SysHardener: Harden Windows Settings

Discussion in 'other anti-malware software' started by novirusthanks, Feb 26, 2018.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
An amazing and very exciting reality with NoVirusThanks is that they highly welcome suggestions and take users' interests seriously, and then actively include many of those (if not nearly all!) rapidly into their respective products, which sharply improves their effectiveness while at the same time advancing their end products to a scale on an entirely different level in comparison to many others.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
ERP v4 has a rule set for PowerShell and PowerShell ISE set to ASK.

SysHardener 1.5: bypasses easily when activating PowerShell from its menu under System Tools > PowerShell.

How is this possible? More info: SysHardener IS NOT engaged; I am testing the System Tools menu ONLY. It opens with INSTALL MODE from the ERP v4 prompt.
     
  3. guest

    guest Guest

I don't remember SH having a setting to fully block PowerShell execution (which is v5 on Win10); it can only block the old PowerShell v2 and scripts loaded by PowerShell.
     
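The distinction in the post above (blocking the legacy v2 engine versus blocking PowerShell itself) can be checked directly. The script below is an added example, not SysHardener's own code: it reports whether the PowerShell 2.0 optional feature is still present, tries the `-Version 2` downgrade that malware uses to dodge script block logging and AMSI, and offers a function to remove the feature. It assumes a Windows 10 client with the DISM optional-feature names `MicrosoftWindowsPowerShellV2Root` / `MicrosoftWindowsPowerShellV2` and an elevated session; the CLR 2.0 path check is a heuristic only.

```powershell
# Added example (not SysHardener's code): inspect and remove the legacy
# PowerShell 2.0 engine. Requires an elevated session on Windows 10.

function Get-PSv2EngineState {
    # Describe whether the v2 engine can still be loaded on this machine.
    $features = Get-WindowsOptionalFeature -Online -ErrorAction Stop |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' }
    [pscustomobject]@{
        Features      = $features | Select-Object FeatureName, State
        V2Installed   = @($features | Where-Object State -eq 'Enabled').Count -gt 0
        RunningEngine = $PSVersionTable.PSVersion.ToString()
        # Heuristic (assumption): the v2 engine runs on CLR 2.0; if that runtime
        # is absent the downgrade cannot succeed even if the feature flag lingers.
        Clr2Present   = Test-Path "$env:windir\Microsoft.NET\Framework64\v2.0.50727\mscorlib.dll"
    }
}

function Test-PSv2Downgrade {
    # Spawn a child powershell.exe asking for the v2 engine and return what it says.
    # With the feature removed, the child prints an error instead of "2".
    $out = & powershell.exe -NoProfile -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>&1
    [string]($out | Select-Object -First 1)
}

function Disable-PSv2Engine {
    # Removing the root feature also removes the child feature; the v2 engine
    # ignores script block logging, AMSI and constrained language mode, so a
    # "block scripts" tweak is hollow while it stays installed.
    Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart
}

Get-PSv2EngineState | Format-List
"Downgrade attempt returned: $(Test-PSv2Downgrade)"
# Disable-PSv2Engine   # uncomment to actually remove the engine
```

Run `Get-PSv2EngineState` before and after `Disable-PSv2Engine`; the value of `Test-PSv2Downgrade` should change from `2` to an error message about .NET Framework v2.0.50727 not being installed. None of this blocks the v5 engine, which is the point made in the post above.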
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
OK, maybe I will delve some more and try another workaround. All I'm trying to do is be sure that even another NVT app like SysHardener's menu raises an alert in ERP v4, which I have yet to see happen. It probably uses a method I have not discovered yet, but I will revisit my rules and make sure both the SysWOW64 and System32 powershell/ISE are listed in the rules section for ASK only.
     
  5. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
    Suggestion

Did not find an option in the current v1.5 of NVT SysHardener yet.
Any option to add java.exe and javaw.exe to the optional blacklist, so .jar malware can be prevented from running?
Speaking of Adwind/qRAT Remote Access Trojans particularly, they cause havoc once executed (by setting autoruns, creating hundreds of registry entries, ...), and many antivirus solutions fail to prevent them (fully or at all) from infecting the system unless there are signatures in place (the initial detection rate for those .jar files is quite low in the first 24-48 h).
Obviously, once the system is successfully penetrated, the remote attacker will be able to steal data by keylogging or via file transfers, to chat with you, to monitor you with microphone and camera, to install further malware, ...

    Adwind example:
    https://www.hybrid-analysis.com/sam...66fde049a4ea71c36bfc8ad4547?environmentId=100

     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    That's what OSArmor is for.
     
  7. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
Sure, but it should be easy to do that with Windows tweaks, too?
I'm feeling quite comfortable with NVT SysH, because it does not have persistence and therefore does not cost additional resources / might not conflict with AV software (not that I expect any). It simply sets registry entries.
Just like blacklisting wscript.exe (which can be done easily by NVT SysH?)?

EDIT:
Or does it need a preinstalled JRE?
I am aware that I can un-associate .jar.
     
  8. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    OSArmor is like a feather, no, it's like an atom of a feather! It's THIS light! Really, this program should come with Windows by default! Check everything you can that doesn't cause false positives or exclude them if they're a few, set and forget, great protection! And it's FREE!
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
I have several 32-bit apps that I have used for several years, and they sometimes use scripts (such as to auto-print the date in a notepad app). So I want SysHardener to NOT interfere with my apps when they use scripts. I will let OSA do that job because it allows exclusions, whereas SysHardener does not.

I installed SysHardener with just its default settings*. I then unchecked all those settings which mentioned scripts, as far as I could tell. However, SysHardener still blocked those apps using batch scripts.

    QUESTION: Can someone please give me a list of ALL the default settings that I need to uncheck in order to enable scripts with SysHardener?
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    *I have to stick to defaults because I am by NO means a security guru.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Open SysHardener > Tweaks (at the top) > Unselect All > Apply Selected > Restart machine.

    [I think]
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    What about the setting for "Unassociate .BAT file extension"? Is it ticked? If it is, undo that setting and reboot. It should be unticked by default, if I remember right.
     
  12. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
For some file extensions, restoring them may require something slightly more thorough than just using "assoc .bat=batfile" (as an example), which is what SysHardener does.

    Best to use this:

    https://www.tenforums.com/tutorials/8703-restore-default-file-type-associations-windows-10-a.html (scroll down)

    https://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html
     
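The exchange above (a batch-file app stops working, "Unassociate .BAT" is suspected, and `assoc .bat=batfile` may not be enough) is easier to settle by reading what `.bat` currently resolves to in each registry layer. The script below is an added example, not SysHardener's code or the tutorials' steps: it reports the machine-wide, per-user and Explorer UserChoice mappings for `.bat`, compares the machine-wide ones against the stock Windows values (`batfile` and `"%1" %*`, which is what the Win7/Win10 defaults are), and can rewrite the machine-wide mapping. Assumes an elevated session for the restore; the UserChoice key is read only, since it is hash-protected.

```powershell
# Added example (not SysHardener's code): inspect and restore the .bat file
# association across the layers Windows consults. Restore needs elevation.

$StockProgId  = 'batfile'
$StockCommand = '"%1" %*'

function Get-BatAssociation {
    # HKLM:\SOFTWARE\Classes is the machine-wide view, HKCU:\Software\Classes can
    # shadow it per user, and Explorer's UserChoice overrides both for double-click.
    $r = [ordered]@{}
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        $ext = Get-ItemProperty -Path "$hive\.bat" -ErrorAction SilentlyContinue
        $r["$hive\.bat"] = if ($ext) { $ext.'(default)' } else { '<missing>' }
        $cmd = Get-ItemProperty -Path "$hive\batfile\shell\open\command" -ErrorAction SilentlyContinue
        $r["$hive\batfile open command"] = if ($cmd) { $cmd.'(default)' } else { '<missing>' }
    }
    $uc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\UserChoice'
    $r['UserChoice ProgId'] = (Get-ItemProperty -Path $uc -ErrorAction SilentlyContinue).ProgId
    # Healthy only when the machine-wide mapping matches stock; a missing .bat key
    # (what "Unassociate" produces) or an empty command both show up here.
    $r['MachineWideStock'] = ($r['HKLM:\SOFTWARE\Classes\.bat'] -eq $StockProgId) -and
                             ($r['HKLM:\SOFTWARE\Classes\batfile open command'] -eq $StockCommand)
    [pscustomobject]$r
}

function Restore-BatAssociation {
    # Equivalent of "assoc .bat=batfile" plus the open command that assoc alone
    # does not touch, and removal of any per-user shadow of the extension key.
    New-Item -Path 'HKLM:\SOFTWARE\Classes\.bat' -Force | Out-Null
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.bat' -Name '(default)' -Value $StockProgId
    New-Item -Path 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command' -Force | Out-Null
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command' -Name '(default)' -Value $StockCommand
    Remove-Item -Path 'HKCU:\Software\Classes\.bat' -Recurse -ErrorAction SilentlyContinue
    Get-BatAssociation
}

Get-BatAssociation | Format-List
# Restore-BatAssociation   # uncomment to put the stock mapping back
```

If `MachineWideStock` is already `True` but batch files still do not launch, the cause is not the association tweak, and the other SysHardener options (or an Explorer UserChoice pointing at a different ProgId) are the next thing to look at.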
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
Just a reminder to anyone who has upgraded their Win10 machine to 1809: you may want to re-run SysHardener.
     
  14. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    41
    Location:
    Poland
Another rock-solid one is Registry Guard from NVT (I wonder why it is never mentioned); good as an addition to OSArmor and ERP, though I have some issues with ESET being blocked despite setting exclusions.

Back on topic: it would be great if you updated SysHardener with a lot more policy rules. On its own it is very good, but there is room for better security, especially through group policy. In addition:
- close the default Win 7-10 open/listening ports (49152, 49153, 49154, 49155, 49157, 49159; a pain in the ass to do manually; by the way, if you updated your port scanner to have the option to close ports it would be awesome),
- some netsh commands like Netsh int ipv4 set global reassemblylimit=0,
- UseLogonCredential=0,
- DisallowRun "1"="powershell_ise.exe" "2"="powershell.exe" "3"="cmd.exe",
- ink, DCOM hardening,
- stop the WinHTTP Web Proxy Auto-Discovery Service,
- randomize the network adapter name,
- disable admin shares / CD autoruns (autoruns are not blocked well by SH according to AVZ by Oleg),
- task scheduler,
- protection of the registry settings issued by SH,
- block common exes exploited by hackers (calc.exe etc.),
and so on and so forth; endless possibilities, and I am looking forward to new features.
     
    Last edited: Oct 4, 2018
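The `DisallowRun` entries listed in the post above are the same Explorer policy that would serve the earlier request to blacklist java.exe/javaw.exe (and wscript.exe) without a resident driver. The script below is an added example, not SysHardener's code: it writes the policy under the current user, lists it back, and removes it. It assumes the documented layout of `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` (DWORD `DisallowRun`=1 plus a `DisallowRun` subkey with string values named "1", "2", ...). The caveat a later post raises is real and worth stating here: the list is enforced by the Explorer shell only (double-click, Run dialog, Start menu), so a process started from cmd.exe, a script host, an Office macro or a renamed copy of the binary is not stopped; AppLocker or Software Restriction Policies are the mechanism for an actual deny list.

```powershell
# Added example (not SysHardener's code): manage the Explorer DisallowRun policy.
# Per-user (HKCU), no elevation needed; Explorer reads it at logon, so restart
# explorer.exe or sign out to apply.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'DisallowRun'

function Set-DisallowRunList {
    param([Parameter(Mandatory)][string[]]$Executables)
    New-Item -Path $ListKey -Force | Out-Null
    # Clear whatever is there so the effective list is exactly what was passed in.
    foreach ($name in @((Get-Item $ListKey).Property)) {
        Remove-ItemProperty -Path $ListKey -Name $name
    }
    $i = 1
    foreach ($exe in $Executables) {
        # Value names are consecutive integers; data is the bare file name, not a path,
        # which is why a renamed copy of the binary walks straight past the policy.
        New-ItemProperty -Path $ListKey -Name $i -Value $exe -PropertyType String | Out-Null
        $i++
    }
    Set-ItemProperty -Path $PolicyKey -Name 'DisallowRun' -Value 1 -Type DWord
}

function Get-DisallowRunList {
    if (-not (Test-Path $ListKey)) { return @() }
    $item = Get-Item $ListKey
    @($item.Property) | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

function Remove-DisallowRunPolicy {
    Remove-Item -Path $ListKey -Recurse -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $PolicyKey -Name 'DisallowRun' -ErrorAction SilentlyContinue
}

Set-DisallowRunList -Executables 'java.exe', 'javaw.exe', 'wscript.exe'
Get-DisallowRunList
# Bypass check (not run here): after a sign-out, double-clicking a .jar is refused,
# but `cmd /c java -jar x.jar` or a copy named java2.exe still runs.
```

Because the list is matched on file name alone and only by Explorer, treat it as a speed bump against the double-click-the-attachment case, not as an execution control.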
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    On recent versions of Windows 10, registry guard is not quite as important, because the OS itself will reject any kernel-mode driver that is not co-signed by Microsoft, unless you disable safe boot.
     
  17. 142395

    142395 Guest

IDK why you specifically mention these ports. If you mean outbound, I think there are more ports one may want to block. But blocking many ports can cause trouble. Also, from my eye, your other tweaks except for WinHttpAutoProxySvc don't substantially increase security, e.g. reassemblylimit is about DoS, DisallowRun can be trivially bypassed, the admin share is disabled by default in recent Windows, etc. I understand SH is intended for the average user, so tweaks in the product should meet two conditions: (i) don't cause trouble for most users (though they can be default-disabled if they do), and (ii) substantially increase security (I have a bit of a question regarding some settings there about (ii), though). As you said, there are too many tweaks, so if you want to change them efficiently, write your own script (your firewall rules can also be set by a short script). There are some publicly available scripts as well, but I don't recommend them, as they may cause trouble unless you understand all of the tweaks there, and often they don't eliminate deprecated tweaks.
     
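The advice above (know what a port is before blocking it, and set firewall rules from a short script rather than by hand) can be followed with two functions. This is an added example, not code from either poster or from SysHardener: the first joins every TCP listener to its owning process and, for svchost, the services it hosts, so the 49152-49159 range from the earlier post can be seen for what it is on a stock install (RPC dynamic endpoints owned by services such as wininit, lsass and the Schedule/EventLog svchost groups); the second creates one inbound block rule for a list of ports, scoped to the Public profile so domain and home networks keep working. Assumes Windows 8/10 with the NetTCPIP and NetSecurity modules and elevation for the firewall change.

```powershell
# Added example (not SysHardener's code): audit listening ports, then block a
# port list inbound on the Public profile only. Elevation needed for the rule.

function Get-ListeningPortOwners {
    # One row per TCP listener with the owning process and hosted services.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)" |
                Select-Object -ExpandProperty Name
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            Pid          = $conn.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Services     = ($svc -join ',')
        }
    } | Sort-Object LocalPort, LocalAddress
}

function Block-InboundPorts {
    # Replaces any rule of the same name so re-running is idempotent; -WhatIf
    # previews the change. Public profile only: blocking RPC dynamic ports on a
    # domain or private network breaks remote management (WMI, RPC, event log).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int[]]$Ports,
        [string]$Name = 'Hardening: block inbound dynamic RPC (Public)'
    )
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $Name
    }
    if ($PSCmdlet.ShouldProcess(($Ports -join ','), 'New-NetFirewallRule')) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $Ports -Profile Public -Enabled True | Out-Null
    }
}

Get-ListeningPortOwners | Format-Table -AutoSize
Block-InboundPorts -Ports 49152,49153,49154,49155,49157,49159 -WhatIf
```

Run the audit first; the dynamic range is allocated at boot, so the exact numbers differ between machines and between reboots, which is also why a fixed port list is a weak way to express "no inbound RPC": a rule keyed on the service (`-Service` or `-Program`) or simply the default inbound-block posture of the Public profile covers it without the list.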
  18. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    41
    Location:
    Poland
@142395 I generally agree with you. Also thanks for the information. About ports, it's my fetish somehow; I know you need a firewall (software + hardware). To conclude: most of the stuff in SH will break stuff for most users, as is mentioned by SH itself (depending on severity: marked in yellow or in red); most of the SH tweaks can be bypassed too, I believe, as it's just a bunch of tweaks that can be reverted; there is no protection for them, and this is a flaw. SH also patches deprecated stuff as well. I also don't use Win 10 (some programs only work correctly in Win 10) unless I really have to, so admin$ shares are not disabled by default in my case. For me personally, I don't mind SH adding more tweaks to the list, both universal to all users and more particular. The more the better, but perhaps more quality tweaks and less general mumbo jumbo, yes (that's why I asked Andreas to add them). I am also writing my own script, but I'd like professionals with some reputation to do it for me, since I might have missed something and I don't fully trust myself.
     
    Last edited: Oct 5, 2018
  19. 142395

    142395 Guest

    Mostly agreed, and I also don't trust myself.:)
    I just didn't know SH had caused so many troubles. Admittedly I haven't tracked all conversation here.
     
  20. guest

    guest Guest

SH doesn't cause problems by itself; it is the users who just click on options without even knowing what they are and do.
SH is just a big PowerShell script with a GUI.
     
  21. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    CMD + Powershell script :)

That said, I'm also disappointed by SysHardener's few options; there are just sooooooooooooooooooooooooooooo many things you can tweak on a Windows 10 PC for security, and SysHardener doesn't even begin to scratch them. Here are some of them: https://pastebin.com/u/TairikuOkami , https://www.hardenwindows10forsecurity.com
     
  22. guest

    guest Guest

    Indeed

I know @TairikuOkami; he doesn't use Win10 Pro, he uses Win10 Crippled Edition :p
     
  23. 142395

    142395 Guest

Ah..., I should have read the thread before I spoke. But it seems what lucidstorm and you said reinforces my point: if users change options even though they don't understand what they are, a potentially problematic tweak should not be included even as an option. Maybe they'll ignore whatever warning or hiding there is. I remember when I published my scripts in a thread, some users reported problems to me. This is why I won't publish these scripts any more.

Though IDK what exactly the Crippled Edition is, when I tweak the OS/programs, one of the things I mostly care about is not to lower security by doing so. There are at least some such 'dangerous' tweaks, and I guess not a few people do them without thorough understanding because they do not necessarily cause a visible problem. One should change things only after he/she understands what they are, and only when confident of solving any problem by themselves. Though hardenwindows10 is good as a reference, I personally don't recommend anyone to just copy these published tweaks nor blindly apply any published script.
     
    Last edited by a moderator: Oct 6, 2018
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
Actually, you don't have to understand what you're doing. Better if you do, but it's OK if you don't. If something doesn't work, simply revert the tweak that caused it; no need to know what the tweak does as long as you know which tweak caused it, using the one-by-one divide-and-conquer approach. Easy.
     
  25. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
Well, you don't have to use everything he does; I use some of his things plus some of mine.
     