Reldel1

Level 1
Yesterday I updated a machine with Windows 10 1803 to version 17134.112. This machine has never had Hard_Configurator installed on it. This morning I downloaded 4.0.0.0 and attempted to install it. SmartScreen allowed the download but throws up a blocking screen when I attempt to install it. This blocking screen does not offer any option to let me override it. Normally you could override the block, but I am stumped as to how to install 4.0.0.0. Any ideas?
Found the solution: I had to go into Windows Security Center, App & browser control, where I could turn off the SmartScreen check of apps. Then I could install Hard_Conf without a problem and then restart the SmartScreen check of apps. NOTE: SmartScreen was set to block app installs, so it was doing its job.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Found the solution, I had to go into Windows Security Center, App and Browser control where I could turn off SmartScreen check of APPS. Then I could install Hard_Conf without a problem and then restart SmartScreen check of APPs. NOTE: SmartScreen was set to block APP install, so it was doing its job.
You could alternatively set the SmartScreen setting to 'Warn' (the Defender default setting). (y)
 
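As an added example (not part of the thread, and not Hard_Configurator's own code), the following PowerShell session shows the two settings the posts above are talking about: the machine-wide SmartScreen-for-apps mode, and the Mark-of-the-Web on the downloaded installer that is what triggers the check in the first place. Instead of switching SmartScreen off globally, it verifies the installer's Authenticode signature and, only if that chain is valid, clears the mark on that one file. The installer path is an assumed placeholder; run it in an elevated Windows PowerShell 5.1 session on Windows 10 1803 or later.

```powershell
# Added example, not from the thread. Installer path is an assumption.
$Installer = "$env:USERPROFILE\Downloads\Hard_Configurator_Setup.exe"

# 1. The "Check apps and files" mode lives under the Explorer key: Block / Warn / Off.
$SsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$Mode  = (Get-ItemProperty -Path $SsKey -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
"SmartScreen for apps: $(if ($Mode) { $Mode } else { 'not set (defaults to Warn)' })"

# 2. A browser download carries a Zone.Identifier alternate data stream (ZoneId=3 = Internet).
#    SmartScreen evaluates a file at launch because of this mark; a file without it is not checked.
$Motw = Get-Content -Path $Installer -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($Motw) { "Mark-of-the-Web present:`n$($Motw -join "`n")" } else { 'No Mark-of-the-Web on file' }

# 3. Verify the signature chain before trusting the file. A signature that is merely present
#    is not enough; Status must be Valid and the signer must be who you expect.
$Sig = Get-AuthenticodeSignature -FilePath $Installer
"Signature status: $($Sig.Status); signer: $($Sig.SignerCertificate.Subject)"

# 4. If the chain checks out, clear the mark on this one file. SmartScreen stays in Block mode
#    for everything else, which is narrower than turning the check off in Security Center.
if ($Sig.Status -eq 'Valid') {
    Unblock-File -Path $Installer
    'Mark-of-the-Web removed for this file only.'
} else {
    'Signature not valid; leaving the Mark-of-the-Web in place.'
}

# 5. If you did lower the global mode in the UI, this is the value to restore afterwards:
# Set-ItemProperty -Path $SsKey -Name SmartScreenEnabled -Value 'Block'   # or 'Warn'
```

The Unblock-File route is exactly what a piece of malware would also like to do to its own payload, so the signature check in step 3 is the part that matters; do not apply it to a file whose signer you cannot account for.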

Andy Ful

Level 49
Verified
Trusted
Content Creator
So, we have the below propositions:
<Blocked events and other info>
<Blocked Events/Other Info>
<Windows Security Logs>
<Hardened Windows Logs>
or maybe:
<Blocked Events/Security Logs>
<Security Logs>
 

shmu26

Level 83
Verified
Trusted
Content Creator
It is information that the Defender Antimalware quick scan was started. If there are no other events, then the quick scan did not find malicious files. (y)
Windows Defender AV event IDs and error codes
I included this event in FullEventLogView to see if Defender works as usual.
I actually find the additional log events very helpful, because I can finally see what is being blocked by Controlled Folder Access.
 
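The event IDs being discussed can be pulled straight from the Defender operational log without a third-party viewer. The following is an added example (not from the thread and not FullEventLogView's or ConfigureDefender's code): it counts the last 24 hours of scan, detection, ASR and Controlled Folder Access events by ID, then lists the process and target path for each ASR/CFA event. The ID-to-meaning table is from Microsoft's published "Windows Defender AV event IDs" reference; the regex that pulls "Path:" and "Process Name:" out of the message text assumes the message layout of those events, so an unexpected layout shows "?" rather than a wrong value.

```powershell
# Added example, not from the thread. Queries the Defender operational log.
$Log   = 'Microsoft-Windows-Windows Defender/Operational'
$Names = @{ 1000 = 'scan started';  1001 = 'scan finished'; 1116 = 'malware detected'
            1121 = 'ASR blocked';   1122 = 'ASR audited'
            1123 = 'CFA blocked';   1124 = 'CFA audited' }

$Events = Get-WinEvent -FilterHashtable @{
              LogName   = $Log
              Id        = [int[]]$Names.Keys
              StartTime = (Get-Date).AddDays(-1)
          } -ErrorAction SilentlyContinue

if (-not $Events) { 'No matching Defender events in the last 24 hours.'; return }

# Per-ID summary. A lone 1000/1001 pair with nothing else is the "quick scan ran, found nothing" case.
$Events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    '{0,5}  x{1,-4} {2}' -f $_.Name, $_.Count, $Names[[int]$_.Name]
}

# Detail for ASR and CFA events: which process touched which path. Parsed from the message
# text (assumed layout: lines beginning "Path:" and "Process Name:") rather than by property
# index, because the property order differs between event IDs.
$Events | Where-Object Id -in 1121, 1122, 1123, 1124 | ForEach-Object {
    $m    = $_.Message
    $proc = if ($m -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { '?' }
    $path = if ($m -match '(?m)^\s*Path:\s*(.+?)\s*$')         { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $Names[$_.Id]
        Process = $proc
        Target  = $path
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The Process column is the one to look at when a CFA block seems to come from nowhere: it is the image that attempted the write, which is often a helper or updater rather than the application you launched.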

Andy Ful

Level 49
Verified
Trusted
Content Creator
I have some ideas about how to make use of Controlled Folder Access for protecting whitelisted folders in the User Space. One can add a folder whitelisted in SRP to the protected folders in Controlled Folder Access and exclude the executables in that folder. The malware cannot drop files, in the usual way, into such protected whitelisted folders, but the whitelisted/excluded applications can be run as usual.
 

shmu26

Level 83
Verified
Trusted
Content Creator
I have some ideas about how to make use of Controlled Folder Access for protecting whitelisted folders in the User Space. One can add a folder whitelisted in SRP to the protected folders in Controlled Folder Access and exclude the executables in that folder. The malware cannot drop files, in the usual way, into such protected whitelisted folders, but the whitelisted/excluded applications can be run as usual.
Sounds interesting.

Controlled Folder Access says it is protecting memory areas, too. That is a new feature, correct?
I am getting more blocks from Controlled Folder Access than I used to get. I think it is from the memory protection. And I suspect that some of the blocks should be ignored, like most of the memory blocks in AppGuard. But it is hard to know when to ignore them, and when not to.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Controlled Folder Access generates some memory-related alerts, but there is no documentation about its memory protection capabilities. I think that Controlled Folder Access protection can collide with many hard disk applications, so it is good to use the Audit setting first to recognize the potential problems.
 
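Putting the two suggestions above together (protect an SRP-whitelisted user-space folder with Controlled Folder Access while letting its executables run, and start in Audit mode before enforcing), here is an added PowerShell example. It is not from the thread and not Hard_Configurator's or ConfigureDefender's code; the whitelisted folder path is an assumption, and the cmdlets are the built-in Defender ones (Set-MpPreference / Add-MpPreference / Get-MpPreference). Run elevated.

```powershell
# Added example, not from the thread. Folder path is an assumption.
$WhitelistedFolder = "$env:USERPROFILE\Tools"   # a folder you have whitelisted in SRP
$Log = 'Microsoft-Windows-Windows Defender/Operational'

if (-not (Test-Path $WhitelistedFolder)) { throw "Folder not found: $WhitelistedFolder" }

# Executables that live in the folder and should keep working after protection is on.
$AllowedApps = Get-ChildItem -Path $WhitelistedFolder -Filter *.exe -Recurse |
               Select-Object -ExpandProperty FullName

# 1. Audit first: CFA logs event 1124 for every write it WOULD block, without blocking it.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Put the whitelisted folder under CFA. Nothing outside the allowed list can then drop,
#    overwrite or delete files in it, which also stops the allowed binaries being replaced.
Add-MpPreference -ControlledFolderAccessProtectedFolders $WhitelistedFolder

# 3. Allow the folder's own executables. CFA allow-listing is by full path, so this only
#    works as intended because step 2 keeps those paths from being swapped out.
if ($AllowedApps) { Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps }

# 4. Show the resulting state.
$p = Get-MpPreference
$ModeName = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }
"CFA mode        : $($ModeName[[int]$p.EnableControlledFolderAccess])"
"Protected extra : $($p.ControlledFolderAccessProtectedFolders -join '; ')"
"Allowed apps    : $($p.ControlledFolderAccessAllowedApplications -join '; ')"

# 5. After running the machine normally for a while, review the would-be blocks. Each 1124
#    whose process you recognise needs an allow entry (or the folder should not be protected);
#    only when that list is clean switch to enforcement.
$Audited = @(Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 1124 } -ErrorAction SilentlyContinue)
"Would-be blocks logged so far: $($Audited.Count)"
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

The allowed-application list is matched on the path of the image that performs the write, not on whatever process launched it, which is why a helper or updater inside the same folder shows up as a separate 1124 entry and needs its own allow entry.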

shmu26

Level 83
Verified
Trusted
Content Creator
Controlled Folder Access generates some memory-related alerts, but there is no documentation about its memory protection capabilities. I think that Controlled Folder Access protection can collide with many hard disk applications, so it is good to use the Audit setting first to recognize the potential problems.
Sometimes the blocks are tricky. It seems to block even if the parent process is not whitelisted, but it doesn't tell you the parent process. A couple of times I had to check the logs and find out what the parent process was, and whitelist it too.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
I noticed that the OneDriveSetup application is whitelisted in Controlled Folder Access by default. This can be exploited to bypass Controlled Folder Access, so OneDriveSetup.exe should be protected by additional Exploit Guard mitigations.
Furthermore, the OneDrive folder is writable as a standard user, so malware can simply kill/replace the OneDrive executable to obtain persistence without changing the Windows Registry. This can be mitigated by adding the OneDrive application folder to the protected folders in Controlled Folder Access.
 
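The two mitigations suggested in the post above can be applied from PowerShell. The following is an added example, not from the thread and not Hard_Configurator's code: it sets Exploit Guard per-process mitigations for OneDriveSetup.exe (including disallowing child processes, which is the capability a CFA allow-listed updater would be abused for), puts the per-user OneDrive application folder under Controlled Folder Access, and then checks that the OneDrive.exe the logon Run entry points at is still the signed Microsoft binary. The OneDrive install location under %LOCALAPPDATA% is the usual default and is assumed here; run elevated on Windows 10 1709 or later, where Set-ProcessMitigation exists.

```powershell
# Added example, not from the thread. Paths assume the default per-user OneDrive install.
$OneDriveDir = "$env:LOCALAPPDATA\Microsoft\OneDrive"
$OneDriveExe = Join-Path $OneDriveDir 'OneDrive.exe'

# 1. Exploit Guard mitigations for the image name, stored in the registry and applied to
#    every new instance of OneDriveSetup.exe regardless of where it is launched from.
Set-ProcessMitigation -Name OneDriveSetup.exe -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, `
    HighEntropy, BlockRemoteImageLoads, BlockLowLabelImageLoads, DisallowChildProcessCreation
'Child-process policy now set for OneDriveSetup.exe:'
Get-ProcessMitigation -Name OneDriveSetup.exe | Select-Object -ExpandProperty ChildProcess

# 2. Protect the user-writable application folder, so a standard-user process cannot
#    overwrite OneDrive.exe and ride the existing Run entry for persistence.
Add-MpPreference -ControlledFolderAccessProtectedFolders $OneDriveDir

# 3. Integrity check of what is there now: valid chain AND a Microsoft signer.
$sig      = Get-AuthenticodeSignature -FilePath $OneDriveExe
$signedOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'CN=Microsoft Corporation')
"OneDrive.exe signature : $($sig.Status) / $($sig.SignerCertificate.Subject)"

# 4. The logon autostart: confirm it still points at the expected path. A replaced binary
#    at the same path passes this check but fails step 3; a redirected entry fails this one.
$run    = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name OneDrive -ErrorAction SilentlyContinue
$runCmd = if ($run) { $run.OneDrive } else { '' }
$runOk  = $runCmd -like "*$OneDriveExe*"
"Run entry              : $runCmd"

if ($signedOk -and $runOk) { 'OneDrive autostart is the signed Microsoft binary at the expected path.' }
else                        { 'WARNING: OneDrive autostart or binary does not look as expected; investigate before relying on it.' }
```

Two caveats. OneDrive updates itself by writing into this same folder, so after step 2 watch for 1123 events from the OneDrive updater and decide whether to allow that image or accept manual updates. And because OneDriveSetup.exe is allow-listed in CFA by default, DisallowChildProcessCreation is the mitigation that actually closes the door on using it as a launcher; the memory-hardening flags are defence in depth for the setup binary itself.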

Andy Ful

Level 49
Verified
Trusted
Content Creator
With AppGuard, you do not need Hard_Configurator. You can use ConfigureDefender, but it is necessary to turn off AppGuard protection until you finish configuring Defender. AppGuard will block the PowerShell cmdlets which Microsoft intends for configuring the advanced Defender settings.
The WD settings configured by ConfigureDefender are compatible with AppGuard, and this configuration is stronger in some aspects.
WD + AppGuard (both in default settings) can give the users a decent protection, so adding something more will be OK only for slightly paranoid users.
 

shmu26

Level 83
Verified
Trusted
Content Creator
Hello

I remember it was advised that I didn't need the WD config program with AppGuard. Does that hold true for this program?

Thanks
If you want to add a long list of vulnerable processes to be protected, and you don't feel like manually configuring AppGuard for that, you could use Hard_Configurator instead.
It works a little differently, though. It will only block the vulnerables when they run with standard permissions, not when they run with elevated permissions. This has a certain advantage: it interferes less with valid system processes and program processes, so you can safely block some vulnerables that would be problematic in AppGuard.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Adding a long list of vulnerable processes via <Block Sponsors> is usually not required if one can properly adjust Guarded Applications in AppGuard. The idea is to protect, via the Guarded Applications feature, all those applications which can be abused to run vulnerable processes. Some applications (like MS Word) are protected in AppGuard by default.
If the above is not possible in AppGuard because the user needs all features of the application (a few may not be functional when guarded), then blocking vulnerable processes via Hard_Configurator <Block Sponsors> can be considered.
Before adding Hard_Configurator to AppGuard protection, I would suggest replacing the conflicting application with another one which can be both usable and guarded by AppGuard.
Generally, using AppGuard with Hard_Configurator makes the setup complicated.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
It seems that users should add the SETTINGCONTENT-MS file extension to the Designated File Types list.
enigma0x3
I did not test it with all ASR rules, but there is a clever way to bypass some ASR rules to execute cmd.exe via a malicious SETTINGCONTENT-MS file with a reference to the AppVLP executable (used in MS Office for Application Virtualization).
Edit
I checked the POC and it is clear that a SETTINGCONTENT-MS file can run cmd.exe without any help from MS Office. It can also be used as a replacement for LNK files to run malware.
 
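Two defensive steps follow from the post above, and the added PowerShell example below does both. It is not from the thread and is not enigma0x3's POC or Hard_Configurator's code. First it adds SETTINGCONTENT-MS to the SRP Designated File Types in the policy registry key, so a default-deny SRP treats such files as executable content; the exact value format under that key (extension as both value name and data) is an assumption based on how Group Policy writes the list. Second it parses .SettingContent-ms files and flags any whose <DeepLink> launches something other than a Settings page or control.exe, which is the shape of the public abuse; the sample file is constructed here and only runs calc.exe if something actually opens it. Run elevated; Defender may flag the sample on write, which is itself a useful signal.

```powershell
# Added example, not from the thread. SRP value format and sample file are constructed.

# (a) Designated File Types for SRP: one REG_SZ value per extension under the policy key.
$FileTypes = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\FileTypes'
if (-not (Test-Path $FileTypes)) { New-Item -Path $FileTypes -Force | Out-Null }
New-ItemProperty -Path $FileTypes -Name 'SETTINGCONTENT-MS' -Value 'SETTINGCONTENT-MS' `
                 -PropertyType String -Force | Out-Null
"Designated file types now: $((Get-Item $FileTypes).GetValueNames() -join ', ')"

# (b) Detection. A legitimate file deep-links to an ms-settings: URI or to control.exe;
#     the abuse puts an arbitrary command line there and Explorer executes it on open.
function Test-SettingContentFile {
    param([Parameter(Mandatory)][string]$Path)
    try   { [xml]$doc = Get-Content -Path $Path -Raw -ErrorAction Stop }
    catch { return [pscustomobject]@{ File = $Path; DeepLink = '(unparseable)'; Suspicious = $true } }

    # PowerShell's XML adapter ignores the namespace, so dotted navigation works as-is.
    $link   = [string]$doc.PCSettings.SearchableContent.ApplicationInformation.DeepLink
    $benign = '^\s*(ms-settings:|%windir%\\system32\\control\.exe\b)'
    [pscustomobject]@{
        File       = $Path
        DeepLink   = $link
        Suspicious = -not ($link -match $benign)
    }
}

# Constructed sample with the malicious shape: DeepLink is a cmd.exe command line.
$Sample = Join-Path $env:TEMP 'sample.SettingContent-ms'
@'
<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
'@ | Set-Content -Path $Sample -Encoding UTF8

Test-SettingContentFile -Path $Sample        # Suspicious = True for the sample

# Sweep the usual landing places for real ones.
Get-ChildItem -Path "$env:USERPROFILE\Downloads", "$env:TEMP" -Filter *.SettingContent-ms -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SettingContentFile -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

The SRP entry only has an effect where SRP is actually enforcing (for example Hard_Configurator's default-deny), and the parser is a defence-in-depth check rather than a replacement for the later Microsoft fix mentioned further down the thread; it is cheap to run over a Downloads folder and catches the LNK-replacement use of the format that the post describes.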

shmu26

Level 83
Verified
Trusted
Content Creator
It seems that users should add the SETTINGCONTENT-MS file extension to the Designated File Types list.
enigma0x3
I did not test it with all ASR rules, but there is a clever way to bypass some ASR rules to execute cmd.exe via a malicious SETTINGCONTENT-MS file with a reference to the AppVLP executable (used in MS Office for Application Virtualization).
The ASR rule for blocking active content will still protect, even if SETTINGCONTENT-MS bypasses the rule for child processes.
Anyway, Microsoft patched this. See the discussion here: Bypassing Windows Defender Exploit ASR Rules