@Andy Ful
It gave a warning (see screenshot) In doubt I did not click OK, just closed the prompt. It went ahead anyway. After, apprehensivelydid checks for yesterday issues, it seems to be working fine.
View attachment 262976
That is OK.
Simple Windows Hardening
- Thread starter Andy Ful
- Start date
That is OK.
@Andy Ful could you make a portable firewall tool that can only allow internet access to specified apps (browsers,IDM,Antivirus,svchost...etc) and block everything else (lolbins,Office macros,adobe,malwares...etc) from accessing the internet.
Binisoft WFC can do that but i was wandering if a portable tool can also do it.
Binisoft WFC can do that but i was wandering if a portable tool can also do it.
I could do it, but I am not convinced if it would be useful. If one wants such an application then Binisoft WFC is already here. Furthermore, one can do this using only Windows Firewall. Simply block all outbound connections and allow Svchost. Next, you can run FirewallHardening without any BlockList, enable Logging events, and use <Blocked Events> to identify the blocked processes. Finally, create the Allow rule in Windows Firewall for each blocked program.
This will not be possible with the upcoming FirewallHardening ver. 2011, because the new version will display only events related to the FirewallHaredening BlockList.
Why do you think it would not be useful because with a setup like that a malware can only connect to the internet using BITS Jobs (Powershell, Bitsadmin, desktopimgdownldr) and we can block these lolbins using Defender exploit protection.
or we can even disable the startup of BITS service.
by the way i just disabled BITS service and still windows update is working (Windows 11) but the lolbins that use BITS jobs can not connect to the internet.
Powershell BITS Command:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination
Powershell BITS Command:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination
There is not any advantage of using a portable application over Binisoft WFC, for that. It could not extend the Windows built-in features, so it would not be much easier than using Windows Firewall native options, except the option of FirewallHardening to see the blocked outbound connections. The Windows Event Log cannot separate inbound and outbound connections, so it is not especially useful to see only outbound blocked connections.
You did not disable BITS but only stopped the service. When BITS service is disabled, then it cannot be started with standard rights. But, it can be enabled with higher privileges and used to download the payload, anyway.
Last edited:
Use SWH or another method to restrict scripting and access to the CmdLine.
Last edited:
for anyone looking more info on BITS this the most detailed article i found
blog.menasec.net
Hunting for Suspicious Usage of Background Intelligent Transfer Service (BITS)
BITS Overview Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or ...
SWH and Spider-Miner
This malware is intended to attack home users. It mimics the torrent file of a movie but in fact it is an EXE file. The hash is still absent on Virus Total.
SWH is not intended to block EXE files and leaves the protection to SmartScreen and Antivirus. Anyway, SWH can support Microsoft Defender in this attack due to restricting PowerShell commands via SRP (it forces Constrained Language Mode for PowerShell).
From the malware analysis it follows that it does not drop the script files (like *.ps1) but can execute PowerShell encoded commands to abuse Defender. This will be blocked by Constrained Language Mode.
If one is not a happy-clicker then this attack is not dangerous and will be blocked by Windows 10 default protection (SmartScreen for Explorer). Furthermore, the attack requires admin rights to inject the Monero miner code into Svchost. So, the user will see the UAC prompt - from the malware analysis, we know that the malware does not use UAC bypass.
It seems that paradoxically the users of Microsoft Defender can be more secure (compared to some other AVs) against similar malware that could use UAC bypass. A few days ago I tested Defender and other AVs. Defender blocked the known Windows 10 UAC bypasses and they were not fully blocked by some 3rd party AVs.
This malware is intended to attack home users. It mimics the torrent file of a movie but in fact it is an EXE file. The hash is still absent on Virus Total.
SWH is not intended to block EXE files and leaves the protection to SmartScreen and Antivirus. Anyway, SWH can support Microsoft Defender in this attack due to restricting PowerShell commands via SRP (it forces Constrained Language Mode for PowerShell).
From the malware analysis it follows that it does not drop the script files (like *.ps1) but can execute PowerShell encoded commands to abuse Defender. This will be blocked by Constrained Language Mode.
If one is not a happy-clicker then this attack is not dangerous and will be blocked by Windows 10 default protection (SmartScreen for Explorer). Furthermore, the attack requires admin rights to inject the Monero miner code into Svchost. So, the user will see the UAC prompt - from the malware analysis, we know that the malware does not use UAC bypass.
It seems that paradoxically the users of Microsoft Defender can be more secure (compared to some other AVs) against similar malware that could use UAC bypass. A few days ago I tested Defender and other AVs. Defender blocked the known Windows 10 UAC bypasses and they were not fully blocked by some 3rd party AVs.
Last edited:
Just upgraded to W11. Are there compatibility issues between SWH and W11? Does reset to W11 default work cleanly?
TIA!
TIA!
I'm using it on my newish laptop with W11 that I rarely open, but no issues that I can see.
Its fully compatible: Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator
Just be sure to use the latest version Simple Windows Hardening ver. 1.0.1.0.
github.com
Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator
GUI to Manage Software Restriction Policies and harden Windows Home OS - Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator
github.com
This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.
Reboot never happened, as the PC went to blackscreen. I now have no bios access and an unable to boot from USB to attempt recovery. Firmware rollback is not working. I've ordered an Nvme to USB adaptor and will attempt to reimage the drive externally to see if that resolves things. Otherwise, I'm bricked. I'll post the error images I captured just prior to reboot later.
The Windows Firewall logs can tell the difference between Inbound and Outbound traffic (among many other details), it only needs to be enabled (native option).
SVHost is the key to make your Firewall made of steel against malware as well, so is wise to only allow specific connections through it, the malware described above would never work on my PC, despite having WD turned OFF.
Last edited:
It is very strange. SWH on default settings does not block the processes with high privileges and does not block EXE files at all. The symptoms you have noted are probably related to the incompatibility of the firmware driver with one of the Windows policies or SRP.
The incompatibility problem can be solved by rebooting the computer 3 times and then the option to use the Restore Point should be available. After restoring, all SWH settings are removed.
Similar threads
