Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
SRP and Bouncer can be used as a default deny because they can differ between a DLL with changed extension (for example, malware.dat) from non-executable file with the same name and extension (malware.dat). FIDES cannot do it. It would be hardly possible (or maybe with much effort) to use FIDES as default-deny in UserSpace.
Ah, you are not talking about LOL bins, you are talking about malicious dlls downloaded with a false extension, and FIDES will not even know it is a dll. That makes sense.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I would not recommend this. Both options "Run As SmartScreen" and "Run as administrator" can be easily confused, and then you will run the unsafe file via "Run as administrator" without SmartScreen check.
The new icon for Run as SmartScreen actually helps for this issue. The bright green color catches my eye and pulls me away from the more boring Run as Administrator. The more that icon stands out, the better it is, as far as I am concerned.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful

Two questions:
  1. Unless I am overlooking something, but I can't find FSC.exe in the list of SPONSORS (it is the F-sharp compiler, when you block C-sharp you might as well block this also).

  2. With the allow EXE and TMP option, why not use cloud feature as white list?

    214005
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The C# compiler is installed with .NET Framework, so it is a part of the Windows system. The F# compiler has to be installed by the user as the external programming language, usually as a part of Visual Studio. It seems that blocking F# would not be welcome.

The whitelisting option 'Allow EXE and TMP' was initially prepared for Avast Hardened Mode Aggressive as a kind of default-deny setup.
This option can be used with any executable reputation service, and also with WD Cloud Protection Level set to Block + ASR rule:
"Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful

Some additional feature requests for Hard_Configurator
a) Disable CMD and Scripts
b) Align HighRiskFileTypes (for mail & attachments) with the Designed File Types of SRP.
c) Disable remote access and shared desktop
You can already disable CMD and Scripts in H_C.
H_C blocks by default Remote Desktop (remote access), Remote Registry, and Remote Shell.
Windows Desktop Sharing (for Vista and higher versions) is a part of Remote Desktop.

For now, those HighRiskFileTypes are included in RunBySmartScreen. Most of them are related to MS Office, and they are protected by Documents Anti-Exploit in H_C or Switch Default Deny tool. But anyway, I could add the 'Paranoid' set of extensions to <Designated File Types> in H_C. (y)
 
Last edited:

Fel Grossi

Level 13
Verified
Top Poster
Well-known
Jan 17, 2014
619
Hello! I have good habits of use on the web and a average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites, I practically do not make payments / transactions over the computer. I leave the WD disabled, only CF using 19mb of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hello! I have good habits of use on the web and a average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites, I practically do not make payments / transactions over the computer. I leave the WD disabled, only CF using 19mb of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:
The problem with people who never were infected is similar to people who never were victims of a traffic accident. You cannot be sure if this is due to safe habits or luck.
The second example can be house contents insurance. You could ask, should I pay such insurance If I never had an occasion to use it? I do not know.... There are many people who probably first die, and will never benefit from such insurance.

I think that users who know what vectors of attack are not covered by such a setup (only CF proactive), and are cautious enough, might use it without a problem. They are not 100% safe, but there are many other, more dangerous things that can happen.
Anyway, such a setup is not recommended for average users.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Hello! I have good habits of use on the web and a average knowledge. I've never been infected. I have tested malware in MH before, but I do not have any technical knowledge like you. Although I love technology, computing and security, my area is health.
I use CF (proactive defense), just to use the sandbox in Chrome a few times to access some sites, I practically do not make payments / transactions over the computer. I leave the WD disabled, only CF using 19mb of memory.
What do you recommend me? Just continue with CF? CF + HC or only HC?
Do I have a benefit with one I would not have with another?

Thank you all for the teachings you bring on this topic. :emoji_clap::emoji_clap:
Try enabling Windows Defender, and see if it bothers you. It has improved a lot. If it still bothers you, disable it again. You lose nothing by trying.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
From time to time I work on the new icons (the last two are new to compare with the first one):

View attachment 214144

I tried to use half-spheres (for the new icons) to mimic the letters C and D.
They are beautiful, but I'm still more into the square ones like the one for Configure Defender below:

standalone-png.213499
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I published the Firewall Hardening tool on GitHub:
What it can do:
  1. Block (predefined) LOLBins which use outbound Internet connections in attacks.
  2. Block outbound Internet connections of MS Office applications and Adobe Acrobat Reader.
  3. Block the outbound Internet connection of any application chosen by the user.
  4. Turn ON logging of blocking events.
  5. Display blocked events.
214157


It works, but I did not included the Help text, so please ask if something is not clear. The questions will help me to write the final Help text.

Edit.
The new firewall rules work after restarting Windows.
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
I published the Firewall Hardening tool on GitHub:
What it can do:
  1. Block (predefined) LOLBins which use outbound Internet connections in attacks.
  2. Block outbound Internet connections of MS Office applications and Adobe Acrobat Reader.
  3. Block the outbound Internet connection of any application chosen by the user.
  4. Turn ON logging of blocking events.
  5. Display blocked events.
View attachment 214157

It works, but I did not included the Help text, so please ask if something is not clear. The questions will help me to write the final Help text.
We could/should use this tool next to Hard Configurator?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
We could/should use this tool next to Hard Configurator?
It would be a part of Hard_Configurator. The option <Recommended H_C> is prepared for the usual H_C recommended settings. The LOLBins option can block all SysHardener entries and some other important LOLBins which can run the code from the remote locations.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
It would be a part of Hard_Configurator. The option <Recommended H_C> is prepared for the usual H_C recommended settings. The LOLBins option can block all SysHardener entries and some other important LOLBins which can run the code from the remote locations.
Okay thanks. Added LOLBins, MS Office and Recommended.
In blocked events I see Kaspersky Free Antivirus:
Code:
Local Time:  2019/05/25 18:50:21
ProcessId:  4640
Application:  C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction:  Outbound
SourceAddress:  192.168.178.171
SourcePort:  49750
DestAddress:  88.221.144.67
DestPort:  80
Protocol:  6
FilterRTID:  68333
LayerName:  %%14611
LayerRTID:  48
How to unblock/allow Kaspersky?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Okay thanks. Added LOLBins, MS Office and Recommended.
In blocked events I see Kaspersky Free Antivirus:
Code:
Local Time:  2019/05/25 18:50:21
ProcessId:  4640
Application:  C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction:  Outbound
SourceAddress:  192.168.178.171
SourcePort:  49750
DestAddress:  88.221.144.67
DestPort:  80
Protocol:  6
FilterRTID:  68333
LayerName:  %%14611
LayerRTID:  48
How to unblock/allow Kaspersky?
It is not blocked by my tool. You have to look at your firewall settings or Kaspersky settings.

...
DestAddress: 88.221.144.67
...
This address belongs to Akamai International B.V. in Italy.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top