Latest Changes: Mar 24, 2019
Operating System: Windows 10
Windows Edition: Home
Build: 17763.379 (v. 1809)
System Architecture: 64-bit OS
Security Updates: Automatic Updates - All security and feature updates
User Access Control: Default
Firewall: Windows Firewall - Network security provided by Microsoft
Device Security: Windows Defender SmartScreen (Windows 10)
User Account: Administrator - User has complete control over the device
Recent Security Incidents: No malware or privacy issues
Malware Testing: None - No Malware on host PC or VM
Real-time Web & Malware Protection:
  1. Comodo AntiVirus
  2. K9 web protection
Custom Settings For Real-Time Protection: Custom - Major changes for Increased Security
Custom Settings For Real-Time Protection Details:
  1. CAV:
    • General settings --> Configuration --> Enabled Proactive Security
    • HIPS --> Disabled
    • Containment --> Auto-containment --> Block unknown
    • Containment --> Auto-containment --> Added exclusion for "Portable SW" folders
  2. Following categories blocked on k9:
    • Illegal / Questionable
    • Illegal Drugs
    • Phishing
    • Spyware / Malware Sources
    • Spyware Effects
    • Suspicious
Virus and Malware Removal Tools:
  1. HitmanPro
  2. AdwCleaner
Browsers and Extensions: Chromium portable (launched by chrlauncher) with:
  • ublock origin
  • F.B. Purity
  • Cookie AutoDelete
  • New tab redirect
  • Close&Clean
Web Privacy:
  1. Cloudflare DNS
  2. Windows Privacy Dashboard
  3. O&O shutup10
Password Management: None (integrated in the portable browser)
Default Web Search: Google
System Utilities:
  • NVT SysHardener
  • UAC Pass
  • PeaZip
  • Geek uninstaller
  • Dism++
  • RAPR
  • SUMo
Data Backup: Lazesoft Recovery Suite Home Edition
Frequency of Data backups: Monthly
System Backup: Lazesoft Recovery Suite Home Edition
Frequency of System backups: Regularly
Computer Activity:
  • Banking
  • Browsing Internet and email
Computer Specifications: MSI cubi i3 5005U

imuade

What is a SW?
Software, I think.
Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool. I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
 

Andy Ful

Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool. I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandizip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandizip. That works for most applications.
I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.
 

oldschool

Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C blocking the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool. I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it" :)
I'm not an evangelist for H_C, however, I posted my Q on the H_C thread and @andy was kind enough to help, as always. He has the patience of Job. If Bandizip was in UserSpace, as opposed to SystemSpace, and not whitelisted - then you may have the reason for your trouble. I will leave it to the guru to unwind the issue, if you wish to know more. And who doesn't love trying different things out, anyway. It's 1/2 the fun.

Edit: @Andy Ful & I posted at the same time! What do you know?
 

imuade

That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandizip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandizip. That works for most applications.
I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.
Bandizip searches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files?).
To make exceptions of course works, but it's against the purpose of a default-deny solution.
Anyway, I won't call it "issue", it's what a user can expect from H_C :)
 

Andy Ful

Bandizip searches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files?).
To make exceptions of course works, but it's against the purpose of a default-deny solution.
Anyway, I won't call it "issue", it's what a user can expect from H_C :)
I tested the Bandizip updating and it is the standard issue, related to the fact that Bandizip runs the update from the Temp folder with standard rights (blocked by SRP in H_C settings). It could run it with Administrator rights, and then there was not any problem (in H_C settings). But, as I said in my previous post, the user can simply run Bandizip with Administrator rights (via "Run As SmartScreen") in order to update it from application GUI. You do not do anything else (no making exceptions, no turning off the protection, etc.).
You are right that Windows should show the alert when blocking the update, but this is Windows (far from perfect).
There are two main inconveniences related to default-deny setup:
  1. Whitelisting user applications.
  2. Updating user applications.
That is why most people like default-allow setup. Everyone has to find an individual balance between security and usability.
 
Last edited:
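
An added example, not part of the thread or of Hard_Configurator: since Windows shows no prompt when SRP blocks a program, the block can still be looked up in the event log. This sketch assumes the SRP rules set by H_C are logged by the standard Windows SRP provider in the Application log and that the event messages are in English.

```powershell
# Added example: show what Software Restriction Policies (SRP) blocked in the last
# 24 hours, so a silently failing updater (as in the Bandizip case) can be identified.
# Assumptions: blocks are recorded in the Application log by the provider below, and
# the message text is English ("Access to <path> has been restricted ...").
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = 865, 866, 867, 868, 882    # SRP "access restricted" events
    StartTime    = (Get-Date).AddDays(-1)
}

# Get-WinEvent raises an error when nothing matches, so silence it and test the result.
$blocked = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $blocked) {
    Write-Output 'No SRP block events in the last 24 hours.'
    return
}

$blocked | ForEach-Object {
    # Pull the blocked path out of the message; fall back to the whole message.
    $path = if ($_.Message -match 'Access to (.+?) has been restricted') {
        $Matches[1]
    } else {
        $_.Message
    }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        Path     = $path
        # Temp-folder blocks are the typical sign of an updater running with standard rights.
        FromTemp = $path -like "$env:TEMP*" -or $path -like "$env:LOCALAPPDATA\Temp*"
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

If powershell.exe itself is blocked for standard-rights processes, run the script from an elevated PowerShell window.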

imuade

Update 06/03/2019
Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW

So, summarizing:
  • Web protection: k9
  • Antivirus: Immunet
  • Firewall: Windows Defender Firewall + Windows 10 Firewall Control
  • Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
  • Backup: Lazesoft Recovery Suite Home Edition
 

shmu26

I haven't had any issue so far, I think they don't overlap too much.
Anyway, first I set SysHardener, then Hard_Configurator.
In certain places, they do the same thing but in different ways. @Andy Ful always says to be careful about mixing his tool with SysHardener because it can make settings that you did not want. I can't claim to understand it fully, but he does.
 

Andy Ful

They overlap in many areas in different ways. Furthermore, SysHardener disables some functionality of H_C. For example, both SysHardener and Hard_Configurator prevent the user from running files with dangerous extensions like: VBS, VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF, etc. SysHardener can block 13 file extensions (by file associations) and H_C blocks 42 (by SRP, including all blocked by SysHardener) + additional added by the user. H_C allows whitelisting some blocked files, but SysHardener will block them anyway. H_C allows running those files from the elevated shell, but SysHardener will block them anyway.
Suppose that the user wants to switch off temporarily the H_C protection and run some blocked files. Then files like MSC, CPL, CHM and many others could be opened, but VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF would be still blocked.
If the user turns OFF SysHardener protection, and keeps H_C protection, then he/she does not notice any difference, because all dangerous file extensions will be still blocked by H_C.
The problems can happen also with unblocking remote features, PowerShell Constrained Language mode, hardening settings for MS Office and Adobe Acrobat Reader, etc.

Generally, in the home environment on the updated Windows 10 with updated software, SysHardener is redundant when using H_C in Recommended Enhanced settings. In the upcoming H_C version, Recommended Enhanced settings will block more Sponsors:
powershell.exe, powershell_ise.exe, bitsadmin.exe, csc.exe, hh.exe, ieexec.exe, iexplore.exe, installutil.exe, msbuild.exe, mshta.exe, presentationhost.exe, reg.exe, regini.exe, regsvcs.exe, wmic.exe, bash.exe, regasm*, schtasks.exe, scrcons.exe, windbg.exe.

If one wants to use the SysHardener firewall rules for LOLBins, then it is OK, but it is safer to block them in H_C.

There would be some advantage of using both H_C and SysHardener in the enterprise environment, because some SysHardener settings can block processes running with Administrator rights. In H_C, most restrictions block (by design) only processes running with standard rights.
 
Last edited:

Andy Ful

I haven't had any issue so far, I think they don't overlap too much.
Anyway, first I set SysHardener, then Hard_Configurator.
It will be OK, if you do not change the settings of SysHardener or H_C.
But some functionality of H_C, related to whitelisting files with dangerous extensions and turning OFF some H_C settings, will be diminished.
Thanks for testing H_C again.
 

Andy Ful

Update 06/03/2019
Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW

So, summarizing:
  • Web protection: k9
  • Antivirus: Immunet
  • Firewall: Windows Defender Firewall + Windows 10 Firewall Control
  • Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
  • Backup: Lazesoft Recovery Suite Home Edition
There will always be some problems with application auto-updating when using default-deny setup. Personally, when the auto-update of some application is blocked, I simply turn OFF auto-updates for it, and perform manual updates. On Administrator account, it can be simply done by running the application via "Run As SmartScreen" and performing the update from application GUI. If the update requires the updater downloaded from the Internet, then the updater should be run via "Run As SmartScreen".
Probably something like SUMO (www.kcsoftwares.com) updater can be useful, too.
 
