@Andy Ful
It gave a warning (see screenshot). In doubt, I did not click OK, just closed the prompt. It went ahead anyway. After, I apprehensively did checks for yesterday's issues; it seems to be working fine.
View attachment 262976
That is OK.
@Andy Ful could you make a portable firewall tool that can only allow internet access to specified apps (browsers, IDM, antivirus, svchost, etc.) and block everything else (LOLBins, Office macros, Adobe, malware, etc.) from accessing the internet?
Binisoft WFC can do that, but I was wondering if a portable tool can also do it.
I could do it, but I am not convinced if it would be useful. If one wants such an application then Binisoft WFC is already here. Furthermore, one can do this using only Windows Firewall. Simply block all outbound connections and allow Svchost. Next, you can run FirewallHardening without any BlockList, enable Logging events, and use <Blocked Events> to identify the blocked processes. Finally, create the Allow rule in Windows Firewall for each blocked program.
This will not be possible with the upcoming FirewallHardening ver. 2011, because the new version will display only events related to the FirewallHardening BlockList.
Why do you think it would not be useful? With a setup like that, malware can only connect to the internet using BITS jobs (PowerShell, Bitsadmin, desktopimgdownldr), and we can block these LOLBins using Defender exploit protection.
Or we can even disable the startup of the BITS service.
> By the way, I just disabled the BITS service and Windows Update is still working (Windows 11), but the LOLBins that use BITS jobs cannot connect to the internet.
> PowerShell BITS command:
> $source = 'http://speedtest.tele2.net/100MB.zip'
> $destination = 'c:\100MB.zip'
> Start-BitsTransfer -Source $source -Destination $destination

You did not disable BITS but only stopped the service. When the BITS service is disabled, then it cannot be started with standard rights. But it can be enabled with higher privileges and used to download the payload, anyway.
> Yes, they can with admin privileges.
> PowerShell command:
> Set-Service bits -StartupType Manual
> Start-Service bits
> Any ideas how to prevent them?

Use SWH or another method to restrict scripting and access to the CmdLine.
The file identifies itself as “spiderman_net_putidomoi.torrent.exe,” which translates from Russian to “spiderman_no_wayhome.torrent.exe.” The origin of the file is most likely from a Russian torrenting website.
...
The program starts two powershell encoded commands, that adds the following extended exclusions to Microsoft Defender: ignore all folders under the user profile, the system drive (i.e. “c:\\”), and all files with extensions of “.exe” or “.dll”.
> Just upgraded to W11. Are there compatibility issues between SWH and W11? Does reset to W11 default work cleanly?
> TIA!

It's fully compatible: Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator
This version works on Windows 10 and Windows 11.
> Are there compatibility issues between SWH and W11?

No.

> Does reset to W11 default work cleanly?

Yes.
This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.
> There is not any advantage of using a portable application over Binisoft WFC, for that. It could not extend the Windows built-in features, so it would not be much easier than using Windows Firewall native options, except the option of FirewallHardening to see the blocked outbound connections. The Windows Event Log cannot separate inbound and outbound connections, so it is not especially useful to see only outbound blocked connections.

The Windows Firewall logs can tell the difference between inbound and outbound traffic (among many other details); it only needs to be enabled (native option).
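As an added example (not code from this thread, nor from Andy Ful's tools or Binisoft WFC), this is the Windows-Firewall-only setup described earlier (block all outbound by default, allow svchost, log what gets dropped) together with the direction field of the native firewall log mentioned just above, in PowerShell. The log path is the Windows default and the rule display name is my own choice; the log records direction but not the originating program, which is the gap that FirewallHardening's Blocked Events view fills.

```powershell
# Added example: outbound lockdown with the built-in Windows Firewall, then a
# listing of dropped outbound (SEND) connections from the native log.
# Run from an elevated PowerShell prompt.

$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Block all outbound traffic by default on all three profiles and log drops.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes 16384

# 2. Allow svchost.exe outbound so Windows Update, DNS Client, etc. keep working.
#    (Rule name is an assumption for this example.)
New-NetFirewallRule -DisplayName 'Allow svchost outbound' `
    -Direction Outbound -Action Allow `
    -Program "$env:SystemRoot\System32\svchost.exe" `
    -Profile Any -ErrorAction Stop

# 3. Parse the log. Field order, from the "#Fields:" header of pfirewall.log:
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#    tcpsyn tcpack tcpwin icmptype icmpcode info path
#    "path" is SEND (outbound) or RECEIVE (inbound); no process is recorded.
function Get-DroppedOutbound {
    param([string]$Path = $LogPath)
    Get-Content -Path $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split ' '
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{
                    Time     = "$($f[0]) $($f[1])"
                    Protocol = $f[3]
                    DstIP    = $f[5]
                    DstPort  = $f[7]
                }
            }
        }
}

# Most frequently blocked destinations first; match them to programs via
# FirewallHardening's Blocked Events, then add per-program Allow rules.
Get-DroppedOutbound |
    Group-Object DstIP, DstPort |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```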
> This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.
> Reboot never happened, as the PC went to a black screen. I now have no BIOS access and am unable to boot from USB to attempt recovery. Firmware rollback is not working. I've ordered an NVMe to USB adaptor and will attempt to reimage the drive externally to see if that resolves things. Otherwise, I'm bricked. I'll post the error images I captured just prior to reboot later.

It is very strange. SWH on default settings does not block the processes with high privileges and does not block EXE files at all. The symptoms you have noted are probably related to the incompatibility of the firmware driver with one of the Windows policies or SRP.