Q&A Simple Windows Hardening

Protomartyr
Sep 23, 2019
@HarborFront
The standalone version of the Document Anti-Exploit tool can be found here: AndyFul/ConfigureDefender

ON2 refers to a specific setting for Microsoft Office in the standalone version of the tool.

SWH includes a version of the tool under Settings > Document Anti-Exploit. However, I'm not sure what the comparable setting to ON2 from the standalone version is in SWH as the options available are simplified.

Hopefully Andy can expand on that.
 

HarborFront
Oct 9, 2016
> @HarborFront
> The standalone version of the Document Anti-Exploit tool can be found here: AndyFul/ConfigureDefender
>
> ON2 refers to a specific setting for Microsoft Office in the standalone version of the tool.
>
> SWH includes a version of the tool under Settings > Document Anti-Exploit. However, I'm not sure what the comparable setting to ON2 from the standalone version is in SWH as the options available are simplified.
>
> Hopefully Andy can expand on that.

So now that I have SWH, do I need to have the Document Anti-Exploit standalone tool, or do I disable the Document Anti-Exploit feature in SWH (can it be disabled?) and use the standalone version to complement my SWH?
 

Andy Ful
Dec 23, 2014
> I'm using SWH. Is the DocumentsAntiExploit tool in SWH? I thought I saw it inside SWH. Or does it need to be used independently? If it's the latter, where do I download the standalone version? BTW, what is ON2?
>
> Thanks

It is a part of the Hard_Configurator project, but it is also available as a standalone tool (not part of SWH):
https://github.com/AndyFul/ConfigureDefender/blob/master/H_C_HardeningTools.zip
The option *Documents Anti-Exploit* in SWH is different: it prevents attacks based on VBA (Visual Basic for Applications). Most attacks are performed this way. But non-VBA-based attacks are more and more popular, so it is good to apply additional protection via the standalone DocumentsAntiExploit tool. SWH and ConfigureDefender are compatible with it.
The ON2 setting and the others are explained in the help info of this tool:

[screenshot: help info of the DocumentsAntiExploit tool]

It is worth remembering that H_C and SWH settings are system-wide. The DocumentsAntiExploit tool can apply settings for a particular user account. After uninstalling H_C, the system-wide settings are set to Windows default values, but the user-dependent settings made via the DocumentsAntiExploit tool will not be removed. That is why this tool is not removed either (it stays available on the Desktop). To remove the user-dependent settings for MS Office, the DocumentsAntiExploit tool has to be run on each restricted account and set to OFF.
 
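The per-user versus system-wide distinction above is worth seeing in the registry. The following PowerShell is an added example, not code from the thread and not part of the Hard_Configurator or DocumentsAntiExploit tool: it audits the MS Office macro (VBA) and OLE package settings of the current user and can apply a strict set to them. Which of these values the DocumentsAntiExploit tool or its ON2 preset actually writes is not stated on this page and is an assumption; the value meanings come from Microsoft's Office policy templates, and the Office version "16.0" is assumed.

```powershell
# Added example (not from the thread, not part of Hard_Configurator / DocumentsAntiExploit).
# Audits and optionally hardens the per-user MS Office settings that govern macro and
# OLE package execution. What the DocumentsAntiExploit tool / ON2 writes is an assumption.

$OfficeVersion = '16.0'                       # assumption: Office 2016/2019/365 (15.0 = Office 2013)
$OfficeApps    = 'Word', 'Excel', 'PowerPoint'

# Value name -> (numeric value -> meaning), per the Office ADMX policy templates.
$SettingMeanings = @{
    'VBAWarnings' = @{
        1 = 'all macros enabled'
        2 = 'macros disabled, user is notified (Office default)'
        3 = 'only digitally signed macros run'
        4 = 'all macros disabled, no notification'
    }
    'blockcontentexecutionfrominternet' = @{
        0 = 'macros in files from the Internet are NOT blocked'
        1 = 'macros in files marked as from the Internet are blocked'
    }
    'PackagerPrompt' = @{
        0 = 'OLE packager objects run without a prompt'
        1 = 'user is prompted, object runs if accepted'
        2 = 'OLE packager objects never run'
    }
}

function Get-OfficeSecurityPath {
    param([string]$App, [ValidateSet('user', 'policy')][string]$Scope)
    # Both keys live under HKCU: that is why such settings must be applied (and later
    # reset) on every account separately, unlike the system-wide H_C / SWH settings.
    if ($Scope -eq 'policy') {
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"   # policy key wins over Trust Center
    } else {
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"            # Trust Center key
    }
}

function Get-OfficeDocumentSecurity {
    # Reports the current user's macro/OLE settings for each app in both scopes.
    foreach ($app in $OfficeApps) {
        foreach ($scope in 'user', 'policy') {
            $path = Get-OfficeSecurityPath -App $app -Scope $scope
            foreach ($name in $SettingMeanings.Keys) {
                $value = $null
                if (Test-Path $path) {
                    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
                }
                $meaning = if ($null -eq $value) { 'not set (application default applies)' }
                           elseif ($SettingMeanings[$name].ContainsKey([int]$value)) { $SettingMeanings[$name][[int]$value] }
                           else { 'unrecognised value' }
                [pscustomobject]@{ App = $app; Scope = $scope; Setting = $name; Value = $value; Meaning = $meaning }
            }
        }
    }
}

function Set-OfficeDocumentHardening {
    # Writes a strict set into the current user's Trust Center keys. Run with -WhatIf first.
    # To revert on an account, set VBAWarnings back to 2 or delete the three values.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$VBAWarnings = 4)     # use 3 if signed macros must keep working
    foreach ($app in $OfficeApps) {
        $path = Get-OfficeSecurityPath -App $app -Scope 'user'
        if ($PSCmdlet.ShouldProcess($path, 'harden macro/OLE settings')) {
            New-Item -Path $path -Force | Out-Null
            Set-ItemProperty -Path $path -Name 'VBAWarnings'                       -Value $VBAWarnings -Type DWord
            Set-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Value 1            -Type DWord
            Set-ItemProperty -Path $path -Name 'PackagerPrompt'                    -Value 2            -Type DWord
        }
    }
}

# Usage (run once per user account, as the post says the tool itself has to be):
Get-OfficeDocumentSecurity | Format-Table -AutoSize
# Set-OfficeDocumentHardening -WhatIf
```

The policy scope is listed because a value set there overrides the Trust Center value of the same name, so an audit that reads only the Trust Center key can report a weaker setting than the one Office actually enforces. Both scopes being under HKCU is also why uninstalling a system-wide tool leaves them behind.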

HarborFront
Oct 9, 2016
> It is a part of the Hard_Configurator project, but it is also available as a standalone tool (not part of SWH):
> https://github.com/AndyFul/ConfigureDefender/blob/master/H_C_HardeningTools.zip
> The option *Documents Anti-Exploit* in SWH is different: it prevents attacks based on VBA (Visual Basic for Applications). Most attacks are performed this way. But non-VBA-based attacks are more and more popular, so it is good to apply additional protection via the standalone DocumentsAntiExploit tool. SWH and ConfigureDefender are compatible with it.
> The ON2 setting and the others are explained in the help info of this tool:
>
> [screenshot: help info of the DocumentsAntiExploit tool]
>
> It is worth remembering that SWH settings are system-wide. The DocumentsAntiExploit tool can apply settings for a particular user account.

Thanks. I'll add the Document Anti-Exploit standalone tool to SWH then.
 

Andy Ful
Dec 23, 2014
This config is more restrictive. Some people cannot use it if they need advanced MS Office functions. In such a case there is another solution.
  1. Install Word Mobile, Excel Mobile, and PowerPoint Mobile alongside the normal MS Office and configure these apps as the default programs for opening MS Office documents. These are Microsoft apps (from the Microsoft Store) and they can be used for free to view documents (editing requires the paid version).
  2. You can still use the previously installed MS Office for opening trusted documents. Simply start the normal MS Office and open the trusted document from it.
In such a config, when you double-click (or press the Enter key on) the document, it will be opened in the Office Mobile app. The Office Mobile apps run in AppContainer and do not run any active content embedded in documents. Trusted documents (made by the user) can still be opened without restrictions by opening them from the normal (desktop) MS Office.
I use these apps for viewing documents and they are the most compatible with normal (desktop) MS Office versions (do not use normal MS Office at all). The document content can be copied (without active elements) or printed from these apps.

Edit.
The mobile apps are not visible in the Microsoft Store until the Mobile option under the Availability tab is chosen. They can also be found here:
Get Excel Mobile - Microsoft Store
Get PowerPoint Mobile - Microsoft Store
Get Word Mobile - Microsoft Store
 
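The configuration above only works if the Store app, not the desktop Office, really is the registered handler for every Office document type. The following PowerShell is an added example, not code from the thread or from the Office Mobile apps: it reports which ProgId the current user has as the default for each Office extension, whether that ProgId belongs to a Store (AppX) package, and whether the three mobile apps are installed. The package names used for the mobile apps are an assumption.

```powershell
# Added example (not from the thread). Audits the current user's default handlers for
# Office document types and whether Word/Excel/PowerPoint Mobile are installed.

$DocumentExtensions = '.doc', '.docx', '.docm', '.xls', '.xlsx', '.xlsm', '.ppt', '.pptx', '.pptm'
# Assumption: Store package names of the Office Mobile apps.
$MobilePackages     = 'Microsoft.Office.Word', 'Microsoft.Office.Excel', 'Microsoft.Office.PowerPoint'

function Get-DocumentDefaultHandler {
    # Explorer stores the user's "Open with" choice under FileExts\<ext>\UserChoice.
    foreach ($ext in $DocumentExtensions) {
        $choice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        $progId = $null
        if (Test-Path $choice) {
            $progId = (Get-ItemProperty -Path $choice -Name ProgId -ErrorAction SilentlyContinue).ProgId
        }
        if (-not $progId) {
            # No per-user choice: fall back to the machine-wide association under HKCR.
            $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        }
        # Store apps register ProgIds of the form "AppX<hash>"; desktop Office uses e.g. "Word.Document.12".
        $isStoreApp = [bool]($progId -and $progId -like 'AppX*')
        $appId = $null
        if ($isStoreApp) {
            # Store ProgIds carry the package's AppUserModelID under HKCR\<ProgId>\Application.
            $appId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\Application" -ErrorAction SilentlyContinue).AppUserModelID
        }
        [pscustomobject]@{ Extension = $ext; ProgId = $progId; IsStoreApp = $isStoreApp; AppUserModelID = $appId }
    }
}

function Get-OfficeMobileInstallState {
    foreach ($name in $MobilePackages) {
        $pkg = Get-AppxPackage -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Package = $name; Installed = [bool]$pkg; Version = $pkg.Version }
    }
}

# Usage:
Get-OfficeMobileInstallState | Format-Table -AutoSize
Get-DocumentDefaultHandler   | Format-Table -AutoSize
```

Any extension whose handler is not a Store app still opens in the desktop Office on double-click and gets none of the AppContainer isolation the post relies on. Change such entries through Settings > Apps > Default apps rather than by writing the UserChoice key: Windows protects that key with a hash and ignores values written directly.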

Andy Ful
Dec 23, 2014
> Should I switch from the Windows internal Wordpad?
> (I also have Office 365 but not installed, as I can use them in the browser if I want)

If you use H_C / SWH and Wordpad is OK for you, then you can keep it.
Wordpad allows running attachments embedded in the document as OLE (the warning has to be ignored). The user can be fooled by social engineering into clicking the OLE, and the attachment will be opened. These attachments are mostly scripts or scriptlets that are covered by H_C or SWH settings.
Wordpad will open simple documents properly, but in complex documents some content can be displayed improperly (mathematical equations, diagrams, etc.).
 

Andy Ful
Dec 23, 2014
Thanks to Malware Hub testing, I confirmed which combinations of AV + SWH are the strongest.

First, I would like to recall that Kaspersky with Application Control can be set to work similarly to Trusted Application Mode, so all executables and some popular script types run in the Untrusted group if they are unknown in KSN. Such settings + disabling the option which trusts applications that have a digital signature are sufficiently strong and do not require additional protection via SWH.

Generally, I recommend all other AVs that can apply astounding protection against executables (EXE, DLL, etc.) due to File Reputation in the Cloud:
  • Avast/AVG (Hardened Mode + CyberCapture)
  • Microsoft Defender (MAX or INTERACTIVE Protection Level, CFA can be disabled)
  • Norton 360
The above AVs use different File Reputation features. The most comprehensive is Norton (Symantec) Insight.
There are very small differences in protection between all the mentioned solutions:
Norton + SWH ~ KIS (highly tweaked) > MSD MAX + SWH ~ Avast/AVG HD & CC + SWH
 
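For the Microsoft Defender entry above, the settings being compared (cloud protection level, Controlled Folder Access, ASR rules) can be read directly with the built-in Defender cmdlets. The following PowerShell is an added example, not code from the thread and not part of ConfigureDefender: it reports the current state of those settings on the machine. What the MAX, INTERACTIVE or HIGH presets of ConfigureDefender set is not stated on this page, so the script makes no claim about them; the numeric value meanings are those documented for Get-MpPreference.

```powershell
# Added example (not from the thread, not part of ConfigureDefender). Reads the Defender
# cloud protection, CFA and ASR state with the built-in Defender cmdlets.

# Numeric meanings as documented for Get-MpPreference / Set-MpPreference.
$CloudBlockLevels = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'High+'; 6 = 'Zero tolerance' }
$MapsLevels       = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$SampleConsent    = @{ 0 = 'Always prompt'; 1 = 'Send safe samples'; 2 = 'Never send'; 3 = 'Send all samples' }
$CfaStates        = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }
$AsrActions       = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-DefenderCloudProtectionState {
    $p = Get-MpPreference

    # ASR rules are exposed as two parallel arrays (rule GUID, action code).
    # Filter out $null so an unconfigured machine yields an empty list, not one bogus row.
    $asrIds     = @($p.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $asrActions = @($p.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $asrSummary = for ($i = 0; $i -lt $asrIds.Count; $i++) {
        $code = [int]$asrActions[$i]
        [pscustomobject]@{ RuleId = $asrIds[$i]; Action = $AsrActions[$code] }
    }

    [pscustomobject]@{
        CloudBlockLevel         = $CloudBlockLevels[[int]$p.CloudBlockLevel]
        CloudExtendedTimeoutSec = $p.CloudExtendedTimeout        # extra seconds Defender may hold a file for a cloud verdict
        MAPSReporting           = $MapsLevels[[int]$p.MAPSReporting]
        SampleSubmission        = $SampleConsent[[int]$p.SubmitSamplesConsent]
        ControlledFolderAccess  = $CfaStates[[int]$p.EnableControlledFolderAccess]
        AsrRulesBlocking        = @($asrSummary | Where-Object Action -eq 'Block').Count
        AsrRules                = $asrSummary
    }
}

# Usage:
$state = Get-DefenderCloudProtectionState
$state | Format-List CloudBlockLevel, CloudExtendedTimeoutSec, MAPSReporting, SampleSubmission, ControlledFolderAccess, AsrRulesBlocking
$state.AsrRules | Format-Table -AutoSize
```

Two things to check in the output: cloud-delivered file reputation, which the post's ranking relies on, is only active while MAPSReporting is above Disabled, and a CloudBlockLevel of Default means Defender's standard aggressiveness, not that cloud lookups are off.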

Gandalf_The_Grey
Apr 24, 2016
> Thanks to Malware Hub testing, I confirmed which combinations of AV + SWH are the strongest.
>
> First, I would like to recall that Kaspersky with Application Control can be set to work similarly to Trusted Application Mode, so all executables and some popular script types are run in the Untrusted group if they are unknown in KSN. Such settings + disabling the option which trusts applications that have a digital signature are sufficiently strong and do not require additional protection via SWH.
>
> Generally, I recommend all other AVs that can apply astounding protection against executables (EXE, DLL, etc.) due to File Reputation in the Cloud:
>   • Avast/AVG (Hardened Mode + CyberCapture)
>   • Microsoft Defender (MAX or INTERACTIVE Protection Level)
>   • Norton 360
> The above AVs use different File Reputation features. The most comprehensive is Norton (Symantec) Insight.
> There are very small differences in protection between all the mentioned solutions:
> Norton + SWH ~ KIS (highly tweaked) > MSD MAX + SWH ~ Avast/AVG HD & CC + SWH

What is the INTERACTIVE Protection Level of Microsoft Defender?
The same as your HIGH settings?
 