New Update Testing Windows Hybrid Hardening (new hardening application).

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,288
Andy, so I am going to try WHH, got the folder on the desktop, what would happen if I dragged the WHH application from the folder to the desktop and then deleted the WHH folder? Will WHH still work? Basically I'm trying to get away from having the folder on my desktop and only having the app icon there.Thanks.
 
F

ForgottenSeer 97327

@Andy Ful

With the extra options (extra because they look more like H_C than SWH) of SRP, how would you rate a ONE account setup with the following configuration in strenght?

Use WHH as admin (SAC in ISG mode, SRP in allow admin) with allow folders in userspace removed with SRP blocking EXE, MSI and TMP also (still right click run by smartscreen when nessecary)

I know the two accounts set is by far the strongest, just asking for lazy admins

Thanks (y)
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,226
Andy, so I am going to try WHH, got the folder on the desktop, what would happen if I dragged the WHH application from the folder to the desktop and then deleted the WHH folder? Will WHH still work? Basically I'm trying to get away from having the folder on my desktop and only having the app icon there.Thanks.
There is no WHH folder on the Desktop (and never been). The posts made by NormanF in this thread and on Wilders Security thread are incorrect.
The "icon" on the Desktop is a shortcut. If you click on it then the real folder "C:\ProgramData\WindowsHybridHardening_Tools" is opened in Explorer. If you remove the "icon", only the shortcut will be deleted, and not the real folder in %ProgramData%.

I am not sure why you would want to keep the WHH Light executable on the Desktop instead of a shortcut.
Anyway, If you drag the WHH application from the default folder to the desktop, then the file will be moved from the WHH folder to the Desktop, and allowed by WDAC.
But, do not copy the file. Microsoft made ISG in a way that the copy does not inherit the positive reputation (only moving the file does).
 
Last edited:
F

ForgottenSeer 97327

@Mods (at the moment mod on duty @upnorth )

Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?

With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)

Thanks
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
@Mods (at the moment mod on duty @upnorth )

Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?

With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)

Thanks
Please send a report request on this as I have to prioritise what I'm doing at the moment and also can never be sure how long I will be online. But a basic hint/tip, it's normally the threads OP that should request in first hand what you suggest. Send @Andy Ful a PM and ask him first if you haven't already, would be my best advice right here and now.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,226
@Andy Ful

With the extra options (extra because they look more like H_C than SWH) of SRP, how would you rate a ONE account setup with the following configuration in strenght?

Use WHH as admin (SAC in ISG mode, SRP in allow admin) with allow folders in userspace removed with SRP blocking EXE, MSI and TMP also (still right click run by smartscreen when nessecary)

I know the two accounts set is by far the strongest, just asking for lazy admins

Thanks (y)
Looks very strong.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,226
@Mods (at the moment mod on duty @upnorth )

Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?

With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)

Thanks

In a few months, I will open a similar thread. I did not do it for now, because the beta phase is not finished. :)(y)
I also updated the content of the opening post in this thread (with links to those videos).
 
Last edited:
F

ForgottenSeer 97327

In a few months, I will open a similar thread. I did not do it for now, because the beta phase is not finished. :)(y)
I also updated the content of the opening post in this thread (with links to those videos).
When it will take a few months, would it be possible to sign the WHH-light already? (works great on my wife's laptop, but I like to block unsigned elevation also)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,226
Non-problematic use of WHHLight:
  1. Use default-Admin account.
  2. Keep default folders on the Whitelist.
  3. Use "Run By SmartScreen" if the standalone installer is blocked by ISG (usually when the file is on the flash drive, and sometimes for MSI installers).
  4. Do not ignore SmartScreen alerts. On the computers of children, use < SmartScreen Block > = ON.
  5. Keep the WHH_Tools shortcut on the Desktop or remember that WHHLight can be run from "C:\ProgramData\WindowsHybridHardening_Tools".
    WHHLight can be executed from any location (also from the flash drive) via "Run By SmartScreen".
Edit.
In case the user deletes the WHHLight executable, the WHHLight_package can be downloaded from the Internet via the web browser - it can be executed in any WHHLight settings (even the Super_Safe setup on SUA). Simply, ISG will get a reputation from SmartScreen, and the package has a good SmartScreen reputation. :)
 
Last edited:

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
568
@Andy Ful

thank you for providing this Windows hardening tool. I've set it up on Windows 11, version: 21H2 with all options "On" in WHHL and Firewall hardening LolBins, MS Office and Recommended H_C rules applied. So far no issues, seems to be working fine.

For fun I tried launching two different, digitally signed and confirmed safe executables from my Downloads folder from my Standard account. Both were blocked as expected, although in different ways:

Application Control Block.png
Device Guard.png

Application Control and Device Guard. Both of these blocked events were logged in the WDAC-> EXE/DLL logs

Because I also use NVT OSArmor, in the process of installing it and setting it up, I created the following Exclusions so nothing will be blocked:

Code:
[%PROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PROCESSCMDLINE%: "C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Medium]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WHHLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*.tmp\*.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Local\Temp\*.tmp\*=C:\WINDOWS\Hard_ConfiguratorTemp\] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Windows\System32\taskkill.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\taskkill.exe /f /im WindowsHybridHardening*.exe] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: *]

[%PROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\FirewallHardening*.exe] [%PROCESSCMDLINE%: "C:\ProgramData\WindowsHybridHardening_Tools\FirewallHardening*.exe"] [%SIGNER%: Open Source Developer, Andrzej Pluta] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Medium]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WHHLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Unknown]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*.tmp\*_*.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Local\Temp\*.tmp\*.exe"  *C:\WINDOWS\Hard_ConfiguratorTemp\] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLightUnins*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Unknown]

These rules should work for anyone else who uses OSArmor, because I've incorporated some wildcard usage in the rules.
 
Last edited:

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,426
Just playing around with the new WHHLight ver. 1.0.0.4
WDAC enabled ON. I see no longer blocks for some legit applications what are blocked with the previous version WWH_Light 1.00.4 (Whitelisted folders are the same)
@Andy Ful My question what is the difference compared to when WDAC off ? Guess it's misunderstanding from me 🤔
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
568
@Watt

When you run WHH-light with all on. Why are you running OS-Armor also?

Just curious, not judging (security is an emotion, so everyone has his own preference)

Regards Max
Yes, I realize I don't need to run OSA with WHHL with all or even partially On. I wanted to create the necessary OSA rules for those who might want to run OSA paired with WHHL. I've hardly used Windows at all in the last 6 months, using primarily Linux, so of course if I ever do go back to Windows I would reassess my security setup. Because I view Windows security mostly as a kind of hobby and for fun, I'm apt to try all kinds of security setups, even if they are overkill. Andy's latest tool, WHHL, is one I've been keen on trying for some time now.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top