Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

The CMD or BAT script that contains the PowerShell CmdLines blocked by WDAC (SRP/AppLocker) can still run after some script modifications. Simply, the blocked PowerShell CmdLines must be moved to PS1 scripts, while invoking those PS1 scripts from CMD or BAT script (instead of blocked PowerShell CmdLines). Next, all those scripts must be stored in the whitelisted location.

Post edited.
The CMD or BAT script that contains the PowerShell CmdLines blocked by WDAC (SRP/AppLocker) can still run after some script modifications. Simply, the PowerShell content must be moved to PS1 scripts, while invoking those PS1 scripts from CMD or BAT script (instead of PowerShell CmdLines). Next, all those scripts must be stored in the whitelisted location.
WDAC blocked the Media Player Classic - Black Edition installer from running in user space.
When transferred to the whitelisted Program Files folder, it is still blocked!
 
Can you post the blocked event?
 
This is the last one in Event Viewer, but this concerns the attempt to run in user space.
Event Viewer has no mention of the attempt to run from the whitelisted Program Files or Windows folders.
Please post the events from WHHLight (use Event button).
 
I think I was also blocked in the whitelisted Program files because it tried to load something in user temp file
 

Yes, that is right. You applied a custom WDAC Whitelist where the Temp folder in the user profile is removed from the WDAC Whitelist. The default WDAC Whitelist avoids such blocks by whitelisting this folder.
It is not necessary to copy the installer into %ProgramFiles%. You can use the Explorer context menu to choose "Run By SmartScreen" (the first block will disappear).
 
Highly doubtful, unless there's some new tweak, otherwise SAC will be disabled after restart, as you can see from above posts.

You can reset while keeping files and some settings, and then you can enable it. That's what I did and it's the easiest way I know. So no need to do a clean install or a reset that wipes everything unless you really want to.
Thanks a lot for the info @oldschool. I don't think I'm going to format or reinstall Windows 11 just because of Smart App Control. I thought @Andy Ful had created some tool that activates Smart App Control without having to reset Windows 11, so I asked if it was possible. It seems that the only way to activate Smart App Control is to reset Windows 11. :)
I have just re-tested the extended reg tweak I posted a few years ago, and it works on my fresh updated Windows 24H2. I am not sure if it will work on all machines.

One has to use the CMD from the recovery environment to modify the offline registry. It is easy for people who already know it (takes about one minute), but caution is required because:
  1. The recovery environment has its own Windows system (usually placed on disk X: ).
  2. Regedit in the Recovery environment shows the Registry related to the Windows Recovery system (usually placed on disk X: ) and not the Registry related to the "normal" Windows system.
  3. Recovery environment CMD is totally different from Safe Mode CMD (different Windows systems are used).
  4. If the "normal" Windows system is installed on disk C:, it can be seen in the recovery environment as C:, D:, E:, etc. For example, on my computer, it is E:.
  5. A mistake can brick your system.
I assume that the offline system is visible in the recovery environment as C: (if not, then another letter must be used like D:, E:, F:, etc.).
It is necessary to load the offline System Registry Hive from "C:\Windows\System32\config" to "HKEY_LOCAL_MACHINE\xxxxx" (I used xxxxx as the name of the new key where the offline System Hive is loaded) and set the following keys:

HKEY_LOCAL_MACHINE\xxxxx\SYSTEM\CurrentControlSet001\Control\CI\Policy
VerifiedAndReputablePolicyState = 2

HKEY_LOCAL_MACHINE\xxxxx\SYSTEM\CurrentControlSet001\Control\CI\Protected
VerifiedAndReputablePolicyStateMinValueSeen = 2

After unloading the "xxxxx" Hive and restarting Windows, the SAC is set in Security Center to Evaluation mode and can be changed to ON.

Edit 1.
This tip is only for advanced (and careful) users. Please use it in the virtual machine until you are certain that it is applied as intended. A mistake can spoil your system.

Edit 2.
Post updated (added some more information about Windows Recovery Environment).
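The offline hive edit described above, written as a script for the Recovery Environment CMD. This is an added example, not a script from the post or from WHHLight; it assumes the two values are REG_DWORD, that the active control set is ControlSet001 (an offline SYSTEM hive has no CurrentControlSet link, and the Select key's Current value names the active set), and it uses HKLM\OfflineSys as the temporary mount name instead of "xxxxx".

```batch
@echo off
REM Added example (not from the original post): set the two SAC values in an offline SYSTEM hive.
REM Usage from the WinRE command prompt: sac_offline.cmd [drive]   e.g.  sac_offline.cmd E:
REM Assumptions: values are REG_DWORD; the active control set is ControlSet001 (checked below);
REM HKLM\OfflineSys is an arbitrary, free mount name for the loaded hive.
setlocal
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=C:"
set "HIVE=%TARGET%\Windows\System32\config\SYSTEM"
set "MOUNT=HKLM\OfflineSys"

if not exist "%HIVE%" (
    echo SYSTEM hive not found at %HIVE% - pass the drive letter of the offline Windows.
    exit /b 1
)

REM Keep a copy of the hive; copying it back undoes the change if something goes wrong.
copy /y "%HIVE%" "%HIVE%.bak" >nul || (echo Backup failed & exit /b 1)

reg load "%MOUNT%" "%HIVE%" >nul || (echo Could not load the hive & exit /b 1)

REM Stop if the active control set is not ControlSet001 (Select\Current must be 0x1).
reg query "%MOUNT%\Select" /v Current | findstr /r /c:"0x1 *$" >nul || (
    echo Active control set is not ControlSet001 - adjust the key paths before running.
    reg unload "%MOUNT%" >nul
    exit /b 1
)

reg add "%MOUNT%\ControlSet001\Control\CI\Policy" /v VerifiedAndReputablePolicyState /t REG_DWORD /d 2 /f
reg add "%MOUNT%\ControlSet001\Control\CI\Protected" /v VerifiedAndReputablePolicyStateMinValueSeen /t REG_DWORD /d 2 /f

REM Show the result before unloading so the change can be verified.
reg query "%MOUNT%\ControlSet001\Control\CI\Policy" /v VerifiedAndReputablePolicyState
reg query "%MOUNT%\ControlSet001\Control\CI\Protected" /v VerifiedAndReputablePolicyStateMinValueSeen

reg unload "%MOUNT%"
endlocal
```

The hive must be unloaded (last step) before rebooting, otherwise the file stays locked and the change is not written back.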
Thanks for your attention @Andy Ful. Although your instructions are very detailed, I don't think I'll be able to do this whole procedure because it's out of my jurisdiction; I'll probably get lost when I dig deep into the registry. Although I have a backup image of Windows 11 in case there is a problem, and in that case I can just restore this backup myself, I do not believe that I will be able to activate Smart App Control in Windows 11 this way. I wanted to keep M.Defender on Windows 11 without installing third-party antivirus; that was my intention. For now I'll keep MD + Hard Configurator, and I'll keep the M.Defender settings on High. If you have any other tips on how I can further strengthen security in MD, I'd appreciate it. ;)
 
Click-Fix attacks instead of Office Macros.

About 10 years ago, most weaponized documents used Office Macros with obfuscated PowerShell CmdLines to download and execute payloads. I even opened a special thread on MT to show how to de-obfuscate those download cradles. A few years ago, the weaponized documents became increasingly evasive, so finally, Microsoft disabled Macros by default in files downloaded from the Internet.
The attackers changed the interest to other file types like archives, disk images, shortcuts, etc. Last year, we could also see an increased interest in Click-Fix methods:

The limitation of most Click-Fix attacks is that the CmdLine cannot be too long, so it is mainly used as a download cradle (just like most Office Macros 10 years ago). The simplest and most effective prevention against cradles is blocking outbound connections of LOLBins that can download remote content (PowerShell, MSHTA, MSIEXEC, Curl, etc.). Those LOLBins (and many more) can be blocked by applying FirewallHardening.
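The outbound-block mitigation described above, done with the built-in Windows Firewall. This is an added example, not the FirewallHardening tool from the post; it covers only the four LOLBins named above (both the System32 and SysWOW64 copies), assumes default Windows install paths, and uses the rule-name prefix "LOLBinBlock" so the rules can be listed and removed again.

```batch
@echo off
REM Added example (not FirewallHardening): block outbound traffic of download-capable LOLBins.
REM Run from an elevated CMD. "lolbin_block.cmd remove" deletes the rules created here.
REM Assumptions: default Windows paths; the rule-name prefix below is not used by anything else.
setlocal
set "PREFIX=LOLBinBlock"
set "BINS=%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe"
set "BINS=%BINS% %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
set "BINS=%BINS% %SystemRoot%\System32\mshta.exe %SystemRoot%\SysWOW64\mshta.exe"
set "BINS=%BINS% %SystemRoot%\System32\msiexec.exe %SystemRoot%\SysWOW64\msiexec.exe"
set "BINS=%BINS% %SystemRoot%\System32\curl.exe %SystemRoot%\SysWOW64\curl.exe"

REM Firewall rules can only be changed from an elevated prompt; "net session" fails otherwise.
net session >nul 2>&1 || (echo Run this script from an elevated CMD. & exit /b 1)

for %%P in (%BINS%) do (
    if /i "%~1"=="remove" (
        netsh advfirewall firewall delete rule name="%PREFIX% %%P" >nul
    ) else if exist "%%P" (
        REM dir=out action=block: every remote address, port and protocol for this program.
        netsh advfirewall firewall add rule name="%PREFIX% %%P" dir=out action=block program="%%P" enable=yes profile=any >nul
        echo Blocked outbound: %%P
    )
)

REM List the resulting rules so the change can be reviewed.
netsh advfirewall firewall show rule name=all | findstr /c:"%PREFIX%"
endlocal
```

Expect legitimate uses to break too (for example scripts that fetch files with curl.exe or PowerShell), so test with the software you rely on before leaving the rules in place.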
Thanks for the information @Parkinsond. The thing is that I'm using Windows Hybrid Hardening, and I liked it for its simplicity.
I was using Windows Defender Application Control, sometimes through Windows Hybrid Hardening Light, sometimes through Windows Defender Application Control wizard, but I found application control is annoying for me; it stops unsigned executables and portable apps and I have to add to exclusions.
It was even stopping AMSI element of K and Avast, even after adding to exclusion.
However, it is less annoying than Smart App Control, which lacks any sort of whitelisting.
 
@Andy Ful How different is Windows Hybrid Hardening Light from Simple Windows Hardening? Which offers better protection?
In short, WDAC extends WHHL's protection. I chose H_C after initially considering WHHL. H_C's neat interface, complete with protections and external tool access, ensures smooth navigation. H_C, CD, and FH's simple, universal designs work for me, unlike the flat designs of WHHL or the tools. WHHL's cloud protection, WDAC, occasionally slowed my app starts and installations. I gave H_C a shot, and in no time, I was completely smitten with her, which led to a spontaneous round of H_C! 😉 Talk about Hooked_Completely! 😊
 
Personally, I prefer the simplicity of WHHL to HC; I find WDAC feasible only if using MD, as it can limit the malicious process for threats escaping MD detection, which can occur from time to time. For robust AV such as K, only using script rules by AppLocker will be sufficient.
 
... I found application control is annoying for me; it stops unsigned executables and portable apps and I have to add to exclusions.

It is a common issue related to the default-deny setup. That is why I encourage users to keep the default settings for a few months. It is hard to find a stronger and more usable solution. If default settings are OK in practice, some additional hardening may be applied. Users can always return to the usable setup.

The problem with unsigned and non-prevalent portable apps can be solved easily by keeping them in one already whitelisted folder (for example "C:\ProgramData\Portable Apps").
There are no problems with the unsigned (and not popular) software when using the default WDAC Whitelist and Run By SmartScreen.

Rarely, some executables can be blocked by Microsoft recommendations related to vulnerable executables (like some LOLBins). I noticed the blocks of Avast's AMSI-related DLL. For now, I am unsure if it is considered vulnerable by Microsoft or if the block is accidental. Anyway, scripts are blocked in WHHLight, so this block is not so important.
 
I would not consider it accidental; the AMSI-related DLL was blocked for more than one AV (Avast-AVG, K), and I am not sure about SEP.
Adding the path of the blocked DLL to the whitelist did not help.