Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Hi,

Just giving WHHL a try to see how I get on with it so still on a learning curve.

Under WDAC events I have the following repeated block:

Event Id = 3077
Local Time: 2024/03/09 12:59:39
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

Unsure if/how to whitelist this or prevent repeated blocks?

Thanks
 
WMIC.exe is blocked by WDAC as recommended by Microsoft. It cannot be whitelisted.
WMIC.exe is/was a popular LOLBin that uses WMI infrastructure to bypass the AV and WDAC protection.
It is possible that AOMEI Backupper can work with blocked WMIC.exe, but I do not recommend using both WDAC and AOMEI.
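
An added example, not part of the thread and not WHHLight's own code: a small Python parser for event blocks pasted in the layout shown above, collapsing repeated blocks into one row per event ID, path and parent process. The sample text is constructed from the values quoted in this thread; the second 3077 timestamp is made up.

```python
import re
from collections import Counter

# Constructed sample in the layout the posts use (second timestamp is made up).
SAMPLE = r"""
Event Id = 3077
Local Time: 2024/03/09 12:59:39
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

Event Id = 3077
Local Time: 2024/03/09 13:04:39
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

Event[0]:
Event Id = 865
Local Time: 2024/03/18 17:49:08
Attempted Path = c:\vssfix.bat
Description: Default Level SRP block
"""

# "Key = value" or "Key: value"; the key ends at the first '=' or ':'.
FIELD = re.compile(r"^\s*([^=:]+?)\s*[=:]\s*(.*)$")

def parse_events(text):
    """Split pasted text into one dict per event; "Event Id" starts a new event."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Event Id":
            current = {}
            events.append(current)
        if current is not None:  # ignore anything before the first event
            current[key] = value
    return events

def summarize(events):
    """Count blocks per (event id, lower-cased path, parent or '-')."""
    return Counter((e.get("Event Id"), e.get("Attempted Path", "").lower(),
                    e.get("Parent Process", "-")) for e in events)

if __name__ == "__main__":
    for (eid, path, parent), n in summarize(parse_events(SAMPLE)).most_common():
        print(f"{n}x  id={eid}  {path}  <-  {parent}")
```

Paths are lower-cased before counting because Windows paths are case-insensitive, so the same binary logged with different casing still lands in one row.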
 
So I guess the same applies here, I don't see any issues using Sync though. Do you recommend not using WDAC and Sync as well?
 
The block is related to the Sync taskbar and not to the synchronization processes. So the block is probably unimportant.
 
Thanks Andy
 
Still getting to grips with WHHL and recently had the following block triggered when I attempted to fix VSS via my backup program:

Event[0]:
Event Id = 865
Local Time: 2024/03/18 17:49:08
EventRecordID = 62875
Execution ProcessID = '14980' ThreadID='12148'
UserID='S-1-5-21-464157410-1965187014-947272154-1001'
Attempted Path = c:\vssfix.bat
Description: Default Level SRP block

Need some help to whitelist this process if that's the recommended solution?

For the time being I disabled SWH and then re-enabled once I had run the Fix VSS again.

Thanks in advance for any help in this matter.
 
You have two methods to whitelist that BAT file:
  1. Whitelist by hash.
  2. Whitelist by path.
 
If I attempt to browse to c:\vssfix.bat it is not there even after I enable show hidden windows folders and unsure where to browse to whitelist by hash?

That .bat is probably somewhere in your backup application.
 
Andy@Ful

Should not SWH WHH have its own frame like CD and H_C on the head site at GitHub instead of being an item IN H_C? Now they are not seen by people who go to the site and therefore are unknown to many. Whenever I link people to the site I have to explain what to do on it because these mentioned items are sort of hidden.

That seems to me to be the logical way since they are standalone programs, or are they not!?
 
How can WHHLight (Super Safe Setup) protect from exploits?

I wrote in the WDAC help that it is robust against exploits. It is not the same as protecting from exploits. I meant that even if something would be exploited, the attack could be stopped anyway. Exploits often use temporary files dropped to the user's Temp folder, and such an attack vector can be blocked in the Super_Safe setup. One of many examples can be abusing OLE objects in MS Office documents.
The default WDAC settings allow executables dropped there, so one can consider using additional anti-exploit protection (for example tools included in the WHHLight package).
 
Ok.
And SWH, why does it not have its own space?

Because it is logical if one does not care much about popularity.

Edit.
To make it popular, one should create a good website with a forum. But, marketing is not attractive to me.
 
With that logic they all might as well be put in 1 frame instead of the 4 that exist now ;).
 