Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Let's suppose that one uses MS Office version, which is not supported by Microsoft (previous to MS Office 2010) and cannot fully apply ASR. In the home environment, the H_C default-deny (enhanced) settings + non-system-wide Documents Anti-Exploit will be required to stop the threats in the wild. But, there is some additional danger, if one is forced to use frequently the documents from the Enterprise. For example, the Enterprise could be under the targeted attack via specially crafted & weaponized document. I can recommend in such situation the below precautions:
  1. Use <Block Sponsors> in H_C (like @shmu26 did).
  2. Block the Internet connection to MS Office applications.
  3. Block the Internet connection to: certutil.exe, cmstp.exe, control.exe, dnscmd.exe, explorer.exe, ie4uinit.exe, rundll32.exe.
The above sponsors can be used to run DLLs directly from a remote server or via other ways like .inf files. There are some others, but they are included already on H_C sponsors lists. The same should be done, if for some reason, the sponsor from H_C settings cannot be blocked directly.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
...
And SRP doesn't offer protection for rundll32. :(
...
That is not quite true. You could set SRP to block DLLs in the UserSpace, by setting:
<Enforcement> = All Files
But, this would make whitelisting more complicated and .NET DLLs would not blocked, anyway.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Let's suppose that one uses MS Office version, which is not supported by Microsoft (previous to MS Office 2010) and cannot fully apply ASR. In the home environment, the H_C default-deny (enhanced) settings + non-system-wide Documents Anti-Exploit will be required to stop the threats in the wild. But, there is some additional danger, if one is forced to use frequently the documents from the Enterprise. For example, the Enterprise could be under the targeted attack via specially crafted & weaponized document. I can recommend in such situation the below precautions:
  1. Use <Block Sponsors> in H_C (like @shmu26 did).
  2. Block the Internet connection to MS Office applications.
  3. Block the Internet connection to: certutil.exe, cmstp.exe, control.exe, dnscmd.exe, explorer.exe, getobject.exe, ie4uinit.exe, rundll32.exe.
The above sponsors can be used to run DLLs directly from a remote server or via other ways like .inf files. There are some others, but they are included already on H_C sponsors lists. The same should be done, if for some reason, the sponsor from H_C settings cannot be blocked directly.
Thanks, Andy. Great post.

It seems that getobject.exe and dnscmd.exe are not installed by default in the Windows directory. A search on my win10 x64 1809 system finds only the flat version of them.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Thanks, Andy. Great post.

It seems that getobject.exe and dnscmd.exe are not installed by default in the Windows directory. A search on my win10 x64 1809 system finds only the flat version of them.
Yes, the executable dnscmd.exe is included in Remote Server Administration Tools, which can be installed as an additional Windows feature in Windows Pro, Education or Enterprise editions.
I have edited my previous post - getobject.exe can be skipped.
 
Last edited:

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
Because of activity of this thread im gonna give H_C another go, over avast. Did clean install over night while sleeping, and now getting to installation part..the main goal is just using WD, because its integrated in windows. My first option was to just use firefox and re:hips, since it cant isolate chrome on free version so i rather just use H_C
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Because of activity of this thread im gonna give H_C another go, over avast. Did clean install over night while sleeping, and now getting to installation part..the main goal is just using WD, because its integrated in windows. My first option was to just use firefox and re:hips, since it cant isolate chrome on free version so i rather just use H_C
Did you have any problems with Avast? H_C + Avast Hardened Aggressive mode is usually easier for users, while still a default-deny protection.
But, H_C + WD is the kind of setup, which is most compatible with Windows.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
H_C + WD is also more reliable than Avast Hardened mode, because Avast needs internet to work. If you download something, and then your internet connection goes flaky when you want to run it, Avast Hardened won't protect you. Also, Avast Hardened only warns you once, it is hard to block it afterward, if you regret your decision to allow it. That's how I remember it, anyway.
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
Did you have any problems with Avast? H_C + Avast Hardened Aggressive mode is usually easier for users, while still a default-deny protection.
But, H_C + WD is the kind of setup, which is most compatible with Windows.
I had no problems with avast, only the privacy issues in my mind.
I have everything working fine except the game client i play on, i have whitelisted everything correctly..but when i run the client and try to turn GPU-plugin on i just run on to endless jogamp_exe train, i add pat*wildcards x2 jogamp_exe but even i whitelist those 2 new jogamp urls, and restart client it will give me another 2 jogamp_exe to whitelist:unsure: I dont bother with this issue really anymore, i just have made settings to game client so it will always run as admin, and the gpu plugin will stay enabled. On below ; red = correct whitelist , Green= endless jogamp_exe when i turn gpu- plugin on, without running client with admin rights

hcproblem.png



The whatsapp problem i fixed by using whatsapp app from windows store, i aswell installed spotify from windows store.

TLDR; everything is working fine, the issue with game client exist, but is fixed by running it as administrator
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I had no problems with avast, only the privacy issues in my mind.
I have everything working fine except the game client i play on, i have whitelisted everything correctly..but when i run the client and try to turn GPU-plugin on i just run on to endless jogamp_exe train, i add pat*wildcards x2 jogamp_exe but even i whitelist those 2 new jogamp urls, and restart client it will give me another 2 jogamp_exe to whitelist:unsure: I dont bother with this issue really anymore, i just have made settings to game client so it will always run as admin, and the gpu plugin will stay enabled. On below ; red = correct whitelist , Green= endless jogamp_exe when i turn gpu- plugin on, without running client with admin rights

View attachment 207965


The whatsapp problem i fixed by using whatsapp app from windows store, i aswell installed spotify from windows store.

TLDR; everything is working fine, the issue with game client exist, but is fixed by running it as administrator
Your rules for the executable jogamp_exe are ineffective, because the plugin runs it with random numbers, so the name of the file changes constantly. You have to use something like the below:
  1. c:\users\Joni\jogamp_exe_tst???????????????????.exe
  2. c:\users\Joni\jogamp_exe_tst*.exe
In the first example, every question mark replaces the digit in the random number, so 19 question marks should be used.
In the second example the whole random number is replaced by the asterisk.(y)
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
Your rules for the executable jogamp_exe are ineffective, because the plugin runs it with random numbers, so the name of the file changes constantly. You have to use something like the below:
  1. c:\users\Joni\jogamp_exe_tst???????????????????.exe
  2. c:\users\Joni\jogamp_exe_tst*.exe
In the first example, every question mark replaces the digit in the random number, so 19 question marks should be used.
In the second example the whole random number is replaced by the asterisk.(y)
Well that makes sense, thanks. Its 3rd party client, not official one and the developer has posted recommendation to just run it as administrator, since the problem exist on many others so i just rather run it as admin now anyways since it works
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
My first option was to just use firefox and re:hips, since it cant isolate chrome on free version so i rather just use H_C
Even with Firefox, you will be close to the demo limit, if you use the modern, multi-process Firefox, and you will soon go over the limit.
But IMHO, a secure browser like Chrome doesn't need isolation. It's overkill. You can run ReHIPS demo, and configure Chrome to run out of isolation.
Off-topic!
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Well that makes sense, thanks. Its 3rd party client, not official one and the developer has posted recommendation to just run it as administrator, since the problem exist on many others so i just rather run it as admin now anyways since it works
It is not recommended to run applications as administrator, except when the administrator rights are required (like in the case of most installers). It seems to me that the plugin can be run without admin rights, so whitelisting it would be the right thing.(y)
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
I did the above, when i run client it takes around 30 secs (?) to fully run but then it works normally. Without having to run it as administrator rights. Should i still be worried about the spam it makes on logs?

log123.png


Btw as stupid as it sounds i also whitelisted; C:\Users\Joni\.jogamp_????\jogamp_exe_tst???????????????????.exe


Edit: i did read from this thread earlier sometimes its required to restart computer for changes to turn on, i just did that and now the client works as it should :unsure:(y)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top