Hard_Configurator - Windows Hardening Configurator

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Regarding Bitsadmin.exe
Firewall can't block it effectively, because the actual connection is made by BITS, which can't be blocked (as far as I know). The only thing you can do is block Bitsadmin.exe from executing, but once it executes, you can't block the firewall access.
I think blocking is still better than not blocking. Perhaps, it can prevent hackers from doing something bad but doesn't break what bitsadmin is doing normally
or maybe bitsadmin uses inbound connections, not outbound. I don't know
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
hi, Andy
I appreciate your effort to make Firewall hardening tool
After comparing it vs syshardener's firewall rules, I saw that:
- Firewall hardening tool has many more rules
- syshardener only has 4 more rules (or 6 if syswow64 rules are also counted):
Bitsadmin.exe (+syswow64)
Csrss.exe
Dwm.exe
Eventvwr.exe (+syswow64)


if you can add these following processes to your tool, I'm very happy to delete all syshardener's firewall rules :)

by the way, do you consider blocking all of them with inbound connection rules? hackers can abuse inbound connections to access victim's PC
thank you
Hi,
You can easily add any executable you want, when using Firewall Hardening tool. :giggle:
Please consider the below remarks:
  1. Dwm and Eventvwr are already included, although Eventvwr with a mistake (Evntvwr), which I will correct.
  2. Csrss is a system process, that is specially protected by PPL (Protected Process Light) in Windows 8.1+. This is very strong protection which is also used to protect AV modules (for example in Kaspersky products). On Windows 7 it can be abused, but only with admin rights. I do not know for sure why this file is included in SysHardener. There were malware samples that used the name csrss.exe and were located somewhere else (not into Windows subfolder) but this cannot be blocked by a firewall rule for system native Csrss.exe . Are you sure that blocking this would be necessary?
  3. Protecting Bitsadmin.exe by firewall rules is useless because it only triggers svchost, and this is svchost that downloads the files.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
That's interesting. I admit that I didn't go back after a day to check the log, everything seemed to be working so well I just forgot about it. But I am curious why the daily blocks from Explorer?
Probably nothing special
...
If the user so wishes, he could rely on the Comodo default/deny, and allow EXE and TMP files in H_C.
...
Yes, that could work for some users.(y)
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Hi,
You can easily add any executable you want, when using Firewall Hardening tool. :giggle:
Please consider the below remarks:
  1. Dwm and Eventvwr are already included, although Eventvwr with a mistake (Evntvwr), which I will correct.
  2. Csrss is a system process, that is specially protected by PPL (Protected Process Light) in Windows 8.1+. This is very strong protection which is also used to protect AV modules (for example in Kaspersky products). On Windows 7 it can be abused, but only with admin rights. I do not know for sure why this file is included in SysHardener. There were malware samples that used the name csrss.exe and were located somewhere else (not into Windows subfolder) but this cannot be blocked by a firewall rule for system native Csrss.exe . Are you sure that blocking this would be necessary?
  3. Protecting Bitsadmin.exe by firewall rules is useless because it only triggers svchost, and this is svchost that downloads the files.
I don't know what the processes can do but if normally they don't require internet (blocking doesn't break anything) and only require internet when it's manipulated by malwares, I feel it's safer to block using firewall

if I'm not mistaken, I saw bitsadmin.exe connecting to remote addresses and downloading stuffs during my time in the hub
I have never had any problem by blocking everything with syshardener
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I think blocking is still better than not blocking. Perhaps, it can prevent hackers from doing something bad but doesn't break what bitsadmin is doing normally
or maybe bitsadmin uses inbound connections, not outbound. I don't know
...
I don't know what the processes can do but if normally they don't require internet (blocking doesn't break anything) and only require internet when it's manipulated by malwares, I feel it's safer to block using firewall
Although the idea is interesting for some other files (like notepad.exe), the bitsadmin.exe would be probably the last to block. The logic is simple. Bitsadmin.exe is commonly used by malc0ders to download payloads . So, it is usually monitored by administrators as the very suspicious process. Why someone would want to hide something under a known suspicious process? There are so many innocent processes (like notepad, OneDrive, web browsers, etc.). But, you are probably right that blocking it will not hurt:unsure:
if I'm not mistaken, I saw bitsadmin.exe connecting to remote addresses and downloading stuffs during my time in the hub
I have never had any problem by blocking everything with syshardener
You can use Firewall Hardening tool or SysHardener to check that blocking bitsadmin.exe does not prevent downloading files. Just use the below command line:
Code:
bitsadmin.exe /transfer 'JobName' https://kcsoftwares.com/files/sumo_lite.exe C:\Users\Admin\Downloads\sumo_lite.exe"
It will download the legal (and good) SUMo update application from the developer site.

Anyway, if my arguments do not convince someone, Firewall Hardening tool allows creating the firewall block rule for any program.:giggle:
I can add some other programs to the predefined list, but FH tool is already paranoid on max settings.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
It is worth to remember, that firewall hardening and blocking Sponsors by path can be easily bypassed in targetted attacks, when the user applied default-allow setup. The attacker can simply copy the blocked executable to another location, and then it will not be blocked anymore. This is not possible in a properly configured default-deny setup.
 
Last edited:

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
I do not think it could be much easier.
Sorry I didn't meant it was complicated. If I take your new GUI idea for example: The left side got no "yellow" spaces instead it is a "grey block". The right side has some small "yellow" space between each grey button which I find a lot better to read. It separates each option more clearly.
So for me sometimes me eyes slip down and instead of from 1>1 I read 1>2 (meaning I dropped a line while reading). Like it would be easier to read on squared paper than on paper without squares.
Untitled2 - Copy.png
Anyway I like the new Gui. Hope the picture helps to understand what I mean.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I totally agree.
And it is especially hard to line everything up right, if you increased font size in Windows.
I am not sure what is the problem, so I posted below how looks the GUI on my computer with screen resolution 1680x1050 rescaled to 175% (the graphic is slightly blurred) :
214457


and 1024x768 with rescaling 100%:
214460


I know that on some machines the buttons and labels are not rescaled properly with fonts.
But, this is related to Autoit graphics. By the way, have you similar problems with SwitchDefaultDeny or user-dependent DocmentsAntiExploit tool?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am not sure what is the problem, so I posted below how looks the GUI on my computer with screen resolution 1680x1050 rescaled to 175% :
View attachment 214457

and 1024x768 with rescaling 100%:
View attachment 214460

I know that on some machines the buttons and labels are not rescaled properly with fonts.
But, this is related to Autoit graphic capabilities. By the way, have you similar problems with SwitchDefaultDeny or user-dependent DocmentsAntiExploit tool?
In your screenshots, the columns line up correctly. I wish mine would do the same. On my machine, if I change the font size, the values don't line up with the names that they relate to.
I am not talking about screen resolution, I am talking about "change the size of text"
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,704
I'm sorry, but how many demands can one make on the developer of a free tool? How big a deal is this anyway? Does it impact performance or function? I think not. Please learn to live with it as is ... and feel grateful to be able to unlock the full potential of Windows! :)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I'm sorry, but how many demands can one make on the developer of a free tool? How big a deal is this anyway? Does it impact performance or function? I think not. Please learn to live with it as is ... and feel grateful to be able to unlock the full potential of Windows! :)
Demands are surely out of place. But if a dev is interested to know what he can improve, then users can give input.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
In your screenshots, the columns line up correctly. I wish mine would do the same. On my machine, if I change the font size, the values don't line up with the names that they relate to.
I am not talking about screen resolution, I am talking about "change the size of text"
I know I rescaled the fonts to 175% in the first screenshot, the only difference is slightly blurred graphic. The standard rescaling can be changed by multiples of 25%. The nonstandard rescaling is also possible (as it is seen on Gandalf_The_Grey screenshot, 110% in his case). I tried this too and everything is rescaled properly on my computer. I think that Autoit graphics is not fully compatible with some drivers, especially on laptops.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I know I rescaled the fonts to 175% in the first screenshot, the only difference is slightly blurred graphic. The standard rescaling can be changed by multiples of 25%. The nonstandard rescaling is also possible (as it is seen on Gandalf_The_Grey screenshot, 110% in his case). I tried this too and everything is rescaled properly on my computer. I think that Autoit graphics is not fully compatible with some drivers, especially on laptops.
It's no big deal. The kind of people who rescale fonts are usually old enough and patient enough to work out what corresponds to what.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Demands are surely out of place. But if a dev is interested to know what he can improve, then users can give input.
Do you remember my question about SwitchDefaultDeny and user dependent DocumentsAntiExploit? :giggle:
I adopted another Autoit GUI in these applications.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Do you remember my question about SwitchDefaultDeny and user dependent DocumentsAntiExploit? :giggle:
I adopted another Autoit GUI in these applications.
Lemme check it out, I need to resize my fonts. I put everything back to default because of other issues, for instance, it makes the top bar in MS Word to be giant, takes up too much screen real estate...
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top