Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

If it needs admin privileges to copy files to it, why does it need more protection than program files folder?

More protection for the root C: does not hurt. You could not say the same If it would be adopted for Windows and Program Files.
You could also say, why CHM files are blocked by SRP but DOCX files are not. The answer would be the same. Blocking the CHM files does not hurt.

 

[shmu26]

More protection for the root C: does not hurt. You could not say the same If it would be adopted for Windows and Program Files.
You could also say, why CHM files are blocked by SRP but DOCX files are not. The answer would be the same. Blocking the CHM files does not hurt.

Thanks, Andy. That makes sense.

 

[Andy Ful]

When malware is too smart.
@silversurfer included one interesting malware sample Facture_23100.31.07.2018.exe :
https://malwaretips.com/threads/3-08-2018-21.85688/#post-754757
The malware had embedded the icon of DOCX file to fool the potential victims. It was probably delivered via spam with the social engineering info --> why the user should open such interesting document. It had the stolen & valid Authenticode Signature with a good reputation, so it even could bypass SmartScreen.
Could the Hard_Configurator Recommended settings stop such dangerous malware?
The answer is yes (mostly). But, how it is possible when the malware could bypass SmartScreen?
Because it was too smart. The user knows from e-mail that the attachment is a document and the file icon confirms this belief. So, after downloading, the file will be open by the user as a document by left mouse-click or by pressing the Enter key. This will fail and the file will be blocked by SRP.
The user will not open the malware via "Run As SmartScreen" because the malc0der successfully convinced him that the file is an innocent document.
.
In my personal opinion, the danger of such malware for the home users is close to 0, because the files with stolen certificates are mostly used in attacks on institutions and enterprises. After some days, the malware can be reused to attack the home users, but then, the fingerprint/signature is already available in the cloud, so the malware will be blocked via the cloud AV service.
The exception can be the event similar to CCleaner, because in this case the installer executable was infected. The installer of CCleaner is digitally signed and very popular (good SmartScreen reputation), so it can bypass SmartScreen check. The user can only depend on the AV protection and has a pretty good chance to be infected.

 

[silversurfer]

Fresh sample, signed, icon of document again, included here: https://malwaretips.com/threads/6-08-2018-16.85757/

Sample is might be broken, according to Hybrid Analysis:
https://www.hybrid-analysis.com/sam...449f2e9591dcb63e4837614f840?environmentId=100

 

[Andy Ful]

Fresh sample, signed, icon of document again, included here: https://malwaretips.com/threads/6-08-2018-16.85757/

Sample is might be broken, according to Hybrid Analysis:
https://www.hybrid-analysis.com/sam...449f2e9591dcb63e4837614f840?environmentId=100

This sample has DigiCert High Assurance EV Root CA, so should also bypass SmartScreen.

Edit.
@Evjl's Rain Confirmed SmartScreen bypass. I am not sure if the second SmartScreen bypass was real, because WD checks files on access when the folder is opened. The suspicious files are blocked by WD until the analysis will complete. So I suspect that the malware sample __-_.exe could be not checked by SmartScreen at all.
By the way, he uses 'Run By SmartScreen' in his tests. On the contrary to "Run As SmartScreen", his treatment of the malware with document icon was correct. The 'Run By SmartScreen' is intended for default-allow security setup and for all unsafe files in the Userspace (outside' Windows' and 'Program Files...' folders). It checks more file extensions (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR, and VBE) via SmartScreen. Furthermore, if the file extension is dangerous (WSH, WSF, WSC, WS, VBS, VB, SHS, SCT, REG, PS1, PCD, MST, MSP, MSC, MDE, MDB, JS, JAR, ISP, INS, INF, HTA, HLP, CRT, CHM, BAS, ADP, ADE), then the file is blocked with notification. Other files, when "Run By SmartScreen", are allowed to be opened.
The proper usage of "Run By SmartScreen" is always opening the new files via the right-click Explorer context menu option (Run By SmartScreen). If that would be so, then most malware samples in @Evjl's Rain tests:
https://malwaretips.com/threads/6-08-2018-16.85757/post-755188
https://malwaretips.com/threads/3-08-2018-21.85688/post-754757
would be blocked with notification, except the popular types like documents, photos, media.
.
I suspect that @Evjl's Rain intended to test forced SmartScreen itself, but not the "Run By SmartScreen" capabilities.

 

[Evjl's Rain]

sorry but I don't understand what you said about Runbysmartscreen
I use it because I don't want to upload everything to a website and download them 1 by 1 so I right-click and "Run-by-smartscreen" with anything I can, except the extensions you give the warning sign of SS being not supported => ignore because SS by default won't show any warning like that => to simulate a real-world scenario

I don't look at the icon, I look at the extensions. If it has .exe or anything SS supports, I will Run-by-smartscreen

I want to test WD at max settings and smartscreen but not the app Run-by-smartscreen and I also want to test WD without SS because there are so many ways to ignore SS lookup. Sorry for the confusion
I should have clarified it in the test

The suspicious files are blocked by WD until the analysis will complete

I think I disagree with that. It's true in theory, I guess
however, during my test with the high settings, WD allowed everything to run -> analyzed and blocked if they were malicious, if not, no notification from the beginning. It worked like a BB but not BB

I noticed some files were running for 10s and then disappeared. At the same time, the CPU usage of WD process was significantly increased -> a sign of it analyzing the files -> then WD showed a noti. with malwares were detected

WD is quite aggressive as it uploaded files even when I was right-clicking the undetected samples
it consumed >100MB of my VPN bandwidth. Once in the past, WD used to consumed all of my 200MB daily limit and my VPN was automically disconnected during the test => I must have stopped the test immediately to protect myself

 

[oldschool]

Hard_Configurator in the present form (ver. 4.0.0.0), works well as an admin tool when started from the Administrator type of account.
Furthermore, all Hard_Configurator settings required to configure any Standard User Account, can be set from Administrator Account (except OneDrive issue).
It is possible to start Hard_Configurator from SUA, but then some issues are visible (reported by the testers):
1. Whitelisting OneDrive on SUA is possible via <Add File>, <Add Folder>, <Add Path *Wildcards> buttons, but is not possible via OneDrive <Add> button.
2. The option <Refresh Explorer> available for Windows 10, does not work properly on SUA. After killing all instances of Explorer, the refreshed Explorer process is running on Admin Account instead of SUA. So, the user on SUA cannot access the Explorer shell (Desktop is not visible), and has to run Explorer manually via Task Manager.
.
The above issues are related to the fact that any application started from SUA with Administrative Rights, is running on Administrator Account. It is not obvious to the user because Windows makes some magic with shared Desktop and the application window is available on SUA while application processes are running on Administrator Account. The magic works for most programs, but not for the Explorer shell.
.
The OneDrive issue can be easily fixed, because the whitelisted path is written to HKLM registry hive (system-wide).
The <Refresh Explorer> issue could be also solved by asking the user for the SUA password. But, I do not like this solution for the privacy reasons. Personally, I do not like applications which are asking for account credentials. I am thinking about keeping <Refresh Explorer> option when only one user is logged to the system (Administrator type of account). In other cases, the <Refresh Explorer> option will be skipped.
It is also possible, to move the <Refresh Explorer> option to SwitchDefaultDeny tool.

@Andy Ful - do you recommend installing H_C from Admin account or SUA? Or does it make no difference other than noted in this post?

 

[Andy Ful]

@Andy Ful - do you recommend installing H_C from Admin account or SUA? Or does it make no difference other than noted in this post?

It does not matter. But, when running H_C on SUA, use Log OFF after applying the settings - do not use 'Refresh Explorer' option.

 

[oldschool]

Thanks!

 

[Andy Ful]

I use it because I don't want to upload everything to a website and download them 1 by 1 so I right-click and "Run-by-smartscreen" with anything I can, except the extensions you give the warning sign of SS being not supported => ignore because SS by default won't show any warning like that => to simulate a real-world scenario

I don't look at the icon, I look at the extensions. If it has .exe or anything SS supports, I will Run-by-smartscreen

I want to test WD at max settings and smartscreen but not the app Run-by-smartscreen and I also want to test WD without SS because there are so many ways to ignore SS lookup. Sorry for the confusion
I should have clarified it in the test

Yes, you use some capabilities of 'Run By SmartScreen' to test forced SmartScreen - that is OK because you intended to use it that way. But, the recommended way for the average user, would be 'Run By SmartScreen' all tested malware samples. That is why I wrote the note about 'Run By SmartScreen'.

I think I disagree with that. It's true in theory, I guess
however, during my test with the high settings, WD allowed everything to run -> analyzed and blocked if they were malicious, if not, no notification from the beginning. It worked like a BB but not BB

I am not sure what happened. Some time ago I tested many malware samples against WD, and some files were locked for several minutes by WD - that depended on the number of samples. In the high settings each file can be locked for max 60s, but when it is recognized as malicious then the time can be substantially longer because WD is very slow to quarantine the files. If the file happened to be locked, and 'Run By SmartScreen' was used before it has been quarantined, then it could be not checked by SmartScreen.
So, when testing SmartScreen, it is better to turn off WD realtime protection.

Edit (for Hard_Configurator users)
Run By SmartScreen = forced SS (all supported files) + block dangerous files + allow other files
It is recommended for running/opening all new files in the default-allow security setup.

Run As SmartScreen = forced SS (only EXE, MSI) + Run as administrator (EXE, MSI) + block other files
It is recommended only for the application installers (EXE, MSI) in SRP based setup (default-deny).

 

[slash/]

@Andy Ful Remove the colour formatting on post #663. The text is black and invisible in Midnight theme. I thought I was going crazy.

Really great work with your software, btw.

 

[oldschool]

Andy - No blocked events. One error message re: Powershell

 

[Andy Ful]

View attachment 194654

Andy - No blocked events. One error message re: Powershell

OK. I have to get some sleep. We will continue this later.

 

[Andy Ful]

View attachment 194654

Andy - No blocked events. One error message re: Powershell

That is a good setup for starting with H_C. Yet, this is not H_C Recommended SRP setup, because you set Default Security Level to Basic User (recommended is Disallowed in H_C ver. 4.0.0.0).
Your setup has an advantage for starting with H_C, because the scripts (BAT, CMD, JS, JSE, VBS, VBE, WSF, WSH) can be run in the Userspace by the commandline. Still, the user cannot run them directly from the Explorer or Desktop.
Also after the reboot on SUA, you will probably get an alert about blocking OneDrive.

 

[oldschool]

That is a good setup for starting with H_C. Yet, this is not H_C Recommended SRP setup, because you set Default Security Level to Basic User (recommended is Disallowed in H_C ver. 4.0.0.0).
Your setup has an advantage for starting with H_C, because the scripts (BAT, CMD, JS, JSE, VBS, VBE, WSF, WSH) can be run in the Userspace by the commandline. Still, the user cannot run them directly from the Explorer or Desktop.
Also after the reboot on SUA, you will probably get an alert about blocking OneDrive.

I think I might have done this setup by mistake. Also, I am a bit fuzzy about the "Warnings" in the Help section of Default Security Level. If I change setup to "Disallowed" will H_C remain as set and forget for me or will it require whitelisting even when I have so few installed apps? As a side note, I can see in the H_C Manual that the section "How SRP can control file execution/opening" is beyond by current skill level. I will study it further for the learning benefit and see where it takes me.

 

[Andy Ful]

I think I might have done this setup by mistake. Also, I am a bit fuzzy about the "Warnings" in the Help section of Default Security Level. If I change setup to "Disallowed" will H_C remain as set and forget for me or will it require whitelisting even when I have so few installed apps? As a side note, I can see in the H_C Manual that the section "How SRP can control file execution/opening" is beyond by current skill level. I will study it further for the learning benefit and see
where it takes me.

In H_C Recommended settings and profiles, the difference between Basic User and Disallowed security levels is related to blocking scripts. There is no difference on most home user machines, but sometimes a few scripts more have to be whitelisted when using Disallowed.
You do not have to read/understand the manual section "How SRP can control file execution/opening" to use H_C. Please, keep the actual settings, until you will whitelist everything that should not be blocked.
1. Do you use OneDrive on SUA?
2. If so, then is it properly whitelisted? (no blocking alerts after login to SUA)

 

[oldschool]

I think I will change to "Disallowed" since I have so few apps installed and rarely use them. I uninstalled OneDrive because I never use it.

 

[ForgottenSeer 69673]

I uninstalled OneDrive because I never use it

I did too because I never used it and got tired of Appguard's popups blocking it.

 

[Andy Ful]

I think I will change to "Disallowed" since I have so few apps installed and rarely use them. I uninstalled OneDrive because I never use it.

OK. Post here if you will have any problem with H_C.

 

[oldschool]

OK. Post here if you will have any problem with H_C.

No problems yet. Thanks!