Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

vtqhtr413

Level 26
Well-known
Aug 17, 2017
1,574
It seems that a kind of Microsoft bot has opened a thread on MT about GooseEgg. :)

It is a copy of the original Microsoft article:
https://www.microsoft.com/en-us/sec...loiting-cve-2022-38028-to-obtain-credentials/
There does seem to be unusual bots here all of a sudden, we can't interact with them at all, but things change and I bet Jack is doing his best to keep the forum viable.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
There does seem to be unusual bots here all of a sudden, we can't interact with them at all, but things change and I bet Jack is doing his best to keep the forum viable.

I have nothing against this Bot. I also think that MT staff has control over posts of such Bots (good job). :)
The author of the article from arstechnica.com (mentioned in my previous post) forgot to mention the source article, so I did not know it at all.(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
Hi @Andy Ful ,
I have a suggestion.
When WHHFull is complete move all or the major components from Hard Configurator to WHHFul.
Deprecate Hard Configurator and Simple Windows Hardening (as WHHFull is superior).

It is already done. But, I am not sure if such a new (superior) application is needed. Furthermore, WHHFul cannot be superior in all aspects. For example, H_C is lighter (no slowdowns) compared to WDAC ISG in WHHFul.

If possible, bring your applications to Microsoft Store.

Too much trouble, but who knows?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
Is FirewallHardening needed?

Let's ask another question. Can the WHHLight protection be bypassed?
There is no perfect protection, so the answer is Yes. WHHLight can be bypassed, but the chances for that are very, very small.
Here is an example where the malware could almost compromise WHHLight (but it did not):

In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge, Windows Defender alerts, and SmartScreen.
(...)
Consequently, many security programs and application control policies are more inclined to trust programs signed with an EV certificate. For instance, Microsoft's SmartScreen filter, which is utilized by Windows and other Microsoft products, evaluates the reputation of an executable at runtime.

Files signed with an EV certificate typically establish a trustworthy reputation faster than those signed with standard certificates or those that are unsigned. This advantage allows most malware to bypass SmartScreen warnings more effectively.


The malware was propagated via Google Ads, and threat actors were impersonating Calendy and Rufus applications. As the article explains, the EXE/MSI files signed with an EV certificate have more chances to bypass the AV+SmartScreen. If SmartScreen is bypassed then <WDAC> with SmartScreen backend can often be bypassed in WHHLight. Furthermore, the malware uses high privileges to drop/run a script in the %ProgramFiles% folder which is whitelisted.
Fortunately, malware Loaders usually use scripting in UserSpace and download some important files from the web. To be stealthy, the download is usually done by LOLBins.

Attack flow:

Google Ad ----> downloaded EV-signed EXE -----> user executes the file and accepts the UAC ----> SmartScreen accepts the EV-signed file ----> two bach scripts dropped/executed ----> first script uses LOLBin (Curl) to download the URL of a malicious server, the second script runs the payload downloaded from that server ----> ....

In this example, the first script was dropped in the UserSpace (user Temp folder) so it could be blocked by <SWH>. The possible connection to a malicious server was disrupted (payloads could not be downloaded).
The second script was dropped in SystemSpace (%ProgramFiles% folder) so it was allowed to run. But, there was no payload to run.:)
If the first script was also dropped to SystemSpace, the connection to the malicious server could be disrupted by FirewallHardening (H_C Recommended settings), because the Curl LOLBin is on the blockList.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
You mean there's an overlap between it and WHHLight? From your comment, you're saying they basically enforce the same policies. You can correct me if I'm wrong.

Using two different solutions based on WDAC is not recommended:
  • too complex setup and management,
  • probable overlap,
  • WDAC from one solution interferes with the second one.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
In the Windows 11 Home 24H2 (Insider build) the WDAC alert looks differently:

1717782780567.png


We can see "App Control for Business" instead of Windows Defender Application Control.
The new alert is correct, because WDAC does not need Microsoft Defender as a main AV (and Windows Defender is an outdated term).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
If you've Microsoft Defender for Business onboarded on top of the built in Microsoft Defender, the alert may look a little different.

It could be possible for the Enterprise protection fully integrated with WDAC. Did you encounter such a non-standard alert?
Anyway, I do not think that someone would need to use WHHLight with such a protection.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top