Hard_Configurator - Windows Hardening Configurator

Marana

Level 1
Verified
Jan 21, 2018
43
What is new? (as compared to stable version 5.0.0.0)

Version 5.0.1.1
  • - -
  • Removed the "All files" SRP Enforcement setting due to possible incompatibilities with 3rd party security solutions. Furthermore, this setting is not used in Hard_Configurator predefined profiles and it is not well integrated with Recommended Settings on Windows 8+.
  • - -
@Andy Ful I wonder if you could consider keeping this feature available in H_C?

Especially now, when considering the coming CUP and SSS for more casual users, I think that H_C will be profiled towards more advanced users that can be considered responsible for what they do with H_C.

I have been blocking User Space DLLs for years, already in times I was still using SSRP, and have never had any problems with that. And should one ever meet any problems, it would always be easy to switch off that extra layer of protection...
 

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
Hello,
Does H_C disable wscript by using registry key? How about, if malware reverts it back by using reg add command line(cmd)? How i can protect wscript registry key? I've already disabled powershell, powershell_ISE via local group policy editor.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful I wonder if you could consider keeping this feature available in H_C?
...
I have been blocking User Space DLLs for years, already in times I was still using SSRP, and have never had any problems with that. And should one ever meet any problems, it would always be easy to switch off that extra layer of protection...
The 'All files' enforcement can be still used, by an advanced user (after making the setup via the H_C and closing H_C) by a simple reg tweak:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"TransparentEnabled"= dword:00000002

I am sorry, but I cannot keep it in H_C, because it can be a source of the hidden incompatibilities that are hard to find out. For example, I noticed that blocking DLLs feature is incompatible with some AVs (like Avast) and some Microsoft applications (like OneDrive Personal Vault). This does not follow from blocking any particular DLL, so it cannot be solved by whitelisting DLLs. Furthermore, the .NET DLLs and DLLs loaded by some other popular methods (like reflective DLL injection) cannot be blocked by SRP, so this feature is not as useful as in times of Windows Vista and can give the user a false sense of security. The user has to use something else (AppLocker, WD Application Control, etc.) to block DLLs or apply SRP setup which makes using malicious DLLs improbable.(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hello,
Does H_C disable wscript by using registry key? How about, if malware reverts it back by using reg add command line(cmd)? How i can protect wscript registry key? I've already disabled powershell, powershell_ISE via local group policy editor.
Yes, by <Block Windows Script Host>. As any Windows Policy, it can be reverted by malware running with high privileges. Of course, the H_C setup is for preventing such events like running the malware in the first place, and allowing it to elevate in the second place.
If you are using GPO to block something, then please do not use H_C to block the same thing (GPO can revert the H_C settings due to Refresh Feature).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful Can u do something about it?
I have got an answer from McAfee:
mcafee.png

They say:
"Dear Sir/madam,

When we checked the certificate status of the below reported file , its having valid digitalcertificate
File’s certificate is valid.
...
Based on below mail , your customers are getting error as “invalid signer” , because of the root certificate is installed in their system.

Please contact the certificate authority in order to sort out this issue.

Thanks
"

Being honest, the information is not clear to me, except that the certificate of the installer (Hard_Configurator_beta_setup_5.1.1.1.exe) is OK.
 

Chri.Mi

Level 7
Well-known
Apr 30, 2020
337
I have got an answer from McAfee:
View attachment 241975
They say:
"Dear Sir/madam,

When we checked the certificate status of the below reported file , its having valid digitalcertificate
File’s certificate is valid.
...
Based on below mail , your customers are getting error as “invalid signer” , because of the root certificate is installed in their system.

Please contact the certificate authority in order to sort out this issue.

Thanks
"

Being honest, the information is not clear to me, except that the certificate of the installer (Hard_Configurator_beta_setup_5.1.1.1.exe) is OK.
For what i understand, reading web, a certification authority is missing (a third part society that confirm that a file signed come from a trusted proprietary, something like verisign,etc). Talking generally, have a digital signed file dont means it is safe, but some1 need to "review" that file.
Anyway thanks for the help @Andy Ful
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
For what i understand, reading web, a certification authority is missing (a third part society that confirm that a file signed come from a trusted proprietary, something like verisign,etc). Talking generally, have a digital signed file dont means it is safe, but some1 need to "review" that file.
Anyway thanks for the help @Andy Ful
There are three types of certificates in Certum (which sold this certificate): open source (cheap), standard (not cheap), EV (expensive). The verification of the open-source certificate is made in the case of H_C only by Certum. It seems that McAfee AV does not accept the open-source certificates, probably due to the requirement of additional confirmation.
The EV certificate has to be additionally accepted by Microsoft and then it is automatically accepted by SmartScreen. The open-source and standard certificates have to gain a good reputation first and then they are automatically accepted by SmartScreen. I did not check the details of the standard certificate.
Anyway, in this moment the H_C certificate is automatically accepted by SmartScreen like the EV certificate.
 

Chri.Mi

Level 7
Well-known
Apr 30, 2020
337
There are three types of certificates in Certum (which sold this certificate): open source (cheap), standard (not cheap), EV (expensive). The verification of the open-source certificate is made in the case of H_C only by Certum. It seems that McAfee AV does not accept the open-source certificates, probably due to the requirement of additional confirmation.
The EV certificate has to be additionally accepted by Microsoft and then it is automatically accepted by SmartScreen. The open-source and standard certificates have to gain a good reputation first and then they are automatically accepted by SmartScreen. I did not check the details of the standard certificate.
Anyway, in this moment the H_C certificate is automatically accepted by SmartScreen like the EV certificate.
So the point is or them no like certum or them no like the open source certificates, if i understand correctly
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
So the point is or them no like certum or them no like the open source certificates, if i understand correctly
If I have bought the standard or EV certificate in Certum it would be as good as from any other vendor. These certificates (especially EV) require extended verification.
Most malware uses the stolen standard certificates, but of course the same might be true for open-source certificates. The most dangerous malware can use the stolen EV certificate (automatically bypasses SmartScreen).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Mcafee Endpoint dont like the beta version, still continue to isolate it. This not happen to stable version. Another thing is dont like the sign of hard configurator and sumatrapdf
It seems that there is no problem with McAfee Total Protection. I installed the trial version 16.0 R25 and can use H_C without any alerts from McAfee. Unfortunately, I cannot see any option to check the certificate (probably the file has to be first added to the quarantine).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I can also run the new compiled H_C executables on McAfee Total Security. It is very nice to H_C, because WD usually detects H_C as a trojan, until I submit the executables to whitelisting.
So, the McAfee Endpoint version complains probably due to some ATP modules, that are absent in Total Security.
 

PotentialUser

Level 1
May 28, 2020
35
Yes, for stable versions. No, for beta versions.

Install over the old version. Read the update info, follow update instructions.

Use <Load Profile> button to load the prebuild setting profile.

It is opensource.

Thank you for your answers Andy! I have installed H_C on a VM and definitely am impressed by what I saw. I have some in-depth questions regarding Windows’ built in security. I have sent you a private message (PM) with those questions so I don’t de-rail the topic here. Those questions aren’t closely related to using H_C or Configure Defender; more like what exactly they automate. So I decided to PM you instead of posting them here.

If you have some free time, I would love to hear from you via PM regarding those questions. Anything you can share is always appreciated! If you don’t see them in your Inbox, it may be because I’m a new user on MT and my messages sometimes need “approval.” Please let me know either way though so I can re-send if necessary. Many thanks again :)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Not using anymore.
It seems that the endpoint version has some ATP module that can isolate "not trusted" applications:
Such solutions can block many legal applications unless the additional root certificates are installed in the system. So, I think that the problem could be solved by installing the Certum Root Certificate.
But, the H_C is not intended to work in the enterprise environment, so the solution is purely theoretical.:)(y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top