Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

I would say it's in the same folder, H_C is installed

There I, of course, immediately looked, but there it is not. It turns out that saving takes place in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\Whitelist
Maybe you need a button to save WhiteList to a regfile?

You can export/import setting profiles & whitelist profiles into one backup file by using:
<Tools><Manage Profiles BACKUP>
The backup is in the folder .\Backup.
Do not use the name DefaultBackup.hbp for your custom backup, because this will overwrite the H_C native backup.

 

[plat]

What would cause H_C to crash? It's isolated, no other errors in conjunction with it and it hasn't crashed since.

Just curious but request details so as not to instigate this again. Can't recall having done anything except change a setting from OFF to ON. Nothing overtly happened.

Spoiler

[/spoiler[

 

[aldist]

You can export/import setting profiles & whitelist profiles into one backup file by using:
<Tools><Manage Profiles BACKUP>
The backup is in the folder .\Backup.

Thank! This is useful knowledge.

Furthermore, the H_C is intentionally hidden to avoid the uninstallation by casual users, children, etc. (when their computers are configured by advanced users).

When installing Р_С, the "hidden" attribute is automatically set for this folder? My folder is visible, I did not remove the attribute. In any case, it's not a problem to set this attribute yourself.

 

[aldist]

It may be necessary to protect the "safer" registry hive from outside changes (without Hard_Configurator), options "Secure Profile" or "Secure Rules".
Regfile srp_disable.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00040000
disables SRP protection, and after that SwitchDefaultDeny (SDD) determines the SRP status correctly, but cannot enable it until the regfile is applied srp_enable.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00000000

 

[aldist]

In the main window H_C, the protection status (ON / OFF) can be determined only from the values in the VALUE table. Agree, this is very unfriendly and uninformative even for an advanced user. Replacing the button with a switch like the SDD would make it clear even to an inexperienced home user.

 

[Andy Ful]

Thank! This is useful knowledge.When installing Р_С, the "hidden" attribute is automatically set for this folder? My folder is visible, I did not remove the attribute. In any case, it's not a problem to set this attribute yourself.

H_C installation is not visible (hidden) when you use "Apps & features" to see the installed applications. It is not related to the "hidden" file/folder attribute.

 

[Andy Ful]

What would cause H_C to crash? It's isolated, no other errors in conjunction with it and it hasn't crashed since.

Just curious but request details so as not to instigate this again. Can't recall having done anything except change a setting from OFF to ON. Nothing overtly happened.

Spoiler

View attachment 244596[/spoiler[

Probably some other security feature tries to prevent H_C.

 

[aldist]

@Andy Ful
Thank you for your program and for the fact that you are constantly improving it, bringing it to an ideal state. Also thanks for your responsiveness and friendliness, technical assistance to users. Good luck and a wonderful future!

 

[Andy Ful]

It may be necessary to protect the "safer" registry hive from outside changes (without Hard_Configurator), options "Secure Profile" or "Secure Rules".
Regfile srp_disable.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00040000
disables SRP protection, and after that SwitchDefaultDeny (SDD) determines the SRP status correctly, but cannot enable it until the regfile is applied srp_enable.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00000000
View attachment 244620

The changes in the HKLM Registry Hive require elevation of privileges.
The SRP settings in the H_C are intentionally configured to allow processes with Admin rights (to avoid problems related to blocking system processes). It means that the malware running with Admin rights do not need to disable SRP, because SRP does not see it anymore.
This scenario is not an issue in the home environment on well updated Windows with well updated software. The H_C Recommended Settings are very restrictive for processes running with standard privileges, so the malware has very small chances to run and even fewer chances to elevate.

Switching OFF the restrictions does a lot more than simply changing the SRP DefaultLevel. It is intended to remove the SRP restrictions temporarily, but remembers the last restrictions (so they can be restored with one mouse click). Changing the SRP DefaultLevel does not switch OFF the restrictions, so they cannot be switched ON. SwitchDefaultDeny is not intended to solve the configuration problems, but it is intended to simplify the installation of applications in the UserSpace.

All the above and probably most of your future questions were already explained (several times) on this forum. But, the quickest way is simply to read the H_C manual. You can start from FAQ.

 

[aldist]

so the malware has very small chances to run and even fewer chances to elevate.

Do you think that the (link ->) protection of such a plan (<- link) would be excessive? In the example shown, the rules cannot be changed from outside this program. You do not need to disable this protection to change the rules from within this program.

 

[Andy Ful]

Do you think that the (link ->) protection of such a plan (<- link) would be excessive? In the example shown, the rules cannot be changed from outside this program. You do not need to disable this protection to change the rules from within this program.

I do not use WFC, so I cannot help. Although restricting firewall connections can help, it cannot stop the connections of many malwares except when blocking svchost and taskhost connections (and maybe some others). Such a setup requires much attention/maintenance and can be painful for most users.

In the example shown, the rules cannot be changed from outside this program.

From the www.binisoft.org:
"Windows Firewall Control doesn't do any packet filtering and does not block or allow any connection. This is done by Windows Firewall itself based on the existing firewall rules. "
It means that the settings applied by WFC can be changed from outside WFC by elevated malware.

Edit (thanks to @SeriousHoax).
There is also additional information about WFC tamper protection:
"Disable the ability of other programs to tamper Windows Firewall rules and state."
So, tampering by the malware can be harder than I thought.

 

[Andy Ful]

In the main window H_C, the protection status (ON / OFF) can be determined only from the values in the VALUE table. Agree, this is very unfriendly and uninformative even for an advanced user. Replacing the button with a switch like the SDD would make it clear even to an inexperienced home user.
View attachment 244621

The H_C is too complex for a simple GUI. Current GUI looks strange in the beginning, but in fact, it is probably most usable in practice after some time of using the H_C. But, nothing is perfect, so probably a better GUI exists. Unfortunately, this GUI has sometimes problems with display rescaling. Please try to make another GUI and we can discuss if it could be better for advanced users.
The arguments related to inexperienced users are not relevant, because H_C should not be used by them. I prepared the SwitchDefaultDeny tool for them.

 

[SeriousHoax]

From the www.binisoft.org:
"Windows Firewall Control doesn't do any packet filtering and does not block or allow any connection. This is done by Windows Firewall itself based on the existing firewall rules. "
It means that the settings applied by WFC can be changed from outside WFC by elevated malware.

It has an option to secure rules though which states that windows firewall rules can't be alerted outside of WFC . The statement above is totally the opposite. I'm confused now

 

[Andy Ful]

It has an option to secure rules though which states that windows firewall rules can't be alerted outside of WFC . The statement above is totally the opposite. I'm confused now

Any such protection can be bypassed by elevated processes. But how hard this would be, can depend on the protection applied. It can be the protection against tampering with standard rights, or it can be performed via the special driver, etc. In my previous post, I referred to the first possibility. I do not know how strong can be WFC tampering protection (against the processes running with high or system integrity level), that is a question to the developer. From what you have posted, it can be stronger than I concluded from the :
"Windows Firewall Control doesn't do any packet filtering and does not block or allow any connection. This is done by Windows Firewall itself based on the existing firewall rules. "

 

[aldist]

I do not use WFC, so I cannot help.

No, no, I don't need help with WFC, I know him very well. I just suggested that you consider using the same registry hiew protection in H_C as implemented in WFC.

It means that the settings applied by WFC can be changed (without a problem) from outside WFC by elevated malware.

This is not possible with Secure Rules and Secure Profiles enabled.

Current GUI looks strange in the beginning

You can get used to the current interface, I'm used to it. Without changing the interface globally and without changing the two bottom buttons, is it possible to add such a simple indicator?

 

[aldist]

@Andy Ful
For the first time such protection was proposed (link ->) here (<- link) and then in an improved version it was implemented in the WFC.

How to publish a link on a forum so that it can be seen without hovering the mouse pointer?

 

[Andy Ful]

No, no, I don't need help with WFC, I know him very well. I just suggested that you consider using the same registry hiew protection in H_C as implemented in WFC.This is not possible with Secure Rules and Secure Profiles enabled.You can get used to the current interface, I'm used to it. Without changing the interface globally and without changing the two bottom buttons, is it possible to add such a simple indicator?
View attachment 244675

Adding more buttons is not necessary and they do not look well in the H_C window. I have already solved this problem in version 6.0.0.0 by simply changing the colors (OFF --> blue).

 

[Andy Ful]

No, no, I don't need help with WFC, I know him very well. I just suggested that you consider using the same registry hiew protection in H_C as implemented in WFC.
...

This would be useless. Did you read my previous post?
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-896094

Shortly:

1. SRP in H_C is intentionally configured to not restrict the elevated processes. So, the elevated malware is not restricted by SRP with or without the Registry protection.
2. There is no need to protect the SRP Registry values, because no malware bothers to change them. Furthermore, with the H_C restrictions malware has no chance to change them, because it will not be allowed to run.
3. The Registry protection you think of will require a 3rd party, real-time driver. The H_C is a configurator, so the H_C processes can run only in a short time when you configure the settings and disappear from the system when you close the H_C (no real-time 3rd party software).

 

[aldist]

I have already solved this problem in version 6.0.0.0 by simply changing the colors (OFF --> blue).

Okay, I welcome this decision. But you will be confused if you arrive at a blue traffic light. Colors are poorly chosen. Red - protection disabled, green - protection enabled. And the APPLY CHANGES button can be left red.
Ok, I read all your posts.

 

[Andy Ful]

Colors are poorly chosen. Red - protection disabled, green - protection enabled. And the APPLY CHANGES button can be left red.
Ok, I read all your posts.

The red color in H_C has different meaning. It warns the user that the option should be used with caution (see also <Tools> features). So, it would be adequate for disabling the protection. I like the blue choice - the restrictions are not disabled, but switched OFF (which is far more than disabling) and can be easily switched ON (red color not required). But, it is probably only a choice based on taste.