As posted here (Double cloud whitelist protection) I have AVAST One free in hardened mode (on my wife's Windows 11 laptop) running without any problems with:
- Smart Application Control enabled (allowing only trusted EXE and MSI programs to run)
- Software Restriction Policies using Hard_Configurator with AVAST profile (allowing EXE, MSI and TMP) with all hardening enabled and sponsors blocked (scriptors + enhanced)
- Blocked CMD, CSCRIPT, MSHTA, MSRA, MSTSC and WMIC by enabling all protections in MD Exploit Protection for those programs (trick first posted by Oerlink).
I have set AVAST to silently resolve everything (in silent mode but you need to disable prompt for USB connection scan).
Really happy with AVAST free.
I only removed the web-protection (because it did not seem to block anything when I was playing with malware URLs).
I thought when Microsoft Defender and Avast perform very well in both professional lab tests and @Shadowra tests in blacklist mode (blocking bad), the combination of these two in cloud whitelist mode (allowing only known good) must be a Fort Knox secure setup. Microsoft promises that SAC can run alongside any third-party AntiVirus solution. This provides a super safe double whitelist protection for average PC users without the hassle and limitations of zero trust solutions (still running admin with ability to run programs outside UAC protected folders).
Thanks to @Andy Ful's hard work and predefined settings, H_C in Simple Windows Hardening mode is a proven and zero-problem attack surface reduction (blocking risky file extensions in user folders which could contain scripts or code). SRP blocking sponsors for standard users is a best practice which has proven itself as problem free for years. Except for CMD, the executables blocked with MD exploit protection are also in the Microsoft Recommended Block list for WDAC (so disabling them for admin should not give any problems either).
The only unproven hardening is the disabling of CMD and CSCRIPT, but I have disabled CMD and CSCRIPT on my Windows 10 desktop since 2019 without any problems, so I figured that it would be safe to kill this dinosaur. After all, CMD/CSCRIPT dates back to the introduction of Windows 3.1. That was in 1993, that is 30 years ago!
With the above settings the monthly Windows update and Avast update succeeded without problems, as well as an update of a program installed in user space (a photobook program).
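
One way to check that the Exploit Protection overrides from the third bullet are still in place after Windows or Avast updates (an added example, not part of the original post): it lists which per-program mitigations are switched on for the six executables named there. It assumes the built-in `Get-ProcessMitigation` cmdlet in an elevated PowerShell session; walking the returned object generically, instead of using fixed property names, is an assumption about the cmdlet's output shape.

```powershell
# Added example: audit per-program Exploit Protection overrides for the
# executables listed in the post. Run from an elevated PowerShell prompt.
$targets = 'cmd.exe', 'cscript.exe', 'mshta.exe', 'msra.exe', 'mstsc.exe', 'wmic.exe'

$report = foreach ($exe in $targets) {
    # Query the per-application policy; no output means no override is stored.
    $policy = Get-ProcessMitigation -Name $exe -ErrorAction SilentlyContinue |
        Select-Object -First 1

    $enabled = @()
    if ($policy) {
        # Walk every mitigation category (DEP, ASLR, CFG, ...) without
        # hard-coding names, so new categories are picked up as well.
        foreach ($category in $policy.PSObject.Properties) {
            $value = $category.Value
            # Skip plain fields such as the program name or numeric ids.
            if ($null -eq $value -or $value -is [string] -or $value -is [ValueType]) {
                continue
            }
            foreach ($setting in $value.PSObject.Properties) {
                # Each setting is reported as ON, OFF or NOTSET.
                if ("$($setting.Value)" -eq 'ON') {
                    $enabled += "$($category.Name).$($setting.Name)"
                }
            }
        }
    }

    [pscustomobject]@{
        Program   = $exe
        EnabledOn = $enabled.Count
        Status    = if ($enabled.Count -gt 0) { 'override present' } else { 'NO OVERRIDE' }
        Settings  = $enabled -join ', '
    }
}

# A program showing NO OVERRIDE is no longer covered by the hardening.
$report | Format-Table -AutoSize -Wrap
```

A non-zero count only shows that an override exists, not that every protection is enabled; compare the `Settings` column between machines or before and after an update to spot drift.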