New Update Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I could not turn it off:
So the * SMB Protocols * setting should be visible as Restricted SMB1. This is a usual Windows built-in restriction on Windows 10 (SMB1 not installed) which was not set by SWH. Does WD TV Play Media Player work well now? Can you see anything blocked via <Blocked Events>?
 

franz

Level 9
Verified
Well-known
May 29, 2021
433
So the * SMB Protocols * setting should be visible as Restricted SMB1. This is a usual Windows built-in restriction on Windows 10 (SMB1 not installed) which was not set by SWH. Does WD TV Play Media Player work well now? Can you see anything blocked via <Blocked Events>?
My WD TV Play Media Player cannot connect to my computer using Simple Windows Hardening.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
My WD TV Play Media Player cannot connect to my computer using Simple Windows Hardening.
Let's sum up.
  1. You are in shadow mode.
  2. Just before running SWH the WD TV Play Media Player works well.
  3. Just after running SWH the WD TV Play Media Player stops working.
  4. There are no blocked events when using <Blocked Events> button (for SRP and PowerShell).
Did you try restoring the Windows defaults via Menu >> Restore Windows Defaults?
 

franz

Level 9
Verified
Well-known
May 29, 2021
433
Let's sum up.
  1. You are in shadow mode.
  2. Just before running SWH the WD TV Play Media Player works well.
  3. Just after running SWH the WD TV Play Media Player stops working.
  4. There are no blocked events when using <Blocked Events> button (for SRP and PowerShell).
Did you try restoring the Windows defaults via Menu >> Restore Windows Defaults?
Correct.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
"Did you try restoring the Windows defaults via Menu >> Restore Windows Defaults?"
No I did not, should I?
Yes. This will remove all changes made by SWH. Try to Log off the account and log in. Next, try the WD TV Play Media Player.
 

franz

Level 9
Verified
Well-known
May 29, 2021
433
Yes. This will remove all changes made by SWH. Try to Log off the account and log in. Next, try the WD TV Play Media Player.
But when I restore with my Macrium image from earlier, it does the same. It makes no different, it works before I try SWH and after, it does not.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
But when I restore with my Macrium image from earlier, it does the same. It makes no different, it works before I try SWH and after, it does not.
If you will restore Windows defaults via SWH (Menu >> Restore Windows Defaults), then only SWH changes will be removed. When you use Macrium image then you also remove all changes made by other programs, system tasks, and updates.
 

franz

Level 9
Verified
Well-known
May 29, 2021
433
If you will restore Windows defaults via SWH (Menu >> Restore Windows Defaults), then only SWH changes will be removed. When you use Macrium image then you also remove all changes made by other programs, system tasks, and updates.
I understand what you asked of me now. I did that earlier before I installed a new image again, and funny enough, it did not work after either. Something had change that was not been reversed.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I understand what you asked of me now. I did that earlier before I installed a new image again, and funny enough, it did not work after either. Something had change that was not been reversed.
I found a difference. With SMB1 installed like on the below picture:

1659307848829.png


SWH setting * SMB Protocols * shows on my computer that SMB123 are allowed:

1659308368364.png


From your post, it follows that on your machine it is not the case and SWH shows that SMB is Restricted. Is this true?:unsure:
 

franz

Level 9
Verified
Well-known
May 29, 2021
433
I found a difference. With SMB1 installed like on the below picture:

View attachment 268285

SWH setting * SMB Protocols * shows on my computer that SMB123 are allowed:

View attachment 268286

From your post, it follows that on your machine it is not the case and SWH shows that SMB is Restricted. Is this true?:unsure:
This is my machine before end after installation of SWH. The windows features did not change, and the settings is what you see on the picture.
 

Attachments

  • 1.jpg
    1.jpg
    71.6 KB · Views: 245
  • 2.jpg
    2.jpg
    28.1 KB · Views: 234
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
This is my machine before end after installation of SWH. The windows features did not change, and the settings is what you see on the picture.

These settings are like on my machine, but they are different from the settings you have posted here:
https://malwaretips.com/threads/possible-ways-to-harden-windows.112933/post-997939

So, the previous testing was done on different Windows settings. In previous settings, SMB1 was not installed and now it is. Now, you can Restrict or Allow SMB via SWH (Settings >> * SMB Protocols *) without the alert that SMB1 is not installed. The SWH restrictions for SMB do not install/uninstall SMB.
It seems that something changed the SMB features. This can be a source of your problem.
Anyway, now the SMB1 is installed and SWH shows that SMB protocols are allowed. If you still cannot use WD TV Play Media Player, then something else is involved here.

Edit.
@upnorth, is it possible to move the posts related to SWH and WD TV Play Media Player to the SWH thread?
 
Last edited:

franz

Level 9
Verified
Well-known
May 29, 2021
433
These settings are like on my machine, but they are different from the settings you have posted here:
https://malwaretips.com/threads/possible-ways-to-harden-windows.112933/post-997939

So, the previous testing was done on different Windows settings. In previous settings, SMB1 was not installed and now it is. Now, you can Restrict or Allow SMB via SWH (Settings >> * SMB Protocols *) without the alert that SMB1 is not installed. The SWH restrictions for SMB do not install/uninstall SMB.
It seems that something changed the SMB features. This can be a source of your problem.
Anyway, now the SMB1 is installed and SWH shows that SMB protocols are allowed. If you still cannot use WD TV Play Media Player, then something else is involved here.

Edit.
@upnorth, is it possible to move the posts related to SWH and WD TV Play Media Player to the SWH thread?
"If you still cannot use WD TV Play Media Player, then something else is involved here."
It looks like it. Thank you anyway :)
 

franz

Level 9
Verified
Well-known
May 29, 2021
433
These settings are like on my machine, but they are different from the settings you have posted here:
https://malwaretips.com/threads/possible-ways-to-harden-windows.112933/post-997939

So, the previous testing was done on different Windows settings. In previous settings, SMB1 was not installed and now it is. Now, you can Restrict or Allow SMB via SWH (Settings >> * SMB Protocols *) without the alert that SMB1 is not installed. The SWH restrictions for SMB do not install/uninstall SMB.
It seems that something changed the SMB features. This can be a source of your problem.
Anyway, now the SMB1 is installed and SWH shows that SMB protocols are allowed. If you still cannot use WD TV Play Media Player, then something else is involved here.

Edit.
@upnorth, is it possible to move the posts related to SWH and WD TV Play Media Player to the SWH thread?
I installed f-secure Safe again instead of Bitdefender Total Security, and everything work fine with SWH installed.
The problem was Bitdefender.
:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
SWH vs. Magniber CPL variant
https://www.socinvestigation.com/magniber-ransomware-payload-extension-changed-detection-response/

Researchers at Asec Lab have observed the new indicators of Magniber. Since February 2022, Magniber has been using a Windows installer package file (.msi) instead of IE browser vulnerability for its distribution. The ransomware includes a valid certificate and was distributed in DLL form inside the MSI file. However, starting from July 20th (Wednesday), it is now being distributed as a CPL file extension instead of MSI.
As the cases of using an MSI file for distribution are decreasing, the attacker of Magniber likely has changed the method of distribution.
(...)
Magniber is currently being distributed in a typosquatting method that exploits typos made when entering domains, targeting Chrome and Edge users with the latest Windows version. As users may download ransomware by entering incorrect domains, extra caution is required.

The infection chain:
typosquatting --> malicious website ---> Magniber downloaded directly as CPL file or in ZIP archive ---> user opens CPL file (Magniber is executed via LOLBins: control.exe & rundll32.exe)

SWH blocks by default opening CPL files (SRP restrictions).
But, the rest will depend on the user. Magniber is often promoted as a digitally signed update/upgrade, so many users can be fooled to turn off the protection. This is probable especially when they are looking for pirated content. Anyway, the false alarms for updates/upgrades are very low with SWH settings, so many users can be also suspicious about these updates/upgrades. In such rare & unclear situations, the best solution is to wait one day (or more). In most cases, the AVs are able to correctly recognize threats after one day.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top