New Update Testing Windows Hybrid Hardening (new hardening application).

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Since Simple Windows Hardening is discontinued, could you add the option to turn on and off policies as in old SWH.
For example, Allow AppInstaller and SMBv1.

I plan to add such ability in WHH (full version). Does WHHLight block anything on your computer?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
WWHLight installed on the already infected computer.

If one suspects that the computer is infected, then applying WHHLight can help identify the malware. In such a case the user should run WHHLight, switch ON the WDAC, remove all entries from the WDAC Whitelist, and restart Windows. In most cases, the malware uses files dropped for persistence in the UserSpace. These files (EXE, DLL, scripts, etc.) will be blocked. The blocked events can be seen via the < Events > blue buttons in WHHLight.

Here are some examples:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
A PowerShell script used by Lenovo Vantage.
Lenovo Vantage contains some add-ins that use PowerShell scripts. These add-ins will be blocked by the SWH option.
You must temporarily switch OFF SWH, if you need those add-ins to work.
Did you notice any useful function that could not work?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
WWHLight installed on the already infected computer.

If one suspects that the computer is infected, then applying WHHLight can help identify the malware. In such a case the user should run WHHLight, switch ON the WDAC, remove all entries from the WDAC Whitelist, and restart Windows. In most cases, the malware uses files dropped for persistence in the UserSpace. These files (EXE, DLL, scripts, etc.) will be blocked. The blocked events can be seen via the < Events > blue buttons in WHHLight.

Here are some examples:

It seems that the below WDAC Whitelist can be used to identify/block malware on the already infected computer.

1694777282182.png


Most malware stores the files for persistence in the user AppData or %ProgramData% folders and avoids AppData\Local\Temp .
All examples from my previous post could be blocked after Windows restart. It is a very easy and fast method to identify malware on computers that normally do not use the WHHLight package.
 
Last edited:

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
If I toggle the top most slider to OFF, can I use my own SRP ? I like to forbid Powershell and cmd till I really need to use them.

I would like to request 2 black list option boxes, one for SRP and one for WDAC; to be added to WHH. I am dealing with my 'red team', and they don't use malware; not ones commonly detectable by anti-malware anyways, And I need to disable their favorite Windows native tools as revealed by Comodo's OpenEDR.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
If I toggle the top most slider to OFF, can I use my own SRP ? I like to forbid Powershell and cmd till I really need to use them.

You cannot.
You can forbid PowerShell and CMD by using Windows built-in Exploit Protection. This can be easily done via the Security Center or by a simple reg tweak.
Anyway, the PowerShell and CMD are already highly restricted in WHHLight, as you can see in my post:
https://malwaretips.com/threads/tes...new-hardening-application.125082/post-1057489

... I need to disable their favorite Windows native tools as revealed by Comodo's OpenEDR.

Which tools?
 
Last edited:
F

ForgottenSeer 97327

@Andy Ful

Ah the old DLL Hijack case study again. :) With the very unrealistic scenario on how an ISO file is teleported on the PC and a fabricated LNK is used to execute CMD. Easy to prevent by blocking CMD as a lolbin or protecting LNK or blocking execution in archivers (e.g. with the ecellent Hard_Cofigurator) or blocking file extensions from archivers (e.g with the smart and problem free SimpleWindowsHardening). Quick fixes you certainly must recognize ;)

I am not going into the WHH discussion again, took me ages to get three YES out of you. For people not understading where we were talking about the "your DLL hole is bigger than my DLL hole" must have been hilarisch to read in the WHH thread. I think it is safe to say that Andy and I agree for 95% on the subjects we discuss, but we disagree passionately on the remaining 5%. ***

So I will stick to my advice: WDAC-ISG (with H_C in WSH mode blocking lolbins) is an excellent alternative to SAC for people who are unable to use SAC (e.g. Windows10 or disabled SAC in Windows11 after evaluation). I did not tell people to use WDAC-ISG instead of SAC. I literally posted that "WDAC-ISG is the slightly dumber but more controllable and configurable sibling of SAC". When you run into a problems with SAC, using the WDAC wizzard you can make exceptions to make WDAC-ISG work where SAC does not have any options other than to turn it off.


Note ***
I think it is a pity you choose to combine SWH with WDAC in block mode in WHH, I had hoped you would have combined WDAC-ISG with H_C in SWH mode blocking LoLbins also. Kind of ironic that we disagree in thread A and in thread B, but in thread B you provide a case study which could have made us agree in thread A ;)
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
The post above (made by @Max90) was moved from another thread:

@Max90
Please do not be disappointed.:)
I already said that both SAC and your "WDAC + ISG" setup can be good protection at home.

It is true that adding SWH to "WDAC + ISG" can (currently) prevent most DLL hijacking attacks that could be missed by "WDAC + ISG". I do not think that such a setup is (currently) worse than WHHLight.

My concerns are of different types:
  1. SWH + WDAC + ISG can be mostly reproduced by WHHLight (WDAC OFF) + ConfigureDefender (MAX)
  2. ISG requires Microsoft Defender - WHHLight does not.
  3. ISG will block many software auto-updates - WHHLight will not.
The point 3 is very important to me as a developer. A few days ago I made some tests with ISG on executables/applications/installers executed from the user Temp folder without MOTW (auto-updates do not have MOTW):
  1. About 40% of them were (partially) blocked by ISG in the user Temp folder.
  2. About 30% of applications could not be uninstalled (blocked by ISG in the user Temp folder).
I do not try to convince you that you should use WHHLight because it will be a better solution for you. But, having in mind my concerns, I cannot see sufficient reasons to implement ISG in WHHLight.

I think that I fully explained my concerns, so I will not continue this topic for a while (until additional tests will be made).

Post edited.
 
Last edited:
F

ForgottenSeer 97327

@Andy Ful two questions

1. Did you use ISG with explicit allows for programs files in your test? I also have tested ISG, but only with 10 programs maximum and ISG allowed all.
2. Microsoft says WDAC works with any thrid-party security solution. Where did you read that when ISG enabled Microsoft Defender is required as AV?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
@Andy Ful two questions

1. Did you use ISG with explicit allows for programs files in your test?
Yes.

2. Microsoft says WDAC works with any thrid-party security solution. Where did you read that when ISG enabled Microsoft Defender is required as AV?

Testing ISG was not easy. I tested it as follows:
  1. Prepared over 150 executables/installers/portable applications on the flash drive (FAT 32), that were never executed on my computer with active WDAC ISG.
    Keeping the executables on FAT 32 flash drive removes any MOTW.
  2. Turned OFF Microsoft Defender real-time protection, Cloud-delivered protection, and Automatic sample submission.
  3. Executed files from the flash drive - almost all were blocked (~ 95%).
  4. Turned ON Microsoft Defender.
  5. Restarted the computer.
  6. Executed files again - about 60% were allowed.
  7. Turned OFF Microsoft Defender real-time protection, Cloud-delivered protection, and Automatic sample submission (like in point 2).
  8. Restarted the computer.
  9. Executed files again - about 60% were allowed, despite the fact that Microsoft Defender was disabled.
Conclusion.
If the file were successfully executed with ISG and Microsoft Defender, this is somehow remembered in the system (at least for some time).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
My concerns are of different types:
  1. SWH + WDAC + ISG can be mostly reproduced by WHHLight (WDAC OFF) + ConfigureDefender (MAX)
  2. ISG requires Microsoft Defender - WHHLight does not.
  3. ISG will block many software auto-updates - WHHLight will not.

I edited my post by removing points 2 and 3. They were based on false logic.:sleep:
Although ISG requires MS Defender (as my test can suggest) to work properly, WDAC + ISG works the same as WHHLight when MS Defender is disabled (files are simply blocked if not whitelisted).
In the ISG setup, one can whitelist the same folders as in WHHLight and avoid blocking auto-updates.

Post edited.
Point 2 should look as follows:
ISG can work differently whether Defender is the primary AV or 3rd party AV is installed. WHHLight will work in the same way, no matter which AV is installed.
 
Last edited:
F

ForgottenSeer 97327

I edited my post by removing points 2 and 3. They were based on false logic.:sleep:
Although ISG requires MS Defender (as my test can suggest) to work properly, WDAC + ISG works the same as WHHLight when MS Defender is disabled (files are simply blocked if not whitelisted).
In the ISG setup, one can whitelist the same folders as in WHHLight and avoid blocking auto-updates.

Post edited.
Point 2 should look as follows:
ISG can work differently whether Defender is the primary AV or 3rd party AV is installed. WHHLight will work in the same way, no matter which AV is installed.
:) Okay

Point 1 provides similar protection (MD at max cloud protection level)

Microsoft says SAC+MD@max+SmartScreen+ISG share the same backend, but ISG is the backend with an ISG-API to be used with third-party security.

Smartscreen and SAC are home user layers around this AI-neural network. So in theory the good-bad levels (e.g. like with VoodooShield) could be adjusted differently for home use to block less.

Thanks for explaining how you tested ISG: but results differ so much from mine, could you repeat the test without Defender but with enabling the AppIDservice (as Microsoft advises).
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
... could you repeat the test without Defender but with enabling the AppIDservice (as Microsoft advises).

It is enabled all the time.

1695139613553.png


I found out that when MS Defender is working then ISG requires Cloud-delivered protection.
That is why in my test almost everything was blocked with disabled Defender.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
I installed Avast and repeated the same test. It looks like Avast uses ISG API because the results were the same as with MS Defender (Cloud-delivered protection enabled). Installation of Avast did not stop the services required by ISG. I did not test other AVs.
After uninstalling Avast I noticed that the services required by ISG has been stopped.


Edit.
The ISG tests require using a Virtual Machine. Each test must be done on the fresh snapshot. This is required because when the file has been successfully executed in one test, the result is stored in the system and the file will be allowed also in another test (even if it would be normally blocked).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
With the AppIDservice enabled and explicit allow rules for Windows and ProgramFiles (also x86) folders in combination with H_C in SWH mode plus lolbins blocked (enhanced).

But I only tested around 10 programs, not as many as Andy.

If you will send me the links to the tested installers, I can test them against my ISG policy. (y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top