Andy Ful

I am thinking about adding two H_C options: <Harden EXE> and <Harden EXE via WDAC>.
Both can be applied as additional protection to any Allow EXE profile.

The first will simply block EXE files via SRP in the default user folders on the system partition, like: Desktop, Download, Videos, Documents, Pictures, Music.

The second will be based on Windows Defender Application Control (WDAC). It will apply the additional protection to all drives and partitions except the system partition (usually C:\). This protection includes:
  1. All programs (EXE, MSI) and DLLs which are accepted by Microsoft as safe (Intelligent Security Graph Authorization) are allowed.
  2. All other programs (EXE, MSI) and DLLs are blocked (also .NET DLLs).
  3. PowerShell and Windows Script Host scripting is restricted, also for elevated processes.
  4. "Run As SmartScreen" or "Run By SmartScreen" can bypass the blocking of MSI and EXE files.
  5. The system partition (usually C:\) is whitelisted, so EXE, MSI, and DLL files from the system partition are allowed by WDAC, but can be restricted by other H_C features.
Both <Harden EXE> and <Harden EXE via WDAC> are prepared to work with any "Allow Exe" setup. So, with the Allow EXE setting, the commonly used user folders will be protected as in the H_C Recommended Settings, other locations on the system drive will allow EXE files, and non-system drives (also USB drives) will be additionally protected by Windows Defender Application Control.

The H_C Allow EXE setup + <Harden EXE> + <Harden EXE via WDAC> will probably be included in H_C as the "Default Profile". There will be no problems with installing & updating applications in UserSpace on the system partition. Still, while installing applications the user will usually have to use "Run As SmartScreen" from the Explorer context menu, because the installers will be started from the Download or Desktop folder, or from a non-system drive/partition.
 
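The WDAC design described in the post above, as an added example in PowerShell that is not Hard_Configurator's own code: it builds an audit-mode policy that allows ISG-approved files, whitelists the system partition by path and leaves every other drive under default-deny. Assumed: Windows 10 1903 or later, an elevated PowerShell with the ConfigCI cmdlets, Microsoft's shipped DefaultWindows template, and a scratch folder under TEMP.

```powershell
# Added example, not Hard_Configurator's code. The policy starts in AUDIT mode: nothing is
# blocked yet; would-be blocks are logged under Applications and Services Logs\
# Microsoft\Windows\CodeIntegrity\Operational, which is where to look before enforcing.
$Work = Join-Path $env:TEMP 'wdac-harden-exe'            # assumed scratch folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Template = Join-Path $env:SystemRoot 'schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
$Policy   = Join-Path $Work 'HardenExeViaWdac.xml'

# Point 5 of the design: whitelist the whole system partition by path. Files on every
# other drive or partition then fall through to the policy's default deny (point 2).
$SysDriveRule = New-CIPolicyRule -FilePathRule "$env:SystemDrive\*"

# Start from the Windows template so that Windows itself and kernel drivers stay allowed,
# then merge the path rule in.
Merge-CIPolicy -PolicyPaths $Template -Rules $SysDriveRule -OutputFilePath $Policy | Out-Null

# Set-RuleOption indices; the strings are the option names as they appear in the XML.
$Options = [ordered]@{
    0  = 'Enabled:UMCI'                                     # user-mode CI: EXE, MSI, DLL; also puts PowerShell into Constrained Language (point 3)
    3  = 'Enabled:Audit Mode'                               # observe first; drop this option to enforce
    6  = 'Enabled:Unsigned System Integrity Policy'         # unsigned policy, so it can be removed again
    9  = 'Enabled:Advanced Boot Options Menu'               # keep a recovery path
    14 = 'Enabled:Intelligent Security Graph Authorization' # point 1: "accepted by Microsoft as safe"
    16 = 'Enabled:Update Policy No Reboot'
    18 = 'Disabled:Runtime FilePath Rule Protection'        # path rules normally refuse user-writable folders; C:\Users\... must pass here
}
foreach ($opt in $Options.Keys) {
    Set-RuleOption -FilePath $Policy -Option $opt           # $Options[$opt] is documentation only
}

# Compile to the binary form that Code Integrity loads.
$Bin = Join-Path $Work 'SiPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $Bin | Out-Null
Write-Host "Audit-mode policy compiled to $Bin."
Write-Host "Deploy as documented for your Windows build (single-policy format: copy to $env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b and reboot)."
```

Option 18 is the practical caveat: without it the C:\* rule would not cover user-writable folders such as Downloads, which is exactly why those folders need a second control (SRP in the post above) rather than WDAC.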

shmu26

Sounds like a great idea, I am looking forward to it!
 

Andy Ful

Hello
1 - What's the difference between SmartScreen and this feature?
2 - Does it work only on execution (directly by the user), or does it also cover child execution (like a script that downloads and runs the malicious EXE or MSI)?
Thanks
1. It is slightly more restrictive for EXE and MSI files, checks all loaded DLLs, and does not require MOTW.
2. Works on execution (even when executed by malware as a payload), and covers child processes.

But the version used in H_C will not use most of this, because the system partition is whitelisted. On the system partition, H_C will not use this protection, but SRP. Only files on non-system drives/partitions will be blocked by WDAC.
Here are some examples:
  1. The user runs a legal (but vulnerable) executable from the USB drive, which tries to load a malicious DLL from this drive. WDAC will block the execution of the malicious DLL.
  2. The user has copied the EXE file from the USB drive to the Desktop or Download folder. The file execution will be blocked by SRP, even with the H_C Allow EXE setup.
  3. The user has copied a file from an infected USB drive (shortcut malware) which is, in fact, a shortcut to malware (DLL, EXE, etc.) hidden somewhere on the USB drive. Shortcuts on the Desktop are normally allowed in H_C, but when the shortcut is executed, the malware on the USB drive will be blocked by WDAC anyway.
 

shmu26

Thanks for the careful explanation. I like it!
 

Andy Ful

Bypassing SmartScreen.

It is worth knowing that the SmartScreen Application Reputation check can be bypassed by DLL hijacking. Simply, the checked executable could be a legal (vulnerable) program with a malicious DLL located in the same folder. This DLL will be loaded by the program after the SmartScreen check, and the DLL will not be checked by SmartScreen.
Such a method is often used via infected USB drives. Both "Run As SmartScreen" and "Run By SmartScreen" can prevent DLL hijacking when used on executables located on USB drives.

The attackers can also use packed spam attachments (ZIP, ARJ, 7-ZIP, etc., downloaded to the hard disk), which can contain the legal EXE file alongside the malicious DLL to apply DLL hijacking. Usually, the attack starts from a script or shortcut that drops the malicious DLL and runs the EXE file - this method is prevented by H_C settings.
But in theory, the attacker could also use social engineering to convince the user to run the EXE file directly - this would bypass SmartScreen even if the unpacked files had MOTW.

I will try to prevent the above in the next H_C version.
 

Andy Ful

DLL hijacking can also be a weak point of Anti-EXE solutions (and generally all default-deny solutions) that do not block DLLs.
For example, VoodooShield in Autopilot mode can be bypassed in the same way as SmartScreen, because the legal EXE file will be allowed to run both by the VT check and the AI check. NVT ERP will initially block the EXE file, but some users will allow it to run after checking it with VT or an on-demand scanner. Of course, most users will be smart enough to set Explorer to show hidden files, and will not run the EXE file when seeing the DLLs in the same folder.
 

Tiamati

@Andy Ful

First, let me thank you for your excellent work. I'm relatively new at the forum, but I'm already impressed by how people help each other here! If I had more knowledge in developing tools, I would certainly join you. :)

If you don't mind, can you clear up some quick doubts?

1) Considering I would like to allow *.exe files to run normally when double-clicking them through Explorer or through the download tab from Chrome, for example. I concluded that there are 2 ways to get that: 1) add EXE and TMP files to whitelist by path; 2) set H_C with the No Enforcement setting. Which option would be less vulnerable? Is there any other way?

2) Could installing H_C, in any way, open vulnerabilities to be explored (at the same time it closes other ones)?

3) In case I would like to remove H_C, would following the guide steps remove 100% of the changes?

4) Would H_C in any way conflict with IObit Uninstaller functions, like the one that monitors the installation of new software and logs the changes?

I found one small conflict that I was able to solve, but I'll let you know anyway. When I installed H_C, I was not able to run Brave through the Windows taskbar because the standard shortcut was a *.LNK file. I solved it by deleting it, creating a new shortcut and adding the new one to the taskbar. I don't know why that happened.

Thank you very much!
 

oldschool

@Tiamati

My responses to your questions:

1. You may run Exe and Tmp files as you normally would if you use Default-Allow by loading this profile: "Windows_10_MT_Windows_Security... etc." IMPORTANT: if you use this profile then disable by turning OFF this > "Validate Admin C.S."

2. No, you would be eliminating vulnerabilities depending on which profile you load and use. You can make your system as restricted (or not) as you prefer.

3. Uninstalling via the H_C UI will restore all Windows defaults. Guaranteed! (y)

4. I doubt it but you may need to whitelist IObit. I'm uncertain if this will be necessary or not as I don't use an uninstaller so I can't say for sure.

You will learn by trying to use it, but please read all info and become familiar with the UI so you know what each feature is for. :D
 

Tiamati

Thank you @oldschool. You're always around here :cool:. Really appreciated. Did you find where the descriptions of each profile are? (EDIT: I found it)

Oh, would VoodooShield still be necessary, considering H_C already covers so many extensions and functions?

Should I enable "Block PowerShell Scripts" when using the "Windows_10_MT_Windows_Security..." profile?
 

Andy Ful

Thanks.
  1. Use Allow EXE and TMP from <Whitelist By Path>, or set <Default Security Level> = Unrestricted, or set <Enforcement> = No Enforcement. Each setting has different implications. The first is recommended if you want to allow EXE files but use a default-deny setup for the rest.
  2. H_C does not introduce/open any vulnerability in real-time protection, because all its processes are closed after finishing the configuration. The protection is based on Windows built-in security, which is already in the system. The H_C setup only makes it more restrictive.
  3. No. After uninstallation, H_C reverts the changed settings to the Windows default settings. This is usually 100% of the old settings, except when the user had some non-default settings before installing H_C.
  4. No, there should not be any conflict.
I have Brave installed on Windows 10 ver. 1903. After installation, Brave creates two shortcuts, one on the Desktop and the second in the Start Menu. They are not blocked by H_C.
I also pinned Brave to the taskbar - this added another shortcut in:
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
This location is not blocked by H_C either.
The Brave shortcut was probably made somehow in a non-standard location that was not whitelisted by default in H_C. This can happen, for example, if you use a 3rd party start menu application. Another possibility is when you use Brave with different profiles; then the shortcut can be added to the location:
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts
which is not whitelisted by default in H_C.
 

Andy Ful

After some weeks of using the current profile, you can try to harden it a little:
  1. From the left panel options, use the option <Block Sponsors> and <ADD> (below the Enhanced label).
  2. From the right panel options, set <Block PowerShell Scripts> = ON
  3. From the right panel options, set <Block Windows Script Host> = ON
Please remember that adding these options can block something that you need, because the script blocking will be stronger and will also be applied at the administrator level (points 2 and 3). That is why you should first wait a few weeks to be certain that the initial profile works well. If the new setup becomes too restrictive, then you can always load the "Windows_10_MT_Windows_Security..." profile.
As @oldschool already mentioned, you can also set <Validate Admin C.S.> to OFF if you use unsigned applications that require admin rights to run or update.
 

Andy Ful

RunBySmartScreen and DLL hijacking.

When the user has applied H_C's Allow EXE setup, the SmartScreen check can be done via the 'Run By SmartScreen' option on the Explorer right-click context menu. This option allows checking and opening any file which is located in an untrusted location (like a USB drive, the Download folder, etc.), without knowing if the file is a photo, document, video clip, script, shortcut, or executable.
Suppose now that the user wants to check the file, and it happens to be LegalApp.exe with a hijacked DLL. Then in the new H_C version, using "Run By SmartScreen" will show an alert with some instructions and two buttons, <Cancel> and <Run anyway>:

"This is an executable EXE file (*.exe) - it cannot be Run By SmartScreen from the current location. One or more DLL files are in the same location, and this can bypass SmartScreen via DLL hijacking.

Press the <Cancel> button if you are not sure what to do. Next, check if all the DLL files are clean and necessary in the current location. Please note that they can often be hidden, except when Windows Explorer is set to show hidden files. Do not run the initial EXE file without using 'Run By SmartScreen' until you are sure that these DLL files are clean.

Press the <Run anyway> button only if you are sure that the initial EXE file is a standalone application installer or a portable application executable. The file will be executed from another location, without loading the DLL files from the current location."

Please let me know if something can be improved in the alert text.
 
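The pre-check that the alert above describes (and that the earlier "Bypassing SmartScreen" post motivates), written as an added PowerShell function that is not Hard_Configurator's code: given a file the user is about to "Run By SmartScreen", it reports whether the file is an EXE sitting next to DLL files, hidden ones included, and whether it carries the Mark-of-the-Web that the SmartScreen reputation check depends on. The function name, its output fields and the sample path are assumptions.

```powershell
# Added example, not Hard_Configurator's code.
function Test-RunBySmartScreenRisk {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $file  = Get-Item -LiteralPath $Path -Force          # -Force: the file itself may be hidden
    $isExe = $file.Extension -ieq '.exe'

    # DLLs beside the executable; -Force lists hidden and system files as well.
    $dlls   = @(Get-ChildItem -LiteralPath $file.DirectoryName -Filter '*.dll' -File -Force -ErrorAction SilentlyContinue)
    $hidden = @($dlls | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 })

    # Mark-of-the-Web lives in the Zone.Identifier alternate data stream (ZoneId=3 is Internet).
    $zoneId = $null
    try {
        $line = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop |
                Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line) { $zoneId = [int]($line -split '=', 2)[1] }
    } catch { }                                          # no stream: the file has no MOTW

    $risk   = $isExe -and ($dlls.Count -gt 0)
    $advice = if ($risk) {
        'Cancel: inspect the adjacent DLLs first, or run the EXE from a location without them'
    } elseif ($isExe -and $null -eq $zoneId) {
        'No MOTW: a plain double-click would skip the SmartScreen reputation check'
    } else {
        'OK to Run By SmartScreen'
    }

    [pscustomobject]@{
        File         = $file.FullName
        IsExecutable = $isExe
        HasMotw      = ($null -ne $zoneId)
        ZoneId       = $zoneId
        AdjacentDlls = @($dlls   | ForEach-Object { $_.Name })
        HiddenDlls   = @($hidden | ForEach-Object { $_.Name })
        HijackRisk   = $risk
        Advice       = $advice
    }
}

# Constructed usage; the path is an assumption, not a real sample.
Test-RunBySmartScreenRisk -Path 'E:\LegalApp.exe' | Format-List
```

HijackRisk mirrors the alert's trigger condition (EXE plus at least one DLL in the same folder); HiddenDlls shows why the alert mentions Explorer's hidden-files setting.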

Freki123

Maybe something with more warning of the danger in the first part of the sentence?

Warning:
One or more DLL files are in the same location and this can bypass SmartScreen via DLL hijacking.
I would care more about the warning/bypass than that the file is an exe :D

I really like your dedication and work :)