Latest changes: Oct 10, 2019
Windows Edition: Pro
OS version: 1903
System type: 64-bit operating system; x64-based processor
Security updates: Automatically allow security and feature updates
Windows UAC: Always notify
Firewall protection: Custom - Provided by a third-party security vendor
Account privileges: Administrator account
Account type: Sign in with associated Google ID
Account log-in:
  1. Account Password
Exposure to malware: No malware samples are downloaded
Real-time Malware protection: Windows Defender with Hard_Configurator; Comodo Firewall
RTP configuration: Windows Defender with some SRP rules; H_C: EXE and TMP allowed; CFW: ComodoFix config; Windows firewall is enabled.
Periodic scanners: --
Browser and Add-ons: Chrome, Edge
Privacy tools and VPN: uBlock Origin
Password manager: Bitwarden
Search engine: Google
Maintenance tools: Hard_Configurator
Photos and Files backup: Dropbox, OneDrive, GoogleDrive
File Backup schedule: Once or multiple times per week
Backup and Restore: Macrium Reflect
Backup schedule: Once or more per week
Computer Activity:
  1. Online banking
  2. Browsing the web and checking emails
  3. Regularly installing new software every week
  4. Shared computer is used by other family members
  5. Downloading files from different websites
  6. Office and other work-related software (Work from Home)
Computer Specifications: i5 6500, integrated graphics, 8 GB RAM, SSD

shmu26

> If I remember correctly it blocks 3rd party everything by default but check as I haven't had to use the default since forever (save settings on the cloud).
This is right. Out of the box it blocks 3rd party by default.
I tried it out a little. Looks good! Thanks for the suggestion.
 

SHvFl

> This is right. Out of the box it blocks 3rd party by default.
> I tried it out a little. Looks good! Thanks for the suggestion.
As usual it will be a bit annoying but the more you use it the less annoying it gets. I usually visit my normal websites from a uMatrix browser and any research I want to do that will be on random websites is done on another browser (deletes on close).
 

shmu26

Trying out this config:
Kaspersky Internet Security 2020 with Trusted Applications Mode
Hard_Configurator (default-allow)

I don't know what magic spells they uttered over Kaspersky 2020, but it is wicked fast.
 

Andy Ful

> Sorry Andy, I will never skip H_C :)
Although there is some advantage of using H_C even as default-allow (hardening + blocked Sponsors + forced SmartScreen + Documents Anti-Exploit), I think that KIS & TAM would be strong enough for most users. Please note that in a default-allow setup, PowerShell should be blocked because Constrained Language Mode works only in a default-deny setup. :giggle:
 

shmu26

> What exactly is your H_C default-allow setup? Could you post here the screenshot?
> If you used Avast profile or Allow EXE, then it is stronger than default-allow setup.
I used Windows_10_Recommended_Enhanced.hdc as a base, but I allowed EXE and TMP, and blocked *script.exe in Sponsors, and made a couple other modifications.
What is the proper meaning of "default-allow", in terms of H_C?

[Attachment: Annotation 2019-06-11 120721.png]
 

Andy Ful

> I used Windows_10_Recommended_Enhanced.hdc as a base, but I allowed EXE and TMP, and blocked *script.exe in Sponsors, and made a couple other modifications.
> What is the proper meaning of "default-allow", in terms of H_C?
>
> [Attachment 214833]

This is an Allow-EXE setup. In your case, it is equal to the Enhanced default-deny setup (scripts, MSI, all files from Designated File Types List, blocked Sponsors). PowerShell works in Constrained Language Mode and only PowerShell command lines are allowed - PowerShell script files cannot be executed from hard local disks. Only EXE files are allowed to run Unrestricted.
It is a hybrid between a default-deny and a default-allow setup. If you would use it with Avast Hardened Mode Aggressive, then H_C + Avast = default-deny setup.

A default-allow setup has <Default Security Level> = Unrestricted. This forces PowerShell to Full Language Mode (it is not restricted any more) and all extensions from SRP Designated File Types are not protected in UserSpace except LNK files, if <More SRP ...> <Protect Shortcuts> = ON. The chosen Sponsors can still be blocked by SRP if the <Block Sponsors> feature was used. Scripting can be blocked by <Disable Win. Script Host> = ON and <No PowerShell Exec> = ON or by blocking script Interpreters via <Block Sponsors>.
Below is a typical default-allow setup based on the Enhanced profile:
[Attachment 214838]
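
The default-allow versus default-deny distinction described in the post above can be checked on a machine with a read-only audit typed or pasted into an interactive PowerShell console. This is an added example, not part of the thread and not Hard_Configurator's own code; the registry paths are standard Windows locations, and treating the EnableScripts policy as the setting behind <No PowerShell Exec> is an assumption.

```powershell
# Added example: read-only audit, typed or pasted into an interactive PowerShell console.
# The registry paths are standard Windows locations, not values taken from the thread.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$psKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# SRP default security level: 0x40000 = Unrestricted, 0x0 = Disallowed.
$level = Get-RegValue $srpKey 'DefaultLevel'
if     ($null -eq $level)   { $srp = 'not configured' }
elseif ($level -eq 0x40000) { $srp = 'Unrestricted (default-allow)' }
elseif ($level -eq 0)       { $srp = 'Disallowed (default-deny)' }
else                        { $srp = 'other (0x{0:X})' -f $level }

# Language mode of this session: FullLanguage or ConstrainedLanguage.
$langMode = "$($ExecutionContext.SessionState.LanguageMode)"

# Windows Script Host is off when Enabled = 0 (an absent value means enabled).
$wshOff = "$(Get-RegValue $wshKey 'Enabled')" -eq '0'

# "Turn on Script Execution" policy: EnableScripts = 0 blocks .ps1 files.
# Assumption: this is the setting behind <No PowerShell Exec>.
$ps1Off = "$(Get-RegValue $psKey 'EnableScripts')" -eq '0'

"SRP default level : $srp"
"PS language mode  : $langMode"
"WSH disabled      : $wshOff"
"PS1 files blocked : $ps1Off"

# The gap described in the post: default-allow leaves PowerShell in Full
# Language Mode, so scripting has to be blocked by another setting.
if ($srp -ne 'Disallowed (default-deny)' -and $langMode -eq 'FullLanguage') {
    if (-not $wshOff) { 'GAP: Windows Script Host is still enabled' }
    if (-not $ps1Off) { 'GAP: PowerShell script files are not blocked by policy' }
}
```

Interpreters blocked through SRP path rules (the Sponsors list) are not visible to this check; it only reads the default level and the two script-host settings.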
 

shmu26

> Trying out this config:
> Kaspersky Internet Security 2020 with Trusted Applications Mode
> Hard_Configurator (default-allow)
I had a glitch with customized Kaspersky firewall settings, so I downgraded to Kaspersky Free Antivirus 2020, coupled with Hard_Configurator (default-deny, EXE blocked).
It looks like the issue is solved, thanks to @harlan4096 the wizard. So I am checking out the 2021 technical preview...
 

Andy Ful

Kaspersky with activated TAM works as a kind of SRP + forced SmartScreen. It can check/block the following file types: .bat, .cmd, .com, .js, .jse, .msc, .msi, .msp, .pif, .ps1, .reg, .scr, .settingcontent-ms, .vbe, .vbs, .wsf, .wsh, and maybe some more.
But it seems that .chm and .hta scriptlets are not covered.
 

Andy Ful

I had no time to test .cpl, .dll, .ocx, .sys, .tmp (for DLL), .tmp (for .exe). Avast Hardened Mode Aggressive can block .tmp (for .exe) but not the rest.
While activating TAM, a snapshot of the executables already present on disk is made. So, these executables are automatically excluded from reputation checking, even when they are not recognized as Trusted.
 

shmu26

> Kaspersky with activated TAM works as a kind of SRP + forced SmartScreen. It can check/block the following file types: .bat, .cmd, .com, .js, .jse, .msc, .msi, .msp, .pif, .ps1, .reg, .scr, .settingcontent-ms, .vbe, .vbs, .wsf, .wsh, and maybe some more.
> But it seems that .chm and .hta scriptlets are not covered.
Interesting. TAM does more than I thought.
 

shmu26

Unfortunately, Kaspersky's behavior is not quite as consistent as I would hope for. I have a certain program with a firewall block rule, and every once in a while, like tonight for instance, it somehow manages to connect to the internet anyways, causing my whole system to freeze and the program itself to deactivate. So it looks like I am back to:
Windows Defender with ConfigureDefender
Windows Software Restriction Policies with Hard_Configurator

 

oldschool

> Unfortunately, Kaspersky's behavior is not quite as consistent as I would hope for. I have a certain program with a firewall block rule, and every once in a while, like tonight for instance, it somehow manages to connect to the internet anyways, causing my whole system to freeze and the program itself to deactivate. So it looks like I am back to:
> Windows Defender with ConfigureDefender
> Windows Software Restriction Policies with Hard_Configurator

What a coincidence! I had an issue with KFA and website rendering, so it's been removed.
 