Advice Request Replacing AppGuard 5.2.9.1 with AppLocker (possibly)

Please provide comments and solutions that are helpful to the author of this topic.

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
You say Andy's "product" is only for security geeks but that is a wild claim and there is no evidence you provide to support it. You act like people cannot handle a product that is basically an ON-OFF product like a light switch. Please show us a single instance where a H_C user couldn't figure out how to use the product or a bug that persisted to the extent that the user abandoned the product.

Since you asked for evidence, I am happy to provide it.



Andy makes great products for security enthusiasts. I have actually always been surprised that a lot of security enthusiasts have a fondness for VS, simply because it was not designed for advanced users who like to tweak security software.

BTW, I COMPLETELY understand why you think deny-by-default products are such a difficult sell. On many different levels ;).
 
  • Like
Reactions: Nevi

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,041
As @mazskolnieces have noticed, the H_C settings can be used by anyone. Such a setup is intended especially for inexperienced users, children, etc. The only requirement is that from time to time the help from an advanced user is needed. If the software setup on the computer is simple, such help is needed sporadically. So it can be used without any problem by inexperienced users in 99.9% of the time and will require a geek in the rest 0.1%.
I would like to end the discussion about H_C because it is not needed here. We already have a separate thread for such discussions and @MrSecure007 can get comprehensive information there. (y)
 
Last edited:

Hutch

New Member
Sep 23, 2021
1
Microsoft still supports SRP with a huge online doc database. The evidence that Microsoft still includes SRP as part of its security best practices are pages such as this: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) - Windows security | Microsoft Docs

Since WDAC only applies to W10 (and Microsoft has never stated that it has plans to make it backward compatible), and AppLocker only applies to post-Windows 7 systems, the only native Microsoft option remains SRP for earlier systems. Microsoft clearly notes that SRP is the only one that works across mixed version enterprise environments.

Within the context of AppLocker, there are ways to bypass it including rundll32 and regsvr32. Microsoft Security even quotes the researchers who find this stuff such as Casey Smith and Matt Graeber.

There's literally hundreds of thousands of organizations and others that run Windows with rundll32 and regsvr32 disabled without there being any undue inconvenience or a system crash. There's no way to provide evidence except for a person to try it and see for themselves. Furthermore, Microsoft has never stated not to disable LOLBins because they are shipped with the OS and therefore not meant to be disabled. Any notion that permanently disabling Windows processes is wrong is ludicrous. If that were the case, then why does Microsoft still rely upon SRP (SRP, AppLocker and WDAC) as the foundation of its highest security where processes are permanently disabled ?

You want a link that provides a complete set of Microsoft best practices. Well there isn't one. Microsoft best practices are literally spread out across thousands of web pages and other resources such as Microsoft docs, support, blogs, and whitepapers. Just because I don't provide a link doesn't mean that what is being said is speculation. Go to any Microsoft Ignite and attend security presentations.

You seem to imply that just because Microsoft has "deprecated" SRP that it is no longer to be used. Then explain how Microsoft is not telling companies to stop using SRP with mixed environments and expensive Intune licenses, and infrastructure that is not possible to upgrade and upon which SRP is the only working option ?

ASR is Microsoft's foundational security with the objective to disable LOLBins. Within the context of reading Microsoft docs and security blogs this fact is plainly clear.

You assertion that WDAC is not SRP because it uses a kernel mode driver is ludicrous. SRP is not defined by how it does it, it is defined by what it does.

I will just end with this fact... Hard_Configurator is wildly popular and shall continue to grow in popularity. It's because @Andy Ful is a gentleman. H_C is a freeware open source project. Plus it provides for an almost completely trouble free security user experience. It uses not only SRP but various native Microsoft security options that Microsoft has no incentive to eliminate from the OS any time soon. There's no evidence to suggest otherwise. Absolutely none. Microsoft is not throwing the baby out with the bath water; SRP will be around for a long time.

We are all aware that you have your own peculiar motivated bias in certain topic matters. It's OK. You're entitled to your wrong opinions.
Deprecation means that it is no longer developed or supported, therefore it may or may not continue to work with further Windows upgrades. SRP certificate rules no longer work for instance, and MS will not do anything about it because SRP is deprecated and they warned you about it. So use deprecated features at your own risk.
 
  • Like
Reactions: Nevi

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,041
Deprecation means that it is no longer developed or supported, therefore it may or may not continue to work with further Windows upgrades. SRP certificate rules no longer work for instance, and MS will not do anything about it because SRP is deprecated and they warned you about it. So use deprecated features at your own risk.

With all respect, your post is nonsense. You should not post about something you do not know well.
  1. Microsoft stated that from Windows 1803, SRP is no longer developed. It is not the same as depreciated (Microsoft never said such a thing).
  2. SRP still works well on Windows Vista and higher versions including the upcoming Windows 11.
  3. All SRP features including certificate rules work well (tested today on WIndows 10 21H1).
SRP is still used in businesses:

SRP has some advantages and disadvantages compared to newer solutions (Applocker, WDAC/MDAC).
The advantages follow from the ability to selectively block/allow file opening by file extension. So, SRP can be also used alongside Applocker or WDAC/MDAC.
The big disadvantage for businesses is the lack of appropriate driver protection. Furthermore, the design of SRP is not as strong as in the case of Applocker and WDAC - easier to bypass in targeted attacks. That is why Microsoft recommends using Applocker or WDAC/MDAC in Enterprises.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top