Testing Windows Hybrid Hardening (new hardening application).
<blockquote data-quote="Andy Ful" data-source="post: 1056034" data-attributes="member: 32260"><p>Yes. This can be an interesting setup. Let's name it SWH + ISG for short. I will show that:</p><p></p><p><strong><span style="font-size: 18px"><span style="color: rgb(0, 168, 133)">SWH + ISG</span> </span><span style="font-size: 22px">~ </span><span style="font-size: 18px"><span style="color: rgb(41, 105, 176)">SWH + ConfigureDefender</span> </span></strong>(Max settings).</p><ul> <li data-xf-list-type="ul"><span style="color: rgb(184, 49, 47)">Both can be bypassed via DLL hijacking (files downloaded from the Internet).</span></li> <li data-xf-list-type="ul"><span style="color: rgb(0, 168, 133)">The first can block DLL hijacking via USB drives.</span></li> <li data-xf-list-type="ul"><span style="color: rgb(41, 105, 176)">The second can block EXE malware dropped to user AppData (reputation-prevalence ASR rule).</span></li> <li data-xf-list-type="ul"><span style="color: rgb(184, 49, 47)">Both can be bypassed when the EXE or DLL is loaded dynamically.</span></li> <li data-xf-list-type="ul"><span style="color: rgb(0, 168, 133)">The first can block the post-exploitation attacks when DLLs are run via LOLBins, but most of these attacks can be prevented by SWH.</span><br /> <span style="color: rgb(41, 105, 176)">The second config can prevent most such attacks by SWH, or ASR rules related to MS Office.</span></li> <li data-xf-list-type="ul"><span style="color: rgb(41, 105, 176)">The second will block the installation of malicious and vulnerable drivers via the ASR rule (the first can block vulnerable drivers).</span></li> <li data-xf-list-type="ul"><span style="color: rgb(0, 168, 133)">The first will block malware even without an Internet connection (can be important in businesses).</span></li> <li data-xf-list-type="ul"><strong>Other differences are very rare in the wild. Many attacks will be prevented by SWH.</strong></li> </ul><p>It is worth mentioning that WDAC ISG and ConfigureDefender work when Defender is the main AV. Furthermore, two ASR rules (for USB and the reputation-prevalence rule) use ISG for EXE files (without a WDAC policy). <span style="color: rgb(0, 168, 133)">The main advantage of ISG over ASR rules is that ISG can also block DLLs.</span></p><p></p><p>From the comparison, it follows that both configurations can cover mostly the same attack surface (with some advantage of the second in the home environment). If we remove the user AppData from the WDAC whitelist, then there can be a small advantage of the first config.</p><p></p><p>As I noted in my earlier post, this kind of setup can be easily configured by running WHH without custom changes and setting ConfigureDefender to MAX.</p><p></p><p>Edit.</p><p>The SWH + ISG setup with the whitelisted user AppData folder will produce a smaller number of false positives, especially for software auto-updates.</p><p>This can be partially solved in the second setup by setting the reputation-prevalence ASR rule to WARN.</p></blockquote><p></p>
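The post's closing suggestion for the second setup is to switch the reputation-prevalence ASR rule from Block to WARN so that auto-updaters produce fewer false positives. The PowerShell below is an added example, not code from the post or from the Hard_Configurator/WHH project: it reads the rule's current state from Microsoft Defender, changes it to Warn, and reads it back. It assumes Defender is the active AV and the session is elevated; the GUID is the documented ID of the rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", and the function name Get-AsrRuleState is mine.

```powershell
# Added example (not the post's or project's code). Requires an elevated PowerShell
# on Windows 10/11 with Microsoft Defender as the active AV.

# Documented GUID of the reputation-prevalence ASR rule.
$RepPrevRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Action codes as returned by Get-MpPreference (Enabled = Block).
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: returns the configured action name for one ASR rule,
# or 'NotConfigured' if the rule is not present in the preference lists.
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$acts[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

"Before: $(Get-AsrRuleState -RuleId $RepPrevRule)"

# Add-MpPreference adds the rule if it is missing and updates the action if it
# is already configured; Warn keeps a user-overridable prompt instead of a hard block.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RepPrevRule `
                 -AttackSurfaceReductionRules_Actions Warn

"After:  $(Get-AsrRuleState -RuleId $RepPrevRule)"
```

If a management tool (Intune, Group Policy) owns ASR settings, the local change is overwritten on the next policy refresh, so the state read back after the change is the value to trust, not the command's silent return.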