Latest Changes: Jul 28, 2019
Operating System: Windows 10
Windows Edition: Home
Version or Build no.: 18362.267 (v. 1903)
System type: 64-bit operating system; x64-based processor
Security Updates: Automatic Updates (recommended)
User Access Control: Default
Network Security (Firewall): Windows Defender Firewall
Device Security: Windows Defender SmartScreen (Windows 10)
User Account: Administrator
Malware Testing: I do not participate in downloading malware samples
Real-time Web & Malware Protection: Avast Free Antivirus
RTP - Custom security settings: Major changes for Increased security
RTP - Details of Custom security settings:
  • Custom installation --> Select "File Shield" only
  • Evjl's Rain's tweaks
  • List of blocked IPs to avoid telemetry issues:
Virus and Malware Removal Tools:
  1. HitmanPro
  2. AdwCleaner
Browsers and Extensions: Chromium portable (launched by chrlauncher) with:
  • Blocksi Web Filter
  • Close & Clean
  • Dark new tab
  • ublock origin
Privacy-focused Apps and Extensions:
  1. CleanBrowsing DNS
  2. O&O shutup10
  3. Windows Privacy Dashboard
Password Managers: None (integrated in the portable browser)
Web Search: Google
System Utilities:
  1. Bandizip
  2. Dism++
  3. FastStone viewer
  4. Geek uninstaller
  5. NVT SysHardener
  6. Privacy Eraser
  7. RAPR
  8. SUMo
Data Backup: Lazesoft Recovery Suite Home Edition
Frequency of Data backups: Monthly
System Backup: Lazesoft Recovery Suite Home Edition
Frequency of System backups: Regularly
Computer Activity:
  • Online banking
  • Browsing web and email
Computer Specifications: MSI cubi i3 5005U

    imuade

    Level 8
    Verified
    What is a SW?(y)
    Software, I think.
    Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
    As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
     

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
    As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
    That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandizip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandizip. That works for most applications.
    I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.:giggle:(y)
     

    oldschool

    Level 32
    Verified
    Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
    As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
    I'm not an evangelist for H_C, however, I posted my Q on the H_C thread and @andy was kind enough to help, as always. He has the patience of Job. If Bandizip was in UserSpace, as opposed to SystemSpace, and not whitelisted - then you may have the reason for your trouble. I will leave it to the guru to unwind the issue, if you wish to know more. And who doesn't love trying different things out, anyway. It's 1/2 the fun.

    Edit: @Andy Ful & I posted at the same time! What do you know?
     

    imuade

    Level 8
    Verified
    That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandizip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandizip. That works for most applications.
    I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.:giggle:(y)
    Bandizip searches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files?).
    Making exceptions of course works, but it's against the purpose of a default-deny solution.
    Anyway, I won't call it an "issue", it's what a user can expect from H_C :)
     

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    Bandizip searches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files?).
    Making exceptions of course works, but it's against the purpose of a default-deny solution.
    Anyway, I won't call it an "issue", it's what a user can expect from H_C :)
    I tested the Bandizip updating and it is the standard issue, related to the fact that Bandizip runs the update from the Temp folder with standard rights (blocked by SRP in H_C settings). It could run it with Administrator rights, and then there was not any problem (in H_C settings). But, as I said in my previous post, the user can simply run Bandizip with Administrator rights (via "Run As SmartScreen") in order to update it from the application GUI. You do not need to do anything else (no making exceptions, no turning off the protection, etc.).
    You are right that Windows should show the alert when blocking the update, but this is Windows (far from perfect).:sneaky:
    There are two main inconveniences related to a default-deny setup:
    1. Whitelisting user applications.
    2. Updating user applications.
    That is why most people like default-allow setup. Everyone has to find an individual balance between security and usability.:emoji_thinking:(y)
     
    Last edited:

    imuade

    Level 8
    Verified
    Update 06/03/2019
    Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW (y)

    So, summarizing:
    • Web protection: k9
    • Antivirus: Immunet
    • Firewall: Windows Defender Firewall + Windows 10 Firewall Control
    • Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
    • Backup: Lazesoft Recovery Suite Home Edition
     

    shmu26

    Level 82
    Verified
    Trusted
    Content Creator
    I haven't had any issue so far, I think they don't overlap too much.
    Anyway, first I set SysHardener, then Hard_Configurator.
    In certain places, they do the same thing but in different ways. @Andy Ful always says to be careful about mixing his tool with SysHardener because it can make settings that you did not want. I can't claim to understand it fully, but he does.
     

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    They overlap in many areas in different ways. Furthermore, SysHardener disables some functionality of H_C. For example, both SysHardener and Hard_Configurator prevent the user from running files with dangerous extensions like: VBS, VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF, etc. SysHardener can block 13 file extensions (by file associations) and H_C blocks 42 (by SRP, including all blocked by SysHardener) + additional ones added by the user. H_C allows whitelisting some blocked files, but SysHardener will block them anyway. H_C allows running those files from the elevated shell, but SysHardener will block them anyway.
    Suppose that the user wants to switch off temporarily the H_C protection and run some blocked files. Then files like MSC, CPL, CHM and many others could be opened, but VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF would be still blocked.
    If the user turns OFF SysHardener protection, and keeps H_C protection, then he/she does not notice any difference, because all dangerous file extensions will be still blocked by H_C.
    The problems can happen also with unblocking remote features, PowerShell Constrained Language mode, hardening settings for MS Office and Adobe Acrobat Reader, etc.

    Generally, in the home environment on the updated Windows 10 with updated software, SysHardener is redundant when using H_C in Recommended Enhanced settings. In the upcoming H_C version, Recommended Enhanced settings will block more Sponsors:
    powershell.exe, powershell_ise.exe, bitsadmin.exe, csc.exe, hh.exe, ieexec.exe, iexplore.exe, installutil.exe, msbuild.exe, mshta.exe, presentationhost.exe, reg.exe, regini.exe, regsvcs.exe, wmic.exe, bash.exe, regasm*, schtasks.exe, scrcons.exe, windbg.exe.

    If one wants to use the SysHardener firewall rules for LOLBins, then it is OK, but it is safer to block them in H_C.

    There would be some advantage of using both H_C and SysHardener in the enterprise environment, because some SysHardener settings can block processes running with Administrator rights. In H_C, most restrictions block (by design) only processes running with standard rights.
     
    Last edited:
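
As an added example (not from the thread, and not Hard_Configurator's own code): a read-only PowerShell check of the SRP state the post above relies on. It assumes the policy is stored under the standard Windows SRP registry key and that blocked Sponsors appear as disallowed path rules; the variable names and the subset of Sponsors checked are choices made here.

```powershell
# Added example: read-only audit of Software Restriction Policies (SRP) on this machine.
# Assumption: the policy lives under the standard machine-wide SRP key.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $root)) { Write-Output 'SRP is not configured (policy key absent).'; return }

# Extensions and a subset of the Sponsors named in the post above.
$namedExt      = 'VBS','VBE','JS','JSE','WSF','WSH','HTA','SCR','PIF'
$namedSponsors = 'powershell.exe','mshta.exe','wmic.exe','bitsadmin.exe','msbuild.exe'

$policy = Get-ItemProperty -Path $root

# DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
$levels = @{ 0 = 'Disallowed (default-deny)'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted (default-allow)' }
$level  = if ($null -eq $policy.DefaultLevel) { 'Not set' } else { $levels[[int]$policy.DefaultLevel] }

# PolicyScope 1 exempts administrators, which matches restrictions that only
# apply to processes running with standard rights.
$scopes = @{ 0 = 'All users, administrators included'; 1 = 'All users except local administrators' }
$scope  = if ($null -eq $policy.PolicyScope) { 'Not set' } else { $scopes[[int]$policy.PolicyScope] }

# ExecutableTypes is the list of designated file types that SRP treats as executable.
$types      = @($policy.ExecutableTypes | Where-Object { $_ } | ForEach-Object { $_.ToUpper() })
$missingExt = @($namedExt | Where-Object { $_ -notin $types })

# Disallowed path rules are stored under the '0' (Disallowed) security level.
$rulesKey = Join-Path $root '0\Paths'
$rules = @()
if (Test-Path $rulesKey) {
    $rules = @(Get-ChildItem -Path $rulesKey |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
}

# Assumption: a blocked Sponsor shows up as a rule whose path contains its file name.
$noRule = @($namedSponsors | Where-Object {
    $name = $_
    -not ($rules | Where-Object { $_ -like "*$name*" })
})

[pscustomobject]@{
    DefaultLevel             = $level
    PolicyScope              = $scope
    DesignatedTypeCount      = $types.Count
    NamedExtensionsMissing   = ($missingExt -join ', ')
    DisallowedPathRules      = $rules.Count
    NamedSponsorsWithoutRule = ($noRule -join ', ')
} | Format-List
```

An extension that is absent from the designated types but still refuses to open is being blocked by something other than SRP, such as a changed file association.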

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    I haven't had any issue so far, I think they don't overlap too much.
    Anyway, first I set SysHardener, then Hard_Configurator.
    It will be OK, if you do not change the settings of SysHardener or H_C.:giggle:
    But some functionality of H_C, related to whitelisting files with dangerous extensions and turning OFF some H_C settings, will be diminished.(y)
    Thanks for testing H_C again.:emoji_ok_hand:
     

    Andy Ful

    Level 45
    Verified
    Trusted
    Content Creator
    Update 06/03/2019
    Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW (y)

    So, summarizing:
    • Web protection: k9
    • Antivirus: Immunet
    • Firewall: Windows Defender Firewall + Windows 10 Firewall Control
    • Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
    • Backup: Lazesoft Recovery Suite Home Edition
    There will always be some problems with application auto-updating when using a default-deny setup. Personally, when the auto-update of some application is blocked, I simply turn OFF auto-updates for it, and perform manual updates. On an Administrator account, it can be simply done by running the application via "Run As SmartScreen" and performing the update from the application GUI. If the update requires the updater downloaded from the Internet, then the updater should be run via "Run As SmartScreen".
    Probably something like SUMO (www.kcsoftwares.com) updater can be useful, too.