Andy Ful

Level 36
Content Creator
Trusted
Verified
@Andy Ful - Thanks for the update. How is the new "Document Anti-Exploit" feature coming along?
I am finishing it. The system-wide settings for all accounts (blocking the VBA interpreter and Adobe Acrobat Reader XI/DC hardening) are now in Hard_Configurator. They can be used on Windows 10 with activated ASR rules.
I prepared the external application to configure MS Office and Adobe Acrobat Reader XI/DC for the separate accounts (non-system-wide). This application can harden MS Office even more strictly and should be used when another AV is a real-time protection or when the user cannot apply ASR rules.
 
Deleted Member 3a5v73x

Hey Andy, is there a way to notify the user if something has been blocked / is not working as intended / changes have been intercepted? I mean, I always find myself digging through your implemented Windows events tab, but if I didn't, I wouldn't know what had been blocked. I regularly have to look at it if something doesn't seem to be working. I hope you get what I mean, I'm having a rough time explaining... love ur work and H_C, no homo <3
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
Most SRP blocked events show an alert that something has been blocked by the administrator. As you mentioned, the details can be viewed in Hard_Configurator (<Tools><Blocked Events>). The same can be said about WD ASR and Controlled Folder Access. Other restrictions can sometimes silently block the execution, and the user has to be smart enough to solve the problem.
That is not as convenient as in the case of real-time applications, where you can often see more detailed alerts. Maybe someday I will find a more convenient solution. :emoji_pray:
That is the price we pay for using a configurator tool instead of a real-time application. :emoji_innocent:
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
@Andy Ful New update for Redstone 4 messed up Edge reg settings and it's starting again! Any way to force update or reset gpedit.msc rules to defaults? I'm on Home edition and the gpedit.msc trick worked for a few months!
Could you tell me more about this issue? What Edge settings are messed up?
I have a freshly updated Windows 10 ver. 1803 (Redstone 4) and no issues with Edge. :emoji_thinking:
Are those issues related to some Hard_Configurator settings?
 

Vasudev

Level 26
Verified
Could you tell me more about this issue? What Edge settings are messed up?
I have a freshly updated Windows 10 ver. 1803 (Redstone 4) and no issues with Edge. :emoji_thinking:
Are those issues related to some Hard_Configurator settings?
Edge starts in the background even though it's told not to! I didn't use Hard_Configurator at all, it's too restrictive. But I keep a tab on most settings Hard_Configurator offers and have incorporated most of the tweaks.
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
IMPORTANT
Hard_Configurator uses the ConfigureDefender tool, which is actually flagged as a hack tool because it has the option to disable WD real-time protection. I removed that option from ConfigureDefender and the new ver. 1.1.1.1 was analyzed and accepted by Microsoft.
Q&A - ConfigureDefender utility for Windows 10
I recommend opening the Hard_Configurator folder (C:\Windows\Hard_Configurator) and letting Windows Defender quarantine the old ConfigureDefender. Tonight I will push the new ConfigureDefender version 1.1.1.1, which has actually been analyzed and accepted by Microsoft.
ConfigureDefender is portable, but to work with Hard_Configurator, the executable has to be copied to the folder C:\Windows\Hard_Configurator.

In some cases Hard_Configurator can be blocked after trying to open the old ConfigureDefender. This is related to the WD local dynamic signatures, which can block an executable even when it is clean but was involved in the infection chain. In such cases, to unblock the clean executable the user can run the command line below from the C:\Program Files\Windows Defender folder:
MpCmdRun.exe -removedefinitions -dynamicsignatures

Be safe.(y)
 

shmu26

Level 72
Content Creator
Trusted
Verified
IMPORTANT
Hard_Configurator uses the ConfigureDefender tool, which is actually flagged as a hack tool because it has the option to disable WD real-time protection. I removed that option from ConfigureDefender and the new ver. 1.1.1.1 was analyzed and accepted by Microsoft.
Q&A - ConfigureDefender utility for Windows 10
I recommend opening the Hard_Configurator folder (C:\Windows\Hard_Configurator) and letting Windows Defender quarantine the old ConfigureDefender. Tonight I will push the new ConfigureDefender version 1.1.1.1, which has actually been analyzed and accepted by Microsoft.
ConfigureDefender is portable, but to work with Hard_Configurator, the executable has to be copied to the folder C:\Windows\Hard_Configurator.

In some cases Hard_Configurator can be blocked after trying to open the old ConfigureDefender. This is related to the WD local dynamic signatures, which can block an executable even when it is clean but was involved in the infection chain. In such cases, to unblock the clean executable the user can run the command line below from the C:\Program Files\Windows Defender folder:
MpCmdRun.exe -removedefinitions -dynamicsignatures

Be safe.(y)
For some reason, I have the ConfigureDefender executable where you said, and also in Program Files.
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
Yesterday, Microsoft also flagged the Hard_Configurator installer ver. 4.0.0.0 as a hack tool (only the 64-bit version), so I removed the installers from the GitHub repository. I will try to push the new version 4.0.0.1 (which will also include the corrected ConfigureDefender) in a week.(y)
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
Here is the changelog for the new version.
Version 4.0.0.1
  1. Corrected the ability to whitelist OneDrive on SUA.
  2. Changed the way of using <Refresh Explorer> option to avoid problems on SUA.
  3. Added a warning before Hard_Configurator uninstallation about using the DocumentsAntiExploit tool.
  4. Added the DocumentsAntiExploit tool to the SwitchDefaultDeny application, for managing different MS Office and Adobe Acrobat Reader XI/DC settings on different user accounts.
  5. In the 4.0.0.1 version the <Documents Anti-Exploit> option in Hard_Configurator can only change system-wide settings. Non-system-wide settings are now available only via DocumentsAntiExploit tool.
  6. Added IQY and SETTINGCONTENT-MS file extensions to the default list of Designated File Types and to the hardcoded dangerous extensions in RunBySmartScreen.
  7. Improved Shortcut protection.
  8. Improved the protection of MS Office and Adobe Acrobat Reader XI/DC applications against weaponized documents.
  9. Improved 'Run By SmartScreen' with over 250 blocked file extensions (SRP, Outlook Web Access, Gmail, and Adobe Acrobat Reader attachment blacklists). The extensions BAT, DLL, CMD, JSE, OCX, and VBE are now blocked with a notification instead of being checked by SmartScreen. Popular vulnerable files (RTF, DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF) related to MS Office and Adobe Reader are opened with the warning instruction.
  10. Changed the names of some buttons in the TOOLS menu: <View Blocked Events> --> <Blocked Events / Security Logs>, <Run Autoruns: Scripts/UserSpace> --> <Whitelist Autoruns / View Scripts>
  11. Changed 'Allow EXE' option in the <Whitelist by Path> to 'Allow EXE and TMP'. So, both EXE files and TMP files are whitelisted - this option is prepared to work with Avast Hardened Mode Aggressive as default-deny.
  12. Updated Hard_Configurator manual.
 

shmu26

Level 72
Content Creator
Trusted
Verified
Here is the changelog for the new version.
Version 4.0.0.1
  1. Corrected the ability to whitelist OneDrive on SUA.
  2. Changed the way of using <Refresh Explorer> option to avoid problems on SUA.
  3. Added a warning before Hard_Configurator uninstallation about using the DocumentsAntiExploit tool.
  4. Added the DocumentsAntiExploit tool to the SwitchDefaultDeny application, for managing different MS Office and Adobe Acrobat Reader XI/DC settings on different user accounts.
  5. In the 4.0.0.1 version the <Documents Anti-Exploit> option in Hard_Configurator can only change system-wide settings. Non-system-wide settings are now available only via DocumentsAntiExploit tool.
  6. Added IQY and SETTINGCONTENT-MS file extensions to the default list of Designated File Types and to the hardcoded dangerous extensions in RunBySmartScreen.
  7. Improved Shortcut protection.
  8. Improved the protection of MS Office and Adobe Acrobat Reader XI/DC applications against weaponized documents.
  9. Improved 'Run By SmartScreen' with over 250 blocked file extensions (SRP, Outlook Web Access, Gmail, and Adobe Acrobat Reader attachment blacklists). The extensions BAT, DLL, CMD, JSE, OCX, and VBE are now blocked with a notification instead of being checked by SmartScreen. Popular vulnerable files (RTF, DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF) related to MS Office and Adobe Reader are opened with the warning instruction.
  10. Changed the names of some buttons in the TOOLS menu: <View Blocked Events> --> <Blocked Events / Security Logs>, <Run Autoruns: Scripts/UserSpace> --> <Whitelist Autoruns / View Scripts>
  11. Changed 'Allow EXE' option in the <Whitelist by Path> to 'Allow EXE and TMP'. So, both EXE files and TMP files are whitelisted - this option is prepared to work with Avast Hardened Mode Aggressive as default-deny.
  12. Updated Hard_Configurator manual.
Awesome!
 

shmu26

Level 72
Content Creator
Trusted
Verified
If "VBAOFF"=dword:00000001, then you are protected even if you allow macros in MS Office via the Trust Center.
If "VBAOFF"=dword:00000000 (or deleted), then the VBA interpreter is active. You can choose via the MS Office Trust Center whether VBA macros should be allowed or not.
By the way, if you open the blank DOCX file, do you see any info about macros? I am curious if MS Office is able to alert about macros in your .dotm add-on file in the STARTUP folder.
Does "documents anti-exploit" change any other registry entries, besides HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\*\Common\VBAOFF?
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
Does "documents anti-exploit" change any other registry entries, besides HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\*\Common\VBAOFF?
Yes, apart from the above system-wide entries, in the current version 4.0.0.0 on an Administrator type of account there are many other registry entries for hardening MS Office. They are related to the registry keys below (non-system-wide; the asterisk stands for the version 12.0, 14.0, 15.0, or 16.0):
HKCU\Software\Microsoft\Office\*\Word\Security
HKCU\Software\Microsoft\Office\*\Word\Options
HKCU\Software\Microsoft\Office\*\Word\Options\WordMail
HKCU\Software\Microsoft\Office\*\Excel\Security
HKCU\Software\Microsoft\Office\*\Excel\Options
HKCU\Software\Microsoft\Office\*\PowerPoint\Security
HKCU\Software\Microsoft\Office\*\OneNote\Options
HKCU\Software\Microsoft\Office\Common\Security

There are also many entries (system-wide and non-system-wide) for Adobe Acrobat Reader XI and DC.
But for MS Office on SUA, only the system-wide VBAOFF entry is applied.

In the new version 4.0.0.1 the system-wide entries will be configured by Hard_Configurator. Those entries for MS Office and Adobe Acrobat Reader XI/DC can be supported by WD ASR rules (also system-wide) and default-deny SRP, to apply strong security against weaponized documents opened by MS Office and Adobe Acrobat Reader XI/DC.
If one cannot apply ASR, then it is possible to use the DocumentsAntiExploit tool (from the SwitchDefaultDeny application) to apply the above and some additional entries in the HKCU hive. They are not system-wide, so the settings can be different on different accounts.
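A read-only audit of the registry locations named in this answer, as an added PowerShell example that is neither Hard_Configurator's code nor part of the original posts. The key paths, the meaning of the VBAOFF values (1 = VBA interpreter blocked regardless of Trust Center, 0 or absent = interpreter active) and the Office version list behind the asterisk are taken from the posts above; the function names and the output layout are my own. The post does not say which values Hard_Configurator writes under the HKCU keys, so for those only key presence is reported.

```powershell
# Added example, not Hard_Configurator's own code: audit the Office hardening locations
# named in the thread. Read-only; nothing is written to the registry.
# Assumed key layout (from the posts):
#   system-wide: HKLM\Software\Policies\Microsoft\Office\<ver>\Common\VBAOFF
#   per-user:    HKCU\Software\Microsoft\Office\<ver>\<App>\... and HKCU\...\Office\Common\Security

$OfficeVersions = @('12.0', '14.0', '15.0', '16.0')   # what the post's asterisk stands for

# Per-user key suffixes listed in the post; a leading '*' marks a version-specific key.
$PerUserKeySuffixes = @(
    '*\Word\Security', '*\Word\Options', '*\Word\Options\WordMail',
    '*\Excel\Security', '*\Excel\Options', '*\PowerPoint\Security',
    '*\OneNote\Options', 'Common\Security'
)

function Get-VbaOffState {
    # Reads the system-wide VBAOFF policy for one Office version and interprets it the
    # way the thread describes: 1 = VBA interpreter blocked even if Trust Center allows
    # macros; 0 or missing = interpreter active and Trust Center decides.
    param([Parameter(Mandatory)][string]$Version)

    $keyPath = "HKLM:\Software\Policies\Microsoft\Office\$Version\Common"
    $value = $null
    if (Test-Path -Path $keyPath) {
        $item = Get-ItemProperty -Path $keyPath -Name 'VBAOFF' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.VBAOFF }
    }

    $state = if ($value -eq 1)        { 'blocked (VBAOFF=1, system-wide)' }
             elseif ($null -eq $value) { 'active (VBAOFF absent; Trust Center decides)' }
             else                      { "active (VBAOFF=$value; Trust Center decides)" }

    [pscustomobject]@{
        Version        = $Version
        VBAOFF         = $value
        VbaInterpreter = $state
        Key            = $keyPath
    }
}

function Get-PerUserHardeningKeys {
    # Reports which of the post's HKCU keys exist for the account running the script.
    # The post does not name the values stored there, so only presence is checked.
    param([string[]]$Versions = $OfficeVersions)

    foreach ($suffix in $PerUserKeySuffixes) {
        # Expand '*\Word\Security' into one path per Office version; keep 'Common\Security' as-is.
        $candidates = if ($suffix.StartsWith('*')) {
            foreach ($v in $Versions) { $v + $suffix.Substring(1) }
        } else {
            @($suffix)
        }
        foreach ($candidate in $candidates) {
            $keyPath = "HKCU:\Software\Microsoft\Office\$candidate"
            [pscustomobject]@{
                Key     = $keyPath
                Present = (Test-Path -Path $keyPath)
            }
        }
    }
}

Write-Host 'System-wide VBAOFF policy per Office version (applies to every account, SUA included):'
$OfficeVersions | ForEach-Object { Get-VbaOffState -Version $_ } | Format-Table -AutoSize

Write-Host 'Per-user (HKCU) hardening keys for the current account (non-system-wide):'
Get-PerUserHardeningKeys | Format-Table -AutoSize
```

Run it once as the administrator account and once as the SUA to see the asymmetry the answer describes: the HKLM VBAOFF rows are identical in both runs, while the HKCU rows differ because those keys belong to each account's own hive.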
 