New Update Testing Windows Hybrid Hardening (new hardening application).

vtqhtr413

I also received an error, WD at default and NeuShield data sentinel.
I just did a clean install, Win 11 home and SAC is still in evaluation mode, I received this message.

Andy Ful

Thread author
I also received an error, WD at default and NeuShield data sentinel.
I just did a clean install, Win 11 home and SAC is still in evaluation mode, I received this message.
These are normal WHH warnings. WHH found and corrected the PolicyScope SRP setting to fit WHH restrictions.
The second alert simply informs that SAC is not OFF. In such a case, WHH enables only the SWH protection (WDAC is disabled in WHH), just like when SAC is ON. Enabled SAC overrides the WDAC in WHH. When SAC turns OFF, just run WHH again.
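An added example, not WHH's code and not part of Andy Ful's post: a PowerShell check that reads the two settings these alerts concern, the SRP PolicyScope/DefaultLevel that WHH corrected and the Smart App Control state, from the registry locations Windows keeps them in. The function names are mine; the registry paths and the value meanings are Microsoft's documented ones.

```powershell
# Added example (not WHH code): read the settings behind the two alerts above.
# Registry paths and value meanings are the documented ones; function names are mine.

function Get-SrpPolicyState {
    # Software Restriction Policies set by policy live under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = $null; PolicyScope = $null }
    }
    $p = Get-ItemProperty -Path $key

    # DefaultLevel: 0x40000 = Unrestricted, 0x20000 = Basic User, 0 = Disallowed.
    $levelCode = $p.DefaultLevel
    $level = if ($null -eq $levelCode) { 'Unrestricted (value not set)' }
             elseif ($levelCode -eq 0x40000) { 'Unrestricted' }
             elseif ($levelCode -eq 0x20000) { 'Basic User' }
             elseif ($levelCode -eq 0) { 'Disallowed' }
             else { 'Unknown (0x{0:X})' -f $levelCode }

    # PolicyScope: 0 = all users including administrators (the default when absent),
    # 1 = all users except local administrators.
    $scopeCode = $p.PolicyScope
    $scope = if ($null -eq $scopeCode -or $scopeCode -eq 0) { 'All users (administrators included)' }
             elseif ($scopeCode -eq 1) { 'All users except local administrators' }
             else { "Unknown ($scopeCode)" }

    [pscustomobject]@{ Configured = $true; DefaultLevel = $level; PolicyScope = $scope }
}

function Get-SmartAppControlState {
    # SAC keeps its mode in VerifiedAndReputablePolicyState: 0 = Off, 1 = On, 2 = Evaluation.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $prop = Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue
    $code = if ($null -eq $prop) { $null } else { $prop.VerifiedAndReputablePolicyState }
    if ($null -eq $code) { return 'Not present (SAC not available on this install)' }
    if ($code -eq 0)     { return 'Off' }
    if ($code -eq 1)     { return 'On' }
    if ($code -eq 2)     { return 'Evaluation' }
    return "Unknown ($code)"
}

function Get-WhhRelevantState {
    # One object with everything the two alerts refer to.
    $srp = Get-SrpPolicyState
    [pscustomobject]@{
        SrpConfigured   = $srp.Configured
        SrpDefaultLevel = $srp.DefaultLevel
        SrpPolicyScope  = $srp.PolicyScope
        SmartAppControl = Get-SmartAppControlState
    }
}

Get-WhhRelevantState | Format-List
```

Run it from an elevated prompt before and after running WHH: the PolicyScope line shows whether the SRP rules apply to administrators too, and the SmartAppControl line shows whether SAC is still in Evaluation, which is the state that makes WHH fall back to SWH-only protection.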
 

Andy Ful

Thread author
Took her for a quick test drive, no issues, other security software is F Secure and Firewall Hardening. I had to whitelist a folder I keep all my portable programs/tools in.

What happens if we move the folder from the desktop to another location?
If the new location is in UserSpace, then you will have to whitelist it.
 

Andy Ful

Thread author
There is still a security warning when attempting to run the exe from Firefox. Also, Sandboxie does not make this eligible for Immediate Recovery, only Quick Recovery when Firefox is closed. I guess Andy Ful will get this signed by Microsoft once he's finished fully developing this program and its Help Files.
:thumb:
I noticed your post on Wilderssecurity.



Such an alert is usually triggered when SmartScreen is disabled in the Security Center. It is a precursor of SmartScreen (also on Windows 7).
Normally, Firefox (unsandboxed) does not show this alert. I did not try Firefox in Sandboxie, so Sandboxie settings can also be the cause of this alert.

For now, WHH is not signed. I will sign it after some months. I must be sure that my digital certificate will not suddenly be connected with a false positive HackTool. :)
 

NormanF


Don't like the folder placed on the desktop; fix the installer so it's placed in the same place to which it's downloaded. Default behaviour prevents people from having a clean desktop.
 

NormanF


Administrators should NEVER be blocked! The whole point of being Administrator is to modify system settings. It's better to block limited accounts to prevent tampering or dangerous changes from being made.
 

Andy Ful

Thread author
Don't like the folder placed on the desktop; fix the installer so it's placed in the same place to which it's downloaded. Default behaviour prevents people from having a clean desktop.
There is no folder on the Desktop - it is a shortcut to the folder. The installer is a container for a few portable tools. In the help, I explained why the tools are placed in that particular folder in %ProgramData%:

 

Andy Ful

Thread author
Administrators should NEVER be blocked! The whole point of being Administrator is to modify system settings.

Home Administrators are not blocked. They can run WHH and switch OFF the protection (without restarting Windows).
Furthermore, most Administrative tasks can be done without switching OFF the protection, because Windows & Microsoft native tools are allowed (except blocked LOLBins).

It's better to block limited accounts to prevent tampering or dangerous changes from being made.

It would be better for many reasons, and it is still possible if someone uses SUA.

I think that there is some misunderstanding about WHH.
  1. WHH is not for Enterprise Administrators but for Home Administrators. The first mostly uses remote management and the second mostly uses physical access.
  2. The WHH restrictions are intended to work also on the computers of users who do not want to use SUA.
  3. The WDAC restrictions cannot be configured to allow Administrators and block others (with some exceptions related to ACL permissions). This can be done when using SRP or AppLocker.
Post edited.
 

Gandalf_The_Grey

I see a block in WDAC blocked events for EXE and DLL files:
Event[0]:
Event Id = 3077
Local Time: 2023/08/17 17:40:28
Attempted Path = \Device\HarddiskVolume3\Windows\System32\WebClnt.dll
Parent Process = \Device\HarddiskVolume3\Windows\System32\svchost.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}
No idea why.
Everything seems to be working fine.
 

Andy Ful

Thread author
I see a block in WDAC blocked events for EXE and DLL files:

No idea why.
Everything seems to be working fine.

Microsoft added it to the BlockList:

<Deny ID="ID_DENY_DAVSVC_0" FriendlyName="BlockWebDAV" FileName="davsvc.dll" MinimumFileVersion="65535.65535.65535.65535" />




In your case, the WebDAV protocol is probably triggered when using MS Office. It allows access to network drives if the server uses WebDAV for this. It is improbable that this could impact your activities, but if you encounter problems with accessing some network resources, then you should inspect whether WebDAV is the source of the issue.
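An added example that is not WHH's code and not part of either post, joining Gandalf_The_Grey's 3077 record with the Deny rule Andy Ful quoted: it parses block records in the text form shown above and checks each blocked file name against the Deny rules of a WDAC policy XML, so "why was this blocked?" is answered from the policy instead of guessed. Both inputs are constructed inline: the record from the thread plus a second, constructed record for davsvc.dll (to show a direct match), and a minimal policy fragment containing the BlockWebDAV rule. The function names are mine; the 65535.65535.65535.65535 convention is Microsoft's.

```powershell
# Added example (not WHH code): match WDAC 3077 block records against Deny rules.
# Sample inputs are constructed; function names are mine.

# Records in the text form shown in the thread. Event[0] is the one posted;
# Event[1] is constructed so that one record hits a FileName Deny rule.
$eventText = @'
Event[0]:
Event Id = 3077
Local Time: 2023/08/17 17:40:28
Attempted Path = \Device\HarddiskVolume3\Windows\System32\WebClnt.dll
Parent Process = \Device\HarddiskVolume3\Windows\System32\svchost.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}
Event[1]:
Event Id = 3077
Local Time: 2023/08/17 17:41:02
Attempted Path = \Device\HarddiskVolume3\Windows\System32\davsvc.dll
Parent Process = \Device\HarddiskVolume3\Windows\System32\svchost.exe
Policy Name = UserSpace Lock
Policy GUID = {a5ee6c14-b6ae-488c-8fc1-9ce316cc2461}
'@

# Minimal (constructed) policy fragment in the WDAC XML schema: the BlockWebDAV
# rule quoted above plus a version-bounded Deny for contrast.
[xml]$policyXml = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_DAVSVC_0" FriendlyName="BlockWebDAV" FileName="davsvc.dll" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_EXAMPLE_1" FriendlyName="ExampleOldVersionsOnly" FileName="example.dll" MinimumFileVersion="1.0.0.0" />
  </FileRules>
</SiPolicy>
'@

function ConvertFrom-CiBlockText {
    param([Parameter(Mandatory)][string]$Text)
    # Split on "Event[n]:" headers; collect "Key = Value" / "Key: Value" lines per record.
    $records = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Event\[\d+\]:') {
            if ($null -ne $current) { $records += [pscustomobject]$current }
            $current = [ordered]@{}
            continue
        }
        if ($null -eq $current) { continue }
        if ($line -match '^\s*(?<k>[^=:]+?)\s*[=:]\s*(?<v>.+)$') {
            $current[$Matches['k'].Trim()] = $Matches['v'].Trim()
        }
    }
    if ($null -ne $current) { $records += [pscustomobject]$current }
    return $records
}

function Find-DenyRule {
    param([Parameter(Mandatory)][xml]$Policy, [Parameter(Mandatory)][string]$AttemptedPath)
    $leaf = ($AttemptedPath -split '[\\/]')[-1]
    $ns = @{ s = 'urn:schemas-microsoft-com:sipolicy' }
    foreach ($hit in (Select-Xml -Xml $Policy -XPath '//s:FileRules/s:Deny' -Namespace $ns)) {
        $r = $hit.Node
        if ($r.FileName -and ($r.FileName -ieq $leaf)) {
            # In a Deny rule, MinimumFileVersion is the highest version still denied, so
            # 65535.65535.65535.65535 (Microsoft's block-list convention) denies every version.
            return [pscustomobject]@{
                RuleId            = $r.ID
                FriendlyName      = $r.FriendlyName
                DeniesAllVersions = ($r.MinimumFileVersion -eq '65535.65535.65535.65535')
            }
        }
    }
    return $null
}

function Get-BlockTriage {
    param([Parameter(Mandatory)][string]$EventText, [Parameter(Mandatory)][xml]$Policy)
    foreach ($e in (ConvertFrom-CiBlockText -Text $EventText)) {
        $rule = Find-DenyRule -Policy $Policy -AttemptedPath $e.'Attempted Path'
        $matched = if ($null -ne $rule) { "$($rule.FriendlyName) ($($rule.RuleId)), all versions: $($rule.DeniesAllVersions)" }
                   else { 'no FileName Deny rule in this policy (check hash/publisher rules or the base policy)' }
        [pscustomobject]@{
            Time        = $e.'Local Time'
            EventId     = $e.'Event Id'
            File        = ($e.'Attempted Path' -split '[\\/]')[-1]
            Parent      = ($e.'Parent Process' -split '[\\/]')[-1]
            Policy      = $e.'Policy Name'
            MatchedRule = $matched
        }
    }
}

Get-BlockTriage -EventText $eventText -Policy $policyXml | Format-Table -AutoSize

# On a live system the same records come from the Code Integrity log
# (3076 = audit-mode "would have blocked", 3077 = enforced block):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } -MaxEvents 50
```

With these inputs the davsvc.dll record reports BlockWebDAV with all versions denied, while the WebClnt.dll record from the thread reports no FileName rule in this fragment; that second outcome is the useful one in practice, because it tells you the block comes from somewhere other than a plain file-name Deny and narrows where to look in the full policy.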
 

NormanF

Microsoft added it to the BlockList:

<Deny ID="ID_DENY_DAVSVC_0" FriendlyName="BlockWebDAV" FileName="davsvc.dll" MinimumFileVersion="65535.65535.65535.65535" />



In your case, the WebDAV protocol is probably triggered when using MS Office. It allows access to network drives if the server uses WebDAV for this. It is improbable that this could impact your activities, but if you encounter problems with accessing some network resources, then you should inspect whether WebDAV is the source of the issue.

A legitimate DLL that can be abused by malware. If you really need it, you could exclude it. It's safe if it remains blocked.
 

Andy Ful

Thread author
WFC nothing more.

Update: Everything is working, but WFC was blocked even after whitelisting the folder. The WDAC policies are similar to having SAC on, I think. :)
They are different. The user who runs an executable with SAC protection can miss more digitally signed malware than after applying WHH + WDAC (RunBySmartscreen).
WHH + WDAC (default Whitelist) is more preventive as compared to WHH + SAC. But, the setup with SAC is more robust when the system is exploited.
The differences become smaller when using other tools (DocumentsAntiExploit, FirewallHardening, and ConfigureDefender).

The super-safe setup (WDAC with empty Whitelist) is stronger than SAC, because it will prevent running almost all digitally signed malware in the wild.
 

Andy Ful

Thread author
Digmor Crusher, NormanF

When applying WDAC with %LocalAppData%\Temp on the Whitelist (c:\Users\user_name\AppData\Local\Temp), the folder with portable standalone applications (one application = one executable) can be moved anywhere (even to a flash drive) without whitelisting. But then, one has to use the "Run By SmartScreen" option from the Explorer context menu to run those applications.
When the portable application contains several PE files (EXE, DLL, etc.), then the application folder has to be whitelisted, or the %ProgramData% folder can be used as I explained in the help:

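An added example, not WHH's code and not part of the post above: a PowerShell check that tells whether a portable-application folder is the "one application = one executable" case (runnable through Run By SmartScreen from a whitelisted Temp) or contains several PE files and so needs its folder whitelisted. PE files are recognised by their MZ header rather than by extension, because a renamed DLL is still an executable image. The function names and the folder path passed at the end are mine (the path is a placeholder).

```powershell
# Added example (not WHH code): count the PE files in a portable-app folder to decide
# whether the single-executable rule applies. Function names are mine.

function Get-PortableAppPeFiles {
    param([Parameter(Mandatory)][string]$Path)
    # A PE image starts with the two bytes 'MZ' (0x4D 0x5A); check content, not extension.
    Get-ChildItem -LiteralPath $Path -File -Recurse | Where-Object {
        $fs = [System.IO.File]::OpenRead($_.FullName)
        try {
            $b = New-Object byte[] 2
            ($fs.Read($b, 0, 2) -eq 2) -and ($b[0] -eq 0x4D) -and ($b[1] -eq 0x5A)
        } finally {
            $fs.Dispose()
        }
    }
}

function Test-PortableAppNeedsWhitelist {
    param([Parameter(Mandatory)][string]$Path)
    $pe = @(Get-PortableAppPeFiles -Path $Path)
    [pscustomobject]@{
        Folder         = $Path
        PeFileCount    = $pe.Count
        PeFiles        = ($pe.Name -join ', ')
        # One EXE on its own can be started with "Run By SmartScreen" from a whitelisted
        # Temp; several PE files mean the folder itself has to be whitelisted.
        NeedsWhitelist = ($pe.Count -gt 1)
    }
}

# Placeholder folder; point it at the portable application you want to check.
Test-PortableAppNeedsWhitelist -Path 'C:\Users\user_name\Tools\MyPortableApp' | Format-List
```

Files shorter than two bytes are skipped by the length check on Read, and the recursive listing catches helper DLLs kept in subfolders, which is usually what turns a "single executable" tool into one that needs its folder whitelisted.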
 
