Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy, I am getting a few of these lately
Code:
Access to C:\WINDOWS\System32\Wbem\wmic.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3155} placed on path Wmic.exe.
Any idea what might be trying to use Wmic?
Is it possibly connected to Office 365?
Because Office stopped working this morning, I am in the middle of an online repair of it right now.
Maybe it uses Wmic to validate itself, or something?
It is Office 365 ProPlus.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,498
> Andy, I am getting a few of these lately
> Code:
> Access to C:\WINDOWS\System32\Wbem\wmic.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3155} placed on path Wmic.exe.
> Any idea what might be trying to use Wmic?
> Is it possibly connected to Office 365?
> Because Office stopped working this morning, I am in the middle of an online repair of it right now.
> Maybe it uses Wmic to validate itself, or something?
> It is Office 365 ProPlus.

Sometimes, the wmic.exe is used in scripts to uninstall MS Office applications, for example:
wmic product where name ="<PROGRAM NAME HERE>" call uninstall /nointeractive

It can also be useful to get information about the system and installed applications, updates, etc.:
Code:
wmic product where "Name like '%office%'" get Name, IdentifyingNumber, PackageName, Vendor
wmic qfe list > InstalledUpdatesList.txt
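
Added example (not part of the original posts and not Hard_Configurator code): a small Python parser for the SRP block message quoted in this exchange, which tallies blocked executables per policy rule so that repeated hits such as the wmic.exe one stand out. The first sample line is the message from the thread; the other sample lines and the function names are constructed for illustration.

```python
import ntpath
import re
from collections import Counter

# Wording taken from the block message quoted in the thread ("by location" form).
SRP_BLOCK = re.compile(
    r"Access to (?P<target>.+?) has been restricted by your Administrator "
    r"by (?P<rule_type>\w+) with policy rule (?P<rule_id>\{[0-9A-Fa-f-]{36}\}) "
    r"placed on path (?P<rule_path>.+?)\.?\s*$"
)


def parse_srp_block(message):
    """Return target, rule_type, rule_id and rule_path, or None if no match."""
    match = SRP_BLOCK.search(message.strip())
    return match.groupdict() if match else None


def summarize(messages):
    """Count blocks per (executable name, rule GUID), ignoring letter case."""
    counts = Counter()
    for message in messages:
        record = parse_srp_block(message)
        if record is None:
            continue  # not an SRP block message
        exe = ntpath.basename(record["target"]).lower()
        counts[(exe, record["rule_id"].lower())] += 1
    return counts


# SAMPLE[0] is the message from the thread; the rest are constructed samples
# (the all-zero GUID is a placeholder, not a real Hard_Configurator rule).
SAMPLE = [
    r"Access to C:\WINDOWS\System32\Wbem\wmic.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3155} placed on path Wmic.exe.",
    r"Access to C:\Windows\System32\wbem\WMIC.exe has been restricted by your Administrator by location with policy rule {1016BBE0-A716-428B-822E-5E544B6A3155} placed on path Wmic.exe.",
    r"Access to C:\Users\Public\Downloads\setup.exe has been restricted by your Administrator by location with policy rule {00000000-0000-0000-0000-000000000000} placed on path *.exe.",
    "The Windows Installer service entered the running state.",
]

if __name__ == "__main__":
    for (exe, rule_id), hits in summarize(SAMPLE).most_common():
        print(f"{hits:3d}  {exe:12s}  {rule_id}")
```

The block message itself does not name the calling process, so the tally only shows which rule fires and how often.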
 

shmu26

> Sometimes, the wmic.exe is used in scripts to uninstall MS Office applications, for example:
> wmic product where name ="<PROGRAM NAME HERE>" call uninstall /nointeractive
>
> It can also be useful to get information about the system and installed applications, updates, etc.:
> Code:
> wmic product where "Name like '%office%'" get Name, IdentifyingNumber, PackageName, Vendor
> wmic qfe list > InstalledUpdatesList.txt

Ah, yes, I uninstalled and reinstalled Office, so that must have been it. Thanks!
 

Andy Ful

Hard_Configurator beta ver. 5.0.0.1
The installation executables are accepted by SmartScreen and whitelisted by WD and Avast. I have sent them for whitelisting also to Bitdefender, Emsisoft, and Norton.

The new version includes some important changes in Recommended Settings on Windows 8+. These changes make H_C twice as convenient (probably more) and still, the user has 99% of the old H_C security. The old Recommended Settings are included in H_C profiles as Strict_Recommended_Settings.

In Recommended Settings on Windows 8+, most applications can now auto-update and most new application installations in UserSpace do not require whitelisting. The application installation is the same on Admin account and on SUA.
The user can see the difference when installing applications from CD/DVD drives, CD/DVD images, and other non-standalone installers. In such cases, the protection should be temporarily switched off via SwitchDefaultDeny tool.

This is a working beta. Please let me know if there is any problem.
 

Andy Ful

The full changelog:
Version 5.0.0.1
  1. The new version of ConfigureDefender 2.1.1.1
    Extended the maximal number of entries in the Log to 300.
    Corrected a bug related to the error when "Defender Security Log" is empty. Removed event Id=1117 from Defender Security Log.
    Extended the "Cloud Time Check Limit" in <HIGH Protection Level> from 10s to 20s.
  2. The new version of FirewallHardening 1.0.1.1
    Added curl.exe to FirewallHardening LolBins, and curl.exe, certutil.exe to FirewallHardening 'Recommended H_C' rules. Removed the bug related to displaying the last blocked event.
  3. The new version of DocumentsAntiExploit tool - improved/corrected the Outlook macro protection.
  4. The new version of SwitchDefaultDeny 2.0.0.1 - adjusted to work with <Update Mode>.
  5. Changed the name of the H_C option <Run As SmartScreen> to <Forced SmartScreen>.
  6. Changed the name "Run As SmartScreen" (of the entry in the Explorer context menu) to "Install By SmartScreen".
  7. Added prevention against SmartScreen DLL hijacking (included in "Install By SmartScreen" and "Run By SmartScreen").
  8. Added three new options <Update Mode>, <Harden Archivers>, and <Harden Email Clients>.
    *** The <Update Mode> allows the execution of EXE (TMP) and MSI files in ProgramData and AppData folders. These folders are hidden for the users in the Explorer default settings.
    *** The <Harden Archivers> and <Harden Email Clients> support the <Update Mode> to prevent bypassing the Hard_Configurator Recommended Settings. The setting <Update Mode> = ON is added to the H_C Recommended Settings on Windows 8+, which allows the applications to auto-update without losing much of the H_C protection.
    *** The <Update Mode> = ON setting still blocks the EXE (TMP) and MSI files in other folders from UserSpace like: Desktop, Documents, Downloads, Music, Movies, Pictures, non-system partitions, and USB drives. The user has to use "Install By SmartScreen" entry to run standalone application installers.
  9. Added some new H_C setting profiles. For example:
    Windows_8_Strict_Recommended_Settings
    Windows_10_Strict_Recommended_Settings
    They apply for Recommended Settings used in H_C 5.0.0.0 and prior versions, which did not use the <Update Mode> feature.
  10. Whitelisted the folder ImplicitAppShortcuts (only for shortcuts).
  11. Whitelisted the shortcuts in the user Desktop, when the Desktop location is redirected. This can happen when the user chooses the Desktop backup in OneDrive or manually changes the path to the Desktop. After changing the path to the user Desktop, it is required to sign off from the account or refresh the Explorer. After that, the shortcuts on the Desktop in the new location will be automatically whitelisted.
  12. Added to the H_C manual many details related to Recommended Settings and Avast profiles, which can now use the <Update Mode> feature.
 

Andy Ful

The funny thing about the new version is that if @askalan had tested this version one year ago, the results could probably have been even better.

The only sample that bypassed SmartScreen App Rep (and so H_C) in five months of testing (January - May 2019) would probably be mitigated. Simply, in the test from the year 2019, the RunAsSmartScreen was used, which ran the malicious file with high privileges after the SmartScreen check. The malware could use scripting to infect the computer.

The new Recommended Settings on Windows 8+ use InstallBySmartScreen, which runs the executable (EXE, MSI) with standard rights, and H_C can still block/restrict scripting.
 

gonza

Level 2
Sep 10, 2019
63
Hello. It seems like Norton also whitelisted the executable.

Image 1.jpg


"De confianza" means "Trusted"
 

Andy Ful

Norton has probably whitelisted it after my request, but I did not get the confirmation by email. Kaspersky whitelisted H_C without my request, probably due to the trusted certificate, similarly to SmartScreen App Rep.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Andy, manually adding firewall rules from the firewall hardening tool is not working. It's not a bug of the beta version because I remember this happened before too. What could be the issue here?
Rules added from Windows Firewall itself work as expected.
1.PNG
 

SeriousHoax

Adding one more thing in addition to my previous comment. I just noticed the firewall hardening rules show that it has created a block rule, which is expected of course, but why does the explorer window that opens after clicking Add Rule say "Select the files to be whitelisted" above! :unsure:
 

Andy Ful

> Andy, manually adding firewall rules from the firewall hardening tool is not working. It's not a bug of the beta version because I remember this happened before too. What could be the issue here?
> Rules added from Windows Firewall itself work as expected.

The added rules work for me (computer restart is required to apply the new rules). The rules are added first at the end of the list, but after restarting the computer and running FirewallHardening, the rules are visible in alphabetical order:
FirewallAdd.png

But, I noticed for the first time that some blocked connections are not logged, if they do not try to send packets.
For example, I added the rules for three email clients (Claws-mail, eM Client, and Postbox). The blocked events for two email clients were added to the Log. But, not for eM Client which was blocked too (I tried to download an attachment without success).
 

Andy Ful

> Adding one more thing in addition to my previous comment. I just noticed the firewall hardening rules show that it has created a block rule, which is expected of course, but why does the explorer window that opens after clicking Add Rule say "Select the files to be whitelisted" above! :unsure:

Thanks. The code was copied from H_C and adjusted to FirewallHardening. I did not notice it. :(
 
