Gandalf_The_Grey

Level 21
Verified
That is interesting. I cannot reproduce adding a shortcut there. I even tried pinning the Edge Dev shortcut to the taskbar, and the shortcut is created in:
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
Anyway, the ImplicitAppShortcuts location is a known Windows native location for shortcuts, so I can add it by default to H_C.
It's a strange one. I got it when pinning Edge Dev from the Start menu entry.
But after pinning Edge Dev to the Start menu first and then pinning to the Start menu from the tile, there is no more problem/warning, and it's in another folder now, I think... :unsure:
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
I do not want to interfere with the current discussion (on another thread) about the differences/similarities of using CF and H_C. So, briefly:
  1. H_C on the Recommended settings is more restrictive for user actions, but less restrictive for system actions. CF with CS settings has a far greater impact on the system, which can sometimes be a problem on Windows 10.
  2. H_C uses SmartScreen to safely install applications. SmartScreen gives fewer false positives compared to File Lookup in Comodo (with a reduced TVL list). If the TVL is not reduced, then it is not as safe as SmartScreen.
  3. CF has a very good firewall and sandbox. Some people do not like SmartScreen.
CF and H_C can be used for protecting the computers of family members. I have used both, but on Windows 10 I prefer H_C because of its greater compatibility with the Windows OS. (y):giggle:
 
Last edited:

Gandalf_The_Grey

Level 21
Verified
I do not want to interfere with the current discussion (on another thread) about the differences/similarities of using CF and H_C. So, briefly:
  1. H_C on the Recommended settings is more restrictive for user actions, but less restrictive for system actions. CF with CS settings has a far greater impact on the system, which can sometimes be a problem on Windows 10.
  2. H_C uses SmartScreen to safely install applications. SmartScreen gives fewer false positives compared to File Lookup in Comodo (with a reduced TVL list). If the TVL is not reduced, then it is not as safe as SmartScreen.
  3. CF has a very good firewall and sandbox. Some people do not like SmartScreen.
CF and H_C can be used for protecting the computers of family members. I have used both, but on Windows 10 I prefer H_C because of its greater compatibility with the Windows OS. (y):giggle:
Regarding 1., are the recommended settings just pressing the Recommended Settings button and not using ConfigureDefender or the Firewall Hardening tool?
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Regarding 1., are the recommended settings just pressing the Recommended Settings button and not using ConfigureDefender or the Firewall Hardening tool?
Most of the user actions are restricted by H_C (via SRP and some Windows policies), without touching ConfigureDefender or Firewall Hardening. But these two tools apply some restrictions, too.
For example, ConfigureDefender (if one uses WD) can activate WD ASR rules or Controlled Folder Access. Furthermore, SmartScreen can be set to Block, etc.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
ConfigureDefender and fileless malware.
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/page-32

WD ASR rules applied by ConfigureDefender can add protection against PowerShell and CMD command-line attacks, which are restricted (but not blocked) in the H_C Recommended settings. Of course, these will be rare events. Generally, it is very hard for malware to get access to the command line when the H_C Recommended settings are applied. The most probable ways, like MS Office and Adobe Reader vulnerabilities, are additionally protected in H_C via the Documents AntiExploit features.
 
Last edited:

legendcampos

Level 6
Verified
Excellent program for Windows Defender. I enabled the recommended settings and I cannot open the Opera browser. I think it gets very restrictive, and the cause is the SRP option; after disabling it, the browser works. At the moment I am with Windows Defender on High, restrictions switched on, and the default firewall. Is there any risk? Software conflict?
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Excellent program for Windows Defender. I enabled the recommended settings and I cannot open the Opera browser. I think it gets very restrictive, and the cause is the SRP option; after disabling it, the browser works.
You can see what was blocked by using the H_C option <Tools> <Blocked Events / Security Logs> (black button). If I recall correctly, Opera installs into the user profile (replace xxxx with yours):
c:\Users\xxxx\AppData\Local\Programs\Opera\
This location is in UserSpace, so it is blocked by SRP. You can use the <Whitelist By Path> <Add Folder> option to whitelist the Opera folder. Press <APPLY CHANGES>. (y)
But it is better to use Edge (native) or a web browser which installs by default in C:\Program Files, like Edge Chromium (Beta Channel or Dev Channel, not Canary Channel), Google Chrome, or Firefox. They will run and update without whitelisting anything.

At the moment I am with Windows Defender on High, restrictions switched on, and the default firewall. Is there any risk? Software conflict?
If you do not use 3rd-party security programs, then everything should be OK. Otherwise, sometimes the setup will require tweaking.
 
Last edited:
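The <Blocked Events / Security Logs> button reads the same SRP block events that Windows writes to the Application log. As an added example (not Hard_Configurator's own code), the script below pulls those events with PowerShell and groups the blocked files by folder, so that a whole application directory such as the Opera folder shows up as a single whitelisting candidate. It assumes the SRP provider name and event IDs (865-868, 882) as documented by Microsoft for Windows 10.

```powershell
# Added example, not part of Hard_Configurator: list files that SRP blocked so the folder
# to whitelist can be identified. SRP logs block events to the Application log under the
# provider Microsoft-Windows-SoftwareRestrictionPolicies (IDs 865-868 and 882 are blocks).
function Get-SrpBlockedEvents {
    param([int]$MaxEvents = 100)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868, 882
    }
    # Get-WinEvent throws when no events match; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The first message line reads "Access to <path> has been restricted ...";
            # strip the surrounding text to keep only the blocked path.
            $first = ($_.Message -split '\r?\n')[0]
            $path  = $first -replace '^Access to\s+', '' -replace '\s+has been restricted.*$', ''
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Path   = $path
                Folder = Split-Path -Path $path -Parent
            }
        }
}

# Group by folder: many blocks under one directory usually mean one application
# installed in UserSpace (e.g. ...\AppData\Local\Programs\Opera) rather than malware.
Get-SrpBlockedEvents |
    Group-Object -Property Folder |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell on the machine where the block happened; a folder that appears repeatedly and belongs to a known program is the one to add via <Whitelist By Path>.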

Andy Ful

Level 48
Verified
Trusted
Content Creator
H_C and fileless malware - an example.

Here is the infection chain of the Astaroth variant attack:
[Image: fileless-astaroth.jpg]


The malware link in stage 1 can be blocked by WD Network Protection, but not if it is never-before-seen malware. So the ZIP archive would probably be downloaded and the user would run the shortcut (LNK file) from this archive. But generally, shortcuts in UserSpace are blocked by the H_C default-deny settings, and this will stop the attack.
Let's suppose that we have another variant without an intermediate LNK file. So, the user will run the BAT file instead. This will also be blocked, because BAT scripts are blocked in UserSpace.

We can imagine that another attack variant could somehow get to stage 2 (or 3) and WMIC is run. This will be stopped either when H_C's enhanced profile is applied or when the <Recommended H_C> outbound block rules in FirewallHardening are applied.
The WMIC command will also be blocked if the ConfigureDefender MAX Protection Level is applied.

In stage 4, the attack can be blocked when H_C's enhanced profile is applied, which blocks running Bitsadmin.exe. It should be remembered that downloading by Bitsadmin.exe cannot be blocked via outbound firewall rules.

In the later stages, H_C could break the infection chain via custom settings by blocking Regsvr32.exe or Certutil.exe.

Anyway, blocking sponsors (Wmic.exe, Bitsadmin.exe, Certutil.exe, Regsvr32.exe) is usually not necessary, because in most cases the infection chain can be broken by blocking shortcuts or scripts.

 
Last edited:
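The post above relies on WD ASR rules (applied by ConfigureDefender) to cover the stages that SRP does not: Office/Reader child processes, executables arriving by e-mail, obfuscated scripts, and process creation via WMI. As an added example (not ConfigureDefender's own code), the script below reads the ASR state from Get-MpPreference and reports which of those rules are in Block, Audit, Warn or Disabled mode. The rule GUIDs are Microsoft's documented ASR identifiers as known to the author of this example; verify them against the current ASR reference before relying on them.

```powershell
# Added example, not part of ConfigureDefender or Hard_Configurator: report the state of the
# WD ASR rules that cover the Astaroth-style chain discussed above.
# GUIDs are Microsoft's documented ASR rule IDs (verify against the current reference).
$rulesOfInterest = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}
# Action codes used by Set-MpPreference/Get-MpPreference for ASR rules.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleReport {
    $pref    = Get-MpPreference
    # Ids and Actions are parallel arrays; either may be empty when nothing is configured.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $rulesOfInterest.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            # GUIDs may be stored in either case, so compare case-insensitively.
            if ($ids[$i] -ieq $guid) { $idx = $i; break }
        }
        $state = if ($idx -ge 0) { $actionNames[[int]$actions[$idx]] } else { 'Not configured' }
        [pscustomobject]@{
            Rule  = $rulesOfInterest[$guid]
            Id    = $guid
            State = $state
        }
    }
}

# Anything not in 'Block' is a stage of the chain that only SRP (or nothing) covers.
Get-AsrRuleReport | Sort-Object -Property State | Format-Table -AutoSize
```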

paulderdash

Level 4
Couldn't update Dell SupportAssist with H_C at the recommended config.
Should I just temporarily disable 'Block PowerShell Scripts' :D?

Logs include the sort of entry below... Also, if I update any drivers, is it a good idea to enable PowerShell?

Error Message = File C:\Program Files\Dell\SupportAssistAgent\bin\Appx\RemoveExistingAppx.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
Fully Qualified Error ID = UnauthorizedAccess
Recommended Action =


Context:
Severity = Warning
Host Name = Default Host
Host Version = 5.1.18362.145
Host ID = 501e1023-313d-4403-bda1-4ba276fcfb4d
Host Application = C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
Engine Version = 5.1.18362.145
Runspace ID = 33bedc5e-2d4a-4c93-8e0f-f19f90e383f1
Pipeline ID = 1
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 19
User = WORKGROUP\SYSTEM
Connected User =
Shell ID = Microsoft.PowerShell


User Data:
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Couldn't update Dell SupportAssist with H_C at the recommended config.
Should I just temporarily disable 'Block PowerShell Scripts' :D?

Logs include the sort of entry below... Also, if I update any drivers, is it a good idea to enable PowerShell?

Error Message = File C:\Program Files\Dell\SupportAssistAgent\bin\Appx\RemoveExistingAppx.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
Fully Qualified Error ID = UnauthorizedAccess
Recommended Action =


Context:
Severity = Warning
Host Name = Default Host
Host Version = 5.1.18362.145
Host ID = 501e1023-313d-4403-bda1-4ba276fcfb4d
Host Application = C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
Engine Version = 5.1.18362.145
Runspace ID = 33bedc5e-2d4a-4c93-8e0f-f19f90e383f1
Pipeline ID = 1
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 19
User = WORKGROUP\SYSTEM
Connected User =
Shell ID = Microsoft.PowerShell


User Data:
Yes. (y)
The Dell SupportAssistAgent.exe uses the PowerShell script:
C:\Program Files\Dell\SupportAssistAgent\bin\Appx\RemoveExistingAppx.ps1
So you have to temporarily turn OFF blocking PowerShell scripts:
[Image: H_C_disPowersh.png]
 

93803123

From time to time, they discover severe security issues with these support assist tools. It might be wise to just uninstall it until you need it again (hopefully never). If I remember right, all it really does is help you figure out your model number when you log on to their website for assistance...
Almost all of them use cscript.exe, wscript.exe, mshta.exe, powershell.exe. Plus, they all run from user space.

I never use any. I uninstall them and then manually do my own driver updates via the support\driver page.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Thanks. For now, it is just a hobby (I am retired). I have bought a cheap code-signing license, which is very quickly accepted by SmartScreen when I push the new versions. H_C does not need much work, because it activates built-in Windows security. The only thing that is needed is testing H_C by people to make it better and more usable. :giggle:(y)
 

SeriousHoax

Level 9
Verified
Malware Tester
SeriousHoax,
What H_C settings did you use in your last test? Could you include this information in your test?
It seems that the samples in the dynamic test do not trigger SmartScreen, nor BAFS. If so, then the WD behavior blocking did a very good job.
Oops, I forgot to add. I didn't use the recommended settings. I used the one you suggested for my personal use. The profile is "WIndows_10_MT_Windows_Security_hardening", but with "Validate admin C.S." turned off and "Block PowerShell Scripts" enabled. I'm using it personally, and it seems suitable for average users without any annoyances.
This is the profile: SeriousHoax H_C Profile
What unpacker do you use to unpack malware samples?
I use either 7zip or Winrar.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Oops, I forgot to add. I didn't use the recommended settings. I used the one you suggested for my personal use. The profile is "WIndows_10_MT_Windows_Security_hardening", but with "Validate admin C.S." turned off and "Block PowerShell Scripts" enabled. I'm using it personally, and it seems suitable for average users without any annoyances.
This is the profile: SeriousHoax H_C Profile

I use either 7zip or Winrar.
That would also be my suggestion for MT members who would like to use H_C settings. It is similar in idea to SysHardener, but more comprehensive and stronger. The "Recommended Settings" are OK on a semi-closed setup, or when an advanced user wants to protect the computers of family members.
I would also add Bandizip, because 7-Zip and WinRAR do not transfer MOTW from the archive to the unpacked executables, which can weaken Windows Defender (no BAFS on extracted executables).
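MOTW is just the Zone.Identifier alternate data stream on the file, which is what SmartScreen and BAFS check before the first run. As an added example (not Hard_Configurator's or any archiver's code), the script below reports which files in an extraction folder still carry that stream, and re-applies an Internet-zone mark to executables that lost it, so they get the same scrutiny as a direct browser download. The extraction folder path is an assumption; point it at the folder your archiver produced.

```powershell
# Added example, not part of Hard_Configurator: inspect and restore the Mark-of-the-Web
# (Zone.Identifier ADS) on extracted files. Files unpacked by an archiver that drops MOTW
# show HasMotw = False even though the archive itself came from the Internet.
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Folder)
    foreach ($file in Get-ChildItem -LiteralPath $Folder -File -Recurse) {
        $zone = $null
        try {
            # Reading a stream that does not exist throws; treat that as "no MOTW".
            $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $lines) {
                if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
            }
        } catch { }
        [pscustomobject]@{
            File    = $file.FullName
            ZoneId  = $zone            # 3 = Internet, 4 = Restricted sites
            HasMotw = ($null -ne $zone)
        }
    }
}

# Re-apply an Internet-zone MOTW so SmartScreen/BAFS inspect the file on first launch.
function Add-Motw {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        Set-Content -LiteralPath $p -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    }
}

# Assumed extraction folder; compare against a file saved directly by the browser.
$extracted = "$env:USERPROFILE\Downloads\extracted"
Get-MotwStatus -Folder $extracted | Format-Table -AutoSize
Get-MotwStatus -Folder $extracted |
    Where-Object { -not $_.HasMotw -and $_.File -match '\.exe$' } |
    ForEach-Object { Add-Motw -Path $_.File }
```

Requires an NTFS volume, since FAT/exFAT have no alternate data streams and therefore never carry MOTW.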