Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Why doesn't H_C want to open?

Did you read the General help in WHHLight?

Which application do you want to use?
If your choice is H_C, then run WHHLight and restore Windows defaults (from the Menu). Next, run H_C and configure it. Do not run WHHLight in the future.
If your choice is WHHLight, then run it (it will remove the H_C settings automatically). Do not run H_C in the future.

In theory, one could use both H_C and SWH (I use such a setup in malware testing), but it is unnecessary and would be very inconvenient. For example, your current setup is a mess of SRP and WDAC. The WDAC settings are not visible in H_C. The option <Forced SmartScreen> is OFF, but should be 'Standard User', etc.
 
I'm French, I don't understand all, I think... But I understand many things... I will try to read... Thank you!
 
Is this translation OK? :)

Which application do you want to use?
  • If your choice is H_C, run WHHLight and restore the Windows defaults (from the menu). Next, run H_C and configure it. Do not run WHHLight again in the future.
  • If your choice is WHHLight, run it (it will remove the H_C settings automatically). Do not run H_C in the future.

*************************

Software incompatibilities:
  1. WHHLight is a simplified version of WindowsHybridHardening. Both versions of WindowsHybridHardening share some resources and settings, so they should not run together.
  2. The WHHLight SRP settings can conflict with SRP introduced via the Group Policy Object (GPO) available in the Windows Pro, Education and Enterprise editions. Before using WHHLight, SRP must be removed from the GPO.
  3. WHHLight will also conflict with any software that uses SRP, but such applications are rare (CryptoPrevent, SBGuard, AskAdmin). Before using WHHLight, the conflicting application must be uninstalled.
  4. If the user has installed Hard_Configurator (SimpleWindowsHardening), applying the WHHLight restrictions can change the settings. It is therefore not recommended to use WHHLight together with Hard_Configurator (SimpleWindowsHardening).
  5. WHHLight is not intended to work with AppLocker policies enabled.
 
Many thanks for all the work on this software and this translation!
 
@Andy Ful Does WHHLight automatically remove Windows hard configurator? Or should I uninstall that first? Forgive my silly question, I just wanted to make sure.

WHHLight does not remove the installation files of H_C - it only removes the H_C restrictions and applies the new ones.
You can uninstall H_C or keep it on disk as well. But I do not recommend running H_C when you use WHHLight, otherwise, you must remember to rerun WHHLight to restore its settings.
 
Thanks for the reply. Is H_C better than or equal to WHHLight?
 
When will Whhfull be available? Is it gonna be as configurable as Simple Windows Hardening (e.g. turn off Windows hardening reg tweaks)?
 
Hi @Andy Ful! Finally, I made up my lazy mind to try WHHLight yesterday. With SWH configured everything is great as usual but enabling WDAC made my PC really slow at launching most apps including Windows Explorer when it's run for the first time after booting the system. Is this expected with ISG? The time it takes for ISG to verify files is much longer.
 
Do you use the default WDAC Whitelist?
ISG can slow launching non-Microsoft applications, but in most cases, it happens when you run the application for the first time. If the application is accepted then it is marked (in the kernel) as OK, and it is not checked again. But, this scenario applies only to the files on the NTFS drives. For example, files on the flash drives (FAT32) are not marked, so they are checked at any time (if launched by the user).
The issue related to Windows Explorer can be somehow rooted in Microsoft Defender. Currently, I test WHHLight with Avast and there are no slowdowns. The issue can also be caused by interactions with 3rd party security.
Please let me know if you have suggestions about that issue.
 
WHHLight vs. SmartScreen bypass via the URL shortcut
(Smart App Control set to OFF)


The bypass was patched by Microsoft a few months ago. The articles refer to the samples hunted before this patch.


Attack flow:
URL shortcut ----> malicious file downloaded without MOTW (SmartScreen bypass) ----> file is executed without SmartScreen check


Without the bypass, the file would be downloaded with MOTW (Mark of the Web), and the file could be executed with SmartScreen check.
It is worth noting that this bypass is not a bypass of Forced SmartScreen implemented in Hard_Configurator and WHHLight.

In the H_C Recommended Settings, the file will be initially blocked, and the user must use "Install By SmartScreen" to run the downloaded file. But then, the custom MOTW is always added to the file and the file is executed with SmartScreen check.

In WHHLight the file will be executed first without SmartScreen check. However, in WHHLight the SmartScreen is used as a smart whitelisting method for WDAC ISG. So, this SmartScreen bypass will always increase the protection level of WHHLight. The file will be blocked, so the user will apply "Run By SmartScreen" to manually bypass the WDAC ISG block. As in the case of H_C, the MOTW is always added to the file and the file will be checked by SmartScreen.
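
A defender-side check for the condition described in the post above, added here as an illustration (it is not code from the post, from Hard_Configurator or from WHHLight): it parses the Zone.Identifier stream that carries the MOTW and lists files that lack a web-zone mark. The sample streams are constructed, and treating ZoneId 3 and 4 as the web zones is an assumption of this example.

```python
import configparser

def read_motw(path):
    """Raw text of the file's Zone.Identifier stream, or None if absent.
    The stream is an NTFS alternate data stream; FAT32 cannot store it."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def parse_zone_id(stream_text):
    """Return the integer ZoneId from a Zone.Identifier stream, else None."""
    if not stream_text:
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(stream_text)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def classify(stream_text):
    zone = parse_zone_id(stream_text)
    if zone is None:
        return "no-motw"          # the state the bypass leaves a download in
    # Assumption: zones 3 (Internet) and 4 (Restricted) count as "from the web".
    return "motw-web" if zone >= 3 else "motw-local"

def audit(streams):
    """Names of files that carry no web-zone MOTW."""
    return sorted(n for n, s in streams.items() if classify(s) != "motw-web")

# Constructed sample data: file name -> Zone.Identifier content (None = no stream).
SAMPLES = {
    "setup_normal.exe": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/a.exe\r\n",
    "setup_bypassed.exe": None,
    "tool_from_share.exe": "[ZoneTransfer]\nZoneId=1\n",
    "corrupt_stream.exe": "ZoneId=3\n",   # missing section header -> treated as no MOTW
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(name, classify(SAMPLES[name]))
```

On Windows, `read_motw(path)` supplies the stream text for a real file on an NTFS volume; pass its result to `classify`.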
 
Yeah, default whitelists. Is this kernel whitelist removed after a system restart? For me, application startup for non-Microsoft apps is slower after every boot.
 