Advanced Plus Security imuade's Security Configuration 2019

[imuade]

Update 24/02/2019
Removed Hard_Configurator (great tool, but the lack of prompt is annoying when you have to update a SW)
Added Windows 10 Firewall Control Free

 

[Threadripper]

Immunet, now that's a blast from the past. I hear they've updated the backend, front hasn't changed since 2009 but how is it these days?

 

[Andy Ful]

What is a SW?

 

[oldschool]

What is a SW?

Software, I think.

 

[imuade]

Immunet, now that's a blast from the past. I hear they've updated the backend, front hasn't changed since 2009 but how is it these days?

It has improved a lot since Cisco acquired it. It's very lightweight and not that bad about signatures. I like it so far

 

[imuade]

What is a SW?

Software, I think.

Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C to block the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it"

 

[Andy Ful]

Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C to block the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it"

That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandzip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandzip. That works for most applications.
I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.

 

[oldschool]

Yeah, I mean software. For example, yesterday I tried to update Bandizip, but nothing happened. I couldn't figure out why, but then I realized it was H_C to block the updater, so I had to switch default deny shields off to update it.
As I said, H_C is a great tool I just want something more user friendly, something like a prompt saying "H_C blocked XYZ. Switch default deny shields off to allow it"

I'm not an evangelist for H_C, however, I posted my Q on the H_C thread and @andy was kind enough to help, as always. He has the patience of Job. If Bandzip was in UserSpace, as opposed to SystemSpace, and not whitelisted - then you may have the reason for your trouble. I will leave it to the guru to unwind the issue, if you wish to know more. And who doesn't love trying different things out, anyway. It's 1/2 the fun.

Edit: @Andy Ful & I posted at the same time! What do you know?

 

[imuade]

That is OK, thanks for testing H_C. You do not need to switch off the H_C protection. You could run the Bandzip shortcut (or executable) via "Run As SmartScreen" and make the update from elevated Bandzip. That works for most applications.
I am making the FAQ for H_C, and thanks to you, there will be a point related to your issue.

Bandizip seraches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files ?).
To make exceptions of course works, but it's against the purpose of a defaul-deny solution.
Anyway, I won't call it "issue", it's what a user can expect from H_C

 

[Andy Ful]

Bandizip seraches for updates from the GUI, so I'm not sure from where the updater runs (temp folder or Program Files ?).
To make exceptions of course works, but it's against the purpose of a defaul-deny solution.
Anyway, I won't call it "issue", it's what a user can expect from H_C

I tested the Bandzip updating and it is the standard issue, related to the fact that Bandzip runs the update from the Temp folder with standard rights (blocked by SRP in H_C settings). It could run it with Administrator rights, and then there was not any problem (in H_C settings). But, as I said in my previous post, the user can simply run Bundzip with Administrator rights (via "Run As SmartScreen") in order to update it from application GUI. You do not do anything else (no making exceptions, no turning off the protection, etc.).
You are right that Windows should show the alert when blocking the update, but this is Windows (far from perfect).
There are two main inconvenniences related to default-deny setup:

1. Whitelisting user applications.
2. Updating user applications.

That is why most people like default-allow setup. Everyone has to find an individual balance between security and usability.

 

[LDogg]

That is why most people like default-allow setup. Everyone has to find an individual balance between security and usability.

@Andy Ful, I could not agree with this more really. It's why I'm not a big fan of App Whitelisting software xD

~LDogg

 

[Threadripper]

It has improved a lot since Cisco acquired it. It's very lightweight and not that bad about signatures. I like it so far

Do you use blocking mode and do you have ClamAV disabled?

 

[imuade]

Do you use blocking mode and do you have ClamAV disabled?

I disabled the following settings:

• Monitor program install
• Blocking mode
• Monitor network connections
• Enable ClamAV engine
• Allow definition updates

 

[imuade]

Update 06/03/2019
Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW

So, summarizing:

• Web protection: k9
• Antivirus: Immunet
• Firewall: Windows Defender Firewall + Windows 10 Firewall Control
• Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
• Backup: Lazesoft Recovery Suite Home Edition

 

[shmu26]

Very nice config!
How do you avoid conflicts between H_C and Syshardener?

 

[imuade]

How do you avoid conflicts between H_C and Syshardener?

I haven't had any issue so far, I think they don't overlap too much.
Anyway, first I set SysHardener, then Hard_Configurator.

 

[shmu26]

I haven't had any issue so far, I think they don't overlap too much.
Anyway, first I set SysHardener, then Hard_Configurator.

In certain places, they do the same thing but in different ways. @Andy Ful always says to be careful about mixing his tool with SysHardener because it can make settings that you did not want. I can't claim to understand it fully, but he does.

 

[Andy Ful]

They overlap in many areas in different ways. Furthermore, SysHardener disables some functionality of H_C. For example, both SysHardener and Hard_Configurator prevent the user from running files with dangerous extensions like: VBS, VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF, etc. Syshardener can block 13 file extensions (by file associations) and H_C blocks 42 (by SRP, including all blocked by SysHardener) + additional added by the user. H_C allows to whitelist some blocked files, but SysHardener will block them anyway. H_C allows running those files from the elevated shell, but SysHardener will block them anyway.
Suppose that the user wants to switch off temporarily the H_C protection and run some blocked files. Then files like MSC, CPL, CHM and many others could be opened, but VBE, JS, JSE, WSF, WSH, HTA, SCR, PIF would be still blocked.
If the user turns OFF SysHardener protection, and keep H_C protection, then he/she does not notice any difference, because all dangerous file extensions will be still blocked by H_C.
The problems can happen also with unblocking remote features, PowerShell Constrained Language mode, hardening settings for MS Office and Adobe Acrobat Reader, etc.

Generally, in the home environment on the updated Windows 10 with updated software, SysHardener is redundant when using H_C in Recommended Enhanced settings. In the upcomming H_C version, Recommended Enhanced settings will block more Sponsors:
powershell.exe, powershell_ise.exe, bitsadmin.exe, csc.exe, hh.exe, ieexec.exe, iexplore.exe, installutil.exe, msbuild.exe, mshta.exe, presentationhost.exe, reg.exe, regini.exe, regsvcs.exe, wmic.exe, bash.exe, regasm*, schtasks.exe, scrcons.exe, windbg.exe.

If one wants to use the SysHardener firewall rules for LOLBins, then it is OK, but it is safer to block them in H_C.

There would be some advantage of using both H_C and SysHardener in the enterprise environment, because some SysHardener settings can block processes running with Administrator rights. In H_C, most restrictions blocks (by design) only processes running with standard rights.

 

[Andy Ful]

I haven't had any issue so far, I think they don't overlap too much.
Anyway, first I set SysHardener, then Hard_Configurator.

It will be OK, if you do not change the settings of SysHardener or H_C.
But some functionality of H_C, related to whitelisting files with dangerous extensions and turning OFF some H_C settings, will be diminished.
Thanks for testing H_C again.:emoji_ok_hand:

 

[Andy Ful]

Update 06/03/2019
Re-added Hard_Configurator (Windows 10 Recommended Enhanced) with more whitelisted paths to avoid update issues with installed SW

So, summarizing:

• Web protection: k9
• Antivirus: Immunet
• Firewall: Windows Defender Firewall + Windows 10 Firewall Control
• Hardening: NoVirusThanks SysHardener + AndyFul's Hard_Configurator
• Backup: Lazesoft Recovery Suite Home Edition

There will be always some problems with application auto-updating when using default-deny setup. Personally, when the auto-update of some application is blocked, I simply turn OFF auto-updates for it, and perform manual updates. On Administrator account, it can be simply done by running the application via "Run As SmartScreen" and perform the update from application GUI. If the update requires the updater downloaded from the Internet, then the updater should be run via "Run As SmartScreen".
Probably something like SUMO (www.kcsoftwares.com) updater can be useful, too.