLY CHANGES> button. This should allow most updates in the User Space without refreshing the Explorer. Refreshing the Explorer is required to turn OFF other SRP features like: <Block Sponsors>, <Protect Windows Folder>, and <Protect Shortcuts> which usually is not required when updating applications in the User Space.

 

[shmu26]

It is worth to know, that pressing the green button <Switch OFF/ON SRP> changes SRP 'Default Security Level' yo Unrestricted, and this works even without using <APPLY CHANGES> button. This should allow most updates in the User Space without refreshing the Explorer. Refreshing the Explorer is required to turn OFF other SRP features like: <Block Sponsors>, <Protect Windows Folder>, and <Protect Shortcuts> which usually is not required when updating applications in the User Space.

That's good to know, thanks

 

[Andy Ful]

Hard_Configurator ver. 4.0.0.0 is available on GitHub:
For Windows 64-bit: AndyFul/Hard_Configurator
For Windows 32-bit: AndyFul/Hard_Configurator
.
Hard_Configurator executables are whitelisted by Microsoft, Emsisoft, Symantec, and Avast. They are not accepted by SmartScreen, yet.
.
The EXE files can be allowed in Hard_Configurator when Avast is installed and uses the file reputation cloud for them (that is the way how Avast works in Hardened Aggressive mode). So, Hard_Configurator + Avast Hardened Aggressive mode can work as default-deny security. The user can simply load the appropriate setting profile (depending on Windows version): WIndows_7_Avast_Hardened_Mode_Aggressive (also for Windows Vista) or WIndows_8_Avast_Hardened_Mode_Aggressive, or WIndows_10_Avast_Hardened_Mode_Aggressive.
.
The new version has also integrated ConfigureDefender tool, and the events blocked by Defender can be viewed similarly to SRP events when using <Tools><View Blocked Events>.
<ConfigureDefender> option is available only when Windows Defender is the main AV in the system.
.
I also added the option <Documents Anti-Exploit> that works as follows:

• In MS Office, the below settings are applied (up to MS Office 2016):
  Disabled Macros for MS Office XP, MS Office 2003, and higher versions (Excel, FrontPage, Outlook, PowerPoint, Publisher, and Word).
  Disabled DDE for Word 2010, and higher versions (requires Windows Update KB4011575, pushed in January 2018).
  Disabled auto-update for any linked fields (including DDE and OLE) in Word 2007, Excel 2007, Outlook 2007, One Note 2013 and higher versions. Links may be updated manually by the user.
  Disabled ActiveX or MS Office 2007, and higher versions.
  Disabled OLE for MS Office 2007, and higher versions (Word, Excel, PowerPoint).
• In Adobe Acrobat Reader XI/DC, all protective features are turned ON including AppContainer Mode for Adobe Acrobat Reader DC.

The full list of changes:
Version 4.0.0.0

1. Deinstallation of Hard_Configurator is available only from <Tools> <Uninstall Hard_Configurator>.
2. Added <Documents Ant-Exploit button> to block/unblock active content in MS Office and Adobe Acrobat Reader XI / DC.
3. Added <ConfigureDefender> button to run ConfigureDefender utility (installed with this package).
4. Added <Allow EXE files> button in 'Whitelist By Path' window. This feature allows all EXE files except ticked in <Block Sponsors>.
5. Added the Avast_Hardened_Mode_Aggressive profile to work with Avast, set to Hardened Aggressive mode.
6. Changed the name of the button <Run SRP/Scripts EventLogView> to <View Blocked Events>.
7. Extended the logged events in <View Blocked Events> to include Exploit Guard ASR, Controlled Folder Access, Network Protection, and Defender blocked/audited events.
8. Added some new paths to blacklist writable Windows subfolders.
9. Corrected the whitelisting of OneDrive executables.
10. Added the new versions of: Sysinternals Autoruns, NirSoft FullEventView, and 7-ZIP.
11. Recommended settings in ver. 4.0.0.0 are based on <Default Security Level> = 'Disallowed', as compared to <Default Security Level> = 'Basic User' used in the previous versions. The difference for the user will be visible only with the extended SRP protection for BAT and CMD files.
12. Added <Update> button to check/install the new Hard_Configurator versions.

 

[Av Gurus]

Super!
So, when Hard_Configurator is on the system there is no need for ConfigureDefender tool?
It's all in one?

 

[Andy Ful]

Super!
So, when Hard_Configurator is on the system there is no need for ConfigureDefender tool?
It's all in one?

Yes.
ConfigureDefender executable is located in Hard_Configurator folder and accessible from Hard_Configurator main window. The FullEventLogView in Hard_Configurator is also configured to filter Defender events from Windows Event Log (ASR, Controlled Folder Access, Network Protection, etc.).

 

[shmu26]

Looking good.
I like the additions to the sponsors list.

 

[shmu26]

Today I got a block. I don't know if it is really a block, because under the "level" tab, it says "information". Not sure what that means.

Windows Defender Antivirus scan has started.
Scan ID: {18A5CF64-E1D2-49DC-9E1D-11A8F9B69290}
Scan Type: Antimalware
Scan Parameters: Quick Scan
Scan Resources:
User: NT AUTHORITY\SYSTEM

Event Time Record ID Event ID Level Channel Provider Description Opcode Task Keywords Process ID Thread ID Computer User
06/12/18 8:24:58 AM.183 78315 1000 Information Microsoft-Windows-Windows Defender/Operational Microsoft-Windows-Windows Defender Windows Defender Antivirus scan has started.
Scan ID: {18A5CF64-E1D2-49DC-9E1D-11A8F9B69290}
Scan Type: Antimalware
Scan Parameters: Quick Scan
Scan Resources:
User: NT AUTHORITY\SYSTEM 0x8000000000000000 3832 16356 DESKTOP-ME NT AUTHORITY\SYSTEM

 

[Andy Ful]

Today I got a block. I don't know if it is really a block, because under the "level" tab, it says "information". Not sure what that means.

Windows Defender Antivirus scan has started.
Scan ID: {18A5CF64-E1D2-49DC-9E1D-11A8F9B69290}
Scan Type: Antimalware
Scan Parameters: Quick Scan
Scan Resources:
User: NT AUTHORITY\SYSTEM

Event Time Record ID Event ID Level Channel Provider Description Opcode Task Keywords Process ID Thread ID Computer User
06/12/18 8:24:58 AM.183 78315 1000 Information Microsoft-Windows-Windows Defender/Operational Microsoft-Windows-Windows Defender Windows Defender Antivirus scan has started.
Scan ID: {18A5CF64-E1D2-49DC-9E1D-11A8F9B69290}
Scan Type: Antimalware
Scan Parameters: Quick Scan
Scan Resources:
User: NT AUTHORITY\SYSTEM 0x8000000000000000 3832 16356 DESKTOP-ME NT AUTHORITY\SYSTEMView attachment 190457

It is an information that Defender Antimalware quick scan was started. If there are no other events, then quick scan did not found malicious files.
Windows Defender AV event IDs and error codes
I included this event in FullEventLogView to see if Defender works as usual.

 

[shmu26]

It is an information that Defender Antimalware quick scan was started. If there are no other events, then quick scan did not found malicious files.
Windows Defender AV event IDs and error codes

But why does this show up in TOOLS/"View Blocked Events"

 

[Andy Ful]

A few words about <Documents Anti-Exploit> feature. It can be especially useful on computers with Windows 8.1 (and prior versions + any AV) or on Windows 10 with a 3rd party AV.
On Windows 10 with Defender, the more usable solution is activating Defender ASR mitigations and using PDF viewer in App Container.
.
On default Windows account (default Administrator Account) <Documents Anti-Exploit> blocks:

1. VBA, OLE, DDE, and ActiveX in documents opened by MS Office;
2. the active content in documents opened by Acrobat Reader XI/DC.

On SUA, it blocks:

1. VBA in documents opened by MS Office;
2. the active content in documents opened by Acrobat Reader XI/DC.

The idea is making SUA more usable by skipping some MS Office restrictions, because:

• SUA has much stronger anti-exploit protection;
• OLE, DDE, and ActiveX can be well mitigated by SRP on SUA.

I am opened for other suggestions.

 

[Andy Ful]

But why does this show up in TOOLS/"View Blocked Events"

Nothing is perfect. I could not find the more appropriate name for this feature. Any suggestions?

 

[shmu26]

Nothing is perfect. I could not find the more appropriate name for this feature. Any suggestions?

So what is the best way to know if something was actually blocked, or if it is just "information"?

 

[Andy Ful]

So what is the best way to know if something was actually blocked, or if it is just "information"?

Generally, it can be seen by looking at the event icon or the entry in the 'Level' column:

• 'Information' icon means information (not actually blocked).
• 'Warning' icon means that something was blocked (restricted by administrator).

 

[Andy Ful]

Maybe the better name will be: <Blocked Events / Informations> ?

 

[shmu26]

Maybe the better name will be: <Blocked Events / Informations> ?

I suggest: "Logged Events"

 

[Andy Ful]

I suggest: "Logged Events"

This name looks too innocent and too general. You can log anything (like via Windows Event Log). The main purpose of this feature is avoiding problems with the events which can be blocked.
I added, by the way, a few useful events related to blocked ones, like changing Defender or PowerShell settings. The event Id = 1000 was initially related to blocked Windows Script Host policy, but FullEventLogView will show also this event number for Defender (An antimalware scan started) because both providers are included in the config of FullEventLogView. So, due to the way of FullEventLogView filtering, some events will be shown in the Log by an accident and not related to blocked events.

 

[shmu26]

This name looks too innocent and too general. You can log anything (like via Windows Event Log). The main purpose of this feature is avoiding problems with the events which can be blocked.
I added, by the way, a few useful events related to blocked ones, like changing Defender or PowerShell settings. The event Id = 1000 was initially related to blocked Windows Script Host policy, but FullEventLogView will show also this event number for Defender (An antimalware scan started) because both providers are included in the config of FullEventLogView. So, due to the way of FullEventLogView filtering, some events will be shown in the Log by an accident and not related to blocked events.

So how about this name:
"Block events and other info"

 

[Andy Ful]

So, we have two propositions:
<Blocked Events / Informations>
<Blocked events and other info>
.
Any further suggestions?

 

[shmu26]

So, we have two propositions:
<Blocked Events / Informations>
<Blocked events and other info>
.
Any further suggestions?

"Informations" with s at the end is not proper English

 

[Reldel1]

Yesterday I updated a machine with Windows 10, 1803 to 17134.112 version. This machine has never had a Hard_Configurator installed on it. This morning I downloaded 4.0.0.0 and attempted to install. SmartScreen allowed the download but throws up a blocking screen when I attempt to install it. This blocking screen does not offer any option to allow me to override it. Normally you could override the block but I am stumped how to install 4.0.0.0. Any ideas?