New Update Testing Windows Hybrid Hardening (new hardening application).

[Andy Ful]

For your information, three other programs with probably the same issue:
O&O ShutUp10++
O&O AppBuster
DefenderUI

Yes. All of them are incompatible with WDAC dynamic code trust verification. This can be a problem in businesses if WDAC policies are applied. I think that dynamic code trust verification is not necessary at home, because non-Microsoft applications are already blocked.
The lack of dynamic code trust verification could be important in the case of the vulnerable Microsoft-signed .NET application. But, I did not hear of such an application.

 

[silversurfer]

interjection: do you like O&O AppBuster? Do you recommend? Any other apps similar -- I'm not a big fan of O&O based on my past history...

I am from Germany so it’s my preference to use AppBuster, never had an issue so far unlike my experience with ShutUp10 that might be a risk with a lot of options to break the system…

Honestly, I can’t recommend one other app with same purpose as AppBuster because I haven’t used other tools like that

 

[simmerskool]

I am from Germany so it’s my preference to use AppBuster, never had an issue so far unlike my experience with ShutUp10 that might be a risk with a lot of options to break the system…

Honestly, I can’t recommend one other app with same purpose as AppBuster because I haven’t used other tools like that

I often use German software, my grandfather & grandmother on my father's side were born in Germany, but I'm living US of A.

 

[Gandalf_The_Grey]

I am from Germany so it’s my preference to use AppBuster, never had an issue so far unlike my experience with ShutUp10 that might be a risk with a lot of options to break the system…

Honestly, I can’t recommend one other app with same purpose as AppBuster because I haven’t used other tools like that

Both are portable tools.
Both do advise you to create a restore point before you remove software or adjust a settings.

IMO O&O ShutUp 10 is safe as long as you stick to the recommended actions and don't use the options marked in red with no (not recommended).
Every option had a short description, that tells you the wanted or not wanted effects.

 

[ForgottenSeer 97327]

I often use German software, my grandfather & grandmother on my father's side were born in Germany, but I'm living US of A.

Simmerskool is Frysian for summer school did they live in the North West of Germany (west of Bremen, East of Dutch Border)

 

[cartaphilus]

WindowsHybridHardening Light ver. 1.0.0.0.:

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/WHHLight_Package_1000.exe

This is the first version, so it is recommendable to run the application on the Virtual Machine.

Problems can arise from the AVs, which can tamper with WHH Light. For example, before submitting false positives, Microsoft Defender detected WHH as the malware (3 different behavior-based detections). After my submission, the detections were removed, but the application was still blocked by ASR rules.
Currently (after some negotiations with Microsoft) the application is accepted by:

• SmartScreen and PUA protection (in Edge and Defender),
• Smart App Control,
• ASR rules (except a single rule related to running from USB).

Checkpoint Harmony detects it as a bot via their AI. I think it's due to an unsigned process and the process is using scripting to change the lower levels of windows security options.

 

[Gandalf_The_Grey]

Yes. All of them are incompatible with WDAC dynamic code trust verification. This can be a problem in businesses if WDAC policies are applied. I think that dynamic code trust verification is not necessary at home, because non-Microsoft applications are already blocked.
The lack of dynamic code trust verification could be important in the case of the vulnerable Microsoft-signed .NET application. But, I did not hear of such an application.

Thanks @Andy Ful
These are application for home users, so no problems in businesses.
It would be great if dynamic code trust verification could be skipped or made optional.
So far really enjoying WHH without any (other) issues

 

[ForgottenSeer 97327]

Well, I have used WDAC and SRP since 2019. You have often inspired me (e,g, H_C with AVAST profile). To be honest I have put WDAC + SRP on a few PC's in the following setup (mostly for elderly relatives). I always set an explicit allow on UAC protected folders when I enable ISG to prevent ISG from blocking stuff, I ran into situations where ISG blocked old unsupported versions of a signed program.

WDAC
1. Enable ISG
2. Exclude scripts and dynamic code
3. Add explicit ALLOW FOLDER for Windows + Programfiles x64 and x32 and ProgramData
4. Add explicit DENY FOLDER for Shared Folder, Download Folder and Desktop
5. Block Microsoft advised executables (msHTA.exe etc)

SRP (that is basiccally a simplified version of SWH)

This WDAC runs fine with all sorts of setups (Microsoft Office and OpenOffice). I only combined this with F-Secure (because the largest ISP in the Netherlands offers free licenses for a rebranded F-Secure). Running fine in this context means = unttended set and forget with no calls that something broke or borked up.

@Andy Ful I told you so

Also the redundant allows help prevent problems. but you don't have to take my word for it

 

[cartaphilus]

I often use German software, my grandfather & grandmother on my father's side were born in Germany, but I'm living US of A.

Holy crap my grandad was also from Germany! I also like German software but each time I use it I suddenly have a very strong desire to invade Poland.

 

[Andy Ful]

Holy crap my grandad was also from Germany! I also like German software but each time I use it I suddenly have a very strong desire to invade Poland.

There is no need to invade - we already live in a sort of union.

 

[ForgottenSeer 97327]

There is no need to invade - we already live in a sort of union.

It i sthe other way around, Poland has invaded Germany (source statistica)

I also have a Polish family in our street, they learned me to drink Zubrowka Polish Bison grass wodka.
It tastes as good as the best old Dutch Gin (whiich is called Barley Wine or 'korenwijn' in Dutch) but Bison grass wodka is 50% cheaper.
To return to the previous Simmerskool off topic: Frysians call Barley wine, Frysian whiskey. Both Barley Wine and Frysian Whiskey have the colour of whiskey (not transparant like gin or wodka). Apologize for off topicing an off topic

Spoiler

Picture of Dutch Barley wine

[/SPOILER[

 

[cartaphilus]

There is no need to invade - we already live in a sort of union.

Tak ja wiem


I've spent many years in Germany and Poland. Neat nations. Nothing changed about Poland invading Germany. Back in the day many Polish citizens would work in the DDR side of Germany since according to them the pay was better. I stayed majority of my time in FRG; whenever I crossed to DDR I was followed by Stasi which was fun. Also FRG Mark was worth 10 DDR Marks (on the black market; since officially it was 1 for 1 and the exchange tellers would pocket the FRG franks) since you could purchase FRG items with FRG Marks which were very difficult to obtain (and forbidden) with DDR Marks.
Back then Poland had the same system. They had a store called Pewex (if I recall correctly) it was a state run store that would sell USA items but you could only purchase the items with USD. But I digress.



Edit: I wish my kid takes the love of languages after me. Currently I am trying to teach him Spanish and Latin. Why Latin? Because it's the root of romance languages and one can deduct modern meanings from Latin roots. It also helps with memorization of Romantic languages since you memorize by association of what you already know.

Edit: by the way; swear words when spoken in Polish or German sound more heartfelt and gutteral then they do when spoken in English, Spanish or French

 

[Andy Ful]

In the OP, I described two WHH setups: the default and supersafe.
It is possible to use a setup very similar to the default one on the Admin account together with supersafe setups on any SUA account.

As we can see the whitelist includes most of the default folders for the Admin account (named AdminUser). So, when using this Admin account, almost all applications will work and auto-update. The AdminUser can also install applications via "Run By SmartScreen".
On the contrary, on any standard user account, the files from its AppData will be blocked (they are not included on the whitelist). Furthermore, the AppData locations in the Admin account cannot be easily accessed from the standard user account:

1. AppData locations are hidden in Explorer.
2. Accessing the Admin AppData folder from the standard user account requires entering the Admin credentials.

This is probably the setup, similar to that preferred by @NormanF.

Even if something is exploited on SUA, then it will be blocked on SUA by supersafe setup (supersafe SUA). This can be an advantage when one does not use other WHH tools (ConfigureDefender, DocumentsAntiExploit, FirewallHardening).

 

[simmerskool]

Checkpoint Harmony detects it as a bot via their AI. I think it's due to an unsigned process and the process is using scripting to change the lower levels of windows security options.

to move back to OP, I've been semi-following this topic, and wondering where best, ie, on which VM to install and run WHH. I have the perception that it's written to be to be run with MD, and without apps like VS/CL or 3d-party AV. @Andy Ful so this VM I'm running today with Harmony (my default VM) would / should not be my first choice to run WHH, correct?

 

[Digmor Crusher]

to move back to OP, I've been semi-following this topic, and wondering where best, ie, on which VM to install and run WHH. I have the perception that it's written to be to be run with MD, and without apps like VS/CL or 3d-party AV. @Andy Ful so this VM I'm running today with Harmony (my default VM) would / should not be my first choice to run WHH, correct?

I am running SWH with F-Secure, so I don't think it should matter which AV you are using. ( I could be wrong and Andy will have to smack me though.)

 

[simmerskool]

I am running SWH with F-Secure, so I don't think it should matter which AV you are using. ( I could be wrong and Andy will have to smack me though.)

ok, I could be wrong (I think I am...) but OP started out with WHH is stronger than SWH, so perhaps some distinction??
PS my VM2 is running F-Secure VS/CL & SWH.

 

[Andy Ful]

to move back to OP, I've been semi-following this topic, and wondering where best, ie, on which VM to install and run WHH. I have the perception that it's written to be to be run with MD, and without apps like VS/CL or 3d-party AV. @Andy Ful so this VM I'm running today with Harmony (my default VM) would / should not be my first choice to run WHH, correct?

WHH (like all my applications except ConfigureDefender) is intended to work with any AV. Anyway, it is a new application so some AVs can allow WHH, but still block some of its actions (especially relted to WDAC). After removing false positives by Avast, Bitdefender, Microsoft, and Symantec (Norton) there were no signals about blocking WHH by other vendors. Anyway, we must wait what will happen during the testing phase in a few months.

 

[simmerskool]

Holy crap my grandad was also from Germany! I also like German software but each time I use it I suddenly have a very strong desire to invade Poland.

(I've owned some German cars too, and my mechanical wristwatch is "Made in Germany") fwiw... (emoji omitted)

 

[simmerskool]

View attachment 278343

WHH (like all my applications except ConfigureDefender) is intended to work with any AV. Anyway, it is a new application so some AVs can allow WHH, but still block some of its actions (especially relted to WDAC). After removing false positives by Avast, Bitdefender, Microsoft, and Symantec (Norton) there were no signals about blocking WHH by other vendors. Anyway, we must wait what will happen during the testing phase in a few months.

ok, I try it Harmony and see if I get a meltdown.

 

[Andy Ful]

ok, I could be wrong (I think I am...) but OP started out with WHH is stronger than SWH, so perhaps some distinction??

Yes and No. WHH is stronger in a way as CIA + FBI is stronger than CIA alone.
I mean that SWH is intended to prevent fileless attack vectors and leave typical executables to AV and SmartScreen.
WHH is not stronger against fileless malware, but has got additional module to prevent attacks via typical executables.

PS my VM2 is running F-Secure VS/CL & SWH.

There is no need to change this setup. Adding WHH will make the setup more complex, without adding much security.