Question Simple Windows Hardening

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
@Andy Ful could you make a portable firewall tool that can only allow internet access to specified apps (browsers, IDM, antivirus, svchost, etc.) and block everything else (LOLBins, Office macros, Adobe, malware, etc.) from accessing the internet?
Binisoft WFC can do that, but I was wondering if a portable tool can also do it.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,183
@Andy Ful could you make a portable firewall tool that can only allow internet access to specified apps (browsers, IDM, antivirus, svchost, etc.) and block everything else (LOLBins, Office macros, Adobe, malware, etc.) from accessing the internet?
Binisoft WFC can do that, but I was wondering if a portable tool can also do it.

I could do it, but I am not convinced that it would be useful. If one wants such an application, then Binisoft WFC is already here. Furthermore, one can do this using only Windows Firewall. Simply block all outbound connections and allow Svchost. Next, run FirewallHardening without any BlockList, enable logging events, and use <Blocked Events> to identify the blocked processes. Finally, create an Allow rule in Windows Firewall for each blocked program.

This will not be possible with the upcoming FirewallHardening ver. 2011, because the new version will display only events related to the FirewallHardening BlockList.
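The procedure in the post above (default-deny outbound, allow Svchost, log the blocked connections, then whitelist program by program) can be driven entirely from an elevated PowerShell session with built-in cmdlets. The script below is an added example, not Hard_Configurator or FirewallHardening code: instead of the FirewallHardening <Blocked Events> view it reads WFP audit event 5157 from the Security log, and the device-path mapping, the function names (Get-BlockedOutboundPrograms, Add-OutboundAllowRule) and the sample program path are my own assumptions.

```powershell
# Added example: default-deny outbound firewall with event-driven whitelisting.
# Run elevated on an English Windows 10/11 with the NetSecurity module available.
#Requires -RunAsAdministrator

# 1. Block every outbound connection that no rule explicitly allows, on all profiles.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow Svchost so Windows Update, the DNS client, time sync etc. keep working.
#    This is a broad allowance (many services live in svchost.exe); narrowing it to
#    specific remote ports or addresses is a sensible later step.
New-NetFirewallRule -DisplayName 'Svchost outbound' -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' -Profile Any -ErrorAction SilentlyContinue | Out-Null

# 3. Audit failed connections: WFP writes event 5157 (connection blocked) to the Security log.
#    The subcategory name is the English one; on a localized system pass the subcategory GUID
#    instead (auditpol /list /subcategory:* /r prints it).
auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# WFP reports program paths in NT device form (\device\harddiskvolume3\...). Map them back
# to drive letters so the path can be fed to New-NetFirewallRule -Program.
Add-Type -Namespace Win32 -Name Dos -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
function Get-DeviceToDriveMap {
    $map = @{}
    foreach ($drive in [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Fixed' }) {
        $letter = $drive.Name.TrimEnd('\')                       # e.g. "C:"
        $target = New-Object System.Text.StringBuilder 260
        if ([Win32.Dos]::QueryDosDevice($letter, $target, $target.Capacity) -gt 0) {
            $map[$target.ToString().ToLowerInvariant()] = $letter # "\device\harddiskvolume3" -> "C:"
        }
    }
    $map
}
function ConvertTo-DrivePath([string]$DevicePath, [hashtable]$Map) {
    foreach ($device in $Map.Keys) {
        if ($DevicePath.ToLowerInvariant().StartsWith($device)) {
            return $Map[$device] + $DevicePath.Substring($device.Length)
        }
    }
    return $DevicePath   # unmapped (network or removable volume); rule creation is skipped for these
}

# 4. Summarize which programs were blocked outbound in the last N hours, and how often.
function Get-BlockedOutboundPrograms([int]$Hours = 1) {
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddHours(-$Hours) }
    $map = Get-DeviceToDriveMap
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($field in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        # Direction %%14593 is Outbound and %%14592 is Inbound in the raw event data;
        # keep only the outbound drops.
        if ($data['Direction'] -in '%%14593', 'Outbound') {
            [pscustomobject]@{
                Program = ConvertTo-DrivePath $data['Application'] $map
                Dest    = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
            }
        }
    } | Group-Object Program | Sort-Object Count -Descending |
        Select-Object @{n='Program'; e={$_.Name}}, Count,
                      @{n='Destinations'; e={($_.Group.Dest | Select-Object -Unique) -join ', '}}
}

# 5. Whitelist one program after reviewing the list. Supports -WhatIf for a dry run.
function Add-OutboundAllowRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Program)
    if (-not (Test-Path -LiteralPath $Program)) { throw "Not a local file path: $Program" }
    if ($PSCmdlet.ShouldProcess($Program, 'Create outbound allow rule')) {
        New-NetFirewallRule -DisplayName "Allow outbound: $(Split-Path $Program -Leaf)" `
            -Direction Outbound -Action Allow -Program $Program -Profile Any
    }
}

Get-BlockedOutboundPrograms -Hours 24 | Format-Table -AutoSize
# Sample program path (an assumption, adjust to what the table shows):
# Add-OutboundAllowRule -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' -WhatIf
```

Review the table before creating rules: a program that appears there only because it phoned home once is not automatically something you want to allow, and the destination column helps tell an updater from something unexpected.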
 

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
I could do it, but I am not convinced that it would be useful. If one wants such an application, then Binisoft WFC is already here. Furthermore, one can do this using only Windows Firewall. Simply block all outbound connections and allow Svchost. Next, run FirewallHardening without any BlockList, enable logging events, and use <Blocked Events> to identify the blocked processes. Finally, create an Allow rule in Windows Firewall for each blocked program.

This will not be possible with the upcoming FirewallHardening ver. 2011, because the new version will display only events related to the FirewallHardening BlockList.

Why do you think it would not be useful? With a setup like that, malware can only connect to the internet using BITS jobs (PowerShell, bitsadmin, desktopimgdownldr), and we can block these LOLBins using Defender Exploit Protection.

Or we can even disable the startup of the BITS service.
 

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
By the way, I just disabled the BITS service and Windows Update is still working (Windows 11), but the LOLBins that use BITS jobs cannot connect to the internet.

PowerShell BITS command:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,183
Why do you think it would not be useful? With a setup like that, malware can only connect to the internet using BITS jobs (PowerShell, bitsadmin, desktopimgdownldr), and we can block these LOLBins using Defender Exploit Protection.

Or we can even disable the startup of the BITS service.

There is no advantage in using a portable application over Binisoft WFC for that. It could not extend the Windows built-in features, so it would not be much easier than using the native Windows Firewall options, except for the FirewallHardening option to see the blocked outbound connections. The Windows Event Log cannot separate inbound and outbound connections, so it is not especially useful to see only outbound blocked connections.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,183
By the way, I just disabled the BITS service and Windows Update is still working (Windows 11), but the LOLBins that use BITS jobs cannot connect to the internet.

PowerShell BITS command:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination
You did not disable BITS but only stopped the service. When the BITS service is disabled, it cannot be started with standard rights. But it can be enabled with higher privileges and used to download the payload anyway.
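The stopped-versus-disabled distinction in the post above is visible in the service's StartMode and State, and an admin re-enabling the service leaves a trace in the System log. The script below is an added example (not SWH or Hard_Configurator code; the function names are mine) that reports the current BITS state, lists start-type changes recorded by the Service Control Manager, and shows BITS jobs queued by any user.

```powershell
# Added example: audit the BITS service state and surface re-enable attempts and stray jobs.
# Run elevated so jobs of all users and the System log are readable.

function Get-BitsServiceState {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped) together.
    # Stop-Service changes only State; Set-Service -StartupType changes StartMode.
    $svc = Get-CimInstance Win32_Service -Filter "Name='BITS'"
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; StartMode = $null; State = $null
                                  Verdict = 'Service registration missing' }
    }
    if ($svc.StartMode -eq 'Disabled') {
        $verdict = 'Disabled: only a caller with admin rights can re-enable it'
    } elseif ($svc.State -eq 'Stopped') {
        $verdict = 'Stopped but enabled: a standard user can start it on demand'
    } else {
        $verdict = 'Running'
    }
    [pscustomobject]@{ Present = $true; StartMode = $svc.StartMode; State = $svc.State; Verdict = $verdict }
}

function Get-BitsStartTypeChanges([int]$Days = 7) {
    # The Service Control Manager logs event 7040 whenever a service's start type changes,
    # e.g. "... Background Intelligent Transfer Service service was changed from disabled to demand start".
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Background Intelligent Transfer' } |
        Select-Object TimeCreated, @{n='UserSid'; e={$_.UserId}}, Message
}

function Get-BitsJobsAllUsers {
    # Jobs owned by a standard user that you did not create are a hint that
    # bitsadmin or Start-BitsTransfer was used by something other than Windows itself.
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Select-Object JobId, DisplayName, OwnerAccount, JobState,
                      @{n='Urls'; e={($_.FileList.RemoteName) -join ', '}}
}

Get-BitsServiceState
Get-BitsStartTypeChanges -Days 30 | Format-List
Get-BitsJobsAllUsers | Format-Table -AutoSize
```

If the first function reports "Stopped but enabled", the service was stopped rather than disabled; a 7040 entry for BITS after you set it to Disabled means some elevated process switched it back, which is exactly the case the post describes.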
 

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
Yes, they can with admin privileges.

PowerShell command:
Set-Service bits -StartupType manual
start-service bits

Any ideas how to prevent them?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,183
Yes, they can with admin privileges.

PowerShell command:
Set-Service bits -StartupType manual
start-service bits

Any ideas how to prevent them?
Use SWH or another method to restrict scripting and access to the CmdLine.
 

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
I deleted the BITS service, but somehow Windows Update is working while PowerShell or bitsadmin aren't.

PowerShell command:
sc.exe delete "bits"
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,183
SWH and Spider-Miner

This malware is intended to attack home users. It mimics the torrent file of a movie but in fact it is an EXE file. The hash is still absent on Virus Total.



The file identifies itself as “spiderman_net_putidomoi.torrent.exe,” which translates from Russian to “spiderman_no_wayhome.torrent.exe.” The origin of the file is most likely from a Russian torrenting website.
...
The program starts two PowerShell encoded commands that add the following extended exclusions to Microsoft Defender: ignore all folders under the user profile, the system drive (i.e. “c:\\”), and all files with extensions of “.exe” or “.dll”.

SWH is not intended to block EXE files and leaves that protection to SmartScreen and the antivirus. Anyway, SWH can support Microsoft Defender in this attack by restricting PowerShell commands via SRP (it forces Constrained Language Mode for PowerShell).
From the malware analysis it follows that it does not drop script files (like *.ps1) but can execute PowerShell encoded commands to abuse Defender. This will be blocked by Constrained Language Mode.

If one is not a happy-clicker then this attack is not dangerous and will be blocked by Windows 10 default protection (SmartScreen for Explorer). Furthermore, the attack requires admin rights to inject the Monero miner code into Svchost. So, the user will see the UAC prompt - from the malware analysis, we know that the malware does not use UAC bypass.

It seems that paradoxically the users of Microsoft Defender can be more secure (compared to some other AVs) against similar malware that could use UAC bypass. A few days ago I tested Defender and other AVs. Defender blocked the known Windows 10 UAC bypasses and they were not fully blocked by some 3rd party AVs.
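The sample described above depends on three things on the victim machine: Defender accepting very broad exclusions, PowerShell running unrestricted, and the user clicking through UAC. The script below is an added example, not SWH code or part of the quoted analysis; it checks those conditions from the defender's side (function names and the list of "risky" extensions are my own choices) and lists recent Defender configuration changes, which is where an exclusion added by an encoded command would show up.

```powershell
# Added example: posture check for the conditions the Spider-Miner sample relies on.
# Run elevated so Get-MpPreference and the Defender operational log are readable.

function Get-RiskyDefenderExclusions {
    # Flags exclusions as broad as the ones the sample adds: whole drives, whole user
    # profiles, and executable/script extensions. Each entry here deserves an explanation.
    $pref  = Get-MpPreference
    $risky = New-Object System.Collections.Generic.List[object]
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($p -match '^[A-Za-z]:\\?$' -or
            $p -match '^[A-Za-z]:\\Users(\\[^\\]+)?\\?$' -or
            $p -match '^%USERPROFILE%\\?$') {
            $risky.Add([pscustomobject]@{ Kind = 'Path'; Value = $p })
        }
    }
    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
        if ($e.TrimStart('.') -in 'exe', 'dll', 'ps1', 'bat', 'cmd', 'js', 'vbs') {
            $risky.Add([pscustomobject]@{ Kind = 'Extension'; Value = $e })
        }
    }
    $risky
}

function Get-DefenderConfigChanges([int]$Days = 7) {
    # Defender logs event 5007 for every configuration change; an exclusion added through
    # Add-MpPreference / Set-MpPreference appears here with its registry path and new value.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Exclusions\\' } |
        Select-Object TimeCreated, Message
}

function Get-ScriptAndElevationPosture {
    # LanguageMode: 'ConstrainedLanguage' is what the post says SWH enforces; 'FullLanguage' is the default.
    # ConsentPromptBehaviorAdmin: 0 = never prompt (an elevation would be silent),
    #   5 = the default prompt for non-Windows binaries, 2 = always prompt on the secure desktop.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        LanguageMode     = $ExecutionContext.SessionState.LanguageMode
        UacEnabled       = [bool]$uac.EnableLUA
        AdminPromptLevel = $uac.ConsentPromptBehaviorAdmin
        TamperProtection = (Get-MpComputerStatus).IsTamperProtected
    }
}

Get-ScriptAndElevationPosture
Get-RiskyDefenderExclusions | Format-Table -AutoSize
Get-DefenderConfigChanges -Days 30 | Format-List
```

An empty exclusion table plus a non-zero admin prompt level is the posture the post assumes; a "C:\" or ".exe" entry appearing in the 5007 history with a timestamp you cannot account for is the detection signal for this family of tricks.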
 

Telos

Level 22
Verified
Top poster
Content Creator
Well-known
Jan 29, 2017
1,129
Just upgraded to W11. Are there compatibility issues between SWH and W11? Does reset to W11 default work cleanly?

TIA!
 

Gandalf_The_Grey

Level 63
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,148

Telos

Level 22
Verified
Top poster
Content Creator
Well-known
Jan 29, 2017
1,129
This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.

Reboot never happened, as the PC went to a black screen. I now have no BIOS access and am unable to boot from USB to attempt recovery. Firmware rollback is not working. I've ordered an NVMe to USB adaptor and will attempt to reimage the drive externally to see if that resolves things. Otherwise, I'm bricked. I'll post the error images I captured just prior to reboot later.
 

Local Host

Level 25
Verified
Top poster
Well-known
Sep 26, 2017
1,455
There is no advantage in using a portable application over Binisoft WFC for that. It could not extend the Windows built-in features, so it would not be much easier than using the native Windows Firewall options, except for the FirewallHardening option to see the blocked outbound connections. The Windows Event Log cannot separate inbound and outbound connections, so it is not especially useful to see only outbound blocked connections.
The Windows Firewall logs can tell the difference between inbound and outbound traffic (among many other details); it only needs to be enabled (native option).

Svchost is the key to making your firewall made of steel against malware as well, so it is wise to only allow specific connections through it. The malware described above would never work on my PC, despite having WD turned OFF.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,183
This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.

Reboot never happened, as the PC went to a black screen. I now have no BIOS access and am unable to boot from USB to attempt recovery. Firmware rollback is not working. I've ordered an NVMe to USB adaptor and will attempt to reimage the drive externally to see if that resolves things. Otherwise, I'm bricked. I'll post the error images I captured just prior to reboot later.
It is very strange. SWH on default settings does not block processes with high privileges and does not block EXE files at all. The symptoms you have noted are probably related to an incompatibility of the firmware driver with one of the Windows policies or SRP.
The incompatibility problem can be solved by rebooting the computer 3 times, after which the option to use a Restore Point should be available. After restoring, all SWH settings are removed.