New Update DefenderUI by VoodooShield - Turn on Hidden Security Features of Microsoft Defender

A

Azazel

Can you lower auto-reactivation to 1 minute or 30 seconds?

1715612560998.png
 
  • Like
Reactions: [correlate]

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Getting close… DefenderUI Pro / WDAC Lockdown should be ready by the weekend for sure, assuming we do not think of a cool new feature to add ;). We figured out a way to prompt the user on a WDAC block, and it is almost ready, just working out the kinks.

Here is a screenshot of what we have so far.

ss.PNG



Just for the fun of it, I created an Ai video about WDAC Lockdown. It took all of 5 minutes to write the prompt. There are actually parts of the video that are really good, but there are parts that are super bad. The dialog they created was quite good, but some of the stock video footage was silly.

 
Last edited:

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Hey Guys,

Here is the initial beta of DefenderUI Pro. If anyone is running CyberLock and wants to try this beta, you can always uninstall CyberLock, and just choose to not remove the settings and logs, then uninstall DefenderUI Pro later and reinstall CyberLock. I am curious to see if anyone thinks we should add the WDAC Lockdown feature to CyberLock. It really is not necessary, but it would not hurt to add WDAC Lockdown to CyberLock.

I am still not a huge fan of WDAC, but a lot of people swear by it, so I figured we would make a user-friendly, automated version of it. A good kernel mode driver like the one DefenderUI Pro and CyberLock uses is much more flexible, and allows developers to do tons of things they could never do with WDAC.

The WDAC Lockdown factory default policies were generated from the Microsoft WDAC Wizard are stored here: C:\Program Files\DefenderUI\Policies. Then there are also user customizable policies that are stored here: C:\ProgramData\DefenderUI\Policies. If any of the factory default policies are modified, then the user customizable policies are automatically deployed. But if there are not user customizable policies, then the factory default policies are deployed.

The WDAC Lockdown feature also includes a modified version of the Microsoft WDAC Wizard, and this modified version makes it super simple to create and modify policies for WDAC Lockdown.
If you do use the WDAC Lockdown feature, it would be best to start in Training mode for a day or so. There are only four folders that are automatically whitelisted by the factory default policies.

C:\Program Files\
C:\Program Files (x86)\
C:\WindowsApps\
C:\XboxGames\

We could have whitelisted other folders as well, but as you are aware, that can be dangerous. Besides, with the new WDAC Lockdown usability features, anything that needs to be whitelisted is automatically whitelisted, and that way we do not have to whitelist entire potentially dangerous directories. We might end up tweaking the factory policies a little, but it is probably best to stick with the policies that are recommended by Microsoft.

There are probably a few things that we need to tweak or fix, so if you guys find anything please let me know!

DefenderUIPro 1.18
SHA-256: 7dc488692ccafcca67777a5d72be2b4d6c5eb75f607fe1127200c65622fe198c


Have a great weekend!

Dan
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
BTW, the default factory policies includes the Microsoft Recommended Block rules.

If anyone is having an issue with the Microsoft Recommended Block rules blocking an item, you will probably need to use the integrated WDAC Wizard and uncheck the Merge with Recommended User Mode Block Rules and uncheck the Merge with Recommended Kernel Block Rules. You should be able to do this with either the Policy Creator or Policy Editor options, and modifying the BasePolicies… both the Audit and Enforced. It is difficult to explain, but the modified WDAC Wizard should walk you right through the process.

Better yet, you can use the Policy Editor to manually remove the specific rule, for both the Audit and Enforced BasePolicies.

Or you could just put WDAC Lockdown into training mode for now.

I am working on a feature that will automatically remove these Recommended Block Rules when the user clicks Allow. I meant to include this in the initial, but I completely forgot. It should be ready in a couple of days, possibly sooner.

Edit:
Also, there is a typo in the modified WDAC Wizard. The third line should read...

The user modified policies are stored here: C:\ProgramData\DefenderUI\Policies
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Please do not add this to VoodooShield. 🙏🙏
I am guessing that you have not tried the WDAC Lockdown feature. Am I correct? ;)

Keep in mind, this is just the first version and it is only going to get better. I am working on optimizing the allow one new item feature so that it does not refresh the policy over and over again. There are many ways to do this, but I need to think through it, then optimize the code. It should be ready soon.

Having said that, yeah, I highly doubt that we will add WDAC Lockdown to VoodooShield / CyberLock (It really is not necessary). I have other plans ;).
 

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,577

Oldie1950

Level 6
Verified
Well-known
Mar 30, 2022
283
Hello
DefenderUI Free, how do I save Custom Profile? Or does this function not work?
Click on the disk symbol, the sequence of letters that the program then creates is the user profile. If you want to use it on another computer, enter the letter sequence above in the field next to the download icon and then click on the download icon. The user profile is then adopted.
 
  • Like
Reactions: [correlate]

aldist

Level 2
Jul 22, 2020
59
Click on the disk symbol, the sequence of letters that the program then creates is the user profile.
I don't see where these "letters" are created. In the program folder, in the program interface? Can you show a screenshot?
Ad
Ahhh, I get it, the program does this online, it needs a connection to its server to do this. These letters will appear as in the screenshot, it will be something like your custom profile ID.
Ok, in what file is the profile stored, how do you load the profile into the program without internet?
cust.png
 
Last edited:

aldist

Level 2
Jul 22, 2020
59
Got it, the program stores some settings in [HKEY_LOCAL_MACHINE\SOFTWARE\DefenderUI]. Export-import of this key will allow you to switch custom profiles in offline (for effect make full restart DefUI or restart the computer).
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Correct.

Thank goodness!

What are they? And why?
I am working on a stand alone version of WDAC Lockdown, so that people can use it even if Microsoft Defender is not their primary AV. It is mainly targeted toward security enthusiasts, SMB and enterprise

The question is, should we include the ASR rules with the stand alone version?
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Got it, the program stores some settings in [HKEY_LOCAL_MACHINE\SOFTWARE\DefenderUI]. Export-import of this key will allow you to switch custom profiles in offline (for effect make full restart DefUI or restart the computer).
Thank you @@Oldie1950 for fielding this question. Yeah, we could make it so that this feature does not require an internet connection, but the whole idea is for you to be able to share your config with other people. Like, hey, try this config... "JJLTT". Having said that, we might include a local option at some point as well.
 
  • Like
Reactions: [correlate]
A

Azazel

I am working on a stand alone version of WDAC Lockdown, so that people can use it even if Microsoft Defender is not their primary AV. It is mainly targeted toward security enthusiasts, SMB and enterprise

The question is, should we include the ASR rules with the stand alone version?
Will you add the option to add ISG, to work similarly with cyberlock autopilot or ISG used as smart training mode.
 
  • Like
Reactions: [correlate]

aldist

Level 2
Jul 22, 2020
59
@danb
DUI Free, not all users prefer to use the program as resident with autostart. User starts DUI, configures WS via DUI, closes DUI. The user should be able to close the program intelligently, not brute force kill processes. Like offline saving of custom config, this will only add users to the program.
DUI Pro, needs the ability to copy strings from the alerts in "Show more" mode, by button or by highlighting strings with mouse. But Pro requires resident mode.
Update
It turns out that strings are copied individually by double-clicking. I double-clicked on the hash line, the browser startup alert appeared, DUI Pro froze, Win11 computer froze, only a hard reboot helped.
 
Last edited:
  • Like
Reactions: [correlate]

aldist

Level 2
Jul 22, 2020
59
Update2
LOL, the context menu in the tray has scrolling! :) Maybe because I have 11pt font instead of 9pt?
And it has a normal Exit. But the scroll buttons are small, it's hard to hit, and why scrolling where you could do without it? Scrolling is obviously unnecessary here.
When you exit the program, DefenderUIService continues to work, so DefenderGuard will continue to protect?
 
  • Like
Reactions: [correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top