New Update Testing Windows Hybrid Hardening (new hardening application).

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,256
WHH looks interesting, as the new simple windows hardening is getting more complicated, WHH will be really simple windows hardening :D
Now we had SWH as easy option and HC as a powerusers option.
How do you see WHH?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
When we looked at the application's features, we have:

SWH (old) < WHH < SWH (new)

This can be somewhat misguiding. It would be better to rename the applications:

SWH < WHH_light < WHH

The WHH from this thread will be renamed to WHH light version. So, SWH will be discontinued as a separate application and will survive as part of WHH_light and WHH.
The default configuration of WHH_light will be similar to the SWH settings (the SWH switch = ON, WDAC switch = OFF).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
WindowsHybridHardening Light ver. 1.0.0.0.:

This is the first version, so it is recommendable to run the application on the Virtual Machine.

Problems can arise from the AVs, which can tamper with WHH Light. For example, before submitting false positives, Microsoft Defender detected WHH as the malware (3 different behavior-based detections). After my submission, the detections were removed, but the application was still blocked by ASR rules.
Currently (after some negotiations with Microsoft) the application is accepted by:
  • SmartScreen and PUA protection (in Edge and Defender),
  • Smart App Control,
  • ASR rules (except a single rule related to running from USB).
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,256
The WHHLight_Package_1000.exe was quarantined by F-Secure.
After reporting it to F-Secure, it got an safe verdict and was advised to restore it from quarantine.
Running it now with SWH and WDAC enabled.
Got 2 WDAC EXE/DLL blocks:
Event[9]:
Event Id = 3077
Local Time: 2023/08/17 09:06:31
Attempted Path = \Device\HarddiskVolume3\Users\Gandalf\Downloads\Software\PatchMyPC\PatchMyPC.exe
Parent Process = \Device\HarddiskVolume3\Windows\explorer.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}
This one is solved by adding the folder Users\Gandalf\Downloads\Software to the Whitelist.
Event[0]:
Event Id = 3077
Local Time: 2023/08/17 09:36:39
Attempted Path = \Device\HarddiskVolume3\Windows\System32\wbem\WMIC.exe
Parent Process = \Device\HarddiskVolume3\Program Files\WindowsApps\38002AlexanderFrangos.TwinkleTray_1.15.4.0_x64__m7qx9dzpwqaze\app\Twinkle Tray.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}
I don't know how to solve this one.
The program TwinkleTray uses WMIC.exe to control the brightness of my external monitor.
Any ideas?
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108
Testing here too on Windows 11 (SAC disabled by MS, no ASR rules...)
WindowsHybridHardening Light: SWH and WDAC enabled, no issues via manually whitelisting EXCEPT one block related to Windows-Firewall-Control (Binisoft/Malwarebytes). wfc.exe is still blocked, when trying to execute via "Run by Smart Screen" shows the following message:

WHH#1.png

WDAC blocked events for EXE and DLL files

Event[0]:
Event Id = 3077
Local Time: 2023/08/17 10:27:47
Attempted Path = \Device\HarddiskVolume3\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe
Parent Process = \Device\HarddiskVolume3\Windows\explorer.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Testing here too on Windows 11 (SAC disabled by MS, no ASR rules...)
WindowsHybridHardening Light: SWH and WDAC enabled, no issues via manually whitelisting EXCEPT one block related to Windows-Firewall-Control (Binisoft/Malwarebytes). wfc.exe is still blocked, when trying to execute via "Run by Smart Screen" shows the following message:

View attachment 277906

Was the file a shortcut? This alert comes up when one tries to run the shortcut to the application via RunBySmartscreen, and the shortcut uses CMDLines.
In this case, running the application via RunBySmartscreen will not help because the target application is blocked anyway in %ProgramFiles%.

WDAC blocked events for EXE and DLL files

Event[0]:
Event Id = 3077
Local Time: 2023/08/17 10:27:47
Attempted Path = \Device\HarddiskVolume3\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe
Parent Process = \Device\HarddiskVolume3\Windows\explorer.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}

Did you remove the folder "c:\Program Files" from the WDAC Whitelist? In default WDAC settings, the %ProgramFiles% folder is whitelisted, so this block should not happen. WDAC recognized the location "c:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe" as writable (unsafe) and blocked execution.
You must whitelist the folder:
c:\Program Files\Malwarebytes\Windows Firewall Control
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Event[0]:
Event Id = 3077
Local Time: 2023/08/17 09:36:39
Attempted Path = \Device\HarddiskVolume3\Windows\System32\wbem\WMIC.exe
Parent Process = \Device\HarddiskVolume3\Program Files\WindowsApps\38002AlexanderFrangos.TwinkleTray_1.15.4.0_x64__m7qx9dzpwqaze\app\Twinkle Tray.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}

I don't know how to solve this one.
The program TwinkleTray uses WMIC.exe to control the brightness of my external monitor.
Any ideas?

The LOLBin WMIC.exe was commonly used in attacks and can be used to bypass WDAC. Microsoft added it to the LOLBin BlockList. The LOLBins from the BlockList cannot be whitelisted. In your case, there is no problem because you do not need WDAC protection. If the computer would be used by an inexperienced person, then I would suggest changing TwinkleTray to another application that works with blocked WMIC.
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108
Was the file a shortcut? This alert comes up when one tries to run the shortcut to the application via RunBySmartscreen, and the shortcut uses CMDLines.
In this case, running the application via RunBySmartscreen will not help because the target application is blocked anyway in %ProgramFiles%.
Yes this block was from the shortcut of WFC. I tried just for testing purposes what WDAC alert will be displayed ;)

Did you remove the folder "c:\Program Files" from the WDAC Whitelist? In default WDAC settings, the %ProgramFiles% folder is whitelisted, so this block should not happen. WDAC recognized the location "c:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe" as writable (unsafe) and blocked execution.
You must whitelist the folder:
c:\Program Files\Malwarebytes\Windows Firewall Control
My changed whitelist has both locations of Program Files and ProgramData. But the block does happen even when executed wfc.exe from location Program Files, 2nd screenshot shows the block with information...

WL.pngwl new.png
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108
What might be an issue, I have installed the new pre-release Windows Firewall Control 6.9.3.0 The developer may changed something in the software what WDAC does block 🤷‍♂️
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
...
My changed whitelist has both locations of Program Files and ProgramData. But the block does happen even when executed wfc.exe from location Program Files, ...

Yes. The issue is due to the Deny rule on the Microsoft BlockList:
<Deny ID="ID_DENY_WFC_0" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />

This rule blocks all executables named wfc.exe executed from any location. I will think if it is possible to improve the BlockList by adding also Microsoft as a publisher.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top