Hard_Configurator - Windows Hardening Configurator

Nestor

Level 9
Verified
Well-known
Apr 21, 2018
397
I, instead, never expect them to perform well because, according to my experience, they never give a clean result, especially for Sophos.
Their signatures are so bad that it is a reason for infection. If their signatures were better, they would have had better results.
Also, I was disappointed with WD VPN bandwidth consumption. It consumed 150MB yesterday, while Bitdefender Free only consumed 15MB and Sophos 18MB.
During the test, WD uploaded everything to the cloud => privacy concern???

I think there are some ways to get a clean result in this test:
- Avast Hardened Mode + SysHardener/H_C blocking all scripts
- Block all scripts + run every .exe with SmartScreen
- any anti-exe, Comodo Firewall (not preferred, as they always work)
- Kaspersky's Trusted Application Mode
Evjl's Rain, when you were testing CF in the hub, did you ever notice system infection from malicious files running in containment? I am asking because of a discussion about how safe the "partially limited" mode in CF containment is. Thanks
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Evjl's Rain, when you were testing CF in the hub, did you ever notice system infection from malicious files running in containment? I am asking because of a discussion about how safe the "partially limited" mode in CF containment is. Thanks
I don't really understand what you mean!? In my test everything was sandboxed/contained and there was no malware escaping the sandbox, so the VM was totally protected.
I was using the default sandbox settings (no limit).
I never use any restriction for the containment because, if I want to monitor the behavior of a sandboxed process to determine if it's safe or unsafe, I must let it run unrestricted. Any restriction will cause a program to malfunction.
 

Nestor

Level 9
Verified
Well-known
Apr 21, 2018
397
I don't really understand what you mean!? In my test everything was sandboxed/contained and there was no malware escaping the sandbox, so the VM was totally protected.
I was using the default sandbox settings (no limit).
I never use any restriction for the containment because, if I want to monitor the behavior of a sandboxed process to determine if it's safe or unsafe, I must let it run unrestricted. Any restriction will cause a program to malfunction.
OK, thanks, that's really what I want to understand, because there was a fear that running a malicious app in containment might sometimes infect the system, although it was contained. Since that was not the case, even with (no limit) in containment, that's really nice.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
OK, thanks, that's really what I want to understand, because there was a fear that running a malicious app in containment might sometimes infect the system, although it was contained. Since that was not the case, even with (no limit) in containment, that's really nice.
There was no problem running the sandbox unrestricted because, if there is any sandbox escape, people would report it to Comodo and they will fix it quickly (because it's their priority).

Partially Limited is fine IMO if you block the internet connection of the sandboxed processes.

You can read the description here:
  • Set Restriction Level - When 'Run Restricted' is selected as 'Action' in Step 1, then this option is automatically selected and cannot be unchecked. If 'Run Virtually' action is selected, then this option can be checked or unchecked.
  • You can select the 'Restriction Level' from the following options:
  • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
  • Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
  • Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
  • Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
There was no problem running the sandbox unrestricted because, if there is any sandbox escape, people would report it to Comodo and they will fix it quickly (because it's their priority).

Partially Limited is fine IMO if you block the internet connection of the sandboxed processes.

You can read the description here:
Please remind me, how do you block the internet connection of the sandboxed processes?
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Please remind me, how do you block the internet connection of the sandboxed processes?
Hi, CS already demonstrated it in the video.
Here it is:
[attachment: Capture.PNG]

Also, you can uncheck that box so CF will show you a prompt every time a sandboxed/unrecognized process wants to connect.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,599
I noticed that SRP is incompatible with Microsoft Child Account. When I added the child account via the 'Add a family member' option on Windows 10 (ver. 1803) and applied the restrictions to applications (child age limit) + the restrictions to the content of web pages, then SRP stopped working on all accounts. :devil:
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,704
I noticed that SRP is incompatible with Microsoft Child Account. When I added the child account via the 'Add a family member' option on Windows 10 (ver. 1803) and applied the restrictions to applications (child age limit) and to the content of the web pages, then SRP stopped working on all accounts. :devil:

You will find the solution, I'm sure. (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,599
...
VoodooShield in AutoPilot mode will allow all true 0-day malware.
...
Because of the false positives, most non-advanced users will probably use one or two on-demand scanners for checking the 0-day malware and infect the computer anyway. Nothing is perfect.
Dan (VS developer) mailed me that my first sentence above may be misleading. I agree with him.
Bypassing VS by true 0-day malware (never seen before) will in many cases require user interaction. The average user will mostly be fooled by the very low or 0 detection on VirusTotal, so the VS detection by non-VT modules (AI, anti-script, etc.) will be treated as a false positive. That is why I prefer the Forced SmartScreen solution for application installers in Hard_Configurator (much fewer false positives).
Anyway, the chance of silently bypassing VS is very low. Here is Dan's explanation:
"In order for a zero day to slip through AutoPilot… It would have to…
  1. Be an executable (scripts and the like are auto blocked unless they are spawned from certain parents)
  2. Not be an unknown on VT
  3. Trick all VT engines that do not have a high FP rate on VT (and are not part of VS's FP detection)… there are around 40 of them
  4. Trick VoodooAi (which is slightly more aggressive than the other ML/Ai engines). Most ML/Ai engines will have roughly the same result since we all use very similar algos and models (trust me, there is no exaggeration… they are very, very, very similar). But VS was designed to be slightly more aggressive. Some of the other ML/Ai engines have a better false positive rate with a roughly 90-95% detection ratio (Cylance, CrowdStrike, etc), whereas VS was designed to have a roughly 99.5% detection ratio, with higher false positives.
  5. There are other checks as well… but these checks alone would block almost all zero days."
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,704
That will also be the case for many home user computers. :)
Using Hard_Configurator with recommended settings is not complicated, but the user needs some learning when using more advanced settings (like <Block Sponsors>). (y)

@Andy Ful, can you please expand/explain in more detail as it relates to Blocked Sponsors? I see in the manual it suggests using this setting when on an unsecured network. :notworthy::)

Edit: OK, I see the discussion continues in Post #433 and on, re: MS Office 2007, which explains more. I can see well enough that I need not enable a feature like Blocked Sponsors unless in an unsecure environment.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
The average user will mostly be fooled by the very low or 0 detection on VirusTotal,
Even SYSADMINs will be fooled!
Not be an unknown on VT
whereas VS was designed to have a roughly 99.5% detection ratio, with higher false positives.
I remember when Opcode bypassed VoodooAi with his malware :notworthy: the file had no detection in VT (all green) and VoodooAi also showed the file is safe (again green)! How can I decide? If AI and VT tell me the file is safe, I will allow it! Even the most paranoid users will allow it.
There are other checks as well… but these checks alone would block almost all zero days.
Only marketing words without evidence. What are these checks? Ask him, Ty.
I'm not saying VS is bad. It's good in Always On mode, and that Cuckoo Sandbox is enough for my needs, but it's far from great. Also, the free version has a lot of limitations! Even the paid version lacks some useful features.
There are better free alternatives:
Hard_Configurator
Avast Hardened Mode
SmartScreen
ERP Beta
ReHIPS.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
@Andy Ful, can you please expand/explain in more detail as it relates to Blocked Sponsors? I see in the manual it suggests using this setting when on an unsecured network. :notworthy::)

Edit: OK, I see the discussion continues in Post #433 and on, re: MS Office 2007, which explains more. I can see well enough that I need not enable a feature like Blocked Sponsors unless in an unsecure environment.
"Sponsors" is roughly the same as "vulnerable processes", a concept you might be familiar with from other security softs.
It's things like powershell, wscript, mshta, cmd, etc.
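Two things in this thread invite a quick local check: Andy Ful's report that SRP silently stopped enforcing after a child account was added, and shmu26's description of "sponsors" as interpreters such as powershell, wscript, mshta and cmd. The script below is an added example written for this page; it is not Hard_Configurator's own code and it does not reproduce how Hard_Configurator writes its rules. It assumes the standard Software Restriction Policies registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (DefaultLevel, TransparentEnabled, PolicyScope, and per-level Paths subkeys holding ItemData), reports whether SRP is currently enforced, and lists which of the listed sponsor executables have a Disallowed path rule. The match on the executable name is a heuristic of this example, not a property of SRP.

```powershell
# Added example (not from the page or the Hard_Configurator project):
# audit local SRP enforcement state and path rules for "sponsor" interpreters.
# Assumes the standard SRP registry layout; run from an elevated prompt to read HKLM policy keys.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Well-known SRP security level values (hashtable keys are the DWORD values stored in the registry)
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Interpreters the thread calls "sponsors" / "vulnerable processes" (list chosen for this example)
$sponsors = 'powershell.exe', 'powershell_ise.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe'

function Get-SrpStatus {
    # Returns whether SRP is configured and enforced; TransparentEnabled = 0 means SRP is off,
    # 1 enforces for executables, 2 also covers DLLs.
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = 'not set'; Enforced = $false; PolicyScope = 'n/a' }
    }
    $p = Get-ItemProperty -Path $base
    $defaultLevel = if ($null -ne $p.DefaultLevel) { $levels[[int]$p.DefaultLevel] } else { 'not set' }
    [pscustomobject]@{
        Configured   = $true
        DefaultLevel = $defaultLevel
        Enforced     = ($null -ne $p.TransparentEnabled -and [int]$p.TransparentEnabled -gt 0)
        # PolicyScope 1 = all users except local administrators, 0 = all users
        PolicyScope  = if ($p.PolicyScope -eq 1) { 'All users except admins' } else { 'All users' }
    }
}

function Get-SrpPathRules {
    # Enumerates path rules under each security level: <base>\<level>\Paths\{GUID}
    foreach ($lvl in $levels.Keys) {
        $pathKey = Join-Path $base "$lvl\Paths"
        if (-not (Test-Path $pathKey)) { continue }
        Get-ChildItem -Path $pathKey | ForEach-Object {
            $r = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $levels[$lvl]
                Path        = [string]$r.ItemData
                Description = [string]$r.Description
            }
        }
    }
}

function Test-SponsorRules {
    # For each sponsor name, report whether some rule mentioning it is at the Disallowed level
    # (name match is a heuristic of this example; SRP rules can also be hash or certificate based).
    param([object[]]$Rules, [string[]]$Names)
    foreach ($n in $Names) {
        $hit = @($Rules | Where-Object { $_.Path -match [regex]::Escape($n) })
        [pscustomobject]@{
            Sponsor    = $n
            Disallowed = [bool]($hit | Where-Object Level -eq 'Disallowed')
            Rules      = ($hit | ForEach-Object { "$($_.Level): $($_.Path)" }) -join '; '
        }
    }
}

$status = Get-SrpStatus
$status | Format-List
if (-not $status.Enforced) {
    Write-Warning 'SRP is not enforced (TransparentEnabled is 0 or the policy key is missing).'
}
$rules = @(Get-SrpPathRules)
Test-SponsorRules -Rules $rules -Names $sponsors | Format-Table -AutoSize
```

Running this before and after a change such as adding a family account gives a concrete way to confirm the enforcement state instead of noticing it only when a blocked script suddenly runs; a Disallowed column that is False for an interpreter you expected Block Sponsors to cover is worth investigating in the Hard_Configurator settings.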
 
