SeriousHoax

Level 8
Verified
Malware Tester
I applied the recommended settings of Hard Configurator and the High level of Configure Defender, and this is the error I'm getting a lot. Running the program as administrator of course solves the problem, but when trying to launch a game which doesn't require any admin access in general, I'm unable to run it normally because of this.
Same for Steam games too. This is related to which setting of Hard Configurator? How do I disable it?
I know it's related to SRP, but if I want to turn this specific protection off for my convenience while keeping the others, what should I do? I don't know about SRP, hence the confusion.
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
I applied the recommended settings of Hard Configurator and the High level of Configure Defender, and this is the error I'm getting a lot. Running the program as administrator of course solves the problem, but when trying to launch a game which doesn't require any admin access in general, I'm unable to run it normally because of this.
Same for Steam games too. This is related to which setting of Hard Configurator? How do I disable it?
I know it's related to SRP, but if I want to turn this specific protection off for my convenience while keeping the others, what should I do? I don't know about SRP, hence the confusion.
You probably have the SteamLibrary folder (the folder with installed games) somewhere in the UserProfile. You must whitelist this folder (the easy way) or whitelist all game executables in its subfolders containing games.
You can use <Tools> <Blocked Events / Security Logs> to see the blocked events.
If you have a problem with the Log, then PM me this log privately - I will try to help you.
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
Yes, before installation of Windows 10.
I think that even if you had SmartScreen disabled, it was enabled by installing H_C.
Next, you probably used the ConfigureDefender MAX Protection level, which hid the WSC.
Just do what I already suggested - unhide WSC in ConfigureDefender and reboot. After that, you will be able to look at the SmartScreen settings in WSC.
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
Seems like a great tool, but I don't know much about how to tweak it. I just click the default setting; is that enough?
Yes, if you mean <Recommended Settings>.
After some time, you can also try the violet buttons <ConfigureDefender> (HIGH Protection Level) and <Firewall Hardening> (Recommended H_C option).
H_C has some advanced settings/profiles, but they usually require more skills and looking at the H_C Logs for blocked entries.
 

bribon77

Level 28
Verified
Well, I'm running H_C version 5.0.0.0 with the configuration of Configure Defender at maximum, Firewall Hardening, and Recommended_Enhanced for W10. Everything is going very well; the only thing I don't like is the consumption of WD. But it is not H_C's fault ... Microsoft has to improve in that regard.
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
Well, I'm running H_C version 5.0.0.0 with the configuration of Configure Defender at maximum, Firewall Hardening, and Recommended_Enhanced for W10. Everything is going very well; the only thing I don't like is the consumption of WD. But it is not H_C's fault ... Microsoft has to improve in that regard.
You have activated some advanced settings, so it is advisable to look at the H_C Log and FirewallHardening Log from time to time (for silently blocked entries).
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
Correlate has posted a very nice article about fileless attacks:

This is a summary of the Deep Instinct white paper "Making Sense of Fileless Malware".
A fileless attack (common definition) is an attack during which no portable executable (PE) file is written to and executed from disk.
There are some recommendations in the above white paper:

"Recommendations and summary
Regardless of an organization's choice of a security solution, there are some steps organizations and users can take to protect themselves from fileless attacks:

  1. Restrict the use of scripts and scripting languages inside the organization, by applying different policies to different areas of the network. Allow scripts to run from read-only network locations or access only specific machines.
  2. Restrict and monitor the use of Interactive PowerShell and WMI within the organization.
  3. Block execution of macros, and digitally sign trusted macros, which can be allowed to run within the organization.
  4. Make sure all your computers and programs are updated regularly and on time. This will prevent the exploitation of known and patched vulnerabilities.
  5. In any case, do not click on unknown or untrusted links, and do not open email attachments which are unknown or untrusted. Infection through social engineering is the most common method of infection.
  6. Deploy an advanced endpoint protection solution which can detect and mitigate fileless attacks. Some advanced endpoint solutions can also enforce all the points mentioned above."
In a few further posts, I will try to address the first three steps in terms of Hard_Configurator settings.
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
Restricting PowerShell on Windows 10.

PowerShell code is usually run as follows:
  1. By clicking (or using the Enter key) on the file icon on the Desktop, or on the file entry in Explorer.
  2. By using a command-line with a PowerShell interpreter (powershell.exe or powershell_ise.exe) to run PowerShell script files from the local disk.
  3. By using a command-line to run PowerShell commands. This can be used to run PowerShell code (also script files) from remote locations.
  4. By running PowerShell interpreters in interactive mode and copy-pasting the code into the PowerShell console.
The method from point 1. is forbidden by Windows default settings on Windows 7+. This behavior is forced by H_C settings via SRP on Windows Vista.

Both methods from points 1. and 2. are blocked by the H_C option <Block PowerShell Scripts>, independently of the Windows settings from point 1. The scripts are blocked when running with standard or administrative rights, so they also cannot be run by system processes. This is not an issue, because system processes use PowerShell functions via System.Management.Automation.dll, which is not blocked by H_C.

The methods from points 2., 3., and 4. are restricted via the integration of PowerShell 5.0 with SRP (in the default-deny setup). PowerShell 5.0 is built in by default in all Windows 10 versions. This restricts PowerShell to use only the features allowed by Constrained Language mode, when PowerShell is running with standard rights. This mode disables most of the advanced PowerShell capabilities, including those commonly used in exploit kits.
When SRP is set to default-allow, or an earlier PowerShell version is used, this restriction is not available. So, on Windows Vista, 7, 8, and 8.1 the H_C settings force blocking of the PowerShell interpreters via SRP. This can be seen when looking into <Block Sponsors> in H_C.
On Windows 10, the PowerShell interpreters are also blocked in the advanced H_C profiles, together with some other dangerous LOLBins.

When PowerShell is run by the user in interactive mode, with standard rights and H_C default-deny settings, it uses Constrained Language mode. If PowerShell is run with administrative rights, it is not restricted (it uses Full Language mode).

Summary of H_C (default-deny) restrictions related to PowerShell.
On Windows versions prior to Windows 10, PowerShell is blocked, with the exception of System.Management.Automation.dll.
On Windows 10, PowerShell scripts from local sources are blocked. PowerShell can still be used to run command-lines or in interactive mode. Yet, when running with standard rights, it is restricted by Constrained Language mode, which can block most techniques used by fileless malware.
 
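As an added example (not code from the post or from Hard_Configurator), the following script checks the two things the post above describes on a hardened Windows 10 machine: whether the current PowerShell session really runs in Constrained Language mode (standard rights) or Full Language mode (admin rights), and what SRP has recently blocked. It assumes the standard SRP event provider name in the Application log, which is the raw data behind H_C's <Blocked Events / Security Logs> view.

```powershell
# Added example: verify the PowerShell restriction state and list recent SRP blocks.

function Get-PSRestrictionReport {
    # Elevation check via whoami rather than WindowsIdentity: .NET method calls on
    # non-core types are refused in ConstrainedLanguage, so the check must work there.
    # S-1-16-12288 = High Mandatory Level, S-1-16-16384 = System Mandatory Level.
    $elevated = [bool]((whoami /groups) -match 'S-1-16-(12288|16384)')

    # Add-Type compiles arbitrary .NET code and is unavailable in ConstrainedLanguage;
    # a failing probe confirms the restriction really applies to this session.
    # A random type name keeps the probe valid if the function runs twice.
    $addTypeAllowed = $true
    try {
        $name = "HcProbe$(Get-Random)"
        Add-Type -TypeDefinition "public static class $name { public static int One() { return 1; } }" -ErrorAction Stop
    } catch {
        $addTypeAllowed = $false
    }

    [pscustomobject]@{
        PSVersion      = $PSVersionTable.PSVersion.ToString()
        Elevated       = $elevated
        LanguageMode   = $ExecutionContext.SessionState.LanguageMode
        AddTypeAllowed = $addTypeAllowed
        # Per the post: standard rights -> ConstrainedLanguage, admin rights -> FullLanguage.
        Expected       = if ($elevated) { 'FullLanguage' } else { 'ConstrainedLanguage' }
    }
}

function Get-SrpBlockEvents {
    param([int]$Newest = 20)
    # SRP writes its "access to ... has been restricted by your Administrator" events
    # to the Application log; the first message line names the blocked file.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Blocked'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-PSRestrictionReport | Format-List
Get-SrpBlockEvents | Format-Table -AutoSize -Wrap
```

Run it once from a normal console and once from an elevated one: with H_C default-deny, LanguageMode should match the Expected column in both cases, and AddTypeAllowed should be False only in the standard-rights session.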

Andy Ful

Level 46
Verified
Trusted
Content Creator
PowerShell and malicious shortcuts.

Shortcuts are very useful, and that is why they are also dangerous.
They can run command-lines, so a shortcut can run any script interpreter (including PowerShell) or another LOLBin.
One of the SRP features I like is the ability to block shortcuts by default in UserSpace and whitelist only some locations (for usability). So, if the user downloads a malicious shortcut from the Internet to the Downloads folder, the shortcut will be blocked.
Although blocking shortcuts in SRP is slightly buggy, there is a way to do it properly (not widely known).
SRP is exceptional, because shortcuts cannot be blocked (so far) in AppLocker, WD Application Control, SysHardener, OSArmor, VoodooShield, etc. I also cannot recall any AV which could do it. I am not sure about AppGuard - it is SRP software, so it should be able to block shortcuts. Some security software can restrict shortcut command-lines by comparing them against a command-line whitelist (blacklist) or by using heuristics.
Shortcuts in UserSpace (with some exclusions) are blocked in the H_C settings. This can be seen when looking at the option <More SRP ...> <Protect Shortcuts>.
 
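As an added example (not from the post or from Hard_Configurator), this script inventories the .lnk files in UserSpace and flags those whose target or arguments name a script interpreter or other command-line host, which is the class of shortcut the <Protect Shortcuts> rule above exists to stop. The interpreter list is my own choice; it uses the WScript.Shell COM object, so it must run in a Full Language (elevated) session, since COM objects cannot be created under Constrained Language mode.

```powershell
# Added example: audit shortcuts under the user profile before whitelisting locations.

function Get-UserSpaceShortcutReport {
    param(
        [string]$Root = $env:USERPROFILE,
        # Interpreters a shortcut in a user-writable folder should rarely point at.
        [string[]]$Interpreters = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe',
                                    'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
                                    'rundll32.exe', 'regsvr32.exe')
    )
    $shell = New-Object -ComObject WScript.Shell
    try {
        Get-ChildItem -Path $Root -Filter *.lnk -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # CreateShortcut on an existing .lnk loads it instead of creating a new one.
                $lnk = $shell.CreateShortcut($_.FullName)
                # TargetPath is empty for shell-folder and advertised shortcuts; coerce to string.
                $target = [System.IO.Path]::GetFileName("$($lnk.TargetPath)").ToLower()
                $args   = "$($lnk.Arguments)"
                # Flag an interpreter target, or arguments that name one
                # (shortcut -> cmd.exe -> powershell.exe chains).
                $argHit = @($Interpreters | Where-Object { $args -like "*$_*" }).Count -gt 0
                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Target     = $lnk.TargetPath
                    Arguments  = $args
                    Suspicious = ($Interpreters -contains $target) -or $argHit
                }
            }
    } finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

Get-UserSpaceShortcutReport |
    Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Shortcut, Target, Arguments -AutoSize -Wrap
```

Shortcuts listed as not suspicious in folders such as the Start Menu and taskbar pinning locations are candidates for whitelisting; anything flagged in Downloads or a temp folder is exactly what the SRP rule is meant to block.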

Andy Ful

Level 46
Verified
Trusted
Content Creator
Why is C:\Users\xxx\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\af8446203517116f\Microsoft Edge (ontwikkelaars).lnk blocked by the default configuration?
Because I did not whitelist the folder below for shortcuts by default:
C:\Users\xxx\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts
I wonder how the shortcuts are created there.
 

shmu26

Level 82
Verified
Trusted
Content Creator
Because I did not whitelist the folder below for shortcuts by default:
C:\Users\xxx\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts
I wonder how the shortcuts are created there.
For me it happened when I chose to pin Chrome to taskbar. Strange that it goes into an Internet Explorer folder, but it does...
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
For me it was when pinning Edge Dev to the taskbar.
That is interesting. I cannot reproduce adding a shortcut there. I even tried pinning the Edge Dev shortcut to the taskbar, and the shortcut is created in:
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
Anyway, the ImplicitAppShortcuts location is a known Windows native location for shortcuts, so I can add it by default to H_C.