Hard_Configurator - Windows Hardening Configurator

R

Reldel1

Level 2
Verified
Jun 12, 2017
50
Reldel1 said:
Yesterday I updated a machine with Windows 10, 1803 to 17134.112 version. This machine has never had a Hard_Configurator installed on it. This morning I downloaded 4.0.0.0 and attempted to install. SmartScreen allowed the download but throws up a blocking screen when I attempt to install it. This blocking screen does not offer any option to allow me to override it. Normally you could override the block but I am stumped how to install 4.0.0.0. Any ideas?
Click to expand...

Found the solution, I had to go into Windows Security Center, App and Browser control where I could turn off SmartScreen check of APPS. Then I could install Hard_Conf without a problem and then restart SmartScreen check of APPs. NOTE: SmartScreen was set to block APP install, so it was doing its job.
 
Last edited:
  • Like
Reactions: oldschool, Andy Ful and shmu26
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Reldel1 said:
Found the solution, I had to go into Windows Security Center, App and Browser control where I could turn off SmartScreen check of APPS. Then I could install Hard_Conf without a problem and then restart SmartScreen check of APPs. NOTE: SmartScreen was set to block APP install, so it was doing its job.
Click to expand...
You could alternatively set SmartScreen setting to 'Warn' (Defender default setting).(y)
 
  • Like
Reactions: simmerskool, oldschool, shmu26 and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
So, we have the below propositions:
<Blocked events and other info>
<Blocked Events/Other Info>
<Windows Security Logs>
<Hardened Windows Logs>
or maybe:
<Blocked Events/Security Logs>
<Security Logs>
 
  • Like
Reactions: simmerskool and oldschool
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
It is an information that Defender Antimalware quick scan was started. If there are no other events, then quick scan did not found malicious files.(y)
Windows Defender AV event IDs and error codes
I included this event in FullEventLogView to see if Defender works as usual.
Click to expand...
I actually find the additional log events very helpful, because I can finally see what is being blocked by Controlled Folder Access.
 
  • Like
Reactions: simmerskool, oldschool and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
I have some ideas about how to make use of Controlled Folder Access for protecting whitelisted folders in the User Space. One can add the whitelisted folder in SRP to protected folders in Controlled Folder Access and exclude executables in that folder. The malware cannot drop files, in the usual way, into such protected whitelisted folders but the whitelisted/excluded applications can be run as usual.
 
  • Like
Reactions: ForgottenSeer 85179, Av Gurus, silversurfer and 5 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
I have some ideas about how to make use of Controlled Folder Access for protecting whitelisted folders in the User Space. One can add the whitelisted folder in SRP to protected folders in Controlled Folder Access and exclude executables in that folder. The malware cannot drop files, in the usual way, into such protected whitelisted folders but the whitelisted/excluded applications can be run as usual.
Click to expand...
Sounds interesting.

Controlled Folder Access says it is protecting memory areas, too. That is a new feature, correct?
I am getting more blocks from Controlled Folder than I used to get. I think it is from the memory protection. And I suspect that some of the blocks should be ignored, like most of the memory blocks in AppGuard. But it is hard to know when to ignore, and when not to.
 
  • Like
Reactions: silversurfer, Tiny, oldschool and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Controlled Folder Access generates some memory-related alerts, but there is no documentation about its memory protection capabilities. I think, that Controlled Folder Access protection can collide with many hard disk applications, so it is good to use first the Audit setting to recognize the potential problems.
 
  • Like
Reactions: silversurfer, oldschool, Sunshine-boy and 2 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
Controlled Folder Access generates some memory-related alerts, but there is no documentation about its memory protection capabilities. I think, that Controlled Folder Access protection can collide with many hard disk applications, so it is good to use first the Audit setting to recognize the potential problems.
Click to expand...
Sometimes, the blocks are tricky. It seems to block even if the parent process is not whitelisted, but it doesn't tell you the parent process. A couple times I had to check logs and find out what the parent process was, and whitelist it too.
 
  • Like
Reactions: harlan4096, Andy Ful, silversurfer and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
I noticed that OneDriveSetup application is whitelisted in Controlled Folder Access by default. This can be exploited to bypass Controlled Folder Access, so OneDriveSetup.exe should be protected by the additional Exploit Guard mitigations.
Furthermore, the OneDrive folder is writable as standard user, so the malware can simply kill/replace OneDrive executable to obtain the persistence without changing Windows Registry. This can be mitigated by adding the OneDrive application folder to protected folders in Controlled Folder Access.
 
Last edited:
  • Like
  • Wow
Reactions: ForgottenSeer 85179, simmerskool, oldschool and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
With AppGuard, you do not need Hard_Configurator. You can use ConfigureDefender, but it is necessary to turn off AppGuard protection until you will finish configuring Defender. AppGuard will block PowerShell cmdlets which are intended by Microsoft to configure advanced Defender settings.
The WD settings configured by ConfigureDefender are compatible with AppGuard, and this configuration is stronger in some aspects.
WD + AppGuard (both in default settings) can give the users a decent protection, so adding something more will be OK only for slightly paranoid users.
 
Last edited:
  • Like
Reactions: Sunshine-boy, simmerskool, oldschool and 4 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
ticklemefeet said:
Hello

I remember it was advised I didn't need the WD config program with Appguard. Does that hold true for this program?

Thanks
Click to expand...
If you want to add a long list of vulnerable processes to be protected, and you don't feel like manually configuring Appguard for that, you could use Hard_Configurator instead.
It works a little differently, though. It will only block the vulnerables when they run will standard permissions, not when they run with elevated permissions. This has a certain advantage: it interferes less with valid system processes and program processes, so you can safely block some vulnerables that would be problematic in Appguard.
 
  • Like
Reactions: simmerskool, oldschool, silversurfer and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Adding a long list of vulnerable processes via <Block Sponsors> is usually not required if one can properly adjust Guarded Applications in AppGuard. The idea is to protect by Guarded Applications feature all those applications which can be abused to run vulnerable processes. Some applications (like MS Word) are protected in AppGuard by default.
If the above is not possible in AppGuard because the user needs all features of the application (a few can be not functional when guarded), then blocking vulnerable processes via Hard_Configurator <Block Sponsors> can be considered.
Before adding Hard_Configurator to AppGuard protection, I would suggest replacing the conflicting application with another one which can be both usable and guarded by AppGuard.
Generally, using AppGuard with Hard_Configurator makes the setup complicated.
 
  • Like
Reactions: simmerskool, oldschool, Av Gurus and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
It seems that the users should add SETTINGCONTENT-MS file extension to Designated File Types list.
enigma0x3
I did not test it with all ASR rules, but there is a clever way to bypass some ASR rules to execute cmd.exe via the malicious SETTINGCONTENT-MS file with the reference to AppVLP executable (used in MS Office for Application Virtualization).
.
Edit
I checked the POC and it is clear that SETTINGCONTENT-MS file can run cmd.exe without any help from MS Office. It can be also used as a replacement for LNK files to run the malware.
 
Last edited:
  • Like
Reactions: ForgottenSeer 85179, simmerskool, oldschool and 3 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
It seems that the users should add SETTINGCONTENT-MS file extension to Designated File Types list.
enigma0x3
I did not test it with all ASR rules, but there is a clever way to bypass some ASR rules to execute cmd.exe via the malicious SETTINGCONTENT-MS file with the reference to AppVLP executable (used in MS Office for Application Virtualization).
Click to expand...
The ASR rule for blocking active content will still protect, even if SETTINGCONTENT-MS bypasses the rule for child processes.
Anyways, Microsoft patched this. See discussion here: Bypassing Windows Defender Exploit ASR Rules
 
  • Like
Reactions: ForgottenSeer 85179, simmerskool, oldschool and 2 others

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,430
Hard_Configurator Tools
South Park
South Park
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,110
Hard_Configurator Tools
Andy Ful
Andy Ful
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
1,127
General Security Discussions
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top