Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
On my wife's laptop I have Comodo Firewall (not at paranoid settings), and H_C with a lot of sponsors enabled. I don't hear any complaints, and I see no conflicts.
CFW at non-paranoid settings has two basic weaknesses: the list of approved software and vendors is fallible, and the vulnerable process protection is weak. I solve both problems with H_C.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,483
H_C is very similar to CF with autosandbox set to Block (no HIPS). But H_C does not block administrative processes, like Windows updates or system scheduled tasks, and uses forced SmartScreen (instead of File Lookup).
CF can be used in organizations and businesses, because it is stronger against attacks originating from the local network, especially when those attacks are already elevated.
The advantage of using H_C can be important only in the home environment, because home users usually do not need the features related to the local network, like SMB protocols, Remote Desktop, Remote Assistance, Remote Shell, Remote Registry, admin scripting, etc. If those features are blocked, then the attack from the local network is hardly possible.
It follows from the above that in the home environment with H_C settings, an attack via already elevated malware is highly improbable. Any malware must then be originated by the user, so it has to initially run not elevated (on Windows Vista and higher versions). Hard_Configurator is made to block such processes (so they also cannot bypass UAC), by using default-deny settings.
 
Last edited:

kylprq

Level 4
Verified
Jul 26, 2018
147
Are you running CFW at CruelSister settings?

yes

But, such CF setup can also break your system or

It's true, somehow with CS settings broke Windows Update

On my wife's laptop I have Comodo Firewall (not at paranoid settings), and H_C with a lot of sponsors enabled. I don't hear any complaints, and I see no conflicts.
CFW at non-paranoid settings has two basic weaknesses: the list of approved software and vendors is fallible, and the vulnerable process protection is weak. I solve both problems with H_C.

I mean this, I wanna use it with CF at CS settings,

I did ask for H_C settings
 

shmu26

I mean this, I wanna use it with CF at CS settings,

I did ask for H_C settings
I suggest running H_C at the settings that are recommended for Avast hardened mode/aggressive. There is a special button for this, in the file whitelist section (allow exe and tmp). As Andy said, it is not really needed, but if you want to, that is a good way to do it.
 

Andy Ful

I suggest running H_C at the settings that are recommended for Avast hardened mode/aggressive. There is a special button for this, in the file whitelist section (allow exe and tmp). As Andy said, it is not really needed, but if you want to, that is a good way to do it.
You can simply load the profile:
WIndows_10_Avast_Hardened_Mode_Aggressive.hdc
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,247
@Andy Ful - Can you explain this for me please? Is this going to interfere with Windows updates?

I get the feeling sometimes that while EV shows various WD blocks, the operations actually proceed. :unsure:
At least WD PUP protection is actually classifying rempl aka forced WU crap as PUPs.
You're better off w/o that forced update feeding program. I always install only offline updates and no microcode patches or any other so called "Enhanced Reliability" thing which will be the main reason Win 10 breaks.
 

Andy Ful

Some people complain after installing Windows Setup Remediations Service in Windows 10, especially on using too much system resources.
 

shmu26

Some people complain after installing Windows Setup Remediations Service in Windows 10, especially on using too much system resources.
I think it is basically a tool to help your system get ready for the update to 1809. So users should just go to 1809 already, and get it over with, unless there is a compelling reason not to.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
the results on Malware Hub should be as good as for any decent AV,
AV detects the malicious actions in a smart way :notworthy:
Block by default (SRP/Comodo sandbox) is just blocking the file and no detection in place. I'm not saying it's bad, but we can't compare SRP/Comodo sandbox with AV because it's not fair. SRP is like you never clicked the file.
I myself like Hard_Configurator and the philosophy behind it :oops:
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
I love H_C. I think it's a great program, it's true that it's different from AV but if you understand it well you don't need AV.
To find out if something is bad or good VT helps, and some on-demand scanners in case you're wrong about something.
 

Deleted member 178

AV and SRPs aren't for the same audience anyway.
AVs are generally for average users and those who often install software.
SRPs are for skilled users and those with static systems (like in enterprises).

That is the reason why business versions of AVs like Symantec often include some SRP-style modules.
 

Andy Ful

AV detects the malicious actions in a smart way :notworthy:
Yes. The AVs are also more universal, because they can be used in organizations, too. The H_C settings (for SRP) intentionally do not block administrative processes, so they can be a strong protection only in the home environment.

Yet, in my opinion the 'smart way' of most AVs, is adjusted not to home users, but for all users (including organizations and businesses). That is why the AVs do not block some Windows features, which are hard to protect like scripting, remote features, and SMB protocols.
In the home environment the 'smart way' would be blocking by default those features with some exclusions. (y)(y)
 

Andy Ful

The icons for the new version of H_C:

[Image: 1547592670409.png]
 

Andy Ful

Stylish! :) What else is new in the new version?
When installing H_C, the user will be asked to uninstall Bash (Linux subsystem) and PowerShell 2.0. The user will also be asked to make the System Restore Point separately from whitelisting Autoruns entries (useful when roll up software is installed). Those improvements were proposed/discussed by @Lockdown and @shmu26.

I am working/playing for some time with the mix of H_C and SysHardener. It is called Casual User Protection (CUP), and will be similar to the H_C profile for Avast Hardened Aggressive mode (EXE and TMP files allowed). The CUP is similar to the idea of Simple Stupid Security.
Q&A - Simple Stupid Security vs. free AV
For now I plan 5 options:
<SmartScreen>
<Casual User Protection>
<Windows Defender high settings>
<Firewall hardening>
<Blocked Interpreters Log>

The applied restrictions:
  1. SmartScreen set to Block + installation of RunBySmartScreen.
  2. SRP default-deny. Allowed EXE, TMP, and MSI (.msi --> changed file association Msi.Package -> RunBySmartScreen).
  3. Documents Anti-Exploit (blocked macros in MS Office and Adobe Acrobat Reader XI/DC hardening).
  4. Blocked Outbound & Inbound Internet connections for predefined not blocked Interpreters: mshta.exe, hh.exe, mmc.exe, etc. and some other system executables like bitsadmin.exe, etc.
  5. Blocked Outbound & Inbound Internet connections for predefined vulnerable applications: MS Office, Adobe Acrobat Reader, etc.
  6. PowerShell set to Constrained Language Mode (PSLockdown policy) + Blocked script exec + blocked by path powershell.exe and powershell_ise.exe via HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.
  7. Blocked Windows Script Host (registry tweak) + blocked wscript.exe, cscript.exe via 'Image File Execution Options' (for logging).
  8. Blocked: SMB protocols, Remote Desktop, Remote Assistance, Remote Registry, and Remote Shell.
  9. Uninstall PowerShell 2.0 and Bash (if installed).
  10. Change the network profile to Public.
The options 1-7 can be turned ON/OFF without Logging Off.
Points 7-10 and RunBySmartScreen are applied when installing CUP, and set to default Windows settings when uninstalling.
The user can use the last option (<Blocked Interpreters Log>) to check if any Windows scripts or PowerShell commands were blocked. If nothing important is blocked, then the CUP settings can be safely applied.

I am experimenting with CUP - I am not quite sure, if such application will be useful. We will see.
 
Last edited:
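
A read-only way to verify items 7-10 of the list above, as an added example that is not part of the original post and is not Hard_Configurator code. The registry values, service name and feature names are assumptions: they are the standard Windows switches for each item, and the post does not say which ones CUP actually sets.

```powershell
# Added example: read-only audit for items 7-10 of the list above. Not H_C/CUP code.
# ASSUMPTION: the registry values, service and feature names are the standard Windows
# switches for each item; the post does not say which ones CUP actually sets.
# Run elevated in Windows PowerShell 5.1 while restriction 6 is switched off.

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is missing, instead of an error.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-Setting([int]$Item, [string]$Setting, $Actual, $Expected) {
    # Compare as strings so REG_SZ "0" and REG_DWORD 0 are treated alike.
    [pscustomobject]@{
        Item = $Item; Setting = $Setting; Actual = "$Actual"; Expected = "$Expected"
        Pass = ("$Actual" -eq "$Expected")
    }
}

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$cs   = 'HKLM:\SYSTEM\CurrentControlSet'
$smb  = Get-SmbServerConfiguration
$net  = (Get-NetConnectionProfile | Select-Object -ExpandProperty NetworkCategory -Unique) -join ','

$report = @(
    Test-Setting 7 'WSH Enabled value' (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled') 0
    foreach ($exe in 'wscript.exe', 'cscript.exe') {
        # An IFEO "Debugger" value redirects every launch of the named image.
        Test-Setting 7 "IFEO Debugger set for $exe" ([bool](Get-RegValue "$ifeo\$exe" 'Debugger')) $true
    }
    Test-Setting 8 'SMB1 server enabled' $smb.EnableSMB1Protocol $false
    Test-Setting 8 'SMB2/3 server enabled' $smb.EnableSMB2Protocol $false
    Test-Setting 8 'RDP fDenyTSConnections' (Get-RegValue "$cs\Control\Terminal Server" 'fDenyTSConnections') 1
    Test-Setting 8 'Remote Assistance fAllowToGetHelp' (Get-RegValue "$cs\Control\Remote Assistance" 'fAllowToGetHelp') 0
    Test-Setting 8 'RemoteRegistry start type' (Get-Service RemoteRegistry).StartType 'Disabled'
    Test-Setting 8 'WinRS AllowRemoteShellAccess' (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' 'AllowRemoteShellAccess') 0
    foreach ($f in 'MicrosoftWindowsPowerShellV2Root', 'Microsoft-Windows-Subsystem-Linux') {
        Test-Setting 9 "Feature $f" (Get-WindowsOptionalFeature -Online -FeatureName $f).State 'Disabled'
    }
    Test-Setting 10 'Network category' $net 'Public'
)

$report | Format-Table -AutoSize
"{0} of {1} checks differ from the expected value" -f @($report | Where-Object { -not $_.Pass }).Count, $report.Count
```

A blank Actual column means the value is not set at all, which for the policy-style keys is the Windows default rather than the hardened state.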

ForgottenSeer 72227

This is awesome. I would definitely switch with these changes and I could remove SysHardener as it will have the benefits of both programs all in one :)
 
