New Update Simple Windows Hardening

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
Gandalf_The_Grey,

What is the source of .xls documents? This is a legacy format from the era before MS Office 2007.:unsure:
I know, but many of the suppliers I work with still send files in the old format, probably for compatibility reasons or maybe because they use an alternative to MS Office.
The last part I don't know.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
These files can be opened directly from Excel, even when they are blocked by SWH. The SWH prevents opening Excel documents from the Desktop or File Explorer. In your case, these extensions can be removed because you applied the hardening via the DocumentsAntiExploit tool.:) (y)
For me that's okay, but IMO that limits SWH as a set-and-forget tool.

If I don't have a lot of time my security and privacy hardening would be O&O ShutUp 10+++ at recommended settings and SWH at default.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
For me that's okay, but IMO that limits SWH as a set-and-forget tool.

If I don't have a lot of time my security and privacy hardening would be O&O ShutUp 10+++ at recommended settings and SWH at default.

The situation is even more complex. One can use the free Excel mobile version (UWP app from Microsoft Store) to view/print Excel files. SWH (SRP) does not block opening the Excel files via UWP apps. The Excel mobile version automatically blocks all active content and can run safely in AppContainer.
The problem remains when one has to edit Excel files. I am not sure how often this can happen at home.:unsure:
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
The situation is even more complex. One can use the free Excel mobile version (UWP app from Microsoft Store) to view/print Excel files. SWH (SRP) does not block opening the Excel files via UWP apps. The Excel mobile version automatically blocks all active content and runs safely in AppContainer.
The problem remains when one has to edit Excel files. I am not sure how often this can happen at home.:unsure:
I don't think that a normal user who pays for Office 365 or has bought Office 2019/2021 will install a limited, but highly secure mobile version.
That would be okay for my mother-in-law (just viewing and printing) but probably not for the schoolwork of my children.
 

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,256
With the new version I cannot open an Excel file in LibreOffice. If settings have to be tweaked to allow this, then doesn't that mean this program goes from an easy solution (just use default settings) to a program that is a bit more complicated because you need to tweak it?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Quick question on this point ~

Is the standalone version of ConfigureDefender still v3.0.1.0, as version 3.0.1.1 is included in Hardening Tools? Similarly, the standalone RunBySmartscreen is at v4.0.0.1, but Hardening Tools includes v4.0.1.0.

Thanks.
Today, I am going to update the installers on the ConfigureDefender and RunBySmartscreen websites.
ConfigureDefender ver. 3.0.1.1 is the same as ver. 3.0.1.0 except for support for Windows Server.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
It seems that the new settings for Excel are too restrictive. I have to think for a while about how to redesign the SWH to make it as usable as before and cover the growing danger of Excel files. It is possible that I will remove the * Documents Anti-Exploit * option and publish SWH together with the DocumentsAntiExploit tool. :unsure:
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
It seems that the new settings for Excel are too restrictive. I have to think for a while about how to redesign the SWH to make it as usable as before and cover the growing danger of Excel files. It is possible that I will remove the * Documents Anti-Exploit * option and publish SWH together with the DocumentsAntiExploit tool. :unsure:
And then there is no need for blocking Excel through Protected SRP Extensions anymore?

EDIT: It could be a good idea to use two tools.
1 to harden Windows
1 to harden Microsoft Office and Adobe Reader.
 

JasonUK

Level 5
Apr 14, 2020
232
Same issue as others ~ excel files blocked ~ not a huge issue as I tend to save all my personal files to a specific directory which I could whitelist by path. Blocking by default isn't a terrible idea though as it encourages you to at least virus check any shared / received office document before opening it and placing it in a whitelisted location.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
And then there is no need for blocking Excel through Protected SRP Extensions anymore?

EDIT: It could be a good idea to use two tools.
1 to harden Windows
1 to harden Microsoft Office and Adobe Reader.
Yes, that is my plan. The SWH version 2.0.0.0 will be published this week so I have removed the ver. 1.1.1.1 from GitHub.(y)
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
434
The XLSX documents cannot contain macros but have got other dangerous features (like DDE, etc.). If you use Defender with ASR rules then the XLSX extension can be safely removed via <Settings><Protected SRP Extensions>.
If you use the DocumentsAntiExploit tool, then the XLSX extension can be safely removed when using any AV.


The problem can arise if one uses custom settings to harden MS Office manually. Home users are focused on Word hardening and often forget to properly harden Excel. It is not easy to harden Excel because it has got many dangerous features.
The Excel files are rarely used at home and commonly used in attacks, so they are blocked in SWH ver. 1.1.1.1 by default. I am not sure if this is an optimal solution. What do you think guys?
A few mutual funds still use XLSX files to list their holdings, so I had to unblock that extension so I could open them with GNUmeric.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
SWH vs. CHM attack vector
https://malwaretips.com/threads/ukr...-targeted-with-powershell-rat-malware.113839/

Compromising the security layers via ".chm" files is a well known and still very efficient method. I saw several such attacks in the past, for example:
Cryptowall: Cryptowall Makes a Comeback Via Malicious Help Files (CHM)
Silence banking trojan: Silence – a new Trojan attacking financial organizations
LovxCrypt Ransomware: Threat Spotlight: LovxCrypt Ransomware
RURansom Wiper: https://blog.cyble.com/2022/03/11/ongoing-russia-ukraine-warfare-significant-cyber-incidents/
APT41 espionage: https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation

The common infection chain:
Email attachment -----> user downloads an attachment -----> user opens the .chm file -----> payload is dropped/downloaded and executed

SWH blocks opening .chm files by default via SRP restrictions.
The .chm file is opened by the hh.exe LOLBin (HTML Help), which is also a JavaScript interpreter. So, the attacker can embed the JavaScript malicious code into the .chm file.
In the past, the .chm files were often used to download and execute PE payloads, but they can be easily used also in fileless attacks like in the example of recent attacks on German users.
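The post above says SWH blocks .chm (and, by default in ver. 1.1.1.1, Excel) files through SRP rules. As an added example, not code from SWH or Hard_Configurator, the PowerShell script below reads the local SRP state from the registry and reports the default level, whether the extensions discussed in this thread are in the SRP designated file types list, and which path rules exist. It assumes the standard Windows 10/11 SRP layout under the CodeIdentifiers key and should be run from an elevated prompt; it only reads, it changes nothing.

```powershell
# Added example (not part of SWH or Hard_Configurator): audit the Software
# Restriction Policies (SRP) state that SWH configures. Read-only.
# Assumption: standard SRP registry layout under CodeIdentifiers (Windows 10/11).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Extensions mentioned in the thread: CHM is opened by hh.exe, XLS/XLSX/XLSM by Excel.
$watch = @('CHM', 'XLS', 'XLSX', 'XLSM')

if (-not (Test-Path $base)) {
    Write-Output 'No SRP policy configured (CodeIdentifiers key missing).'
    return
}

$ci = Get-ItemProperty -Path $base
# DefaultLevel values: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
$levels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
$default = if ($null -ne $ci.DefaultLevel) { $levels[[int]$ci.DefaultLevel] } else { 'not set' }
Write-Output "SRP default security level  : $default"
# PolicyScope 1 = all users except local administrators, 0 = all users
$scope = if ($ci.PolicyScope -eq 1) { 'No (standard users only)' } else { 'Yes' }
Write-Output "SRP applies to administrators: $scope"

# ExecutableTypes (REG_MULTI_SZ) is the SRP "designated file types" list.
# An extension that is not listed here is never subject to SRP path rules.
$types = @($ci.ExecutableTypes | ForEach-Object { $_.ToUpperInvariant() })
Write-Output 'Designated file types of interest:'
foreach ($ext in $watch) {
    $state = if ($types -contains $ext) { 'listed  (SRP rules apply)' } else { 'missing (SRP ignores it)' }
    Write-Output ("  .{0,-5} {1}" -f $ext.ToLower(), $state)
}

# Path rules live under <level>\Paths\{GUID}; the subkey name is the level value.
Write-Output 'Path rules:'
foreach ($lvl in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
    $paths = Join-Path $lvl.PSPath 'Paths'
    if (-not (Test-Path $paths)) { continue }
    $name = $levels[[int]$lvl.PSChildName]
    if (-not $name) { $name = $lvl.PSChildName }
    foreach ($rule in Get-ChildItem -Path $paths) {
        $p = Get-ItemProperty -Path $rule.PSPath
        Write-Output ("  [{0,-12}] {1}" -f $name, $p.ItemData)
    }
}
```

If .chm shows as "missing", SRP will not evaluate it at all, whatever the default level is; that is the check to make after installing or updating a hardening tool, since the thread's point is that the extension list, not only the default level, decides what is blocked.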
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
For casual users, the best Adobe Acrobat Reader settings are probably the default ones (Protected View = OFF) and additionally:
  1. Disable JavaScript.
  2. Disable opening of non-PDF file attachments with external applications.
  3. Block PDF files to all web sites.
  4. Enable Defender's ASR rule for Adobe.
Even if the user enables JavaScript for the document, it will run in AppContainer. Acrobat Reader cannot open non-PDF attachments in external applications or URLs embedded in the documents, and cannot run other applications/LOLBins.

When one uses Protected View and the Defender's ASR rule, then after using "Enable All Features", the protection is also OK. But URLs will be opened in the web browser.

The Protected View, especially without the Defender ASR rule, is not good for casual users.
Coming back to this for the new DocumentsAntiExploit tool 2.0.0.1:
Wouldn't it be better to use ON for Adobe Acrobat Reader?

With CD on High and SWH on default, these are now my settings:

[attached screenshot: DocumentsAntiExploit tool settings]

If I correctly understand what's written in the manual, the settings for the current user are not needed.
Adobe Acrobat Reader only when you want a different setting for the current user than for all (other) users.
MS Office only when you are not using ConfigureDefender and/or Office apps not installed in Program Files or Program Files (x86).
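The quoted recommendations (JavaScript off, Protected Mode on, Protected View off for casual users, plus the Defender ASR rule for Adobe Reader) are all visible in the registry and in Defender's preferences. The PowerShell script below is an added example, not part of DocumentsAntiExploit or ConfigureDefender, that reports those values so a user can confirm what the tools actually applied. It assumes Acrobat Reader DC's policy key under FeatureLockDown and the ASR rule GUIDs as documented by Microsoft; it does not cover the attachment and URL permission settings, and it is read-only.

```powershell
# Added example (not part of DocumentsAntiExploit/ConfigureDefender): report the
# Acrobat Reader DC lockdown values and the Defender ASR rules discussed above.
# Assumption: Acrobat Reader DC policy key; run from an elevated PowerShell.
$fld = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
# "Want" reflects the settings recommended in the thread, not an Adobe default.
$checks = @(
    @{ Name = 'bDisableJavaScript';          Want = 1; Meaning = 'JavaScript disabled and locked' },
    @{ Name = 'bProtectedMode';              Want = 1; Meaning = 'Protected Mode sandbox (AppContainer) on' },
    @{ Name = 'bEnhancedSecurityStandalone'; Want = 1; Meaning = 'Enhanced Security on' },
    @{ Name = 'iProtectedView';              Want = 0; Meaning = 'Protected View: 0 = off, 1 = unsafe locations, 2 = all files' }
)

Write-Output "Acrobat Reader DC lockdown ($fld):"
if (Test-Path $fld) {
    $p = Get-ItemProperty -Path $fld
    foreach ($c in $checks) {
        $v = $p.($c.Name)
        $flag = if ($null -eq $v) { 'not set' } elseif ([int]$v -eq $c.Want) { 'OK' } else { 'DIFFERS' }
        $shown = if ($null -eq $v) { '-' } else { "$v" }
        Write-Output ("  {0,-27} = {1,-3} [{2,-7}] {3}" -f $c.Name, $shown, $flag, $c.Meaning)
    }
} else {
    Write-Output '  policy key not present (nothing is locked down by policy)'
}

# ASR rule GUIDs as documented by Microsoft. Actions: 0 = off, 1 = block, 2 = audit, 6 = warn.
$asr = @{
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
}
$actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

Write-Output 'Defender ASR rules:'
$mp   = Get-MpPreference
$ids  = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$acts = @($mp.AttackSurfaceReductionRules_Actions)
foreach ($guid in $asr.Keys) {
    $i = [array]::IndexOf($ids, $guid)
    $state = if ($i -lt 0) { 'Not configured' } else { $actions[[int]$acts[$i]] }
    if (-not $state) { $state = "Action $($acts[$i])" }
    Write-Output ("  {0,-14} {1}" -f $state, $asr[$guid])
}
```

A value reported as "not set" means Reader falls back to the per-user preference, which the user can change from the GUI; the FeatureLockDown values are the ones that stay in place for all users, which is why the manual distinguishes the all-users and current-user options.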
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Coming back to this for the new DocumentsAntiExploit tool 2.0.0.1:
Wouldn't it be better to use ON for Adobe Acrobat Reader?

With CD on High and SWH on default, these are now my settings:

[attached screenshot: DocumentsAntiExploit tool settings]

If I correctly understand what's written in the manual, the settings for the current user are not needed.
Adobe Acrobat Reader only when you want a different setting for the current user than for all (other) users.
MS Office only when you are not using ConfigureDefender and/or Office apps not installed in Program Files or Program Files (x86).
:) (y)
 

czesetfan

Level 3
Dec 3, 2021
149
Let me get this right. That is, if I want to use desktop Office, do I need to set the Current user restriction of MS Office to ON2, or ON1? Will it be possible to open .xls, .xlsx files with this setting?
 