New Update Testing Windows Hybrid Hardening (new hardening application).

[Victor M]

Hi @Andy Ful ,

I asked my red team ( aka hacker acquaintances ) to test the effects of your new tool on my freshly installed Windows 11 Home laptop.

In addition to your tool, I also have Kaspersky Premium installed in default configuration.

There is a known problem with this laptop - WiFi cannot be disabled thru BIOS, and I am WiFi connected this time.

The only thing I changed to your tool is WDAC - removing 2 Appdata folders from the WDAC whitelist.

Result was that machine is pwned. MS Edge is not able to load the default Bing page. And typing in google.com into the address bar resulted in a "Not Secure" google.com address with a page that says "Not Found".

I then tried opening a Terminal window and doing a "ping google.com", and it was successful.

Then II did a Network Reset, but to no effect. Also Google Home is still functioning.

I am reasonably sure, that the attack was thru WiFi, maybe thru Peer to Peer mode.

Then I disabled WiFi and switched to Ethernet, connected to a different router, And MS Edge is now able to connect.

Maybe this isn't a fair test , you let me know.

If you think I should ask my red team to re-test, show me the steps to configure your Tool to the most secure settings.

My red team are only acquaintances, not friends. And they do not divulge their TTP to me.

 

[Victor M]

Downloaded nmap. Opened WHH and set WDAC exceptions to default. Placed nmap, pcap installers into Appdata...\temp and installed both.

nmap revealed 2 machines, one Linux and one Windows 10. They are Not mine.

 

[Victor M]

Now I am not so sure that I was pwned. It might have just been a network attack. Because changing the network re-enabled my machine's networking features.

 

[Andy Ful]

Hi @Andy Ful ,

I asked my red team ( aka hacker acquaintances ) to test the effects of your new tool on my freshly installed Windows 11 Home laptop.

Thanks. It can be interesting.

In addition to your tool, I also have Kaspersky Premium installed in default configuration.

There is a known problem with this laptop - WiFi cannot be disabled thru BIOS, and I am WiFi connected this time.

The only thing I changed to your tool is WDAC - removing 2 Appdata folders from the WDAC whitelist.

Result was that machine is pwned. MS Edge is not able to load the default Bing page. And typing in google.com into the address bar resulted in a "Not Secure" google.com address with a page that says "Not Found".

I do not think that your laptop was pwned. It could be a network attack, or you have some software related to WiFi that runs from UserSpace and was blocked by WDAC or SRP restrictions. You should inspect the blocked events.
If you want, you can post here or make a PM with blocked events (use the blue buttons < Events > ).

Edit.
After removing the AppData-related folders from the WDAC Whilelist, you can expect similar issues. Such a setup requires more whitelisting.

 

[Victor M]

@Andy Ful

Yes. I agree, it does look like a network attack.

Another question, if I WDAC whitelist the Downloads directory, will I be weakening security?

 

[Andy Ful]

@Andy Ful

...
Another question, if I WDAC whitelist the Downloads directory, will I be weakening security?

Why would you like to do it? This folder should be restricted in the first place.
You can run application installers by using the option "Run By SmartScreen" from the right-click Explorer context menu.

 

[Victor M]

Thanks Andy

 

[Gandalf_The_Grey]

I have whitelisted the folder I use for some portable apps C:\Users\Gandalf\Downloads\Software in WDAC.
How do I get a new downloaded Rapr.exe to work when I place it in C:\Users\Gandalf\Downloads\Software\DriverStoreExplorer.v0.11.92 ?
It has probably something to do with :

But how do I do that, use elevated shell?
Explorer and run as administrator does not work...

 

[Andy Ful]

I have whitelisted the folder I use for some portable apps C:\Users\Gandalf\Downloads\Software in WDAC.
How do I get a new downloaded Rapr.exe to work when I place it in C:\Users\Gandalf\Downloads\Software\DriverStoreExplorer.v0.11.92 ?

You should be able to run any EXE file in "C:\Users\Gandalf\Downloads\Software" and its subfolders.
Is something blocked by WDAC in this folder? Did you press <Apply and Close> after adding this folder to the whitelist?

It has probably something to do with :
View attachment 278023

No. This procedure can work only in %ProgramData%.

But how do I do that, use elevated shell?

You can use "Run as Administrator" from the Explorer context menu to run any 3rd party file explorer.

 

[Andy Ful]

Gandalf_The_Grey,

It is blocked by dynamic code trust verification. The ObjectListView.dll is dynamically created and it is not included into the whitelisted folder. So, the application is blocked.

Code Integrity determined that \Device\HarddiskVolume4\Users\username\Downloads\Software\DriverStoreExplorer.v0.11.92\Rapr.exe is trying to load ObjectListView.dll which failed the dynamic code trust verification with error code of 0xC0E90002.

Thanks for this example of the block. I will investigate this problem. This event is related to the event ID=3114 which is poorely documented and currently not included in the WHH Log.

 

[Andy Ful]

The example posted by Gandalf_The_Grey is interesting. The .NET executables can read the data from external resources and create the DLLs filelessly (in memory). Many malware can do it too. If the external resource is modified by the attacker, then the legal .NET executable will create the DLL with malicious code.
This method is similar to DLL hijacking, but instead of using malicious DLL, the attacker replaces the original resource with a malicious one. This method can be a challenge for many AVs.
I can predict such attacks, but I do not know how popular they can be.

The dynamic code trust verification can be skipped in WDAC by skipping in the policy the option:
<Option> Enabled: Dynamic Code Security </Option>
It is skipped in Smart App Control. I may consider skipping it in WHH.

 

[Victor M]

@Andy Ful

How do I install CyberLock with WDAC on in WHH ? I tried Run with Smartscreen and the insrtaller did not entirely finish. It did not get to the part where it registers the service, and starts the mini whitelist scanner. There are 2 parts to the installation.

 

[Andy Ful]

@Andy Ful

How do I install CyberLock with WDAC on in WHH ? I tried Run with Smartscreen and the insrtaller did not entirely finish. It did not get to the part where it registers the service, and starts the mini whitelist scanner. There are 2 parts to the installation.

Switch OFF the WDAC temporarily. It is possible that running CyberLock with WHH will require additional whitelisting.

Edit.
I am not sure if these two security layers (WHH and CyberLock) can be easily run together. It is probably better to try them separately and choose only one of them.

 

[silversurfer]

I am still "testing" WHH on my secondary older laptop, after this issue #30 just uninstalled Windows Firewall Control, since 5 days later no other entries on blocked events log
My custom "basic" whitelist for WDAC, except a few other software for personal use...

C:\Program Files (x86)
C:\Program Files
C:\ProgrammData
C:\Users\user name\AppData\Local\Temp

 

[Andy Ful]

I am still "testing" WHH on my secondary older laptop, after this issue #30 just uninstalled Windows Firewall Control, since 5 days later no other entries on blocked events log
My custom "basic" whitelist for WDAC, except a few other software for personal use...

C:\Program Files (x86)
C:\Program Files
C:\ProgrammData
C:\Users\user name\AppData\Local\Temp

Yes - this is the default BlockList with removed user AppData. It should work well for users who do not install applications in UserSpace.
Many users can probably remove also %ProgramData%.

 

[silversurfer]

Yes - this is the default BlockList with removed user AppData. It should work well for users who do not install applications in UserSpace.
Many users can probably remove also %ProgramData%.

In case for Defender users, MD has the main part of installation in ProgramData, guess no problem for blocks by WDAC because Microsoft usually doesn't block own signed files.

 

[Gandalf_The_Grey]

Would it be possible to add Run By SmartScreen in the simple right click menu of Windows 11 and not under more options?

I do not know. I will think about it.

I found a temporary solution: the shift key:

Open the classic context menu with one click in Windows 11

With a simple click on your keyboard, you can instantly open the more extensive classic context menu in Windows 11:

Hold down the Shift key while right-clicking on a file with your mouse and you will get the old context menu from Windows 10

Open het klassieke context-menu in Windows 11 met één klik | GratisSoftware.nl

Windows 11 heeft ten opzichte van Windows 10 een moderner, meer gestroomlijnd uiterlijk. Toch vallen niet alle vernieuwingen bij iedereen in de smaak. Zo is het contextmenu, rechtsklikken op een bestand in Verkenner, wel mooier geworden, maar niet altijd even handig, omdat je soms voor meer...

www.gratissoftwaresite.nl

 

[Gandalf_The_Grey]

The example posted by Gandalf_The_Grey is interesting. The .NET executables can read the data from external resources and create the DLLs filelessly (in memory). Many malware can do it too. If the external resource is modified by the attacker, then the legal .NET executable will create the DLL with malicious code.
This method is similar to DLL hijacking, but instead of using malicious DLL, the attacker replaces the original resource with a malicious one. This method can be a challenge for many AVs.
I can predict such attacks, but I do not know how popular they can be.

The dynamic code trust verification can be skipped in WDAC by skipping in the policy the option:
<Option> Enabled: Dynamic Code Security </Option>
It is skipped in Smart App Control. I may consider skipping it in WHH.

For your information, three other programs with probably the same issue:
O&O ShutUp10++
O&O AppBuster
DefenderUI

 

[silversurfer]

For your information, three other programs with probably the same issue:
O&O ShutUp10++
O&O AppBuster
DefenderUI

Confirmed here for both tools O&O ShutUp10++ and AppBuster, here both doesn't run even if whitelisted nor via "Run By SmartSceen".
Furthermore, no related entries in WDAC_BlockedEvents.log (EXE/DLL)

 

[simmerskool]

Confirmed here for both tools O&O ShutUp10++ and AppBuster, here both doesn't run even if whitelisted nor via "Run By SmartSceen".
Furthermore, no related entries in WDAC_BlockedEvents.log (EXE/DLL)

interjection: do you like O&O AppBuster? Do you recommend? Any other apps similar -- I'm not a big fan of O&O based on my past history...