- Apr 24, 2016
Same here. Just to inform, all my reported "blocks" are solved now since the new WHHL version 1.0.0.2.
Since Simple Windows Hardening is discontinued, could you add the option to turn policies on and off as in the old SWH?
For example, Allow AppInstaller and SMBv1.
I plan to add such ability in WHH (full version). Does WHHLight block anything on your computer?
A PowerShell script used by Lenovo Vantage. Lenovo Vantage contains some add-ins that use PowerShell scripts. These add-ins will be blocked by the SWH option.
WHHLight installed on an already infected computer.
If one suspects that the computer is infected, then applying WHHLight can help identify the malware. In such a case the user should run WHHLight, switch ON the WDAC, remove all entries from the WDAC Whitelist, and restart Windows. In most cases, the malware uses files dropped for persistence in the UserSpace. These files (EXE, DLL, scripts, etc.) will be blocked. The blocked events can be seen via the <Events> blue buttons in WHHLight.
Here are some examples:
- App Review - A Raccoon Stealer Quick Dance (malwaretips.com)
- Can You Trust a File's Digital Signature? New Zloader Campaign exploits Microsoft's Signature Verification putting users at risk - Check Point Research (research.checkpoint.com)
- APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research (research.checkpoint.com)
- "Gootloader" expands its payload delivery options (news.sophos.com)
- New Threat Campaign: AsyncRAT Introduces a New Delivery Technique (blog.morphisec.com)
- SolarMarker campaign used novel registry changes to establish persistence (news.sophos.com)
- SunSeed Malware Targets Refugees & EU Government | Proofpoint US (www.proofpoint.com)
- Qakbot injects itself into the middle of your conversations (news.sophos.com)
- Vidar Malware Launcher Concealed in Help File | Trustwave (www.trustwave.com)
- THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (www.cybereason.com)
- Gootloader - Red Canary Threat Detection Report (redcanary.com)
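The post above says that after enforcement is switched on, the files malware dropped into user-writable locations show up as blocked events. The following PowerShell script is an added example, not part of WHHLight or Andy Ful's code: it reads the same Windows event logs that a WDAC deployment writes to and lists the blocked files that sit outside the Windows and Program Files trees. It assumes the log names and event IDs shown in the comments (3077 for an enforced Code Integrity block, 8029 for a WDAC script/MSI block) and the event data field names FileNameBuffer and FilePath; the "user space" heuristic and the -Hours parameter are this example's own choices.

```powershell
# Added example (not WHHLight's own code): list files that an enforced WDAC policy blocked,
# so a user can review them after enabling enforcement on a machine suspected of infection.
#   3077 in Microsoft-Windows-CodeIntegrity/Operational  = EXE/DLL/driver blocked (assumed field: FileNameBuffer)
#   8029 in Microsoft-Windows-AppLocker/MSI and Script  = script/MSI blocked      (assumed field: FilePath)
param([int]$Hours = 24)   # look-back window; example's own parameter

$since = (Get-Date).AddHours(-$Hours)

# Heuristic for "UserSpace" as the thread uses the term: anything that is not under
# \Windows\ or \Program Files[ (x86)]\. Code Integrity logs NT device paths
# (\Device\HarddiskVolumeN\...), so match on the directory names rather than a drive letter.
function Test-UserSpacePath {
    param([string]$Path)
    return -not ($Path -imatch '\\(Windows|Program Files( \(x86\))?)\\')
}

# Pull the path out of the event's XML; the field name differs between the two providers.
function Get-BlockedFilePath {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    foreach ($field in @('FileNameBuffer', 'FilePath')) {
        $data = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $field }
        if ($data -and $data.'#text') { return $data.'#text' }
    }
    return $null
}

$queries = @(
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8029; StartTime = $since }
)

$blocked = foreach ($q in $queries) {
    # Get-WinEvent raises an error (not an empty result) when nothing matches; suppress that.
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
        $path = Get-BlockedFilePath -Event $_
        if ($path -and (Test-UserSpacePath -Path $path)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Path    = $path
            }
        }
    }
}

if (-not $blocked) {
    Write-Host "No user-space WDAC blocks recorded in the last $Hours hour(s)."
    return
}

# One row per blocked file with hit count and first/last time seen: repeated blocks of the
# same file from a startup folder, scheduled task or Run key are the persistence pattern
# the post describes.
$blocked |
    Group-Object Path |
    ForEach-Object {
        [pscustomobject]@{
            Hits      = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            LastSeen  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            EventId   = ($_.Group | Select-Object -First 1).EventId
            Path      = $_.Name
        }
    } |
    Sort-Object Hits -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt (reading the Code Integrity operational log needs administrator rights). A file that is blocked again on every logon, and that lives under a user profile, ProgramData or Temp, is what the post means by a dropped persistence file and is worth submitting to a scanner before anything is whitelisted.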
If I toggle the topmost slider to OFF, can I use my own SRP? I like to forbid PowerShell and cmd till I really need to use them.
... I need to disable their favorite Windows native tools as revealed by Comodo's OpenEDR.
Yes.
2. Microsoft says WDAC works with any third-party security solution. Where did you read that when ISG enabled Microsoft Defender is required as AV?
My concerns are of different types:
- SWH + WDAC + ISG can be mostly reproduced by WHHLight (WDAC OFF) + ConfigureDefender (MAX)
ISG requires Microsoft Defender - WHHLight does not.
ISG will block many software auto-updates - WHHLight will not.
Okay. I edited my post by removing points 2 and 3. They were based on false logic.
Although ISG requires MS Defender (as my test can suggest) to work properly, WDAC + ISG works the same as WHHLight when MS Defender is disabled (files are simply blocked if not whitelisted).
In the ISG setup, one can whitelist the same folders as in WHHLight and avoid blocking auto-updates.
Post edited.
Point 2 should look as follows:
ISG can work differently whether Defender is the primary AV or 3rd party AV is installed. WHHLight will work in the same way, no matter which AV is installed.
How did you test ISG? Maybe it would help Andy Ful to see what is the difference between your/his results. //Edit for typo.
With the AppIDservice enabled and explicit allow rules for Windows and ProgramFiles (also x86) folders in combination with H_C in SWH mode plus lolbins blocked (enhanced). But I only tested around 10 programs, not as many as Andy.
Thanks for explaining how you tested ISG, but the results differ so much from mine; could you repeat the test without Defender but with the AppIDservice enabled (as Microsoft advises)?