New Update Testing Windows Hybrid Hardening (new hardening application).

simmerskool

> Yes and No. WHH is stronger in a way as CIA + FBI is stronger than CIA alone.
> I mean that SWH is intended to prevent fileless attack vectors and leave typical executables to AV and SmartScreen.
> WHH is not stronger against fileless malware, but has got an additional module to prevent attacks via typical executables.
>
> There is no need to change this setup. Adding WHH will make the setup more complex, without adding much security.

yeah, ok, you talked me out of it. I have some other VM where it's probably a better fit. thanks!!! :D
 

cartaphilus

> Yes and No. WHH is stronger in a way as CIA + FBI is stronger than CIA alone.
> I mean that SWH is intended to prevent fileless attack vectors and leave typical executables to AV and SmartScreen.
> WHH is not stronger against fileless malware, but has got an additional module to prevent attacks via typical executables.
>
> There is no need to change this setup. Adding WHH will make the setup more complex, without adding much security.

FBI wishes they had the budget of the CIA. :)
 

Freki123

@Andy Ful Thanks for taking your time to create some new nice software for us. I just read through your instruction pictures from your first post.

2. Windows OS components, Microsoft signed applications, and MS Store apps (whitelisted by EKU)
5. Location in UserSpace on the SYSTEM-drive, but unblocked in WDAC by modifying the ACL permissions

Could you consider writing the full name for it (at least once) please? I can't be the only person that would otherwise have to DDG its meaning (at least that's what I hope). If I have missed it in the huge amount of text I'm sorry. My first results were like EKU=Eastern Kentucky University :D
It's just easier if you have the correct search term if you want to find more information later about what e.g. EKU is.
 

Andy Ful

Thread author, Developer (from Hard_Configurator Tools)
> @Andy Ful Thanks for taking your time to create some new nice software for us. I just read through your instruction pictures from your first post.
>
> 2. Windows OS components, Microsoft signed applications, and MS Store apps (whitelisted by EKU)
> 5. Location in UserSpace on the SYSTEM-drive, but unblocked in WDAC by modifying the ACL permissions
>
> Could you consider writing the full name for it (at least once) please? I can't be the only person that would otherwise have to DDG its meaning (at least that's what I hope). If I have missed it in the huge amount of text I'm sorry. My first results were like EKU=Eastern Kentucky University :D
> It's just easier if you have the correct search term if you want to find more information later about what e.g. EKU is.

EKU = Extended Key Usage or Enhanced Key Usage
ACL = Access Control List

 

ForgottenSeer 97327

@Andy Ful

Last time I beg you, please run WDAC with (in smart mode)

1. Allow Microsoft + ISG (ISG is sort of similar to SAC)
2. Explicit allow rules for
a) Program Files
b) Program Files (x86)
c) Users\Admin\AppData
d) Users\Admin\Local\temp
3. Microsoft advised block Rules for User space and kernel
4. SWH (SRP blocking risky file extensions and allowing exe, msi, tmp)
5. Fall back to Audit mode when a driver fails to load
6. Exclude dynamic code and scripts (I told you so ;) )

This is really a huge improvement for most home users in terms of security, while it allows for most program updates.

Your version is as strong as the UAC protection of 2 C and 2 D, so allowing ISG (which is similar to SAC) does not weaken it substantially, only increasing usability. You provided us with excellent freebies (H_C, CD, SWH), I really have no idea why you would provide such a complex hybrid hardening. I don't understand the logic behind it (when you allow UAC holes, you might as well add ISG). Normally I can follow you and applaud your tweaks, but you got me lost here.

Don't be offended, but I would propose three levels of protection
a) Basic (only old SWH)
b) Smart (as I outlined above)
c) Deny all (block all in user folders)

With option B and C the user additionally has an option to exclude user folders
 

ForgottenSeer 97327

> You have no choice when using WHH. It turns off the WDAC part automatically.

Great, but ...

I find it hard to critique a man who has offered us great programs and whom I value highly.
I recognize your genius, but why did you feel the need to combine stuff?

What is wrong with keeping the old style SWH for Windows 11 (used alongside SAC or WDAC) as a separate program?

Offer a new Hybrid hardening (as replacement for H_C) with two modes (for people not having SAC enabled)

Hybrid hardening offers a smart mode and a super safe mode

Smart mode
1. Allow Microsoft + ISG (ISG is sort of similar to SAC)
2. Explicit allow rules for
a) Program Files
b) Program Files (x86)
c) Users\Admin\AppData
d) Users\Admin\Local\temp
3. Microsoft advised block Rules for User space and kernel
4. Exclude dynamic code and scripts (I told you so ;) )

Super safe mode
1. Allow Microsoft
2. Explicit allow rules for
a) Program Files
b) Program Files (x86)
3. Microsoft advised block Rules for User space and kernel

Both of these have an option to whitelist user folders
 

Andy Ful

@Max90,

I think that most of your concerns could disappear if you simply tested WHHLight for a week.(y)

The ISG makes sense only when blocking Desktop, Downloads, USB drives, removable drives (disk images), etc.
Such a setup is more complicated. We already talked about it. The right place for ISG is probably WHH (full version) and not the WHH Light.

> Your version is as strong as the UAC protection of 2 C and 2 D, so allowing ISG (which is similar to SAC) does not weaken it substantially, only increasing usability.

I do not think so. WHH Light (SWH + default WDAC settings) will prevent almost all attacks before the UAC can be triggered.
ISG can help only when something is exploited. But, we have other tools that can prevent or mitigate such rare events (DocumentsAntiExploit, FirewallHardening, ConfigureDefender).
Using ISG cannot increase usability without adding nasty vulnerabilities. These vulnerabilities can be avoided when blocking Desktop, Downloads, removable drives, etc. but then WHHLight is more usable (with Run By SmartScreen).

> You provided us with excellent freebies (H_C, CD, SWH), I really have no idea why you would provide such a complex hybrid hardening.

Is it complex? You have only 3 possible settings. It is probably the simplest application made by me.

> I don't understand the logic behind it (when you allow UAC holes, you might as well add ISG). Normally I can follow you and applaud your tweaks, but you got me lost here.
>
> Don't be offended, but I would propose three levels of protection
> a) Basic (only old SWH)
> b) Smart (as I outlined above)
> c) Deny all (block all in user folders)
>
> With option B and C the user additionally has an option to exclude user folders

The logic is simple.
a) Prevent fileless attacks which are poorly covered by many AVs. Use other tools from the SWHLight package (RunBySmartScreen, DocumentsAntiExploit, FirewallHardening, ConfigureDefender) to support your AV.
b) Extend the protection in a smart way for PE (EXE, DLL, etc.) and MSI files. Do this only if you think that it is necessary or if you use a semi-static setup.
c) Prepare a super-safe setup with a limited set of applications. You can use it in a vulnerable environment.
 

Andy Ful

> ... why did you feel the need to combine stuff?

The hybrid SRP + WDAC is natural in the home environment.
In SRP, it is hard to separately whitelist/blacklist scripts and PE files. At home, the scripts can be blocked almost everywhere. This is not possible for PE and MSI files. So, you need different whitelists for them. This can be done in a simple way by using SRP + WDAC.

> What is wrong with keeping the old style SWH for Windows 11 (used alongside SAC or WDAC) as a separate program?

You can do it with one click in WHHLight. I am only a human, and cannot handle too many applications. So, SWH will probably survive as a part of WHH.

> Offer a new Hybrid hardening (as replacement for H_C) with two modes (for people not having SAC enabled)
>
> Hybrid hardening offers a smart mode and a super safe mode
>
> Smart mode
> 1. Allow Microsoft + ISG (ISG is sort of similar to SAC)
> 2. Explicit allow rules for
> a) Program Files
> b) Program Files (x86)
> c) Users\Admin\AppData
> d) Users\Admin\Local\temp
> 3. Microsoft advised block Rules for User space and kernel
> 4. Exclude dynamic code and scripts (I told you so ;) )

That is my plan (except for ISG and kernel drivers).

> Super safe mode
> 1. Allow Microsoft
> 2. Explicit allow rules for
> a) Program Files
> b) Program Files (x86)
> 3. Microsoft advised block Rules for User space and kernel
>
> Both of these have an option to whitelist user folders

You can get it in a simple way by removing 3 entries from the WDAC Whitelist.
I will not add the policy for kernel drivers. WHHLight is for home administrators. Blocking kernel drivers would require some additional features like scanning for drivers, auditing, etc. Furthermore, Windows 10/11 has some driver protection that is probably sufficient at home.
 
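The "Smart" and "Super safe" allow-lists discussed in the post above, expressed with the built-in ConfigCI cmdlets as an added example; it is not from the thread and is not the policy WHHLight ships. The working folder, the variable names and the exact path rules are assumptions, the Microsoft recommended block rules are left out, and the script only writes XML files without deploying anything.

```powershell
# Added illustration, not WHHLight's own policy. Run in an elevated PowerShell
# on a Windows 10/11 edition that includes the ConfigCI module.
$Mode   = 'Smart'      # 'Smart' or 'SuperSafe' (mode names taken from the thread)
$UseISG = $false       # the option the thread disagrees about
$OutDir = Join-Path $env:TEMP 'wdac-hybrid-demo'   # hypothetical working folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. "Allow Microsoft": the example base policy installed with Windows.
$base = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"

# 2. Explicit allow rules, written as WDAC file path rules.
$paths = @("$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
if ($Mode -eq 'Smart') {
    # User-writable locations: the trade-off debated above. Any EXE, DLL or
    # MSI dropped here is allowed by these rules.
    $paths += "$env:USERPROFILE\AppData\*", "$env:ProgramData\*"
}
$rules     = foreach ($p in $paths) { New-CIPolicyRule -FilePathRule $p }
$pathRules = Join-Path $OutDir 'PathRules.xml'
New-CIPolicy -FilePath $pathRules -Rules $rules -UserPEs | Out-Null

$policy = Join-Path $OutDir "Hybrid-$Mode.xml"
Merge-CIPolicy -PolicyPaths $base, $pathRules -OutputFilePath $policy | Out-Null

# 3. Policy rule options.
Set-RuleOption -FilePath $policy -Option 3            # Enabled:Audit Mode (log only while testing)
Set-RuleOption -FilePath $policy -Option 11           # Disabled:Script Enforcement (scripts left to SRP)
Set-RuleOption -FilePath $policy -Option 19 -Delete   # make sure Enabled:Dynamic Code Security is off
if ($Mode -eq 'Smart') {
    # By default WDAC honours path rules only for admin-writable paths;
    # allowing AppData requires switching that runtime check off.
    Set-RuleOption -FilePath $policy -Option 18       # Disabled:Runtime FilePath Rule Protection
}
if ($UseISG) {
    Set-RuleOption -FilePath $policy -Option 14       # Enabled:Intelligent Security Graph Authorization
}

# 4. Review the result before converting or deploying anything.
$xml = [xml](Get-Content -Path $policy -Raw)
'Options:'
$xml.SiPolicy.Rules.Rule.Option | Sort-Object
'Path rules:'
$xml.SiPolicy.FileRules.Allow | Where-Object FilePath |
    Select-Object -ExpandProperty FilePath
```

Comparing the XML produced with `$Mode = 'SuperSafe'` against `'Smart'` shows the difference the thread argues over: the user-writable path rules and option 18 appear only in the latter.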

Digmor Crusher

I'll admit it is a tad confusing if we are going to have SWH, WHH Light and WHH (is this correct or not, too lazy to go back and re-read the thread), throw in HC and it's getting "crowded". If you are going to keep all 3 applications I would rename them so that each one is totally different from the others, they all sound basically the same now and thus are harder to differentiate. Of course what do I know?
 

ForgottenSeer 97327

> @Max90,
>
> I think that most of your concerns could disappear if you simply tested WHHLight for a week.(y)

I have run WDAC since 2019. I advised to disable dynamic code protection. I also posted that WDAC is easier to use with redundant allows for UAC protected folders. When you loosen up the protection by allowing dynamic code and punching an admin/temp hole in the default deny, it makes more sense to use ISG for usability as well. But I realize you can't win them all, so I thank you for implementing two out of three. ;)
 

Andy Ful

> When you loosen up the protection by allowing dynamic code and punching an admin/temp hole in the default deny, it makes more sense to use ISG for usability as well. But I realize you can't win them all, so I thank you for implementing two out of three. ;)

Yes. It is not possible to safely implement ISG in WHHLight. The safe way would require a more complex application probably something like this:

[Screenshot: 1693651718527.png]

The above settings restrict Desktop & Downloads folders and all non-System drives. The user cannot run anything from these locations without using "Run By Smartscreen". Other locations can be protected by ISG (WDAC). Such a setup can be probably used without whitelisting %ProgramData% and user AppData folders, but then, some applications can be blocked after the installation/update (they can still run in the WHH Light setup).

The advantage of using ISG in a safe way is a slightly more robust setup at the post-exploitation stage at the cost of increasing false positives. One could probably skip other tools (DocumentsAntiExploit, FirewallHardening, ConfigureDefender).
If you skip other tools, then for some users WHH alone can be as usable as WHHLight + tools.
 


ForgottenSeer 97327

> Yes. It is not possible to safely implement ISG in WHHLight. The safe way would require a more complex application probably something like this:
>
> [Screenshot: attachment 278374]
>
> The above settings restrict Desktop & Downloads folders and all non-System drives. The user cannot run anything from these locations without using "Run By Smartscreen". Other locations can be protected by ISG (WDAC). Such a setup can be probably used without whitelisting %ProgramData% and user AppData folders, but then, some applications can be blocked after the installation/update (they can still run in the WHH Light setup).
>
> The advantage of using ISG in a safe way is a slightly more robust setup at the post-exploitation stage at the cost of increasing false positives. One could probably skip other tools (DocumentsAntiExploit, FirewallHardening, ConfigureDefender).
> If you skip other tools, then for some users WHH alone can be as usable as WHHLight + tools.

Andy, you are making it complex to make your point. Also your Polish WDAC version must behave completely different from the US version I am using, because I can't relate this to my experience with the WDAC wizard.

1. Downside you mention that ISG might generate some false positives. That is true but compared to a default deny it does not make sense, a default deny blocks way more.
2. To overcome the default deny restrictions you leave large holes in the setup to facilitate installs/updates. With ISG you don't need those holes so it is more secure.
3. Because ISG is less secure (true) against possible advanced staged DLL attacks you are adding extra restrictions. Which is strange because you already said you would not include dynamic code (like dotNet) restrictions in your setup which by itself creates a DLL attack hole, so I am completely lost (to me you're making a buzz about a small hole and ignoring a large hole on the same topic)
4. ISG might be safer in post-intrusion according to you, but in my setup (to prevent partly succeeded updates and blocking issues) I allow UAC protected folders (which you also do in the default deny), when you add UAC protected folders to the allow list, there is no post intrusion advantage, again I can't follow you

Let's agree to disagree.

Let me again express my gratitude for making available (for free) great software like CD, SWH and H_C. To me you are the champion in making available complex business options of the OS for average PC users. (y)(y)(y)(y)(y) You are a hero and I will stop criticising you on WHH 😥
 

Andy Ful

> Andy, you are making it complex to make your point. Also your Polish WDAC version must behave completely different from the US version I am using, because I can't relate this to my experience with the WDAC wizard.

It is normal that you cannot relate the WDAC used in WHHLight to your experience. Simply, WHHLight uses WDAC in a different way.
Your setup is based on ISG and WHHLight avoids ISG for some reasons.

> 1. Downside you mention that ISG might generate some false positives. That is true but compared to a default deny it does not make sense, a default deny blocks way more.

It does not, because WHHLight is not a default deny, but a smart-default deny similar to ISG. You will see it when using WHHLight. Almost all applications are installed/updated in folders whitelisted by default in WHHLight. Many of them will be blocked by ISG (especially software updates).

> 2. To overcome the default deny restrictions you leave large holes in the setup to facilitate installs/updates. With ISG you don't need those holes so it is more secure.

It is not true. The holes would be important while only using the WDAC restrictions. The WHHLight settings + tools included in the package make these holes negligible at home. Allowing ISG introduces larger holes via DLL hijacking.

> 3. Because ISG is less secure (true) against possible advanced staged DLL attacks you are adding extra restrictions.

The attacks via DLL hijacking are pretty common nowadays and very simple, the extra restrictions are necessary. You clearly underestimate this attack vector.

> Which is strange because you already said you would not include dynamic code (like dotNet) restrictions in your setup which by itself creates a DLL attack hole, so I am completely lost (to me you're making a buzz about a small hole and ignoring a large hole on the same topic)

It is simple. I can skip dynamic code trust verification because in WHH it is only a theoretical problem limited to Microsoft-signed .NET applications. So far, no one found any such vulnerable application. On the contrary, the ISG vulnerability is large and commonly abused in the wild (DLL hijacking). Furthermore, ISG is much more vulnerable to abusing dynamic code, because it will allow all reputable applications (not only Microsoft-signed).

> 4. ISG might be safer in post-intrusion according to you, but in my setup (to prevent partly succeeded updates and blocking issues) I allow UAC protected folders (which you also do in the default deny), when you add UAC protected folders to the allow list, there is no post intrusion advantage, again I can't follow you

The post-intrusion attacks are performed mostly via user AppData or %ProgramData% folders. WHHLight protects these locations for scripts, also when the script is executed with high privileges. But the EXE, DLL, and MSI files are allowed (user AppData and %ProgramData% are on the WDAC Whitelist). The ISG setup can help to block them.

> Let's agree to disagree.

If you will test WHHLight then there will not be any disagreement. I understand that it is not easy to grasp all details without using the application.

> Let me again express my gratitude for making available (for free) great software like CD, SWH and H_C.

Thank you. Your critique and my answers can help others understand how WHHLight (and WHH full version) works.(y)
Let's only remember to avoid repeating the same questions & answers.:)
 
