shmu26

SRP and Bouncer can be used as a default deny because they can differentiate between a DLL with a changed extension (for example, malware.dat) and a non-executable file with the same name and extension (malware.dat). FIDES cannot do it. It would hardly be possible (or maybe with much effort) to use FIDES as default-deny in UserSpace.
Ah, you are not talking about LOLBins, you are talking about malicious DLLs downloaded with a false extension, and FIDES will not even know it is a DLL. That makes sense.
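The distinction made above (a DLL renamed to malware.dat versus a real data file called malware.dat) comes down to whether a tool judges a file by its content or only by its name. As an added example, not from this thread and not how SRP, Bouncer or FIDES are implemented, the script below shows the content-based check: it reads the DOS "MZ" header, follows e_lfanew to the "PE\0\0" signature, and reports any file under a non-executable extension that is actually a PE image. The function names and the demo directory are my own choices.

```powershell
# Added example (not from the thread, nor from SRP, Bouncer or FIDES): a content-based
# check that tells a renamed PE image (DLL/EXE under a ".dat"-style extension) from a
# plain data file with the same extension. Function names are my own.

function Test-PEImage {
    # Returns $true when the file starts with a DOS "MZ" header whose e_lfanew field
    # points at a valid "PE\0\0" signature, regardless of the file's extension.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $dosHeader = New-Object byte[] 64
        if ($fs.Read($dosHeader, 0, 64) -lt 64) { return $false }                    # too short to be a PE
        if ($dosHeader[0] -ne 0x4D -or $dosHeader[1] -ne 0x5A) { return $false }     # not "MZ"
        $peOffset = [BitConverter]::ToInt32($dosHeader, 0x3C)                         # e_lfanew
        if ($peOffset -lt 64 -or $peOffset -gt ($fs.Length - 4)) { return $false }   # points outside the file
        $null = $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        $sig = New-Object byte[] 4
        if ($fs.Read($sig, 0, 4) -lt 4) { return $false }
        return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)  # "PE\0\0"
    }
    finally { $fs.Dispose() }
}

function Find-DisguisedPEFiles {
    # Lists files under $Root that carry a non-executable extension but are PE images.
    param([Parameter(Mandatory)][string]$Root)
    $executableExtensions = '.exe', '.dll', '.sys', '.scr', '.ocx', '.cpl', '.drv', '.efi', '.mui'
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $executableExtensions -notcontains $_.Extension.ToLowerInvariant() } |
        Where-Object { Test-PEImage -Path $_.FullName } |
        Select-Object FullName, Extension, Length
}

# Constructed demo: one real system DLL copied under a data extension and one text file
# with the same extension. Only the first one is reported.
$demo = Join-Path $env:TEMP 'pe-sniff-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Copy-Item -LiteralPath "$env:SystemRoot\System32\version.dll" -Destination (Join-Path $demo 'renamed.dat')
Set-Content -LiteralPath (Join-Path $demo 'notes.dat') -Value 'plain text with the same extension'
Find-DisguisedPEFiles -Root $demo | Format-Table -AutoSize
```

The check is deliberately shallow (header and signature only); that is enough to separate the two malware.dat cases from the post, and it is the kind of test a download folder scanner can run without loading anything.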

shmu26

I would not recommend this. Both options "Run As SmartScreen" and "Run as administrator" can be easily confused, and then you will run the unsafe file via "Run as administrator" without SmartScreen check.
The new icon for Run as SmartScreen actually helps for this issue. The bright green color catches my eye and pulls me away from the more boring Run as Administrator. The more that icon stands out, the better it is, as far as I am concerned.

Andy Ful

The C# compiler is installed with .NET Framework, so it is a part of the Windows system. The F# compiler has to be installed by the user as an external programming language, usually as part of Visual Studio. It seems that blocking F# would not be welcome.

The whitelisting option 'Allow EXE and TMP' was initially prepared for Avast Hardened Mode Aggressive as a kind of default-deny setup.
This option can be used with any executable reputation service, and also with WD Cloud Protection Level set to Block + ASR rule:
"Block executable files from running unless they meet a prevalence, age, or trusted list criteria".

Andy Ful

@Andy Ful

Some additional feature requests for Hard_Configurator
a) Disable CMD and Scripts
b) Align HighRiskFileTypes (for mail & attachments) with the Designed File Types of SRP.
c) Disable remote access and shared desktop
You can already disable CMD and Scripts in H_C.
H_C blocks by default Remote Desktop (remote access), Remote Registry, and Remote Shell.
Windows Desktop Sharing (for Vista and higher versions) is a part of Remote Desktop.

For now, those HighRiskFileTypes are included in RunBySmartScreen. Most of them are related to MS Office, and they are protected by Documents Anti-Exploit in H_C or Switch Default Deny tool. But anyway, I could add the 'Paranoid' set of extensions to <Designated File Types> in H_C. (y)

Felipe Oliveira

Hello! I have good habits of use on the web and an average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites; I practically do not make payments / transactions over the computer. I leave WD disabled, only CF using 19 MB of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:

Andy Ful

Hello! I have good habits of use on the web and an average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites; I practically do not make payments / transactions over the computer. I leave WD disabled, only CF using 19 MB of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:
The problem with people who were never infected is similar to people who were never victims of a traffic accident. You cannot be sure if this is due to safe habits or luck.
The second example can be house contents insurance. You could ask, should I pay for such insurance if I never had an occasion to use it? I do not know... There are many people who will probably die first and never benefit from such insurance.

I think that users who know what vectors of attack are not covered by such a setup (only CF proactive), and are cautious enough, might use it without a problem. They are not 100% safe, but there are many other, more dangerous things that can happen.
Anyway, such a setup is not recommended for average users.

shmu26

Hello! I have good habits of use on the web and an average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites; I practically do not make payments / transactions over the computer. I leave WD disabled, only CF using 19 MB of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:
Try enabling Windows Defender, and see if it bothers you. It has improved a lot. If it still bothers you, disable it again. You lose nothing by trying.

Andy Ful

I published the Firewall Hardening tool on GitHub:
What it can do:
  1. Block (predefined) LOLBins which use outbound Internet connections in attacks.
  2. Block outbound Internet connections of MS Office applications and Adobe Acrobat Reader.
  3. Block the outbound Internet connection of any application chosen by the user.
  4. Turn ON logging of blocking events.
  5. Display blocked events.

It works, but I did not include the Help text, so please ask if something is not clear. The questions will help me to write the final Help text.

Edit.
The new firewall rules work after restarting Windows.
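The five features listed above map onto standard Windows Firewall and auditing facilities. As an added example, which is not the Firewall Hardening tool itself and is not Andy Ful's code, the script below does the same five things with the built-in cmdlets: one outbound block rule per program, a user-chosen program added the same way, packet-drop auditing switched on, and the resulting blocked events read back. The field names it prints (ProcessId, Application, Direction, DestAddress, FilterRTID, ...) are those of Security event 5152, which is what the blocked-event listing pasted later in this thread looks like; that this is the log the tool reads is my assumption. The rule group name and the program list are my own choices, not the tool's predefined LOLBin set.

```powershell
# Added example, not the Firewall Hardening tool from the post. Run in an elevated
# PowerShell session. The rule group name and the program list below are my choices.

$RuleGroup = 'Demo outbound hardening'   # assumed group name; lets us list/remove our rules later

# Constructed program list: a few Windows executables that are often abused to pull
# content from the Internet, plus Word at one common install path (adjust to your install).
$Targets = [ordered]@{
    'mshta'    = "$env:SystemRoot\System32\mshta.exe"
    'wscript'  = "$env:SystemRoot\System32\wscript.exe"
    'cscript'  = "$env:SystemRoot\System32\cscript.exe"
    'certutil' = "$env:SystemRoot\System32\certutil.exe"
    'winword'  = "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE"
}

function Add-OutboundBlockRule {
    # Features 1-3: one outbound block rule per program, idempotent by display name.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Program)
    if (-not (Test-Path -LiteralPath $Program)) { Write-Warning "Not installed, skipping: $Program"; return }
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Group $RuleGroup -Direction Outbound -Action Block `
        -Program $Program -Profile Any -Enabled True | Out-Null
}

function Enable-PacketDropAuditing {
    # Feature 4: Windows writes Security event 5152 for each packet the firewall drops
    # only while the "Filtering Platform Packet Drop" audit subcategory is enabled.
    # Addressing the subcategory by GUID avoids its localized name.
    auditpol.exe /set /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}" /failure:enable | Out-Null
}

function Get-BlockedOutboundEvents {
    # Feature 5: read recent 5152 events and keep the outbound ones. The Application
    # field is a kernel device path (\device\harddiskvolumeN\...), not a drive-letter path.
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents ($Newest * 10) -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # %%14593 is the "Outbound" string id in the 5152 event template
            $direction = if ($data['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
            [pscustomobject]@{
                LocalTime   = $_.TimeCreated
                ProcessId   = $data['ProcessId']
                Application = $data['Application']
                Direction   = $direction
                DestAddress = $data['DestAddress']
                DestPort    = $data['DestPort']
                Protocol    = $data['Protocol']    # 6 = TCP, 17 = UDP
                FilterRTID  = $data['FilterRTID']  # id of the WFP filter that dropped the packet
            }
        } |
        Where-Object Direction -eq 'Outbound' |
        Select-Object -First $Newest
}

function Remove-DemoRules {
    # Undo: removes every rule this script created, found by its group.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

foreach ($t in $Targets.GetEnumerator()) {
    Add-OutboundBlockRule -Name "Block outbound: $($t.Key)" -Program $t.Value
}
Enable-PacketDropAuditing
Get-BlockedOutboundEvents -Newest 10 | Format-Table -AutoSize
```

Two points worth knowing when reading the output: the rules take effect for new connections immediately, but a process that already holds an open socket keeps it until it reconnects, which is one reason a restart makes the change visible everywhere; and because 5152 is recorded for every dropped packet, not only those dropped by your own rules, anything else the firewall refuses will show up in the same list.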

Gandalf_The_Grey

I published the Firewall Hardening tool on GitHub:
What it can do:
  1. Block (predefined) LOLBins which use outbound Internet connections in attacks.
  2. Block outbound Internet connections of MS Office applications and Adobe Acrobat Reader.
  3. Block the outbound Internet connection of any application chosen by the user.
  4. Turn ON logging of blocking events.
  5. Display blocked events.

It works, but I did not include the Help text, so please ask if something is not clear. The questions will help me to write the final Help text.
Could/should we use this tool next to Hard Configurator?

Gandalf_The_Grey

It would be a part of Hard_Configurator. The option <Recommended H_C> is prepared for the usual H_C recommended settings. The LOLBins option can block all SysHardener entries and some other important LOLBins which can run code from remote locations.
Okay thanks. Added LOLBins, MS Office and Recommended.
In blocked events I see Kaspersky Free Antivirus:
Code:
Local Time:  2019/05/25 18:50:21
ProcessId:  4640
Application:  C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction:  Outbound
SourceAddress:  192.168.178.171
SourcePort:  49750
DestAddress:  88.221.144.67
DestPort:  80
Protocol:  6
FilterRTID:  68333
LayerName:  %%14611
LayerRTID:  48
How to unblock/allow Kaspersky?

Andy Ful

Okay thanks. Added LOLBins, MS Office and Recommended.
In blocked events I see Kaspersky Free Antivirus:
Code:
Local Time:  2019/05/25 18:50:21
ProcessId:  4640
Application:  C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction:  Outbound
SourceAddress:  192.168.178.171
SourcePort:  49750
DestAddress:  88.221.144.67
DestPort:  80
Protocol:  6
FilterRTID:  68333
LayerName:  %%14611
LayerRTID:  48
How to unblock/allow Kaspersky?
It is not blocked by my tool. You have to look at your firewall settings or Kaspersky settings.

...
DestAddress: 88.221.144.67
...
This address belongs to Akamai International B.V. in Italy.
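The practical question behind the exchange above is how to tell, from a blocked-event listing, whether one of the hardening rules or something else produced the block. As an added example (not part of Andy Ful's tool, not Kaspersky code), the script below takes the event text pasted in the thread as constructed input, pulls out the Application path, and asks the firewall which enabled outbound rules name that program. Function names are my own; the comparison by expanded program path is my heuristic.

```powershell
# Added example, not part of Andy Ful's tool or Kaspersky. Parses the blocked-event text
# from the thread (constructed input, copied from the post) and lists the enabled outbound
# firewall rules whose application filter resolves to that program. Function names are mine.

$EventText = @'
Local Time:  2019/05/25 18:50:21
ProcessId:  4640
Application:  C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction:  Outbound
DestAddress:  88.221.144.67
DestPort:  80
Protocol:  6
FilterRTID:  68333
'@

function ConvertFrom-BlockedEventText {
    # Turns "Field:  value" lines into one object with a property per field.
    # The field name is matched non-greedily so the colons inside the time value are kept.
    param([Parameter(Mandatory)][string]$Text)
    $fields = [ordered]@{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.+?)\s*$') {
            $fields[$Matches[1].Replace(' ', '')] = $Matches[2]
        }
    }
    [pscustomobject]$fields
}

function Get-OutboundRulesForProgram {
    # Enabled outbound rules whose program filter, after expanding %SystemRoot%-style
    # variables, equals $Program (case-insensitive). Rules with Program = Any are skipped
    # because they match every executable and say nothing about this one in particular.
    param([Parameter(Mandatory)][string]$Program)
    Get-NetFirewallRule -Direction Outbound -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $rule        = $_
        $ruleProgram = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($ruleProgram -and $ruleProgram -ne 'Any') {
            $expanded = [Environment]::ExpandEnvironmentVariables($ruleProgram)
            if ($expanded -ieq $Program) {
                [pscustomobject]@{
                    Rule    = $rule.DisplayName
                    Group   = $rule.Group
                    Action  = $rule.Action
                    Profile = $rule.Profile
                    Program = $expanded
                }
            }
        }
    }
}

$evt  = ConvertFrom-BlockedEventText -Text $EventText
$hits = @(Get-OutboundRulesForProgram -Program $evt.Application)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
} else {
    "No enabled outbound rule names $($evt.Application) (FilterRTID $($evt.FilterRTID)); " +
    "the drop came from a rule that matches on something other than the program path, or from another product."
}
```

If no rule names the program, the FilterRTID is the next handle: `netsh wfp show filters` writes every Windows Filtering Platform filter, with its id and owning provider, to an XML file, and the id from the event can be looked up there to see which component installed the filter that dropped the packet. Note that a raw 5152 event carries the Application as a device path (\device\harddiskvolumeN\...); the listing in the post already shows it as a drive-letter path, which is why a direct comparison works on this input.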