Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
The system-wide H_C option <Documents Anti-Exploit> set to 'Adobe + VBA' is a very strong mitigation, and it will block any attempts to use VBA code in MS Office applications. It is much stronger than blocking macros in MS Office documents. Usually, the users do not need VBA in MS Office, unless they need the automation macros in templates, Add-ins, etc. In such a case, the system-wide H_C option <Documents Anti-Exploit> should be set to 'Adobe'. Next, MS Office hardening can be done via Switch Default-Deny >> Documents Anti-Exploit . This hardening is valid only for the current account, so it should be done on all user accounts that use MS Office.
Thanks, Andy.
My favorite Word add-on is SaveReminder, because it can be configured to force Word to do a full save of the open document every X number of minutes. If Word doesn't do a full save, Cloud syncing services such as Dropbox will not be able to sync changes to the open doc. They will sync changes only when you close the doc, or remember to hit the save button.

If anyone can think of another way to do this, I would be happy to get rid of the add-on.

I experimented with the new "Automatically save" feature in Office 365, it is enabled if your docs are in OneDrive. It regularly syncs changes in open documents.
It's pretty good, but if you are using a free OneDrive account, it won't help you recover from ransomware. This is because a free OneDrive will only keep past versions for a file in Office format. Once the file extension changes, OneDrive no longer recognizes it as an Office doc, and the past versions are lost.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
I experimented with the new "Automatically save" feature in Office 365, it is enabled if your docs are in OneDrive. It regularly syncs changes in open documents.
It's pretty good, but if you are using a free OneDrive account, it won't help you recover from ransomware. This is because a free OneDrive will only keep past versions for a file in Office format. Once the file extension changes, OneDrive no longer recognizes it as an Office doc, and the past versions are lost.
Can they be recovered manually from OneDrive?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Nope.
I created test.docx and made a few changes, I saw that versions were created.
I changed the file name to test.docxpwned, and the versions were no longer available.
But possibly, If the document was closed, synced to OneDrive and next encrypted/renamed on disk, then it can be manually recovered.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
But possibly, If the document was closed, synced to OneDrive and next encrypted/renamed on disk, then it can be manually recovered.
That is what I did. I closed the file, and renamed in on disk. OneDrive looks at it as a file modification, not as a new file.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
That is what I did. I closed the file, and renamed in on disk. OneDrive looks at it as a file modification, not as a new file.
Strange. Is it possible to recover the file from OneDrive recycle bin, OneDrive version history, or OneDrive Files Restore (for 365 subscribers)?
 
  • Like
Reactions: harlan4096

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Strange. Is it possible to recover the file from OneDrive recycle bin, OneDrive version history, or OneDrive Files Restore (for 365 subscribers)?
Real 365 subscribers will not have a problem, because they have the paid version of OneDrive. It's part of the deal. In fact, ransomware protection is one of their selling points.
For free users, the file will not be in the recycle bin. Because it was never deleted.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Real 365 subscribers will not have a problem, because they have the paid version of OneDrive. It's part of the deal. In fact, ransomware protection is one of their selling points.
For free users, the file will not be in the recycle bin. Because it was never deleted.
So, OneDrive version history did not work for you, too?
 
  • Like
Reactions: harlan4096

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
So, OneDrive version history did not work for you, too?
My 365 account was assigned to me by a large org. The administration of the account is completely out of my hands. The admin doesn't even know who I am, and could delete my account at whim without even notifying me. So I synced my important work docs to my personal OneDrive, which is free. And in fact, I switched to dropbox when I discovered this whole problem.
But on the paid OneDrive, I don't even need to go poking around in version history, if I would get encrypted, I can restore all the data to the date and time of my choice. I don't even need permission from the admin. :)
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Have you got this alert before, or this is a new alert.
This alert is a sign that something in your Word, tries to run a VBA code (Word template, VBA Add-in, etc.). The alert can be avoided by changing H_C settings, but it would be better to find out why Word tries to run VBA code (probably macro).
The similar problem had @shmu26. If I correctly remember, he used a Word template with macro.
Thanks @Andy Ful and @shmu26 (y)I always get that alert when opening a blank page in Word. Thanks to you I found out what causes it and disabled the corresponding COM add-in. It was from Foxit Reader.
210269
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@oldschool and I have finally finished the FAQ. It was hard work, and we have also managed to integrate some of @shmu26 corrections. The FAQ is a true group work because it includes also the problems posted by other MT members who tested H_C. Thank you, guys.
I think that @askalan will manage to put the FAQ on his website, soon.

Abbreviations used in this FAQ:

H_C
- Hard_Configurator
AV - Antivirus application
SRP - Software Restriction Policies (Windows built-in security feature)
UAC - User Account Control
SUA - Standard User Account
AA - Administrator Account; not to be confused with 'Built-in Administrator Account' (disabled by default), that can be used to boot Windows to 'Audit mode'.


Basic concepts:

Standard rights (standard user rights)

These are standard (default) rights granted by the Windows system to processes initiated by the user on AA or SUA. Access to higher rights is controlled by User Account Control (UAC). This feature was introduced with Windows Vista.
An Administrator Account (AA) created during a fresh installation of Windows, or any account created manually by the user (AA or SUA), is limited to standard rights by UAC.

Administrator rights (Administrative rights)
A process initiated by the user on AA or SUA may be elevated to Administrator rights and access important, new privileges. Process elevation is controlled by User Account Control (UAC). If the elevated process is initiated on AA (with standard rights), then process creation and elevation take place on AA, and the process continues to run on AA (account change not required). If it is initiated on SUA, then process creation and elevation also take place on AA, except the process no longer runs on SUA (account change SUA ---> AA, admin password required).

H_C smart default-deny setup
Selected Windows built-in security features can restrict Windows, MS Office, and Adobe Acrobat Reader with smart default-deny protection. These features are normally disabled in Windows. H_C allows the user to enable them, make configuration changes, and displays the user's chosen settings. After configuration, real-time protection comes only from Windows' built-in security features.

SystemSpace
The following file locations (folders and subfolders) are defined as SystemSpace and are whitelisted by default in H_C:
C:\Windows
C:\Program Files
C:\Program Files (x86) - only on Windows 64-bit
C:\ProgramData\Microsoft\Windows Defender.

UserSpace
All locations on the user's local drives (also USB external drives) which are not included in SystemSpace, are defined as UserSpace. Network locations are excluded either from UserSpace or SystemSpace. UserSpace locations are writable by processes running with standard rights. All executables in the UserSpace are blocked by default with H_C's default-deny setup, except when whitelisted or initiated by the user via "Run As SmartScreen" (see also the Elevated Shell).

PLEASE NOTE: The terms SystemSpace and UserSpace are specific to H_C settings. They should not be confused with the terms ‘System Space’ and ‘User Space’, which can have a more general meaning.

Elevated Shell
Normally, the user on AA or SUA may initiate applications only with standard rights. However, this can be changed by accessing an elevated shell: PowerShell (Administrator), Command Prompt (Administrator), etc. An alternative solution is to run Total Commander via "Run As SmartScreen". The user who wants to access the elevated shell must first accept the UAC prompt. As long as the applications are initiated from the elevated shell, SRP and UAC will ignore them (i.e., no UAC alerts or SRP restrictions). This can be useful when doing administrative tasks on the computer.

What is conventional default-deny protection?
It allows all installed applications and system processes but blocks by default all new executables, except those which are whitelisted. Some executables may be whitelisted automatically, e.g. by certificate or path rules. Others must first be whitelisted by the user in order to run. It is the user's responsibility to whitelist clean files.

What are the advantages of H_C's smart default-deny vs conventional default-deny protection?
Smart default-deny makes the computer more usable, while maintaining a high level of protection in the home environment. Hard_Configurator includes three smart features:
  1. Forced SmartScreen (replaces "Run as Administrator"), which can be activated by the setting <Run As SmartScreen> = Administrator. Forced SmartScreen is supported on Windows 8, 8.1, and 10.
  2. SRP set to allow executables initiated with Administrator rights.
  3. SystemSpace folders/subfolders whitelisted by default.
    Some files in C:\Windows may be blacklisted by the user when using <Block Sponsors> settings.
These features allow installing most applications without whitelisting or turning OFF the protection. Furthermore, Windows Updates and system scheduled tasks can automatically bypass SRP restrictions. It is worth mentioning that Forced SmartScreen significantly extends the SmartScreen protection.

Are H_C's smart features safe?
They are very safe in the home environment, against malware in the wild. Smart features can be bypassed in Enterprises because of targeted attacks. Also, certain H_C restrictions, e.g. "Block remote access", are not practical in enterprises.

Will H_C smart default-deny setup block system processes, Windows Updates, or system scheduled tasks?
No. System processes, Windows Updates, and system scheduled tasks are not started directly by the user. These are initiated with higher than standard rights and automatically bypass SRP restrictions configured with H_C.

Will H_C smart default-deny block updates of user applications?
Occasionally. Some applications download the updater and run it from the Temp folder in user profile with standard rights. In this case, the update will be blocked by the H_C default-deny settings.

How to update applications on Administrator account with H_C's default-deny settings.
If the update is blocked, then the application or updater should be run with Administrator rights by using "Run As SmartScreen" (on Windows 8, 8.1, 10) or "Run as administrator" (on Windows Vista or Windows 7).

How to update applications on SUA with H_C's default-deny settings.
There may be a problem if the application is installed in the user profile, because then an update should not be performed with Administrator rights. Why? If it is run with Administrator rights, then it will usually search the application files in the administrator profile and not in the SUA profile. The update will thus fail, or will be installed in the wrong user profile.
H_C users should check as follows:
  1. If the application is not installed in the user profile, then the update can be done on Administrator account as described above.
  2. If the application is installed in the user profile (e.g. in the folder C:\Users\Alice when the user name is Alice), then the user must:
    • turn OFF protection temporarily using "Switch Default-Deny";
    • run the update with standard rights;
    • turn ON the protection using "Switch Default-Deny".
Is it safe to whitelist SystemSpace?
Generally, it is safe in smart default-deny setup. SystemSpace locations are usually not writable with standard rights. There are known exceptions, but they are covered by H_C's <Protect Windows Folder> setting. The exploit or malware cannot silently drop payloads to SystemSpace when running with standard rights.

Are all applications installed in SystemSpace?
Usually they are, and this is recommended by Microsoft. However, some legal applications still install in UserSpace. These applications have to be whitelisted manually. For users who frequently install such applications, default-deny protection may be inconvenient.

What is the difference between an AA and SUA?
Processes initiated by the user cannot run with Administrator rights on SUA. If a process running on SUA requires Administrator rights, then the UAC prompt appears, and the user must provide an Administrator password to log on to the AA. After accepting the UAC, the process is no longer running on SUA, but on AA (user account is switched for that process only: SUA ---> AA).

This behavior is quite different when a process is initiated on AA, because the user is not obliged to provide the Administrator password. Instead, the UAC prompt asks for a simple "Yes" or "No". After accepting the UAC prompt, the process continues running on the same AA (user account is not switched for that process).

Is SUA more secure than AA?
Yes, most definitely. On SUA, unelevated processes (running with standard rights or lower) do not share the same user account as elevated processes. This is not true on AA. It is much easier to exploit something when both unelevated and elevated processes are running on the same AA account. Malware or exploits cannot run with Administrator rights on SUA - they must first escape to an Administrator account. This is hardly possible, because Microsoft usually patches any system vulnerabilities which might allow malware to escape from SUA. H_C's smart default-deny setup relies on blocking unelevated programs (running with standard rights), so SUA is an ideal companion to H_C.

When should SUA be used instead of AA?
SUA should be considered a vital part of any security solution when using a vulnerable system, or popular & vulnerable software. However, it is not necessary to use SUA with H_C's smart default-deny when Windows 10 and all installed software are updated regularly. A well maintained system which includes H_C is a dead end for malware/exploits in the home environment.

Does Forced SmartScreen work well on SUA?
Yes, if the application installs in SystemSpace (usually in C:\Program Files). There can be a problem if it installs in user profile, which lies in UserSpace. Why? Because with H_C smart default-deny, Forced SmartScreen uses Administrator rights. Applications which are intended to install in SUA profile, are installed in Administrator profile - even when the installation is initiated from SUA. The user on SUA cannot run applications from Administrator profile, since Windows isolates user profiles from one another. In this case, the user must disable default-deny protection temporarily, and install the application without using "Run As SmartScreen".

How to install applications on SUA.
  1. Run the application installer by using "Run As SmartScreen" option from the Explorer right-click context menu.
  2. Check the default installation folder.
  3. If it is in the Administrator profile, then cancel the installation and continue with Steps #4-7. If not, then continue with the installation and skip Steps #4-7.
  4. Use “Switch Default-Deny“ to turn OFF the protection temporarily.
  5. Install the application normally (by left mouse-click or pressing the Enter key).
  6. Whitelist the application in the UserSpace.
  7. Use “Switch Default-Deny“ to turn ON the protection.
Why Recommended H_C settings are best as a starting setup?
New users of default-deny protection should be aware that it requires more skill than using an AV alone. Please use only the Recommended H_C settings along with your AV, until you are comfortable and familiar with H_C. Prematurely adding advanced H_C settings or more security software to this configuration may lead to complications, and user discouragement, with default-deny protection.

Who should consider applying advanced H_C settings?
Recommended H_C settings provide strong preventive protection against running malware in the system.
Advanced H_C settings can mitigate the malware or an exploit which is already running in the system. When using well-patched software on updated Windows 10, advanced settings are not required.

Will advanced settings spoil the system?
On most computers, even maximum H_C settings cannot break anything important in the system, but some applications may be not fully functional. Enabling advanced settings will usually require more whitelisting, more researching of logs, etc., and may be annoying for most users. If so, then the user should restore Recommended settings.

How to restore Recommended settings.
  1. Press <Recommended SRP> left panel button,
  2. Press <Recommended Restrictions> right panel button,
  3. Press <APPLY CHANGES> button.
Restoring the Recommended settings preserves the user's whitelisted entries and blocked file extensions.

PLEASE NOTE: If SRP is deactivated, then order of the pressed buttons is important! Pressing the buttons in another order (for example 2,1,3) will prevent installation of new applications. This kind of a locked setup is much more restricted as compared to Recommended settings.

How to apply advanced H_C settings.
Advanced settings can be activated by turning ON additional individual H_C options, or by loading the setting profile (<Load Profile> button).
It is advisable to begin with the Recommended_Enhanced profile. This may be done by loading the file: Windows_*_Recommended_Enhanced.hdc, where the asterisk replaces the Windows version (7, 8, or 10). This will enable the Recommended settings, and some well known Sponsors will be blocked (including Script Interpreters).

PLEASE NOTE: It is not advisable to use multiple advanced settings at once. When using advanced settings, the user should occasionally check for blocked entries (<Tools><Blocked Events / Security Logs>). This is because sometimes there is no alert when a process is blocked by Windows policies.

What is a Sponsor?
A Sponsor is an executable from the SystemSpace (usually from C:\Windows), that can be used by an attacker to bypass default-deny protection. Sponsors are frequently used in targeted attacks on organizations and businesses, especially via exploits. Blocking some Sponsors in the home environment can be important for people who use a vulnerable system or software. In H_C's Recommended settings, Windows Script Host Sponsors (wscript.exe and cscript.exe) are blocked by SRP. Furthermore, PowerShell Sponsors (powershell.exe and powershell_ise.exe) are restricted by Constrained Language mode in Windows 10 and blocked by SRP in Windows Vista, 7, 8, 8.1. These Sponsors are the most popular Script Interpreters. Some other Interpreters (mshta.exe, hh.exe, wmic.exe, scrcons.exe) can be blocked in H_C by <Block Sponsors> option. Unfortunately, a few of them can be used occasionally by older software, usually those related to peripherals. Applications and web browser plugins may also use Interpreters for some actions, though most applications and plugins do not use them at all.
In H_C, Sponsors are blocked for processes running with standard rights, but allowed for administrative processes running with higher rights.

Can wildcards be used for whitelisting files and folders?
Yes, they can. Here are some examples, where the random characters are replaced by wildcards to whitelist the particular EXE file:
Code:
C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe
C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_*.exe
C:\Users\Alice\Fly2theMoon\App.*\*
Those rules (except the first) are correct, and the EXE file will be whitelisted even when the random numbers will change after some time. The last rule is most general, because it will whitelist many other files and folders, for example:
C:\Users\Alice\Fly2theMoon\App.malware\virus.js
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@RoboMan,
you have nonstandard location of StartMenu folder: %UserProfile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu
With the standard Windows settings there is not such a folder, and even when I manually create such folder with a shortcut, then this shortcut does not appear in StartMenu.
That is why it is not whitelisted in H_C. But, the standard locations like:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
%UserProfile%\Desktop
and some more, are already whitelisted.

Why block shortcuts? The shortcuts can run command lines to run LOLBins or Sponsors from c:\Windows folder to bypass SRP.
H_C's Recommended settings are configured to block access to command lines, so the user cannot run by accident something that could bypass SRP. See for example:
 
Last edited:

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
@RoboMan,
you have nonstandard location of StartMenu folder: %UserProfile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu
With the standard Windows settings there is not such a folder, and even when I manually create such folder with a shortcut, then this shortcut does not appear in StartMenu.
That is why it is not whitelisted in H_C. But, the standard locations like:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
%UserProfile%\Desktop
and some more, are already whitelisted.

Why block shortcuts? The shortcuts can run command lines to run LOLBins or Sponsors from c:\Windows folder to bypass SRP.
H_C's Recommended settings are configured to block access to command lines, so the user cannot run by accident something that could bypass SRP. See for example:
Fantastic explanation! Thank you very much. The nonstandard location of the startmenu folder is probably caused because I use a secondary Start Menu (StartIsBack) because I don't like the Windows 10's default, therefore this may cause the different location.

Regarding to how to correctly whitelist a program, let's say Discord, should I...?
  1. Whitelist DiscordApp.exe from Program Files folder
  2. Also whitelist Discord.ink shortcut in Desktop?
If I used the regular start menu, then executing Discord from the start menu (if I have whitelisted Discord) should be allowed, right?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
Regarding to how to correctly whitelist a program, let's say Discord, should I...?
  1. Whitelist DiscordApp.exe from Program Files folder
  2. Also whitelist Discord.ink shortcut in Desktop?
If I used the regular start menu, then executing Discord from the start menu (if I have whitelisted Discord) should be allowed, right?
Normally, there is no need to whitelist anything. The 'C:\Program Files' folder is already whitelisted. Also, the standard Desktop folders ( %UserProfile%\Desktop and c:\Users\Public\Desktop ) are whitelisted for shortcuts. If you have a nonstandard location for the Desktop folder, then shortcuts in it can be whitelisted by using <Whitelist By Path ><Add Path*Wildcards>.(y)
 
Last edited:

Freki123

Level 15
Verified
Top Poster
Aug 10, 2013
737
@RoboMan Not sure if i did it correct, but i added C:\Users\YOURUSERNAME\AppData\Local\Discord\Update.exe under "whitelist by hash".
When run as "Run with smartscreen" it worked for me. (Atm im admin on win 10 64bit till all stuff is installed, no clue if it matters).
Was even able to sandbox it with sandboxie :D
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Freki123
If you use "Run As SmartScreen" to run: C:\Users\YOURUSERNAME\AppData\Local\Discord\Update.exe
then whitelistingit is not needed, because "Run As SmartScreen" bypasses SRP.
Generally, whitelisting is required if you want to run application in UserSpace normally (by a mouse-click or pressing the Enter key).
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@oldschool and I have finally finished the FAQ. It was hard work, and we have also managed to integrate some of @shmu26 corrections. The FAQ is a true group work because it includes also the problems posted by other MT members who tested H_C. Thank you, guys.
I think that @askalan will manage to put the FAQ on his website, soon.

Abbreviations used in this FAQ:

H_C
- Hard_Configurator
AV - Antivirus application
SRP - Software Restriction Policies (Windows built-in security feature)
UAC - User Account Control
SUA - Standard User Account
AA - Administrator Account; not to be confused with 'Built-in Administrator Account' (disabled by default), that can be used to boot Windows to 'Audit mode'.


Basic concepts:

Standard rights (standard user rights)

These are standard (default) rights granted by the Windows system to processes initiated by the user on AA or SUA. Access to higher rights is controlled by User Account Control (UAC). This feature was introduced with Windows Vista.
An Administrator Account (AA) created during a fresh installation of Windows, or any account created manually by the user (AA or SUA), is limited to standard rights by UAC.

Administrator rights (Administrative rights)
A process initiated by the user on AA or SUA may be elevated to Administrator rights and access important, new privileges. Process elevation is controlled by User Account Control (UAC). If the elevated process is initiated on AA (with standard rights), then process creation and elevation take place on AA, and the process continues to run on AA (account change not required). If it is initiated on SUA, then process creation and elevation also take place on AA, except the process no longer runs on SUA (account change SUA ---> AA, admin password required).

H_C smart default-deny setup
Selected Windows built-in security features can restrict Windows, MS Office, and Adobe Acrobat Reader with smart default-deny protection. These features are normally disabled in Windows. H_C allows the user to enable them, make configuration changes, and displays the user's chosen settings. After configuration, real-time protection comes only from Windows' built-in security features.

SystemSpace
The following file locations (folders and subfolders) are defined as SystemSpace and are whitelisted by default in H_C:
C:\Windows
C:\Program Files
C:\Program Files (x86) - only on Windows 64-bit
C:\ProgramData\Microsoft\Windows Defender.

UserSpace
All locations on the user's local drives (also USB external drives) which are not included in SystemSpace, are defined as UserSpace. Network locations are excluded either from UserSpace or SystemSpace. UserSpace locations are writable by processes running with standard rights. All executables in the UserSpace are blocked by default with H_C's default-deny setup, except when whitelisted or initiated by the user via "Run As SmartScreen" (see also the Elevated Shell).

PLEASE NOTE: The terms SystemSpace and UserSpace are specific to H_C settings. They should not be confused with the terms ‘System Space’ and ‘User Space’, which can have a more general meaning.

Elevated Shell
Normally, the user on AA or SUA may initiate applications only with standard rights. However, this can be changed by accessing an elevated shell: PowerShell (Administrator), Command Prompt (Administrator), etc. An alternative solution is to run Total Commander via "Run As SmartScreen". The user who wants to access the elevated shell must first accept the UAC prompt. As long as the applications are initiated from the elevated shell, SRP and UAC will ignore them (i.e., no UAC alerts or SRP restrictions). This can be useful when doing administrative tasks on the computer.

What is conventional default-deny protection?
It allows all installed applications and system processes but blocks by default all new executables, except those which are whitelisted. Some executables may be whitelisted automatically, e.g. by certificate or path rules. Others must first be whitelisted by the user in order to run. It is the user's responsibility to whitelist clean files.

What are the advantages of H_C's smart default-deny vs conventional default-deny protection?
Smart default-deny makes the computer more usable, while maintaining a high level of protection in the home environment. Hard_Configurator includes three smart features:
  1. Forced SmartScreen (replaces "Run as Administrator"), which can be activated by the setting <Run As SmartScreen> = Administrator. Forced SmartScreen is supported on Windows 8, 8.1, and 10.
  2. SRP set to allow executables initiated with Administrator rights.
  3. SystemSpace folders/subfolders whitelisted by default.
    Some files in C:\Windows may be blacklisted by the user when using <Block Sponsors> settings.
These features allow installing most applications without whitelisting or turning OFF the protection. Furthermore, Windows Updates and system scheduled tasks can automatically bypass SRP restrictions. It is worth mentioning that Forced SmartScreen significantly extends the SmartScreen protection.

Are H_C's smart features safe?
They are very safe in the home environment, against malware in the wild. Smart features can be bypassed in Enterprises because of targeted attacks. Also, certain H_C restrictions, e.g. "Block remote access", are not practical in enterprises.

Will H_C smart default-deny setup block system processes, Windows Updates, or system scheduled tasks?
No. System processes, Windows Updates, and system scheduled tasks are not started directly by the user. These are initiated with higher than standard rights and automatically bypass SRP restrictions configured with H_C.

Will H_C smart default-deny block updates of user applications?
Occasionally. Some applications download the updater and run it from the Temp folder in user profile with standard rights. In this case, the update will be blocked by the H_C default-deny settings.

How to update applications on Administrator account with H_C's default-deny settings.
If the update is blocked, then the application or updater should be run with Administrator rights by using "Run As SmartScreen" (on Windows 8, 8.1, 10) or "Run as administrator" (on Windows Vista or Windows 7).

How to update applications on SUA with H_C's default-deny settings.
There may be a problem if the application is installed in the user profile, because then an update should not be performed with Administrator rights. Why? If it is run with Administrator rights, then it will usually search the application files in the administrator profile and not in the SUA profile. The update will thus fail, or will be installed in the wrong user profile.
H_C users should check as follows:
  1. If the application is not installed in the user profile, then the update can be done on Administrator account as described above.
  2. If the application is installed in the user profile (e.g. in the folder C:\Users\Alice when the user name is Alice), then the user must:
    • turn OFF protection temporarily using "Switch Default-Deny";
    • run the update with standard rights;
    • turn ON the protection using "Switch Default-Deny".
Is it safe to whitelist SystemSpace?
Generally, it is safe in smart default-deny setup. SystemSpace locations are usually not writable with standard rights. There are known exceptions, but they are covered by H_C's <Protect Windows Folder> setting. The exploit or malware cannot silently drop payloads to SystemSpace when running with standard rights.

Are all applications installed in SystemSpace?
Usually they are, and this is recommended by Microsoft. However, some legal applications still install in UserSpace. These applications have to be whitelisted manually. For users who frequently install such applications, default-deny protection may be inconvenient.

What is the difference between an AA and SUA?
Processes initiated by the user cannot run with Administrator rights on SUA. If a process running on SUA requires Administrator rights, then the UAC prompt appears, and the user must provide an Administrator password to log on to the AA. After accepting the UAC, the process is no longer running on SUA, but on AA (user account is switched for that process only: SUA ---> AA).

This behavior is quite different when a process is initiated on AA, because the user is not obliged to provide the Administrator password. Instead, the UAC prompt asks for a simple "Yes" or "No". After accepting the UAC prompt, the process continues running on the same AA (user account is not switched for that process).

Is SUA more secure than AA?
Yes, most definitely. On SUA, unelevated processes (running with standard rights or lower) do not share the same user account as elevated processes. This is not true on AA. It is much easier to exploit something when both unelevated and elevated processes are running on the same AA account. Malware or exploits cannot run with Administrator rights on SUA - they must first escape to an Administrator account. This is hardly possible, because Microsoft usually patches any system vulnerabilities which might allow malware to escape from SUA. H_C's smart default-deny setup relies on blocking unelevated programs (running with standard rights), so SUA is an ideal companion to H_C.

When should SUA be used instead of AA?
SUA should be considered a vital part of any security solution when using a vulnerable system, or popular & vulnerable software. However, it is not necessary to use SUA with H_C's smart default-deny when Windows 10 and all installed software are updated regularly. A well maintained system which includes H_C is a dead end for malware/exploits in the home environment.

Does Forced SmartScreen work well on SUA?
Yes, if the application installs in SystemSpace (usually in C:\Program Files). There can be a problem if it installs in user profile, which lies in UserSpace. Why? Because with H_C smart default-deny, Forced SmartScreen uses Administrator rights. Applications which are intended to install in SUA profile, are installed in Administrator profile - even when the installation is initiated from SUA. The user on SUA cannot run applications from Administrator profile, since Windows isolates user profiles from one another. In this case, the user must disable default-deny protection temporarily, and install the application without using "Run As SmartScreen".

How to install applications on SUA.
  1. Run the application installer by using "Run As SmartScreen" option from the Explorer right-click context menu.
  2. Check the default installation folder.
  3. If it is in the Administrator profile, then cancel the installation and continue with Steps #4-7. If not, then continue with the installation and skip Steps #4-7.
  4. Use “Switch Default-Deny“ to turn OFF the protection temporarily.
  5. Install the application normally (by left mouse-click or pressing the Enter key).
  6. Whitelist the application in the UserSpace.
  7. Use “Switch Default-Deny“ to turn ON the protection.
Why Recommended H_C settings are best as a starting setup?
New users of default-deny protection should be aware that it requires more skill than using an AV alone. Please use only the Recommended H_C settings along with your AV, until you are comfortable and familiar with H_C. Prematurely adding advanced H_C settings or more security software to this configuration may lead to complications, and user discouragement, with default-deny protection.

Who should consider applying advanced H_C settings?
Recommended H_C settings provide strong preventive protection against running malware in the system.
Advanced H_C settings can mitigate the malware or an exploit which is already running in the system. When using well-patched software on updated Windows 10, advanced settings are not required.

Will advanced settings spoil the system?
On most computers, even maximum H_C settings cannot break anything important in the system, but some applications may be not fully functional. Enabling advanced settings will usually require more whitelisting, more researching of logs, etc., and may be annoying for most users. If so, then the user should restore Recommended settings.

How to restore Recommended settings.
  1. Press <Recommended SRP> left panel button,
  2. Press <Recommended Restrictions> right panel button,
  3. Press <APPLY CHANGES> button.
Restoring the Recommended settings preserves the user's whitelisted entries and blocked file extensions.

PLEASE NOTE: If SRP is deactivated, then order of the pressed buttons is important! Pressing the buttons in another order (for example 2,1,3) will prevent installation of new applications. This kind of a locked setup is much more restricted as compared to Recommended settings.

How to apply advanced H_C settings.
Advanced settings can be activated by turning ON additional individual H_C options, or by loading the setting profile (<Load Profile> button).
It is advisable to begin with the Recommended_Enhanced profile. This may be done by loading the file: Windows_*_Recommended_Enhanced.hdc, where the asterisk replaces the Windows version (7, 8, or 10). This will enable the Recommended settings, and some well known Sponsors will be blocked (including Script Interpreters).

PLEASE NOTE: It is not advisable to use multiple advanced settings at once. When using advanced settings, the user should occasionally check for blocked entries (<Tools><Blocked Events / Security Logs>). This is because sometimes there is no alert when a process is blocked by Windows policies.

What is a Sponsor?
A Sponsor is an executable from the SystemSpace (usually from C:\Windows), that can be used by an attacker to bypass default-deny protection. Sponsors are frequently used in targeted attacks on organizations and businesses, especially via exploits. Blocking some Sponsors in the home environment can be important for people who use a vulnerable system or software. In H_C's Recommended settings, Windows Script Host Sponsors (wscript.exe and cscript.exe) are blocked by SRP. Furthermore, PowerShell Sponsors (powershell.exe and powershell_ise.exe) are restricted by Constrained Language mode in Windows 10 and blocked by SRP in Windows Vista, 7, 8, 8.1. These Sponsors are the most popular Script Interpreters. Some other Interpreters (mshta.exe, hh.exe, wmic.exe, scrcons.exe) can be blocked in H_C by <Block Sponsors> option. Unfortunately, a few of them can be used occasionally by older software, usually those related to peripherals. Applications and web browser plugins may also use Interpreters for some actions, though most applications and plugins do not use them at all.
In H_C, Sponsors are blocked for processes running with standard rights, but allowed for administrative processes running with higher rights.

Can wildcards be used for whitelisting files and folders?
Yes, they can. Here are some examples, where the random characters are replaced by wildcards to whitelist the particular EXE file:
Code:
C:\Users\Alice\Fly2theMoon\App.1928327467-092837\setup_101989873.exe
C:\Users\Alice\Fly2theMoon\App.??????????-??????\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_?????????.exe
C:\Users\Alice\Fly2theMoon\App.*\setup_*.exe
C:\Users\Alice\Fly2theMoon\App.*\*
Those rules (except the first) are correct, and the EXE file will be whitelisted even when the random numbers will change after some time. The last rule is most general, because it will whitelist many other files and folders, for example:
C:\Users\Alice\Fly2theMoon\App.malware\virus.js
Looks good!
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
Regarding to how to correctly whitelist a program, let's say Discord, should I...?
  1. Whitelist DiscordApp.exe from Program Files folder
  2. ...
If I used the regular start menu, then executing Discord from the start menu (if I have whitelisted Discord) should be allowed, right?
I cannot find Discord in C:\Program Files. It (Discord - Free Voice and Text Chat) normally installs in %UserProfile%\AppData\Local\Discord.
If you put the shortcut to the regular Start Menu or regular Desktop, then the shortcut will be allowed to run, but if the executable from the shortcut is located in UserSpace (like %UserProfile%\AppData\Local\Discord) then it must be whitelisted (and probably all other executables from that folder). You can also whitelist the Discord folder by path.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top