Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

vtqhtr413

Level 27
Well-known
Aug 17, 2017
1,609
It seems that a kind of Microsoft bot has opened a thread on MT about GooseEgg. :)

It is a copy of the original Microsoft article:
https://www.microsoft.com/en-us/sec...loiting-cve-2022-38028-to-obtain-credentials/
There do seem to be unusual bots here all of a sudden, we can't interact with them at all, but things change and I bet Jack is doing his best to keep the forum viable.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,331
There do seem to be unusual bots here all of a sudden, we can't interact with them at all, but things change and I bet Jack is doing his best to keep the forum viable.

I have nothing against this Bot. I also think that MT staff has control over posts of such Bots (good job). :)
The author of the article from arstechnica.com (mentioned in my previous post) forgot to mention the source article, so I did not know about it at all. (y)
 

Andy Ful

Hi @Andy Ful ,
I have a suggestion.
When WHHFull is complete, move all or the major components from Hard Configurator to WHHFull.
Deprecate Hard Configurator and Simple Windows Hardening (as WHHFull is superior).

It is already done. But, I am not sure if such a new (superior) application is needed. Furthermore, WHHFull cannot be superior in all aspects. For example, H_C is lighter (no slowdowns) compared to WDAC ISG in WHHFull.

If possible, bring your applications to Microsoft Store.

Too much trouble, but who knows?
 

Andy Ful

Is FirewallHardening needed?

Let's ask another question. Can the WHHLight protection be bypassed?
There is no perfect protection, so the answer is Yes. WHHLight can be bypassed, but the chances for that are very, very small.
Here is an example where the malware could almost compromise WHHLight (but it did not):

In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge, Windows Defender alerts, and SmartScreen.
(...)
Consequently, many security programs and application control policies are more inclined to trust programs signed with an EV certificate. For instance, Microsoft's SmartScreen filter, which is utilized by Windows and other Microsoft products, evaluates the reputation of an executable at runtime.

Files signed with an EV certificate typically establish a trustworthy reputation faster than those signed with standard certificates or those that are unsigned. This advantage allows most malware to bypass SmartScreen warnings more effectively.


The malware was propagated via Google Ads, and threat actors were impersonating the Calendly and Rufus applications. As the article explains, the EXE/MSI files signed with an EV certificate have more chances to bypass the AV+SmartScreen. If SmartScreen is bypassed then <WDAC> with SmartScreen backend can often be bypassed in WHHLight. Furthermore, the malware uses high privileges to drop/run a script in the %ProgramFiles% folder which is whitelisted.
Fortunately, malware Loaders usually use scripting in UserSpace and download some important files from the web. To be stealthy, the download is usually done by LOLBins.

Attack flow:

Google Ad ----> downloaded EV-signed EXE -----> user executes the file and accepts the UAC ----> SmartScreen accepts the EV-signed file ----> two batch scripts dropped/executed ----> first script uses LOLBin (Curl) to download the URL of a malicious server, the second script runs the payload downloaded from that server ----> ....

In this example, the first script was dropped in the UserSpace (user Temp folder) so it could be blocked by <SWH>. The possible connection to a malicious server was disrupted (payloads could not be downloaded).
The second script was dropped in SystemSpace (%ProgramFiles% folder) so it was allowed to run. But, there was no payload to run. :)
If the first script had also been dropped to SystemSpace, the connection to the malicious server could have been disrupted by FirewallHardening (H_C Recommended settings), because the Curl LOLBin is on the blockList.
 
Last edited:

Andy Ful

You mean there's an overlap between it and WHHLight? From your comment, you're saying they basically enforce the same policies. You can correct me if I'm wrong.

Using two different solutions based on WDAC is not recommended:
  • too complex setup and management,
  • probable overlap,
  • WDAC from one solution interferes with the second one.
 

Andy Ful

In the Windows 11 Home 24H2 (Insider build) the WDAC alert looks different:

1717782780567.png


We can see "App Control for Business" instead of Windows Defender Application Control.
The new alert is correct, because WDAC does not need Microsoft Defender as a main AV (and Windows Defender is an outdated term).
 

Andy Ful

If you've Microsoft Defender for Business onboarded on top of the built-in Microsoft Defender, the alert may look a little different.

It could be possible for the Enterprise protection fully integrated with WDAC. Did you encounter such a non-standard alert?
Anyway, I do not think that someone would need to use WHHLight with such a protection.
 
Last edited:

Andy Ful

Under WDAC events I have the following repeated block:

Event Id = 3077
Local Time: 2024/03/09 12:59:39
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

WMIC.exe is blocked by WDAC as recommended by Microsoft. It cannot be whitelisted.
WMIC.exe is/was a popular LOLBin that uses WMI infrastructure to bypass the AV and WDAC protection.
It is possible that AOMEI Backupper can work with blocked WMIC.exe, but I do not recommend using both WDAC and AOMEI. (y)

I tested AOMEI Backupper on Windows 11 ver. 24H2 - it works without any issues. I was surprised that the same version of AOMEI Backupper triggers WMIC blocks on Windows 23H2, but there are no blocks on Windows 24H2. The reason is very simple, there is no WMIC LOLBin on Windows 11 ver. 24H2 anymore. These blocks are most probably related to some telemetry.
 
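When a block like the one quoted above repeats, the useful triage questions are whether the blocked file is one of the Microsoft-recommended block-list binaries (which WHHLight will not whitelist) and which parent keeps triggering it. The following is an added example, not code from WHHLight or its author: a Python parser for event blocks in the text format shown in the quote, plus a simple triage pass. The sample text is constructed; its first two blocks mirror the quoted WMIC/ABService entry, the third is invented for contrast, and the block-list set is a small subset of Microsoft's recommended block rules chosen for the example.

```python
"""Added example (not WHHLight's own code): parse WDAC 3077 event blocks in the
text layout quoted in the post and flag the ones that cannot be whitelisted."""
import re
from collections import Counter

# Constructed sample in the quoted layout; the WMIC/ABService blocks mirror the
# post, the third block is invented to show a user-writeable, whitelistable case.
SAMPLE_EVENTS = r"""
Event Id = 3077
Local Time: 2024/03/09 12:59:39
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

Event Id = 3077
Local Time: 2024/03/09 13:59:41
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

Event Id = 3077
Local Time: 2024/03/09 14:02:10
Attempted Path = C:\Users\test\AppData\Local\Temp\setup_helper.exe
Parent Process = C:\Windows\explorer.exe
PolicyName = UserSpace Lock
UserWriteable = true
"""

# Subset of Microsoft's recommended block rules (assumption: enough for the example).
RECOMMENDED_BLOCK = {"wmic.exe", "mshta.exe", "msbuild.exe"}

# "Key = value" for most fields, "Local Time: value" for the timestamp; the key
# never contains '=' or ':', so the first separator splits correctly even though
# the timestamp value itself contains colons.
FIELD_RE = re.compile(r"^([^=:]+?)\s*[=:]\s*(.*)$")


def parse_events(text: str) -> list:
    """Split the text into blank-line-separated blocks and return one dict per block."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        events.append(current)
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list) -> list:
    """Annotate each event: is the target on the recommended block list (so it stays
    blocked), and was the file in a user-writeable location."""
    rows = []
    for ev in events:
        target = ev.get("Attempted Path", "")
        rows.append({
            "time": ev.get("Local Time", ""),
            "target": target,
            "parent": ev.get("Parent Process", ""),
            "recommended_block": basename(target) in RECOMMENDED_BLOCK,
            "user_writeable": ev.get("UserWriteable", "").lower() == "true",
        })
    return rows


def summarize(rows: list) -> Counter:
    """Count blocks per (parent, target) pair so a noisy but benign source stands out."""
    return Counter((basename(r["parent"]), basename(r["target"])) for r in rows)


if __name__ == "__main__":
    rows = triage(parse_events(SAMPLE_EVENTS))
    for r in rows:
        tag = "stays blocked" if r["recommended_block"] else "review"
        print(f'{r["time"]}  {basename(r["parent"])} -> {basename(r["target"])}  [{tag}]')
    for (parent, target), n in summarize(rows).most_common():
        print(f"{n}x  {parent} -> {target}")
```

The summary makes the post's diagnosis visible at a glance: a single service repeatedly launching WMIC.exe is a telemetry-style pattern rather than an attack, but because WMIC.exe is on the recommended block list the right fix is on the application side, not in the WDAC whitelist.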

Andy Ful

WHHLight ver. 1.1.1.1

1. Added new WDAC setting (IAC).
2. Added new digital certificate to all tools.
3. Updated help files.

The new version can be run over the previous one (no need to remove the previous settings).
The new IAC setting will not be interesting for MT members. It is intended to block installations of new applications, except for Microsoft applications and UWP apps from Microsoft Store (Windows-like-Linux). For already installed applications and their auto-updates, IAC works just as the ON setting.
https://malwaretips.com/threads/easy-application-control-on-windows.130803/

1720476524553.png



1720476436094.png


1720478415052.png
 
Last edited:

Andy Ful

Windows-like-Linux

Three main security features of Linux are important for home users:
1. The permission-based structure in Linux prevents regular users from performing administrative actions.
2. Software installation is performed by using "app store" package manager.
3. Linux as a home computer operating system is far less targeted than Windows.

Windows-like-Linux has similar features:
1. The user works on a Standard User Account (SUA).
2. Software installation is performed via Microsoft Store (UWP apps and desktop applications).
3. All EXE and MSI files originating from the Internet Zone are blocked by default (no whitelisting).
The EXE, MSI, and DLL files originating from local devices (no MotW) are highly restricted in UserSpace by WDAC ISG (no SmartScreen backend).
Other files with active content (scripts, scriptlets, etc.) are blocked by default (Internet Zone and local devices).

Point 3 highly reduces the possible infection (including exploits) if all UserSpace is restricted. This is true when the SUPER_SAFE setup is applied in WHHLight with <WDAC> = IAC. Almost as safe would be the TWO_ACCOUNTS setup with <WDAC> = IAC.
But, I would like to propose the light implementation of Windows-like-Linux based on the TROUBLE_FREE setup with <WDAC> = IAC.

1720562173546.png


1720562308412.png


The WDAC default Whitelist on the above example includes two accounts: TestUser (Admin account) and useruser (SUA). In the TROUBLE_FREE setup, the ProgramData and AppData folders are whitelisted.

The cons are that some exploits can possibly use the locations in ProgramData or AppData to run malware, so we must add some post-exploitation protection (ConfigureDefender, FirewallHardening, and DocumentsAntiExploit). If one uses 3rd party applications for viewing & editing documents and 3rd party AV, those applications may require additional hardening.

The pros are that one can install almost any Windows application before applying the restrictions, and it will work/auto-update after applying the Windows-like-Linux light setup.
Of course, when restrictions are active then new software installations will be limited to Microsoft Store. But it is worth mentioning that gaming platform software (Steam, Epic Games, etc.) can still install new games because those installations are performed similarly to gaming platform updates.

I think that Windows-like-Linux setup (light version) can be helpful when protecting children or happy clickers. Despite strong restrictions, users can work with already installed applications, and install new software from Microsoft Store or new games via gaming platforms. Windows and software auto-updates are not restricted.
 
Last edited:
