Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

[Andy Ful]

Am I overthinking this??

Yes, you are.
When you run WHHLight for the first time it applies the default configuration. Simply close WHHLight and restart Windows (as suggested in the closing alert).
Do not tweak WHHLight until you understand how the current settings work. The WHHLight Manual (PDF document) provides useful information - you can find it in the WHH _Tools folder.

Edit.
Did you encounter any blocks?

 

[simmerskool]

Yes, you are.
When you run WHHLight for the first time it applies the default configuration. Simply close WHHLight and restart Windows (as suggested in the closing alert).
Do not tweak WHHLight until you understand how the current settings work. The WHHLight Manual (PDF document) provides useful information - you can find it in the WHH _Tools folder.

Edit.
Did you encounter any blocks?

Thanks, I read thru the help(s) a 2d time and that helped, and I ended up doing exactly what you advised before I read your post, for now I left the WDAC off, (I'll probably dream about this tonight and understand it tomorrow -- even with eyeglasses my eyesight is problematic and the popup help info is a struggle for me to read & no copy and paste.
PS no blocks yet. performance speed is very fast. -- correction: the CD had 2 blocks and FWH had about dozen, but all the same thing, looked like some sort of MS telemetry. WHHL specific blocks, not aware of any yet, but not looking for malware.

 

[Andy Ful]

even with eyeglasses my eyesight is problematic and the popup help info is a struggle for me to read & no copy and paste.

Did you try to use Windows Magnifier?

To quickly turn on Magnifier, press the Windows logo key + Plus sign (+) . To turn off Magnifier, press the Windows logo key + Esc.

Use Magnifier to make things on the screen easier to see - Microsoft Support

Learn how to make items on the screen appear larger by using Magnifier in Windows.

support.microsoft.com

Another way to improve display is to use a high resolution with Scale = 125% or 150%. However, such a solution must be tested to confirm that all your applications are properly displayed (older applications may not).

 

[simmerskool]

Did you try to use Windows Magnifier?

Another way to improve display is to use a high resolution with Scale = 125% or 150%. However, such a solution must be tested to confirm that all your applications are properly displayed (older applications may not).

good info thanks re magnifier. Meanwhile how about a plain text file with help info, (there's a readme but did not say much) that way I could edit it with notes to myself, eg, see MT URL... but I need to read more about WDAC and have an app to use it with -- now I do. Today I booted linux for peace of mind

 

[Andy Ful]

good info thanks re magnifier. Meanwhile how about a plain text file with help info, (there's a readme but did not say much) ...

Did you read the "WHHLight Manual"?

 

[simmerskool]

Did you read the "WHHLight Manual"?

huh was it included with download WindowsHybridHardeningLight_2001_beta3.exe -- I'm using linux VM but I don't recall seeing it in windows folder. maybe it's separate DL on git-hub. I do see file readme.md -- is that the manual? I sorta skimmed it the other day thinking it will DL with WHHL, or maybe it is in the WHHL windows folder? I just copied and pasted the text from the git-hub web page. But Andy using the app should just be intuitive just kidding totally appreciate your apps and all your effort here.

EDIT ...but clearly the use of WDAC is NOT as easy as ABCD, see eg (it starts to give me a headache -- perhaps why it is switched OFF in WHHL as default...)

DEPLOYING WINDOWS 10 APPLICATION CONTROL POLICY | Microsoft Community Hub

All things about WDAC – Windows Defender Application Control: Planning, Deployment, Testing, Monitoring, best practice, tips and Troubleshooting.

techcommunity.microsoft.com

 

[Andy Ful]

huh was it included with download WindowsHybridHardeningLight_2001_beta3.exe -- I'm using linux VM but I don't recall seeing it in windows folder. maybe it's separate DL on git-hub. I do see file readme.md -- is that the manual? I sorta skimmed it the other day thinking it will DL with WHHL, or maybe it is in the WHHL windows folder? I just copied and pasted the text from the git-hub web page. But Andy using the app should just be intuitive just kidding totally appreciate your apps and all your effort here.

EDIT ...but clearly the use of WDAC is NOT as easy as ABCD, see eg (it starts to give me a headache -- perhaps why it is switched OFF in WHHL as default...)

DEPLOYING WINDOWS 10 APPLICATION CONTROL POLICY | Microsoft Community Hub

All things about WDAC – Windows Defender Application Control: Planning, Deployment, Testing, Monitoring, best practice, tips and Troubleshooting.

techcommunity.microsoft.com

After the installation, you can see the WHH_Tools shortcut on the Desktop. When you click on the shortcut, the folder (C:\ ProgramData\WindowsHybridHardening_Tools) containing all tools and manuals opens. You should easily see it if you can see and execute the "WindowsHybridHardeningLight_2001" executable.

 

[Andy Ful]

EDIT ...but clearly the use of WDAC is NOT as easy as ABCD, see eg (it starts to give me a headache -- perhaps why it is switched OFF in WHHL as default...)

Normally it is. But with WHHLight it is much easier. Anyway, you should not apply WDAC immediately. Wait until you are certain how your applications work with default settings.
Next, you can apply WDAC but do not remove the default folders from the WDAC Whitelist.

I do not recommend more tweaks except when one understands well all the information included in the manual. Of course, you can experiment in the VM with a custom WDAC Whitelist, this cannot kill the system. Simply, some applications will be (partially) blocked and require whitelisting. Anytime, you can simply switch off WDAC to get the current settings.

 

[simmerskool]

After the installation, you can see the WHH_Tools shortcut on the Desktop. When you click on the shortcut, the folder (C:\ ProgramData\WindowsHybridHardening_Tools) containing all tools and manuals opens. You should easily see it if you can see and execute the "WindowsHybridHardeningLight_2001" executable.

well yes the shortcut was on the desktop, yes it did put the files in programdata, but do not recall a manual opening? so then the manual is a file in the programdata folder? (I'm still running linux today, but will boot win10_VM with WHHL installation later today. Thanks.
PS WHHL sure seemed to update the registry with only SWH [ ON ] (default) (I understood about run_by_smartscreen -- I've been using that for awhile).

 

[Andy Ful]

PS WHHL sure seemed to update the registry with only SWH [ ON ] (default)

That is why the SWH restrictions can work.

 

[Andy Ful]

WHHLight vs. Horus Protector

Horus Protector Rewrites the Rules of Cyber Obfuscation

Threat Group: Unknown (French-speaking actors suspected) Threat Type: Fully Undetectable (FUD) Malware Distribution Service Exploited Vulnerabilities: Remote code execution via encoded Visual Basic (VBE) scripts Malware Used: AgentTesla, Remcos, Snake, NjRat, SNAKE Keylogger Threat Score: High...

cybersecsentinel.com

Overview​

HORUS Protector is a newly identified malware distribution service designed as a Fully Undetectable (FUD) crypter that can bypass many antivirus (AV) protections. It delivers a range of dangerous malware strains, including AgentTesla, Remcos, Snake, NjRat, and the SNAKE Keylogger, using sophisticated obfuscation techniques such as encoded Visual Basic scripts (VBE) packed inside .zip archives.

This service is mainly distributed through cybercrime platforms like Telegram, where threat actors sell subscription-based plans, making advanced malware propagation accessible even to non-expert criminals. By updating frequently and monitoring AV detections, HORUS Protector ensures that its payloads remain undetected, posing a severe risk to organizations and individuals worldwide.

• Delivery Method:
  HORUS Protector distributes malware through .zip archives that contain VBE-encoded Visual Basic scripts, which initiate the infection process once executed. Upon activation, these scripts establish communication with command-and-control (C2) servers to download additional payloads.
• Target:
  Both corporate organizations and individual users are vulnerable to this malware, especially when phishing emails or malicious download links are used.

Obfuscation Techniques:
HORUS Protector employs various techniques to evade detection, including:

• VBE-encoded scripts to launch payloads.
• Registry manipulation to store and execute payloads in segments (e.g., segment1, segment2, etc.).
• Process hollowing to inject malware into legitimate processes, such as MSBuild.exe.
• Scheduled tasks to execute malicious scripts persistently.

Attack flow:
Phishing email ---> ZIP archive ---> VBE script ---> command-and-control (C2) server ----> payloads downloaded into the Windows Registry ----> scheduled task created ----> payloads decoded and executed filelessly

Horus Protector is a Fully Undetectable (FUD) Malware Distribution Service that is constantly updated to bypass the protection of AVs.
WHHLight blocks it via the default SWH settings (running VBE scripts is disabled).

 

[Andy Ful]

WHHLight ver. 2.0.0.1

https://github.com/AndyFul/Hard_Configurator/raw/refs/heads/master/WindowsHybridHardening/WHHLight_Package_2001.exe

This version is the same as the latest beta3, so users who installed the beta version can skip the new one.
The beta version is without bugs (so far) so I promoted it to the stable version.
Can be installed over previous versions.

What is new (compared to ver. 1.1.1.1):

• SWH settings can be now selectively controlled from the menu.
• Added two new ASR rules to ConfigureDefender.
• Some corrections in the help files and manual.

 

[lockeddown]

i think Horus Protector got a youtube channel

 

[porkpiehat]

Hi @Andy Ful .. I'm running 'CruelComodo'.. just wondering whether there will be any conflict if I run ConfigureDefender=Max and WHHLight 2.0.0.1?
It maybe overkill, but if there are no issues then it can't hurt.. can it?
just looking to plug any potential holes for better overall security.

 

[Andy Ful]

Hi @Andy Ful .. I'm running 'CruelComodo'.. just wondering whether there will be any conflict if I run ConfigureDefender=Max and WHHLight 2.0.0.1?
It maybe overkill, but if there are no issues then it can't hurt.. can it?
just looking to plug any potential holes for better over all security.

In theory, this setup should work after adding the WHHLight application folder (C:\ProgramData\WindowsHybridHardening_Tools) to "Ignored" in the Comodo Auto-containment settings. But as with any overkill, after some time something will not work as intended and there will be a problem identifying the source of it. If you want to maximize the protection, it would be better to tweak the Comodo Firewall, for example:
https://malwaretips.com/threads/comodos-killer.133558/post-1115317

 

[porkpiehat]

In theory, this setup should work after adding the WHHLight application folder (C:\ProgramData\WindowsHybridHardening_Tools) to "Ignored" in the Comodo Auto-containment settings. But as with any overkill, after some time something will not work as intended and there will be a problem identifying the source of it. If you want to maximize the protection, it would be better to tweak the Comodo Firewall, for example:
https://malwaretips.com/threads/comodos-killer.133558/post-1115317

so, if I remove WHHLight, would ConfigureDefender - Max still be a more viable option to strengthen defender with CFW?

 

[Andy Ful]

so, if I remove WHHLight, would ConfigureDefender - Max still be a more viable option to strengthen defender with CFW?

When using CFW in @cruelsister's settings + Microsoft Defender, you can use ConfigureDefender with HIGH settings. It is not necessary to apply MAX settings (overlaps with Comodo's Cloud Lookup).

 

[porkpiehat]

cheers Andy.. I guess I was overthinking things.. your advice is much appreciated

 

[Andy Ful]

WHHLight vs. 7-Zip MotW exploit

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

The ZDI team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks.

www.trendmicro.com

Security News - 7-Zip MotW bypass exploited in zero-day attacks against Ukraine

A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024. According to Trend Micro researchers, the flaw was used in SmokeLoader malware campaigns targeting the Ukrainian government...

malwaretips.com

By opening the content of a double-packed 7-Zip archive, the final executable could be executed without MotW, even if MotW support was enabled in 7-Zip.

Default SWH settings prevent/block this exploit for all executables via SRP restrictions.
Scripts (like .bat files used in the attack in the wild) are blocked by default in UserSpace.
If the attacker would like to use EXE or MSI files, they would also be blocked by default via archiver applications hardening:

 

[Marana]

I’m currently doing some tests to determine if the coming spring would be the right time for me to migrate from Windows 10 to Windows 11. I have done some experiments with WHHL in this context.

Currently I’m running my own implementation of SRP user interface along with ConfigureDefender and FirewallHardening in Windows 10. I use a two account setup (SUA + Admin), and run SRP in a strict default deny setup (PolicyScope = Skip Admins, Enforcement for all files, and an extensive but well controlled Whitelist).

WHHL seems to be designed somewhat more like SWH instead of like H_C. I mean, it has a simple user interface with not so many possibilities to configure. (I do understand that it serves very well the majority of users, minimizing risks for extra support request due to misconfiguration). For example WHHL seems to have *.exe, *.tmp and *.msi hard coded in the Whitelist, and it also doesn’t seem to like at all, if one goes to forcibly remove them . Also TransparentEnabled seems to be likewise hard coded and monitored in the configuration – obviously as part of monitoring the possibility of “other SRP manipulating Apps”.

@Andy Ful, I have read your tests on how well WHHL tackles various malware, and it indeed seems to perform extremely well. However, I would very much like to have some more flexibility at least in the Whitelist handling (e.g. being able to switch off current “WHHL restrictions” on the Whitelist contents and TransparentEnabled setting).

I wonder if you might think to someday extend WHHL a little bit into that direction? It might be as simple as one binary switch to turn off the monitoring of other SRP manipulating programs, be that either a visible selection in the user interface or maybe preferably hidden somewhere deep in the Windows registry settings...