New Update Testing Windows Hybrid Hardening (new hardening application).

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Some conclusions about WHHLight with Smart App Control.

Surprisingly, SAC in Evaluate mode can impact the behavior of WDAC policies used in WHHLight. Without WHHLight, SAC in Evaluate mode does not block anything but asks the Microsoft Cloud about the file reputation, and writes it into the Event Log. It looks like the external (non-SAC) policies that use the ISG option can use that information, just like in the case of SmartScreen.
One of the differences between SAC and SmartScreen is that SAC allows digitally signed files with unknown reputations, and SmartScreen mostly blocks such files.
 
Last edited:
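
To check on your own machine what the post above describes, the following read-only PowerShell sketch (an added example, not part of WHHLight or of any post in this thread) prints the SAC state and summarises recent Code Integrity events, including the ISG ones. It assumes the SAC state is stored in the `VerifiedAndReputablePolicyState` registry value and that the events carry `PolicyName` and `File Name` data fields.

```powershell
# Added example (not part of WHHLight). Read-only; run in an elevated PowerShell.
# Assumption: SAC state is stored in this value: 0 = Off, 1 = On, 2 = Evaluation.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$names = @{ 0 = 'Off'; 1 = 'On (enforced)'; 2 = 'Evaluation' }
$prop  = Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    'SAC state: value not present on this system'
} else {
    $state = [int]$prop.VerifiedAndReputablePolicyState
    "SAC state: $state ($($names[$state]))"
}

# Code Integrity event IDs relevant to WDAC policies and the ISG option.
$meaning = @{
    3076 = 'audit: file would have been blocked'
    3077 = 'enforced: file blocked'
    3090 = 'allowed on ISG or managed installer reputation'
    3091 = 'audit: no ISG or managed installer authorization'
    3092 = 'enforced: no ISG or managed installer authorization'
}
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077, 3090, 3091, 3092
    StartTime = (Get-Date).AddDays(-7)
}
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <EventData><Data Name="..."> into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $meaning[[int]$_.Id]
            Policy  = $data['PolicyName']   # assumed field name
            File    = $data['File Name']    # assumed field name
        }
    }

# Which policy produced which kind of decision, then the latest events.
$rows | Group-Object Policy, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table Time, Id, Meaning, Policy, File -AutoSize
```

Comparing the output with SAC in Evaluate mode and with SAC off shows whether the 3090 to 3092 events attributed to the WHHLight policy change with the SAC setting.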

Reldel1

So, at this point a user of WHH is better protected turning off active SAC achieved from a clean install of Windows 11 and then applying WDAC and SmartScreen protection of WHH?
 

Andy Ful


It is hard to say if there is any significant difference in the protection of WHHLight + SAC ON compared to WHHLight (default Whitelist) + SAC OFF. The first is not as preventive as the second but will stop most attacks at the later infection stage. If you like to seek any advantage, then the setup with SAC OFF can be more usable for some users due to whitelisting. However, the SAC ON setup can be more usable for people who install digitally signed applications.
Anyway, WHHLight in Super_Safe or Two_Accounts setup can be stronger at home (at the cost of some usability).
 

skiper

When < SWH > and < WDAC > switches are ON, the restrictions are similar to the H_C Windows_10_Recommended_Enhanced settings, but additionally, the DLLs are blocked.
When the %ProgramData%, %LocalAppData%, and user AppData folders are removed from the WDAC Whitelist, the restrictions are similar to the H_C Windows_10_Strict_Recommended_Enhanced settings, but additionally, the DLLs are blocked.

I see that WHHLight set this way offers better protection than H_C Windows_10_Strict_Recommended_Enhanced. I tried H_C Windows_10_Strict_Recommended_Enhanced and had no additional problems compared to H_C Recommended Settings.

So I thought I'd try something even better. If it behaves much like H_C Windows_10_Strict_Recommended_Enhanced it may be a solution.
I have some questions.

1. In order to activate SUPER_SAFE SETUP do I have to clear the whole WDAC Whitelist?

2. With such a configuration will the operating system (windows/edge updates) continue to be automatic? Will the manual update be only for Third-party apps? To know in advance what I'm getting into. :)

3. I will use it on my admin account with CD MAX, is FirewallHardening LOLBins and Documents_AntiExploit still necessary?

4. Is SUPER_SAFE SETUP like a default-deny from H_C?

Congratulations for the application! I like that it is very compact, and you can adjust the protection level very easily from the WDAC Whitelist. In H_C I was lucky with the profiles, otherwise when I saw so many options I was sweating. :)
 

Andy Ful

1. In order to activate SUPER_SAFE SETUP do I have to clear the whole WDAC Whitelist?

Yes.

2. With such a configuration will the operating system (windows/edge updates) continue to be automatic? Will the manual update be only for Third-party apps? To know in advance what I'm getting into. :)

Yes.
Very popular 3rd party applications can often auto-update, too.

3. I will use it on my admin account with CD MAX, is FirewallHardening LOLBins and Documents_AntiExploit still necessary?

FirewallHardening and DocumentsAntiExploit are not necessary, but your system will be cleaner with them. The SUPER_SAFE setup will mitigate some malware at the later infection stage.

4. Is SUPER_SAFE SETUP like a default-deny from H_C?

Yes, it is similar to the settings profile H_C Windows_10_Strict_Recommended_Enhanced.
 

South Park

Thanks, Andy, for your work on these projects. I'm currently testing WHH 1011 with default settings (SWH only) on my old W10 laptop. I'm also using C_D on Interactive and Firewall Hardening with default rules. So far, so good.

I use many portable apps, most (but not all) of which are signed. My question to whoever is using WHHL: Would activating WDAC likely create more FP's than benefits for someone like me? I'm careful about running new programs and am willing to accept the modest number of FP's I already get from WD. Thanks in advance.
 

Gandalf_The_Grey

From the help included with WHH:
[Attached screenshot of the WHH help text]

See points 4 and 5.
I have added my folder with portable applications to the whitelist and have no issues.
 
