ConfigureDefender utility for Windows 10/11

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,481
RoboMan said:
Andy, would ConfigureDefender at max settings block the ransomware attack used on this video?

Video - Windows Defender vs GandCrab Ransomware: video review
Click to expand...
After the first update update of Windows 10 ver. 1809 (I just did it yesterday), the trick with executing PowerShell from VBScript (JScript) is now blocked. The trick was for fooling one of the ASR rules which blocked the execution when VBScript (JScript) malware downloaded the payload and next executed it, by using only one script engine.
So now, the GandCrab Ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content" (or the old name used in Configuredefender "Impede JavaScript and VBScript to launch executables"). But, this malware technique will be surely enhanced in the next versions to bypass WD protection.
Generally the ASR rules are evolving and are stronger than before.
 
  • Like
Reactions: ForgottenSeer 85179, bribon77, harlan4096 and 3 others
RoboMan

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,483
Andy Ful said:
So now, the GandCrab Ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content"
Click to expand...
Is this a default option on WD or only if you enable ConfigureDefender? The very same scenario of this video with latest Windows update should block it?
 
  • Like
Reactions: harlan4096 and Andy Ful
5

509322

Andy Ful said:
After the first update update of Windows 10 ver. 1809 (I just did it yesterday), the trick with executing PowerShell from VBScript (JScript) is now blocked. The trick was for fooling one of the ASR rules which blocked the execution when VBScript (JScript) malware downloaded the payload and next executed it, by using only one script engine.
So now, the GandCrab Ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content" (or the old name used in Configuredefender "Impede JavaScript and VBScript to launch executables"). But, this malware technique will be surely enhanced in the next versions to bypass WD protection.
Generally the ASR rules are evolving and are stronger than before.
Click to expand...

It is just craziness. An overly complicated mousetrap that sometimes catches mice and other times does nothing or, perhaps, smashes the trap setter's fingers. Users looking at ASR and asking "Wut ?... Will it protect against this ?" And then the user not realizing that the ASR rules must be present (Microsoft has to create them - and they are always playing catch-up) and enabled. If not, they have to figure it out and then do it.

It's fine for us that want to tinker and figure stuff out, but for others who just want to protect their systems this Microsoft spaghetti protection is insane. Not to mention it is just a matter of time that the malc0ders bypass the fixed bypass. It's cuck-cah !

SRP can be crafted such that there is no wondering about "Will this protect against this ?" The only real protection to be had is at the process level - either allowing or denying the process. The fine-grained rules blocking specific behaviors is a pipe-dream fallacy - because new malicious behaviors that bypass current rules are implemented. Merely disable wscript and the rest of unwanted stepchild processes. This is not difficult. This is really easy. It is almost "push button" protection.
 
Last edited by a moderator:
  • Like
Reactions: bribon77, harlan4096, Eddie Morra and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,481
RoboMan said:
Is this a default option on WD or only if you enable ConfigureDefender? The very same scenario of this video with latest Windows update should block it?
Click to expand...
ASR rules are deactivated in WD default settings. They can be activated via PowerShell cmdlets or via policies on Windows 10 Home (policies would require editing the Registry). ConfigureDefender is a GUI that uses PowerShell to activate ASR. I checked the "two script engines" trick some time ago and it could fool ASR, so the malware was probably successful. I did not test this trick again until today, after the first update of Windows 10 ver. 1809. I do not know if the same is true for other Windows 10 versions.
 
  • Like
Reactions: harlan4096, Eddie Morra, In2an3_PpG and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,481
Lockdown said:
...
The fine-grained rules blocking specific behaviors is a pipe-dream fallacy - because new malicious behaviors that bypass current rules are implemented. Merely disable wscript and the rest of unwanted stepchild processes. This is not difficult. This is really easy. It is almost "push button" protection.
Click to expand...
This is recommended and most efficient for home users. Those users who cannot do it, for some reason, can consider activating WD ASR rules.:giggle:
 
5

509322

Andy Ful said:
This is recommended and most efficient for home users. Those users who cannot do it, for some reason, can consider activating WD ASR rules.:giggle:
Click to expand...

LOL... it is a whole lot easier to disable wscript than to enable WD ASR. Some people just like being difficult. :X3:
 
  • Like
Reactions: Eddie Morra
E

Eddie Morra

Lockdown said:
LOL... it is a whole lot easier to disable wscript than to enable WD ASR. Some people just like being difficult. :X3:
Click to expand...
What home user is going to genuinely need features like VBScript or local JScript? I cannot think of a single one. I think it is simpler for it to just be disabled and be done with it than relying on ASR which is going to be a risky game of hit'n'miss each time.
 
  • Like
Reactions: In2an3_PpG, oldschool and Andy Ful

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,081
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,414
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,221
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top