Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

rashmi

Level 16
Jan 15, 2024
766
Why do you need to disable MD?
I use Comodo Firewall only on our systems.

I plan to replace Comodo Firewall with WHHLight Tools on the kids' system.

I reread the apps' help files and will test the following setup:
ConfigureDefender: High
FirewallHardening: LOLBins and MS Office
DocumentsAntiExploit: MS Office - ON1. Disable VBA in MS Office - ON.
WHHLight: SWH and WDAC - ON. SmartScreen BlockMode - ON.

Are there differences between WHHLight installation SWH settings and SWH default settings in the SWH menu?
 

rashmi

Are there differences between WHHLight installation SWH settings and SWH default settings in the SWH menu?
WHHLight installation and system restart
The SWH menu had:
Not Configured
Not Configured
Not Configured
High
Restricted SMB1
Unrestricted

Applied SWH default settings
The SWH menu has:
Not Configured
Restricted
Scripts
High
Restricted SMB1
Unrestricted
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,817
Are there differences between WHHLight installation SWH settings and SWH default settings in the SWH menu?

There are normally no differences, except when some policies were applied manually via another application before the installation (like in your case).

During the installation, WHHLight takes into account a predefined group of policies. It changes the "Not configured" policies to WHHLight default settings, but ignores the policies previously set to Enabled or Disabled.

The SWH Default Settings applied from the Menu reset the policies to WHHLight default values, even those previously set to Enabled or Disabled.
 

Digmor Crusher

Level 26
Verified
Top Poster
Well-known
Jan 27, 2018
1,502
I use Comodo Firewall only on our systems.

I plan to replace Comodo Firewall with WHHLight Tools on the kids' system.

I reread the apps' help files and will test the following setup:
ConfigureDefender: High
FirewallHardening: LOLBins and MS Office
DocumentsAntiExploit: MS Office - ON1. Disable VBA in MS Office - ON.
WHHLight: SWH and WDAC - ON. SmartScreen BlockMode - ON.

Are there differences between WHHLight installation SWH settings and SWH default settings in the SWH menu?
I vaguely recall some time ago someone said not to use SmartScreen Block, maybe it was Andy. That it causes too many blocking events??? Maybe Andy can clarify please.
 

Andy Ful

I vaguely recall some time ago someone said not to use SmartScreen Block, maybe it was Andy. That it causes too many blocking events??? Maybe Andy can clarify please.

SmartScreen set to Block is for restricting happy clickers (kids, elders, etc.) from manually bypassing SmartScreen alerts. That is why @rashmi wants to use this setting.
 

rashmi

There are normally no differences, except when some policies were applied manually via another application before the installation (like in your case).

During the installation, WHHLight takes into account a predefined group of policies. It changes the "Not configured" policies to WHHLight default settings, but ignores the policies previously set to Enabled or Disabled.

The SWH Default Settings applied from the Menu reset the policies to WHHLight default values, even those previously set to Enabled or Disabled.
Before installing WHHLight, I checked "Group Policy - Administrative Templates - All Settings - State" for both Computer and User Configuration. The Computer Configuration had a Windows Update policy, and the User Configuration had an Explorer policy only.

You can disable in ConfigureDefender the ASR rule "Block untrusted and unsigned processes that run from USB". It is already covered by WDAC.
Is it necessary to disable the setting?
 

Andy Ful

Before installing WHHLight, I checked "Group Policy - Administrative Templates - All Settings - State" for both Computer and User Configuration. The Computer Configuration had a Windows Update policy, and the User Configuration had an Explorer policy only.

You did not use GPO, but an application (like Hard_Configurator) or reg tweaks to apply policies directly in the Windows Registry.
Also, the policies applied by WHHLight are not visible to GPO.

Is it necessary to disable the setting?

No, but together with WDAC ISG it can produce (slightly) more false positives.
 

rashmi

You did not use GPO, but an application (like Hard_Configurator) or reg tweaks to apply policies directly in the Windows Registry.
I don't use registry tweaks or third-party optimization tools. I restore Windows with the backup software after testing a program. Anyway, I just wanted to know if there are differences between the settings. I appreciate your help and time.

No, but it can produce more false positives.
Ok, I'll disable the setting in ConfigureDefender.
 

Andy Ful

I don't use registry tweaks or third-party optimization tools.

You (or someone else) did, or you applied SRP via GPO and did not notice it when checking the applied policies.

1741722464915.png


The policies we talked about were related to Software Restriction Policies. Normally, these policies are absent in Windows.
 

rashmi

You (or someone else) did, or you applied SRP via GPO and did not notice it when checking the applied policies.

View attachment 287694

The policies we talked about were related to Software Restriction Policies. Normally, these policies are absent in Windows.
No one uses my system, and I don't use hardening or setups that silently block stuff. I have not used SRP or even Windows Standard Account.

To confirm, I restored Windows to the image I created before installing WHHLight Tools. The "Group Policy - Administrative Templates - All Settings - State" for Computer and User Configuration shows a Windows Update and an Explorer policy, respectively. Is there another place I should check?
 

Andy Ful

To confirm, I restored Windows to the image I created before installing WHHLight Tools. The "Group Policy - Administrative Templates - All Settings - State" for Computer and User Configuration shows a Windows Update and an Explorer policy, respectively. Is there another place I should check?

Look at this registry key:

1741727479336.png


This is what it looks like with WHHLight.
What does it look like in your case?
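
A way to answer that question without the Group Policy editor, as an added example that is not part of the original posts: it lists the Software Restriction Policies values stored directly in the registry. It assumes the standard SRP policy location (`Safer\CodeIdentifiers`), since the key shown in the screenshot is not preserved on this page; the function name is hypothetical.

```powershell
# Added example, not from the thread. Assumption: SRP policy values live in the
# standard Safer\CodeIdentifiers key; the thread's screenshot is not preserved.
$srpKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Readable names for the documented SRP security levels (DefaultLevel).
$levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

# Hypothetical helper: returns one object per registry value under the given key.
function Get-SrpPolicyValue {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name)
        # Decode DefaultLevel; join multi-string values such as ExecutableTypes.
        $text = if ($name -eq 'DefaultLevel' -and $levelNames.ContainsKey([int]$raw)) {
            '{0} ({1})' -f $raw, $levelNames[[int]$raw]
        } else { $raw -join ', ' }
        [pscustomobject]@{ Key = $Path; Name = $name; Kind = $key.GetValueKind($name); Value = $text }
    }
}

foreach ($path in $srpKeys) {
    $values = @(Get-SrpPolicyValue -Path $path)
    if ($values.Count -eq 0) { "No SRP values under $path"; continue }
    $values | Format-Table Name, Kind, Value -AutoSize -Wrap
    # Path, hash and other rules sit in subkeys below the security-level keys.
    Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}
```

Running it before and after installing WHHLight and comparing the two listings shows which values were already present on the restored image.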
 

rashmi

Look at this registry key:

View attachment 287695

This is what it looks like with WHHLight.
What does it look like in your case?
Currently, I'm on the restored Windows image before the WHHLight installation. I have 5 group policies: Windows Firewall (2), Microsoft Defender (1), Windows Update (1), and Explorer (1). I reverted the Windows Firewall and Microsoft Defender policies to "Not Configured" and restarted Windows before installing WHHLight.

67d0a8c7127ef.png
 

Andy Ful

Currently, I'm on the restored Windows image before the WHHLight installation. I have 5 group policies: Windows Firewall (2), Microsoft Defender (1), Windows Update (1), and Explorer (1). I reverted the Windows Firewall and Microsoft Defender policies to "Not Configured" and restarted Windows before installing WHHLight.

View attachment 287696

There are some SRP artifacts (four non-default registry values). Check also the below GPO SRP settings:

1741729872679.png
 

Andy Ful

Check also the below GPO settings:

1741733957786.png


View attachment 287701


I am unsure if those settings are included in the Microsoft Windows Security Baselines, but they were also changed before installing WHHLight. If so, you must set them to "Not configured" in GPO. Those settings will be managed via WHHLight (SWH ON/OFF). Do not apply Security Baselines after installing WHHLight, because some GPO settings can override the SWH settings (this can happen after some hours due to the GPO refresh feature).
 

rashmi

There are some SRP artifacts (four non-default registry values). Check also the below GPO SRP settings:

View attachment 287697
The setting on the system is the same as the screenshot.
Check also the below GPO settings:

View attachment 287700

I am unsure if those settings are included in the Microsoft Windows Security Baselines, but they were also changed before installing WHHLight.
The setting on the system is the same as the screenshot.

If you meant the 5 group policies, I configured them.
 

Andy Ful

Check also:

1741736170720.png


Do not apply Microsoft Windows Security Baselines after installing WHHLight, because some GPO settings can override the SWH settings (this can happen after some hours due to the GPO refresh feature).
 

rashmi

The setting on the system is the same as the screenshot.

Do not apply Microsoft Windows Security Baselines after installing WHHLight, because some GPO settings can override the SWH settings (this can happen after some hours due to the GPO refresh feature).
I'm aware of the info, as I read the apps' PDFs, help, and your GitHub page before trying WHHLight.
 
