Andy Ful

Level 60
Verified
Trusted
Content Creator
@Andy Ful,
Thank you, I always appreciate your kind and useful hints!

However I have noticed that I do not seem to have any need for running PowerShell Scripts, even at elevated integrity levels, except a few backup scripts of mine. For this reason I have come to the conclusion to use OSA to first block PowerShell scripts globally and then selectively whitelist only my backup scripts. This seems to be serving my needs pretty well (well, at least so far... :)).

But as I mentioned, what is best for one, may not be the best solution for someone else.
Understood, you simply like to use OSA. :)
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
@Marana,
There is another thing you should remember. The SRP in H_C restricts PowerShell to Constrained Language Mode. This restriction is still active if you set <Block PowerShell Scripts> = OFF. The Constrained Language Mode will block advanced PowerShell functions related to .Net Framework, etc. It is good to look at the H_C <Blocked Events / Security Logs> for the event Id = 4100 (Error Message = Cannot create type. Only core types are supported in this language mode.), to see if the script did its work without issues.
This restriction is not applied for scripts executed with Admin privileges. (y)
 
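One way to check, from a PowerShell prompt, whether the current session is in Constrained Language Mode and whether the 4100 error above has been logged for your scripts. This is an added example, not from the thread or from Hard_Configurator's own tooling; it reads the standard Microsoft-Windows-PowerShell/Operational log, and the "Script Name =" line it parses from the event message is assumed to be present in 4100 events.

```powershell
# Added example (not H_C code): inspect the language mode and list CLM-related 4100 events.

# 1. Language mode of this session. Under H_C's SRP restriction this is "ConstrainedLanguage";
#    an elevated (admin) session, as noted above, is "FullLanguage".
"Current language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 2. A harmless probe: CLM refuses to instantiate non-core .NET types, which is exactly
#    what breaks scripts that use System.Net.* and similar classes.
try {
    $null = New-Object System.Net.WebClient
    "Non-core .NET types are allowed here (FullLanguage)."
} catch {
    "Blocked by language mode: $($_.Exception.Message)"
}

# 3. Recent event Id 4100 entries whose error message is the CLM one, newest first.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4100 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Only core types are supported in this language mode' } |
    Select-Object TimeCreated,
        @{ n = 'ScriptName'; e = {
            # "Script Name = <path>" is part of the 4100 context block (assumed layout)
            if ($_.Message -match 'Script Name = (.*)') { $Matches[1].Trim() } else { '(n/a)' }
        } } |
    Format-Table -AutoSize
```

If the third step prints nothing, no script has hit the CLM restriction in the retained log window; run the backup script first and then re-run this check.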

shmu26

Level 85
Verified
Trusted
Content Creator
Finally, many here are VoodooShield aficionados, so I was wondering if using this instead of OSA would provide better protection?
Voodooshield provides much more protection than OSA, because it is a full anti-exe program. OSA blocks some scripts, which is good, but it does not come near the comprehensive protection of VS. You could compare the big sister of OSA, she is named EXE Radar Pro, to Voodooshield. That's a fair comparison.
 

Shiz

Level 1
One issue I encountered when using the firewall hardening is that some programs use lass. For example, it took me 2 days to figure out that Call of Duty Warzone uses lass to do the update that occurs in-game. So I permitted that one IP address it's trying to connect to and it's been working fine. I expect other IPs to be needed later. It's just hard to troubleshoot since logs don't show CoD being blocked.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
One issue I encountered when using the firewall hardening is that some programs use lass. For example, it took me 2 days to figure out that Call of Duty Warzone uses lass to do the update that occurs in-game. So I permitted that one IP address it's trying to connect to and it's been working fine. I expect other IPs to be needed later. It's just hard to troubleshoot since logs don't show CoD being blocked.
Thanks for reporting (you probably mean lsass.exe, not lass).
The Windows Firewall Log shows only the process that is blocked, but there is no information about the parent processes. One has to deduce it from time correlations.
In the home environment on Windows 10, the lsass can be removed from the blocklist without losing much protection. The most important LOLBins are included in the "Recommended H_C" option.
 

SearchLight

Level 9
Verified
Btw in H_C upon installation, an icon for Default/Deny appears on the desktop. What does it do, and how does it work once selected? Thanks
 