Advanced Plus Security imuade's Security Configuration 2019

Last updated
Nov 23, 2019
Windows Edition
Home
Security updates
Allow security updates and latest features
User Access Control
Notify me only when programs try to make changes to my computer
Real-time security
Windows Defender
Firewall security
Microsoft Defender Firewall
About custom security
Windows Defender tweaked by ConfigureDefender (everything ON, cloud protection set to Block)
Periodic malware scanners
  1. HitmanPro
  2. AdwCleaner
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chromium portable (launched by chrlauncher) with:
  • Blocksi Web Filter
  • Close & Clean
  • Dark new tab
  • ublock origin
  • Windows Defender Browser Protection
Maintenance tools
  1. Dism++
  2. Explzh
  3. FastStone viewer
  4. Geek uninstaller
  5. NVT SysHardener
  6. Privacy Eraser
  7. RAPR
  8. SUMo
File and Photo backup
Lazesoft Recovery Suite Home Edition
System recovery
Lazesoft Recovery Suite Home Edition
Risk factors
    • Logging into my bank account
    • Browsing to popular websites
Computer specs
MSI cubi i3 5005U

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
Immunet, now that's a blast from the past. I hear they've updated the backend, front hasn't changed since 2009 but how is it these days?
 
  • Like
Reactions: bribon77

imuade

Level 12
Thread author
Verified
Top Poster
Well-known
Jul 29, 2018
566
What is a SW?(y)
Software, I think.
Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C to block the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,004
Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C to block the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandzip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandzip. That works for most applications.
I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.:giggle:(y)
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,012
Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C to block the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool (y) I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)

I'm not an evangelist for H_C, however, I posted my Q on the H_C thread and @andy was kind enough to help, as always. He has the patience of Job. If Bandzip was in UserSpace, as opposed to SystemSpace, and not whitelisted - then you may have the reason for your trouble. I will leave it to the guru to unwind the issue, if you wish to know more. And who doesn't love trying different things out, anyway. It's 1/2 the fun.

Edit: @Andy Ful & I posted at the same time! What do you know?
 

imuade

Level 12
Thread author
Verified
Top Poster
Well-known
Jul 29, 2018
566
That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandzip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandzip. That works for most applications.
I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.:giggle:(y)
Bandizip seraches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files ?).
To make exceptions of course works, but it's against the purpose of a defaul-deny solution.
Anyway, I won't call it "issue", it's what a user can expect from H_C :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,004
Bandizip seraches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files ?).
To make exceptions of course works, but it's against the purpose of a defaul-deny solution.
Anyway, I won't call it "issue", it's what a user can expect from H_C :)
I tested the Bandzip updating and it is the standard issue, related to the fact that Bandzip runs the update from the Temp folder with standard rights (blocked by SRP in H_C settings). It could run it with Administrator rights, and then there was not any problem (in H_C settings). But, as I said in my previous post, the user can simply run Bundzip with Administrator rights (via "Run As SmartScreen") in order to update it from application GUI. You do not do anything else (no making exceptions, no turning off the protection, etc.).
You are right that Windows should show the alert when blocking the update, but this is Windows (far from perfect).:sneaky:
There are two main inconvenniences related to default-deny setup:
  1. Whitelisting user applications.
  2. Updating user applications.
That is why most people like default-allow setup. Everyone has to find an individual balance between security and usability.:unsure:(y)
 
Last edited:

imuade

Level 12
Thread author
Verified
Top Poster
Well-known
Jul 29, 2018
566
Update 06/03/2019
Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW (y)

So, summarizing:
  • Web protection: k9
  • Antivirus: Immunet
  • Firewall: Windows Defender Firewall + Windows 10 Firewall Control
  • Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
  • Backup: Lazesoft Recovery Suite Home Edition
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I haven't had any issue so far, I think they don't overlap too much.
Anyway, first I set SysHardener, then Hard_Configurator.
In certain places, they do the same thing but in different ways. @Andy Ful always says to be careful about mixing his tool with SysHardener because it can make settings that you did not want. I can't claim to understand it fully, but he does.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,004
They overlap in many areas in different ways. Furthermore, SysHardener disables some functionality of H_C. For example, both SysHardener and Hard_Configurator prevent the user from running files with dangerous extensions like: VBS, VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF, etc. Syshardener can block 13 file extensions (by file associations) and H_C blocks 42 (by SRP, including all blocked by SysHardener) + additional added by the user. H_C allows to whitelist some blocked files, but SysHardener will block them anyway. H_C allows running those files from the elevated shell, but SysHardener will block them anyway.
Suppose that the user wants to switch off temporarily the H_C protection and run some blocked files. Then files like MSC, CPL, CHM and many others could be opened, but VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF would be still blocked.
If the user turns OFF SysHardener protection, and keep H_C protection, then he/she does not notice any difference, because all dangerous file extensions will be still blocked by H_C.
The problems can happen also with unblocking remote features, PowerShell Constrained Language mode, hardening settings for MS Office and Adobe Acrobat Reader, etc.

Generally, in the home environment on the updated Windows 10 with updated software, SysHardener is redundant when using H_C in Recommended Enhanced settings. In the upcomming H_C version, Recommended Enhanced settings will block more Sponsors:
powershell.exe, powershell_ise.exe, bitsadmin.exe, csc.exe, hh.exe, ieexec.exe, iexplore.exe, installutil.exe, msbuild.exe, mshta.exe, presentationhost.exe, reg.exe, regini.exe, regsvcs.exe, wmic.exe, bash.exe, regasm*, schtasks.exe, scrcons.exe, windbg.exe.

If one wants to use the SysHardener firewall rules for LOLBins, then it is OK, but it is safer to block them in H_C.

There would be some advantage of using both H_C and SysHardener in the enterprise environment, because some SysHardener settings can block processes running with Administrator rights. In H_C, most restrictions blocks (by design) only processes running with standard rights.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,004
I haven't had any issue so far, I think they don't overlap too much.
Anyway, first I set SysHardener, then Hard_Configurator.
It will be OK, if you do not change the settings of SysHardener or H_C.:giggle:
But some functionality of H_C, related to whitelisting files with dangerous extensions and turning OFF some H_C settings, will be diminished.(y)
Thanks for testing H_C again.:emoji_ok_hand:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,004
Update 06/03/2019
Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW (y)

So, summarizing:
  • Web protection: k9
  • Antivirus: Immunet
  • Firewall: Windows Defender Firewall + Windows 10 Firewall Control
  • Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
  • Backup: Lazesoft Recovery Suite Home Edition
There will be always some problems with application auto-updating when using default-deny setup. Personally, when the auto-update of some application is blocked, I simply turn OFF auto-updates for it, and perform manual updates. On Administrator account, it can be simply done by running the application via "Run As SmartScreen" and perform the update from application GUI. If the update requires the updater downloaded from the Internet, then the updater should be run via "Run As SmartScreen".
Probably something like SUMO (www.kcsoftwares.com) updater can be useful, too.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top