Hard_Configurator - Windows Hardening Configurator

[oldschool]

Do you use some applications installed outside of Program Files (except OneDrive)?

I’ve been away from home and my laptop for almost two weeks so the question is a bit hard to answer right now. I know I don’t do much on it aside from surfing. Most apps are probably in Program Files.

 

[Andy Ful]

I’ve been away from home and my laptop for almost two weeks so the question is a bit hard to answer right now. I know I don’t do much on it aside from surfing. Most apps are probably in Program Files.

The applications installed outside of Program Files will require a special treatment. They should be whitelisted. This is not a hard task in most cases, but sometimes whitelisting can be challenging for many users. Those whitelisted applications have to run and auto-update without problems.

 

[shmu26]

This is a very strong protection. It disables totally the macros in all MS Office applications. It is also in HKLM Registry hive, so cannot be reverted by non-elevated malware/exploit.

So when I deleted <[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\Common]
"VBAOFF"=dword:00000001> I undid this protection?

 

[Andy Ful]

So when I deleted <[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\Common]
"VBAOFF"=dword:00000001> I undid this protection?

If "VBAOFF"=dword:00000001, then you are protected even you allow macros in MS Office via Trust Center.
If "VBAOFF"=dword:00000000 (or deleted) then, VBA interpreter is now active. You can choose via MS Office Trust Center, if VBA Macros should be allowed or not.
By the way, if you open the blank DOCX file, do you see any info about macros. I am curious if MS Office is able to alert about macros in your .dotm add-on file in STARTUP folder.

 

[shmu26]

If "VBAOFF"=dword:00000001, then you are protected even you allow macros in MS Office via Trust Center.
If "VBAOFF"=dword:00000000 (or deleted) then, VBA interpreter is now active. You can choose via MS Office Trust Center, if VBA Macros should be allowed or not.
By the way, if you open the blank DOCX file, do you see any info about macros. I am curious if MS Office is able to alert about macros in your .dotm add-on file in STARTUP folder.

When I had this setting enabled, I got a MS Office alert when launching Word, even though I did not open any document, not even a new one.
Now that I deleted the reg entry, I am back to where I was before: no alert, even if I open a doc.

 

[Andy Ful]

When I had this setting enabled, I got a MS Office alert when launching Word, even though I did not open any document, not even a new one.
Now that I deleted the reg entry, I am back to where I was before: no alert, even if I open a doc.

What setting did you choose for macros:
Options > Trust Center > Trust Center Settings > Macro Settings .

 

[shmu26]

Disable all macros without notification

 

[Andy Ful]

Disable all macros without notification

So we still do not know, if you could see the alert with default setting:
Disable all macros with notification.
If the alert is not visible with the above setting (closing Word is required), then VBAOFF is really strong, because it could protect also against malware persistence due to infecting MS Office templates.

 

[shmu26]

So we still do not know, if you could see the alert with default setting:
Disable all macros with notification.
If the alert is not visible with the above setting (closing Word is required), then VBAOFF is really strong, because it could protect also against malware persistence due to infecting MS Office templates.

I checked it yesterday. I got the same behavior with Disable all macros with notification

 

[Andy Ful]

I checked it yesterday. I got the same behavior with Disable all macros with notification

Thanks. Good to know this.

 

[shmu26]

Thanks. Good to know this.

If you want to experiment with a simple Word addon, here is a link to one of mine. If configured properly, it forces Word to do a full save of the open document every X number of minutes. This way, it will sync changes in the document to Dropbox/GoogleDrive, and also, you are better prepared for a system crash.
Dropbox - SaveReminder Ver 2.1.7z

 

[Andy Ful]

If you want to experiment with a simple Word addon, here is a link to one of mine. If configured properly, it forces Word to do a full save of the open document every X number of minutes. This way, it will sync changes in the document to Dropbox/GoogleDrive, and also, you are better prepared for a system crash.
Dropbox - SaveReminder Ver 2.1.7z

Thanks, I will take a look at it.

 

[oldschool]

Thanks. Good to know this.

I’ve simply been trying to follow this thread without having installed H_C. Until I do I am not going to be clear about specifics etc. that you discuss. But I am soaking up as much as I can in the meantime. I’d really like to compare it from experience to SysHardener, which I currently use.

 

[Freki123]

Any tips how to get Discord (Desktop client) /Teamviewer running when i still want them to be sandboxed by sandboxie? Tried adding the .exe to the hash whitelist.
Discord was on the main(windows) hdd, Teamviewer on my storage hdd (normal internal hdd used for larger files mostly). Win 10 64bit.
Screen 1 was for discord

Even "run as smartscreen" didn't help.

Are there any (sha256 or so) checksums for the install files?

 

[Andy Ful]

Any tips how to get Discord (Desktop client) /Teamviewer running when i still want them to be sandboxed by sandboxie? Tried adding the .exe to the hash whitelist.
Discord was on the main(windows) hdd, Teamviewer on my storage hdd (normal internal hdd used for larger files mostly). Win 10 64bit.
Screen 1 was for discord
View attachment 194161
View attachment 194162
Even "run as smartscreen" didn't help.

Are there any (sha256 or so) checksums for the install files?

You probably are going to "Run As SmartScreen" the shortcut to the executable. The shortcut uses commandline with switches to run. Please, use Explorer right-click menu choose 'Properties' and post the commandline seen in the "Target".
What is the location of that shortcut?

 

[Freki123]

@Andy Ful
Thanks for the help. That was exactly the problem. I was trying to use shortcuts to start the program. After starting the program directly
from the folder it was in (it worked) i created a new shortcut on my desktop and now it runs just from clicking the newly created shortcut.

 

[Andy Ful]

I’ve simply been trying to follow this thread without having installed H_C. Until I do I am not going to be clear about specifics etc. that you discuss. But I am soaking up as much as I can in the meantime. I’d really like to compare it from experience to SysHardener, which I currently use.

There are some essential differences between SysHardener and Hard_Configurator (default-deny setup). SysHardener allows execution of programs (good and bad) downloaded by the user from the Internet or located on any other storage (pendrive, secondary disc, Memory Card, DVD disk, USB disk). On the contrary, Hard_Configurator (default-deny setup) blocks execution from all those places - to be more precise all locations outside Windows and Program Files folders. If the user wants to run the program installation from the forbidden location, then it is possible via 'Run As SmartScreen'. If the application was installed via 'Run As SmartScreen' to the forbidden location, then it is assumed as safe, so it can be whitelisted to run normally (without using 'Run As SmartScreen'). In any case, all installed applications were obligatory checked by SmartScreen reputation service, which is much safer than running them only under the protection of standard AV (the danger from 0-day malware).
There are more differences when something can be exploited, but the above is the essential difference. In the short words, the main difference follows from the below:

• SysHardener is default-allow for application installers and programs.
• Hard_Configurator is smart default-deny for them.

Edit.
If the user is cautious and knows the limitations of SmartScreen, then the above difference is less important and can be essential only when something will be exploited. Then default-deny protection is able to stop executable payload.

 

[shmu26]

What is the status of the root folder of C: drive? I see that I need admin permission to copy a file to it, like system space. On the other hand, SRP blocks execution, like user space. On the third hand, AppGuard treats it as system space.
What's up with this?

 

[Andy Ful]

What is the status of the root folder of C: drive? I see that I need admin permission to copy a file to it, like system space. On the other hand, SRP blocks execution, like user space. On the third hand, AppGuard treats it as system space.
What's up with this?

The users have no need to copy files to the root C: (system disk), but the malware could try to do it. So, this location is blocked by SRP and also files cannot be "Run As SmartScreen". This is a pure prophylactic, but sometimes can prevent the infection.
.
AppGuard has root C: and C:\Folder in the System space (except C:\Users and some special folders). This follows from the fact, that in Enterprises, some folders in the root C: are used for applications and for the programs or scripts related to the hardware (Intel, AMD etc.). Furthermore, the Guarded Applications in AppGuard cannot copy files to those locations (and generally to System space) even with Admin rights.

 

[shmu26]

The users have no need to copy files to the root C: (system disk), but the malware could try to do it. So, this location is blocked by SRP and also files cannot be "Run As SmartScreen".

If it needs admin privileges to copy files to it, why does it need more protection than program files folder?