New Update Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,541
Run by smart screen to achieve elevated status.

It does not work in this way (has nothing to do with elevated status).
"Run By SmartScreen" simply triggers SmartScreen for Explorer, when normally the file would be executed without SmartScreen check. It has also an additional feature that prevents bypassing SmartScreen via DLL hijacking.

Basically, don't click these without verification of file, back to the basics.

This is the shortest description of "Run By SmartScreen".
It allows a quick file verification in the SmartScreen reputation cloud (EXE / MSI files). It is more reliable in most cases than Virus Total.

Of course, the advanced users can do more, like using Any.run or other online services to analyze the samples. But, this is beyond the abilities of most home users.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,541
Such a test as Advanced Threat Protection Test 2023 - Consumer, can have some value for AV developers. But, I do not think that it might help the consumers. The results are out of touch with reality due to applied methodology.
For example, Spearphishing attacks have great chances to succeed, even if stopped by the AV. Simply, the user is convinced that the sample is not malicious and expects a false positive. It is a kinda paradox, but novice users can be safer than more experienced ones. Many novice users do not know what is a false positive and will not allow the sample. A more experienced user will look at VirusTotal and see that most AVs consider the sample as non-malicious. This will most probably end with infection. :confused:
 
Last edited:
F

ForgottenSeer 103564

It does not work in this way (has nothing to do with elevated status).
"Run By SmartScreen" simply triggers SmartScreen for Explorer, when normally the file would be executed without SmartScreen check. It has also an additional feature that prevents bypassing SmartScreen via DLL hijacking.



This is the shortest description of "Run By SmartScreen".
It allows a quick file verification in the SmartScreen reputation cloud (EXE / MSI files). It is more reliable in most cases than Virus Total.

Of course, the advanced users can do more, like using Any.run or other online services to analyze the samples. But, this is beyond the abilities of most home users.
That was supposed to say UAC last night when i typed it but i was tired and typed what i was reading instead, as it was midnight my time. I fully understand how windows works.

The point though was that having to "execute" the file and give it "the go ahead" is a ridiculous form of testing. Its like stating, i can break through my system defense by executing this script on my desktop. Why sure you can, you just told the system its ok to run it. Its a farce when they do that, its like a slight of hand card trick.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,541
SWH vs. URL ATTACKS
https://malwaretips.com/threads/hac...en-zero-day-flaw-to-deploy-remcos-rat.127330/
https://infosecwriteups.com/cve-202...ing-windows-smartscreen-security-6ff05c8b69d0

Infection chain:
phishing email ---> URL file ---> malicious website or harmful code execution via exploit

SWH can block such attacks by default (via SRP + system tweak).

1700834505310.png



******** SRP blocks ********
****************************

Event[0]:
Event Id = 865
Local Time: 2023/11/24 15:02:04
EventRecordID = 20148
Execution ProcessID = '1724' ThreadID='2312'
Computer = XXXX
UserID='XXXX
Attempted Path = k:\extensions\Read Me.url
Description: Default Level SRP block


**************************************
**************************************
 
Last edited:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,715
runbysmartscreen indirect question / comment, I recently installed Windows Firewall Control 6.9.9.0 (malwarebytes via binisoft), first time using it, set it to medium filtering (recommended), and I opened something, perhaps Edge, and wfc blocked smartscreen apparently because it is not signed or has "special" MS signature, VirusTotal reports it as "file is not signed" -- why isn't this security file signed, or why doesn't wfc recognize an MS signed file?? I see that wfc has default rules that include many MS files. Just wondering as it seems like an "odd" block.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,673
runbysmartscreen indirect question / comment, I recently installed Windows Firewall Control 6.9.9.0 (malwarebytes via binisoft), first time using it, set it to medium filtering (recommended), and I opened something, perhaps Edge, and wfc blocked smartscreen apparently because it is not signed or has "special" MS signature, VirusTotal reports it as "file is not signed" -- why isn't this security file signed, or why doesn't wfc recognize an MS signed file?? I see that wfc has default rules that include many MS files. Just wondering as it seems like an "odd" block.
@Mod - This post belongs in a firewalls thread.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,541
runbysmartscreen indirect question / comment, I recently installed Windows Firewall Control 6.9.9.0 (malwarebytes via binisoft), first time using it, set it to medium filtering (recommended), and I opened something, perhaps Edge, and wfc blocked smartscreen apparently because it is not signed or has "special" MS signature, VirusTotal reports it as "file is not signed" -- why isn't this security file signed, or why doesn't wfc recognize an MS signed file?? I see that wfc has default rules that include many MS files. Just wondering as it seems like an "odd" block.
I do not know why your WFC settings block SmartScreen, but this issue is unrelated to RunBySmartscreen (it does not use any outbound/inbound connections).
I think that the issue can be solved by inspecting the WFC Log and adding some rules:
https://www.windowsphoneinfo.com/th...l-how-to-add-rule-to-allow.71118/#post-685404
https://www.wilderssecurity.com/thr...-by-binisoft-org.347370/page-239#post-2971628
https://malwaretips.com/threads/default-deny-windows-firewall-setup-how-to.124928/post-1052005

Post edited/updated
 
Last edited:
  • Thanks
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,541
smartscreen just seems special for some firewalls. Glasswire also doesn't allow it per default and you have to be careful that it doesn't get blocked by mistake. VT says not signed, Cyberlock says it's signed atleast on my win 11.
Did you mean that RunBySmartscreen is recognized as unsigned by VT? (the original one is always recognized as signed on VT).
If you thought about smartscreen.exe, it is signed by the catalog file. The certificate is not visible via file properties.
 
Last edited:

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,211
From experience, smartscreen.exe connects out TCP/UDP to http port 443. Not a lot of experience with WFC but with Comodo Firewall I do have to create a allow outbound rule for it. I should have a fresh look at WFC but I think last time I installed it, I had to turn off something in device security for it to run on my Win11 machine but that was some months ago.
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,211
WFC does throw an alert for smartscreen.exe Outbound.
1704312611669.png

Interestingly, when you do a Search online via WFC, it shows on VirusTotal as Signature Verification : Not Signed VirusTotal - Smartscreen.exe the alert is for outgoing HTTPS to port 443 but you can just create a specific allow rule for this.
 
  • Thanks
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,541
Interestingly, when you do a Search online via WFC, it shows on VirusTotal as Signature Verification : Not Signed VirusTotal - Smartscreen.exe ...

VirusTotal cannot find the certificate because it is not present in the executable smartscreen.exe . This file is signed in another way (by catalog file).
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,715
WFC does throw an alert for smartscreen.exe Outbound.

Interestingly, when you do a Search online via WFC, it shows on VirusTotal as Signature Verification : Not Signed VirusTotal - Smartscreen.exe the alert is for outgoing HTTPS to port 443 but you can just create a specific allow rule for this.
thanks for confirming what I saw :cool:
 
  • Like
Reactions: ErzCrz

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,211
VirusTotal cannot find the certificate because it is not present in the executable smartscreen.exe . This file is signed in another way (by catalog file).
Thanks for confirming. Going with WFC instead of CF as I'm running VoodooShield (CyberLock) so just getting to grips with it though I expect CF and VS/CL work along side each other as well.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,715
Thanks for confirming. Going with WFC instead of CF as I'm running VoodooShield (CyberLock) so just getting to grips with it though I expect CF and VS/CL work along side each other as well.
several years ago, I ran VS and CF together, I do not recall having issues, but unnecessary. I am testing CF on VM but on hardware pc running CL. (& CL in this VM).
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,211
several years ago, I ran VS and CF together, I do not recall having issues, but unnecessary. I am testing CF on VM but on hardware pc running CL. (& CL in this VM).
Agreed, the two together isn't necessary. With me only having Home version of Win11 sandbox part of CL isn't possible but will still block/quarantine unknowns/malware ;)

Back to topic: Looking forward to SWH/LHH development and how that might tie in with my setup :)
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
After many tries, this and many others seems to be pure psychodrama... sure... if you are heedless about your 'net use you may run into some baddies.... but all the tweaks, and whitelisting, etc., etc., are busy work with no real benefit. Simple imaging can thwart most all bad stuff. Even so, my few needs of re-imaging are primarily due to registry experimentation on my part, rather than some baddie, beating my OS to death.

Keep it simple... Stock Windows Defender is fine.
 

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,424
After many tries, this and many others seems to be pure psychodrama... sure... if you are heedless about your 'net use you may run into some baddies.... but all the tweaks, and whitelisting, etc., etc., are busy work with no real benefit. Simple imaging can thwart most all bad stuff. Even so, my few needs of re-imaging are primarily due to registry experimentation on my part, rather than some baddie, beating my OS to death.

Keep it simple... Stock Windows Defender is fine.
A data stealer could steal all your data before you even know its there. Imaging will get rid of it but please explain how it will prevent your data getting stolen. It won't.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,541
... but all the tweaks, and whitelisting, etc., etc., are busy work with no real benefit.

This observation has nothing to do with Simple Windows Hardening. There is no busy work at all. The benefit is substantial.
The above can confirm any user that tried SWH.(y)
The AV on default settings is probably enough for many users and not enough for others. Anyway, this thread is not the right place to discuss it.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top