New Update Simple Windows Hardening

P

Protomartyr

Level 7
Sep 23, 2019
314
@HarborFront
The standalone version of the Document Anti-Exploit tool can be found here: AndyFul/ConfigureDefender

ON2 refers to a specific setting for Microsoft Office in the standalone version of the tool.

SWH includes a version of the tool under Settings > Document Anti-Exploit. However, I'm not sure what the comparable setting to ON2 from the standalone version is in SWH as the options available are simplified.

Hopefully Andy can expand on that.
 
  • Like
Reactions: Nevi, Deletedmessiah, silversurfer and 6 others
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,139
Protomartyr said:
@HarborFront
The standalone version of the Document Anti-Exploit tool can be found here: AndyFul/ConfigureDefender

ON2 refers to a specific setting for Microsoft Office in the standalone version of the tool.

SWH includes a version of the tool under Settings > Document Anti-Exploit. However, I'm not sure what the comparable setting to ON2 from the standalone version is in SWH as the options available are simplified.

Hopefully Andy can expand on that.
Click to expand...
So now I have SWH do I need to have the Document Anti-Exploit standalone tool or l disable the Document Anti-Exploit feature in SWH (can disable?) and use the standalone version to complement my SWH?
 
  • Like
Reactions: Nevi and Protomartyr
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
HarborFront said:
I'm using SWH. Is DocumentsAntiExploit tool in SWH? I thought I saw it inside SWH. Or needs to be used independently. If it's the latter where to download the standalone version? BTW, what is ON2?

Thanks
Click to expand...
It is a part of Hard_Configurator project, but it is also available as a standalone tool (not part of SWH):
https://github.com/AndyFul/ConfigureDefender/blob/master/H_C_HardeningTools.zip
The option *Documents Anti-Exploit* in SWH is different - it prevents the attacks based on VBA (Visual Basic for Applications). Most attacks are performed in this way. But, the non-VBA-based attacks are more and more popular so it is good to apply additional protection via the standalone DocumentsAntiExploit tool. SWH and ConfigureDefender are compatible with it.
The ON2 setting and others are explained in the help info of this tool:

1610966745390.png



It is worth to remember that H_C and SWH settings are system-wide. DocumentsAntiExploit tool can apply settings for the particular user account. After uninstalling H_C, the system-wide settings are set to Windows default values. But the user-dependent settings made via DocumentsAntiExploit tool will not be removed. That is why this tool is not removed, too (available on Desktop). To remove the user-dependent settings for MS Office, the DocumentsAntiExploit tool has to be run on each restricted account and set to OFF.
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: Nevi, Deletedmessiah, Protomartyr and 6 others
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,139
Andy Ful said:
It is a part of Hard_Configurator project, but it is also available as a standalone tool (not part of SWH):
https://github.com/AndyFul/ConfigureDefender/blob/master/H_C_HardeningTools.zip
The option *Documents Anti-Exploit* in SWH is different - it prevents the attacks based on VBA (Visual Basic for Applications). Most attacks are performed in this way. But, the non-VBA-based attacks are more and more popular so it is good to apply additional protection via the standalone DocumentsAntiExploit tool. SWH and ConfigureDefender are compatible with it.
The ON2 setting and others are explained in the help info of this tool:

View attachment 253096


It is worth to remember that SWH settings are system-wide. DocumentsAntiExploit tool can apply settings for the particular user account.
Click to expand...
Thanks. I'll add the Document Anti-Exploit standalone tool to SWH then.
 
  • Like
Reactions: Nevi, Protomartyr, silversurfer and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
This config is more restrictive. Some people cannot use it if they need advanced MS Office functions. In such a case there is another solution.
  1. Install Word Mobile, Excel Mobile, and PowerPoint Mobile alongside the normal MS Office and configure these apps as default programs for opening MS Office documents. These are Microsoft apps (from Microsoft Store) and they can be used for free to view the documents (editing requires the paid version).
  2. You can still use the previously installed MS Office for opening trusted documents. Simply, start the normal MS Office and open the trusted document from it.
In such a config when you double click (or press the Enter key on the document) it will be opened in the Office Mobile app. The Office Mobile apps run in AppContainer and do not run any active content embedded in documents. The trusted documents (made by the user) can be still opened without restrictions by opening the normal (desktop) MS Office.
I use these apps for viewing documents and they are most compatible with normal (desktop) MS Office versions (do not use normal MS Office at all). The document content can be copied (without active elements) or printed from these apps.

Edit.
The mobile apps are not visible in Microsoft Store until the Mobile option under the Availability tab is chosen. They can be also found there:
Get Excel Mobile - Microsoft Store
Get PowerPoint Mobile - Microsoft Store
Get Word Mobile - Microsoft Store
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: Nevi, Jan Willy, Protomartyr and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
SecurityNightmares said:
Should i switch from Windows internal Wordpad?
(I also have Office 365 but not installed, as i can use them in browser if i want)
Click to expand...
If you use H_C / SWH and Wordpad is OK for you, then you can keep it.
Wordpad allows running attachments embedded in the document as OLE (warning has to be ignored). The user can be fooled by social engineering to click the OLE and the attachment will be opened. These attachments are mostly scripts or scriptlets that are covered by H_C or SWH settings.
Wordpad will open properly simple documents, but in complex documents, some content can be displayed improperly (mathematical equations, diagrams, etc.).
 
Last edited:
  • Like
  • Thanks
Reactions: Nevi, Protomartyr, blackice and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Thank Malware Hub testing I confirmed which combinations of AV + SWH are strongest.

First, I would like to recall that Kaspersky with Application Control can be set to work similarly to Trusted Application Mode, so all executables and some popular script types run in the Untrusted group if they are unknown in KSN. Such settings + disabling the option which trusts applications that have a digital signature are sufficiently strong and do not require additional protection via SWH.

Generally, I recommend all other AVs that can apply astounding protection against executables (EXE, DLL, etc.) due to File Reputation in the Cloud:
  • Avast/AVG (Hardened Mode + CyberCapture)
  • Microsoft Defender (MAX or INTERACTIVE Protection Level, CFA can be disabled)
  • Norton 360
The above AVs use different File Reputation features. The most comprehensive is Norton (Symantec) Insight.
There are very small differences in the protection between all mentioned solutions:
Norton + SWH ~ KIS (highly tweaked) > MSD MAX + SWH ~ Avast/AVG HD & CC + SWH
 
Last edited:
  • Like
Reactions: Nevi, ErzCrz, CyberPanther and 3 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,233
Andy Ful said:
Thank Malware Hub testing I confirmed which combinations of AV + SWH are strongest.

First, I would like to recall that Kaspersky with Application Control can be set to work similarly to Trusted Application Mode, so all executables and some popular script types are run in the Untrusted group if they are unknown in KSN. Such settings + disabling the option which trusts applications that have a digital signature are sufficiently strong and do not require additional protection via SWH.

Generally, I recommend all other AVs that can apply astounding protection against executables (EXE, DLL, etc.) due to File Reputation in the Cloud:
  • Avast/AVG (Hardened Mode + CyberCapture)
  • Microsoft Defender (MAX or INTERACTIVE Protection Level)
  • Norton 360
The above AVs use different File Reputation features. The most comprehensive is Norton (Symantec) Insight.
There are very small differences in the protection between all mentioned solutions:
Norton + SWH ~ KIS (highly tweaked) > MSD MAX + SWH ~ Avast/AVG HD & CC + SWH
Click to expand...
What is the INTERACTIVE Protection Level of Microsoft Defender?
The same as your HIGH settings?
 
  • Like
Reactions: Nevi, harlan4096 and Andy Ful
F

ForgottenSeer 85179

Andy Ful said:
The above AVs use different File Reputation features. The most comprehensive is Norton (Symantec) Insight.
There are very small differences in the protection between all mentioned solutions:
Norton + SWH ~ KIS (highly tweaked) > MSD MAX + SWH ~ Avast/AVG HD & CC + SWH
Click to expand...
Can you please add a comparison to MD with H_C ?
 
  • Like
Reactions: Nevi, ErzCrz and Andy Ful

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,420
Hard_Configurator Tools
South Park
South Park
Gandalf_The_Grey
    • Like
    • Hundred Points
New Update Patch Tuesday update (KB5041571) hits Copilot+ PCs running Windows 11 24H2
Replies
0
Views
293
Windows 11
Gandalf_The_Grey
Gandalf_The_Grey
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,098
Hard_Configurator Tools
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top