Here is the FAQ (beta version).
It is rather long, but if someone could read it, it could be improved.
Acronyms used in the FAQ:
H_C - Hard_Configurator
SRP - Software Restriction Policies (Windows built-in)
UAC - User Account Control
SUA - Standard User Account
H_C default-deny setup - a selection of Windows built-in policies and security settings which restrict Windows, MS Office, and Adobe Acrobat Reader via smart default-deny protection. The protection is configured via the H_C application, which also shows the actual state of the applied restrictions. The real-time protection comes from Windows built-in security features and is independent of the H_C application.
What is default-deny protection?
It allows already installed applications and system processes to run, but blocks by default all new executables (even non-malicious ones).
Every new executable first has to be whitelisted by the user in order to run. It is the user's responsibility to whitelist only safe files.
What is the smart-default-deny setup?
It allows some new executables to run without whitelisting, bypassing default-deny protection in a safe way.
The smart features make the default-deny setup more usable without lowering the protection level in the home environment.
Three smart features were adopted in the H_C default-deny setup:
- Forced SmartScreen (Administrator rights), which is activated by the setting <Run As SmartScreen> = Administrator.
- SRP set to block only those executables which are going to run with standard user rights (or lower).
- Some file locations whitelisted by default (the SystemSpace): the folders below and their subfolders: C:\Windows, C:\Program Files, C:\Program Files (x86) (only on 64-bit Windows), C:\ProgramData\Microsoft\Windows Defender.
Some files in C:\Windows can be blacklisted by the user via the <Block Sponsors> settings.
Are the smart features safe?
They are pretty safe in the home environment against malware in the wild.
In enterprises, however, the smart features can be bypassed by targeted attacks. Also, some important restrictions, such as blocking remote features, cannot be applied in enterprises.
What are the standard user rights?
Since Windows Vista, the execution of applications and processes has been restricted by User Account Control (UAC). The UAC restrictions apply both to the Administrator account (the default account type) and to the Standard User Account (SUA). Executables started by the user initially get only standard user rights. An executable can sometimes ask for Administrator rights, in which case the UAC prompt appears and the user has to manually accept it or cancel the action.
Can H_C default-deny setup block system processes, Windows Updates, and system scheduled tasks?
No, it cannot. System processes, Windows Updates, and system scheduled tasks are not started directly by the user. Furthermore, they run with higher than standard user rights, so they automatically bypass the SRP restrictions used in the H_C default-deny setup.
Is it safe to whitelist the SystemSpace?
It is pretty safe in the default-deny setup. Those locations are usually not writable with standard user rights. There are some known exceptions, but they are blocked in H_C by the <Protect Windows Folder> setting. An exploit or malware running with standard user rights cannot silently drop payloads into the SystemSpace.
What is the UserSpace?
It contains every file location that is not in the SystemSpace. Those locations are usually writable by any process running with standard user rights; the only restrictions follow from the isolation of user profiles. In the default-deny setup, any executable in the UserSpace is blocked by default unless it is whitelisted.
Do all applications install in the SystemSpace?
They should, and Microsoft recommends it. In practice, though, some legitimate applications still install into folders in the UserSpace. Such applications have to be whitelisted manually by the user. If the user wants to install many such applications, default-deny protection is rather inconvenient.
Is SUA more secure than Administrator account?
Yes, it is. Malware or an exploit cannot run with Administrator rights on a SUA; it first has to escape from the SUA to one of the Administrator accounts. Most malware samples are not prepared to do that, and Microsoft usually patches the rare system vulnerabilities which could allow escaping from a SUA. The H_C default-deny setup relies on blocking applications running with standard user rights, so a SUA is an ideal companion to H_C.
A SUA should be considered a security solution when using a vulnerable system or popular and vulnerable software.
It is not necessary to use a SUA on a well-updated Windows 10 with updated software and the H_C default-deny setup. Such a setup is already a dead end for malware and exploits in the home environment.
Does Forced SmartScreen work well on SUA?
Yes, if the application installs into the SystemSpace (usually C:\Program Files). There can be a problem if it installs into the UserSpace. Why? Because in the default-deny setup Forced SmartScreen uses Administrator rights, so the application will usually be installed in the Administrator profile, even when the installation was started from the SUA. The user on the SUA cannot access the Administrator profile, so will not be able to run that application either. In such a case, the user has to turn OFF default-deny protection for a while and reinstall the application normally (without Forced SmartScreen).
How to install applications on SUA?
- Run the application installer by using the "Run As SmartScreen" option from the Explorer right-click context menu.
- Choose the custom configuration in the application installer to see the default installation folder.
- If it is in the Administrator profile, cancel the installation. If not, install the application and skip the remaining points.
- Use 'Switch Default-Deny' to turn the protection OFF temporarily.
- Install the application normally (by left-clicking it or pressing the Enter key).
- Whitelist the application in the UserSpace.
- Use 'Switch Default-Deny' to turn the protection back ON.
Why are the Recommended H_C settings a good starting setup?
The user should first try the Recommended settings to get accustomed to the H_C restrictions, and should be confident that everything works well in that setup before going further. The Recommended settings are strong enough to keep malware away, yet not so demanding that users are put off from adding more protection later.
Who can consider applying advanced H_C settings?
The Recommended H_C settings provide preventive protection: they are suited to preventing malware from running in the system.
The advanced H_C settings add some mitigations for the case when malware or an exploit is already running in the system. So, when using well-patched software on an updated Windows 10, the advanced settings are not required; otherwise, the user can consider applying some of them.
Can advanced settings spoil my system?
On most computers, even the maximum H_C settings cannot break anything important in the system. Still, some applications may not be fully functional. Maximum protection usually requires more whitelisting, more log research, etc., which may be annoying for most users. If so, the user should restore the Recommended settings.
How should one apply advanced H_C settings?
A first step could be loading the Recommended_Enhanced profile via the H_C <Load Profile> option.
It is not recommended to activate many advanced settings at once. When using advanced settings, the user should look from time to time at the blocked entries (<Tools><Blocked Events / Security Logs>), because sometimes there is no alert when a process is blocked by Windows policies.
What is the difference between the Recommended_Enhanced profile and Recommended settings?
The Recommended_Enhanced profile is set by loading the file Windows_*_Recommended_Enhanced.hdc, where the asterisk stands for the Windows version (7, 8, or 10). This applies the Recommended settings and additionally blocks some popular Sponsors (including Script Interpreters).
What is a Sponsor?
A Sponsor is an executable from the SystemSpace (usually from C:\Windows) that can be used by an attacker to bypass default-deny protection. Sponsors are frequently used in targeted attacks on organizations and businesses, especially via exploits. Blocking some Sponsors in the home environment can be important for people who use a vulnerable system or vulnerable software. In the H_C default-deny setup (Recommended settings), the Windows Script Host Sponsors (wscript.exe and cscript.exe) are forbidden by SRP, and the PowerShell Sponsors (powershell.exe and powershell_ise.exe) are restricted by Constrained Language mode. Those Sponsors are the most popular examples of Script Interpreters. Some other Interpreters (mshta.exe, hh.exe, wmic.exe, scrcons.exe) can be blocked in H_C via the <Block Sponsors> option. Unfortunately, some of them can also (rarely) be used by older software related to peripherals. Sporadically, a few applications and web browser plugins use Interpreters for some actions.
In H_C, the Sponsors are blocked for processes running with standard user rights, but allowed for administrative processes running with higher rights.
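The FAQ says that H_C shows the actual state of the applied restrictions, and that SRP blocks only standard-user processes while Sponsors such as wscript.exe are forbidden by SRP and PowerShell is held in Constrained Language mode. Below is an added example (my own, not code from the FAQ or from Hard_Configurator) that reads the same SRP state directly from the registry and translates it into the FAQ's terms. The registry path and the meanings of DefaultLevel, PolicyScope, TransparentEnabled and ExecutableTypes are the documented Windows SRP settings; two things are this example's assumptions rather than statements from the FAQ: that "PolicyScope = 1" (all users except local administrators) is what the FAQ calls blocking only standard-user processes, and that Constrained Language mode may have been applied through the system-wide __PSLockdownPolicy environment variable.

```powershell
# Added example, not part of the FAQ or of Hard_Configurator: read the SRP state that the
# H_C default-deny setup relies on directly from the registry and decode it.
# Assumptions (not stated by the FAQ): PolicyScope = 1 is the FAQ's "only standard-user
# processes are blocked"; __PSLockdownPolicy = 4 is one way Constrained Language mode is set.

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, keyed by the decimal subkey name SRP uses under CodeIdentifiers.
$SrpLevels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpState {
    if (-not (Test-Path -Path $SrpKey)) {
        return [pscustomobject]@{ Present = $false; Note = 'No SRP policy in the registry' }
    }
    $p = Get-ItemProperty -Path $SrpKey

    $default = if ($SrpLevels.ContainsKey([int]$p.DefaultLevel)) { $SrpLevels[[int]$p.DefaultLevel] }
               else { "Unknown ($($p.DefaultLevel))" }
    $scope = switch ($p.PolicyScope) {
        0       { 'All users, administrators included' }
        1       { 'All users except local administrators (assumed: the FAQ''s standard-user-only blocking)' }
        default { "Unknown ($($p.PolicyScope))" }
    }
    $enforcement = switch ($p.TransparentEnabled) {
        0       { 'Not enforced' }
        1       { 'All software files except libraries (DLLs)' }
        2       { 'All software files, DLLs included' }
        default { "Unknown ($($p.TransparentEnabled))" }
    }

    [pscustomobject]@{
        Present         = $true
        DefaultLevel    = $default                        # 'Disallowed' is default-deny
        PolicyScope     = $scope
        Enforcement     = $enforcement
        ExecutableTypes = ($p.ExecutableTypes -join ' ')  # designated file types SRP treats as executable
    }
}

# Additional path rules: one GUID subkey per rule under <level>\Paths, with the pattern in ItemData.
function Get-SrpPathRules {
    foreach ($levelId in $SrpLevels.Keys) {
        $pathsKey = Join-Path -Path $SrpKey -ChildPath "$levelId\Paths"
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level       = $SrpLevels[$levelId]
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
}

# Sponsors named in the FAQ; a Disallowed path rule for one of them is a blocked Sponsor.
$Sponsors = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'hh.exe', 'wmic.exe', 'scrcons.exe'

function Get-BlockedSponsors {
    Get-SrpPathRules |
        Where-Object { $_.Level -eq 'Disallowed' } |
        Where-Object { $leaf = Split-Path -Path $_.Path -Leaf; $Sponsors -contains $leaf }
}

function Get-PowerShellLockdown {
    # Machine-wide environment variables live under this key; reading it works even in
    # Constrained Language mode, where many .NET static calls are not allowed.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $lockdown = (Get-ItemProperty -Path $envKey -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue).__PSLockdownPolicy
    [pscustomobject]@{
        CurrentLanguageMode   = "$($ExecutionContext.SessionState.LanguageMode)"  # 'ConstrainedLanguage' is what the FAQ describes
        MachineLockdownPolicy = $lockdown                                          # assumption: 4 means Constrained Language
    }
}

Get-SrpState | Format-List
Get-BlockedSponsors | Format-Table -AutoSize
Get-PowerShellLockdown | Format-List
```

Reading HKLM does not need elevation, so this can be run from the SUA the FAQ recommends. Whether a saved .ps1 in the UserSpace is itself blocked depends on the designated file types, which is exactly what ExecutableTypes shows; if it is, paste the code into an interactive PowerShell window instead.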
Can wildcards be used for whitelisting files and folders?
Yes, they can. Here are some examples, where the random characters are replaced by wildcards to whitelist a particular EXE file:
C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe
C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_*.exe
All those rules are correct; the ones with wildcards (all except the first) will keep the EXE file whitelisted even when the random numbers change after some time. The last rule is the most general, and therefore the most risky, because it also whitelists many other files and folders, for example:
C:\Users\Alice\Fly2theMoon\App.malware\setup_virus.exe
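To see which of the rules above match which paths, here is an added example (mine, not from the FAQ or from Hard_Configurator). SRP path rules accept the "*" and "?" wildcards and compare paths case-insensitively, which is also how PowerShell's -like operator behaves, so -like stands in here for the SRP matcher; that equivalence is this example's assumption. The four rules and the first path are the FAQ's own; the other three paths are constructed for the demonstration.

```powershell
# Added example, not part of the FAQ or of Hard_Configurator: evaluate SRP-style
# path rules against candidate paths. -like is assumed to behave like the SRP
# matcher for "*" (any run of characters) and "?" (exactly one character).

$Rules = @(
    'C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe',  # 1: literal, no wildcards
    'C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe',   # 2: "?" per random digit
    'C:\Users\Alice\Fly2theMoon\App.*\setup_?????????.exe',                   # 3: "*" for the folder suffix
    'C:\Users\Alice\Fly2theMoon\App.*\setup_*.exe'                            # 4: the most general rule
)

$Candidates = @(
    'C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe',  # the FAQ's original file
    'C:\Users\Alice\Fly2theMoon\App.5550123456-778899\setup_202020202.exe',  # constructed: numbers changed
    'C:\Users\Alice\Fly2theMoon\App.malware\setup_virus.exe',                # constructed: the FAQ's warning case
    'C:\Users\Alice\Fly2theMoon\App.malware\evil.exe'                        # constructed: not named setup_*
)

function Test-SrpPathRule {
    param([string]$Rule, [string]$Path)
    # Case-insensitive wildcard match, as SRP path rules are.
    return $Path -like $Rule
}

# One row per candidate path, listing the numbers of the rules that would whitelist it.
function Get-RuleMatrix {
    foreach ($path in $Candidates) {
        $hits = @()
        for ($i = 0; $i -lt $Rules.Count; $i++) {
            if (Test-SrpPathRule -Rule $Rules[$i] -Path $path) { $hits += ($i + 1) }
        }
        [pscustomobject]@{
            Path         = $path
            MatchedRules = if ($hits.Count -gt 0) { $hits -join ',' } else { '(none)' }
        }
    }
}

Get-RuleMatrix | Format-Table -AutoSize
```

Rule 3 still pins the installer name to setup_ plus nine characters, so it does not catch the constructed App.malware\setup_virus.exe path; only rule 4 does, which is the point the FAQ makes about the most general rule. When writing a wildcard rule, keep every part of the path that is stable (here the vendor folder and the setup_ prefix) and use wildcards only where the installer really randomizes characters.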