SysHardener: Harden Windows Settings

Discussion in 'other anti-malware software' started by novirusthanks, Feb 26, 2018.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,327
    Location:
    U.S.A. (South)
    An amazing and very exciting reality with NoVirusThanks is that they highly welcome suggestions and take user's interest seriously and then actively include many of those (if not nearly all!) rapidly into their respective products which sharply improves it's effectiveness while at the same time advances their end products to a scale on an entirely different level in comparison to many others.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,327
    Location:
    U.S.A. (South)
    ERP v4 is rule set with powershell-powershell ISE to ASK

    SysHardener 1.5-Bypasses easy when activating PowerShell from it's Menu under System Tools-PowerShell.

    How is this possible? More Info-SysHardener IS NOT engaged, am testing the System Tools Menu ONLY- It opens with INSTALL MODE from ERP v4 prompt.
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,736
    Location:
    Europe then Asia
    i don't remember SH has a setting to fully block powershell execution (which is v5 on Win10), it can only block the old powershell v2 and scripts loaded by powershell.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,327
    Location:
    U.S.A. (South)
    OK-Maybe I will delve some more and try another workaround-all im trying to do is be sure even another NVT app like SysHardener's Menu raises an alert in ERP v4 which I yet to see happen. It probably uses a method I not discovered yet but will revisit my rules and make sure both SysWow + System32 poweshell/ISE are listing in the rules section for ASK only.
     
  5. DreamsandVisions

    DreamsandVisions Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    45
    Location:
    Germany
    Suggestion

    Did not find an option in current v1.5 of NVT SysHardener yet.
    Any option to add java.exe and javaw.exe to the optional Blacklist, so .jar malware can be prevented from running?
    Speaking of Adwind /qRAT Remote Access Trojans particularly, they cause havoc once executed (by setting AutoRuns, creating hundreds of registry entries,...), and many AntiVirus solutions fail preventing them (fully or at all) from system infection, unless there are signatures in place (the initital detection rate for those .jar is quite low in the first 24-48h).
    Obviously, once the system is successfully penetrated, the remote attacker will be able to steal data by keylogging or via file transfers, to chat with you, to monitor you with microphone and camera, install further malware,...

    Adwind example:
    https://www.hybrid-analysis.com/sam...66fde049a4ea71c36bfc8ad4547?environmentId=100

    Unbenannt.PNG
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    That's what OSArmor is for.
     
  7. DreamsandVisions

    DreamsandVisions Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    45
    Location:
    Germany
    Sure, but it should be easy to do that by Windows tweaks, too?
    I'm feeling quite comfortable by NVT SysH, because it does not have persistance and therefore does not cost additional resources / might conflict with AV software (not that I expect any). It simply sets registry entries.
    Just like blacklisting wscript.exe (which can be done easily by NVT SysH?)?

    EDIT:
    Or does it need preinstalled JRE?
    Am aware that I can un-associate .jar.
     
  8. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    OSArmor is like a feather, no, it's like an atom of a feather! It's THIS light! Really, this program should come with Windows by default! Check everything you can that doesn't cause false positives or exclude them if they're a few, set and forget, great protection! And it's FREE!
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,463
    Location:
    Hawaii
    I have several 32 bit apps that I have used for several years, & they sometimes use scripts (such as to auto-print the date in a notepad app). So I want SysHardener to NOT interfere with my apps when they use scripts. I will let OSA do that job because it allows exclusions whereas SysHardener does not.

    I installed SysHardener with just its default settings*. I then unchecked all those settings which mentioned scripts as far as I could tell. However, SysHardener still blocked those apps using batch script.

    QUESTION: Can someone please give me a list of ALL the default settings that I need to uncheck in order to enable scripts with SysHardener?
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    *I have to stick to defaults because I am by NO means a security guru.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,784
    Location:
    Among the gum trees
    Open SysHardener > Tweaks (at the top) > Unselect All > Apply Selected > Restart machine.

    [I think]
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    What about the setting for "Unassociate .BAT file extension"? Is it ticked? If it is, undo that setting and reboot. It should be unticked by default, if I remember right.
     
  12. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    For some file extensions, restoring them may require something slightly more thorough than just using "assoc .bat=batfile" (as an example) which is what syshardener does

    Best to use this:

    https://www.tenforums.com/tutorials/8703-restore-default-file-type-associations-windows-10-a.html (scroll down)

    https://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,784
    Location:
    Among the gum trees
    Just a reminder to anyone who has upgraded their Win10 machine to 1809, you may want to re-run SysHardener again.
     
  14. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    41
    Location:
    Poland
    another one rock solid is registry guard from NVT (wonder why never mentioned), good as addition to OS armor and ERP, however some issues with Eset being blocked despite me setting exclusions
    back on topic, would be great if u updated it syshardener with alot more policy rules, on its own is very good but there is room for better security especially through group policy, in addition close default win 7-10 open ports/listening (49152, 49153, 49154, 49155, 49157, 49159 = pain in the ass to do manually, btw. if u update your port scanner to have the option to close ports it would be awesome), some netsh commands like Netsh int ipv4 set global reassemblylimit=0, UseLogonCredential=0, DisallowRun "1"="powershell_ise.exe""2"="powershell.exe" "3"="cmd.exe", ink, dcom hardening, stop the WinHTTP Web Proxy Auto-Discovery Service, randomize network adapter name, disable admin shares/cd auto runs (autoruns are not blocked well by SH according to avz by oleg), task scheduler, protection of the registry settings issued by SH, block common exes exploited by hackers (calc.exe etc) and so on so forth -endless possibilities and looking forward to new features
     
    Last edited: Oct 4, 2018
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,500
    Location:
    Under a bushel ...
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    On recent versions of Windows 10, registry guard is not quite as important, because the OS itself will reject any kernel-mode driver that is not co-signed by Microsoft, unless you disable safe boot.
     
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
    IDK why you specifically mention these ports. If you mean outbound I think there're more ports one may want to block. But blocking many ports can cause trouble. Also from my eye your other tweaks except for WinHttpAutoProxySvc don't substantially increase security e.g. reassemblylimit is about DoS, DisallowRun can be trivially bypassed, admin share is disabled by default in recent Windows, etc. I understand SH is intented for the average user, so tweaks in the product should meat 2 conditions: (i) don't cause trouble for most user (tho it can be default-disabled if do), and (2) substantially increase security (I have a bit of question regarding some settings there about (ii) tho). As you said, there're too many tweaks so if you wanna change them efficiently write your script (your firewall rules can also be set by a short script). There're some publicly available scripts as well, but I don't recommend them as they may cause trouble unless you understand all of tweaks there and often they don't eliminate deprecated tweaks.
     
  18. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    41
    Location:
    Poland
    @Yuki2718 I generally agree with you. Also thanks for the information. About ports its my fetish somehow I know u need firewall (software+hardware), to conclude: most of the stuff in SH will break stuff for most users as it is mentioned by SH itself (depending of severity: marked in yellow or in red), most of the SH tweaks can be bypassed too I believe as its just a bunch of tweaks that can be reverted - there is no protection for them and this is a flaw. SH also patches deprecated stuff too as well. I also don't use win 10 (some programs only work correctly in win 10) unless I really have to so admin $ are not disabled by default in my case. For me personally I don't mind SH adding more tweaks to the list, both universal to all users and more particular. The more the better - but perhaps more quality tweaks and less general mumbo jumbo yes (thats why I asked Andreas to add them). I am also wiriting my own script but I'd like professionals wtih some reputation to do it for me since I might have missed something and I don't fully trust myself.
     
    Last edited: Oct 5, 2018
  19. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
    Mostly agreed, and I also don't trust myself.:)
    I just didn't know SH had caused so many troubles. Admittedly I haven't tracked all conversation here.
     
  20. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,736
    Location:
    Europe then Asia
    SH doesn't causes problems by itself, it is the users who just click on options they don't even know what they are and do.
    SH is just a big powershell script with a GUI.
     
  21. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    CMD + Powershell script :)

    That said, I'm also disappointed by syshardener's little options, there's just sooooooooooooooooooooooooooooo many things you can tweak on a windows 10 pc for security, syshardener doesn't even begin to scratch them, here's some of them: https://pastebin.com/u/TairikuOkami , https://www.hardenwindows10forsecurity.com
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,736
    Location:
    Europe then Asia
    Indeed

    i know @TairikuOkami , he doesn't uses Win10 Pro , he uses Win10 Crippled edition :p
     
  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
    Ah..., I should have read the thread before I spoke. But it seems what lucidstorm & you said reinforces my point: if user change option despite they don't understand what it is, potentially problematic tweak should not be included even as an option. Maybe they'll ignore whatever warning or hiding there is. I remember when I published my scripts in a thread, some users reported problems to me. This is why I won't publish these scripts any more.

    Tho IDK what exactly the crippled ed., but when I tweak OS/programs, one of the things what I mostly care is not to lower security by that. There're at least some such 'dengeraous' tweaks, and I guess not a few ppl do them w/out thorough understanding 'cause they do not necessarily cause visible problem. One should change things only after he/she understand what it is, and only when confident to solve any problem by him/herselves. Tho hardenwindows10 is good for a reference, I personally don't recommend anyone to just copy these published tweaks nor blindly apply any of published scripts.
     
    Last edited: Oct 6, 2018
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Actually, you don't have to understand what you're doing. Better if you do, but it's ok if you don't. If something doesn't work, simply revert the tweak that caused it, no need to know what the tweak does as long as you know which tweak caused it using the 1 by 1 divide-and-conquer approach, ez
     
  25. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Well you don't have to use everything he does, I use some things + some of mine
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.