Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Documents Anti-Exploit (from SwitchDefaultDeny tool) protects MS Office on the particular account - it is not system-wide. If you want its protection on another account, then you must set it on that account. Normally, it does not protect the ReHIPS sandbox (which is a special account), so MS Office works with unblocked settings.
<Documents Anti-Exploit> setting from H_C main window is system-wide, and can protect also MS Office and Adobe Acrobat Reader in the ReHIPS sandbox.

I have that rule disabled, because I already know it doesn't like ReHIPS. Weird.

If you disabled it and did not reboot, then it is OK. But if not, then that is werid, because the rule is still active.

 

[shmu26]

Documents Anti-Exploit protects MS Office on the particular account - it is not system wide. If you want its protection on another account, then you

If you disabled it and did not reboot, then it is OK. But if not, then that is werid, because the rule is still active.

1 I meant that I got prompts due to the documents anti-exploit that is system-wide, the one that is integrated into the main H_C tool. But the separate, user-account-specific tool is not problematic with ReHIPS
2 Yes, weird. Now I am "living on the dangerous side", I have H_C + ReHIPS but no AV. I disabled Windows Defender by GPO, I'll see how that goes.

 

[oldschool]

... Now I am "living on the dangerous side", I have H_C + ReHIPS but no AV. I disabled Windows Defender by GPO, I'll see how that goes.

I'm quite sure there are others going without AV as well, e.g. VoodooShield only, or HMPA only, etc or some combo. Live on the wild side of life once in awhile!
Whatever is comfortable.

 

[shmu26]

Today I installed software for my Logitech wireless mouse, and for some reason, the rule I made didn't work:
C:\ProgramData\Logishrd\*

I needed to add a few specific rules:
C:\ProgramData\Logishrd\LogiOptions\Software\Current\updater.exe
C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOverlay.exe
C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe

 

[Andy Ful]

1 I meant that I got prompts due to the documents anti-exploit that is system-wide, the one that is integrated into the main H_C tool. But the separate, user-account-specific tool is not problematic with ReHIPS
2 Yes, weird. Now I am "living on the dangerous side", I have H_C + ReHIPS but no AV. I disabled Windows Defender by GPO, I'll see how that goes.

If you are using ReHIPS for MS Office applications, then simply turn OFF both system-wide and non-system-wide Documents Anti-Exploit. Next, set the ReHIPS sandbox to block the Internet connection.
I can recommend to add the driver/software logging tool, such as WDAC on audit:
Discuss - Application Control on Windows 10 Home

 

[Andy Ful]

Today I installed software for my Logitech wireless mouse, and for some reason, the rule I made didn't work:
C:\ProgramData\Logishrd\*

I needed to add a few specific rules:
C:\ProgramData\Logishrd\LogiOptions\Software\Current\updater.exe
C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOverlay.exe
C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe

Tested on Windows 10 ver. 1809, and the below rules works for whitelisting the files in C:\ProgramData\Logishrd, and its subfolders:

1. C:\ProgramData\Logishrd
2. C:\ProgramData\Logishrd\*

I made the folder C:\ProgramData\Logishrd, manually and copied executable to C:\ProgramData\Logishrd\LogiOptions\Software\Current\updater.exe. After making one of the above rules and logging OFF from the account, I could run updater.exe .
Could you please do a similar test on your computer with another folder and subfolder? That could show if such rules do not work on your computer, at all.

 

[shmu26]

Tested on Windows 10 ver. 1809, and the below rules works for whitelisting the files in C:\ProgramData\Logishrd, and its subfolders:

1. C:\ProgramData\Logishrd
2. C:\ProgramData\Logishrd\*

I made the folder C:\ProgramData\Logishrd, manually and copied executable to C:\ProgramData\Logishrd\LogiOptions\Software\Current\updater.exe. After making one of the above rules and logging OFF from the account, I could run updater.exe .
Could you please do a similar test on your computer with another folder and subfolder? That could show if such rules do not work on your computer, at all.

Thanks for your help. I did it, and it passed the test. The exclusion rule worked, and updater.exe inside the subfolder executed successfully.
Rule: C:\ProgramData\Test folder\subfolder\*

But I think it's time to restore a system image, too much weirdness lately.

 

[shmu26]

So how common is it for MS Office exploits to use rundll32?
I use MS Office, I open docs that come in through email, and I don't want to enable the ASR rule for block child processes, because then my print-to-fax driver fails.
And SRP doesn't offer protection for rundll32.
On the other hand, I enabled system-wide documents anti-exploit.
Doctor, what are my chances to live to a ripe old age?

 

[Andy Ful]

So how common is it for MS Office exploits to use rundll32?
I use MS Office, I open docs that come in through email, and I don't want to enable the ASR rule for block child processes, because then my print-to-fax driver fails.
And SRP doesn't offer protection for rundll32.
On the other hand, I enabled system-wide documents anti-exploit.
Doctor, what are my chances to live to a ripe old age?

Does your print-to-fax driver work if you have disabled only that one ASR rule? Do you still use ReHIPS?

 

[shmu26]

Does your print-to-fax driver work if you have disabled only that one ASR rule? Do you still use ReHIPS?

1 I have all ASR rules enabled except for child processes and lsass, and the print-to-fax works just fine.
2 I imaged back to a system state without ReHIPS, due to weird behavior on my system. So only H_C + WD right now.

I work in a Standard user account, not admin.

 

[shmu26]

Interim solution: OSArmor at default settings, with a manual block rule for rundll32. It works nicely, except that I need to manually whitelist all the needed command lines.

 

[Andy Ful]

1 I have all ASR rules enabled except for child processes and lsass, and the print-to-fax works just fine.
2 I imaged back to a system state without ReHIPS, due to weird behavior on my system. So only H_C + WD right now.

I work in a Standard user account, not admin.

Could you live with one Admin account for daily tasks + special SUA for MS Office?

 

[shmu26]

Could you live with one Admin account for daily tasks + special SUA for MS Office?

That won't work for me, I need a lot of integration to get things done.

 

[Andy Ful]

Interim solution: OSArmor at default settings, with a manual block rule for rundll32. It works nicely, except that I need to manually whitelist all the needed command lines.

The rundll32 is only one of many possibilities, so blocking it is not a solution. You should rather block the delivery method of malicious DLLs. They can be downloaded by macro or DDE command. They can be also embedded in the document as OLE, etc.
I can see two practical solutions for you (WD high settings + ASR without blocking child + blocked Internet connection for MS Office applications):

1. ReHIPS sandbox for MS Office (blocked Internet in the sandbox), which may be supported by H_C system-wide <Documents Anti-Exploit> = Adobe +VBA.
2. Only H_C (enhanced or more sponsors) with activated both system-wide and non-system-wide <Documents Anti-Exploit>.

Any of them will work for you safely. You can also add Exploit Guard for MS Office applications, but this will require some testing because of your print-to-fax driver.

There is also another possibility via activating your print-to-fax driver by non-MS Office application, and then it should not be blocked by ASR rule when using MS Office. I did it successfully for printing from MS Office with Exploit Guard protection for child processes, which is stronger than ASR. I simply printed first the blank page from Word Mobile, and then I could also print from MS Office.

 

[shmu26]

Only H_C (enhanced or more sponsors) with activated both system-wide and non-system-wide <Documents Anti-Exploit>.

This is basically what I already do. I have almost all sponsors blocked, and I have both kinds of doc anti-exploit.

 

[Andy Ful]

This is basically what I already do. I have almost all sponsors blocked, and I have both kinds of doc anti-exploit.

So, block Internet connection to MS Office applications in the firewall. Consider applying Exploit Guard for MS Office.
Please, do not worry. You have better protection against weaponized documents, than 99,99% people in the world.

 

[shmu26]

You have better protection against weaponized documents, than 99,99% people in the world.

True. And I am also more wary of weaponized documents than your average overworked, underpaid secretary is.
The only big hole I can see in my entire setup is this rundll32 thing, that's why I am obsessing about it.

 

[Andy Ful]

True. And I am also more wary of weaponized documents than your average overworked, underpaid secretary is.
The only big hole I can see in my entire setup is this rundll32 thing, that's why I am obsessing about it.

That big hole, is like a Black Hole - you will never see it in action. With your setup, the rundll32 thing will not be bothered. Your system is probably safer than your home. My advice - stop worrying about your setup. There are probably many other things worth worrying.
By the way, have you ever been infected by the weaponized document?
How many weaponized documents did you encounter in your work?

 

[shmu26]

Today I installed software for my Logitech wireless mouse, and for some reason, the rule I made didn't work:
C:\ProgramData\Logishrd\*

Getting back to this issue, I think the problem was that sometimes SRP needs a full reboot for a rule like that to kick in. Just signing out of the user account isn't always enough, sometimes something gets stuck. This has happened to me before.

 

[Andy Ful]

Getting back to this issue, I think the problem was that sometimes SRP needs a full reboot for a rule like that to kick in. Just signing out of the user account isn't always enough, sometimes something gets stuck. This has happened to me before.

That is a well known procedure. If something does not work as it should, then restarting the system can help.
I like another one, too. The more complicated setup, the more problems.

Edit.
Personally, I like solving problems.