New Update Testing Windows Hybrid Hardening (new hardening application).

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,556
For your information, three other programs with probably the same issue:
O&O ShutUp10++
O&O AppBuster
DefenderUI
Yes. All of them are incompatible with WDAC dynamic code trust verification. This can be a problem in businesses if WDAC policies are applied. I think that dynamic code trust verification is not necessary at home, because non-Microsoft applications are already blocked.
The lack of dynamic code trust verification could be important in the case of the vulnerable Microsoft-signed .NET application. But, I did not hear of such an application.
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,224
interjection: do you like O&O AppBuster? Do you recommend? Any other apps similar -- I'm not a big fan of O&O based on my past history...
I am from Germany so it’s my preference to use AppBuster, never had an issue so far 😉 unlike my experience with ShutUp10 that might be a risk with a lot of options to break the system…

Honestly, I can’t recommend one other app with same purpose as AppBuster because I haven’t used other tools like that 🤷‍♂️
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,729
I am from Germany so it’s my preference to use AppBuster, never had an issue so far 😉 unlike my experience with ShutUp10 that might be a risk with a lot of options to break the system…

Honestly, I can’t recommend one other app with same purpose as AppBuster because I haven’t used other tools like that 🤷‍♂️
I often use German software, my grandfather & grandmother on my father's side were born in Germany, but I'm living US of A.
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,389
I am from Germany so it’s my preference to use AppBuster, never had an issue so far 😉 unlike my experience with ShutUp10 that might be a risk with a lot of options to break the system…

Honestly, I can’t recommend one other app with same purpose as AppBuster because I haven’t used other tools like that 🤷‍♂️
Both are portable tools.
Both do advise you to create a restore point before you remove software or adjust a settings.

IMO O&O ShutUp 10 is safe as long as you stick to the recommended actions and don't use the options marked in red with no (not recommended).
Every option had a short description, that tells you the wanted or not wanted effects.
 
F

ForgottenSeer 97327

I often use German software, my grandfather & grandmother on my father's side were born in Germany, but I'm living US of A.
Simmerskool is Frysian for summer school did they live in the North West of Germany (west of Bremen, East of Dutch Border)
1693504148170.png
 

cartaphilus

Level 11
Verified
Top Poster
Well-known
Mar 17, 2023
531
WindowsHybridHardening Light ver. 1.0.0.0.:

This is the first version, so it is recommendable to run the application on the Virtual Machine.

Problems can arise from the AVs, which can tamper with WHH Light. For example, before submitting false positives, Microsoft Defender detected WHH as the malware (3 different behavior-based detections). After my submission, the detections were removed, but the application was still blocked by ASR rules.
Currently (after some negotiations with Microsoft) the application is accepted by:
  • SmartScreen and PUA protection (in Edge and Defender),
  • Smart App Control,
  • ASR rules (except a single rule related to running from USB).
Checkpoint Harmony detects it as a bot via their AI. I think it's due to an unsigned process and the process is using scripting to change the lower levels of windows security options.
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,389
Yes. All of them are incompatible with WDAC dynamic code trust verification. This can be a problem in businesses if WDAC policies are applied. I think that dynamic code trust verification is not necessary at home, because non-Microsoft applications are already blocked.
The lack of dynamic code trust verification could be important in the case of the vulnerable Microsoft-signed .NET application. But, I did not hear of such an application.
Thanks @Andy Ful
These are application for home users, so no problems in businesses.
It would be great if dynamic code trust verification could be skipped or made optional.
So far really enjoying WHH without any (other) issues (y)
 
F

ForgottenSeer 97327

Well, I have used WDAC and SRP since 2019. You have often inspired me (e,g, H_C with AVAST profile). To be honest I have put WDAC + SRP on a few PC's in the following setup (mostly for elderly relatives). I always set an explicit allow on UAC protected folders when I enable ISG to prevent ISG from blocking stuff, I ran into situations where ISG blocked old unsupported versions of a signed program.

WDAC
1. Enable ISG
2. Exclude scripts and dynamic code
3. Add explicit ALLOW FOLDER for Windows + Programfiles x64 and x32 and ProgramData
4. Add explicit DENY FOLDER for Shared Folder, Download Folder and Desktop
5. Block Microsoft advised executables (msHTA.exe etc)

SRP (that is basiccally a simplified version of SWH)

This WDAC runs fine with all sorts of setups (Microsoft Office and OpenOffice). I only combined this with F-Secure (because the largest ISP in the Netherlands offers free licenses for a rebranded F-Secure). Running fine in this context means = unttended set and forget with no calls that something broke or borked up.
@Andy Ful I told you so :)

Also the redundant allows help prevent problems. but you don't have to take my word for it ;)
 
F

ForgottenSeer 97327

There is no need to invade - we already live in a sort of union.:)
:) It i sthe other way around, Poland has invaded Germany :ROFLMAO: (source statistica)

1693505742879.png

I also have a Polish family in our street, they learned me to drink Zubrowka Polish Bison grass wodka. (y)
It tastes as good as the best old Dutch Gin (whiich is called Barley Wine or 'korenwijn' in Dutch) but Bison grass wodka is 50% cheaper.
To return to the previous Simmerskool off topic: Frysians call Barley wine, Frysian whiskey. Both Barley Wine and Frysian Whiskey have the colour of whiskey (not transparant like gin or wodka). Apologize for off topicing an off topic :oops:

Picture of Dutch Barley wine
1693583621496.png

[/SPOILER[
 
Last edited by a moderator:

cartaphilus

Level 11
Verified
Top Poster
Well-known
Mar 17, 2023
531
There is no need to invade - we already live in a sort of union.:)
Tak ja wiem


I've spent many years in Germany and Poland. Neat nations. Nothing changed about Poland invading Germany. Back in the day many Polish citizens would work in the DDR side of Germany since according to them the pay was better. I stayed majority of my time in FRG; whenever I crossed to DDR I was followed by Stasi which was fun. Also FRG Mark was worth 10 DDR Marks (on the black market; since officially it was 1 for 1 and the exchange tellers would pocket the FRG franks) since you could purchase FRG items with FRG Marks which were very difficult to obtain (and forbidden) with DDR Marks.
Back then Poland had the same system. They had a store called Pewex (if I recall correctly) it was a state run store that would sell USA items but you could only purchase the items with USD. But I digress.



Edit: I wish my kid takes the love of languages after me. Currently I am trying to teach him Spanish and Latin. Why Latin? Because it's the root of romance languages and one can deduct modern meanings from Latin roots. It also helps with memorization of Romantic languages since you memorize by association of what you already know.

Edit: by the way; swear words when spoken in Polish or German sound more heartfelt and gutteral then they do when spoken in English, Spanish or French
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,556
In the OP, I described two WHH setups: the default and supersafe.
It is possible to use a setup very similar to the default one on the Admin account together with supersafe setups on any SUA account.

1693505946203.png


As we can see the whitelist includes most of the default folders for the Admin account (named AdminUser). So, when using this Admin account, almost all applications will work and auto-update. The AdminUser can also install applications via "Run By SmartScreen".
On the contrary, on any standard user account, the files from its AppData will be blocked (they are not included on the whitelist). Furthermore, the AppData locations in the Admin account cannot be easily accessed from the standard user account:
  1. AppData locations are hidden in Explorer.
  2. Accessing the Admin AppData folder from the standard user account requires entering the Admin credentials.
This is probably the setup, similar to that preferred by @NormanF.

Even if something is exploited on SUA, then it will be blocked on SUA by supersafe setup (supersafe SUA). This can be an advantage when one does not use other WHH tools (ConfigureDefender, DocumentsAntiExploit, FirewallHardening).
 
Last edited:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,729
Checkpoint Harmony detects it as a bot via their AI. I think it's due to an unsigned process and the process is using scripting to change the lower levels of windows security options.
to move back to OP, I've been semi-following this topic, and wondering where best, ie, on which VM to install and run WHH. I have the perception that it's written to be to be run with MD, and without apps like VS/CL or 3d-party AV. @Andy Ful so this VM I'm running today with Harmony (my default VM) would / should not be my first choice to run WHH, correct? :unsure:
 

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,424
to move back to OP, I've been semi-following this topic, and wondering where best, ie, on which VM to install and run WHH. I have the perception that it's written to be to be run with MD, and without apps like VS/CL or 3d-party AV. @Andy Ful so this VM I'm running today with Harmony (my default VM) would / should not be my first choice to run WHH, correct? :unsure:
I am running SWH with F-Secure, so I don't think it should matter which AV you are using. ( I could be wrong and Andy will have to smack me though.:cry:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,556
to move back to OP, I've been semi-following this topic, and wondering where best, ie, on which VM to install and run WHH. I have the perception that it's written to be to be run with MD, and without apps like VS/CL or 3d-party AV. @Andy Ful so this VM I'm running today with Harmony (my default VM) would / should not be my first choice to run WHH, correct? :unsure:

1693516157298.png


WHH (like all my applications except ConfigureDefender) is intended to work with any AV. Anyway, it is a new application so some AVs can allow WHH, but still block some of its actions (especially relted to WDAC). After removing false positives by Avast, Bitdefender, Microsoft, and Symantec (Norton) there were no signals about blocking WHH by other vendors. Anyway, we must wait what will happen during the testing phase in a few months.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,729
Holy crap my grandad was also from Germany! I also like German software but each time I use it I suddenly have a very strong desire to invade Poland.
(I've owned some German cars too, and my mechanical wristwatch is "Made in Germany") fwiw... (emoji omitted)
 
  • Like
Reactions: vtqhtr413

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,729
View attachment 278343

WHH (like all my applications except ConfigureDefender) is intended to work with any AV. Anyway, it is a new application so some AVs can allow WHH, but still block some of its actions (especially relted to WDAC). After removing false positives by Avast, Bitdefender, Microsoft, and Symantec (Norton) there were no signals about blocking WHH by other vendors. Anyway, we must wait what will happen during the testing phase in a few months.
ok, I try it Harmony and see if I get a meltdown.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,556
ok, I could be wrong (I think I am...) but OP started out with WHH is stronger than SWH, so perhaps some distinction?? :unsure:
Yes and No. WHH is stronger in a way as CIA + FBI is stronger than CIA alone.
I mean that SWH is intended to prevent fileless attack vectors and leave typical executables to AV and SmartScreen.
WHH is not stronger against fileless malware, but has got additional module to prevent attacks via typical executables.

PS my VM2 is running F-Secure VS/CL & SWH. :)
There is no need to change this setup. Adding WHH will make the setup more complex, without adding much security.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top