oldschool

I prepared a simple Help text for the Firewall Hardening tool. If someone would like to add/change something, then let me know, please.

***************************************
Firewall Hardening tool can apply and manage Outbound Block Rules in Windows Firewall by using Windows policies. A restart of Windows is required to apply the configuration changes.
The paths of blocked executables are displayed as a list. Each entry can be managed by using the buttons located at the bottom of the application GUI.
<Add Rule> button allows adding a rule for any executable.
<Deactivate Rule> button makes the highlighted rules inactive, but does not remove them.
<Block Rule> button changes highlighted inactive rules back to blocking rules.
<Remove Rule> button removes highlighted rules from the list (and from the Windows Firewall settings).

The user can add/remove some predefined rules by using the options visible on the right of the application GUI.
<LOLBins> button allows adding rules for many executables from system folders, which are known to be commonly abused by malc0ders.
<MS Office> button allows adding rules for MS Office executables (Word, Excel, PowerPoint, and Equation Editor).
<Adobe Acrobat Reader> button allows adding rules for the Adobe Acrobat Reader application.
<Recommended H_C> button allows adding some rules suited for users who applied the Hard_Configurator Recommended settings.

The applied rules may also be viewed in the Windows Firewall Advanced settings, but they can be managed only by the Firewall Hardening tool, or by editing the Registry under the key: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules.

The user can enable auditing of Windows Firewall with Advanced Security in the category "Object Access" and subcategory "Audit Filtering Platform Packet Drop". This can be done by choosing the radio button 'ON' under "Start logging events".
If auditing is enabled, then the blocked events can be filtered from the Windows Event Log by Event ID 5152. This can be done by pressing the <Blocked Events> button, visible under the OFF/ON radio buttons. The Event Log file can store the entries from several hours (usually 12 hours).
**************************************
Maybe include some short instruction for users who do not use Hard_Configurator? :unsure:
 

Andy Ful

> Maybe include some short instruction for users who do not use Hard_Configurator? :unsure:
The Help is independent of H_C, except the info about the <Recommended H_C> button. :giggle:
I can change it a little:
<Recommended H_C> button allows adding some rules suited for users who installed the Firewall Hardening tool as a part of the Hard_Configurator Windows hardening application and applied the Recommended settings.
 

oldschool

> The Help is independent of H_C, except the info about the <Recommended H_C> button. :giggle:
> I can change it a little:
> <Recommended H_C> button allows adding some rules suited for users who installed the Firewall Hardening tool as a part of the Hard_Configurator Windows hardening application and applied the Recommended settings.
What I was wondering is what rules might be recommended for those who don't use H_C. I've enabled everything in FHT but I'm not currently using H_C.
 

Andy Ful

In the next version of H_C I plan to modify the SwitchDefaultDeny feature. When the user switches <Default Deny Protection> to OFF, it will automatically add the "Run By SmartScreen" option to the Explorer context menu. This will unify the procedure of installing any application on both Administrator and Standard User accounts:
  1. Use SwitchDefaultDeny to turn OFF the protection.
  2. Safely install the application by using "Run By SmartScreen" from the right-click Explorer context menu.
  3. Use SwitchDefaultDeny to restore the protection.
Edit.
Still, on an Administrator account, the user can use "Run As SmartScreen" from the Explorer context menu (without switching off the protection) to install 99% of applications.
 

shmu26

Today I got an SRP block but Windows thought it was from group policy:

H_C log said:
Access to C:\Users\Shmu\AppData\Local\TogglDesktop\updates\TogglDesktopInstaller-7.4.422.exe has been restricted by your Administrator by the default software restriction policy level.
 

Andy Ful

> Today I got an SRP block but Windows thought it was from group policy:
> H_C log said:
> Access to C:\Users\Shmu\AppData\Local\TogglDesktop\updates\TogglDesktopInstaller-7.4.422.exe has been restricted by your Administrator by the default software restriction policy level.
SRP is a feature based on Windows policies. But this alert is somewhat misguiding, because H_C does not use a Group Policy Object.
 

Gandalf_The_Grey

I installed Kaspersky Free and I have some blocks from FirewallHardening.
One example:
Local Time: 2019/06/11 18:07:33
ProcessId: 3872
Application: C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction: Outbound
SourceAddress: 192.168.178.171
SourcePort: 49764
DestAddress: 88.221.144.49
DestPort: 80
Protocol: 6
FilterRTID: 68344
LayerName: %%14611
LayerRTID: 48
What should I do with this block?
 

Andy Ful

> I installed Kaspersky Free and I have some blocks from FirewallHardening.
> One example:
> Local Time: 2019/06/11 18:07:33
> ProcessId: 3872
> Application: C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
> Direction: Outbound
> SourceAddress: 192.168.178.171
> SourcePort: 49764
> DestAddress: 88.221.144.49
> DestPort: 80
> Protocol: 6
> FilterRTID: 68344
> LayerName: %%14611
> LayerRTID: 48
> What should I do with this block?
Isn't it the same event we talked about in May? :giggle:
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-816321
 

Andy Ful

If someone wants the Firewall Hardening tool to log the events from about 24 hours (on Windows 10), then it is included in these executables:
For Windows 64-bit: AndyFul/Hard_Configurator
For Windows 32-bit: AndyFul/Hard_Configurator

To apply the extended Log, the user must reset "Start logging events" by pressing the "OFF" and next the "ON" radio button.

In the Windows default settings, the security event log maximum file size is 20 MB, and once it reaches the maximum size, old events are overwritten by new events. The events with Event ID 5152 are only a very small fraction of all logged events, and the events related to blocking the outbound connections of applications are only a small fraction of the 5152 events.
On Windows 7 the default log can keep the blocked outbound connection events for several days, but on Windows 10 (on my computer) those events are kept for only about 12 hours. I think that 24 hours will be more useful. So, I decided to extend the maximum log size to 40 MB. (y)
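An added example, not code from Hard_Configurator or the Firewall Hardening tool, that ties together the Help text (policy rules under the FirewallRules key, Event ID 5152 auditing), the avp.exe drop event quoted above, and the Security log size discussed here: it parses the policy rule strings, summarises outbound drops per application, and reports the current log cap. Assumptions: the rule value data uses the "v2.xx|Key=Value|..." layout, and in the 5152 XML the Direction field is %%14593 for Outbound (%%14592 for Inbound); run it from an elevated PowerShell, since reading the Security log needs admin rights.

```powershell
# Added example (not the tool's own code). Assumed: "v2.xx|Key=Value|..." rule layout,
# Direction code %%14593 = Outbound in the raw 5152 event XML.
$RulesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'

function ConvertFrom-FirewallRuleString {
    param([Parameter(Mandatory)][string]$RuleString)
    # Constructed sample data: "v2.30|Action=Block|Active=TRUE|Dir=Out|App=C:\Windows\System32\mshta.exe|Name=Block mshta|"
    $rule = @{}
    foreach ($field in ($RuleString -split '\|')) {
        if ($field -match '^([^=]+)=(.*)$') { $rule[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$rule
}

function Get-PolicyOutboundBlockRules {
    # Only rules written via policy (the key the Help text names) live here; GUI-made rules do not.
    if (-not (Test-Path $RulesKey)) { return }
    $key = Get-Item $RulesKey
    foreach ($name in $key.GetValueNames()) {
        $r = ConvertFrom-FirewallRuleString $key.GetValue($name)
        if ($r.Dir -eq 'Out' -and $r.Action -eq 'Block') {
            [pscustomobject]@{ Id = $name; Active = $r.Active; App = $r.App; Name = $r.Name }
        }
    }
}

function Get-OutboundDrops {
    param([int]$Hours = 12)   # the Help text says the default log holds roughly 12 hours
    $filter = @{ LogName = 'Security'; Id = 5152; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.Direction -in '%%14593', 'Outbound') {
            # Application is logged as an NT device path (\device\harddiskvolumeN\...), not a drive letter
            [pscustomobject]@{ Time = $_.TimeCreated; Application = $d.Application
                               DestAddress = $d.DestAddress; DestPort = $d.DestPort; Protocol = $d.Protocol }
        }
    }
}

function Get-SecurityLogMaxMB {
    # Default is 20 MB; the post above raises it to 40 MB to keep about 24 hours of drops
    (Get-WinEvent -ListLog Security).MaximumSizeInBytes / 1MB
}

"Security log cap: $(Get-SecurityLogMaxMB) MB"
Get-PolicyOutboundBlockRules | Format-Table -AutoSize
Get-OutboundDrops -Hours 12 | Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Drops grouped per application make it easy to spot a legitimately chatty program (like the avp.exe case above) versus a LOLBin that should never be talking outbound.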
 

paulderdash

I have an AppGuard SOLO license but do not plan on renewing, and use H_C instead ... I also have licenses for EAM and HmP.A.

Just done a clean install of W10 Home v1903 and I like to play .. would a combination of EAM, HmP.A and H_C be an outrageous combination? :eek: (ducks) :D

Edit: Or H_C and OSA, too much overlap?
 

Andy Ful

> I have an AppGuard SOLO license but do not plan on renewing, and use H_C instead ... I also have licenses for EAM and HmP.A.
> Just done a clean install of W10 Home v1903 and I like to play .. would a combination of EAM, HmP.A and H_C be an outrageous combination? :eek: (ducks) :D
> Edit: Or H_C and OSA, too much overlap?
EAM + H_C or HmP.A + H_C would be fine.
H_C + OSA would not be a good idea. (y)
 

Freki123

Would it be a good idea to add two new LOLBins: update.exe and squirrel.exe?

Edit: My guess is Discordapp.com (desktop version) also uses them. At least there is a squirrel.exe and an update.exe in the folder.
 