Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

[screenshot attachment: MinimalFirewall error dialog]
And when I lock MinimalFirewall, why this error ? SRP Policy Scope, High or Standard, the same...
 
:)

Ha. Ha.:)
Osprey thinks that blocking the animated .gif from the researcher's article (which warns what this attack may look like) can save people from attacks in the wild.
Does it also block the .gif examples of ClickFix attacks?:)
 
For UniGetUI:
even if I have disabled or deactivated all PowerShell lines (4) in HC_Recommended in FirewallHardening.



Interesting. Is it present when you update UniGetUI or when you update one of the applications?
I never saw this strange error. Does it happen after switching OFF WHHLight (WDAC = OFF, SWH = OFF) and removing FirewallHardening restrictions (Windows restart required)?
 
dronefox1166,

I have a proposition. Disable all my applications and experiment with other tools until you establish the right config. Use it for a month to see that it works without issues (also issues related to software updates). Next, apply WHHLight (but no ConfigureDefender and FirewallHardening) and use/adjust the settings for a month. If everything works flawlessly, we will think about applying additional security layers.
Currently, your setup is too complex, and I am not sure what is happening. Complex config requires analysis of Log events.
 
Ha. Ha.:)
Does it also block the .gif examples of ClickFix attacks?:)
Of course not. :) Osprey only blocks URLs through the browser. I accessed the URL you posted with the .gif as an example just out of curiosity, knowing it was a demonstration of how a ClickFix attack works. What I found funny was that when you click on the URL and the browser loads the page, Osprey doesn't block the gif immediately; there's a delay, and you can still see the gif running when the researcher clicks on the blue button to open the file in Explorer, and that's when Osprey blocks the gif URL. Obviously, it's just a coincidence. Your tools block these ClickFix attacks because they open PowerShell. At least on my computer and laptop, PowerShell is blocked by the Windows Hybrid Hardening Light tool. (y)
 
Post updated.

WHHLight package + UniGetUI

  1. UniGetUI is set to use only WinGet. Chocolatey and others are disabled (may use PowerShell scripts).
  2. WHHLight, ConfigureDefender, and FirewallHardening set to max settings.

UniGetUI works well and can update without any issues. Most applications update well, except for the following:
  • applications that use Windows scripts (can be blocked by SWH restrictions or FirewallHardening),
  • applications that use LOLBins from the Microsoft Recommended BlockList (Wmic, Mshta, etc. are blocked by WDAC),
  • not so popular applications (can be blocked by Defender ASR rule or WDAC ISG).
Most blocks can be avoided when releasing WDAC restrictions (by using the default WDAC Whitelist).

For example, from my 18 applications, UniGetUI successfully updated 17. One update failed (WinSCP) due to WDAC ISG - in max settings, the WDAC Whitelist is empty. This block could be avoided when using the default WDAC Whitelist.

******** WDAC blocked events for EXE and DLL files ********
***********************************************************

Event[0]:
Event Id = 3077
Local Time: 2025/06/26 15:47:42
Attempted Path = %UserProfile%\AppData\Local\Temp\UniGetUI\ElevatedWinGetTemp\WinGet\WinSCP.WinSCP.6.5.2\download.exe
Parent Process = C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.26.400.0_x64__8wekyb3d8bbwe\winget.exe
PolicyName = UserSpace Lock
UserWriteable = true

***********************************************************
***********************************************************
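The block report quoted above is easier to triage in bulk than one event at a time. The following is an added example (not part of the WHHLight package or this post) that parses that exact text layout into records and summarizes them by parent process and by whether the blocked file sat in a user-writeable location. The sample report is constructed: it contains the WinSCP event quoted above plus two made-up events to exercise the grouping; the function names and the `is_package_manager_staging` heuristic are assumptions of this example, not WHHLight features.

```python
"""Parse the plain-text 'WDAC blocked events for EXE and DLL files' report format
shown in the post and summarize it for quick triage.  Added example; the report
layout is copied from the post, the extra events and helper names are invented."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample report: event 0 is the WinSCP block quoted in the post;
# events 1 and 2 are made up to show grouping and the UserWriteable flag.
SAMPLE_REPORT = r"""
******** WDAC blocked events for EXE and DLL files ********
***********************************************************

Event[0]:
Event Id = 3077
Local Time: 2025/06/26 15:47:42
Attempted Path = %UserProfile%\AppData\Local\Temp\UniGetUI\ElevatedWinGetTemp\WinGet\WinSCP.WinSCP.6.5.2\download.exe
Parent Process = C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.26.400.0_x64__8wekyb3d8bbwe\winget.exe
PolicyName = UserSpace Lock
UserWriteable = true

Event[1]:
Event Id = 3077
Local Time: 2025/06/26 16:02:10
Attempted Path = %UserProfile%\Downloads\setup_example.exe
Parent Process = C:\Windows\explorer.exe
PolicyName = UserSpace Lock
UserWriteable = true

Event[2]:
Event Id = 3077
Local Time: 2025/06/26 16:05:33
Attempted Path = C:\Windows\System32\wmic.exe
Parent Process = C:\Windows\explorer.exe
PolicyName = LOLBin Block (constructed name)
UserWriteable = false

***********************************************************
"""

_HEADER = re.compile(r"^Event\[(\d+)\]:\s*$")
# Field lines use either "Key = value" or "Key: value"; the key is letters/spaces only.
_FIELD = re.compile(r"^([A-Za-z ]+?)\s*[=:]\s*(.*)$")


@dataclass
class BlockedEvent:
    index: int
    event_id: int
    local_time: str
    attempted_path: str
    parent_process: str
    policy_name: str
    user_writeable: bool


def _to_event(fields):
    """Convert one parsed Event[...] section into a BlockedEvent."""
    return BlockedEvent(
        index=fields["index"],
        event_id=int(fields["Event Id"]),
        local_time=fields["Local Time"],
        attempted_path=fields["Attempted Path"],
        parent_process=fields["Parent Process"],
        policy_name=fields["PolicyName"],
        user_writeable=fields["UserWriteable"].strip().lower() == "true",
    )


def parse_report(text):
    """Parse the report text into a list of BlockedEvent, in file order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            current = {"index": int(header.group(1))}
            sections.append(current)
            continue
        # Skip separators, blank lines and anything before the first Event[...] header.
        if current is None or not line or line.startswith("*"):
            continue
        field = _FIELD.match(line)
        if field:
            current[field.group(1).strip()] = field.group(2).strip()
    return [_to_event(s) for s in sections]


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def is_package_manager_staging(event):
    """Heuristic (assumption of this example): the blocked file was an installer
    staged into Temp by winget, as in the WinSCP event above."""
    return basename(event.parent_process).lower() == "winget.exe" and "\\temp\\" in event.attempted_path.lower()


def summarize(events):
    """Counts a user would look at first when deciding whether a block is a false positive."""
    return {
        "total": len(events),
        "user_writeable": sum(1 for e in events if e.user_writeable),
        "by_parent": dict(Counter(basename(e.parent_process).lower() for e in events)),
        "by_policy": dict(Counter(e.policy_name for e in events)),
        "package_manager_staging": [e.index for e in events if is_package_manager_staging(e)],
    }


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for e in parsed:
        print(f"[{e.index}] {e.local_time} {e.policy_name}: {basename(e.attempted_path)} <- {basename(e.parent_process)}")
    print(summarize(parsed))
```

Blocks whose parent is winget.exe and whose path is under Temp are the ones the post attributes to the empty WDAC whitelist in max settings; seeing them grouped makes it obvious when switching to the default WDAC Whitelist would resolve them, while blocks of system LOLBins from a non-writeable path are the ones you want to keep.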
 
Be aware of other possible variants of the FileFix attack:

[screenshot: the original FileFix example with modified text]


In the above picture, I used the original example with modified text.
I found out that the attacker can use a well-known keyboard shortcut (Windows Key + E) to open File Explorer (no need to abuse the Web browser upload functionality).

Edit
Unfortunately, Windows has implemented a few other shortcuts that can be abused (like "Windows Key + x" and next "i").😰
Sadly, many users are vulnerable to such trivial attacks.
 
WHHLight vs. Rainbow Hyena attacks (Polyglot Files)

Once the victim double-clicked the attachment, Windows treated it as a compressed folder exposing a single shortcut.

The shortcut’s icon mimicked a contract update, but its target invoked PowerShell with hidden-window parameters, searching the disk for the parent polyglot and launching it through rundll32.exe.

A benign spreadsheet was simultaneously extracted to %TEMP% and opened, masking the compromise with an authentic-looking document.

Infection chain:
Email with Polyglot attachment ---> invisible DLL + Shortcut with PowerShell CmdLine ----> LOLBin runs invisible malicious DLL

I am always surprised how often the new attack methods are easily prevented by 20-year-old simple hardening methods.
WHHLight blocks Shortcuts (SWH restrictions) in UserSpace and fully prevents infection.
 
@Andy Ful, could you integrate ConfigureDefender and FirewallHardening into the WHHLight interface for convenient access, similar to H_C?

I could. However, objectively speaking, this would not be more convenient.
Currently, you have one shortcut on the Desktop that gives direct access to ConfigureDefender and FirewallHardening (without running WHHLight) via a folder opened in File Explorer. Why would you want to choose a longer path and run WHHLight first, and then ConfigureDefender or FirewallHardening?
The H_C installation folder contains many files, so finding ConfigureDefender or FirewallHardening in the opened folder would be rather inconvenient.
 
I could. However, objectively speaking, this would not be more convenient.
Currently, you have one shortcut on the Desktop that gives direct access to ConfigureDefender and FirewallHardening (without running WHHLight) via a folder opened in File Explorer. Why would you want to choose a longer path and run WHHLight first, and then ConfigureDefender or FirewallHardening?
The H_C installation folder contains many files, so finding ConfigureDefender or FirewallHardening in the opened folder would be rather inconvenient.
I always start with WHHLight first, as it would block the most or more than others, right? It would then be more convenient to access other tools from the WHHLight interface. I can simply create a WHHLight link in Biniware Run rather than minimizing windows and reaching the desktop.

Can you safely pin WHHLight or H_C icons to the taskbar?

Does WHHLight apply less hardening than H_C, as WHHLight includes WDAC?
 
I always start with WHHLight first, as it would block the most or more than others, right? It would then be more convenient to access other tools from the WHHLight interface. I can simply create a WHHLight link in Biniware Run rather than minimizing windows and reaching the desktop.

The solution would be adding ConfigureDefender and FirewallHardening to Biniware Run.

Can you safely pin WHHLight or H_C icons to the taskbar?

Yes. You can use the right-click Explorer context menu to pin any executable to the taskbar (Properties >> Show more options >> Pin to taskbar) or create the shortcut on the Desktop.

Does WHHLight apply less hardening than H_C, as WHHLight includes WDAC?

Less SRP hardening for EXE and MSI files (covered by WDAC).

Edit.
For now, I like the idea of a WHHLight package of a few independent tools, instead of the WHHLight application with integrated tools. This has some pros and cons.
I do not exclude the possibility of integration in the future.:)
 
The solution would be adding ConfigureDefender and FirewallHardening to Biniware Run.
Then, it would be the same—reaching the desktop vs. reaching the Biniware Run icon—to access "each" WHHLight tool.

Yes. You can use the right-click Explorer context menu to pin any executable to the taskbar (Properties >> Show more options >> Pin to taskbar) or create the shortcut on the Desktop.
WHHLight shows another instance/icon on the taskbar when you access the pinned one. Could you explain why?

Less SRP hardening for EXE and MSI files (covered by WDAC).
So the SRP blocking/hardening experience would be more or less the same with both WHHLight and H_C except for EXE and MSI files. Correct? WHHLight has a slight advantage in the sense that you get additional cloud reputation with WDAC.

For now, I like the idea of a WHHLight package of a few independent tools, instead of the WHHLight application with integrated tools. This has some pros and cons.
I agree both integrated and individual ways have pros and cons.

I do not exclude the possibility of integration in the future.:)
"We'll be getting back to you soon enough!" :)

I believe H_C/WHHLight suites, paired with their recommended tools, offer better protection than ComodoFW, Comodo's proactive configuration, disabled HIPS, and containment.
 
WHHLight shows another instance/icon on the taskbar when you access the pinned one.

The pinned EXE contains both 32- and 64-bit executables. The second icon is related to the one of them that is actually executed.

So the SRP blocking/hardening experience would be more or less the same with both WHHLight and H_C except for EXE and MSI files.

Not exactly. In H_C, additional SRP restrictions can be applied (like blocking LOLBins). It is also possible to use a less restrictive setup based on the default_allow policy.

WHHLight has a slight advantage in the sense that you get additional cloud reputation with WDAC.

In H_C, you have Forced SmartScreen, which is as effective as WDAC with the default whitelist. The WDAC advantage is visible after applying a more restricted whitelist (SUPER_SAFE, TWO_ACCOUNTS, or INSTALL_APP_CONTROL setups).
 
I believe H_C/WHHLight suites, paired with their recommended tools, offer better protection than ComodoFW, Comodo's proactive configuration, disabled HIPS, and containment.

There is no way to prove which of those solutions can offer better protection. :)
Both can be configured for strong protection at home.