Advanced Plus Security Thaumiel's Windows Security 2020

Last updated
May 21, 2020
About
Personal, primary device
Desktop OS
Windows 10
Login security
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Microsoft account
Primary user
Standard user - Limited permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Real-time protection
All Laptops: OS Hardening, Norton Security Online (Xfinity build) v. 22.20.2.57, HardConfigurator
Linux VM for Banking: MX Linux clean snapshot environment with Firefox for online banking and other sensitive tasks
Software firewall
Provided by a third-party security vendor. Refer to 'Real-time protection' for details.
Custom RTP, Firewall and OS settings
OS Hardening
  • Some tweaks enabled from SysHardener to disable network enumeration protocols and services.
  • Some tips from www.HardenWindows10ForSecurity.com (some Windows features, settings, registry, and services modified or disabled).
Norton Security Online (Xfinity build) v. 22.20.2.57:
  • Antivirus: Boot Time Protection - Aggressive.
  • Firewall: Network Trust - Restricted (to block all inbound connections), Block Traffic for Malicious Applications - Aggressive.
  • Antispam, Backup, and Task Scheduling: disabled.
HardConfigurator v. 5.0.0.0
  • Recommended SRP Settings with exceptions: Whitelist by Hash Rules Added, 60+ filetypes supported (Default, Powershell, and Python), 30+ Sponsors Blocked (LOLbins from Script Interpreters, Enhanced, and Recommended Rules for Windows Defender Application Control)
  • Recommended Restrictions with exceptions: Block Powershell Scripts - Off, Hide ‘Run As Administrator’ - Off/On, Run As Smartscreen - Standard User/Administrator, Disable SMB - ON123, MSI Elevation - On, Disable Elevation on SUA - Off/On. NOTE: Settings of restrictions are different for each laptop.
Malware testing
No malware samples
Periodic security scanners
Norton Power Eraser, Emsisoft Emergency Kit, VT Hash Check (for VirusTotal file reputation), Malwarebytes Anti-Malware
Browsers, Search and Addons
Laptop 1
  • Microsoft “Chromium” Edge (security): uMatrix, Trace, Smart HTTPS, NetCraft
  • Mozilla Firefox (privacy): uMatrix, NetCraft, HTTPZ, Trace, CanvasBlocker, Multi-Account Containers, Temporary Containers.
  • Opera (stable): uMatrix, NetCraft, Trace, Smart HTTPS
Laptop 2
  • Opera: NetCraft, Smart HTTPS.
  • Microsoft “Chromium” Edge (builtin): NetCraft, Smart HTTPS.
Linux VM for Banking
  • Firefox: uMatrix, NetCraft, HTTPZ, Norton Safe Web with Banking Protection enabled.
Maintenance and Cleaning
Uncommon Ones On This Forum: Ditto, Intel Xtreme Tuning Utility, TimerResolution, Prey Anti-Theft, VirtualBox
Miscellaneous: SysHardener
Software Suites: Nirsoft, Sysinternals, Windows Repair Toolbox
Portable Suites: PortableApps, LibreKey, and SyMenu
NOTE: Most of my utilities are on a flash drive associated with the portable suites or standalone provided above.
Personal Files & Photos backup
Google Drive, MEGA, OneDrive, Sync.com, AOMEI Backupper Standard
Personal backup routine
Device recovery & backup
Macrium Reflect Free
Device backup routine
PC activity
  1. PC and cloud gaming. 
  2. Banking. 
  3. Browsing the web. 
  4. Streaming. 
  5. Shared access. 
  6. Browsing to unknown sites. 
  7. Working from home. 
Computer specs
Laptop 1: Acer Predator Helios 300 (2019 model), 16GB RAM, Intel Core i7-9750H CPU @ 2.60 GHz, NVIDIA Geforce GTX 1660 Ti, 500 GB SSD
Laptop 2: HP Notebook 15-f271wm, 4GB RAM, Intel Pentium N3540 Processor @ 2.16 GHz, 256 GB HDD
Personal changelog
Too Long To List: Private Internet Access, Windows Defender Real-Time Protection, Box, Old Microsoft Edge, Malwarebytes Windows Firewall Control, SpyShelter Free, ConfigureDefender, Google Chrome, Wise Disk Cleaner, Box.net, DuckDuckGo Search Engine, Process Hacker, BCUninstaller, RevoUninstaller, CCleaner.
Too Long to List: Panda Dome Free Antivirus, Norton Security Online, Linux VM for Banking, NordVPN, O&O ShutUp10, WPD (Windows Privacy Dashboard), fix-modero-privacy, PortableApps, LibreKey, OneDrive, Sync.com, Windows Hello PIN, Device Specifications, Opera, HTTPZ, Smart HTTPS, Norton Safe Web, Multi-Account Containers, Temporary Containers, VirtualBox.
May 21, 2020 - Replaced Windows Firewall, removed custom rules for Windows Defender Exploit Guard, and Panda Dome Free Antivirus.

SunMan09

This is my config.
Mozilla Software, Google Chrome*, Firefox, Chromium “New” Edge*, Adobe Reader (with Protected View enabled) - Chrome.exe, Firefox.exe, Thunderbird.exe, Seamonkey.exe, Msedge.exe, AcroRd32.exe, AcroRd32Info.exe
  • ACG (off)*
  • BLII (on)
  • BRI (on)
  • BUF (off)
  • CIG (off)* - loading (off). This setting can be turned ON if you use ChromEdge; however, don't run it in a 3rd-party sandbox if you do enable it.
  • CFG (on) - Strict (Off)*
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)*
  • Child Process (off)
  • EAF (off)*
  • Mandatory ASLR (on) - Stripped (on)
  • IAF (off)*
  • BottomUp ASLR (on)
  • SimExec (off)*
  • CallerCheck (off)*
  • SEHOP (on)
  • VHU (on)
  • VHI (on)
  • VIDI (on)
  • StackPivot (off)
*Rules from @Umbra

MicrosoftEdge.exe (Old Microsoft Edge) from @Windows_Security
  • Arbitrary code guard (ACG) - ENABLED
  • Block low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard - ENABLED (also Microsoft Store)
  • Control flow guard (CFG) - ENABLED (enforce strict)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls
  • Do not allow child processes
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entropy)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integrity - ENABLED
  • Validate stack integrity (StackPivot)
MicrosoftEdgeCP.exe from @Windows_Security
  • Arbitrary code guard (ACG) - ENABLED (important: allow Thread Opt-Out)
  • Block low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard - ENABLED (also Microsoft Store)
  • Control flow guard (CFG) - ENABLED (important: don't enforce strict)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls
  • Do not allow child processes - ENABLED
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entropy)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integrity - ENABLED
  • Validate stack integrity (StackPivot)
PDFXEdit.exe (PDF-X Change Editor Plus), i_view64.exe (Irfanview)
  • ACG (off)
  • BLII (on)
  • BRI (on)
  • BUF (on)
  • CIG (off) - loading (off)
  • CFG (on) - Strict (off)
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)
  • Child Process (on)
  • EAF (on), Validate (on)
  • Mandatory ASLR (on) - Stripped (on)
  • IAF (on)
  • BottomUp ASLR (on) - High entropy (on)
  • SimExec (on)
  • CallerCheck (on)
  • SEHOP (on)
  • VHU (on)
  • VHI (on)
  • VIDI (on)
  • StackPivot (on)
VLC.exe (VLC Media Player)
  • ACG (on)
  • BLII (on)
  • BRI (on)
  • BUF (on)
  • CIG (off) - loading (off)
  • CFG (on) - Strict (off)
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)
  • Child Process (on)
  • EAF (on), Validate (on)
  • Mandatory ASLR (on) - Stripped (on)
  • IAF (on)
  • BottomUp ASLR (on) - High entropy (on)
  • SimExec (on)
  • CallerCheck (on)
  • SEHOP (on)
  • VHU (on)
  • VHI (on)
  • VIDI (on)
  • StackPivot (on)
Microsoft Office (Excel.exe, Mspub.exe, MsAccess.exe, Onenote.exe, Outlook.exe, Powerpnt.exe, Winword.exe) from @Windows_Security
  • ACG (off)
  • BLII (on)
  • BRI (on)
  • BUF (off)
  • CIG (on) - loading (on)
  • CFG (on) - Strict (off)
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)
  • Child Process (on)
  • EAF (off)
  • Mandatory ASLR (on)
  • IAF (off)
  • BottomUp ASLR (on)
  • SimExec (off)
  • CallerCheck (off)
  • SEHOP (on)
  • VHU (off)
  • VHI (on)
  • VIDI (on)
  • StackPivot (off)
 

SunMan09

Update for 5/15/2020
Removed or Replaced

Private Internet Access, Windows Defender Real-Time Protection, Box, Old Microsoft Edge, Malwarebytes Windows Firewall Control, SpyShelter Free, ConfigureDefender, Google Chrome, Wise Disk Cleaner, Box.net, DuckDuckGo Search Engine, Process Hacker, BCUninstaller, RevoUninstaller, CCleaner.
Added:
Panda Dome Free Antivirus, Norton Security Online, Linux VM for Banking, NordVPN, O&O ShutUp10, WPD (Windows Privacy Dashboard), fix-modero-privacy, PortableApps, LibreKey, OneDrive, Sync.com, Windows Hello PIN, Device Specifications, Opera, HTTPZ, Smart HTTPS, Norton Safe Web, Multi-Account Containers, Temporary Containers, VirtualBox.
 

SunMan09

I found out the Acer Predator Helios 300 is undervolted from the factory by default at -0.125V from the Core Voltage Offset as shown below in the following screenshot. Acer PredatorSense uses Intel Xtreme Utility software and services to manage different profiles for XTU settings as shown in the screenshot below from File Explorer. I installed Intel Xtreme Tuning Utility on my gaming laptop a couple of months ago after getting an unexpected reboot and reading a thread on Acer Predator forums indicating that I should test custom undervolt settings on my computer. I did install the utility as if I was going to make changes to settings but left it the way it was since I did not know what I was doing at the time. I think the default undervolt settings in XTU are relevant for 2019 models but not relevant for older Acer Predator models.
Internet Sources I Used That Helped Me Understand This:

Are there Undervolting Guides for Acer Predator Helios 300 1660ti? - Reddit

Helios 300 (PH315-52) Rebooting at Random - Acer Predator Forums



PerfTune_bxGeH0YWIY.png
PerfTune_fQCtHPI0Wc.png
explorer_yjvXcFrDUN.png
 

Vitali Ortzi


Didn't see it's the 2019 model, almost forgot about it.
One of the best laptops of 2019.
Very few companies use liquid metal and undervolt from the factory!
I hope this trend goes on!
Off topic:
I might finally upgrade to Golden Cove in 2022 (waiting a year for price decrease) or wait till Zen 5, which both seem interesting from leaks.
 

Andy Ful

From Hard_Configurator Tools
Hi @Thaumiel,
The below information about your config:

HardConfigurator v. 5.0.0.0
  • Documents Anti-Exploit, Firewall Hardening, and Run-By-Smartscreen tools enabled.
  • Recommended SRP Settings with exceptions: Whitelist by Hash Rules Added, 60+ filetypes supported (Default, Powershell, and Python), 30+ Sponsors Blocked (LOLbins from Script Interpreters, Enhanced, and Recommended Rules for Windows Defender Application Control)
should be probably updated.
RunBySmartScreen should not be used with the H_C Recommended Settings, except if you have chosen it for some special reason.
 

SunMan09

Removed or Replaced - Update 5-21-2020:
Windows Firewall to Norton Firewall
Windows Defender Exploit Guard to Norton Exploit Protection
Panda Dome Free Antivirus to Norton Security Online
Not Needed
Firewall_Hardening in H_C but it is still configured.

Here are some AVs that are too problematic. I am curious if someone else had something similar:
  • Comodo - gave me registry errors, left modifications in my laptop that were not easy to remove after uninstalling it.
  • AVG and Avast - cause my 4GB laptop to freeze after some web browsing.
  • Qihoo - leaves Windows Defender threat service stopped running automatically after uninstalling it to where I have to clean install or reimage my system just to get Windows Defender back up and running again.
I removed custom rules in Windows Defender Exploit Guard since this creates a conflict with Norton Exploit Protection. Removed Panda Free Antivirus after realizing how weak it truly is.
I updated my Windows Exploit Protection rules since some correction needs to be made after further testing. I specify the Network Trust setting in Norton is set to Restricted which means to block all inbound connections. I specify the restriction settings for HardConfigurator.
 

SunMan09

Panda Dome Free isn't really good.
Look at this Unlimited Giveaway - Symantec Endpoint Unmanaged without time limit
Although it might slow it down.
If it has a slowdown, try replacing the auto protect/proactive components with WiseVector StopX or ConfigureDefender (which you probably already use)

I get Norton free from my Internet service provider, so I do not need to worry about installing Symantec Endpoint Unmanaged client on my system. I do want to install an antivirus that is light on my system. Panda Free Antivirus takes up about between 10-20 MB of RAM and Norton about 20-30 MB, these are least problematic when doing activities on my computers.


Hi @Thaumiel,
The below information about your config:

HardConfigurator v. 5.0.0.0
  • Documents Anti-Exploit, Firewall Hardening, and Run-By-Smartscreen tools enabled.
  • Recommended SRP Settings with exceptions: Whitelist by Hash Rules Added, 60+ filetypes supported (Default, Powershell, and Python), 30+ Sponsors Blocked (LOLbins from Script Interpreters, Enhanced, and Recommended Rules for Windows Defender Application Control)
should be probably updated.
RunBySmartScreen should not be used with the H_C Recommended Settings, except if you have chosen it for some special reason.

I did install and uninstall your Hard_Configurator utility before. It did copy the Document’s Anti-Exploit tool to my Desktop, but I have not configured it differently from Hard_Configurator recommended settings. I only configure the Firewall Hardening tool in Hard_Configurator. I did not use Run-By-Smartscreen as an independent tool.

NOTE:
Google Chrome, Chromium, Microsoft Edge, Adobe Reader (with Protected View enabled) - Chrome, Msedge.exe, AcroRd32.exe, AcroRd32Info.exe

  • ACG (off)
  • BLII (on)
  • BRI (on)
  • BUF (off)
  • CIG (off) - loading (off); If using Microsoft Edge: CIG (on) - loading (on)
  • CFG (on) - Strict (Off)
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)
  • Child Process (off)
  • EAF (off)
  • Mandatory ASLR (on) - Stripped (on)
  • IAF (off)
  • BottomUp ASLR (on)
  • SimExec (off)
  • CallerCheck (off)
  • SEHOP (on)
  • VHU (on)
  • VHI (on)
  • VIDI (on)
  • StackPivot (off)
Mozilla Firefox, Mozilla Thunderbird, Mozilla Seamonkey - Firefox.exe, Thunderbird.exe, Seamonkey.exe

  • ACG (off)
  • BLII (on)
  • BRI (on)
  • BUF (off)
  • CIG (off) - loading (off)
  • CFG (on) - Strict (Off)
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)
  • Child Process (off)
  • EAF (on)
  • Mandatory ASLR (on) - Stripped (on)
  • IAF (on)
  • BottomUp ASLR (on)
  • SimExec (off)
  • CallerCheck (off)
  • SEHOP (on)
  • VHU (on)
  • VHI (on)
  • VIDI (on)
  • StackPivot (off)
MicrosoftEdge.exe (Old Microsoft Edge) from @Windows_Security

  • Arbitrary code guard (ACG) - ENABLED
  • Block low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard - ENABLED (also Microsoft Store)
  • Control flow guard (CFG) - ENABLED (enforce strict)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls
  • Do not allow child processes
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entropy)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integrity - ENABLED
  • Validate stack integrity (StackPivot)
MicrosoftEdgeCP.exe from @Windows_Security

  • Arbitrary code guard (ACG) - ENABLED (important: allow Thread Opt-Out)
  • Block low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard - ENABLED (also Microsoft Store)
  • Control flow guard (CFG) - ENABLED (important: don't enforce strict)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls
  • Do not allow child processes - ENABLED
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entropy)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integrity - ENABLED
  • Validate stack integrity (StackPivot)
Opera.exe (from Hardening Windows 10 for Security)

  • Arbitrary code guard: off
  • Block low integrity images: on
  • Block remote images: on
  • Block untrusted fonts: on
  • Code Integrity guard: off
  • Control flow guard: on
  • Data Execution prevention: on, enforce ATL
  • Disable extension points: on
  • Disable Win32k system calls: off
  • Do not allow child processes: off
  • Export address filtering: on. Validate access for modules: on
  • Force randomization for images: on. Do not allow stripped images: on
  • Import address filtering: on
  • Randomize memory allocation (bottom up ASLR): on
  • Simulate execution (SimExec): on
  • Validate API invocation (CallerCheck): on
  • Validate exception chains (SEHOP): on
  • Validate handle usage: on
  • Validate heap integrity: on
  • Validate image dependency integrity: on
  • Validate stack integrity (StackPivot): on
PDFXEdit.exe (PDF-X Change Editor Plus), i_view64.exe (Irfanview)

  • ACG (off)
  • BLII (on)
  • BRI (on)
  • BUF (on)
  • CIG (off) - loading (off)
  • CFG (on) - Strict (off)
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)
  • Child Process (on)
  • EAF (on), Validate (on)
  • Mandatory ASLR (on) - Stripped (on)
  • IAF (on)
  • BottomUp ASLR (on)
  • SimExec (on)
  • CallerCheck (on)
  • SEHOP (on)
  • VHU (on)
  • VHI (on)
  • VIDI (on)
  • StackPivot (on)
VLC.exe (VLC Media Player)

  • ACG (on)
  • BLII (on)
  • BRI (on)
  • BUF (on)
  • CIG (off) - loading (off)
  • CFG (on) - Strict (off)
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)
  • Child Process (on)
  • EAF (on), Validate (on)
  • Mandatory ASLR (on) - Stripped (on)
  • IAF (on)
  • BottomUp ASLR (on)
  • SimExec (on)
  • CallerCheck (on)
  • SEHOP (on)
  • VHU (on)
  • VHI (on)
  • VIDI (on)
  • StackPivot (on)
Microsoft Office (Excel.exe, excelenv.exe, Mspub.exe, MsAccess.exe, Onenote.exe, onenotem.exe, Outlook.exe, Powerpnt.exe, Winword.exe) from @Windows_Security

  • ACG (off)
  • BLII (on)
  • BRI (on)
  • BUF (off)
  • CIG (on) - loading (on)
  • CFG (on) - Strict (off)
  • DEP (on) - ATL (on)
  • Dextp (on)
  • Win32k (off)
  • Child Process (on)
  • EAF (off)
  • Mandatory ASLR (on)
  • IAF (off)
  • BottomUp ASLR (on)
  • SimExec (off)
  • CallerCheck (off)
  • SEHOP (on)
  • VHU (off)
  • VHI (on)
  • VIDI (on)
  • StackPivot (off)
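
The VLC.exe profile from the post above, written out as `Set-ProcessMitigation` arguments with a backup step and a read-back. This is an added example, not part of the original post or of any tool named in the thread; the mapping from the post's shorthand to cmdlet flags is this example's reading of it, and the backup path is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): apply the VLC.exe Exploit Protection
# profile listed in the post, then read the stored settings back.
# The shorthand-to-flag mapping in the comments is an assumption of this example.

$app    = 'vlc.exe'
$backup = Join-Path $env:TEMP 'exploit-protection-backup.xml'   # placeholder path

# 1. Export the current settings first, so the change can be rolled back with:
#    Set-ProcessMitigation -PolicyFilePath $backup
Get-ProcessMitigation -RegistryConfigFilePath $backup

# 2. Mitigations the post lists as (on) for VLC.exe.
$enable = @(
    'BlockDynamicCode',               # ACG
    'BlockLowLabelImageLoads',        # BLII
    'BlockRemoteImageLoads',          # BRI
    'DisableNonSystemFonts',          # BUF
    'CFG',                            # CFG
    'DEP', 'EmulateAtlThunks',        # DEP - ATL
    'DisableExtensionPoints',         # Dextp
    'DisallowChildProcessCreation',   # Child Process
    'EnableExportAddressFilter',      # EAF
    'EnableExportAddressFilterPlus',  # EAF "Validate"
    'ForceRelocateImages',            # Mandatory ASLR
    'RequireInfo',                    # Mandatory ASLR "Stripped"
    'EnableImportAddressFilter',      # IAF
    'BottomUp',                       # BottomUp ASLR
    'EnableRopSimExec',               # SimExec
    'EnableRopCallerCheck',           # CallerCheck
    'SEHOP',                          # SEHOP
    'StrictHandle',                   # VHU
    'TerminateOnError',               # VHI
    'EnforceModuleDependencySigning', # VIDI
    'EnableRopStackPivot'             # StackPivot
)

# 3. Mitigations the post lists as (off) for VLC.exe.
$disable = @(
    'MicrosoftSignedOnly',            # CIG
    'AllowStoreSignedBinaries',       # CIG "loading"
    'StrictCFG',                      # CFG "Strict"
    'DisableWin32kSystemCalls'        # Win32k
)

Set-ProcessMitigation -Name $app -Enable $enable -Disable $disable

# 4. Read the stored per-app settings back and list everything that is ON,
#    so the result can be compared line by line with the list in the post.
foreach ($entry in @(Get-ProcessMitigation -Name $app)) {
    foreach ($section in $entry.PSObject.Properties) {
        if ($null -eq $section.Value) { continue }
        foreach ($setting in $section.Value.PSObject.Properties) {
            if ("$($setting.Value)" -eq 'ON') {
                '{0}.{1}' -f $section.Name, $setting.Name
            }
        }
    }
}
```

Per-app settings take effect the next time the process starts, so restart VLC before testing playback.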
 

Andy Ful

From Hard_Configurator Tools
...
I did install and uninstall your Hard_Configurator utility before. It did copy the Document’s Anti-Exploit tool to my Desktop, but I have not configured it differently from Hard_Configurator recommended settings. I only configure the Firewall Hardening tool in Hard_Configurator. I did not use Run-By-Smartscreen as an independent tool.
That is why you should update your opening post. For now, it says that:
HardConfigurator v. 5.0.0.0
  • Recommended SRP Settings with exceptions: Whitelist by Hash Rules Added, 60+ filetypes supported (Default, Powershell, and Python), 30+ Sponsors Blocked (LOLbins from Script Interpreters, Enhanced, and Recommended Rules for Windows Defender Application Control)
  • Recommended Restrictions with exceptions: Block Powershell Scripts - Off, Hide ‘Run As Administrator’ - Off/On, Run As Smartscreen - Standard User/Administrator, Disable SMB - ON123, MSI Elevation - On, Disable Elevation on SUA - Off/On. NOTE: Settings of restrictions are different for each laptop.
If you uninstalled the H_C then all restrictions from SRP settings and non-SRP settings, and also from FirewallHardening were removed, just like you never used H_C. Documents Anti-Exploit tool is not configured in the Recommended Settings, so it did not apply any additional protection (you have to configure the settings or you can delete it if the settings are OFF). So, it seems that you can delete all info about H_C in your config.