Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
SRP and Bouncer can be used as a default deny because they can distinguish a DLL with a changed extension (for example, malware.dat) from a non-executable file with the same name and extension (malware.dat). FIDES cannot do it. It would hardly be possible (or maybe only with much effort) to use FIDES as default-deny in UserSpace.
Ah, you are not talking about LOLBins, you are talking about malicious DLLs downloaded with a false extension, and FIDES will not even know it is a DLL. That makes sense.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I would not recommend this. Both options "Run As SmartScreen" and "Run as administrator" can be easily confused, and then you will run the unsafe file via "Run as administrator" without SmartScreen check.
The new icon for Run as SmartScreen actually helps for this issue. The bright green color catches my eye and pulls me away from the more boring Run as Administrator. The more that icon stands out, the better it is, as far as I am concerned.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful

Two questions:
  1. Unless I am overlooking something, I can't find FSC.exe in the list of SPONSORS (it is the F-sharp compiler; when you block C-sharp, you might as well block this too).

  2. With the "Allow EXE and TMP" option, why not use the cloud feature as a whitelist?
 

Andy Ful (Thread author)
The C# compiler is installed with .NET Framework, so it is a part of the Windows system. The F# compiler has to be installed by the user as an external programming language, usually as a part of Visual Studio. It seems that blocking F# would not be welcome.

The whitelisting option 'Allow EXE and TMP' was initially prepared for Avast Hardened Mode Aggressive as a kind of default-deny setup.
This option can be used with any executable reputation service, and also with WD Cloud Protection Level set to Block + ASR rule:
"Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
 

Andy Ful (Thread author)
@Andy Ful

Some additional feature requests for Hard_Configurator
a) Disable CMD and Scripts
b) Align HighRiskFileTypes (for mail & attachments) with the Designed File Types of SRP.
c) Disable remote access and shared desktop
You can already disable CMD and Scripts in H_C.
H_C blocks Remote Desktop (remote access), Remote Registry, and Remote Shell by default.
Windows Desktop Sharing (for Vista and higher versions) is a part of Remote Desktop.

For now, those HighRiskFileTypes are included in RunBySmartScreen. Most of them are related to MS Office, and they are protected by Documents Anti-Exploit in H_C or Switch Default Deny tool. But anyway, I could add the 'Paranoid' set of extensions to <Designated File Types> in H_C. (y)
 

Fel Grossi

Level 13
Verified
Top Poster
Well-known
Jan 17, 2014
627
Hello! I have good habits of use on the web and an average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites; I practically do not make payments / transactions over the computer. I leave WD disabled, only CF using 19 MB of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:
 

Andy Ful (Thread author)
Hello! I have good habits of use on the web and an average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites; I practically do not make payments / transactions over the computer. I leave WD disabled, only CF using 19 MB of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:
The problem with people who were never infected is similar to people who were never victims of a traffic accident. You cannot be sure if this is due to safe habits or luck.
The second example can be house contents insurance. You could ask, should I pay for such insurance if I never had an occasion to use it? I do not know.... There are many people who probably die first, and will never benefit from such insurance.

I think that users who know what vectors of attack are not covered by such a setup (only CF proactive), and are cautious enough, might use it without a problem. They are not 100% safe, but there are many other, more dangerous things that can happen.
Anyway, such a setup is not recommended for average users.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hello! I have good habits of use on the web and an average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites; I practically do not make payments / transactions over the computer. I leave WD disabled, only CF using 19 MB of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:
Try enabling Windows Defender, and see if it bothers you. It has improved a lot. If it still bothers you, disable it again. You lose nothing by trying.
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,233
From time to time I work on the new icons (the last two are new to compare with the first one):

View attachment 214144

I tried to use half-spheres (for the new icons) to mimic the letters C and D.
They are beautiful, but I'm still more into the square ones like the one for Configure Defender below:

 

Andy Ful (Thread author)
I published the Firewall Hardening tool on GitHub:
What it can do:
  1. Block (predefined) LOLBins which use outbound Internet connections in attacks.
  2. Block outbound Internet connections of MS Office applications and Adobe Acrobat Reader.
  3. Block the outbound Internet connection of any application chosen by the user.
  4. Turn ON logging of blocking events.
  5. Display blocked events.

It works, but I did not include the Help text, so please ask if something is not clear. The questions will help me to write the final Help text.

Edit.
The new firewall rules work after restarting Windows.
 
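The five functions listed above (block rules for LOLBins, Office and Acrobat Reader, a user-chosen program, audit logging, and a blocked-events view) map directly onto built-in Windows tooling. The script below is an added example and is not the Firewall Hardening tool's own code; it assumes an elevated PowerShell on Windows 10/11, and the LOLBin selection and the Office/Acrobat paths are illustrative assumptions, not the tool's predefined list:

```powershell
# Added example (not the Firewall Hardening tool's code). Run from an elevated PowerShell.
# Program paths and the LOLBin selection below are assumptions for illustration.

$RuleGroup = 'H_C demo outbound blocks'   # tag so the rules can be listed/removed together

# 1-3: outbound block rules for chosen programs (LOLBins, Office, Acrobat Reader, user choice)
$Programs = @{
    'Block outbound mshta'    = "$env:SystemRoot\System32\mshta.exe"
    'Block outbound certutil' = "$env:SystemRoot\System32\certutil.exe"
    # Office and Acrobat paths differ per installation; these are assumed locations
    'Block outbound WINWORD'  = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    'Block outbound Acrobat'  = 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'
}

function Add-OutboundBlockRule {
    param([string]$DisplayName, [string]$Program)
    if (-not (Test-Path $Program)) { Write-Warning "skipping $DisplayName, $Program not found"; return }
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $DisplayName -Group $RuleGroup -Direction Outbound `
        -Action Block -Program $Program -Profile Any -Enabled True | Out-Null
}
foreach ($entry in $Programs.GetEnumerator()) { Add-OutboundBlockRule $entry.Key $entry.Value }

# 4: log blocked connections as Security event 5157 (subcategory "Filtering Platform Connection",
#    failure audit). The GUID form of the subcategory name is locale independent.
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /failure:enable | Out-Null

# 5: show recent blocked outbound connections in the same field layout the tool prints.
#    Direction %%14593 = outbound, %%14592 = inbound; Protocol 6 = TCP, 17 = UDP.
function Get-BlockedOutbound {
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                LocalTime   = $_.TimeCreated
                ProcessId   = $data.ProcessId
                Application = $data.Application   # raw device path, e.g. \device\harddiskvolumeN\...
                Direction   = if ($data.Direction -eq '%%14593') { 'Outbound' } else { 'Inbound' }
                DestAddress = $data.DestAddress
                DestPort    = $data.DestPort
                Protocol    = $data.Protocol
                FilterRTID  = $data.FilterRTID
            }
        } | Where-Object Direction -eq 'Outbound'
}
Get-BlockedOutbound | Format-Table -AutoSize

# Undo everything this script added:
# Remove-NetFirewallRule -Group $RuleGroup
```

Grouping the rules under one `-Group` name is the design choice worth copying: it keeps the hardening rules distinguishable from the rules other software installs, and a single `Remove-NetFirewallRule -Group` takes them all out again. Event 5157 is only written after the failure audit is enabled, which matches the "rules work after restart" note: connections blocked before auditing was on leave no trace.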

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,233
I published the Firewall Hardening tool on GitHub:
What it can do:
  1. Block (predefined) LOLBins which use outbound Internet connections in attacks.
  2. Block outbound Internet connections of MS Office applications and Adobe Acrobat Reader.
  3. Block the outbound Internet connection of any application chosen by the user.
  4. Turn ON logging of blocking events.
  5. Display blocked events.
View attachment 214157

It works, but I did not include the Help text, so please ask if something is not clear. The questions will help me to write the final Help text.
Could/should we use this tool next to Hard Configurator?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
Could/should we use this tool next to Hard Configurator?
It would be a part of Hard_Configurator. The option <Recommended H_C> is prepared for the usual H_C recommended settings. The LOLBins option can block all SysHardener entries and some other important LOLBins which can run code from remote locations.
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,233
It would be a part of Hard_Configurator. The option <Recommended H_C> is prepared for the usual H_C recommended settings. The LOLBins option can block all SysHardener entries and some other important LOLBins which can run the code from the remote locations.
Okay thanks. Added LOLBins, MS Office and Recommended.
In blocked events I see Kaspersky Free Antivirus:
Code:
Local Time:  2019/05/25 18:50:21
ProcessId:  4640
Application:  C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction:  Outbound
SourceAddress:  192.168.178.171
SourcePort:  49750
DestAddress:  88.221.144.67
DestPort:  80
Protocol:  6
FilterRTID:  68333
LayerName:  %%14611
LayerRTID:  48
How to unblock/allow Kaspersky?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
Okay thanks. Added LOLBins, MS Office and Recommended.
In blocked events I see Kaspersky Free Antivirus:
Code:
Local Time:  2019/05/25 18:50:21
ProcessId:  4640
Application:  C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction:  Outbound
SourceAddress:  192.168.178.171
SourcePort:  49750
DestAddress:  88.221.144.67
DestPort:  80
Protocol:  6
FilterRTID:  68333
LayerName:  %%14611
LayerRTID:  48
How to unblock/allow Kaspersky?
It is not blocked by my tool. You have to look at your firewall settings or Kaspersky settings.

...
DestAddress: 88.221.144.67
...
This address belongs to Akamai International B.V. in Italy.
 
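The reply above makes the point that a block event in the viewer is not necessarily a block by this tool: any software that registers its own Windows Filtering Platform filters (a third-party antivirus's network driver, for instance) produces the same 5157 events. The FilterRTID field in the event is what tells them apart. The script below is an added example, not the tool's code, and assumes an elevated PowerShell; the FilterRTID (68333) and the executable name (avp.exe) are taken from the event quoted in this thread and will differ on any other machine:

```powershell
# Added example (not the Firewall Hardening tool's code): resolve a 5157 block event to the
# WFP filter that produced it. Run elevated. The default values are the ones from the event
# pasted in this thread; runtime filter ids change on every reboot, so use a fresh event.
param(
    [int]$FilterRTID = 68333,
    [string]$ApplicationLeaf = 'avp.exe'
)

# Dump the live WFP filter set to XML and pick the item whose runtime filterId matches.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dump" | Out-Null
[xml]$wfp = Get-Content -Raw $dump
$filter = $wfp.SelectSingleNode("//item[filterId='$FilterRTID']")
if ($filter) {
    # A filter created from a Windows Firewall rule carries that rule's display name.
    # Any other name/provider means some other WFP client (e.g. an AV driver) did the blocking.
    [pscustomobject]@{
        FilterRTID  = $FilterRTID
        Name        = $filter.displayData.name
        Description = $filter.displayData.description
        ProviderKey = $filter.providerKey
        Layer       = $filter.layerKey
    } | Format-List
} else {
    Write-Warning "filterId $FilterRTID not present in the current filter set; re-check with a fresh event"
}

# Cross-check: enabled outbound block rules in Windows Firewall whose program is that executable.
# No hit here plus a non-firewall provider above means the firewall (and this tool) is not the cause.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True | ForEach-Object {
    $prog = ($_ | Get-NetFirewallApplicationFilter).Program
    if ($prog -and $prog -ne 'Any' -and ((Split-Path $prog -Leaf) -ieq $ApplicationLeaf)) {
        [pscustomobject]@{ Rule = $_.DisplayName; Group = $_.Group; Program = $prog }
    }
} | Format-Table -AutoSize
```

The second half deliberately matches on the executable's file name only, because rules written by different tools may use `%SystemRoot%`, `%ProgramFiles(x86)%` or an absolute path for the same program, and the event itself reports the path in device form.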
