New Update Simple Windows Hardening

[Andy Ful]

Run by smart screen to achieve elevated status.

It does not work in this way (has nothing to do with elevated status).
"Run By SmartScreen" simply triggers SmartScreen for Explorer, when normally the file would be executed without SmartScreen check. It has also an additional feature that prevents bypassing SmartScreen via DLL hijacking.

GitHub - AndyFul/Run-By-Smartscreen

Contribute to AndyFul/Run-By-Smartscreen development by creating an account on GitHub.

github.com

Basically, don't click these without verification of file, back to the basics.

This is the shortest description of "Run By SmartScreen".
It allows a quick file verification in the SmartScreen reputation cloud (EXE / MSI files). It is more reliable in most cases than Virus Total.

Of course, the advanced users can do more, like using Any.run or other online services to analyze the samples. But, this is beyond the abilities of most home users.

 

[Andy Ful]

Such a test as Advanced Threat Protection Test 2023 - Consumer, can have some value for AV developers. But, I do not think that it might help the consumers. The results are out of touch with reality due to applied methodology.
For example, Spearphishing attacks have great chances to succeed, even if stopped by the AV. Simply, the user is convinced that the sample is not malicious and expects a false positive. It is a kinda paradox, but novice users can be safer than more experienced ones. Many novice users do not know what is a false positive and will not allow the sample. A more experienced user will look at VirusTotal and see that most AVs consider the sample as non-malicious. This will most probably end with infection.

 

[ForgottenSeer 103564]

It does not work in this way (has nothing to do with elevated status).
"Run By SmartScreen" simply triggers SmartScreen for Explorer, when normally the file would be executed without SmartScreen check. It has also an additional feature that prevents bypassing SmartScreen via DLL hijacking.

GitHub - AndyFul/Run-By-Smartscreen

Contribute to AndyFul/Run-By-Smartscreen development by creating an account on GitHub.

github.com

This is the shortest description of "Run By SmartScreen".
It allows a quick file verification in the SmartScreen reputation cloud (EXE / MSI files). It is more reliable in most cases than Virus Total.

Of course, the advanced users can do more, like using Any.run or other online services to analyze the samples. But, this is beyond the abilities of most home users.

That was supposed to say UAC last night when i typed it but i was tired and typed what i was reading instead, as it was midnight my time. I fully understand how windows works.

The point though was that having to "execute" the file and give it "the go ahead" is a ridiculous form of testing. Its like stating, i can break through my system defense by executing this script on my desktop. Why sure you can, you just told the system its ok to run it. Its a farce when they do that, its like a slight of hand card trick.

 

[Andy Ful]

The point though was that having to "execute" the file and give it "the go ahead" is a ridiculous form of testing.

Yes, such tests probably assume that the user is a happy-clicker.

 

[Andy Ful]

SWH vs. URL ATTACKS
https://malwaretips.com/threads/hac...en-zero-day-flaw-to-deploy-remcos-rat.127330/
https://infosecwriteups.com/cve-202...ing-windows-smartscreen-security-6ff05c8b69d0

Infection chain:
phishing email ---> URL file ---> malicious website or harmful code execution via exploit

SWH can block such attacks by default (via SRP + system tweak).

******** SRP blocks ********
****************************

Event[0]:
Event Id = 865
Local Time: 2023/11/24 15:02:04
EventRecordID = 20148
Execution ProcessID = '1724' ThreadID='2312'
Computer = XXXX
UserID='XXXX
Attempted Path = k:\extensions\Read Me.url
Description: Default Level SRP block


**************************************
**************************************

 

[simmerskool]

runbysmartscreen indirect question / comment, I recently installed Windows Firewall Control 6.9.9.0 (malwarebytes via binisoft), first time using it, set it to medium filtering (recommended), and I opened something, perhaps Edge, and wfc blocked smartscreen apparently because it is not signed or has "special" MS signature, VirusTotal reports it as "file is not signed" -- why isn't this security file signed, or why doesn't wfc recognize an MS signed file?? I see that wfc has default rules that include many MS files. Just wondering as it seems like an "odd" block.

 

[Freki123]

smartscreen just seems special for some firewalls. Glasswire also doesn't allow it per default and you have to be careful that it doesn't get blocked by mistake. VT says not signed, Cyberlock says it's signed atleast on my win 11.

 

[oldschool]

runbysmartscreen indirect question / comment, I recently installed Windows Firewall Control 6.9.9.0 (malwarebytes via binisoft), first time using it, set it to medium filtering (recommended), and I opened something, perhaps Edge, and wfc blocked smartscreen apparently because it is not signed or has "special" MS signature, VirusTotal reports it as "file is not signed" -- why isn't this security file signed, or why doesn't wfc recognize an MS signed file?? I see that wfc has default rules that include many MS files. Just wondering as it seems like an "odd" block.

@Mod - This post belongs in a firewalls thread.

 

[Andy Ful]

runbysmartscreen indirect question / comment, I recently installed Windows Firewall Control 6.9.9.0 (malwarebytes via binisoft), first time using it, set it to medium filtering (recommended), and I opened something, perhaps Edge, and wfc blocked smartscreen apparently because it is not signed or has "special" MS signature, VirusTotal reports it as "file is not signed" -- why isn't this security file signed, or why doesn't wfc recognize an MS signed file?? I see that wfc has default rules that include many MS files. Just wondering as it seems like an "odd" block.

I do not know why your WFC settings block SmartScreen, but this issue is unrelated to RunBySmartscreen (it does not use any outbound/inbound connections).
I think that the issue can be solved by inspecting the WFC Log and adding some rules:
https://www.windowsphoneinfo.com/th...l-how-to-add-rule-to-allow.71118/#post-685404
https://www.wilderssecurity.com/thr...-by-binisoft-org.347370/page-239#post-2971628
https://malwaretips.com/threads/default-deny-windows-firewall-setup-how-to.124928/post-1052005

Post edited/updated

 

[Andy Ful]

smartscreen just seems special for some firewalls. Glasswire also doesn't allow it per default and you have to be careful that it doesn't get blocked by mistake. VT says not signed, Cyberlock says it's signed atleast on my win 11.

Did you mean that RunBySmartscreen is recognized as unsigned by VT? (the original one is always recognized as signed on VT).
If you thought about smartscreen.exe, it is signed by the catalog file. The certificate is not visible via file properties.

 

[ErzCrz]

From experience, smartscreen.exe connects out TCP/UDP to http port 443. Not a lot of experience with WFC but with Comodo Firewall I do have to create a allow outbound rule for it. I should have a fresh look at WFC but I think last time I installed it, I had to turn off something in device security for it to run on my Win11 machine but that was some months ago.

 

[ErzCrz]

WFC does throw an alert for smartscreen.exe Outbound.

Spoiler: WFC Blocking SmartScreen.exe

Interestingly, when you do a Search online via WFC, it shows on VirusTotal as Signature Verification : Not Signed VirusTotal - Smartscreen.exe the alert is for outgoing HTTPS to port 443 but you can just create a specific allow rule for this.

 

[Andy Ful]

Interestingly, when you do a Search online via WFC, it shows on VirusTotal as Signature Verification : Not Signed VirusTotal - Smartscreen.exe ...

VirusTotal cannot find the certificate because it is not present in the executable smartscreen.exe . This file is signed in another way (by catalog file).

 

[simmerskool]

WFC does throw an alert for smartscreen.exe Outbound.

Spoiler: WFC Blocking SmartScreen.exe

View attachment 280677

Interestingly, when you do a Search online via WFC, it shows on VirusTotal as Signature Verification : Not Signed VirusTotal - Smartscreen.exe the alert is for outgoing HTTPS to port 443 but you can just create a specific allow rule for this.

thanks for confirming what I saw

 

[ErzCrz]

VirusTotal cannot find the certificate because it is not present in the executable smartscreen.exe . This file is signed in another way (by catalog file).

Thanks for confirming. Going with WFC instead of CF as I'm running VoodooShield (CyberLock) so just getting to grips with it though I expect CF and VS/CL work along side each other as well.

 

[simmerskool]

Thanks for confirming. Going with WFC instead of CF as I'm running VoodooShield (CyberLock) so just getting to grips with it though I expect CF and VS/CL work along side each other as well.

several years ago, I ran VS and CF together, I do not recall having issues, but unnecessary. I am testing CF on VM but on hardware pc running CL. (& CL in this VM).

 

[ErzCrz]

several years ago, I ran VS and CF together, I do not recall having issues, but unnecessary. I am testing CF on VM but on hardware pc running CL. (& CL in this VM).

Agreed, the two together isn't necessary. With me only having Home version of Win11 sandbox part of CL isn't possible but will still block/quarantine unknowns/malware

Back to topic: Looking forward to SWH/LHH development and how that might tie in with my setup

 

[codswollip]

After many tries, this and many others seems to be pure psychodrama... sure... if you are heedless about your 'net use you may run into some baddies.... but all the tweaks, and whitelisting, etc., etc., are busy work with no real benefit. Simple imaging can thwart most all bad stuff. Even so, my few needs of re-imaging are primarily due to registry experimentation on my part, rather than some baddie, beating my OS to death.

Keep it simple... Stock Windows Defender is fine.

 

[Digmor Crusher]

After many tries, this and many others seems to be pure psychodrama... sure... if you are heedless about your 'net use you may run into some baddies.... but all the tweaks, and whitelisting, etc., etc., are busy work with no real benefit. Simple imaging can thwart most all bad stuff. Even so, my few needs of re-imaging are primarily due to registry experimentation on my part, rather than some baddie, beating my OS to death.

Keep it simple... Stock Windows Defender is fine.

A data stealer could steal all your data before you even know its there. Imaging will get rid of it but please explain how it will prevent your data getting stolen. It won't.

 

[Andy Ful]

... but all the tweaks, and whitelisting, etc., etc., are busy work with no real benefit.

This observation has nothing to do with Simple Windows Hardening. There is no busy work at all. The benefit is substantial.
The above can confirm any user that tried SWH.
The AV on default settings is probably enough for many users and not enough for others. Anyway, this thread is not the right place to discuss it.