Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
I use SysHardener outbound firewall rules. Are they about the same as Recommended H_C rules? Maybe I'm missing something? SysHardener added 71 rules to my firewall. SH is not on my PC anymore, but I kept its rules.
The SysHardener and FirewallHardening rules are similar. The FirewallHardening Blocklist has got some additional important rules, like blocking curl.exe. There are some advantages over SysHardener:
  1. A few additional rules.
  2. Log of all blocked outbound connections. This log shows the blocked entries from the FirewallHardening Blocklist + entries blocked by other rules made in Windows Firewall by other applications (also SysHardener).
  3. The user can add custom rules to the FirewallHardening Blocklist.(y)
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
654
My SysHardener firewall rules are already in my firewall. If I add H_C recommended firewall rules, I can see that all the rules from both apps are in my firewall. Is there a problem if some rules are duplicated? For instance, I have H_C Cscript.exe and NVTSYSH cscript.exe. It's easy with H_C to remove the duplicates, but I won't do it if I don't have to.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
My SysHardener firewall rules are already in my firewall. If I add H_C recommended firewall rules, I can see that all the rules from both apps are in my firewall. Is there a problem if some rules are duplicated? For instance, I have H_C Cscript.exe and NVTSYSH cscript.exe. It's easy with H_C to remove the duplicates, but I won't do it if I don't have to.
There is no problem, except when something will be blocked. In such a case you have to remove both SysHardener and FirewallHardening rules for the particular blocked item. Please remember, that changing the FirewallHardening rules require restarting Windows.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
654
My goal was to enhance the protection I already had with Andy Ful recommended firewall hardening rules.

What I did: I installed Malwarebytes Windows Firewall Control on my PC. I counted again all the SysHardener rules that have been on my Windows firewall for the last two years. I had 67 outbound rules and no issues with them. Furthermore, I then checked those rules with the recommended list from H_C Firewall Hardening. I found 13 rules that were relevant to my PC and were not duplicates. I manually installed those rules and made a backup of all my rules with WFC. My Windows Firewall is now hardened with 80 outbound firewall rules. WFC is a good layer to work easily with Windows Firewall.
 

Attachments

  • Capture.PNG
    Capture.PNG
    54.9 KB · Views: 319
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
My goal was to enhance the protection I already had with Andy Ful recommended firewall hardening rules.

What I did: I installed Malwarebytes Windows Firewall Control on my PC. I counted again all the SysHardener rules that have been on my Windows firewall for the last two years. I had 67 outbound rules and no issues with them. Furthermore, I then checked those rules with the recommended list from H_C Firewall Hardening. I found 13 rules that were relevant to my PC and were not duplicates. I manually installed those rules and made a backup of all my rules with WFC. My Windows Firewall is now hardened with 80 outbound firewall rules. WFC is a good layer to work easily with Windows Firewall.
You have to check if these rules (made in WFC) can block all available protocols.(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
@Andy Ful

Any chance block sponsors (three options only: off - block scripts - enhanced) and Protect Windows Folders will be available on Simple Windows Hardening also?

I could do it, but I am afraid that this would make SWH overcomplicated. Furthermore, LOLBins are dangerous in the home environment when the user can accidentally run command-lines via shortcuts, scripts, scriptlets, macros, or files with active content. But, such actions are already prevented by SWH. The users who have MS Office installed can use ConfigureDefender HIGH Protection Level (or DocumentsAntiExploit tool) to prevent running LOLBins via weaponized documents.

Blocking LOLBins in Windows 10 could make sense when using MS Office with allowed macros and shortcuts - that is a common case in businesses. It could also make sense to prevent targeted attacks. That is why LOLBins are often blocked via SRP, Applocker, or Defender Application Control. For similar reasons, they are blocked/blacklisted when using business-oriented applications like AppGuard or VoodooShield (shortcuts and some files with active content are allowed).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
@Andy Ful do you know if there is any test showing the benefit of setting configure defender to high or default?
I'd like to know how this could impact performance and detection/protection rate!

ty
The detection/protection/performance is tested in AV-Test and AV-Comparatives tests for businesses.
The performance of Defender can be different on different machines. So, you have to try it by yourself.

AV-Comparatives
PUA Protection enabled, Cloud protection level set to “High”, Cloud-delivered protection set to “Advanced”. Google Chrome extension “Windows Defender Browser Protection” installed and enabled.

MRG Effitas
ASR rules enabled - other settings unknown (probably the same as for AV-Comparatives).

The cumulative statistics for AV-Comparatives:

The cumulative statistics for MRG Effitas:

Normally the Defender default setup would probably score slightly worse than Avast Business Antivirus. After adding the advanced settings, the protection is much better (especially in Exploit/Fileless tests). You can see the difference when looking a the test where Defender was tested on default settings:

1614364383882.png

 
Last edited:

Tiamati

Level 12
Verified
Top Poster
Well-known
Nov 8, 2016
574
@Andy Ful did you notice that softpedia version of H_C is different from the one offered with github?

Softpedia version:
1616209324664.png



GitHub version

1616209644049.png


Only the last one match the info you provided on your website

Version 5.1.1.2

  • MD5: bce659dbbdd9c2da93df81ebbb728f00
  • SHA-1: 2836d6d079cb04dbdce0f7c8f895b0afbc344856
  • SHA-256: 8a2d4841345e98e2bc80d1ef02cae5a29d4db8484d9808dde19aff72dc651ea8
 

Attachments

  • 1616209383928.png
    1616209383928.png
    79.8 KB · Views: 262

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
It is OK. Look at the hashes included in the file Virustotal.txt on GitHub:

When you will update the H_C from version 5.1.1.2 (using the Update button in H_C) only the file Hard_Configurator_setup_5.1.1.2.exe will be used both for Windows 64-bit and 32-bit. For compatibility with older versions, I also uploaded to GitHub the files Hard_Configurator_setup(x64)_5.1.1.2.exe and Hard_Configurator_setup(x86)_5.1.1.2.exe that are used when updating from H_C ver. 5.0.0.0 and prior.
 
Last edited:

Tiamati

Level 12
Verified
Top Poster
Well-known
Nov 8, 2016
574
The rules are applied via Windows Policies. They cannot be removed/changed by using the Windows Firewall console. Binisoft Windows Firewall Control probably do not check firewall rules introduced via Windows Policies.

Dear @Andy Ful

About WFC doesn't recognizing the H_C rules. Those rules still work even WFC doesn't recognize them?
Ty!

BTW: for the 1st time i'm using all features from H_C. I guess you're tired of hearing this, but i'll say again, excellent work man! 👏👏👏
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
654
Two years ago, I installed SysHardener on my PC to get the outbound firewall rules. After a few months, I uninstalled SH but kept the firewall rules. A month ago, I checked the firewall rules of H_C and manually installed with Firewall App Blocker 13 rules that were not duplicates (on my PC) of SH. I uninstalled WFC that I had on my PC then made a backup of my rules with FAB and another backup with Windows Firewall. Five days ago, I had to use Macrium. After that, it took me a few seconds with FAB to get my rules back. And WFC can display those rules.
What I want to say: the firewall rules of H_C are very good and became a permanent fixture of my firewall with no issues at all.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Is that true, @Andy Ful ?
also best to enable block remote connections in H_C
reboot
and then apply SRP
otherwise SRP blocks the disable script (it basically runs a powershell script to block remote access)
Not true.
  1. SRP configured by H_C does not block any H_C actions (also ConfigureDefender and FirewallHardening actions).
  2. H_C also does not use PowerShell to configure H_C settings, except for ConfigureDefender.
 

mkoundo

Level 8
Verified
Well-known
Jul 21, 2017
358
Hi Andy,

If you have a few minutes can you please look into this: I'm using H_C 5.1.1.2 with basic recommended profile in a SUA. I am trying to install a Dell graphics application, which I downloaded directly from dell. The first time I ran it, the installer failed and the H_C tools/log showed that poweshell was restricted.

Untitled.png

So i used Switchdefault deny to turn off SRP and logged out/in again. I also turned off the block powershell scripts. Like so:

Untitled3.png

I then re-tried installing (run by smartscreen, prompted for admin elevation) but failed again. This time the log output from H_C tools showed the following and the log output from the installer is listed below:

Untitled2.png

਍਍[Sun May 2 09:40:01 2021] Update Package Execution Started
[Sun May 2 09:40:01 2021] Original command line: "D:\tmp\Intel-Graphics-User-Interface-Application_CK8J4_WIN64_1.100.2727.0_A05.EXE"
[Sun May 2 09:40:01 2021] DUP Framework EXE Version: 4.6.2.52
[Sun May 2 09:40:01 2021] DUP Release: CK8J4A05
[Sun May 2 09:40:01 2021] Initializing framework...
[Sun May 2 09:40:01 2021] Data in smbios table is (hex)value = a , Chasis type (hex)value = a , System type is : Client
[Sun May 2 09:40:01 2021] logo.png
[Sun May 2 09:40:21 2021] User Command: attended
[Sun May 2 09:40:21 2021] DUP Capabilities Value: 35651583 (0x21FFFFF)
[Sun May 2 09:40:21 2021] DUP Vendor Software Version: 1.100.2727.0
[Sun May 2 09:40:21 2021] Local System/Model Compatible with this Package? Yes
[Sun May 2 09:40:21 2021] Local System OS Version: 10.0.0.0
[Sun May 2 09:40:21 2021] OS Compatible with this Package? Yes
[Sun May 2 09:40:21 2021] Local System OS Language: EN
[Sun May 2 09:40:21 2021] Language Compatible with this Package? Yes
[Sun May 2 09:40:21 2021] Identified Behavior : attended
[Sun May 2 09:40:21 2021] Extraction-miniunz path: c:\PROGRA~3\dell\drivers\8C6E4C~1\miniunz.exe
[Sun May 2 09:40:21 2021] Extraction-arguments: -x D:\tmp\Intel-Graphics-User-Interface-Application_CK8J4_WIN64_1.100.2727.0_A05.EXE -o -d c:\PROGRA~3\dell\drivers\8C6E4C~1
[Sun May 2 09:40:22 2021] Extraction-GetExitCode: 0
[Sun May 2 09:40:22 2021] Temporary payload log file name: C:\ProgramData\dell\drivers\8c6e4c71-d3fa-4641-adcc-c7fb0e740fd0\DUPD9B3.tmp
[Sun May 2 09:40:22 2021] payloadExe: InstallApp.bat
[Sun May 2 09:40:22 2021] payloadArgs:
[Sun May 2 09:40:22 2021] payloadDir: C:\ProgramData\dell\drivers\8c6e4c71-d3fa-4641-adcc-c7fb0e740fd0
[Sun May 2 09:40:22 2021] MUP Spec version is less than 3 or Not a DCH Package.
[Sun May 2 09:40:22 2021] Legacy installation is selected. Calling Vendor Installer...
[Sun May 2 09:40:23 2021] Appending Vendor Software Log.
[Sun May 2 09:40:23 2021]
--- Start of Vendor Software Log ---

[Sun May 2 09:40:23 2021]
--- End of Vendor Software Log ---

[Sun May 2 09:40:23 2021] Vendor Software Return Code: 1
[Sun May 2 09:40:23 2021] logo.png
[Sun May 2 09:40:23 2021] Name of Exit Code: ERROR
[Sun May 2 09:40:23 2021] Exit Code set to: 1 (0x1)
[Sun May 2 09:40:23 2021] Result: FAILURE
[Sun May 2 09:40:25 2021] Open file: C:\ProgramData\Dell\UpdatePackage\Log\Intel-Graphics-User-Interface-Application_CK8J4_WIN64_1.100.2727.0_A05.txt

Any hint/tips what might be the issue?


thank you for your help Andy (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
I then re-tried installing (run by smartscreen, prompted for admin elevation) but failed again. This time the log output from H_C tools showed the following and the log output from the installer is listed below:


There is a problem with the PowerShell cmdlet Add-AppxProvisionedPackage. It probably wants to download something from Microsoft Store. Please, check if PowerShell outbound connections are blocked by FirewallHardening - if this is the issue it should be visible in the FirewallHardening Log.
 

mkoundo

Level 8
Verified
Well-known
Jul 21, 2017
358
There is a problem with the PowerShell cmdlet Add-AppxProvisionedPackage. It probably wants to download something from Microsoft Store. Please, check if PowerShell outbound connections are blocked by FirewallHardening - if this is the issue it should be visible in the FirewallHardening Log.

I've removed all the H_C firewall rules and the installation still fails. The firewall log doesn't show any events. :unsure:

Untitled.png
 

mkoundo

Level 8
Verified
Well-known
Jul 21, 2017
358
Hi Andy,
an update on my last post: I rebooted the computer for the firewall rule changes to take effect and now I get a firewall log event like so:

Event[0]:
Local Time: 2021/05/02 14:48:14
ProcessId: 4016
Application: C:\windows\system32\spoolsv.exe
Direction: Outbound
SourceAddress: 192.168.1.107
SourcePort: 57732
DestAddress: 192.168.1.202
DestPort: 80
Protocol: 6
FilterRTID: 66249
LayerName: %%14611
LayerRTID: 48

**************************************
 
  • Like
Reactions: Kongo and Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top