Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
The problem is that "warn" differs from "user" that was set by the high settings of ConfigureDefender, that causes some confusion.
Yes, if one can notice it. Anyway, there is no functional difference (except if one chooses to disable SmartScreen).
But all of this is logical. ConfigureDefender does some hardening and WHHLight applies additional restrictions. One cannot expect that ConfigureDefender settings will be completely independent of WHHLight settings. :) (y)
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,593
Yes, if one can notice it. Anyway, there is no functional difference (except if one chooses to disable SmartScreen).
But all of this is logical. ConfigureDefender does some hardening and WHHLight applies additional restrictions. One cannot expect that ConfigureDefender settings will be completely independent of WHHLight settings. :) (y)
No problem, if there is no functional difference (y)
For you it is logical, but a user might wonder what happened. 🤔
It is the first time that your programs interact like this.
 

NormanF

Level 8
Verified
Jan 11, 2018
353
BitDefender detects it as a Trojan and deletes the taskbar shortcut.

(ShellItem Unicode) is malware of type Heur.BZC.YAX.Pantera.14.0593876F

It needs to be fixed.

A workaround is to put the Hardening Configurator on the desktop, unblock it and drag it to the taskbar and pin it there.

Then it works but pinning it from the desktop folder to the taskbar results in the AV deleting the shortcut.
 

Andy Ful

BitDefender detects it as a Trojan and deletes the taskbar shortcut.

(ShellItem Unicode) is malware of type Heur.BZC.YAX.Pantera.14.0593876F

It needs to be fixed.

A workaround is to put the Hardening Configurator on the desktop, unblock it and drag it to the taskbar and pin it there.

Then it works but pinning it from the desktop folder to the taskbar results in the AV deleting the shortcut.

What is detected, WHHLight, Hard_Configurator, or the shortcut?
Why is the shortcut on the taskbar?
 

NormanF

WHHLight vs. AppInstaller

https://malwaretips.com/threads/mic...col-handler-abused-in-malware-attacks.127972/
https://www.microsoft.com/en-us/sec...tivated-threat-actors-misusing-app-installer/

The original attacks were performed by abusing the ms-appinstaller protocol handler. This method is now patched - Microsoft disabled that protocol by default.
Anyway, a similar attack can be performed without using ms-appinstaller:

Malicious URL or email attachment (ZIP, ISO, etc.) ---> malicious MSIX package (digitally signed) ---> AppInstaller runs malware from the MSIX package.

SWH default settings in WHHLight block AppInstaller.


The blocked event can be seen in the EventViewer (System, Id = 10010).
In WHHLight the APPX and MSIX packages are blocked by Exploit Protection and not by SRP. The Exploit Protection method allows the installation of UWP apps and desktop apps from Microsoft Store. The SRP method (used in H_C and SimpleWindowsHardening) is more restrictive and allows only UWP apps from Microsoft Store.
The SRP method in H_C and SimpleWindowsHardening should be changed to allow both UWP apps and desktop apps from the Microsoft Store to be installed. There is no reason to list them as untrusted. It may be better to block apps downloaded from the Internet.
 

Andy Ful

The SRP method in H_C and SimpleWindowsHardening should be changed to allow both UWP apps and desktop apps from the Microsoft Store to be installed. There is no reason to list them as untrusted. It may be better to block apps downloaded from the Internet.

This is already done in WHHLight (a continuation of SWH) via Exploit Protection, and cannot be done via SRP.

In H_C, I plan two ways of blocking AppInstaller: the current one and that from WHHLight.
The desktop apps from the Microsoft Store are not listed as untrusted but as applications that cannot auto-update in the H_C strict settings (the user Temp folder is not whitelisted). So, users should prefer installing UWP apps in those settings. Unfortunately, one does not know if the app is UWP until it is installed, so blocking desktop applications in the Microsoft Store can be helpful.
 

Andy Ful

The Hard Configurator. BitDefender views it as a Trojan and automatically deletes it. Of course it's a false positive.

I want to make changes on the fly - easy access to the app on the taskbar.

Which file is detected?
Which edition of Bitdefender do you use?
 

NormanF

Which file is detected?
Which edition of Bitdefender do you use?
I run BitDefender Endpoint Security Tools.

The Security Console Antimalware reports:

On-Access scanning has detected a threat. The file has been deleted. C:\Users\User Name\OneDrive\Desktop\WindowsHybridHardeningLight_1011.exe - Shortcut.lnk=>(ShellItem Unicode) is malware of type Heur.BZC.YAX.Pantera.14.0593876F
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,634
What is detected, WHHLight, Hard_Configurator, or the shortcut?
Why is the shortcut on the taskbar?
Install WHHLight, create a shortcut for the installed WHHLight exe like Pin to start, install BD and BD will detect only the shortcut as malware. It won't delete the exe.
This "Heur.BZC......" is a Bitdefender heuristic to detect shortcut malware. You may try to create a shortcut, zip the file and upload to VT to check if BD detects it. Then that would be easy for you to report as a false positive without needing to install Bitdefender on a VM.
 
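As an added example (not code from this thread or from the WHHLight project): a minimal Python parser for the Shell Link (.lnk) binary format that extracts what a shortcut actually points to, which is the data a shortcut heuristic like the one discussed above inspects. The sample shortcut is built inline by a helper; its target path and arguments are constructed values, not taken from any real system.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # header CLSID, MS-SHLLINK
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))

def _cstr(data: bytes, off: int) -> str:       # NUL-terminated ANSI string at offset
    return data[off:data.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data: bytes) -> dict:
    """Extract target path, arguments and working dir from a Shell Link (.lnk) file."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                      # skip the size-prefixed LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"target": None, "arguments": None, "working_dir": None}
    if flags & HAS_LINKINFO:                    # LinkInfo offsets are relative to its start
        size, _hdr, li_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 1:                        # VolumeIDAndLocalBasePath present
            info["target"] = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += size
    for flag, key in STRING_FIELDS:             # StringData: count-prefixed, no terminator
        if flags & flag:
            n, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += n * width
    return info

def build_sample_lnk(target: str, arguments: str) -> bytes:
    """Constructed minimal .lnk for testing: header, empty IDList, LinkInfo, arguments."""
    flags = HAS_IDLIST | HAS_LINKINFO | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"               # IDList holding only the TerminalID
    volume = struct.pack("<4I", 19, 3, 0x1234ABCD, 16) + b"OS\x00"   # VolumeID: fixed drive, label "OS"
    base = target.encode("latin-1") + b"\x00"
    body = volume + base + b"\x00"                             # empty CommonPathSuffix
    base_off = 28 + len(volume)
    linkinfo = struct.pack("<7I", 28 + len(body), 28, 1, 28, base_off, 0, base_off + len(base)) + body
    return header + idlist + linkinfo + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `parse_lnk(open("shortcut.lnk", "rb").read())` on a flagged shortcut to compare its real target and arguments with what the installer-created one carries.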

NormanF

Install WHHLight, create a shortcut for the installed WHHLight exe like Pin to start, install BD and BD will detect only the shortcut as malware. It won't delete the exe.
This "Heur.BZC......" is a Bitdefender heuristic to detect shortcut malware. You may try to create a shortcut, zip the file and upload to VT to check if BD detects it. Then that would be easy for you to report as a false positive without needing to install Bitdefender on a VM.

Yup. But when the WHHLight.exe is moved to the desktop and then dragged to the taskbar and pinned there, it's not recognised as malware and removed.
That only happens when the app is launched from within the folder and pinned to the taskbar; then the AV antimalware comes to life and removes it. Don't know why the difference in behaviour is manifested. The shortcut is the same apart from the location.
 

Andy Ful

I run BitDefender Endpoint Security Tools.

The Security Console Antimalware reports:

On-Access scanning has detected a threat. The file has been deleted. C:\Users\User Name\OneDrive\Desktop\WindowsHybridHardeningLight_1011.exe - Shortcut.lnk=>(ShellItem Unicode) is malware of type Heur.BZC.YAX.Pantera.14.0593876F

So, your custom-made shortcut on the taskbar is detected.
I am afraid that there will be a problem. From my experience with Bitdefender, they require the installation of the concrete Bitdefender AV, and ask which concrete Bitdefender feature produces the issue. Another problem is that the issue does not happen due to the WHHLight installation, but due to the user's custom actions and Bitdefender treatment of shortcuts on the taskbar.
Such issues cannot be solved via false positive submissions, but via the developer channel. Unfortunately, it seems that Bitdefender does not use such a channel.
 

NormanF

So, your custom-made shortcut on the taskbar is detected.
I am afraid that there will be a problem. From my experience with Bitdefender, they require the installation of the concrete Bitdefender AV, and ask which concrete Bitdefender feature produces the issue. Another problem is that the issue does not happen due to the WHHLight installation, but due to the user's custom actions and Bitdefender treatment of shortcuts on the taskbar.
Such issues cannot be solved via false positive submissions, but via the developer channel. Unfortunately, it seems that Bitdefender does not use such a channel.

To be fair, you're not to blame. It's not easy to know what situation can trigger a false positive and it's annoying when legitimate security software gets flagged as malicious. I mean it's ridiculous to delete just the shortcut while the app itself is still on the PC.
 

Andy Ful

To be fair, you're not to blame. It's not easy to know what situation can trigger a false positive and it's annoying when legitimate security software gets flagged as malicious. I mean it's ridiculous to delete just the shortcut while the app itself is still on the PC.

Yes. In your case, Bitdefender did not flag that application as malicious, but recognized as malicious the creation of the shortcut on the taskbar.
Interestingly, the shortcut created by the WHHLight installer was allowed by Bitdefender, but the shortcut created by you was detected as malicious.

It would be interesting to copy another legal executable to the WHHLight folder and try to create a similar shortcut. If it is blocked, then the issue follows from Bitdefender's detection of shortcuts.
 

SeriousHoax

Maybe WHHLight.exe's reputation (not seen by BD on enough endpoints) is somehow making Bitdefender detect the shortcut? I don't know how it works. In my case, the shortcut was already created and then a system restart after installing Bitdefender triggered the detection at startup. I'll try to reproduce the scenario on my VM and let you know if I can.
Edit: Reproduced.

Andy Ful

Maybe WHHLight.exe's reputation (not seen by BD on enough endpoints) is somehow making Bitdefender detect the shortcut? I don't know how it works. In my case, the shortcut was already created and then a system restart after installing Bitdefender triggered the detection at startup. I'll try to reproduce the scenario on my VM and let you know if I can.
Edit: Reproduced.
Did you try the same with another legal EXE (not from WHHLight tools) copied to the WHHLight folder?
 
