Using Hard_Configurator in HARDENED mode with ConfigureDefender in HIGHEST protection on Windows 10

Product name
Hard_Configurator (get it on GitHub https://github.com/AndyFul/Hard_Configurator)
Installation (rating)
5.00 star(s)
User interface (rating)
4.00 star(s)
Accessibility notes
Color scheme of the buttons is .... well ....colorful like Andy Ful
Performance (rating)
5.00 star(s)
Core Protection (rating)
5.00 star(s)
Additional Protection notes
Windows Defender in default settings scored a 100% protection at AV-Comparatives in latest Real-World Protection tests (https://www.av-comparatives.org/tests/real-world-protection-test-february-march-2019-factsheet/) and a 6 out of 6 score in latest AV-TEST (https://www.av-test.org/en/antivirus/home-windows/windows-10/february-2019/microsoft-windows-defender-4.18-190516/), so how well will this hardened setup with highest protection perform? My bet: better than any top tier Antivirus solutions!
Positives
    • Freeware
    • Low impact on system resources
    • Easy to use
    • Simple and non-intrusive
    • Strong and reliable protection
    • Detects or blocks in the wild malware
    • Excellent scores in independent tests
    • Features you can't get elsewhere for free
    • Multi-layer protection approach
Negatives
    • Clumsy or awkward interface (UI)
Time spent using product
Computer specs
Asus Transformer with Intel Atom Z3740 @ 1,33 Ghz 2 GB RAM memory, 32 GB SSD and 64 GB SD-card
Recommended for
  1. All types of users
  2. Multi-user devices
  3. Financial banking or trading
  4. Low spec PCs
Overall rating
5.00 star(s)

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,043
I do not think this UAC setting is useful with H_C Recommended settings.
This profile does not require whitelisting applications in UserSpace, so it is easier to manage.
It is worth remembering that the UAC setting 'Only elevate executables that are signed and validated' will block application updates if the updater is not digitally signed and requires admin rights.

This for me would be a PITA. Your "Recommended" settings are more restrictive when using some W10 features from SUA, e.g. Control Panel, but are simply easier overall.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
This for me would be a PITA. Your "Recommended" settings are more restrictive when using some W10 features from SUA, e.g. Control Panel, but are simply easier overall.
With H_C Windows_Security profile + UAC setting 'Only elevate executables that are signed and validated', the user on admin account can install/run/update applications as usual if the applications are:
  • digitally signed;
  • unsigned but do not require elevation.
Furthermore, "Run By SmartScreen" from the Explorer context menu can be used to safely open/play/execute files which do not require elevation, or signed files which require elevation.
Except for EXE files, this profile uses similar settings as H_C Recommended profile (default deny).

The only problem can occur with installing/running/updating unsigned applications which require elevation. They will be blocked even when whitelisted in SRP.

Edit.
MSI installers usually require elevation, so can be run (if digitally signed) by using "Run as administrator" from Explorer context menu.
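
An audit sketch for the three cases listed in the post above, added here as an example; it is not part of the thread or of Hard_Configurator. It reads `ValidateAdminCodeSignatures`, the registry value behind the UAC setting 'Only elevate executables that are signed and validated', and lists which EXE/MSI files in a folder are unsigned and likely to ask for elevation. The scanned folder and the manifest-string heuristic for "requires elevation" are assumptions, and SRP and SmartScreen decisions are not modelled.

```powershell
# Added example (not from the thread): predict which installers/updaters the
# UAC "signed and validated" policy would refuse to elevate.
param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumed scan location

# Registry value behind the UAC policy (1 = enforced, 0 or missing = off).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$val = (Get-ItemProperty -Path $key -Name ValidateAdminCodeSignatures `
            -ErrorAction SilentlyContinue).ValidateAdminCodeSignatures
$enforced = ($val -eq 1)
"UAC 'only elevate signed executables' enforced: $enforced"

function Test-RequestsElevation {
    param([string]$Path)
    # Heuristic (assumption): MSI packages are treated as elevating; for EXE
    # files look for requireAdministrator in the embedded manifest. UAC
    # installer detection can also trigger elevation and is not covered here.
    if ([IO.Path]::GetExtension($Path) -ieq '.msi') { return $true }
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    return $text.Contains('requireAdministrator')
}

$files = Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
         Where-Object { $_.Extension -in '.exe', '.msi' }

$report = foreach ($f in $files) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signed = ($sig.Status -eq 'Valid')
    $elev   = Test-RequestsElevation -Path $f.FullName

    # The three cases from the post: signed, unsigned without elevation,
    # unsigned with elevation (the only one the policy blocks).
    $outcome = if ($signed)        { 'signed: can run and elevate' }
               elseif (-not $elev) { 'unsigned: runs without elevation' }
               elseif ($enforced)  { 'unsigned + elevation: BLOCKED by UAC policy' }
               else                { 'unsigned + elevation: allowed (policy off)' }

    [pscustomobject]@{
        File      = $f.Name
        Signature = $sig.Status
        Elevates  = $elev
        Outcome   = $outcome
    }
}

$report | Sort-Object Outcome | Format-Table -AutoSize
```

Running it against the folder where updaters are downloaded before enabling the policy shows which applications would stop updating, which is the case described above as blocked even when whitelisted in SRP.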
 

Andy Ful

Andy

First, thanks for the workaround. Second; why not start a crowdfunding initiative, to get H_C signed?

I will participate with 10 euros
I am still thinking. :unsure: :giggle:
I did not take money from other people in my life.

Edit.
H_C project uses many executables made by me (16 for now). I am not sure how much money will be required for signing all these executables.
There is also another problem. H_C is not intended for organizations and enterprises, and I do not want to make it paid. So, the two main reasons for signing the application are out.
 

Andy Ful

we

you could ask, IMO security software should be signed, for average users it is a sign of trust.
Although H_C will not be installed by average users, you are probably right that many users would trust the signed application more. That is why I am still thinking ...
H_C is a default-deny configurator, so it will never be popular among average users. I made it a few years ago to show the idea of joining SRP with forced SmartScreen which can safely bypass SRP restrictions. I have never thought to make it popular.
I think that even a better idea would be signing ConfigureDefender.
 

Andy Ful

There is only one open question. H_C (and ConfigureDefender) enables in Windows Home some features which were intentionally hidden by Microsoft in Windows Home. Also, the forced SmartScreen has some impact on SmartScreen reputation servers. I am not sure if Microsoft will like the signing idea. :unsure:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I think that even a better idea would be signing ConfigureDefender.
So try first with ConfigureDefender. It is easy enough and needed enough to become relatively popular, and it would be entirely acceptable according to Internet ethics to discreetly ask for a modest donation, to defray the costs of signing and website maintenance.
Like @Windows_Security said, if you never try, you will never know.
 

Andy Ful

Hello, I'm currently using these security settings. A question: is Default Deny the profile settings you attach in this topic? Sorry if the question has already been answered, but I'm a newbie! Thank you very much. Best regards.
If you use Windows_Security profile, then it is not a typical Default Deny, but SRP with allowed EXE files + Windows Hardening.
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
The Software Restriction Policy does block all sorts of risky file extensions from executing but allows executable programs to run. That is where Windows Defender in highest settings comes in: WD will block known malware, but also unknown programs. Only programs seen by Microsoft earlier and classified as goodware are allowed.

 

Windows_Security

If you use Windows_Security profile, then it is not typical Default Deny, but SRP with allowed EXE files + Windows Hardening.
Just a short addition to prevent confusion

  1. My Windows_Security profile on MalwareTips
    This is the security setting I use personally on my own PC. This is a default deny policy. In the past I used to promote this as Windows_Security because I only used Windows internal mechanisms (through GPO, ACL and registry tweaks). Because it is so much easier to use H_C, I don't bother to set this manually anymore.

  2. The Windows_Security profile in Hard_Configurator
    This is the setup I use for family members (since 2007). It originally was a basic user setup with a 'hole' in it. It allows the most common executables used to install and update software, so it ALLOWS the file extensions EXE, MSI, MSU and TMP. Combined with Avast (in aggressive mode), Comodo Cloud (blocking untrusted) or Windows Defender (in HIGHEST mode) it is a perfect way to protect security-unaware average home users because it uses the extensive cloud whitelist of the antivirus***.

    Andy added some improvements in the setup, so it is possible to use a default deny default level without the usability drawbacks of the default deny. Again I don't bother to painfully implement all those tweaks by hand, but simply use H_C. Because WD can be strengthened using ConfigureDefender from H_C and WD has become a tier-1 antivirus and I like to use Windows built-in features, WD is now my choice of AV to accompany this H_C setup.

    In 12 years' time, I had zero assistance calls and zero infections using the H_C Windows_Security profile for family members with either AVAST (aggressive), Comodo Cloud (block untrusted) or Windows_Defender (highest). The only manual registry tweak I always added was UAC to deny elevation of unsigned. With H_C and D_C becoming signed in the future, I hope this tweak will also become available within H_C.

    *** just look up the video Cruel Sister did on Avast in Aggressive mode. It scored a 100% against plain executables, but CC knew to evade this using trickier executable file formats. This is where the hardening of this H_C profile will help protect you against sneaky/hidden code in other file formats.
 