Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Phishing email with SVG attachment -------> user says "Nope"

User deletes email with SVG attachment

End of attack chain. 🤪

Phishing email ---> User deletes email ----> END :)

The problem is that most computer users will open the attachment - they do not bother to learn or develop safe habits. They do not even know the term "phishing email".
You probably think that people should learn something about security. But sadly, most people will not bother.

Post edited.
 

ForgottenSeer 109138

Phishing email ---> User deletes email ----> END :)

The problem is that most computer users will open the attachment - they do not bother to learn or develop safe habits. They do not even know the term phishing.
The problem that's persistent is that when users in forums like this try to teach them, enthusiasts jump in, pound the living daylights out of the thread and bury good advice they can learn from.

How much simpler would it be to teach users how to be "aware".

Literally, the user has to interact with this twice to initiate the infection, "the very essence of social engineering".

Even grandmas and grandpas are starting to learn MS is not going to call them to state they found an infection in their system, or that a prince in Nigeria is not really going to give them free money. They are seeing these types of scams now in current movies, in the news, made public, for them to learn by.

This one is a classic example that could be used to state the not so obvious for some.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
User isn't thinking clearly and opens the attachment
More is needed than opening the attachment: the attachment advises users to download a password-protected (in the case of APT29) archive. I was looking to find out how this archive is magically dropped, unpacked and its content run, as the SVG default handler is your default browser, which will most likely be a Chromium-based solution. Turns out it is not!

User then needs to unpack the archive and run a weird script which initiates a whole billion-step attack. This highly fragmented attack can be prevented in many ways:
  • Of course, with H_C or similar solution that prevents certain LOLBins from executing. In my case, the bat and vbs will fail to run.
  • By refusing to look at this “invoice” as the email definitely won’t be the monthly email you get from your ISP or whatever
  • By using sophisticated behavioural blocking as no AMSI bypass stage is implemented (according to the infection chain graphic). The whole execution process is extremely anomalous.
  • By using software with threat emulation
 
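The SVG described in the post above only carries a lure toward an archive download, so it can already be caught at the mail side. The following is an added example, not part of the thread or of WHHLight: a Python triage of a raw message that flags SVG attachments containing links or active content. The rule set, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed rule set: markers of active content or outbound links inside an SVG.
SVG_RULES = {
    "script": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\son\w+\s*=", re.I),
    "foreignObject": re.compile(r"<\s*foreignObject\b", re.I),
    "external-link": re.compile(r"(?:xlink:)?href\s*=\s*[\"']\s*https?://", re.I),
}

def triage_svg_attachments(raw: bytes) -> list[tuple[str, list[str]]]:
    """Return (filename, matched rule names) for every SVG attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "image/svg+xml" and not name.lower().endswith(".svg"):
            continue  # only SVG attachments are inspected
        text = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        hits = [rule for rule, rx in SVG_RULES.items() if rx.search(text)]
        findings.append((name, hits))
    return findings

def build_sample() -> bytes:
    """Constructed test message: an 'invoice' SVG that links to an archive download."""
    svg = ('<svg xmlns="http://www.w3.org/2000/svg">'
           '<a href="https://example.invalid/invoice.zip">'
           '<text y="20">Download invoice</text></a></svg>')
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached invoice.")
    msg.add_attachment(svg.encode(), maintype="image", subtype="svg+xml", filename="invoice.svg")
    msg.add_attachment(b"notes", maintype="application", subtype="octet-stream", filename="notes.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, hits in triage_svg_attachments(build_sample()):
        print(f"{name}: {'quarantine' if hits else 'review'} {hits}")
```

An SVG with no matches is still returned with an empty rule list, so a mail gateway can choose to hold every SVG attachment and use the matches only for prioritisation.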

NormanF

Level 9
Verified
Jan 11, 2018
404
Could you package it as a Windows installer that writes to the Program Folder? It would be convenient to pin the Hardening Configurator to the Windows taskbar or Start Menu.
 

Andy Ful

Could you package it as a Windows installer that writes to the Program Folder? It would be convenient to pin the Hardening Configurator to the Windows taskbar or Start Menu.

I could but I intentionally did not. WHHLight is intended for Home Administrators, to protect the computers of average home users. So, the WHHLight location is not in the standard places. After configuration, the Administrator can simply remove the WHHLight shortcut from the Desktop, so the home user is not aware of what protection is applied.
Anyway, you can always move the WHHLight shortcut from the Desktop to the Program Folder.
 

Morro

Level 19
Verified
Top Poster
Well-known
Jul 8, 2012
905
For reasons that take too long to explain here, I had to change my security setup. :( It was a pain in the butt doing that, and let's just say that March 2025 cannot come soon enough. (At that time I can return to using SpyNetGirls Hardening guide again.)

Either way, I ended up trying WHHLight the past few days together with, at first, Kaspersky Free, and although very good, Kaspersky did slow down a few things. So today I ended up installing BitDefender TS. But I forgot I also have WHHLight on my disk and I had activated SWH+Smartscreen Block+WDAC. Would it cause issues if I keep those active, or should I either deactivate some, or simply restore the default settings through WHHLight?
 

ForgottenSeer 107474

For reasons that take too long to explain here, I had to change my security setup. :( It was a pain in the butt doing that, and let's just say that March 2025 cannot come soon enough. (At that time I can return to using SpyNetGirls Hardening guide again.)

Either way, I ended up trying WHHLight the past few days together with, at first, Kaspersky Free, and although very good, Kaspersky did slow down a few things. So today I ended up installing BitDefender TS. But I forgot I also have WHHLight on my disk and I had activated SWH+Smartscreen Block+WDAC. Would it cause issues if I keep those active, or should I either deactivate some, or simply restore the default settings through WHHLight?
When WHHL allowed the install, it will most likely also allow updates of Bitdefender TS. Although not exactly the same, I have run Bitdefender free with WHHL without problems.

The security mechanisms which are enabled by WHHL were designed to run with third-party antivirus.
 

NormanF

WHHLight essentially does the same thing as Cyberlock and NoVirusThanks OSArmor. It hardens Windows via native settings to stop malware conventional AV and antimalware solutions can't always detect - like ransomware and zero day threats.

It's a good complement to them on your PC.
 

Andy Ful

WHHLight essentially does the same thing as Cyberlock and NoVirusThanks OSArmor. It hardens Windows via native settings to stop malware conventional AV and antimalware solutions can't always detect - like ransomware and zero day threats.

Yes, the purpose of WHHLight is similar to those applications, but WHHLight is intentionally made as a very simplistic application to protect home users. So, other applications are much more configurable, which can be important when applying restrictions in organizations.
 

Andy Ful

WHHLight vs. Exploit prevention (GooseEgg example)

There are several examples in the wild where attackers use Microsoft vulnerabilities to get higher privileges. In many cases, the exploits are applied by using scripts and this is blocked by the WHHLight SWH restrictions. The GooseEgg exploit was applied by using a batch script.

Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years in attacks that targeted a vast array of organizations with a previously undocumented tool, the software maker disclosed Monday.

When Microsoft patched the vulnerability in October 2022—at least two years after it came under attack by the Russian hackers—the company made no mention that it was under active exploitation. As of publication, the company’s advisory still made no mention of the in-the-wild targeting. Windows users frequently prioritize the installation of patches based on whether a vulnerability is likely to be exploited in real-world attacks.
“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” Microsoft officials wrote.
 

Andy Ful

It seems that a kind of Microsoft bot has opened a thread on MT about GooseEgg. :)

It is a copy of the original Microsoft article:
https://www.microsoft.com/en-us/sec...loiting-cve-2022-38028-to-obtain-credentials/
 

Andy Ful

From my understanding, WDAC = ON uses SmartScreen for files with MOTW and ISG for files without MOTW.
Am I correct?

ISG is used in both cases. Without SmartScreen, the ISG does not use SmartScreen reputation to allow files.
WDAC without the ISG option blocks executables and does not care about SmartScreen.
 

Azazel

Supposing Windows 12 removes SRP, would it be difficult to develop a driver that could block risky file extensions in the same way SRP does?
 

Andy Ful

Supposing Windows 12 removes SRP, would it be difficult to develop a driver that could block risky file extensions in the same way SRP does?

Probably not, but I will not do it. I do not use custom drivers.
All my applications configure the security already implemented (hidden) in Windows.
 
