Latest changes
Nov 23, 2019
Windows Edition
Home
OS build or version
18363.476 ( v. 1909 )
System type
64-bit operating system; x64-based processor
Update and Security
Allow all automatic updates
User Access Control
Notify me only when programs try to make changes to my computer
Firewall and Network protection
Microsoft Defender Firewall is active
User permissions
Administrator account
Malware exposure
No malware samples are downloaded
Real-time Malware protection
Windows Defender
Modified security settings
Windows Defender tweaked by ConfigureDefender (everything ON, cloud protection set to Block)
Periodic scanners
  1. HitmanPro
  2. AdwCleaner
Browser and Extensions
Chromium portable (launched by chrlauncher) with:
  • Blocksi Web Filter
  • Close & Clean
  • Dark new tab
  • uBlock Origin
  • Windows Defender Browser Protection
Privacy tools and VPN
  1. CleanBrowsing DNS
  2. O&O ShutUp10
  3. Windows Privacy Dashboard
Password manager
None (integrated in the portable browser)
Search engine
Google
Maintenance tools
  1. Dism++
  2. Explzh
  3. FastStone viewer
  4. Geek uninstaller
  5. NVT SysHardener
  6. Privacy Eraser
  7. RAPR
  8. SUMo
Photos and Files backup
Lazesoft Recovery Suite Home Edition
File Backup schedule
Once or multiple times per month
Backup and Restore
Lazesoft Recovery Suite Home Edition
Backup schedule
Once or more per week
Computer Activity
  • Online banking
  • Browsing the web and checking emails
Computer Specifications
MSI cubi i3 5005U

    imuade

    Level 11
    Verified
    What is a SW?(y)
    Software, I think.
    Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
    As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
     

    Andy Ful

    Level 59
    Verified
    Trusted
    Content Creator
    Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
    As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
    That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandizip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandizip. That works for most applications.
    I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.:giggle:(y)
     

    oldschool

    Level 52
    Verified
    Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
    As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
    I'm not an evangelist for H_C, however, I posted my Q on the H_C thread and @andy was kind enough to help, as always. He has the patience of Job. If Bandizip was in UserSpace, as opposed to SystemSpace, and not whitelisted - then you may have the reason for your trouble. I will leave it to the guru to unwind the issue, if you wish to know more. And who doesn't love trying different things out, anyway. It's 1/2 the fun.

    Edit: @Andy Ful & I posted at the same time! What do you know?
     

    imuade

    Level 11
    Verified
    That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandizip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandizip. That works for most applications.
    I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.:giggle:(y)
    Bandizip searches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files ?).
    To make exceptions of course works, but it's against the purpose of a default-deny solution.
    Anyway, I won't call it "issue", it's what a user can expect from H_C :)
     

    Andy Ful

    Level 59
    Verified
    Trusted
    Content Creator
    Bandizip searches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files ?).
    To make exceptions of course works, but it's against the purpose of a default-deny solution.
    Anyway, I won't call it "issue", it's what a user can expect from H_C :)
    I tested the Bandizip updating and it is the standard issue, related to the fact that Bandizip runs the update from the Temp folder with standard rights (blocked by SRP in H_C settings). It could run it with Administrator rights, and then there was not any problem (in H_C settings). But, as I said in my previous post, the user can simply run Bandizip with Administrator rights (via "Run As SmartScreen") in order to update it from application GUI. You do not do anything else (no making exceptions, no turning off the protection, etc.).
    You are right that Windows should show the alert when blocking the update, but this is Windows (far from perfect).:sneaky:
    There are two main inconveniences related to default-deny setup:
    1. Whitelisting user applications.
    2. Updating user applications.
    That is why most people like default-allow setup. Everyone has to find an individual balance between security and usability.:unsure:(y)
     

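The block described in the post above (an updater started from the Temp folder with standard rights and stopped by SRP without any prompt) can be made visible from the event log. This is an added example, not code from the thread or from Hard_Configurator; it assumes SRP block events are written to the Application log by the provider named below, that the event text is in English, and that "SystemSpace" means the Windows and Program Files folders.

```powershell
# Added example: list recent SRP block events so a silently blocked updater becomes visible.
# Assumptions: provider name and English message text as noted in the lead-in;
# the SystemSpace folder list and the 7-day window are illustrative choices.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = 865, 866, 867, 868
    StartTime    = (Get-Date).AddDays(-7)
}
$systemSpace = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$blocked = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event text has the form "Access to <path> has been restricted by your Administrator ..."
        if ($_.Message -notmatch 'Access to (.+?) has been restricted') { return }
        $path = $Matches[1]
        $inSystem = $false
        foreach ($root in $systemSpace) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inSystem = $true }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Space   = if ($inSystem) { 'SystemSpace' } else { 'UserSpace' }
            InTemp  = $path -like '*\Temp\*'   # updaters unpacked to Temp show up here
            Path    = $path
        }
    }

if (-not $blocked) {
    'No SRP block events in the last 7 days.'
} else {
    # Newest first, then the most frequently blocked paths.
    $blocked | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
    $blocked | Group-Object Path | Sort-Object Count -Descending |
        Select-Object Count, Name -First 10 | Format-Table -AutoSize -Wrap
}
```

Run it right after an update attempt that "did nothing"; a UserSpace entry with InTemp set to True matches the situation described in the post.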
    imuade

    Level 11
    Verified
    Update 06/03/2019
    Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW (y)

    So, summarizing:
    • Web protection: k9
    • Antivirus: Immunet
    • Firewall: Windows Defender Firewall + Windows 10 Firewall Control
    • Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
    • Backup: Lazesoft Recovery Suite Home Edition
     

    shmu26

    Level 85
    Verified
    Trusted
    Content Creator
    I haven't had any issue so far, I think they don't overlap too much.
    Anyway, first I set SysHardener, then Hard_Configurator.
    In certain places, they do the same thing but in different ways. @Andy Ful always says to be careful about mixing his tool with SysHardener because it can make settings that you did not want. I can't claim to understand it fully, but he does.
     

    Andy Ful

    Level 59
    Verified
    Trusted
    Content Creator
    They overlap in many areas in different ways. Furthermore, SysHardener disables some functionality of H_C. For example, both SysHardener and Hard_Configurator prevent the user from running files with dangerous extensions like: VBS, VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF, etc. SysHardener can block 13 file extensions (by file associations) and H_C blocks 42 (by SRP, including all blocked by SysHardener) + additional added by the user. H_C allows whitelisting some blocked files, but SysHardener will block them anyway. H_C allows running those files from the elevated shell, but SysHardener will block them anyway.
    Suppose that the user wants to switch off temporarily the H_C protection and run some blocked files. Then files like MSC, CPL, CHM and many others could be opened, but VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF would be still blocked.
    If the user turns OFF SysHardener protection, and keeps H_C protection, then he/she does not notice any difference, because all dangerous file extensions will be still blocked by H_C.
    The problems can happen also with unblocking remote features, PowerShell Constrained Language mode, hardening settings for MS Office and Adobe Acrobat Reader, etc.

    Generally, in the home environment on the updated Windows 10 with updated software, SysHardener is redundant when using H_C in Recommended Enhanced settings. In the upcoming H_C version, Recommended Enhanced settings will block more Sponsors:
    powershell.exe, powershell_ise.exe, bitsadmin.exe, csc.exe, hh.exe, ieexec.exe, iexplore.exe, installutil.exe, msbuild.exe, mshta.exe, presentationhost.exe, reg.exe, regini.exe, regsvcs.exe, wmic.exe, bash.exe, regasm*, schtasks.exe, scrcons.exe, windbg.exe.

    If one wants to use the SysHardener firewall rules for LOLBins, then it is OK, but it is safer to block them in H_C.

    There would be some advantage of using both H_C and SysHardener in the enterprise environment, because some SysHardener settings can block processes running with Administrator rights. In H_C, most restrictions block (by design) only processes running with standard rights.
     

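The two layers described in the post above (SRP designated file types on one side, file associations on the other) can be inspected side by side, which shows why turning one tool off leaves the other layer's blocks in place. This is an added example, not code from the thread or from either tool; it assumes SRP settings are stored under the standard policy key, and since the thread does not say how SysHardener rewrites an association, the current handler is only reported.

```powershell
# Added example: show, per extension, what each of the two layers currently says.
# Assumptions: SRP settings live under the standard policy key below; the way
# SysHardener changes a file association is not stated in the thread.
$srpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$srp      = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
$srpTypes = @($srp.ExecutableTypes) | Where-Object { $_ } | ForEach-Object { $_.ToUpper() }

# SRP default security level values.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
if ($srp -and $null -ne $srp.DefaultLevel) {
    'SRP DefaultLevel: {0}' -f $levels[[int]$srp.DefaultLevel]
} else {
    'SRP policy key or DefaultLevel not found.'
}

# Extensions named in the post above (not the full lists of 13 or 42).
$extensions = 'VBS','VBE','JS','JSE','WSF','WSH','HTA','SCR','PIF','MSC','CPL','CHM'

$report = foreach ($ext in $extensions) {
    # Layer 2: file association (extension -> ProgID -> open command), if any.
    $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\.$ext" -ErrorAction SilentlyContinue).'(default)'
    $open   = $null
    if ($progId) {
        $open = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        Extension     = $ext
        SrpDesignated = $srpTypes -contains $ext   # Layer 1: SRP designated file type
        ProgId        = $progId
        OpenCommand   = $open
    }
}
$report | Format-Table -AutoSize -Wrap
```

Comparing the output before and after changing either tool's settings shows which layer a given change actually touched.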
    Andy Ful

    Level 59
    Verified
    Trusted
    Content Creator
    I haven't had any issue so far, I think they don't overlap too much.
    Anyway, first I set SysHardener, then Hard_Configurator.
    It will be OK, if you do not change the settings of SysHardener or H_C.:giggle:
    But some functionality of H_C, related to whitelisting files with dangerous extensions and turning OFF some H_C settings, will be diminished.(y)
    Thanks for testing H_C again.:emoji_ok_hand:
     

    Andy Ful

    Level 59
    Verified
    Trusted
    Content Creator
    Update 06/03/2019
    Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW (y)

    So, summarizing:
    • Web protection: k9
    • Antivirus: Immunet
    • Firewall: Windows Defender Firewall + Windows 10 Firewall Control
    • Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
    • Backup: Lazesoft Recovery Suite Home Edition
    There will always be some problems with application auto-updating when using default-deny setup. Personally, when the auto-update of some application is blocked, I simply turn OFF auto-updates for it, and perform manual updates. On an Administrator account, it can be simply done by running the application via "Run As SmartScreen" and performing the update from application GUI. If the update requires the updater downloaded from the Internet, then the updater should be run via "Run As SmartScreen".
    Probably something like SUMO (www.kcsoftwares.com) updater can be useful, too.
     