- Aug 19, 2019
- 1,157
Update @Andy Ful Well, no blockings. Must be something running in the background affecting it instead then. Very odd. Anyway, will investigate further, thanks for the help.
Hard_Configurator - Windows Hardening Configurator
- Thread starter Andy Ful
- Start date
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
Compatelrunner.exe and Explorer.exe were blocked by LOLBins rules. Some legal applications and services can use Explorer to make outbound connections.
- Aug 19, 2019
- 1,157
I think the culprit turned out to be Edge Chromium Stable updating in the background as I had run apps while closed enabled. So far, that's the only thing I can pin it down to
- Apr 24, 2016
- 7,233
Can somebody help me with this error when clicking a link in Outlook I get an error instead of opening Edge.
Not having that problem with outlook.com on the web.
Not having that problem with outlook.com on the web.
- Aug 19, 2019
- 1,157
What version of Outlook? What level have you set ConfigureDefender to?
No issue with Outlook 2010 at my end with H_C at recommended, ConfigureDefender at High. Tried with several links.
Erz
- Apr 24, 2016
- 7,233
Outlook 2016 (version 1910 build 12130.20272 Microsoft Store).
H_C at recommended settings, ConfigureDefender at High and Firewall Hardening at recommended H_C.
This issue is not always happening, but very annoying.
Yesterday no problems, today I can't open any link form Outlook anymore...
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
This block comes from the ASR rule: "Block only Office communication applications from creating child processes". It is a protection against exploiting Outlook. If you did not have this issue before, then it means that Microsoft did not whitelist your version of Edge Chromium, yet.
Do you use Edge Chromium Dev or another non-stable version?
Do you have the same problem if you change the default web browser to native Edge?
Can you open the web links from Word?
- Apr 24, 2016
- 7,233
I use Edge Chromium Stable 79.0.309.14.
If I change the default webbrowser to native Edge, links open without any problem in Edge chromium
I have no problem opening web links from Word with Edge chromium set as default.
So for now native Edge is set as default
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
While working on new H_C features, I realized that adding MOTW to the file can force CyberCapture feature in Avast - similarly to forcing the SmartScreen. CyberCapture is turned on by default, but normally is triggered only for files downloaded from the Internet (just like for Windows SmartScreen Application Reputation).
The suspicious EXE file is blocked, uploaded to the Avast cloud, and detonated in Sandbox. This feature is similar to the WD feature available only on Windows E5 editions.
For now, there are Avast_Hardened_Mode_Aggressive profiles in H_C to work with Avast set to Hardened Mode Aggressive. This setting is not available via modern Avast GUI, because the option "Enable Hardened Mode" can apply only Hardened Mode Moderate settings. The Hardened Mode Aggressive settings can be still activated via:
Menu > Settings > Troubleshooting > Open old settings
I can create an additional H_C profile that will force Avast CyberCapture instead of using Hardened Mode Aggressive settings. This profile will also apply the lowered EXE / MSI Restrictions which will be introduced in the new H_C version, so the applications will be allowed to auto-update without problems. This profile will work with Avast on Windows Vista, 7, 8, 8.1, and 10 as the set-and-forget smart-default-deny setup.
The suspicious EXE file is blocked, uploaded to the Avast cloud, and detonated in Sandbox. This feature is similar to the WD feature available only on Windows E5 editions.
For now, there are Avast_Hardened_Mode_Aggressive profiles in H_C to work with Avast set to Hardened Mode Aggressive. This setting is not available via modern Avast GUI, because the option "Enable Hardened Mode" can apply only Hardened Mode Moderate settings. The Hardened Mode Aggressive settings can be still activated via:
Menu > Settings > Troubleshooting > Open old settings
I can create an additional H_C profile that will force Avast CyberCapture instead of using Hardened Mode Aggressive settings. This profile will also apply the lowered EXE / MSI Restrictions which will be introduced in the new H_C version, so the applications will be allowed to auto-update without problems. This profile will work with Avast on Windows Vista, 7, 8, 8.1, and 10 as the set-and-forget smart-default-deny setup.
Last edited:
- Apr 24, 2016
- 7,233
Sounds very interesting. Would Avast be a more secure combo with H_C , better than Windows Defender with H_C?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
The most advantage will be on Windows Vista and Windows 7, because CyberCapture will work and SmartScreen is not available.
On Windows 8+, the advantage will be for users who use SmartScreen only as a suggestion for further investigation to know if the file is safe. CyberCapture is very strong for EXE files, stronger than WD MAX Protection Level and probably very close to SmartScreen and Avast Harden Mode Aggressive. Yet still, CyberCapture will give much less false positives than Virus Total, SmartScreen, or Avast Harden Mode Aggressive.
On Windows 10, there will be no real difference as compared to WD + H_C (with ConfigureDefender HIGH Protection Level), if the user respects the SmartScreen and does not bypass SmartScreen alert.
Both protections are similar. Forced SmartScreen or forced CyberCapture can prevent users from running malicious EXE installers, which are run via the right-click Explorer entry - otherwise, the files (EXE, scripts, etc.) are blocked in UserSpace by H_C. This is the most important and very strong protection, which can hardly be bypassed in the home environment, except for some exploits.
WD + H_C (no SmartScreen) and Avast + H_C (no CyberCapture) work as post-exploitation protection against all kinds of payloads (EXE, scripts, etc.) downloaded without MOTW by undetected/unblocked exploits.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
How strong is Avast CyberCapture, can be easily tested on Malware Hub, by downloading from the Internet the archive with samples via a web browser, and unpack it via Bandizip (MOTW will be transferred to unpacked EXE files).
- Jul 3, 2015
- 8,153
Is this feature basically the same as whitelisting the AppData and ProgramData directories?
Are you referring to Win8 (it's in the same block as for win8 but it's unclear to me if that's the context) ? On Win10 such functionality exists in ASR for runtime checks.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
Not exactly. It can do the below things:
- Whitelist AppData and ProgramData folders.
- Block execution from archives (also in Appdata in ProgramData).
- Add an entry "Install application" to the right-click Explorer context menu on Windows Vista and Windows 7. This entry can add the MOTW to the file and can be used with Avast CyberCapture as a smart-default-deny setup on Windows Vista and Windows 7.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
If the user respects SmartScreen then there is no real difference in the preventive protection on Windows 8+, because SmartScreen is probably stronger than WD MAX Protection level and Avast CyberCapture.
There will be a difference in the post-exploitation stage for primary EXE/MSI payloads, because WD on Windows 8.1 is stronger than on Windows 8, and WD on Windows 10 is stronger than on Windows 8.1. But, this can be important in the home environment only when the user installs vulnerable/unpatched applications or uses the unpatched system.
If you mean the ASR rule "Block executable files from running unless they meet a prevalence or trusted list criteria", then no one knows the criteria used by Microsoft for EXE files. So, it is hard to say if it is stronger than the Avast CyberCapture feature (I do not know).
Last edited:
Hello. Is this a direct result of the work of the Firewall Hardening Tool? Have not done anything to the System otherwise.
Edit: Previously and currently, I use this to block outbound telemetry-related connections. Clearly this method is no longer optimum. Perhaps Microsoft added new paths (wouldn't be a major surprise there)? Re-edit: yes, just checked, this is a "new" one.
Have not done anything to the System otherwise.Edit: Previously and currently, I use this to block outbound telemetry-related connections. Clearly this method is no longer optimum. Perhaps Microsoft added new paths (wouldn't be a major surprise there)? Re-edit: yes, just checked, this is a "new" one.
Last edited:
- Jan 15, 2019
- 56
Very good app!
I'll use it on my daughter's Pc.
Thanks for the suggestion!
I'll use it on my daughter's Pc.
Thanks for the suggestion!
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
It seems that Intel® RealSense™ SDK Runtime : Lantern Rock, is blocked. But, it is probably not related to FirewallHardening block rules, except when it uses scripts or one of LOLBins.Hello. Is this a direct result of the work of the Firewall Hardening Tool?
Edit: Previously and currently, I use this to block outbound telemetry-related connections. Clearly this method is no longer optimum. Perhaps Microsoft added new paths (wouldn't be a major surprise there)? Re-edit: yes, just checked, this is a "new" one.
You can see more by using <Blocked Events> log in FirewallHardening ("Start logging events" has to be set to ON).
You can also remove FirewallHardening rules temporarily (reboot required) and see if Lantern Rock is still blocked.
Intel...it seems it likely is the XTU running the cpu undervolt . The error occurs at the same time every morning, so I opened Task Scheduler, found and disabled the related Task. Good, any less telemetry is OK-fine by me. Thank you for solving that mystery, Andy Ful.
Similar threads
-
- Sticky
