Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I did the above, when i run client it takes around 30 secs (?) to fully run but then it works normally. Without having to run it as administrator rights. Should i still be worried about the spam it makes on logs?

View attachment 207974

Btw as stupid as it sounds i also whitelisted; C:\Users\Joni\.jogamp_????\jogamp_exe_tst???????????????????.exe


Edit: i did read from this thread earlier sometimes its required to restart computer for changes to turn on, i just did that and now the client works as it should :unsure:(y)
You have done it right. :giggle:
Just look at the blocked events from time to time. If you are certain that a blocked entry should be allowed to run on your computer, then whitelist it. Please remember, if something is blocked out of the blue, then it can be a malware.
 
Last edited:

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
Your rules for the executable jogamp_exe are ineffective, because the plugin runs it with random numbers, so the name of the file changes constantly. You have to use something like the below:
  1. c:\users\Joni\jogamp_exe_tst???????????????????.exe
  2. c:\users\Joni\jogamp_exe_tst*.exe
In the first example, every question mark replaces the digit in the random number, so 19 question marks should be used.
In the second example the whole random number is replaced by the asterisk.(y)

While this answer may seem elementary to some , I am simply amazed at your level of understanding! :notworthy:(y)
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,414
A short walkthrough for beginners.
How to get started.
You have the recommended settings and some profiles for Avast and Windows 10 Recommended Enhanced.
What are the differences? Why choose one of those profiles?
Maybe some troubleshooting, like looking for blocked events? White list by hash/path and the use of * and ? ?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I see your point, the intent of the ASR rule would be to stop other sponsors (script engines) from both executing something they downloaded.

Assumption is we’re discussing the use case of clicking a link file and not having link coverage in SRP - otherwise if we assume that already arbitrary code can be run, then the computer is already compromised, while it’s entire fair to see how to contain the damage , the question I’m trying to address is what is the minimal set of native mechanisms that prevents a compromise
After a minimal set has been determined one can add more layers and see how to mitigate a compromise
In the home environment, the minimal set could be that used in H_C default-deny setup.
  1. Forced SmartScreen (safely bypass SRP in the UserSpace).
  2. Block dangerous file extensions in the UserSpace (SRP).
  3. Block shortcuts (.lnk) via the special rules (SRP)
  4. Block executables in the UserSpace (SRP).
  5. Make SystemSpace not writable (SRP).
  6. Block active content in documents opened by MS Office and Adobe Acrobat Reader.
The above will work on well patched Windows 10 (with Edge) and well updated software. You cannot run unsafe applications, and the dangerous files will not be opened. Also, the system/software is hard to exploit (and run command lines).
Next, you can add more layers, if you want. The first to add will be: blocking the Interpreters, and disabling remote features.
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
In the home environment, the minimal set could be that used in H_C default-deny setup.
  1. Forced SmartScreen (safely bypass SRP in the UserSpace).
  2. Block dangerous file extensions in the UserSpace (SRP).
  3. Block shortcuts (.lnk) via the special rules (SRP)
  4. Block executables in the UserSpace (SRP).
  5. Make SystemSpace not writable (SRP).
  6. Block active content in documents opened by MS Office and Adobe Acrobat Reader.
The above will work on well patched Windows 10 (with Edge) and well updated software. You cannot run unsafe applications, and the dangerous files will not be opened. Also, the system/software is hard to exploit (and run command lines).
Next, you can add more layers, if you want. The first to add will be: blocking the Interpreters, and disabling remote features.

we’re in agreement that with an SRP setup that blocks shortcuts as well the setup works. The question is can it be further simplified without at the same time Blocking lolbins one by one ( with the exception of powershell ).

Would eg

UAC+SRP(without shortcuts)+ASR+Powershell not allowed child processes via Exploit Guard+constrained(+signed only)

suffice as well to prevent an attack that does use shortcuts as the delivery method (just a shortcut, not shortcut + binaries as this would be fairly obvious to most users)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
...
UAC+SRP(without shortcuts)+ASR+Powershell not allowed child processes via Exploit Guard+constrained(+signed only)

suffice as well to prevent an attack that does use shortcuts as the delivery method (just a shortcut, not shortcut + binaries as this would be fairly obvious to most users)
NO. The shortcuts can run scriptlets (not binary files) by using sponsors (mshta.exe, hh.exe, etc.). Those scriptlets can download other scriptlets via PowerShell (ore some other methods) and execute them by sponsors.
Shortcuts has to be protected, because they can run commandlines with sponsors.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Here is the FAQ (beta version).:giggle:
It is rather long, but if someone could read it, then it can be improved.:emoji_pray::giggle:

The acronyms used in FAQ:
H_C - Hard_Configurator
SRP - Software Restriction Policies (Windows built-in)
UAC - User Account Control
SUA - Standard User Account

H_C default-deny setup - selected Windows built-in policies and security settings, which can restrict Windows, MS Office, and Adobe Acrobat Reader via smart default-deny protection. That protection is configurable via H_C application, which also shows the actual state of applied restrictions. The real-time protection comes from Windows built-in security features and is independent of H_C application.

SystemSpace - the below file locations (folders and subfolders) are whitelisted by default C:\Windows, C:\Program Files, C:\Program Files (x86) - only on Windows 64-bit, C:\ProgramData\Microsoft\Windows Defender.

UserSpace - all locations on the user local drives (also USB external drives) which are not in the SystemSpace. This does not include the network locations which are not protected by H_C settings.


What is default-deny protection?
It allows running already installed applications and system processes, but blocks by default all new executables (even non-malicious).
Every new executable has first to be whitelisted by the user, in purpose to run. It is the user's responsibility to whitelist only the safe files.

What is the smart-default-deny setup?
It allows running some new executables without whitelisting, bypassing in a safe way default-deny protection.
The smart features make default-deny setup more usable, without losing the high protection level in the home environment.
There are three smart features, which were adopted in H_C default-deny setup:
  1. Forced SmartScreen (Administrator rights), that can be activated by the setting <Run As SmartScreen> = Administrator.
  2. SRP set to block only those executables which are going to run with standard user rights (or lower).
  3. Whitelisted by default SystemSpace.
    Some files in C:\Windows, can be blacklisted by the user, when using <Block Sponsors> settings.
Are the smart features safe?
They are pretty much safe in the home environment, against the malware in the wild.
Yet, the smart features can be bypassed in Enterprises, because of the targeted attacks. Also, some important restrictions like remote features, cannot be blocked in Enterprises.

What are the standard user rights?
From Windows Vista, the execution of applications and processes is restricted by the User Account Control (UAC). The UAC restrictions apply both to Administrator account (default account) and Standard User account (SUA). The executables started by the user can get first, only the standard user rights. The executable can sometimes ask for Administrator rights, and then the UAC prompt is visible. The user has to manually accept it or cancel the action.

Can H_C default-deny setup block system processes, Windows Updates, and system scheduled tasks?
No, it cannot. The system processes, Windows Updates, and system scheduled tasks are not started directly by the user. Furthermore, they are started with higher than standard user rights, so can automatically bypass SRP restrictions, which are used in H_C default-deny setup.

Is it safe to whitelist the SystemSpace?
It is pretty safe in default-deny setup. Those locations are usually not writable with standard user rights. There are some known exceptions, but they are forbidden in H_C by <Protect Windows Folder> setting. The exploit or malware cannot silently drop the payloads to the SystemSpace, when running with the standard user rights.

What is the UserSpace?
It contains every file locations that are not in the SystemSpace. Those locations can usually be writable by any process running with standard user rights. The only restrictions follow from the isolation of the user profiles. In default-deny setup, any executable in the UserSpace is blocked by default, except when whitelisted.

Do all applications install in the SystemSpace?
They should, and this is recommended by Microsoft. But in practice, some legal applications still install to the folders in the UserSpace. Such applications have to be whitelisted manually by the user. If the user wants to install many such applications, then default-deny protection is rather an inconvenient solution.

Is SUA more secure than Administrator account?
Yes, it is. The malware/exploit cannot run with Administrator rights on SUA - it has first to escape from SUA to one of Administrator accounts. Most malware samples are not prepared to do it, and Microsoft usually patches the rare system vulnerabilities, which could allow escaping from SUA. The H_C default-deny setup relies on blocking the applications running with standard user rights, so SUA is an ideal companion to H_C.
SUA should be considered as a security solution, when using the vulnerable system or the popular & vulnerable software.
It is not necessary to use SUA on well updated Windows 10 with updated software, and H_C default-deny setup. Such a setup is already a dead end for the malware/exploits in the home environment.

Does Forced SmartScreen work well on SUA?
Yes, if the application installs in the SystemSpace (usually in C:\Program Files). There can be a problem if it installs in the UserSpace. Why? Because in default-deny setup, Forced SmartSreen uses Administrator rights, so the application will be usually installed in the Administrator profile - even when the installation was started from SUA. The user on SUA cannot access the Administrator profile, so will not be able to run that application, too. In such a case, the user has to turn OFF default-deny protection for a while, and reinstall the application normally (without Forced SmartScreen).

How to install applications on SUA?
  1. Run the application installer by using "Run As SmartScreen" option from the Explorer right-click context menu.
  2. Choose custom configuration in application installer to see what is the default installation folder.
  3. If it is in the Administrator profile, then cancel the installation. If not, then install the application and skip the below points.
  4. Use 'Switch Default-Deny' to turn OFF temporarily the protection.
  5. Install the application normally (by left mouse-click or pressing the Enter key).
  6. Whitelist the application in the UserSpace.
  7. Use 'Switch Default-Deny' to turn ON the protection.
Why Recommended H_C settings are good as a starting setup?
The user should try first the Recommended settings to get accustomed to H_C restrictions. He/she should be confident that everything works well in that setup. The Recommended settings are strong enough to keep the malware away, and not easy enough to keep users from adding more protection.

Who can consider applying advanced H_C settings?
The Recommended H_C settings can apply preventive protection. They are suited to prevent running the malware in the system.
The advanced H_C settings can apply some additional mitigations, when the malware/exploit is already running in the system. So, when using well-patched software on updated Windows 10, the advanced settings are not required. Otherwise, the user can consider applying some advanced settings.

Can advanced settings spoil my system?
On most computers, even maximum H_C settings cannot break anything important in the system. But anyway, some applications may be not fully functional. The maximum protection usually requires more whitelisting, more logs researching, etc. That may be annoying for most users. If so, then the user should restore the Recommended settings.

How should one apply advanced H_C settings?
The first step could be loading the Recommended_Enhanced profile via H_C <Load Profile> option.
It is not recommended to activate many advanced settings at once. When using advanced settings, the user should look, from time to time, at the blocked entries (<Tools><Blocked Events / Security Logs>). Sometimes, there is no alert when the process is blocked by Windows policies.

What is the difference between the Recommended_Enhanced profile and Recommended settings?
The Recommended_Enhanced profile can be set by loading the file: Windows_*_Recommended_Enhanced.hdc, where the asterisk can be the Windows version (7, 8, or 10). This will introduce the Recommended settings and additionally, some popular Sponsors will be blocked (including Script Interpreters).

What is the Sponsor?
The Sponsor is an executable form the SystemSpace (usually from C:\Windows), that can be used by the attacker to bypass default-deny protection. The sponsors are frequently used in the targeted attacks on organizations and businesses, especially via exploits. Blocking some Sponsors in the home environment, can be important for people who use the vulnerable system/software. In H_C default-deny setup (Recommended settings), Windows Script Host Sponsors (wscript.exe and cscript.exe) are forbidden by SRP, and PowerShell Sponsors (powershell.exe and powershell_ise.exe) are restricted by Constrained Language mode. Those Sponsors are the most popular examples of Script Interpreters. Some other Interpreters (mshta.exe, hh.exe, wmic.exe, scrcons.exe) can be blocked in H_C by <Block Sponsors> option. Unfortunately, some of them can be also (rarely) used by an older software related to pheripherals. Sporadically, a few applications and web browser plugins can use Interpreters for some actions.
In H_C, the Sponsors are blocked for processes running with standard user rights, but allowed for the administrative processes running with higher rights.

Can wildcards be used for whitelisting files and folders?
Yes, they can. Here are some examples, where the random characters are replaced by wildcards to whitelist the particular EXE file:
Code:
C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe
C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_*.exe
C:\Users\Alice\Fly2theMoon\App.*\*
Those rules (except the first) are correct, and the EXE file will be whitelisted even when the random numbers will change after some time. The last rule is most general, because it will whitelist many other files and folders, for example:
C:\Users\Alice\Fly2theMoon\App.malware\virus.js
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
Here is the FAQ (beta version).:giggle:
It is rather long, but if someone could read it, then it can be improved.:emoji_pray::giggle:

The acronyms used in FAQ:
H_C - Hard_Configurator
SRP - Software Restriction Policies (Windows built-in)
UAC - User Account Control
SUA - Standard User Account

H_C default-deny setup - selected Windows built-in policies and security settings, which can restrict Windows, MS Office, and Adobe Acrobat Reader via smart default-deny protection. That protection is configurable via H_C application, which also shows the actual state of applied restrictions. The real-time protection comes from Windows built-in security features and is independent of H_C application.


What is default-deny protection?
It allows running already installed applications and system processes, but blocks by default all new executables (even non-malicious).
Every new executable has first to be whitelisted by the user, in purpose to run. It is the user's responsibility to whitelist only the safe files.

What is the smart-default-deny setup?
It allows running some new executables without whitelisting, bypassing in a safe way default-deny protection.
The smart features make default-deny setup more usable, without losing the high protection level in the home environment.
There are three smart features, which were adopted in H_C default-deny setup:
  1. Forced SmartScreen (Administrator rights), that can be activated by the setting <Run As SmartScreen> = Administrator.
  2. SRP set to block only those executables which are going to run with standard user rights (or lower).
  3. Some file locations whitelisted by default (SystemSpace), like the below folders and subfolders: C:\Windows, C:\Program Files, C:\Program Files (x86) - only on Windows 64-bit, c:\ProgramData\Microsoft\Windows Defender.
    Some files in C:\Windows, can be blacklisted by the user, when using <Block Sponsors> settings.
Are the smart features safe?
They are pretty much safe in the home environment, against the malware in the wild.
Yet, the smart features can be bypassed in Enterprises, because of the targeted attacks. Also, some important restrictions like remote features, cannot be blocked in Enterprises.

What are the standard user rights?
From Windows Vista, the execution of applications and processes is restricted by the User Account Control (UAC). The UAC restrictions apply both to Administrator account (default account) and Standard User account (SUA). The executables started by the user can get first, only the standard user rights. The executable can sometimes ask for Administrator rights, and then the UAC prompt is visible. The user has to manually accept it or cancel the action.

Can H_C default-deny setup block system processes, Windows Updates, and system scheduled tasks?
No, it cannot. The system processes, Windows Updates, and system scheduled tasks are not started directly by the user. Furthermore, they are started with higher than standard user rights, so can automatically bypass SRP restrictions, which are used in H_C default-deny setup.

Is it safe to whitelist the SystemSpace?
It is pretty safe in default-deny setup. Those locations are usually not writable with standard user rights. There are some known exceptions, but they are forbidden in H_C by <Protect Windows Folder> setting. The exploit or malware cannot silently drop the payloads to the SystemSpace, when running with the standard user rights.

What is the UserSpace?
It contains every file locations that are not in the SystemSpace. Those locations can usually be writable by any process running with standard user rights. The only restrictions follow from the isolation of the user profiles. In default-deny setup, any executable in the UserSpace is blocked by default, except when whitelisted.

Do all applications install in the SystemSpace?
They should, and this is recommended by Microsoft. But in practice, some legal applications still install to the folders in the UserSpace. Such applications have to be whitelisted manually by the user. If the user wants to install many such applications, then default-deny protection is rather an inconvenient solution.

Is SUA more secure than Administrator account?
Yes, it is. The malware/exploit cannot run with Administrator rights on SUA - it has first to escape from SUA to one of Administrator accounts. Most malware samples are not prepared to do it, and Microsoft usually patches the rare system vulnerabilities, which could allow escaping from SUA. The H_C default-deny setup relies on blocking the applications running with standard user rights, so SUA is an ideal companion to H_C.
SUA should be considered as a security solution, when using the vulnerable system or the popular & vulnerable software.
It is not necessary to use SUA on well updated Windows 10 with updated software, and H_C default-deny setup. Such a setup is already a dead end for the malware/exploits in the home environment.

Does Forced SmartScreen work well on SUA?
Yes, if the application installs in the SystemSpace (usually in C:\Program Files). There can be a problem if it installs in the UserSpace. Why? Because in default-deny setup, Forced SmartSreen uses Administrator rights, so the application will be usually installed in the Administrator profile - even when the installation was started from SUA. The user on SUA cannot access the Administrator profile, so will not be able to run that application, too. In such a case, the user has to turn OFF default-deny protection for a while, and reinstall the application normally (without Forced SmartScreen).

How to install applications on SUA?
  1. Run the application installer by using "Run As SmartScreen" option from the Explorer right-click context menu.
  2. Choose custom configuration in application installer to see what is the default installation folder.
  3. If it is in the Administrator profile, then cancel the installation. If not, then install the application and skip the below points.
  4. Use 'Switch Default-Deny' to turn OFF temporarily the protection.
  5. Install the application normally (by left mouse-click or pressing the Enter key).
  6. Whitelist the application in the UserSpace.
  7. Use 'Switch Default-Deny' to turn ON the protection.
Why Recommended H_C settings are good as a starting setup?
The user should try first the Recommended settings to get accustomed to H_C restrictions. He/she should be confident that everything works well in that setup. The Recommended settings are strong enough to keep the malware away, and not easy enough to keep users from adding more protection.

Who can consider applying advanced H_C settings?
The Recommended H_C settings can apply preventive protection. They are suited to prevent running the malware in the system.
The advanced H_C settings can apply some additional mitigations, when the malware/exploit is already running in the system. So, when using well-patched software on updated Windows 10, the advanced settings are not required. Otherwise, the user can consider applying some advanced settings.

Can advanced settings spoil my system?
On most computers, even maximum H_C settings cannot break anything important in the system. But anyway, some applications may be not fully functional. The maximum protection usually requires more whitelisting, more logs researching, etc. That may be annoying for most users. If so, then the user should restore the Recommended settings.

How should one apply advanced H_C settings?
The first step could be loading the Recommended_Enhanced profile via H_C <Load Profile> option.
It is not recommended to activate many advanced settings at once. When using advanced settings, the user should look, from time to time, at the blocked entries (<Tools><Blocked Events / Security Logs>). Sometimes, there is no alert when the process is blocked by Windows policies.

What is the difference between the Recommended_Enhanced profile and Recommended settings?
The Recommended_Enhanced profile can be set by loading the file: Windows_*_Recommended_Enhanced.hdc, where the asterisk can be the Windows version (7, 8, or 10). This will introduce the Recommended settings and additionally, some popular Sponsors will be blocked (including Script Interpreters).

What is the Sponsor?
The Sponsor is an executable form the SystemSpace (usually from C:\Windows), that can be used by the attacker to bypass default-deny protection. The sponsors are frequently used in the targeted attacks on organizations and businesses, especially via exploits. Blocking some Sponsors in the home environment, can be important for people who use the vulnerable system/software. In H_C default-deny setup (Recommended settings), Windows Script Host Sponsors (wscript.exe and cscript.exe) are forbidden by SRP, and PowerShell Sponsors (powershell.exe and powershell_ise.exe) are restricted by Constrained Language mode. Those Sponsors are the most popular examples of Script Interpreters. Some other Interpreters (mshta.exe, hh.exe, wmic.exe, scrcons.exe) can be blocked in H_C by <Block Sponsors> option. Unfortunately, some of them can be also (rarely) used by an older software related to pheripherals. Sporadically, a few applications and web browser plugins can use Interpreters for some actions.
In H_C, the Sponsors are blocked for processes running with standard user rights, but allowed for the administrative processes running with higher rights.

Can wildcards be used for whitelisting files and folders?
Yes, they can. Here are some examples, where the random characters are replaced by wildcards to whitelist the particular EXE file:
C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe
C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.\setup_.exe

Those rules (except the first) are correct, and the EXE file will be whitelisted even when the random numbers will change after some time. The last rule is most general, because it will whitelist many other files and folders, for example:
C:\Users\Alice\Fly2theMoon\App.malware\setup_virus.exe

How does H_C deal with desktop shortcuts and start menu shortcuts ?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
How does H_C deal with desktop shortcuts and start menu shortcuts ?
They are whitelisted. If the vulnerable & popular software is used, then there is an option to use Controlled Folder Access to prevent replacing the legal shortcuts by malicious ones. But, such danger is related mainly to targeted attacks.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,414
Here is the FAQ (beta version).:giggle:
It is rather long, but if someone could read it, then it can be improved.:emoji_pray::giggle:

The acronyms used in FAQ:
H_C - Hard_Configurator
SRP - Software Restriction Policies (Windows built-in)
UAC - User Account Control
SUA - Standard User Account

H_C default-deny setup - selected Windows built-in policies and security settings, which can restrict Windows, MS Office, and Adobe Acrobat Reader via smart default-deny protection. That protection is configurable via H_C application, which also shows the actual state of applied restrictions. The real-time protection comes from Windows built-in security features and is independent of H_C application.


What is default-deny protection?
It allows running already installed applications and system processes, but blocks by default all new executables (even non-malicious).
Every new executable has first to be whitelisted by the user, in purpose to run. It is the user's responsibility to whitelist only the safe files.

What is the smart-default-deny setup?
It allows running some new executables without whitelisting, bypassing in a safe way default-deny protection.
The smart features make default-deny setup more usable, without losing the high protection level in the home environment.
There are three smart features, which were adopted in H_C default-deny setup:
  1. Forced SmartScreen (Administrator rights), that can be activated by the setting <Run As SmartScreen> = Administrator.
  2. SRP set to block only those executables which are going to run with standard user rights (or lower).
  3. Some file locations whitelisted by default (SystemSpace), like the below folders and subfolders: C:\Windows, C:\Program Files, C:\Program Files (x86) - only on Windows 64-bit, C:\ProgramData\Microsoft\Windows Defender.
    Some files in C:\Windows, can be blacklisted by the user, when using <Block Sponsors> settings.
Are the smart features safe?
They are pretty much safe in the home environment, against the malware in the wild.
Yet, the smart features can be bypassed in Enterprises, because of the targeted attacks. Also, some important restrictions like remote features, cannot be blocked in Enterprises.

What are the standard user rights?
From Windows Vista, the execution of applications and processes is restricted by the User Account Control (UAC). The UAC restrictions apply both to Administrator account (default account) and Standard User account (SUA). The executables started by the user can get first, only the standard user rights. The executable can sometimes ask for Administrator rights, and then the UAC prompt is visible. The user has to manually accept it or cancel the action.

Can H_C default-deny setup block system processes, Windows Updates, and system scheduled tasks?
No, it cannot. The system processes, Windows Updates, and system scheduled tasks are not started directly by the user. Furthermore, they are started with higher than standard user rights, so can automatically bypass SRP restrictions, which are used in H_C default-deny setup.

Is it safe to whitelist the SystemSpace?
It is pretty safe in default-deny setup. Those locations are usually not writable with standard user rights. There are some known exceptions, but they are forbidden in H_C by <Protect Windows Folder> setting. The exploit or malware cannot silently drop the payloads to the SystemSpace, when running with the standard user rights.

What is the UserSpace?
It contains every file locations that are not in the SystemSpace. Those locations can usually be writable by any process running with standard user rights. The only restrictions follow from the isolation of the user profiles. In default-deny setup, any executable in the UserSpace is blocked by default, except when whitelisted.

Do all applications install in the SystemSpace?
They should, and this is recommended by Microsoft. But in practice, some legal applications still install to the folders in the UserSpace. Such applications have to be whitelisted manually by the user. If the user wants to install many such applications, then default-deny protection is rather an inconvenient solution.

Is SUA more secure than Administrator account?
Yes, it is. The malware/exploit cannot run with Administrator rights on SUA - it has first to escape from SUA to one of Administrator accounts. Most malware samples are not prepared to do it, and Microsoft usually patches the rare system vulnerabilities, which could allow escaping from SUA. The H_C default-deny setup relies on blocking the applications running with standard user rights, so SUA is an ideal companion to H_C.
SUA should be considered as a security solution, when using the vulnerable system or the popular & vulnerable software.
It is not necessary to use SUA on well updated Windows 10 with updated software, and H_C default-deny setup. Such a setup is already a dead end for the malware/exploits in the home environment.

Does Forced SmartScreen work well on SUA?
Yes, if the application installs in the SystemSpace (usually in C:\Program Files). There can be a problem if it installs in the UserSpace. Why? Because in default-deny setup, Forced SmartSreen uses Administrator rights, so the application will be usually installed in the Administrator profile - even when the installation was started from SUA. The user on SUA cannot access the Administrator profile, so will not be able to run that application, too. In such a case, the user has to turn OFF default-deny protection for a while, and reinstall the application normally (without Forced SmartScreen).

How to install applications on SUA?
  1. Run the application installer by using "Run As SmartScreen" option from the Explorer right-click context menu.
  2. Choose custom configuration in application installer to see what is the default installation folder.
  3. If it is in the Administrator profile, then cancel the installation. If not, then install the application and skip the below points.
  4. Use 'Switch Default-Deny' to turn OFF temporarily the protection.
  5. Install the application normally (by left mouse-click or pressing the Enter key).
  6. Whitelist the application in the UserSpace.
  7. Use 'Switch Default-Deny' to turn ON the protection.
Why Recommended H_C settings are good as a starting setup?
The user should try first the Recommended settings to get accustomed to H_C restrictions. He/she should be confident that everything works well in that setup. The Recommended settings are strong enough to keep the malware away, and not easy enough to keep users from adding more protection.

Who can consider applying advanced H_C settings?
The Recommended H_C settings can apply preventive protection. They are suited to prevent running the malware in the system.
The advanced H_C settings can apply some additional mitigations, when the malware/exploit is already running in the system. So, when using well-patched software on updated Windows 10, the advanced settings are not required. Otherwise, the user can consider applying some advanced settings.

Can advanced settings spoil my system?
On most computers, even maximum H_C settings cannot break anything important in the system. But anyway, some applications may be not fully functional. The maximum protection usually requires more whitelisting, more logs researching, etc. That may be annoying for most users. If so, then the user should restore the Recommended settings.

How should one apply advanced H_C settings?
The first step could be loading the Recommended_Enhanced profile via H_C <Load Profile> option.
It is not recommended to activate many advanced settings at once. When using advanced settings, the user should look, from time to time, at the blocked entries (<Tools><Blocked Events / Security Logs>). Sometimes, there is no alert when the process is blocked by Windows policies.

What is the difference between the Recommended_Enhanced profile and Recommended settings?
The Recommended_Enhanced profile can be set by loading the file: Windows_*_Recommended_Enhanced.hdc, where the asterisk can be the Windows version (7, 8, or 10). This will introduce the Recommended settings and additionally, some popular Sponsors will be blocked (including Script Interpreters).

What is the Sponsor?
The Sponsor is an executable form the SystemSpace (usually from C:\Windows), that can be used by the attacker to bypass default-deny protection. The sponsors are frequently used in the targeted attacks on organizations and businesses, especially via exploits. Blocking some Sponsors in the home environment, can be important for people who use the vulnerable system/software. In H_C default-deny setup (Recommended settings), Windows Script Host Sponsors (wscript.exe and cscript.exe) are forbidden by SRP, and PowerShell Sponsors (powershell.exe and powershell_ise.exe) are restricted by Constrained Language mode. Those Sponsors are the most popular examples of Script Interpreters. Some other Interpreters (mshta.exe, hh.exe, wmic.exe, scrcons.exe) can be blocked in H_C by <Block Sponsors> option. Unfortunately, some of them can be also (rarely) used by an older software related to pheripherals. Sporadically, a few applications and web browser plugins can use Interpreters for some actions.
In H_C, the Sponsors are blocked for processes running with standard user rights, but allowed for the administrative processes running with higher rights.

Can wildcards be used for whitelisting files and folders?
Yes, they can. Here are some examples, where the random characters are replaced by wildcards to whitelist the particular EXE file:
Code:
C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe
C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_*.exe
C:\Users\Alice\Fly2theMoon\App.*\*
Those rules (except the first) are correct, and the EXE file will be whitelisted even when the random numbers will change after some time. The last rule is most general, because it will whitelist many other files and folders, for example:
C:\Users\Alice\Fly2theMoon\App.malware\virus.js
Great start with the FAQ (y)
You mention what is UserSpace. Maybe give an example of such a folder/directory
Aso mention what is SystemSpace (I know its covered in "What is the smart-default-deny setup?", but I think it deserves it''s own place in the FAQ.
I would also mention the quick configuration from the manual (possibly save the manual on the website and provide a link to it in the FAQ):
QUICK CONFIGURATION (after the fresh installation).
1. On the first run, let Hard_Configurator make System Restore Point and
check/whitelist autoruns - it costs nothing, and can save you a lot of time
when in trouble.
2. When the above job is done (it can last a few minutes), the Tools window
may be closed, and the main Hard_Configurator window should appear.
3. Press first <Recommended SRP> button, and next <Recommended Restrictions> button to make a quick configuration (the order of pressing the
buttons does matter!).
  1. Use <ConfigureDefender> button to configure advanced Windows Defender settings (if required).
  2. The changes are applied, when pressing <APPLY CHANGES> button.
  3. Read the help files to get info about Hard_Configurator options.
  4. Full information about a program and SRP can be accessed using <Documentation> button (next choose PDF document), available after pressing <General Help> button.
Sorry, the formatting doesn't work well when copying from a pdf to a forumpost...
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Great start with the FAQ (y)
You mention what is UserSpace. Maybe give an example of such a folder/directory
Aso mention what is SystemSpace (I know its covered in "What is the smart-default-deny setup?", but I think it deserves it''s own place in the FAQ.
I would also mention the quick configuration from the manual (possibly save the manual on the website and provide a link to it in the FAQ):

Sorry, the formatting doesn't work well when copying from a pdf to a forumpost...
I edited the FAQ. Added the definitions of the SystemSpace and the UserSpace (as the negation of SystemSpace).
I think that the Quick Configuration could be added as the separate point (not in FAQ). But, we will see.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Maybe I'm going to far with this, but your other projects ConfigureDefender and Run-By-Smartscreen are part of HC.
Do they need to be mentioned in the FAQ?
Forced SmartScreen and ConfigureDefender are explained already on the main webpage. Run By SmartScreen can be used in the H_C default-deny setup only in the very specific config.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
I have had two unusual experiences today. I got the infamous "SmartScreen is not available" message when executing an installer via RAS. This happened once only.

Issue #2: Upon executing an installer via RAS, I am receiving a brief visual of the Windows Store trying to connect, then disappearing almost immediately. This is followed by the expected UAC prompt. Might this be a Windows bug, some corrupted system files, or.... ? Very strange. :unsure:
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
Issue #2 happened several times today while test-installing different software. I am no longer seeing this issue. (y)

"Very strange, (music playing … ), so very strange, must be the season of the witch … yea-ah, … must be the season of the witch. (music fades … )" Lyrics courtesy of Donovan Leitch. :cool:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top