shmu26

Level 80
Content Creator
Trusted
Verified
@Gandalf_The_Grey and @shmu26
Could you please check the registry key:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Office 365
Under the value: 'InstallLocation' should be the right installation path. If so, then I can add this into FirewallHardening tool.
I get this value for InstallLocation:
C:\Program Files\Microsoft Office
 

Gandalf_The_Grey

Level 18
Verified
So you both have different versions of Office 365, like @Gandalf_The_Grey noted in his post.
Anyway, Office 365 can be strongly related to the cloud (especially in the case of @Gandalf_The_Grey). So, if one uses Word and does not use Excel and PowerPoint, then only the last two applications may probably be blocked by the Firewall.
Yes, there are now 3 versions I can think of: x86, x64 and installed from the Microsoft Store (known as Office Centennial apps).
Indeed not worth it to block them through the firewall in my case.
 

Andy Ful

Level 43
Content Creator
Trusted
Verified
@Andy Ful
...
a) Since powershell is also included in the block sponsors section, could you change that to running powerscripts RESTRICTED?
PowerShell runs already restricted in recommended settings. Generally, it runs restricted by Constrained Language Mode when <Default Security Level> is set to 'Disallowed' or 'Basic User'.
b) Could you replace the obsolete option of "No removable disk execution" with "Disable CMD and scripts"?
...
There are some circumstances for not doing so:
  1. There are already two options <No PowerShell Exec.> and <Disable Win. Script Host> which can disable running script files (globally by policies) related to PowerShell and Windows Script Host: PS1, JS, JSE, VBS, VBE, WSF, WSH scripts.
  2. When you set <Default Security Level> to 'Disallowed', then the scripts (in UserSpace) related to CMD and Windows Script Host are blocked by SRP, independently of point 1. That is why I prefer 'Disallowed' over 'Basic User'. Furthermore, SRP restricts PowerShell to Constrained Language Mode.
When using only SRP (Disallowed) all scripts are blocked/restricted. If the user wants more, then point 1. can be used to additionally block PowerShell scripts. Still, the combination of points 1. and 2. allows running PowerShell and CMD command lines. That can be used by exploits, so on the vulnerable system or when using vulnerable software, the user can use:
<Block Sponsors> <Enhanced> or <Block Sponsors><Script Interpreters>
to block command lines with script sponsors (cmd.exe, powershell.exe, powershell_ise.exe, mshta.exe, wmic.exe, etc.).

shmu26

Level 80
Content Creator
Trusted
Verified
It would be a part of Hard_Configurator. The option <Recommended H_C> is prepared for the usual H_C recommended settings. The LOLBins option can block all SysHardener entries and some other important LOLBins which can run code from remote locations.
If I hit the add button in all categories, what will happen to me? :unsure::eek:
I mean, any warnings or things I should be aware of? What will break?

Andy Ful

Level 43
Content Creator
Trusted
Verified
My computer has not blown up yet, so I guess you are right. :( In fact, the log shows nothing that shouldn't be there.

Question: When .Net framework receives an update, do I need to reapply the rules? The path seems to be version-specific.
This is the same folder as for the seven-year-old Windows 8, which had version 4.0.30319. On my Windows 1809 the actual version is 4.7.3190.0. This is a well-known M$ trick for maintaining backward compatibility (the same is true for PowerShell).
 

Freki123

Level 5
It seems H_C and games (or I fear me) really got some beef lately :D
I was trying to run the bought game "Witcher 2 Assassins of Kings" with the GOG Galaxy launcher (it's gog.com's Steam-like "client"). First I whitelisted exes for the game till I'm stuck with a PowerShell problem:

PROGRAMS AND SCRIPTS RUN WITH ADMINISTRATIVE RIGHTS
REPORT DATE (Y:M:D H:M): 2019:05:28 18:48
@@@@@ SCRIPTS:
powershell.exe (PID = 7052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_10q4oawz.yjo.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 7052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_qp5hfeqj.xnq.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 4052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_ds0iplfq.rph.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 4052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_mnksjsn5.s1c.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 7632) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_wetn2q5d.lum.ps1 as Unrestricted using
And so on....
For whatever reason it seems to need powershell.exe to do stuff. So what can I do if I don't want to allow powershell for all but still want to play my bought game?

oldschool

Level 29
Verified
I think you need to use wildcards to allow because it's writing to AppData and changing, but rule-making is something I'm still trying to learn. More help will arrive.... :D:D

Edit: I don't have many opportunities for rule-making since I use this PC mainly for browsing and have little 3rd party software.

Gandalf_The_Grey

Level 18
Verified
@oldschool I envy you :D Atm it seems for me I just always draw the "special" software :/
But we all learn a lot from it (y)

It seems H_C and games (or I fear me) really got some beef lately :D
I was trying to run the bought game "Witcher 2 Assassins of Kings" with the GOG Galaxy launcher (it's gog.com's Steam-like "client"). First I whitelisted exes for the game till I'm stuck with a PowerShell problem:

PROGRAMS AND SCRIPTS RUN WITH ADMINISTRATIVE RIGHTS
REPORT DATE (Y:M:D H:M): 2019:05:28 18:48
@@@@@ SCRIPTS:
powershell.exe (PID = 7052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_10q4oawz.yjo.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 7052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_qp5hfeqj.xnq.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 4052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_ds0iplfq.rph.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 4052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_mnksjsn5.s1c.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 7632) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_wetn2q5d.lum.ps1 as Unrestricted using
And so on....
For whatever reason it seems to need powershell.exe to do stuff. So what can I do if I don't want to allow powershell for all but still want to play my bought game?
The white list rule probably should be:
C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1
But it's safer to let @Andy Ful confirm.
 

shmu26

Level 80
Content Creator
Trusted
Verified
Ps1 is not on the default list of blocked file types. Accordingly, it is powershell.exe that is being blocked here, so writing a whitelist rule won't help.

My suggestion is to unblock powershell on the right-hand side of H_C, but make sure it is on the list of blocked Sponsors on the left-hand side. Since the log shows that these processes are running with admin rights, the sponsor list will be bypassed, and powershell will be allowed to run in constrained language.
 

Andy Ful

Level 43
Content Creator
Trusted
Verified
It seems H_C and games (or I fear me) really got some beef lately :D
I was trying to run the bought game "Witcher 2 Assassins of Kings" with the GOG Galaxy launcher (it's gog.com's Steam-like "client"). First I whitelisted exes for the game till I'm stuck with a PowerShell problem:

PROGRAMS AND SCRIPTS RUN WITH ADMINISTRATIVE RIGHTS
REPORT DATE (Y:M:D H:M): 2019:05:28 18:48
@@@@@ SCRIPTS:
powershell.exe (PID = 7052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_10q4oawz.yjo.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 7052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_qp5hfeqj.xnq.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 4052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_ds0iplfq.rph.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 4052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_mnksjsn5.s1c.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 7632) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_wetn2q5d.lum.ps1 as Unrestricted using
And so on....
For whatever reason it seems to need powershell.exe to do stuff. So what can I do if I don't want to allow powershell for all but still want to play my bought game?
I assume that you have run something with admin rights and the Log is from H_C Advanced SRP Logging.
You could use the rule:
C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_????????.???.ps1
I replaced the random characters with question marks.

Edit.
Anyway, this particular script should be blocked!!! See my post:
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-816897

oldschool

Level 29
Verified
Andy, why the question marks instead of 1 asterisk?
I believe the answer is it is more specific, as shown here:


Can wildcards be used for whitelisting files and folders?


Yes, they can. Here are some examples, where the random characters are replaced by wildcards to whitelist the particular EXE file:
Code:
  • C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe
  • C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe
  • C:\Users\Alice\Fly2theMoon\App.*\setup_?????????.exe
  • C:\Users\Alice\Fly2theMoon\App.*\setup_*.exe
  • C:\Users\Alice\Fly2theMoon\App.*\*
Those rules (except the first) are correct, and the EXE file will be whitelisted even when the random numbers change after some time. The last rule is the most general, because it will also whitelist many other files and folders, for example:
C:\Users\Alice\Fly2theMoon\App.malware\virus.js
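The two wildcard discussions above (Andy's `__PSScriptPolicyTest_????????.???.ps1` rule for the log lines Freki123 posted, and the FAQ list of `App.*` rules) can be checked mechanically. The following is an added example, not code from Hard_Configurator or the FAQ: it parses log lines in the format posted in this thread, then evaluates SRP-style path rules against them and against the FAQ's `virus.js` path. Assumptions, labelled in the code: `?` matches exactly one character, `*` matches any run of characters within a single path component (it does not cross a backslash; real SRP may treat `*` more broadly, which would only make a rule wider, never narrower), and matching is case-insensitive as Windows paths are. The log text is constructed from the lines posted above, including one truncated line to show it is skipped rather than mis-parsed.

```python
"""Parse H_C-style SRP log lines and evaluate SRP path rules with wildcards."""
import re
from typing import Dict, List, Optional

# Constructed sample: copied from the log format posted in the thread, with the
# truncated final line kept on purpose (the parser must ignore it).
SAMPLE_LOG = r"""
powershell.exe (PID = 7052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_10q4oawz.yjo.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 4052) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_mnksjsn5.s1c.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 7632) identified C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_wetn2q5d.lum.ps1 as Unrestricted using
""".strip()

# One log line: process, PID, path, resulting security level, rule name, rule GUID.
LOG_RE = re.compile(
    r"^(?P<process>\S+) \(PID = (?P<pid>\d+)\) identified (?P<path>.+?) "
    r"as (?P<level>\w+) using (?P<rule>.+?), Guid = \{(?P<guid>[0-9a-fA-F-]+)\}$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None if the line is incomplete."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["pid"] = int(m.group("pid"))
    return entry


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every well-formed line; truncated or unrelated lines are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate an SRP-style path rule into an anchored regex.

    Assumption: '?' is exactly one character and '*' is any run of characters
    inside one path component (neither crosses a backslash). Case-insensitive,
    as Windows paths are.
    """
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(rule: str, path: str) -> bool:
    """True if the path would be covered by the whitelist rule."""
    return rule_to_regex(rule).match(path) is not None


def whitelisted_by(rule: str, paths: List[str]) -> List[str]:
    """Subset of paths a single rule would allow; useful to see how wide a rule is."""
    return [p for p in paths if matches(rule, p)]


def unrestricted_from_user_profile(entries: List[Dict[str, object]]) -> List[str]:
    """Scripts that ran Unrestricted from a user-writable location by the default
    rule only, i.e. nothing in the policy specifically allowed them."""
    return [
        str(e["path"]) for e in entries
        if e["level"] == "Unrestricted"
        and e["rule"] == "default rule"
        and str(e["path"]).lower().startswith(r"c:\users\\".rstrip("\\"))
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    logged = [str(e["path"]) for e in entries]
    print(f"{len(entries)} parsed entries, {len(unrestricted_from_user_profile(entries))} from a user profile")
    for rule in (
        r"C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_????????.???.ps1",
        r"C:\Users\Nundu\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1",
    ):
        print(rule, "->", len(whitelisted_by(rule, logged)), "of", len(logged))
    faq_paths = [
        r"C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe",
        r"C:\Users\Alice\Fly2theMoon\App.malware\virus.js",  # the FAQ's over-match example
    ]
    for rule in (
        r"C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe",
        r"C:\Users\Alice\Fly2theMoon\App.*\*",
    ):
        print(rule, "->", whitelisted_by(rule, faq_paths))
```

Running it shows the trade-off the thread is discussing: both of the `__PSScriptPolicyTest_` rules cover every parsed log path, but the `?` form only fits names with an eight-character and a three-character random part, whereas the FAQ's `App.*\*` rule also covers `App.malware\virus.js`. The last helper lists entries that ran Unrestricted from a user profile purely by the default rule, which is the condition Andy points at when he says this particular script should be blocked.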