Even if the beta version is...very stableAny plans when the stable version of SWH is coming?
Simple Windows Hardening
- Thread starter Andy Ful
- Start date
- Feb 25, 2017
- 2,585
Yea, just feeling better when I know that it's called "stable"Even if the beta version is...very stable
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
Yea, just feeling better when I know that it's called "stable"
I usually wait if a month or two, because something may come up. It is probable that this beta will become a stable version in April.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
SWH vs. Quakbot
news.sophos.com
This attack vector is blocked with SWH ver. 1.1.1.1.
SWH ver. 2.0.0.0 can block such attacks in Recommended Settings (including the DocumentsAntiExploit tool).
This threat could bypass SWH versions prior to 1.1.1.1 on default settings. It used the Excel XLSB binary workbook which could abuse the DDE feature and Regsvr32 LOLBin. It was not related to macros (VBA or Excel 4.0).
The infection chain (delivery stage in blue):
Email interjection with URL ---> download XLSB document packed in ZIP file ---> open XLSB document (DDE) ---> intermediate payload dropped and executed via Regsvr32 LOLBin ---> ..... ----> main payload injected to Explorer (C&C server connections)
How H_C_Hardening tools could prevent this attack?
Post updated to include the info related to SWH ver. 1.1.1.1 and later.
Qakbot injects itself into the middle of your conversations
The heavily distributed botnet delivers a wide variety of payloads – and scans your network for weaknesses
news.sophos.com
This attack vector is blocked with SWH ver. 1.1.1.1.
SWH ver. 2.0.0.0 can block such attacks in Recommended Settings (including the DocumentsAntiExploit tool).
This threat could bypass SWH versions prior to 1.1.1.1 on default settings. It used the Excel XLSB binary workbook which could abuse the DDE feature and Regsvr32 LOLBin. It was not related to macros (VBA or Excel 4.0).
The infection chain (delivery stage in blue):
Email interjection with URL ---> download XLSB document packed in ZIP file ---> open XLSB document (DDE) ---> intermediate payload dropped and executed via Regsvr32 LOLBin ---> ..... ----> main payload injected to Explorer (C&C server connections)
How H_C_Hardening tools could prevent this attack?
- ConfigureDefender HIGH - Excel will be blocked from using the Regsrv32 LOLBin by the ASR rule "Block Office applications from creating child processes".
- FirewallHardening - cannot block this particular infection (payload is not downloaded from the Internet), but can block (LOLBins blocked) the abused Explorer from connecting the C&C server.
- DocumentsAntiExploit tool - blocks DDE feature n Excel and Regsrv32 LOLBin will not run.
Post updated to include the info related to SWH ver. 1.1.1.1 and later.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
Which bug?
Do you mean your old post?
https://malwaretips.com/threads/simple-windows-hardening.102265/post-974191
If so, then it was already explained and has nothing to do with AppInstaller.
https://malwaretips.com/threads/simple-windows-hardening.102265/post-974141
Your problem is related to web applications that run into a web browser. Their application window is a web browser process although it looks slightly different (most options are removed from the window). If you use a popular web browser then the web applications run in the sandbox. They do not use AppInstaller.
AppInstaller installs Universal Windows Applications that can run without a web browser.
Two different things.
Last edited:
- Apr 5, 2021
- 619
From the article:
I guess another endorsement for OSArmor:
...but of course I realize with H_C on Default or Max settings, OSA is not needed
EDIT
I really should have stated "another endorsement for OSArmor as a complimentary tool to SWH" No intent to steer OT.
I guess another endorsement for OSArmor:
...but of course I realize with H_C on Default or Max settings, OSA is not needed
EDIT
I really should have stated "another endorsement for OSArmor as a complimentary tool to SWH" No intent to steer OT.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
Regsvr32 is used to register and unregister OLE controls. It is too often used for benign processes (also for DLLs in UserSpace). That is why it is in the experimental section. One can adopt an alternative method by using Windows 10 Exploit protection mitigation for regsvr.exe (Code Integrity Guard). This will block all OLE controls not signed by Microsoft (or Microsoft Store).
In most cases, the abused Regsvr32 is used to run the OLE controls from remote locations (including the Internet) and this method is very rarely used by benign processes on home computers. So, it is safe to block the outbound connections via the Firewall rule. This is also the idea adopted in FirewallHardening for many other LOLBins.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
...but of course I realize with H_C on Default or Max settings, OSA is not needed
LOLBins (including Regsvr32) are mostly used by shortcuts, documents, and scripts. So, blocking Regsvr32 is not necessary also in SWH. When using MS Office one has to remember to properly configure SWH or use Defender with ASR rules.
If this configuration is too restrictive, then one has to seek additional protection. There are many possibilities. One of them can be OSA.
Last edited:
- Apr 5, 2021
- 619
Your post gave me reason to check OSA's Exclusions for anything Regsvr32 related and there is nothing so far, so I guess my simple home usage hasn't done anything yet to require the need for Regsvr32 to load DLL's.
Otherwise you keep providing more compelling evidence that I don't really need OSA
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
Your post gave me reason to check OSA's Exclusions for anything Regsvr32 related and there is nothing so far, so I guess my simple home usage hasn't done anything yet to require the need for Regsvr32 to load DLL's.
Otherwise you keep providing more compelling evidence that I don't really need OSA
You probably do not need OSA and SWH.
I do not need many things too. I usually keep them because I like them and I do not have a heart to throw them out.
Last edited:
- Apr 5, 2021
- 619
You probably do not need OSA and SWH.
No I use H_C and that's probably more than enough
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
Yes. Sometimes it is used after Windows Updates for something. I block it via H_C (and over 170 LOLBins including Windows Script Host, PowerShell, and CMD) for a few years on my wife's computer without any issue. But my wife uses only applications from Microsoft Store and two desktop applications.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
Anyway, sometimes it refuses to work on some computers for some reason. It is like eating mushrooms. Most people can eat them all their life without problems, but some die. Furthermore, blocking LOLBins on a home computer (Windows 10) is really not necessary when using properly configured SWH. Of course, there is nothing wrong with blocking some of them if one likes/needs such restrictions. The easiest way is simply using H_C.
There is a difference between SWH (H_C) and common configurations of Applocker or MDAC. So the necessity of blocking LOLBins in Applocker and MDAC does not pass to SWH (H_C). For example, in MDAC the scripts are not blocked (like in SWH or H_C) but only restricted. Furthermore, shortcuts are allowed, and this opens a wide road for using LOLBins. When using SWH or H_C, the scripts, shortcuts, and many files with executable content are blocked. The setup is much more restricted. So, the attacker can hardly use LOLBins, except when exploiting something.
There is a difference between SWH (H_C) and common configurations of Applocker or MDAC. So the necessity of blocking LOLBins in Applocker and MDAC does not pass to SWH (H_C). For example, in MDAC the scripts are not blocked (like in SWH or H_C) but only restricted. Furthermore, shortcuts are allowed, and this opens a wide road for using LOLBins. When using SWH or H_C, the scripts, shortcuts, and many files with executable content are blocked. The setup is much more restricted. So, the attacker can hardly use LOLBins, except when exploiting something.
Last edited:
- Apr 24, 2016
- 7,232
@Andy Ful I have two questions about the DocumentsAntiExploit tool:
1) Does the Adobe Reader setting work with Adobe Reader DC 64bit?
I got no yellow message bar and had to configure it in Adobe Reader myself.
2) What is the best setting for the latest MS office 365 64-bit ON1 or ON2?
The real difference between those two settings is not clear to me.
I'm currently using Windows 11 with Ziggo Safe Online by F-Secure 18.2 (Default Settings), Simple Windows Hardening 1.0.1.1 beta 3 (Basic Recommended Settings) and DocumentsAntiExploit 2.0.0.0 (Adobe Reader ON, MS Office ON2).
1) Does the Adobe Reader setting work with Adobe Reader DC 64bit?
I got no yellow message bar and had to configure it in Adobe Reader myself.
2) What is the best setting for the latest MS office 365 64-bit ON1 or ON2?
The real difference between those two settings is not clear to me.
I'm currently using Windows 11 with Ziggo Safe Online by F-Secure 18.2 (Default Settings), Simple Windows Hardening 1.0.1.1 beta 3 (Basic Recommended Settings) and DocumentsAntiExploit 2.0.0.0 (Adobe Reader ON, MS Office ON2).
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
Yes, it worked. I will test the new version of Adobe Reader DC this week.
The ON2 and ON2 differ only with the access level.
When ON1 is set then the restrictions can be changed with standard rights from the MS Office application. If you do it, then such custom settings will be displayed in DocumentsAntiExploit tool as "Partial".
When ON2 settings are applied, then you cannot change them from the MS Office application and high privileges are required to change these settings (can be done via Windows Registry).
The ON2 settings are safer because the malware with standard rights cannot change them. But, ON1 settings are also rather safe - they will prevent most weaponized documents from running the active content that could change these settings.
That is OK.
- Apr 24, 2016
- 7,232
Thanks, the Adobe Reader thing could also be something just on my system.
I was recently "forced" for work related reasons to use Adobe Reader and noticed no yellow message bar and configured it from Adobe Reader's settings.
Great to know that ON2 is the safest option, and I will keep it like that
I was recently "forced" for work related reasons to use Adobe Reader and noticed no yellow message bar and configured it from Adobe Reader's settings.
Great to know that ON2 is the safest option, and I will keep it like that
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
No. I tested the new version and it has got some changes that will require updating the DocumentsAntiExploit tool.
Thank you, for reporting the issue.
It seems that the default settings in Adobe Reader DC are now pretty much safe because the AppContainer is enabled by default.
The main problem is the way of applying the "Protected View" (disabled on default settings). Adobe insists on showing the option on the yellow bar that allows the user to easily enable all features for the document. There is no way to get rid of it (on the contrary to MS Office macros).
So, even when JavaScript and some other vulnerable features are disabled for all documents, they will be enabled for this particular document. Thank god, that the document is still opened in the AppContainer.
The "Protected View" is very strong - so strong that it even blocks printing. It is not a protection for casual users, who will probably use the option "Enable All Features" on the yellow bar to bypass most restrictions.
On the other side, it can be good protection for more advanced/cautious users.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,482
For casual users, the best Adobe Acrobat Reader settings are probably the default ones (Protected View = OFF) and additionally:
When one uses Protected View and the Defender's ASR rule, then after using "Enable All Features", the protection is also OK. But URLs will be opened in the web browser.
The Protected View, especially without the Defender ASR rule, is not good for casual users.
- Disable JavaScript.
- Disable opening of non-PDF file attachments with external applications.
- Block PDF files to all web sites.
- Enable Defender's ASR rule for Adobe.
When one uses Protected View and the Defender's ASR rule, then after using "Enable All Features", the protection is also OK. But URLs will be opened in the web browser.
The Protected View, especially without the Defender ASR rule, is not good for casual users.
Last edited:
- Apr 24, 2016
- 7,232
What does that mean for Simple Windows Hardening and DocumentsAntiExploit?
Do not use the Abobe Reader settings?
Or are we able to change to those settings in a next version?
Similar threads
