Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,716
Am I overthinking this??

Yes, you are. :)
When you run WHHLight for the first time it applies the default configuration. Simply close WHHLight and restart Windows (as suggested in the closing alert).
Do not tweak WHHLight until you understand how the current settings work. The WHHLight Manual (PDF document) provides useful information - you can find it in the WHH_Tools folder.

Edit.
Did you encounter any blocks?

simmerskool

Level 39
Verified
Top Poster
Well-known
Apr 16, 2017
2,849
:ROFLMAO: Thanks, I read through the help(s) a second time and that helped, and I ended up doing exactly what you advised before I read your post. For now I left WDAC off (I'll probably dream about this tonight and understand it tomorrow :ROFLMAO:). Even with eyeglasses my eyesight is problematic, and the popup help info is a struggle for me to read, with no copy and paste.
PS: no blocks yet; performance speed is very fast. Correction: the CD had 2 blocks and FWH had about a dozen, but all the same thing; it looked like some sort of MS telemetry. WHHL-specific blocks: not aware of any yet, but I'm not looking for malware.

Andy Ful

even with eyeglasses my eyesight is problematic and the popup help info is a struggle for me to read & no copy and paste.

Did you try to use Windows Magnifier?
To quickly turn on Magnifier, press the Windows logo key + Plus sign (+). To turn off Magnifier, press the Windows logo key + Esc.

Another way to improve display is to use a high resolution with Scale = 125% or 150%. However, such a solution must be tested to confirm that all your applications are properly displayed (older applications may not).

simmerskool

Good info, thanks re the magnifier. Meanwhile, how about a plain text file with help info (there's a readme but it did not say much)? That way I could edit it with notes to myself, e.g. see MT URL... but I need to read more about WDAC and have an app to use it with; now I do. Today I booted Linux for peace of mind :D

simmerskool

Did you read the "WHHLight Manual"?
Huh, was it included with the download WindowsHybridHardeningLight_2001_beta3.exe? I'm using a Linux VM, but I don't recall seeing it in the Windows folder. Maybe it's a separate DL on GitHub. I do see the file readme.md; is that the manual? I sorta skimmed it the other day thinking it will DL with WHHL, or maybe it is in the WHHL Windows folder? I just copied and pasted the text from the GitHub web page. But Andy, using the app should just be intuitive :ROFLMAO: Just kidding, I totally appreciate your apps and all your effort here.

EDIT: ...but clearly the use of WDAC is NOT as easy as ABCD, see e.g. (it starts to give me a headache; perhaps that is why it is switched OFF in WHHL as default...)

Andy Ful

After the installation, you can see the WHH_Tools shortcut on the Desktop. When you click on the shortcut, the folder (C:\ProgramData\WindowsHybridHardening_Tools) containing all tools and manuals opens. You should easily see it if you can see and execute the "WindowsHybridHardeningLight_2001" executable. :)

Andy Ful

EDIT ...but clearly the use of WDAC is NOT as easy as ABCD, see eg (it starts to give me a headache -- perhaps why it is switched OFF in WHHL as default...)
Normally it is. But with WHHLight it is much easier. Anyway, you should not apply WDAC immediately. Wait until you are certain how your applications work with the default settings.
Next, you can apply WDAC, but do not remove the default folders from the WDAC Whitelist.

I do not recommend more tweaks unless one understands well all the information included in the manual. Of course, you can experiment in the VM with a custom WDAC Whitelist; this cannot kill the system. Simply, some applications will be (partially) blocked and require whitelisting. At any time, you can simply switch off WDAC to get the current settings. (y)
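A way to check what WDAC is actually doing before and after you touch the whitelist, as an added PowerShell example (mine, not WHHLight's code and not from Andy's post): it reads the code-integrity enforcement state from the Win32_DeviceGuard WMI class and lists the files reported in the Microsoft-Windows-CodeIntegrity/Operational log as event 3077 (blocked by an enforced policy) or 3076 (audit mode, would have been blocked). The field names 'File Name' and 'Process Name' are those of the Windows 10/11 event schema, which I assume here; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of WHHLight: report WDAC enforcement state and the files
# WDAC blocked (or would block in audit mode), so the WDAC Whitelist can be adjusted
# from evidence instead of guesswork. Assumes the default Windows 10/11 event schema.

function Get-WdacEnforcementState {
    # Win32_DeviceGuard exposes the policy state: 0 = off, 1 = audit, 2 = enforced
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $map = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        # user-mode enforcement is the one that matters for application control
        UserModePolicy   = $map[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        KernelModePolicy = $map[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-WdacBlockedFiles {
    param([int]$Days = 7)
    # 3077 = blocked by an enforced policy, 3076 = audit-only ("would have been blocked")
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # pull the named EventData fields out of the event XML
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $file = ($data | Where-Object { $_.Name -eq 'File Name' }).'#text'
        $proc = ($data | Where-Object { $_.Name -eq 'Process Name' }).'#text'
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 3077) { 'Blocked' } else { 'AuditOnly' }
            File    = $file
            Process = $proc
        }
    }
}

Get-WdacEnforcementState
Get-WdacBlockedFiles | Sort-Object File -Unique | Format-Table -AutoSize
```

Run Get-WdacEnforcementState after switching WDAC on or off in WHHLight and after the restart; if UserModePolicy still reads Off, the policy is not in effect yet. The blocked-file list tells you which binary or folder needs to go on the WDAC Whitelist. Script files that WDAC refuses (PowerShell, WSH) are logged separately, in Microsoft-Windows-AppLocker/MSI and Script, as events 8028 (audit) and 8029 (blocked).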

simmerskool

Well yes, the shortcut was on the desktop, and yes, it did put the files in ProgramData, but I do not recall a manual opening? So then the manual is a file in the ProgramData folder? (I'm still running Linux today, but will boot the Win10 VM with the WHHL installation later today.) Thanks.
PS: WHHL sure seemed to update the registry with only SWH [ ON ] (default). (I understood about run_by_smartscreen; I've been using that for a while.)

Andy Ful

WHHLight vs. Horus Protector

Overview

HORUS Protector is a newly identified malware distribution service designed as a Fully Undetectable (FUD) crypter that can bypass many antivirus (AV) protections. It delivers a range of dangerous malware strains, including AgentTesla, Remcos, Snake, NjRat, and the SNAKE Keylogger, using sophisticated obfuscation techniques such as encoded Visual Basic scripts (VBE) packed inside .zip archives.

This service is mainly distributed through cybercrime platforms like Telegram, where threat actors sell subscription-based plans, making advanced malware propagation accessible even to non-expert criminals. By updating frequently and monitoring AV detections, HORUS Protector ensures that its payloads remain undetected, posing a severe risk to organizations and individuals worldwide.

  • Delivery Method:
    HORUS Protector distributes malware through .zip archives that contain VBE-encoded Visual Basic scripts, which initiate the infection process once executed. Upon activation, these scripts establish communication with command-and-control (C2) servers to download additional payloads.
  • Target:
    Both corporate organizations and individual users are vulnerable to this malware, especially when phishing emails or malicious download links are used.

Obfuscation Techniques:
HORUS Protector employs various techniques to evade detection, including:
  • VBE-encoded scripts to launch payloads.
  • Registry manipulation to store and execute payloads in segments (e.g., segment1, segment2, etc.).
  • Process hollowing to inject malware into legitimate processes, such as MSBuild.exe.
  • Scheduled tasks to execute malicious scripts persistently.

Attack flow:
Phishing email -> ZIP archive -> VBE script -> command-and-control (C2) server -> payloads downloaded into the Windows Registry -> scheduled task created -> payloads decoded and executed filelessly

Horus Protector is a Fully Undetectable (FUD) Malware Distribution Service that is constantly updated to bypass the protection of AVs.
WHHLight blocks it via the default SWH settings (running VBE scripts is disabled).
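A quick hunt for the persistence pattern in the attack flow above, as an added PowerShell example (mine, not from WHHLight or the quoted writeup): it lists scheduled tasks whose action launches a script host (wscript, cscript, mshta, powershell) on a script file or runs MSBuild.exe, and walks the registry for values named segment1, segment2, ... that hold a payload-sized blob. The writeup does not say which registry keys Horus Protector writes to, so the roots in $RegistryRoots and the size threshold are my assumptions. Run it elevated on a Windows host; the recursive registry walk can take a few minutes.

```powershell
# Added example, not WHHLight code: hunt for the persistence described in the
# Horus Protector attack flow (scheduled task -> script host -> payload chunks in
# the registry). Registry roots and size threshold are assumptions, not from the writeup.

function Find-ScriptHostTasks {
    # Scheduled tasks whose action runs a script host on a script file, or MSBuild.exe
    # (named in the writeup as the process-hollowing target)
    $hosts   = '(?i)\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b'
    $scripts = '(?i)\.(vbe|vbs|js|jse|wsf|hta|ps1)\b'
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # only Exec actions carry Execute/Arguments; COM-handler actions do not
            if (-not $action.Execute) { continue }
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $isScriptHost = ($cmd -match $hosts) -and ($cmd -match $scripts)
            $isMsBuild    = $cmd -match '(?i)\bmsbuild(\.exe)?\b'
            if ($isScriptHost -or $isMsBuild) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Author  = $task.Author
                    Command = $cmd
                }
            }
        }
    }
}

function Find-RegistryPayloadSegments {
    param(
        [string[]]$RegistryRoots = @('HKCU:\Software', 'HKLM:\SOFTWARE'),  # assumption
        [int]$MinBytes = 512                                               # assumption
    )
    foreach ($root in $RegistryRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                # the writeup describes payloads stored as segment1, segment2, ...
                if ($name -notmatch '^segment\d+$') { continue }
                $value = $key.GetValue($name)
                $size  = if ($value -is [byte[]]) { $value.Length } else { ([string]$value).Length }
                if ($size -ge $MinBytes) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $name; Size = $size }
                }
            }
        }
    }
}

Find-ScriptHostTasks         | Format-Table -AutoSize
Find-RegistryPayloadSegments | Format-Table -AutoSize
```

Hits are leads, not verdicts: plenty of legitimate tasks run PowerShell scripts, so compare the task author and the script path against what you actually installed. On a WHHLight machine with the default SWH settings the .vbe stage should not run at all, but a hunt like this is how you confirm nothing was planted before the hardening was applied.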

Andy Ful

WHHLight ver. 2.0.0.1

This version is the same as the latest beta3, so users who installed the beta version can skip the new one.
The beta version is without bugs (so far), so I promoted it to the stable version.
Can be installed over previous versions.

What is new (compared to ver. 1.1.1.1):
  • SWH settings can now be selectively controlled from the menu.
  • Added two new ASR rules to ConfigureDefender.
  • Some corrections in the help files and manual.

porkpiehat

Level 7
Verified
Well-known
May 30, 2015
306
Hi @Andy Ful, I'm running 'CruelComodo'. Just wondering whether there will be any conflict if I run ConfigureDefender=Max and WHHLight 2.0.0.1?
It may be overkill, but if there are no issues then it can't hurt, can it?
Just looking to plug any potential holes for better overall security.

Andy Ful

In theory, this setup should work after adding the WHHLight application folder (C:\ProgramData\WindowsHybridHardening_Tools) to "Ignored" in the Comodo Auto-containment settings. But as with any overkill, after some time something will not work as intended and there will be a problem identifying the source of it. If you want to maximize the protection, it would be better to tweak the Comodo Firewall, for example:
https://malwaretips.com/threads/comodos-killer.133558/post-1115317

porkpiehat

So, if I remove WHHLight, would ConfigureDefender - Max still be a more viable option to strengthen Defender with CFW?

Andy Ful

When using CFW in @cruelsister's settings + Microsoft Defender, you can use ConfigureDefender with HIGH settings. It is not necessary to apply MAX settings (overlaps with Comodo's Cloud Lookup).