New Update Testing Windows Hybrid Hardening (new hardening application).

vtqhtr413

vtqhtr413

Level 26
Well-known
Aug 17, 2017
1,508
I also received an error, WD at default and NeuShield data sentinel.
Screenshot 2023-08-17 114603.png
I just did a clean install, Win 11 home and SAC is still in evaluation mode, I received this message.
Screenshot 2023-08-17 114831.png
 
  • Like
Reactions: Nevi, plat, simmerskool and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,176
BryanB said:
I also received an error, WD at default and NeuShield data sentinel.
View attachment 277927
I just did a clean install, Win 11 home and SAC is still in evaluation mode, I received this message.
View attachment 277929
Click to expand...
These are normal WHH warnings. WHH found and corrected the PolicyScope SRP setting to fit WHH restrictions.
The second alert simply informs that SAC is not OFF. In such a case WHH enables only the SWH protection (WDAC is disabled in WHH) just like in the case when SAC is ON. Enabled SAC overrides the WDAC in WHH. When the SAC will turn OFF, just run the WHH again.
 
  • Like
  • Thanks
Reactions: Nevi, plat, vtqhtr413 and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,176
Digmor Crusher said:
Took her for a quick test drive, no issues, other security software is F Secure and Firewall Hardening. I had to whitelist a folder I keep all my portable programs/tools in.

What happens if we move folder from desktop to another location.
Click to expand...
If the location will be in UserSpace, then you will have to whitelist the new location.
 
  • Like
  • Thanks
Reactions: Nevi, simmerskool, wat0114 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,176
plat said:
There is still a security warning when attempting to run the exe from Firefox. Also, Sandboxie does not make this eligible for Immediate Recovery, only Quick Recovery when Firefox is closed. I guess Andy Ful will get this signed by Microsoft once he's finished fully developing this program and its Help Files.
:thumb:
Click to expand...
I noticed your post on Wilderssecurity.

1692301314529.png


Such an alert is usually triggered when SmartScreen is disabled in the Security Center. It is a precursor of SmartScreen (also on Windows 7).
Normally, Firefox (unsandboxed) does not show this alert. I did not try Firefox in Sandboxie, so the cause of this alert can be also Sandboxie settings.

For now, WHH is not signed. I will sign it after some months. I must be sure that suddenly my digital certificate will not be connected with a false positive HackTool.:)
 
  • Like
  • +Reputation
  • Hundred Points
Reactions: Nevi, simmerskool, wat0114 and 4 others
N

NormanF

Level 8
Verified
Jan 11, 2018
356
Andy Ful said:
Windows Hybrid Hardening.

View attachment 277761

Menu options:

View attachment 277762

View attachment 277763

View attachment 277764

SRP and Windows Policies settings:

View attachment 277765

View attachment 277766

View attachment 277767

SmartScreen Block:

View attachment 277768

View attachment 277769

WDAC restrictions (Windows built-in Application Control):

View attachment 277770


View attachment 277771

View attachment 277772
Click to expand...

Don't like the folder placed on the desktop; fix the installer so its placed in the same place to which its downloaded. Default behaviour prevents people from having a clean desktop.
 
  • Like
Reactions: vtqhtr413
N

NormanF

Level 8
Verified
Jan 11, 2018
356
Andy Ful said:
Windows Hybrid Hardening.

View attachment 277761

Menu options:

View attachment 277762

View attachment 277763

View attachment 277764

SRP and Windows Policies settings:

View attachment 277765

View attachment 277766

View attachment 277767

SmartScreen Block:

View attachment 277768

View attachment 277769

WDAC restrictions (Windows built-in Application Control):

View attachment 277770


View attachment 277771

View attachment 277772
Click to expand...

Administrators should NEVER be blocked! The whole point of being Administrator is to modify system settings. Its better to block limited accounts to prevent tampering or dangerous changes from being made.
 
  • Like
Reactions: Nevi and vtqhtr413
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,176
NormanF said:
Don't like the folder placed on the desktop; fix the installer so its placed in the same place to which its downloaded. Default behaviour prevents people from having a clean desktop.
Click to expand...
There is no folder on the Desktop - it is a shortcut to the folder. The installer is a container for a few portable tools. In the help, I explained why the tools are placed in that particular folder in %ProgramData%.:

1692341036999.png
 
  • Like
  • +Reputation
Reactions: Nevi, vtqhtr413, Freki123 and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,176
NormanF said:
Administrators should NEVER be blocked! The whole point of being Administrator is to modify system settings.
Click to expand...

Home Administrators are not blocked. They can run WHH and switch OFF the protection (without restarting Windows).
Furthermore, most Administrative tasks can be done without switching OFF the protection, because Windows & Microsoft native tools are allowed (except blocked LOLBins).

NormanF said:
Its better to block limited accounts to prevent tampering or dangerous changes from being made.
Click to expand...

It would be better for many reasons, and it is still possible if someone uses SUA.

I think that there is some misunderstanding about WHH.
  1. WHH is not for Enterprise Administrators but for Home Administrators. The first mostly uses remote management and the second mostly uses physical access.
  2. The WHH restrictions are intended to work also on the computers of users who do not want to use SUA.
  3. The WDAC restrictions cannot be configured to allow Administrators and block others (with some exceptions related to ACL permissions). This can be done when using SRP or AppLocker.
Post edited.
 
Last edited:
  • Like
  • Applause
Reactions: Nevi, vtqhtr413, Freki123 and 1 other person
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,632
I see a block in WDAC blocked events for EXE and DLL files:
Event[0]:
Event Id = 3077
Local Time: 2023/08/17 17:40:28
Attempted Path = \Device\HarddiskVolume3\Windows\System32\WebClnt.dll
Parent Process = \Device\HarddiskVolume3\Windows\System32\svchost.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}
Click to expand...
No idea why.
Everything seems to be working fine.
 
  • Like
Reactions: Nevi, vtqhtr413 and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,176
Gandalf_The_Grey said:
I see a block in WDAC blocked events for EXE and DLL files:

No idea why.
Everything seems to be working fine.
Click to expand...

Microsoft added it to the BlockList:

<Deny ID="ID_DENY_DAVSVC_0" FriendlyName="BlockWebDAV" FileName="davsvc.dll" MinimumFileVersion="65535.65535.65535.65535" />


1692343749927.png


In your case, the Web Dav protocol is probably triggered when using MS Office. It allows access to the network drives if the server uses Web Dav for this. It is improbable that this could impact your activities, but if you will encounter problems with accessing some network resources, then you should inspect if Web Dav is the source of the issue.
 
  • Like
  • +Reputation
  • Applause
Reactions: Nevi, simmerskool, ForgottenSeer 97327 and 3 others
N

NormanF

Level 8
Verified
Jan 11, 2018
356
Andy Ful said:
Microsoft added it to the BlockList:

<Deny ID="ID_DENY_DAVSVC_0" FriendlyName="BlockWebDAV" FileName="davsvc.dll" MinimumFileVersion="65535.65535.65535.65535" />


View attachment 277949

In your case, the Web Dav protocol is probably triggered when using MS Office. It allows access to the network drives if the server uses Web Dav for this. It is improbable that this could impact your activities, but if you will encounter problems with accessing some network resources, then you should inspect if Web Dav is the source of the issue.
Click to expand...

A legitimate dll. that can be abused by malware. If you really need it, you could exclude it. Its safe if it remains blocked.
 
  • Like
Reactions: Nevi, simmerskool, vtqhtr413 and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,176
eonline said:
WFC nothing more.

Update: Everything working, but WFC was blocked even whitelist the folder. The policies by WDAC are similar to have SAC on I think. :)
Click to expand...
They are different. The user who runs an executable with SAC protection can miss more digitally signed malware than after applying WHH + WDAC (RunBySmartscreen).
WHH + WDAC (default Whitelist) is more preventive as compared to WHH + SAC. But, the setup with SAC is more robust when the system is exploited.
The differences become smaller when using other tools (DocumentsAntiExploit, FirewallHardening, and ConfigureDefender).

The super-safe setup (WDAC with empty Whitelist) is stronger than SAC, because it will prevent running almost all digitally signed malware in the wild.
 
Last edited:
  • Like
Reactions: Nevi, eonline, simmerskool and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,176
Digmor Crusher, NormanF

When applying WDAC with %LocalAppData%\Temp on the Whitelist (c:\Users\user_name\AppData\Local\Temp) the folder with portable standalone applications (one application = one executable) can be moved anywhere (even to the flash drive) without whitelisting. But then, one has to use the "Run By SmartScreen" option from the Explorer context menu to run those applications.
When the portable application contains several PE files (EXE, DLL, etc.) then the application folder has to be whitelisted or the %ProgramData% folder can be used as I explained in the help:

1692368911685.png
 
Last edited:
  • Like
Reactions: Nevi, vtqhtr413, oldschool and 3 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
263
Views
19,227
Hard_Configurator Tools
Andy Ful
Andy Ful
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
569
General Security Discussions
Andy Ful
Andy Ful
SpyNetGirl
    • +Reputation
    • Like
    • Hundred Points
New Update Advanced Windows hardening with WDAC - Windows Defender Application Control
Replies
50
Views
6,414
Other security for Windows, Mac, Linux
SpyNetGirl
SpyNetGirl

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top