Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,899
With WDAC - ON:

1. If you get a SmartScreen alert, it means ISG allowed the file, right?
2. If you get a WDAC alert, you can run the file with the "Run by SmartScreen" feature, and it'll show an alert for a malicious or unrecognized file, right?

I guess WDAC shows alerts for installers but not for DLLs, correct?

SmartScreen is integrated into WDAC ISG. So, the file with MOTW gets the SmartScreen reputation, and the file without MOTW gets the reputation from AI in the cloud.
If the reputation cannot be obtained (no Internet), the file is blocked. After the first execution, the reputation is remembered locally.

RunBySmartscreen forces SmartScreen for EXE/MSI files (custom MOTW is attached), so WDAC ISG will allow execution if SmartScreen allows it.
If you use the IAC setting, then the execution via RunBySmartscreen is always blocked, even if WDAC ISG allows the file.
 

rashmi

Level 17
Jan 15, 2024
838
SmartScreen is integrated into WDAC ISG. So, the file with MOTW gets the SmartScreen reputation, and the file without MOTW gets the reputation from AI in the cloud.
If the reputation cannot be obtained (no Internet), the file is blocked. After the first execution, the reputation is remembered locally.
I have requested @Shadowra to test WHHLight. Should I ask him to run the files blocked with the "Run by SmartScreen" feature?
Does it re-perform the reputation check when the internet is available and you re-execute the file?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,899
I will ask him to perform the "Run by SmartScreen" for blocked files, as the help file suggests, or the user may attempt it.

When WDAC is enabled, the "Run By SmartScreen" is suggested when the user intentionally tries to install the application and the installer is blocked by WDAC. This will not happen frequently (usually when the installer is executed from the flash drive). I think that in the test, the "Run By SmartScreen" can be used for cracks.
In many cases, the attack will use EXE/MSI files disguised as something else (like a PDF or DOC document), and then using "Run By SmartScreen" does not make sense. The attackers can also execute EXE/MSI files via scripts, shortcuts (MOTW bypass), etc.

Using "Run By SmartScreen" for all blocked EXE/MSI files will not test WDAC ISG, but only Windows SmartScreen + MOTW bypass prevention + DLL hijacking prevention. Of course, such a test could also be interesting.
 

rashmi

Level 17
Jan 15, 2024
838
Using "Run By SmartScreen" for all blocked EXE/MSI files will not test WDAC ISG, but only Windows SmartScreen + MOTW bypass prevention + DLL hijacking prevention. Of course, such a test could also be interesting.
What do you mean by "blocked files" here? I mean, how would the SWH (ON) + WDAC (ON) + LOLBins (FirewallHardening) setup block EXE/MSI files (@Shadowra runs) without using WDAC ISG?
 

rashmi

Level 17
Jan 15, 2024
838
The text, or fifth point, of video 3 in the first post, "Forced SmartScreen applied via WDAC ISG," confused me.

You mention "SmartScreen has limitations with files from USB/archiver/etc."
You then provide an on-demand solution, the "Run by SmartScreen" feature.
You continue with, "I'll show how to force SmartScreen." I thought WDAC would automatically apply SmartScreen.

I got confused when all I saw was, "Your organization used WDAC to block this app." I was like, where is the "forced" SmartScreen, which would allow these programs?

So, "Forced SmartScreen applied via WDAC ISG" means "blocking" files from "USB/archiver/etc." that would be otherwise allowed.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,899
The text, or fifth point, of video 3 in the first post, "Forced SmartScreen applied via WDAC ISG," confused me.

You mention "SmartScreen has limitations with files from USB/archiver/etc."
You then provide an on-demand solution, the "Run by SmartScreen" feature.
You continue with, "I'll show how to force SmartScreen." I thought WDAC would automatically apply SmartScreen.

Forced SmartScreen applied via WDAC ISG means that Microsoft integrated two different features: SmartScreen for Explorer and ISG cloud AI.
The first is a well-known file reputation lookup for executables originating from the Internet Zone (files with MotW).
The second is based on Microsoft ISG cloud AI (file does not need MotW).
Both work in the cloud and WDAC can ask them for a positive file reputation when the file is executed (mainly for EXE, DLL, and MSI).
The integration means that SmartScreen reputation is mainly taken in the first place (for files with MotW the ISG AI is skipped).

You continue with, "I'll show how to force SmartScreen." I thought WDAC would automatically apply SmartScreen.
I got confused when all I saw was, "Your organization used WDAC to block this app." I was like, where is the "forced" SmartScreen, which would allow these programs?

In point 5. of the video, the files are executed from the flash drive (cannot have MotW, ignored by SmartScreen):

[attached screenshot: 1741950128755.png]
 
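The two explanations above (the reputation flow for files with and without MotW, and the USB case in point 5 of the video) can be checked on a real file. The following PowerShell script is an added example, not code from WHHLight or from Andy Ful's tools: it reads the file's Zone.Identifier alternate data stream to see whether MotW is present, reports which cloud lookup the thread says WDAC ISG would consult for it, and lists recent Code Integrity events (ID 3077 enforced block, ID 3076 audit) that name the same file. The zone numbering (3 = Internet) is the standard URLZONE table; treating zone 4 like zone 3 and the choice of a 200-event window are assumptions. It is read-only and needs an elevated prompt to read the Code Integrity log.

```powershell
# Added example (not WHHLight code): MotW inspection plus WDAC block-event lookup for one file.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [int]$MaxEvents = 200   # assumption: how far back in the CI log to look
)

# Standard URLZONE values as written into Zone.Identifier by browsers and archivers.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-MotwZoneId {
    param([string]$FilePath)
    # A FAT32/exFAT flash drive cannot hold alternate data streams, so a file copied
    # there has no Zone.Identifier and this returns $null: the "USB" case in the thread.
    try {
        $lines = Get-Content -LiteralPath $FilePath -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($l in $lines) {
        if ($l -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-IsgReputationPath {
    param([Nullable[int]]$ZoneId)
    # Decision flow as described in this thread, not a Microsoft API:
    # MotW from the Internet (or Restricted, an assumption) zone -> SmartScreen reputation;
    # no MotW -> ISG cloud AI; no reachable cloud -> blocked.
    if ($null -ne $ZoneId -and $ZoneId -ge 3) { return 'SmartScreen reputation (file has MotW)' }
    return 'ISG cloud AI reputation (no MotW); blocked if the cloud cannot be reached'
}

function Get-WdacEventsForFile {
    param([string]$FilePath, [int]$Max)
    $name = [IO.Path]::GetFileName($FilePath)
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
            Id      = 3076, 3077
        } -MaxEvents $Max -ErrorAction Stop
    } catch {
        return @()   # empty log, or not readable without elevation
    }
    $events | Where-Object { $_.Message -like "*$name*" } | ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = if ($_.Id -eq 3077) { 'blocked (enforced)' } else { 'would block (audit)' }
            Text = ($_.Message -split "`r?`n")[0]
        }
    }
}

$zone = Get-MotwZoneId -FilePath $Path
[pscustomobject]@{
    File           = $Path
    MotW           = if ($null -ne $zone) { "ZoneId=$zone ($($ZoneNames[$zone]))" } else { 'absent' }
    ReputationPath = Get-IsgReputationPath -ZoneId $zone
} | Format-List

Get-WdacEventsForFile -FilePath $Path -Max $MaxEvents | Format-Table -AutoSize
```

Running it against an installer copied to a flash drive shows "MotW: absent" next to the 3077 event for the same file name, which is the combination the screenshot in point 5 illustrates; running it against the same installer freshly downloaded into the Downloads folder shows ZoneId=3 and, if SmartScreen accepted the file, no 3077 entry.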

rashmi

Level 17
Jan 15, 2024
838
You manually apply restrictions with the tools in the WHHLight package. Why does WHHLight automatically apply restrictions or not work like the other tools?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,899
You manually apply restrictions with the tools in the WHHLight package. Why does WHHLight automatically apply restrictions or not work like the other tools?

WHHLight package is intended to work with 3rd-party AVs and other security applications. There is often no need to use all tools.
 

rashmi

Level 17
Jan 15, 2024
838
WHHLight package is intended to work with 3rd-party AVs and other security applications. There is often no need to use all tools.
I meant I can choose to enable SWH or not if WHHLight opens without applying restrictions.

How effective would you say the setup, ConfigureDefender (High) and WHHLight > SWH (ON) + SmartScreen (ON) + WDAC (ON), is for less informed users?

I'm thinking of using only WDAC (WHHLight) as an extended protection for Comodo Firewall on my system. What do you say?
 

rashmi

Level 17
Jan 15, 2024
838
I replaced Comodo Firewall with WHHLight Tools on the kids' Windows 11 Pro SSD system. Currently, I've configured CD (High) + SWH (ON) + SS (ON) + WDAC (ON). I followed your advice and disabled the USB-related setting in ConfigureDefender. I'm weighing whether to add FirewallHardening and DocumentsAntiExploit for MS Office to the configuration.

When I switch OFF and then switch ON the SWH setting, the SWH menu shows SMB123 instead of SMB1.

Before WHHLight, Hard Disk Sentinel showed the SSD health as 100%. After WHHLight, it shows the health as 99%. I believe it's because of SSD usage or writes.

I suspect Comodo Firewall was causing the mouse pad issue where the left and right clicks were intermittently not working. The issue appears to be fixed now, which is a relief.

Can I use encryption software to lock the WHHLight Tools folder on the desktop?

What are your suggestions to not corrupt or ensure proper configurations?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,899
I meant I can choose to enable SWH or not if WHHLight opens without applying restrictions.

When you open WHHLight for the first time, it automatically applies the default restrictions.

How effective would you say the setup, ConfigureDefender (High) and WHHLight > SWH (ON) + SmartScreen (ON) + WDAC (ON), is for less informed users?

It is not for less informed users. However, the less informed user can become more informed after reading the help and documentation included in the WHHLight package.
The effectiveness can depend on some other factors. The overall protection rate is similar to Microsoft Defender + Smart App Control, Comodo Firewall (Proactive profile) + Microsoft Defender, or Kaspersky (paid) with @harlan4096 settings.

I'm thinking of using only WDAC (WHHLight) as an extended protection for Comodo Firewall on my system. What do you say?

Attack vectors like DLL hijacking, macros, or weaponized shortcuts can skirt around Comodo Auto-containment. However, Comodo Firewall + Microsoft Defender (or any good AV) can prevent/detect/block almost all attacks at home. Adding something else can improve the protection a little, but the setup will be overcomplicated.
Adding WHHLight (SWH OFF, WDAC ON) can mainly improve the prevention of DLL hijacking. After enabling SWH, protection against weaponized shortcuts and some fileless attacks will also be added.
 

rashmi

Level 17
Jan 15, 2024
838
When you open WHHLight for the first time it automatically applies the default restrictions.
Okay, the WHHLight basic configuration means it verifies the Windows default configuration or features state for WHHLight requirements, right?

It is not for less informed users. The overall protection rate is similar to Microsoft Defender + Smart App Control, Comodo Firewall (Proactive profile) + Microsoft Defender, or Kaspersky (paid) with @harlan4096 settings.
Yes, I meant the overall effectiveness of the setup in terms of protection for less informed users.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,899
Okay, the WHHLight basic configuration means it verifies the Windows default configuration or features state for WHHLight requirements, right?

Yes, something like that. After applying the WHHLight settings (default or more restrictive), the user can restore the Windows default values of those settings.

[attached screenshot: 1742327753826.png]
 

rashmi

Level 17
Jan 15, 2024
838
I have CD and WHHLight on an HDD and SSD system. On SSD, I have configured SWH (ON), SS (ON), WDAC (ON), and CD (High). On HDD, I have configured SWH (ON), WDAC (ON), and CD (High) with the "warn" setting and "prompt" for sample submission.

On SSD, the CD log shows:
Microsoft Defender Antivirus Real-time Protection feature configuration has changed.
Feature: Network Inspection System
Configuration: 1

On HDD, the CD log shows:
Microsoft Defender Antivirus Real-time Protection feature configuration has changed. 6:52:11 AM
Feature: Network Inspection System
Configuration: 0

Microsoft Defender Antivirus Real-time Protection feature configuration has changed. 6:52:08 AM
Feature: Network Inspection System
Configuration: 1

On the SSD system, under Core isolation, the following feature is turned off. Should I turn it on?
Kernel-mode Hardware-enforced Stack Protection
Prevents attacks that substitute return addresses in kernel-mode memory to launch harmful code.
 
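The two "Network Inspection System" entries quoted in the post above are Microsoft Defender event ID 5004 ("real-time protection feature configuration has changed") from the Microsoft-Windows-Windows Defender/Operational log. The script below is an added example, not part of ConfigureDefender or WHHLight: it parses the Feature/Configuration lines out of such messages and flags a feature that flipped between two values within a short window, the pattern seen on the HDD system (1 at 6:52:08, then 0 at 6:52:11). Reading Configuration 0/1 as off/on, the 60-second window, and the sample timestamps are assumptions; the two sample messages are constructed to match the quoted entries and are used when the live log is not available.

```powershell
# Added example (not ConfigureDefender/WHHLight code): parse Defender 5004 events and find flips.
function ConvertFrom-DefenderFeatureEvent {
    param([datetime]$Time, [string]$Message)
    # Pull "Feature: <name>" and "Configuration: <n>" out of the multi-line event text.
    $feature = $null; $config = $null
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*Feature:\s*(.+?)\s*$')       { $feature = $Matches[1] }
        elseif ($line -match '^\s*Configuration:\s*(\d+)') { $config  = [int]$Matches[1] }
    }
    if ($null -eq $feature) { return $null }
    [pscustomobject]@{ Time = $Time; Feature = $feature; Configuration = $config }
}

function Find-FeatureFlips {
    param([object[]]$Changes, [int]$WindowSeconds = 60)
    # Report consecutive changes of the same feature that land on different values
    # within the window; a rapid on/off pair usually means a tool rewrote the setting.
    $sorted = $Changes | Sort-Object Time
    $last = @{}
    foreach ($c in $sorted) {
        if ($last.ContainsKey($c.Feature)) {
            $prev  = $last[$c.Feature]
            $delta = ($c.Time - $prev.Time).TotalSeconds
            if ($prev.Configuration -ne $c.Configuration -and $delta -le $WindowSeconds) {
                [pscustomobject]@{
                    Feature = $c.Feature
                    From    = $prev.Configuration   # assumption: 0 = off, 1 = on
                    To      = $c.Configuration
                    Seconds = [math]::Round($delta, 1)
                }
            }
        }
        $last[$c.Feature] = $c
    }
}

# Constructed sample reproducing the two HDD entries quoted in the post (date is a placeholder).
$sample = @(
    @{ Time = [datetime]'2025-03-20 06:52:08'
       Message = "Microsoft Defender Antivirus Real-time Protection feature configuration has changed.`r`n Feature: Network Inspection System`r`n Configuration: 1" },
    @{ Time = [datetime]'2025-03-20 06:52:11'
       Message = "Microsoft Defender Antivirus Real-time Protection feature configuration has changed.`r`n Feature: Network Inspection System`r`n Configuration: 0" }
)

# Prefer the live log; fall back to the constructed sample when it cannot be read.
$changes = @()
try {
    $changes = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5004 } -MaxEvents 500 -ErrorAction Stop |
        ForEach-Object { ConvertFrom-DefenderFeatureEvent -Time $_.TimeCreated -Message $_.Message } |
        Where-Object { $_ })
} catch { }
if ($changes.Count -eq 0) {
    $changes = @($sample | ForEach-Object { ConvertFrom-DefenderFeatureEvent -Time $_.Time -Message $_.Message })
}

$changes | Format-Table -AutoSize
Find-FeatureFlips -Changes $changes -WindowSeconds 60 | Format-Table -AutoSize
```

On the constructed sample the flip table shows Network Inspection System going from 1 to 0 three seconds apart; on a live system the same query makes it easy to see whether the flip lines up with the moment a configuration tool such as ConfigureDefender was applied, rather than with anything unexpected.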
