New Update Testing Windows Hybrid Hardening (new hardening application).

Gandalf_The_Grey · Aug 12, 2023

WHH looks interesting, as the new simple windows hardening is getting more complicated, WHH will be really simple windows hardening

Now we had SWH as easy option and HC as a powerusers option.
How do you see WHH?

Andy Ful · Aug 12, 2023

What about help messages from the OP. Do they need some important corrections?

Gandalf_The_Grey · Aug 12, 2023

At first glance they look okay.
I will read them again later tonight and let you know if I can find something.

Gandalf_The_Grey · Aug 12, 2023

Looked at the helpfiles more thoroughly and they (still) look okay to me

Andy Ful · Aug 12, 2023

Gandalf_The_Grey said:
Looked at the helpfiles more thoroughly and they (still) look okay to me

Thanks.

Andy Ful · Aug 13, 2023

When we looked at the application's features, we have:

SWH (old) < WHH < SWH (new)

This can be somewhat misguiding. It would be better to rename the applications:

SWH < WHH_light < WHH

The WHH from this thread will be renamed to WHH light version. So, SWH will be discontinued as a separate application and will survive as part of WHH_light and WHH.
The default configuration of WHH_light will be similar to the SWH settings (the SWH switch = ON, WDAC switch = OFF).

oldschool · Aug 13, 2023

Andy Ful said:
SWH will be discontinued as a separate application and will survive as part of WHH_light and WHH.

I'll miss the stand-alone version but understand lightening the workload.

Andy Ful · Aug 16, 2023

WindowsHybridHardening Light ver. 1.0.0.0.:

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/WHHLight_Package_1000.exe

This is the first version, so it is recommendable to run the application on the Virtual Machine.

Problems can arise from the AVs, which can tamper with WHH Light. For example, before submitting false positives, Microsoft Defender detected WHH as the malware (3 different behavior-based detections). After my submission, the detections were removed, but the application was still blocked by ASR rules.
Currently (after some negotiations with Microsoft) the application is accepted by:

SmartScreen and PUA protection (in Edge and Defender),
Smart App Control,
ASR rules (except a single rule related to running from USB).

Gandalf_The_Grey · Aug 17, 2023

The WHHLight_Package_1000.exe was quarantined by F-Secure.
After reporting it to F-Secure, it got an safe verdict and was advised to restore it from quarantine.
Running it now with SWH and WDAC enabled.
Got 2 WDAC EXE/DLL blocks:

Event[9]:
Event Id = 3077
Local Time: 2023/08/17 09:06:31
Attempted Path = \Device\HarddiskVolume3\Users\Gandalf\Downloads\Software\PatchMyPC\PatchMyPC.exe
Parent Process = \Device\HarddiskVolume3\Windows\explorer.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}

This one is solved by adding the folder Users\Gandalf\Downloads\Software to the Whitelist.

Event[0]:
Event Id = 3077
Local Time: 2023/08/17 09:36:39
Attempted Path = \Device\HarddiskVolume3\Windows\System32\wbem\WMIC.exe
Parent Process = \Device\HarddiskVolume3\Program Files\WindowsApps\38002AlexanderFrangos.TwinkleTray_1.15.4.0_x64__m7qx9dzpwqaze\app\Twinkle Tray.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}

I don't know how to solve this one.
The program TwinkleTray uses WMIC.exe to control the brightness of my external monitor.
Any ideas?

silversurfer · Aug 17, 2023

Testing here too on Windows 11 (SAC disabled by MS, no ASR rules...)
WindowsHybridHardening Light: SWH and WDAC enabled, no issues via manually whitelisting EXCEPT one block related to Windows-Firewall-Control (Binisoft/Malwarebytes). wfc.exe is still blocked, when trying to execute via "Run by Smart Screen" shows the following message:

WDAC blocked events for EXE and DLL files

Event[0]:
Event Id = 3077
Local Time: 2023/08/17 10:27:47
Attempted Path = \Device\HarddiskVolume3\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe
Parent Process = \Device\HarddiskVolume3\Windows\explorer.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}

Andy Ful · Aug 17, 2023

silversurfer said:
Testing here too on Windows 11 (SAC disabled by MS, no ASR rules...)
WindowsHybridHardening Light: SWH and WDAC enabled, no issues via manually whitelisting EXCEPT one block related to Windows-Firewall-Control (Binisoft/Malwarebytes). wfc.exe is still blocked, when trying to execute via "Run by Smart Screen" shows the following message:

View attachment 277906

Was the file a shortcut? This alert comes up when one tries to run the shortcut to the application via RunBySmartscreen, and the shortcut uses CMDLines.
In this case, running the application via RunBySmartscreen will not help because the target application is blocked anyway in %ProgramFiles%.

WDAC blocked events for EXE and DLL files

Event[0]:
Event Id = 3077
Local Time: 2023/08/17 10:27:47
Attempted Path = \Device\HarddiskVolume3\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe
Parent Process = \Device\HarddiskVolume3\Windows\explorer.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}

Did you remove the folder "c:\Program Files" from the WDAC Whitelist? In default WDAC settings, the %ProgramFiles% folder is whitelisted, so this block should not happen. WDAC recognized the location "c:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe" as writable (unsafe) and blocked execution.
You must whitelist the folder:
c:\Program Files\Malwarebytes\Windows Firewall Control

Andy Ful · Aug 17, 2023

Gandalf_The_Grey said:
Event[0]:
Event Id = 3077
Local Time: 2023/08/17 09:36:39
Attempted Path = \Device\HarddiskVolume3\Windows\System32\wbem\WMIC.exe
Parent Process = \Device\HarddiskVolume3\Program Files\WindowsApps\38002AlexanderFrangos.TwinkleTray_1.15.4.0_x64__m7qx9dzpwqaze\app\Twinkle Tray.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}

I don't know how to solve this one.
The program TwinkleTray uses WMIC.exe to control the brightness of my external monitor.
Any ideas?

The LOLBin WMIC.exe was commonly used in attacks and can be used to bypass WDAC. Microsoft added it to the LOLBin BlockList. The LOLBins from the BlockList cannot be whitelisted. In your case, there is no problem because you do not need WDAC protection. If the computer would be used by an inexperienced person, then I would suggest changing TwinkleTray to another application that works with blocked WMIC.

Gandalf_The_Grey · Aug 17, 2023

For the sake of testing I replaced Twinkel Tray with LG's own OnScreen Control.
And for better security because that program is not using WMIC.exe

Gandalf_The_Grey · Aug 17, 2023

Would it be possible to add Run By SmartScreen in the simple right click menu of Windows 11 and not under more options?

Andy Ful · Aug 17, 2023

Gandalf_The_Grey said:
Would it be possible to add Run By SmartScreen in the simple right click menu of Windows 11 and not under more options?

I do not know. I will think about it.

silversurfer · Aug 17, 2023

Andy Ful said:
Was the file a shortcut? This alert comes up when one tries to run the shortcut to the application via RunBySmartscreen, and the shortcut uses CMDLines.
In this case, running the application via RunBySmartscreen will not help because the target application is blocked anyway in %ProgramFiles%.

Yes this block was from the shortcut of WFC. I tried just for testing purposes what WDAC alert will be displayed

Andy Ful said:
Did you remove the folder "c:\Program Files" from the WDAC Whitelist? In default WDAC settings, the %ProgramFiles% folder is whitelisted, so this block should not happen. WDAC recognized the location "c:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe" as writable (unsafe) and blocked execution.
You must whitelist the folder:
c:\Program Files\Malwarebytes\Windows Firewall Control

My changed whitelist has both locations of Program Files and ProgramData. But the block does happen even when executed wfc.exe from location Program Files, 2nd screenshot shows the block with information...

silversurfer · Aug 17, 2023

What might be an issue, I have installed the new pre-release Windows Firewall Control 6.9.3.0 The developer may changed something in the software what WDAC does block

Windows Firewall Control (WFC) by BiniSoft.org

You have a software that keeps insisting to be allowed. WFC can't prevent the creation of the rule, but it can disable/delete such unwanted rules when...

www.wilderssecurity.com

Andy Ful · Aug 17, 2023

silversurfer said:
...
My changed whitelist has both locations of Program Files and ProgramData. But the block does happen even when executed wfc.exe from location Program Files, ...

Yes. The issue is due to the Deny rule on the Microsoft BlockList:
<Deny ID="ID_DENY_WFC_0" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />

This rule blocks all executables named wfc.exe executed from any location. I will think if it is possible to improve the BlockList by adding also Microsoft as a publisher.

eonline · Aug 17, 2023

I got this errors.

Andy Ful · Aug 17, 2023

eonline said:
View attachment 277924
View attachment 277925 View attachment 277926

I got this errors.

Something tampers with WHH. What AV do you use?

New Update Testing Windows Hybrid Hardening (new hardening application).

Level 76

From Hard_Configurator Tools

Level 76

Level 76

From Hard_Configurator Tools

From Hard_Configurator Tools

Level 82

From Hard_Configurator Tools

Level 76

Level 85

From Hard_Configurator Tools

From Hard_Configurator Tools

Level 76

Level 76

From Hard_Configurator Tools

Level 85

Level 85

From Hard_Configurator Tools

Level 21

From Hard_Configurator Tools

Similar threads