New Update Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,485
I could not turn it off:
So the * SMB Protocols * setting should be visible as Restricted SMB1. This is a usual Windows built-in restriction on Windows 10 (SMB1 not installed), which was not set by SWH. Does WD TV Play Media Player work well now? Can you see anything blocked via <Blocked Events>?
 

franz

Level 9
Verified
Well-known
May 29, 2021
424
So the * SMB Protocols * setting should be visible as Restricted SMB1. This is a usual Windows built-in restriction on Windows 10 (SMB1 not installed), which was not set by SWH. Does WD TV Play Media Player work well now? Can you see anything blocked via <Blocked Events>?
My WD TV Play Media Player cannot connect to my computer using Simple Windows Hardening.
 

Andy Ful

My WD TV Play Media Player cannot connect to my computer using Simple Windows Hardening.
Let's sum up.
  1. You are in shadow mode.
  2. Just before running SWH the WD TV Play Media Player works well.
  3. Just after running SWH the WD TV Play Media Player stops working.
  4. There are no blocked events when using the <Blocked Events> button (for SRP and PowerShell).
Did you try restoring the Windows defaults via Menu >> Restore Windows Defaults?
 

franz

Let's sum up.
  1. You are in shadow mode.
  2. Just before running SWH the WD TV Play Media Player works well.
  3. Just after running SWH the WD TV Play Media Player stops working.
  4. There are no blocked events when using the <Blocked Events> button (for SRP and PowerShell).
Did you try restoring the Windows defaults via Menu >> Restore Windows Defaults?
Correct.
 

Andy Ful

"Did you try restoring the Windows defaults via Menu >> Restore Windows Defaults?"
No I did not, should I?
Yes. This will remove all changes made by SWH. Try to log off the account and log in. Next, try the WD TV Play Media Player.
 

franz

Yes. This will remove all changes made by SWH. Try to log off the account and log in. Next, try the WD TV Play Media Player.
But when I restore with my Macrium image from earlier, it does the same. It makes no difference: it works before I try SWH and after, it does not.
 

Andy Ful

But when I restore with my Macrium image from earlier, it does the same. It makes no difference: it works before I try SWH and after, it does not.
If you restore Windows defaults via SWH (Menu >> Restore Windows Defaults), then only SWH changes will be removed. When you use a Macrium image, you also remove all changes made by other programs, system tasks, and updates.
 

franz

If you restore Windows defaults via SWH (Menu >> Restore Windows Defaults), then only SWH changes will be removed. When you use a Macrium image, you also remove all changes made by other programs, system tasks, and updates.
I understand what you asked of me now. I did that earlier before I installed a new image again, and funny enough, it did not work after either. Something had changed that was not reversed.
 

Andy Ful

I understand what you asked of me now. I did that earlier before I installed a new image again, and funny enough, it did not work after either. Something had changed that was not reversed.
I found a difference. With SMB1 installed, like in the picture below:

[screenshot 1: Windows Features with SMB1 installed]

The SWH setting * SMB Protocols * shows on my computer that SMB123 are allowed:

[screenshot 2: SWH * SMB Protocols * setting showing SMB123 allowed]

From your post, it follows that on your machine this is not the case and SWH shows that SMB is Restricted. Is this true?
 

franz

I found a difference. With SMB1 installed, like in the picture below:

[screenshot 1: Windows Features with SMB1 installed]

The SWH setting * SMB Protocols * shows on my computer that SMB123 are allowed:

[screenshot 2: SWH * SMB Protocols * setting showing SMB123 allowed]

From your post, it follows that on your machine this is not the case and SWH shows that SMB is Restricted. Is this true?
This is my machine before and after installation of SWH. The Windows features did not change, and the settings are what you see in the picture.
 

[attachments: 1.jpg, 2.jpg]

Andy Ful

This is my machine before and after installation of SWH. The Windows features did not change, and the settings are what you see in the picture.

These settings are like on my machine, but they are different from the settings you have posted here:
https://malwaretips.com/threads/possible-ways-to-harden-windows.112933/post-997939

So, the previous testing was done on different Windows settings. In the previous settings, SMB1 was not installed; now it is. Now, you can Restrict or Allow SMB via SWH (Settings >> * SMB Protocols *) without the alert that SMB1 is not installed. The SWH restrictions for SMB do not install/uninstall SMB.
It seems that something changed the SMB features. This can be a source of your problem.
Anyway, now SMB1 is installed and SWH shows that SMB protocols are allowed. If you still cannot use WD TV Play Media Player, then something else is involved here.

Edit.
@upnorth, is it possible to move the posts related to SWH and WD TV Play Media Player to the SWH thread?
 
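The post above turns on one distinction: SMB1 being absent because the Windows optional feature is not installed, versus SMB1 being installed but switched off by a policy or a tool. The script below is an added example, not SWH's own code, that reports which of those states a Windows 10/11 machine is in and which SMB dialects connected clients are actually using; it relies only on the built-in DISM and SmbShare cmdlets and needs an elevated PowerShell.

```powershell
# Added example (not part of SWH): trace an "SMB1 restricted" state to its
# real source and show which dialects live clients negotiate.
# Run elevated on Windows 10/11; needs the DISM and SmbShare modules.
function Get-Smb1Status {
    # 1. Is the SMB1 optional feature installed at all? When it is not,
    #    SMB1 is unavailable regardless of any hardening tool's setting.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # 2. Server-side switches: SMB1 and SMB2/3 are independent flags.
    $srv = Get-SmbServerConfiguration

    # 3. Which dialects are connected clients really using? A device that
    #    shows a 1.x dialect here will break when SMB1 is removed or disabled.
    $sessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, Dialect

    $verdict = if ($featureState -ne 'Enabled') {
        'SMB1 not installed: Windows built-in state, not a setting made by a hardening tool'
    } elseif (-not $srv.EnableSMB1Protocol) {
        'SMB1 installed but disabled in the SMB server configuration'
    } else {
        'SMB1 installed and enabled on the server side'
    }

    [pscustomobject]@{
        Smb1FeatureState  = $featureState
        Smb1ServerEnabled = $srv.EnableSMB1Protocol
        Smb2ServerEnabled = $srv.EnableSMB2Protocol
        # When true, each SMB1 access is logged as event 3000 in
        # Microsoft-Windows-SMBServer/Audit, useful before removing SMB1.
        Smb1AuditEnabled  = $srv.AuditSmb1Access
        ActiveSessions    = $sessions
        Verdict           = $verdict
    }
}

Get-Smb1Status | Format-List
```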

franz

These settings are like on my machine, but they are different from the settings you have posted here:
https://malwaretips.com/threads/possible-ways-to-harden-windows.112933/post-997939

So, the previous testing was done on different Windows settings. In the previous settings, SMB1 was not installed; now it is. Now, you can Restrict or Allow SMB via SWH (Settings >> * SMB Protocols *) without the alert that SMB1 is not installed. The SWH restrictions for SMB do not install/uninstall SMB.
It seems that something changed the SMB features. This can be a source of your problem.
Anyway, now SMB1 is installed and SWH shows that SMB protocols are allowed. If you still cannot use WD TV Play Media Player, then something else is involved here.

Edit.
@upnorth, is it possible to move the posts related to SWH and WD TV Play Media Player to the SWH thread?
"If you still cannot use WD TV Play Media Player, then something else is involved here."
It looks like it. Thank you anyway :)
 

franz

These settings are like on my machine, but they are different from the settings you have posted here:
https://malwaretips.com/threads/possible-ways-to-harden-windows.112933/post-997939

So, the previous testing was done on different Windows settings. In the previous settings, SMB1 was not installed; now it is. Now, you can Restrict or Allow SMB via SWH (Settings >> * SMB Protocols *) without the alert that SMB1 is not installed. The SWH restrictions for SMB do not install/uninstall SMB.
It seems that something changed the SMB features. This can be a source of your problem.
Anyway, now SMB1 is installed and SWH shows that SMB protocols are allowed. If you still cannot use WD TV Play Media Player, then something else is involved here.

Edit.
@upnorth, is it possible to move the posts related to SWH and WD TV Play Media Player to the SWH thread?
I installed F-Secure Safe again instead of Bitdefender Total Security, and everything works fine with SWH installed.
The problem was Bitdefender.
:)
 

Andy Ful

SWH vs. Magniber CPL variant
https://www.socinvestigation.com/magniber-ransomware-payload-extension-changed-detection-response/

Researchers at Asec Lab have observed the new indicators of Magniber. Since February 2022, Magniber has been using a Windows installer package file (.msi) instead of IE browser vulnerability for its distribution. The ransomware includes a valid certificate and was distributed in DLL form inside the MSI file. However, starting from July 20th (Wednesday), it is now being distributed as a CPL file extension instead of MSI.
As the cases of using an MSI file for distribution are decreasing, the attacker of Magniber likely has changed the method of distribution.
(...)
Magniber is currently being distributed in a typosquatting method that exploits typos made when entering domains, targeting Chrome and Edge users with the latest Windows version. As users may download ransomware by entering incorrect domains, extra caution is required.

The infection chain:
typosquatting --> malicious website ---> Magniber downloaded directly as CPL file or in ZIP archive ---> user opens CPL file (Magniber is executed via LOLBins: control.exe & rundll32.exe)

SWH blocks by default opening CPL files (SRP restrictions).
But the rest will depend on the user. Magniber is often promoted as a digitally signed update/upgrade, so many users can be fooled into turning off the protection. This is probable especially when they are looking for pirated content. Anyway, the false alarms for updates/upgrades are very low with SWH settings, so many users can also be suspicious about these updates/upgrades. In such rare and unclear situations, the best solution is to wait one day (or more). In most cases, the AVs are able to correctly recognize threats after one day.
 
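The post above says SWH blocks opening CPL files through SRP restrictions. As an added example, not SWH's code, the read-only script below inspects the standard machine-wide Software Restriction Policies registry key and reports whether CPL is among the "designated file types" the policy treats as executable, what the default rule is, and which path rules exist, so an administrator can verify that a CPL-based lure of the kind described would actually be stopped. It assumes the standard SRP key under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer and makes no change to it.

```powershell
# Added example (not SWH's own code): report how the machine SRP policy
# treats .cpl files. Read-only; run in an elevated PowerShell.
function Get-SrpCplStatus {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Configured = $false; Summary = 'No SRP policy present' }
    }
    $ci = Get-ItemProperty -Path $base

    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
    $levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    $defaultLevel = if ($null -eq $ci.DefaultLevel) { 'Not set' }
                    elseif ($levelNames.ContainsKey([int]$ci.DefaultLevel)) { $levelNames[[int]$ci.DefaultLevel] }
                    else { "Unknown ($($ci.DefaultLevel))" }

    # ExecutableTypes (REG_MULTI_SZ) is the designated file type list; CPL is in
    # the Windows default list, so a policy that dropped it would not cover .cpl.
    $cplCovered = (@($ci.ExecutableTypes) -contains 'CPL')

    # TransparentEnabled: 1 = all software files except libraries, 2 = DLLs too.
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    # Path rules live under <level>\Paths\{GUID}; ItemData holds the pattern.
    $rules = Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSParentPath -like '*\Paths' } |
        ForEach-Object {
            $level = ($_.PSParentPath -split '\\')[-2]
            [pscustomobject]@{
                Level = $levelNames[[int]$level]
                Path  = (Get-ItemProperty -Path $_.PSPath).ItemData
            }
        }

    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $defaultLevel
        Enforcement     = $ci.TransparentEnabled
        SkipsAdmins     = ($ci.PolicyScope -eq 1)
        CplIsExecutable = $cplCovered
        PathRules       = $rules
        Summary         = if ($defaultLevel -eq 'Disallowed' -and $cplCovered) {
                              'Opening .cpl files is blocked by SRP unless an Unrestricted path rule covers them'
                          } else {
                              '.cpl files are not blocked by the SRP default rule'
                          }
    }
}

Get-SrpCplStatus | Format-List
```

Check the PathRules list after reading the summary: an Unrestricted rule covering a user-writable folder would let a downloaded .cpl run despite a Disallowed default level.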
