New Update Testing Windows Hybrid Hardening (new hardening application).

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
Hi @Andy Ful ,

I asked my red team ( aka hacker acquaintances ) to test the effects of your new tool on my freshly installed Windows 11 Home laptop.

In addition to your tool, I also have Kaspersky Premium installed in default configuration.

There is a known problem with this laptop - WiFi cannot be disabled thru BIOS, and I am WiFi connected this time.

The only thing I changed to your tool is WDAC - removing 2 Appdata folders from the WDAC whitelist.

Result was that machine is pwned. MS Edge is not able to load the default Bing page. And typing in google.com into the address bar resulted in a "Not Secure" google.com address with a page that says "Not Found".

I then tried opening a Terminal window and doing a "ping google.com", and it was successful.

Then II did a Network Reset, but to no effect. Also Google Home is still functioning.

I am reasonably sure, that the attack was thru WiFi, maybe thru Peer to Peer mode.

Then I disabled WiFi and switched to Ethernet, connected to a different router, And MS Edge is now able to connect.

Maybe this isn't a fair test , you let me know.

If you think I should ask my red team to re-test, show me the steps to configure your Tool to the most secure settings.

My red team are only acquaintances, not friends. And they do not divulge their TTP to me.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Hi @Andy Ful ,

I asked my red team ( aka hacker acquaintances ) to test the effects of your new tool on my freshly installed Windows 11 Home laptop.

Thanks. It can be interesting.

In addition to your tool, I also have Kaspersky Premium installed in default configuration.

There is a known problem with this laptop - WiFi cannot be disabled thru BIOS, and I am WiFi connected this time.

The only thing I changed to your tool is WDAC - removing 2 Appdata folders from the WDAC whitelist.

Result was that machine is pwned. MS Edge is not able to load the default Bing page. And typing in google.com into the address bar resulted in a "Not Secure" google.com address with a page that says "Not Found".

I do not think that your laptop was pwned. It could be a network attack, or you have some software related to WiFi that runs from UserSpace and was blocked by WDAC or SRP restrictions. You should inspect the blocked events.
If you want, you can post here or make a PM with blocked events (use the blue buttons < Events > ). (y)

Edit.
After removing the AppData-related folders from the WDAC Whilelist, you can expect similar issues. Such a setup requires more whitelisting.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
@Andy Ful

...
Another question, if I WDAC whitelist the Downloads directory, will I be weakening security?
Why would you like to do it? This folder should be restricted in the first place.
You can run application installers by using the option "Run By SmartScreen" from the right-click Explorer context menu.

1692525117028.png
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,414
I have whitelisted the folder I use for some portable apps C:\Users\Gandalf\Downloads\Software in WDAC.
How do I get a new downloaded Rapr.exe to work when I place it in C:\Users\Gandalf\Downloads\Software\DriverStoreExplorer.v0.11.92 ?
It has probably something to do with :
1692640609562.png

But how do I do that, use elevated shell?
Explorer and run as administrator does not work...
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I have whitelisted the folder I use for some portable apps C:\Users\Gandalf\Downloads\Software in WDAC.
How do I get a new downloaded Rapr.exe to work when I place it in C:\Users\Gandalf\Downloads\Software\DriverStoreExplorer.v0.11.92 ?

You should be able to run any EXE file in "C:\Users\Gandalf\Downloads\Software" and its subfolders.
Is something blocked by WDAC in this folder? Did you press <Apply and Close> after adding this folder to the whitelist?

It has probably something to do with :
View attachment 278023

No. This procedure can work only in %ProgramData%.

But how do I do that, use elevated shell?

You can use "Run as Administrator" from the Explorer context menu to run any 3rd party file explorer.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Gandalf_The_Grey,

It is blocked by dynamic code trust verification. The ObjectListView.dll is dynamically created and it is not included into the whitelisted folder. So, the application is blocked.

Code Integrity determined that \Device\HarddiskVolume4\Users\username\Downloads\Software\DriverStoreExplorer.v0.11.92\Rapr.exe is trying to load ObjectListView.dll which failed the dynamic code trust verification with error code of 0xC0E90002.

Thanks for this example of the block. I will investigate this problem. This event is related to the event ID=3114 which is poorely documented and currently not included in the WHH Log.(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
The example posted by Gandalf_The_Grey is interesting. The .NET executables can read the data from external resources and create the DLLs filelessly (in memory). Many malware can do it too. If the external resource is modified by the attacker, then the legal .NET executable will create the DLL with malicious code.
This method is similar to DLL hijacking, but instead of using malicious DLL, the attacker replaces the original resource with a malicious one. This method can be a challenge for many AVs.
I can predict such attacks, but I do not know how popular they can be.

The dynamic code trust verification can be skipped in WDAC by skipping in the policy the option:
<Option> Enabled: Dynamic Code Security </Option>
It is skipped in Smart App Control. I may consider skipping it in WHH.
 
Last edited:

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
@Andy Ful

How do I install CyberLock with WDAC on in WHH ? I tried Run with Smartscreen and the insrtaller did not entirely finish. It did not get to the part where it registers the service, and starts the mini whitelist scanner. There are 2 parts to the installation.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
@Andy Ful

How do I install CyberLock with WDAC on in WHH ? I tried Run with Smartscreen and the insrtaller did not entirely finish. It did not get to the part where it registers the service, and starts the mini whitelist scanner. There are 2 parts to the installation.

Switch OFF the WDAC temporarily. It is possible that running CyberLock with WHH will require additional whitelisting.

Edit.
I am not sure if these two security layers (WHH and CyberLock) can be easily run together. It is probably better to try them separately and choose only one of them.
 
Last edited:

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,256
I am still "testing" WHH on my secondary older laptop, after this issue #30 just uninstalled Windows Firewall Control, since 5 days later no other entries on blocked events log 👍
My custom "basic" whitelist for WDAC, except a few other software for personal use... ;)
C:\Program Files (x86)
C:\Program Files
C:\ProgrammData
C:\Users\user name\AppData\Local\Temp
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I am still "testing" WHH on my secondary older laptop, after this issue #30 just uninstalled Windows Firewall Control, since 5 days later no other entries on blocked events log 👍
My custom "basic" whitelist for WDAC, except a few other software for personal use... ;)

C:\Program Files (x86)
C:\Program Files
C:\ProgrammData
C:\Users\user name\AppData\Local\Temp

Yes - this is the default BlockList with removed user AppData. It should work well for users who do not install applications in UserSpace.
Many users can probably remove also %ProgramData%.
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,256
Yes - this is the default BlockList with removed user AppData. It should work well for users who do not install applications in UserSpace.
Many users can probably remove also %ProgramData%.
In case for Defender users, MD has the main part of installation in ProgramData, guess no problem for blocks by WDAC because Microsoft usually doesn't block own signed files.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,414
Would it be possible to add Run By SmartScreen in the simple right click menu of Windows 11 and not under more options?
I do not know. I will think about it.
I found a temporary solution: the shift key:
Open the classic context menu with one click in Windows 11

With a simple click on your keyboard, you can instantly open the more extensive classic context menu in Windows 11:

Hold down the Shift key while right-clicking on a file with your mouse and you will get the old context menu from Windows 10
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,414
The example posted by Gandalf_The_Grey is interesting. The .NET executables can read the data from external resources and create the DLLs filelessly (in memory). Many malware can do it too. If the external resource is modified by the attacker, then the legal .NET executable will create the DLL with malicious code.
This method is similar to DLL hijacking, but instead of using malicious DLL, the attacker replaces the original resource with a malicious one. This method can be a challenge for many AVs.
I can predict such attacks, but I do not know how popular they can be.

The dynamic code trust verification can be skipped in WDAC by skipping in the policy the option:
<Option> Enabled: Dynamic Code Security </Option>
It is skipped in Smart App Control. I may consider skipping it in WHH.
For your information, three other programs with probably the same issue:
O&O ShutUp10++
O&O AppBuster
DefenderUI
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,256
Last edited:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,783
Confirmed here for both tools O&O ShutUp10++ and AppBuster, here both doesn't run even if whitelisted nor via "Run By SmartSceen".
Furthermore, no related entries in WDAC_BlockedEvents.log (EXE/DLL)
interjection: do you like O&O AppBuster? Do you recommend? Any other apps similar -- I'm not a big fan of O&O based on my past history...
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top