Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
Gandalf_The_Grey said:
The problem is that "warn" differs from "user" that was set by the high settings of ConfigureDefender, that causes some confusion.
Click to expand...
Yes, if one can notice it. Anyway, there is no functional difference (except if one chooses to disable SmartScreen).
But all of this is logical. ConfigureDefender does some hardening and WHHLight applies additional restrictions. One cannot expect that ConfigureDefnder settings will be completely independent of WHHLight settings. :) (y)
 
  • Like
  • +Reputation
Reactions: simmerskool, Freki123 and Gandalf_The_Grey
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,600
Andy Ful said:
Yes, if one can notice it. Anyway, there is no functional difference (except if one chooses to disable SmartScreen).
But all of this is logical. ConfigureDefender does some hardening and WHHLight applies additional restrictions. One cannot expect that ConfigureDefnder settings will be completely independent of WHHLight settings. :) (y)
Click to expand...
No problem, if there is no functional difference (y)
For you it is logical, but a user might wonder what happened. 🤔
It is the first time that your programs interact like this.
 
  • Like
  • Hundred Points
Reactions: simmerskool and Andy Ful
N

NormanF

Level 8
Verified
Jan 11, 2018
355
BitDefender detects it as a Trojan and deletes the taskbar shortcut.

(ShellItem Unicode) is malware of type Heur.BZC.YAX.Pantera.14.0593876F

It needs to be fixed.

A workaround is to put the Hardening Configurator on the desktop, unblock it and drag it to the taskbar and pin it there.

Then it works but pinning it from the desktop folder to the taskbar results in the AV deleting the shortcut.
 
Last edited:
  • Like
Reactions: SeriousHoax, simmerskool and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
NormanF said:
BitDefender detects it as a Trojan and deletes the taskbar shortcut.

(ShellItem Unicode) is malware of type Heur.BZC.YAX.Pantera.14.0593876F

It needs to be fixed.

A workaround is to put the Hardening Configurator on the desktop, unblock it and drag it to the taskbar and pin it there.

Then it works but pinning it from the desktop folder to the taskbar results in the AV deleting the shortcut.
Click to expand...

What is detected, WHHLight, Hard_Configurator, or the shortcut?
Why the shortcut is on the taskbar?
 
  • Like
Reactions: SeriousHoax and simmerskool
N

NormanF

Level 8
Verified
Jan 11, 2018
355
Andy Ful said:
WHHLight vs. AppInstaller

https://malwaretips.com/threads/mic...col-handler-abused-in-malware-attacks.127972/
https://www.microsoft.com/en-us/sec...tivated-threat-actors-misusing-app-installer/

The original attacks were performed by abusing the ms-appinstaller protocol handler. This method is now patched - Microsoft disabled that protocol by default.
Anyway, a similar attack can be performed without using ms-appinstaller:

Malicious URL or email attachment (ZIP, ISO, etc.) ---> malicious MSIX package (digitally signed) ---> AppInstaller runs malware from the MSIX package.

SWH default settings in WHHLight block AppInstaller.

View attachment 280828

The blocked event can be seen in the EventViewer (System, Id = 10010).
In WHHLight the APPX and MSIX packages are blocked by Exploit Protection and not by SRP. The ExploitProtection method allows the installation of UWP apps and desktop apps from Microsoft Store. The SRP method (used in H_C and SimpleWindowsHaredening) is more restrictive and allows only UWP apps from Microsoft Store.
Click to expand...
The SRP method in H_C and SimpleWindowsHardening should be changed to allow both UWP apps and desktop apps from the Microsoft Store to be installed. There is no reason to list them as untrusted. It may be better to block apps downloaded from the Internet.
 
  • Like
Reactions: Andy Ful and simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
NormanF said:
The SRP method in H_C and SimpleWindowsHardening should be changed to allow both UWP apps and desktop apps from the Microsoft Store to be installed. There is no reason to list them as untrusted. It may be better to block apps downloaded from the Internet.
Click to expand...

This is already done in WHHLight (a continuation of SWH) via Exploit Protection, and cannot be done via SRP.

In H_C, I plan two ways of blocking AppInstaller: the current one and that from WHHLight.
The desktop apps from the Microsoft Store are not listed as untrusted but as applications that cannot auto-update in the H_C strict settings (the user Temp folder is not whitelisted). So, users should prefer installing UWP apps in those settings. Unfortunately, one does not know if the app is UWP until it is installed, so blocking desktop application in the Microsoft Store can be helpful.
 
Last edited:
  • +Reputation
Reactions: simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
NormanF said:
The Hard Configurator. BitDefender views it as a Trojan and automatically deletes it. Of course its a false positive.

I want to make changes on the fly - easy access to the app on the taskbar.
Click to expand...

Which file is detected?
Which edition of Bitdefender do you use?
 
  • Like
Reactions: simmerskool
N

NormanF

Level 8
Verified
Jan 11, 2018
355
Andy Ful said:
Which file is detected?
Which edition of Bitdefender do you use?
Click to expand...
I run BitDefender Endpoint Security Tools.

The Security Console Antimalware reports:

On-Access scanning has detected a threat. The file has been deleted. C:\Users\User Name\OneDrive\Desktop\WindowsHybridHardeningLight_1011.exe - Shortcut.lnk=>(ShellItem Unicode) is malware of type Heur.BZC.YAX.Pantera.14.0593876F
 
  • Like
Reactions: simmerskool and Andy Ful
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,635
Andy Ful said:
What is detected, WHHLight, Hard_Configurator, or the shortcut?
Why the shortcut is on the taskbar?
Click to expand...
Install WHHLight, create a shortcut for the installed WHHLight exe like Pin to start, install BD and BD will detect only the shortcut as malware. It won't delete the exe.
This "Heur.BZC......" is a Bitdefender heuristic to detect shortcut malware. You may try to create a shortcut, zip the file and upload to VT to check if BD detects it. Then that would be easy for you to report as a false positive without needing to install Bitdefender on a VM.
 
  • Like
Reactions: simmerskool and Andy Ful
N

NormanF

Level 8
Verified
Jan 11, 2018
355
SeriousHoax said:
Install WHHLight, create a shortcut for the installed WHHLight exe like Pin to start, install BD and BD will detect only the shortcut as malware. It won't delete the exe.
This "Heur.BZC......" is a Bitdefender heuristic to detect shortcut malware. You may try to create a shortcut, zip the file and upload to VT to check if BD detects it. Then that would be easy for you to report as a false positive without needing to install Bitdefender on a VM.
Click to expand...

Yup. But when the WHHLight.exe is moved to the desktop and then dragged to the taskbar and pinned there, its not recognised as malware and removed.
That only happens when the app is launched from within the folder and pinned to the taskbar, the AV antimalware comes to life and removes it. Don't know why the difference in behaviour is manifested. The shortcut is the same apart from the location.
 
  • Like
Reactions: simmerskool and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
NormanF said:
I run BitDefender Endpoint Security Tools.

The Security Console Antimalware reports:

On-Access scanning has detected a threat. The file has been deleted. C:\Users\User Name\OneDrive\Desktop\WindowsHybridHardeningLight_1011.exe - Shortcut.lnk=>(ShellItem Unicode) is malware of type Heur.BZC.YAX.Pantera.14.0593876F
Click to expand...

So, your custom-made shortcut on the taskbar is detected.
I am afraid that there will be a problem. From my experience with Bitdefender, they require the installation of the concrete Bitdefender AV, and ask which concrete Bitdefender feature produces the issue. Another problem is that the issue does not happen due to the WHHLight installation, but due to the user's custom actions and Bitdefender treatment of shortcuts on the taskbar.
Such issues cannot be solved via false positive submissions, but via the developer channel. Unfortunately, it seems that Bitdefender does not use such a channel.
 
  • +Reputation
Reactions: simmerskool
N

NormanF

Level 8
Verified
Jan 11, 2018
355
Andy Ful said:
So, your custom-made shortcut on the taskbar is detected.
I am afraid that there will be a problem. From my experience with Bitdefender, they require the installation of the concrete Bitdefender AV, and ask which concrete Bitdefender feature produces the issue. Another problem is that the issue does not happen due to the WHHLight installation, but due to the user's custom actions and Bitdefender treatment of shortcuts on the taskbar.
Such issues cannot be solved via false positive submissions, but via the developer channel. Unfortunately, it seems that Bitdefender does not use such a channel.
Click to expand...

To be fair, you're not to blame. Its not easy to know what situation can trigger a false positive and its annoying when legitimate security software gets flagged as malicious. I mean its ridiculous to delete just the shortcut while the app itself is still on the PC.
 
  • Like
Reactions: simmerskool, SeriousHoax and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
NormanF said:
To be fair, you're not to blame. Its not easy to know what situation can trigger a false positive and its annoying when legitimate security software gets flagged as malicious. I mean its ridiculous to delete just the shortcut while the app itself is still on the PC.
Click to expand...

Yes. In your case, Bitdefender did not flag that application as malicious, but recognized as malicious the creation of the shortcut on the taskbar.
Interestingly, the shortcut created by the WHHLight installer was allowed by Bitdefender, but the shortcut created by you was detected as malicious.

It would be interesting to copy another legal executable the the WHHLight folder and try to create a similar shortcut. If it is blocked, then the issue follows from Bitdefender's detection of shortcuts.
 
  • Like
Reactions: simmerskool, oldschool and SeriousHoax
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,635
Maybe WHHLight.exe's reputation (not seen by BD on enough endpoints) is somehow making Bitdefender detect the shortcut? I don't know how it works. In my case, the shortcut was already created and then a system restart after installing Bitdefender triggered the detection at startup. I'll try to reproduce the scenario on my VM and let you know if I can.
Edit: Reproduced.
1.png2.jpg
 
Last edited:
  • Like
Reactions: simmerskool, oldschool and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
SeriousHoax said:
Maybe WHHLight.exe's reputation (not seen by BD on enough endpoints) is somehow making Bitdefender detect the shortcut? I don't know how it works. In my case, the shortcut was already created and then a system restart after installing Bitdefender triggered the detection at startup. I'll try to reproduce the scenario on my VM and let you know if I can.
Edit: Reproduced.
View attachment 281574View attachment 281575
Click to expand...
Did you try the same with another legal EXE (not from WHHLight tools) copied to the WHHLight folder?
 
  • Like
Reactions: simmerskool, oldschool and SeriousHoax

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
22,064
Hard_Configurator Tools
South Park
South Park
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
494
General Security Discussions
Andy Ful
Andy Ful
SpyNetGirl
    • +Reputation
    • Like
    • Hundred Points
New Update Advanced Windows hardening with WDAC - Windows Defender Application Control
Replies
50
Views
6,260
Other security for Windows, Mac, Linux
SpyNetGirl
SpyNetGirl

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top