Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

[Andy Ful]

No, there I do not have this problem:

I will try to reproduce the issue. Can you do a simple test?

1. Use version 4.0.0.1 and apply DEFAULT settings + REFRRESH.
2. Next, use the version 4.0.1.0 and apply HIGH settings + REFRESH
3. Finally, close ConfigureDefender and rerun version 4.0.1.0.
4. Post the screenshot of the last few ASR rules.

 

[Gandalf_The_Grey]

I will try to reproduce the issue. Can you do a simple test?

1. Use version 4.0.0.1 and apply DEFAULT settings + REFRRESH.
2. Next, use the version 4.0.1.0 and apply HIGH settings + REFRESH
3. Finally, close ConfigureDefender and rerun version 4.0.1.0.
4. Post the screenshot of the last few ASR rules.

Here is the screenshot:

 

[Andy Ful]

Here is the screenshot:

So, in your case ver. 4.0.1.0 applied all HIGH settings except new ones. That is OK because new settings can be applied as a preview in Windows 24H2.

 

[Gandalf_The_Grey]

So, in your case ver. 4.0.1.0 applied all HIGH settings except new ones. That is OK because new settings can be applied as a preview in Windows 24H2.

Are the new ones part of the HIGH settings?

I am on 24H2 build 26100.1591.

August 27, 2024—KB5041865 (OS Build 26100.1591) Preview - Microsoft Support

support.microsoft.com

 

[Andy Ful]

Are the new ones part of the HIGH settings?

Yes. The first one is set to Warn.

I am on 24H2 build 26100.1591.

I will test this build in a few days. Those rules may require a new Defender version which is tested in Windows Insider.

 

[Andy Ful]

Hi Andy, I get the following error when clicking refresh with the new ConfigureDefender 4.0.1.0:

View attachment 285375

Thanks for the help.
After some additional tests, I confirmed a bug in ConfigureDefender. The new rules can be enabled one by one without using <HIGH>, <INTERACTIVE>, or <MAX> buttons.
The corrected version will be published next week.

 

[Andy Ful]

New rules currently work on my Windows 11 Home 23H2 (updated). No need to use Windows Insider.
I used ConfigureDefender 4.0.1.0 and set new rules by comboboxes (REFRESH and Windows restart required after changing the settings).
The simplest metod of checking if new rules work is as follows:

1. Copy regedit.exe from C:\Windows to the Desktop
2. Run regedit.exe from the Desktop (blocked).
3. Use <Defender Security Log> from ConfigureDefender to see the blocked event:

Event[0]:
Time Created : 07.09.2024 19:45:49
ProviderName : Microsoft-Windows-Windows Defender
Id : 1122
Message : Funkcja Microsoft Defender Exploit Guard wykonała inspekcję operacji, na którą nie zezwala administrator IT.
Aby uzyskać więcej informacji, skontaktuj się ze swoim administratorem IT.
Identyfikator: C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB <------ the ID of ASR rule "Block use of copied or impersonated system tools"
Godzina wykrycia: 2024-09-07T17:45:49.777Z
Użytkownik: -----------------------------------------------------
Ścieżka: -----------------------------------\regedit.exe
Nazwa procesu: C:\Program Files\totalcmd\TOTALCMD64.EXE
Docelowy wiersz polecenia "-----------------------------------\regedit.exe"
Nadrzędny wiersz polecenia: "C:\Program Files\totalcmd\TOTALCMD64.EXE"
Plik, którego to dotyczy:
Flagi dziedziczenia: 0x00000000
Wersja analizy zabezpieczeń: 1.417.553.0
Wersja aparatu: 1.1.24070.3
Wersja produktu: 4.18.24070.5

 

[Andy Ful]

Here is the information related to the ASR rule "Block rebooting machine in Safe Mode":

Event[1]:
Time Created : 07.09.2024 19:52:41
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Funkcja Microsoft Defender Exploit Guard zablokowała operację, na którą nie zezwala administrator IT.
Aby uzyskać więcej informacji, skontaktuj się ze swoim administratorem IT.
Identyfikator: 33DDEDF1-C6E0-47CB-833E-DE6133960387 <------ the ID of ASR rule "Block rebooting machine in Safe Mode"
Godzina wykrycia: 2024-09-07T17:52:41.980Z
Użytkownik: ----------------------------------------------
Ścieżka: C:\Windows\System32\bcdedit.exe
Nazwa procesu: C:\Windows\System32\cmd[.]exe
Docelowy wiersz polecenia bcdedit /.......................... <-------- I removed the CmdLine
Nadrzędny wiersz polecenia: "C:\WINDOWS\system32\cmd[.]exe"
Plik, którego to dotyczy:
Flagi dziedziczenia: 0x00000000
Wersja analizy zabezpieczeń: 1.417.553.0
Wersja aparatu: 1.1.24070.3
Wersja produktu: 4.18.24070.5

 

[Andy Ful]

New rules also work on my Windows 10 Pro 22H2. So it seems they should work on all Windows 10+ versions supported by Microsoft.

 

[oldschool]

ConfiigureDefender included in the new beta has two additional rules

When will you release the new version ConfigureDefender as a standalone, or am I able to get it without the whole WHHLight package?

 

[Andy Ful]

When will you release the new version ConfigureDefender as a standalone, or am I able to get it without the whole WHHLight package?

In one or two weeks.

 

[franz]

Maybe I need new glasses, but can anyone give me the link to where I can download WHH LIGHT

 

[lokamoka820]

Maybe I need new glasses, but can anyone give me the link to where I can download WHH LIGHT

https://github.com/AndyFul/Hard_Configurator/raw/master/WindowsHybridHardening/WHHLight_Package_1111.exe

 

[Andy Ful]

Maybe I need new glasses, but can anyone give me the link to where I can download WHH LIGHT

I removed the beta build from the GitHub.

The link to the official build is always updated in the OP of this thread:

Serious Discussion - WHHLight - simplified application control for Windows Home and Pro.

WindowsHybridHardening Light (WHHLight) (post updated in July 2024) WHHLight ver. 1.1.1.1 https://github.com/AndyFul/Hard_Configurator/raw/master/WindowsHybridHardening/WHHLight_Package_1111.exe https://github.com/AndyFul/Hard_Configurator/tree/master/WindowsHybridHardening Windows Hybrid...

malwaretips.com

 

[Andy Ful]

The WHHLight beta, had a minor issue with ConfigureDefender ver. 4010. That version of ConfigureDefender works well but when using <HIGH>, <INTERACTIVE>, or <MAX> buttons, two new ASR rules are not activated. So those rules must be added via combobox settings.
The new WHHLight version 2011 is finished and will be published in one week.

 

[Andy Ful]

WHLight_Package 2.0.0.1 beta 3

https://github.com/AndyFul/Hard_Configurator/raw/master/WindowsHybridHardening/WHHLight_Package_2001_beta3.exe

It is a corrected version of:

Serious Discussion - WHHLight - simplified application control for Windows Home and Pro.

So IAC on is Window Like Linux?

malwaretips.com

The corrections related to the new ConfigureDefender rules should work on any updated Windows 10+.

 

[Andy Ful]

WHHLight vs. ClickFix attacks
https://malwaretips.com/threads/fak...push-infostealing-malware.133286/post-1105071
https://www.mcafee.com/blogs/other-...-social-engineering-tactic-to-deploy-malware/
https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/

A new report from Sekoia, a SaaS cybersecurity provider, notes that ClickFix campaigns have evolved significantly and now use a Google Meet lure, phishing emails targeting transport and logistics firms, fake Facebook pages, and deceptive GitHub issues.

Attack flow (example from McAfee):
phishing email HTML attachment ---> ClickFix abusing Explorer ----> LOLBin (CMD, PowerShell) downloads HTA payload ----> HTA payload executed

This attack is blocked by WHHLight default settings even without tools (FirewallHardening, ConfigureDefender, DocumentsAntiExploit).
The payload is dropped into UserSpace, so it can be blocked by SRP restrictions. Many such attacks can be prevented by SRP restrictions, but some would require non-default settings. The best prevention against ClickFix is FirewallHardening. The default "Recommended H_C" BlockList will block the malware delivery via LOLBins.

 

[simmerskool]

This attack is blocked by WHHLight default settings even without tools (FirewallHardening, ConfigureDefender, DocumentsAntiExploit).
The payload is dropped into UserSpace, so it can be blocked by SRP restrictions. Many such attacks can be prevented by SRP restrictions, but some would require non-default settings. The best prevention against ClickFix is FirewallHardening. The default "Recommended H_C" BlockList will block the malware delivery via LOLBins.

@Andy Ful sorry in advance as I think I ask this question every so often (then get sidetracked into something else): I'm running CyberLock on win10. If you know, does CL provide LOLBins protection that FirewallHardening does, as I don't want muck up by redundant protection and possible incompatibility. win10 also running DeepInstinct. Will FirewallHardening plug a gap or not needed here. Or this would be a great trio???
@danb your insight greatly appreciated too. CL 7.79

 

[Andy Ful]

@Andy Ful sorry in advance as I think I ask this question every so often (then get sidetracked into something else): I'm running CyberLock on win10. If you know, does CL provide LOLBins protection that FirewallHardening does, as I don't want muck up by redundant protection and possible incompatibility. win10 also running DeepInstinct. Will FirewallHardening plug a gap or not needed here. Or this would be a great trio???
@danb your insight greatly appreciated too. CL 7.79

Unfortunately, I do not use CyberLock and DeepInstinct. In my opinion, using FirewallHardening would probably make the protection too complex.
I suggest asking someone on the threads dedicated to CyberLock and DeepInstinct. Discussion in this thread will not help those who use CyberLock or DeepInstinct.