New Update Testing Windows Hybrid Hardening (new hardening application).

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,265
Andy, so I am going to try WHH, got the folder on the desktop, what would happen if I dragged the WHH application from the folder to the desktop and then deleted the WHH folder? Will WHH still work? Basically I'm trying to get away from having the folder on my desktop and only having the app icon there. Thanks.
 

ForgottenSeer 97327

@Andy Ful

With the extra options (extra because they look more like H_C than SWH) of SRP, how would you rate a ONE account setup with the following configuration in strength?

Use WHH as admin (SAC in ISG mode, SRP in allow admin) with allow folders in userspace removed with SRP blocking EXE, MSI and TMP also (still right click run by smartscreen when necessary)

I know the two accounts set is by far the strongest, just asking for lazy admins

Thanks (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
> Andy, so I am going to try WHH, got the folder on the desktop, what would happen if I dragged the WHH application from the folder to the desktop and then deleted the WHH folder? Will WHH still work? Basically I'm trying to get away from having the folder on my desktop and only having the app icon there. Thanks.

There is no WHH folder on the Desktop (and there never has been). The posts made by NormanF in this thread and in the Wilders Security thread are incorrect.
The "icon" on the Desktop is a shortcut. If you click on it then the real folder "C:\ProgramData\WindowsHybridHardening_Tools" is opened in Explorer. If you remove the "icon", only the shortcut will be deleted, and not the real folder in %ProgramData%.

I am not sure why you would want to keep the WHH Light executable on the Desktop instead of a shortcut.
Anyway, if you drag the WHH application from the default folder to the desktop, then the file will be moved from the WHH folder to the Desktop, and allowed by WDAC.
But, do not copy the file. Microsoft made ISG in a way that the copy does not inherit the positive reputation (only moving the file does).
 
Last edited:
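
Andy Ful's point that a moved file keeps its ISG reputation while a copy does not can be checked on disk. The following is an added example, not code from the thread or from WHHLight: it assumes the extended attribute name "$KERNEL.SMARTLOCKER.ORIGINCLAIM" that Microsoft documents for WDAC with ISG, and the two file paths are placeholders.

```powershell
# Added example, not part of WHHLight. Lists, for each file, its SHA-256 and
# whether it carries the kernel extended attribute (EA) in which WDAC records
# an ISG or managed-installer origin claim.
$OriginClaimEa = '$KERNEL.SMARTLOCKER.ORIGINCLAIM'   # name per Microsoft's WDAC docs

function Get-OriginClaimStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "Not a file: $p"
                continue
            }
            $full = (Resolve-Path -LiteralPath $p).ProviderPath
            # fsutil prints every EA on the file; stderr is merged so that an
            # error message is not mistaken for an empty EA list.
            $out  = (& fsutil.exe file queryEA $full 2>&1 | Out-String)
            $code = $LASTEXITCODE
            [pscustomobject]@{
                Path           = $full
                Sha256         = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
                HasOriginClaim = $out.IndexOf($OriginClaimEa, [StringComparison]::OrdinalIgnoreCase) -ge 0
                FsutilExitCode = $code   # non-zero: treat HasOriginClaim as unknown
            }
        }
    }
}

# Placeholder paths: a downloaded installer and a copy of it made with Copy-Item.
Get-OriginClaimStatus -Path 'C:\Temp\installer.exe', 'C:\Temp\installer-copy.exe' |
    Format-List
```

Identical SHA-256 values with different HasOriginClaim results mean the mark lives on the file object, not in its content. The output shows only whether the attribute is present, not what WDAC will decide.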

ForgottenSeer 97327

@Mods (at the moment mod on duty @upnorth )

Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?

With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)

Thanks
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
> @Mods (at the moment mod on duty @upnorth )
>
> Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?
>
> With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)
>
> Thanks

Please send a report request on this as I have to prioritise what I'm doing at the moment and also can never be sure how long I will be online. But a basic hint/tip, it's normally the thread's OP that should request in first hand what you suggest. Send @Andy Ful a PM and ask him first if you haven't already, would be my best advice right here and now.
 

Andy Ful

> @Andy Ful
>
> With the extra options (extra because they look more like H_C than SWH) of SRP, how would you rate a ONE account setup with the following configuration in strength?
>
> Use WHH as admin (SAC in ISG mode, SRP in allow admin) with allow folders in userspace removed with SRP blocking EXE, MSI and TMP also (still right click run by smartscreen when necessary)
>
> I know the two accounts set is by far the strongest, just asking for lazy admins
>
> Thanks (y)

Looks very strong.
 

Andy Ful

> @Mods (at the moment mod on duty @upnorth )
>
> Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?
>
> With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)
>
> Thanks

In a few months, I will open a similar thread. I did not do it for now, because the beta phase is not finished. :)(y)
I also updated the content of the opening post in this thread (with links to those videos).
 

ForgottenSeer 97327

> In a few months, I will open a similar thread. I did not do it for now, because the beta phase is not finished. :)(y)
> I also updated the content of the opening post in this thread (with links to those videos).

When it will take a few months, would it be possible to sign the WHH-light already? (works great on my wife's laptop, but I like to block unsigned elevation also)
 

Andy Ful

Non-problematic use of WHHLight:
  1. Use default-Admin account.
  2. Keep default folders on the Whitelist.
  3. Use "Run By SmartScreen" if the standalone installer is blocked by ISG (usually when the file is on the flash drive, and sometimes for MSI installers).
  4. Do not ignore SmartScreen alerts. On the computers of children, use < SmartScreen Block > = ON.
  5. Keep the WHH_Tools shortcut on the Desktop or remember that WHHLight can be run from "C:\ProgramData\WindowsHybridHardening_Tools".
    WHHLight can be executed from any location (also from the flash drive) via "Run By SmartScreen".
Edit.
In case the user deletes the WHHLight executable, the WHHLight_package can be downloaded from the Internet via the web browser - it can be executed in any WHHLight settings (even the Super_Safe setup on SUA). Simply, ISG will get a reputation from SmartScreen, and the package has a good SmartScreen reputation. :)
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
571
@Andy Ful

Thank you for providing this Windows hardening tool. I've set it up on Windows 11, version: 21H2 with all options "On" in WHHL and Firewall hardening LolBins, MS Office and Recommended H_C rules applied. So far no issues, seems to be working fine.

For fun I tried launching two different, digitally signed and confirmed safe executables from my Downloads folder from my Standard account. Both were blocked as expected, although in different ways:

[Screenshots: Application Control Block.png, Device Guard.png]

Application Control and Device Guard. Both of these blocked events were logged in the WDAC-> EXE/DLL logs

Because I also use NVT OSArmor, in the process of installing it and setting it up, I created the following Exclusions so nothing will be blocked:

Code:
[%PROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PROCESSCMDLINE%: "C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Medium]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WHHLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*.tmp\*.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Local\Temp\*.tmp\*=C:\WINDOWS\Hard_ConfiguratorTemp\] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Windows\System32\taskkill.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\taskkill.exe /f /im WindowsHybridHardening*.exe] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: *]

[%PROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\FirewallHardening*.exe] [%PROCESSCMDLINE%: "C:\ProgramData\WindowsHybridHardening_Tools\FirewallHardening*.exe"] [%SIGNER%: Open Source Developer, Andrzej Pluta] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Medium]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WHHLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Unknown]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*.tmp\*_*.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Local\Temp\*.tmp\*.exe"  *C:\WINDOWS\Hard_ConfiguratorTemp\] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLightUnins*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Unknown]

These rules should work for anyone else who uses OSArmor, because I've incorporated some wildcard usage in the rules.
 
Last edited:
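
Exclusions like the ones wat0114 posted are worth reviewing for how much they allow. The following is an added example, not OSArmor tooling or code from the thread: it parses the [%FIELD%: value] layout shown in the post and flags broad conditions. The two sample lines are copied from the post, and the flagging heuristics are this example's own assumptions.

```powershell
# Added example, not OSArmor's own tooling. Field names and the two sample
# lines come from the post; the findings are heuristics chosen for this example.
$sample = @'
[%PROCESS%: C:\Users\*\AppData\Local\Temp\*.tmp\*.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Local\Temp\*.tmp\*=C:\WINDOWS\Hard_ConfiguratorTemp\] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]
[%PROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\FirewallHardening*.exe] [%PROCESSCMDLINE%: "C:\ProgramData\WindowsHybridHardening_Tools\FirewallHardening*.exe"] [%SIGNER%: Open Source Developer, Andrzej Pluta] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Medium]
'@

function ConvertFrom-ExclusionLine {
    param([Parameter(Mandatory)][string]$Line)
    # Each field looks like [%NAME%: value]; a value ends at the "]" that is
    # followed by the next "[%" or by the end of the line.
    $pattern = '\[%(?<k>[A-Z]+)%:\s*(?<v>.*?)\](?=\s*\[%|\s*$)'
    $fields = @{}
    foreach ($m in [regex]::Matches($Line, $pattern)) {
        $fields[$m.Groups['k'].Value] = $m.Groups['v'].Value.Trim()
    }
    $fields
}

function Get-ExclusionFinding {
    param([Parameter(Mandatory)][string]$Line)
    $f = ConvertFrom-ExclusionLine -Line $Line
    $proc = [string]$f['PROCESS']
    $findings = @()
    if ($f['SIGNER'] -eq '<NULL>')       { $findings += 'unsigned process allowed' }
    if ($proc -like 'C:\Users\*')        { $findings += 'process path under a user profile' }
    if ($proc.Contains('*'))             { $findings += 'wildcard in process path' }
    if ($f['PARENTSIGNER'] -eq '<NULL>') { $findings += 'unsigned parent allowed' }
    if ($f['PARENTINTEGRITY'] -eq '*')   { $findings += 'any parent integrity level' }
    [pscustomobject]@{ Process = $proc; Findings = $findings -join '; ' }
}

# One finding object per non-empty rule line.
$sample -split "`r?`n" | Where-Object { $_.Trim() } |
    ForEach-Object { Get-ExclusionFinding -Line $_ } | Format-List
```

The first sample rule collects four findings and the signed FirewallHardening rule only the wildcard one, which gives a quick ordering for manual review.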

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,178
Just playing around with the new WHHLight ver. 1.0.0.4
WDAC enabled ON. I no longer see blocks for some legit applications that were blocked with the previous version WHH_Light 1.00.4 (Whitelisted folders are the same)
@Andy Ful My question: what is the difference compared to when WDAC is off? Guess it's a misunderstanding from me 🤔
 

wat0114

> @Watt
>
> When you run WHH-light with all on. Why are you running OS-Armor also?
>
> Just curious, not judging (security is an emotion, so everyone has his own preference)
>
> Regards Max

Yes, I realize I don't need to run OSA with WHHL with all or even partially On. I wanted to create the necessary OSA rules for those who might want to run OSA paired with WHHL. I've hardly used Windows at all in the last 6 months, using primarily Linux, so of course if I ever do go back to Windows I would reassess my security setup. Because I view Windows security mostly as a kind of hobby and for fun, I'm apt to try all kinds of security setups, even if they are overkill. Andy's latest tool, WHHL, is one I've been keen on trying for some time now.
 
