Advice Request WD + ConfigureDefender set HIGH + OSA: A Match Made in Heaven?

Please provide comments and solutions that are helpful to the author of this topic.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
@Andy Ful,
Thank you, I always appreciate your kind and useful hints!

However I have noticed that I do not seem to have any need for running PowerShell Scripts, even at elevated integrity levels, except a few backup scripts of mine. For this reason I have come to the conclusion to use OSA to first block PowerShell scripts globally and then selectively whitelist only my backup scripts. This seems to be serving my needs pretty well (well, at least so far... :)).

But as I mentioned, what is best for one, may not be the best solution for someone else.
Understand, you simply like to use OSA.:)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
@Marana,
There is another thing you should remember. The SRP in H_C restricts PowerShell to Constrained Language Mode. This restriction is still active if you set <Block PowerShell Scripts> = OFF. The Constrained Language Mode will block advanced PowerShell functions related to .Net Framework, etc. It is good to look at the H_C <Blocked Events / Security Logs> for the event Id = 4100 (Error Message = Cannot create type. Only core types are supported in this language mode.), to see if the script did its work without issues.
This restriction is not applied for scripts executed with Admin privileges.(y)
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Finally, many here are VoodooShield afficionados so I was wondering if using this instead of OSA would provide better protection?
Voodooshield provides much more protection than OSA, because it is a full anti-exe program. OSA blocks some scripts, which is good, but it does not come near the comprehensive protection of VS. You could compare the big sister of OSA, she is named EXE Radar Pro, to Voodooshield. That's a fair comparison.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
@Marana,
You are trying to find all the best ways to commit computer suicide.:) (y)
 
  • Like
Reactions: Cortex

Shiz

Level 2
Verified
Nov 16, 2018
53
One issue I encountered when using the firewall hardening is that some programs use lass. Example it took me 2 days to figure out that call of duty warzone uses lass to do the update that occurs in-game. So I permitted that one IP address it's trying to connect and it's been working fine. I expect other IPs to be needed later. It's just hard to troubleshoot since logs don't show cod being blocked.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
One issue I encountered when using the firewall hardening is that some programs use lass. Example it took me 2 days to figure out that call of duty warzone uses lass to do the update that occurs in-game. So I permitted that one IP address it's trying to connect and it's been working fine. I expect other IPs to be needed later. It's just hard to troubleshoot since logs don't show cod being blocked.
Thanks for reporting (you probably mean lsass.exe, not lass).
The Windows Firewall Log shows only the process that is blocked, but there is no information about the parent processes. One has to deduce it from time correlations.
In the home environment on Windows 10, the lsass can be removed from the blocklist without losing much protection. The most important LOLBins are included in the ''Recommended H_C" option.
 
Last edited:

SearchLight

Level 13
Thread author
Verified
Top Poster
Well-known
Jul 3, 2017
626
Btw in H_C upon installation, an icon for Default/Deny appears on the desktop. What does it do, and how does it work once selected? Thanks
 
  • Like
Reactions: ErzCrz

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,225
Btw in H_C upon installation, an icon for Default/Deny appears on the desktop. What does it do, and how does it work once selected? Thanks

Default Deny Switch temporarily disables SRP default deny protection if your having issues with an installation or update. You can also setup your Document Exploit and Validate Code signatures. As per "Help" under Menu..

1596497884641.png
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top