New Update Simple Windows Hardening

Azerty123

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
@Andy Ful could you make a portable firewall tool that can only allow internet access to specified apps (browsers,IDM,Antivirus,svchost...etc) and block everything else (lolbins,Office macros,adobe,malwares...etc) from accessing the internet.
Binisoft WFC can do that but i was wandering if a portable tool can also do it.
 
  • Like
Reactions: Nevi, [correlate] and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,480
Azerty123 said:
@Andy Ful could you make a portable firewall tool that can only allow internet access to specified apps (browsers,IDM,Antivirus,svchost...etc) and block everything else (lolbins,Office macros,adobe,malwares...etc) from accessing the internet.
Binisoft WFC can do that but i was wandering if a portable tool can also do it.
Click to expand...

I could do it, but I am not convinced if it would be useful. If one wants such an application then Binisoft WFC is already here. Furthermore, one can do this using only Windows Firewall. Simply block all outbound connections and allow Svchost. Next, you can run FirewallHardening without any BlockList, enable Logging events, and use <Blocked Events> to identify the blocked processes. Finally, create the Allow rule in Windows Firewall for each blocked program.

This will not be possible with the upcoming FirewallHardening ver. 2011, because the new version will display only events related to the FirewallHaredening BlockList.
 
  • Like
Reactions: SeriousHoax, Azerty123, Nevi and 2 others
Azerty123

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
Andy Ful said:
I could do it, but I am not convinced if it would be useful. If one wants such an application then Binisoft WFC is already here. Furthermore, one can do this using only Windows Firewall. Simply block all outbound connections and allow Svchost. Next, you can run FirewallHardening without any BlockList, enable Logging events, and use <Blocked Events> to identify the blocked processes. Finally, create the Allow rule in Windows Firewall for each blocked program.

This will not be possible with the upcoming FirewallHardening ver. 2011, because the new version will display only events related to the FirewallHaredening BlockList.
Click to expand...

Why do you think it would not be useful because with a setup like that a malware can only connect to the internet using BITS Jobs (Powershell, Bitsadmin, desktopimgdownldr) and we can block these lolbins using Defender exploit protection.

or we can even disable the startup of BITS service.
 
  • Like
Reactions: [correlate]
Azerty123

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
by the way i just disabled BITS service and still windows update is working (Windows 11) but the lolbins that use BITS jobs can not connect to the internet.

Powershell BITS Command:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination
 
  • Like
Reactions: [correlate]
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,480
Azerty123 said:
Why do you think it would not be useful because with a setup like that a malware can only connect to the internet using BITS Jobs (Powershell, Bitsadmin, desktopimgdownldr) and we can block these lolbins using Defender exploit protection.

or we can even disable the startup of BITS service.
Click to expand...

There is not any advantage of using a portable application over Binisoft WFC, for that. It could not extend the Windows built-in features, so it would not be much easier than using Windows Firewall native options, except the option of FirewallHardening to see the blocked outbound connections. The Windows Event Log cannot separate inbound and outbound connections, so it is not especially useful to see only outbound blocked connections.
 
  • +Reputation
  • Like
Reactions: [correlate] and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,480
Azerty123 said:
by the way i just disabled BITS service and still windows update is working (Windows 11) but the lolbins that use BITS jobs can not connect to the internet.

Powershell BITS Command:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination
Click to expand...
You did not disable BITS but only stopped the service. When BITS service is disabled, then it cannot be started with standard rights. But, it can be enabled with higher privileges and used to download the payload, anyway.
 
Last edited:
  • Like
Reactions: oldschool
Azerty123

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
Yes they can with admin privileges

Powershell Command:
Set-Service bits -StartupType manual
start-service bits

any ideas how to prevent them
 
Last edited:
  • Like
Reactions: [correlate]
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,480
Azerty123 said:
Yes they can with admin privileges

Powershell Command:
Set-Service bits -StartupType manual
start-service bits

any ideas how to prevent them
Click to expand...
Use SWH or another method to restrict scripting and access to the CmdLine.
 
Last edited:
  • Like
Reactions: [correlate]
Azerty123

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
i deleted bits service but somehow windows updates is working while powershell or bitsadmin aren't

Powershell Command:
sc.exe delete "bits"
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,480
SWH and Spider-Miner

This malware is intended to attack home users. It mimics the torrent file of a movie but in fact it is an EXE file. The hash is still absent on Virus Total.

1640296974538.png


The file identifies itself as “spiderman_net_putidomoi.torrent.exe,” which translates from Russian to “spiderman_no_wayhome.torrent.exe.” The origin of the file is most likely from a Russian torrenting website.
...
The program starts two powershell encoded commands, that adds the following extended exclusions to Microsoft Defender: ignore all folders under the user profile, the system drive (i.e. “c:\\”), and all files with extensions of “.exe” or “.dll”.
blog.reasonsecurity.com

Spider-Miner: With Great Power Comes Great Problems!

ReasonLabs-spider-miner-with-great-power-comes-great-problems
blog.reasonsecurity.com blog.reasonsecurity.com
Click to expand...

SWH is not intended to block EXE files and leaves the protection to SmartScreen and Antivirus. Anyway, SWH can support Microsoft Defender in this attack due to restricting PowerShell commands via SRP (it forces Constrained Language Mode for PowerShell).
From the malware analysis it follows that it does not drop the script files (like *.ps1) but can execute PowerShell encoded commands to abuse Defender. This will be blocked by Constrained Language Mode.

If one is not a happy-clicker then this attack is not dangerous and will be blocked by Windows 10 default protection (SmartScreen for Explorer). Furthermore, the attack requires admin rights to inject the Monero miner code into Svchost. So, the user will see the UAC prompt - from the malware analysis, we know that the malware does not use UAC bypass.

It seems that paradoxically the users of Microsoft Defender can be more secure (compared to some other AVs) against similar malware that could use UAC bypass. A few days ago I tested Defender and other AVs. Defender blocked the known Windows 10 UAC bypasses and they were not fully blocked by some 3rd party AVs.
 
Last edited:
  • Like
  • +Reputation
  • Wow
Reactions: Zartarra, plat, silversurfer and 6 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,232
  • Like
Reactions: codswollip, oldschool, Andy Ful and 2 others
codswollip

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
Andy Ful said:
No.
Click to expand...
This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.

Reboot never happened, as the PC went to blackscreen. I now have no bios access and an unable to boot from USB to attempt recovery. Firmware rollback is not working. I've ordered an Nvme to USB adaptor and will attempt to reimage the drive externally to see if that resolves things. Otherwise, I'm bricked. I'll post the error images I captured just prior to reboot later.
 
  • Wow
  • Like
Reactions: Andy Ful, oldschool and Gandalf_The_Grey
L

Local Host

Andy Ful said:
There is not any advantage of using a portable application over Binisoft WFC, for that. It could not extend the Windows built-in features, so it would not be much easier than using Windows Firewall native options, except the option of FirewallHardening to see the blocked outbound connections. The Windows Event Log cannot separate inbound and outbound connections, so it is not especially useful to see only outbound blocked connections.
Click to expand...
The Windows Firewall logs can tell the difference between Inbound and Outbound traffic (among many other details), it only needs to be enabled (native option).

SVHost is the key to make your Firewall made of steel against malware as well, so is wise to only allow specific connections through it, the malware described above would never work on my PC, despite having WD turned OFF.
 
Last edited:
  • Like
Reactions: Andy Ful and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,480
Telos said:
This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.

Reboot never happened, as the PC went to blackscreen. I now have no bios access and an unable to boot from USB to attempt recovery. Firmware rollback is not working. I've ordered an Nvme to USB adaptor and will attempt to reimage the drive externally to see if that resolves things. Otherwise, I'm bricked. I'll post the error images I captured just prior to reboot later.
Click to expand...
It is very strange. SWH on default settings does not block the processes with high privileges and does not block EXE files at all. The symptoms you have noted are probably related to the incompatibility of the firmware driver with one of the Windows policies or SRP.
The incompatibility problem can be solved by rebooting the computer 3 times and then the option to use the Restore Point should be available. After restoring, all SWH settings are removed.
 
  • Like
Reactions: [correlate], Nevi, SeriousHoax and 2 others

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,414
Hard_Configurator Tools
South Park
South Park
Gandalf_The_Grey
    • Like
    • Hundred Points
New Update Patch Tuesday update (KB5041571) hits Copilot+ PCs running Windows 11 24H2
Replies
0
Views
293
Windows 11
Gandalf_The_Grey
Gandalf_The_Grey
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,081
Hard_Configurator Tools
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top