- Apr 24, 2016
- 7,249
Do we have to do anything with this new version?
Both old and new are now in the same folder (C:\ProgramData\WindowsHybridHardening_Tools).
Is deleting the old version and when necessary using the new one enough?
WHHLight - simplified application control for Windows Home and Pro.
- Thread starter Andy Ful
- Start date
Both old and new are now in the same folder (C:\ProgramData\WindowsHybridHardening_Tools).
Is deleting the old version and when necessary using the new one enough?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
Delete the old version and run the new one.
If you want to update FirewallHardening settings (only from the version used in WHHLight package 1004 or 1002), run new FH and apply "Recommended H_C".
Post updated.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
- Apr 16, 2017
- 2,604
yesterday I downloaded and ran the new runbysmartscreen, should I have deleted the previous version first?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
It is not necessary. WHHLight ver. 1.0.1.0 and 1.0.1.1 use the newest version of RunBySmartscreen (ver. 5.0.1.1).
- Apr 16, 2017
- 2,604
thanks, (I may have been unclear)... for clarification, on this VM I had been running standalone runbysmartscreen, probably 5.0.0.0, then yesterday I ran 5.0.1.1 and it opened and I selected to add it to Explorer contest menu. Did this correctly override the previous version and "install" correctly without me undoing or deleting previous version first? (not a WHHLight question)
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
WHHLight vs. Spica attack
(Smart App Control set to OFF)
https://malwaretips.com/threads/goo...w-spica-backdoor-malware.128457/#post-1072430
https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/
Attack Flow:
PDF lure document (encrypted) ----> emails ----> link to the cloud storage ---> malware downloaded/executed by the user (EXE file)
The malware uses PowerShell to obtain persistence. It is unclear from the article if the malware uses a PS1 script. If so, then the script will be blocked by default SWH settings.
Anyway, the main protection can be applied by SmartScreen or WHHLight WDAC settings. In both cases, this particular malware is blocked (confirmed myself). The Spica sample from the article can be found via Google. The sample never gained a sufficient reputation, so SmartScreen + WDAC ISG could easily block it also as 0-day.
The user could be infected only when ignoring/bypassing the SmartScreen or WDAC alert. Such a scenario is probable when the user is a child or a happy clicker. It can be prevented by setting <SmartScreen Block> = ON, in WHHLight. But, this will require more attention & help from the "home administrator".
(Smart App Control set to OFF)
https://malwaretips.com/threads/goo...w-spica-backdoor-malware.128457/#post-1072430
https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/
Attack Flow:
PDF lure document (encrypted) ----> emails ----> link to the cloud storage ---> malware downloaded/executed by the user (EXE file)
The malware uses PowerShell to obtain persistence. It is unclear from the article if the malware uses a PS1 script. If so, then the script will be blocked by default SWH settings.
Anyway, the main protection can be applied by SmartScreen or WHHLight WDAC settings. In both cases, this particular malware is blocked (confirmed myself). The Spica sample from the article can be found via Google. The sample never gained a sufficient reputation, so SmartScreen + WDAC ISG could easily block it also as 0-day.
The user could be infected only when ignoring/bypassing the SmartScreen or WDAC alert. Such a scenario is probable when the user is a child or a happy clicker. It can be prevented by setting <SmartScreen Block> = ON, in WHHLight. But, this will require more attention & help from the "home administrator".
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
- Apr 24, 2016
- 7,249
In WDAC blocked events for EXE and DLL files I have one blocked event that fills the log every minute:
Anything I can do about that block?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
We talked about that block some time ago:
https://malwaretips.com/threads/tes...new-hardening-application.125082/post-1053743
The WebClient (WebDav) service is unsafe and currently deprecated by Microsoft. If you want to avoid the WebClient blocks in the log, you can try disabling this service.
Last edited:
- Apr 24, 2016
- 7,249
You have a better memory than I have
I have now disabled the WebClient service and hope that that will be the end of those blocks
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
I have now disabled the WebClient service and hope that that will be the end of those blocks
Disabling WebClient is probably a good idea. I am not sure which applications can use WebClient (maybe SharePoint or Messenger). I think that it is also possible to configure the involved application to skip WebClient (WebDav).
Last edited:
- Apr 24, 2016
- 7,249
I couldn't find the involved application, so if disabling WebClient works then that is okay for me.
If not, the search continues...
No other blocks with SWH and WDAC enabled, WHH Light is working great here
- Apr 16, 2017
- 2,604
@Gandalf_The_Grey , sidenote: on my win10 Windows Firewall Control WFC by default blocks microsoft.sharepoint.exe from connecting, so I assume it is not considered a necessary ms windows component...?
- Apr 24, 2016
- 7,249
IMO not a necessary Windows component for home users, but I have seen it as part of OneDrive and it is used by Teams (for work or school).
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
SharePoint and OneDrive are usually bundled in Microsoft 365 subscriptions:
https://www.microsoft.com/en-us/microsoft-365/sharepoint/compare-sharepoint-plans
SharePoint does what OneDrive can do, and more. Both support WebDav as an option (additional configuration required), for example:
https://www.techstream.at/en/how-to-access-onedrive-via-webdav/
If I correctly remember, it is also possible to set up the computer to sync SharePoint files when using OneDrive for Business (WebDav not required).
As Gandalf_The_Grey already mentioned, SharePoint is integrated with Microsoft Teams - the files shared in Microsoft Teams are stored in SharePoint Online.
https://www.microsoft.com/en-us/microsoft-365/sharepoint/compare-sharepoint-plans
SharePoint does what OneDrive can do, and more. Both support WebDav as an option (additional configuration required), for example:
https://www.techstream.at/en/how-to-access-onedrive-via-webdav/
If I correctly remember, it is also possible to set up the computer to sync SharePoint files when using OneDrive for Business (WebDav not required).
As Gandalf_The_Grey already mentioned, SharePoint is integrated with Microsoft Teams - the files shared in Microsoft Teams are stored in SharePoint Online.
- Aug 16, 2021
- 232
hey @Andy Ful thanks so much for this!
i'd previously had SWH on my 3 pc's
personal desktop
personal laptop
wfh laptop
but have replaced for hybrid hardening light today as a test....
the first 2 i have no issues
personal desktop
personal laptop
but my wfh laptop (im constantly powershelled (pwsh) 7.4.1 into my works rmm system for api calls, and noticed straight away after running hybrid light, my powershell was in "constrained language mode" and unable to run any of my api scripts using some custom powershell modules, even after whitelisting various paths...... the only way around it for me was to disable "SWH"
which then worked, but i then have to remember to re-enable "SWH" when im done running my API / Scripts
which tbh is too much like hard work....... I'll likely go back to using SWH as i could run pwsh without being blocked with "constrained language"
(understand this is about script signing) but, while i want hybrid hardening and your latest protections......... is there anyway to get around this without disabling SWH of WHHlight totally?
i'd previously had SWH on my 3 pc's
personal desktop
personal laptop
wfh laptop
but have replaced for hybrid hardening light today as a test....
the first 2 i have no issues
personal desktop
personal laptop
but my wfh laptop (im constantly powershelled (pwsh) 7.4.1 into my works rmm system for api calls, and noticed straight away after running hybrid light, my powershell was in "constrained language mode" and unable to run any of my api scripts using some custom powershell modules, even after whitelisting various paths...... the only way around it for me was to disable "SWH"
which then worked, but i then have to remember to re-enable "SWH" when im done running my API / Scripts
which tbh is too much like hard work....... I'll likely go back to using SWH as i could run pwsh without being blocked with "constrained language"
(understand this is about script signing) but, while i want hybrid hardening and your latest protections......... is there anyway to get around this without disabling SWH of WHHlight totally?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
Yes, WHHLight is not designed for the use of PowerShell in daily work.
This will be possible in the WHH full version (I will finish it in a few months).
- Aug 16, 2021
- 232
again, thanks for your amazing work!
really is just my work machine suffering, ill hold out for WHH full my personal machines have noticed no change .... (but I know deep down they are safer!)
really is just my work machine suffering, ill hold out for WHH full
my personal machines have noticed no change .... (but I know deep down they are safer!)Is it possible to add autocheck and auto update functionality in the background.
For example the installer will add a script or small program that checks for updates everyday and auto downloads the new binaries.
For example the installer will add a script or small program that checks for updates everyday and auto downloads the new binaries.
Similar threads
