ConfigureDefender utility for Windows 10/11

[509322]

What home user is going to genuinely need features like VBScript or local JScript? I cannot think of a single one. I think it is simpler for it to just be disabled and be done with it than relying on ASR which is going to be a risky game of hit'n'miss each time.

It is awesome that Microsoft is adding protections. However, we all know how it goes... it is fiendishly complex, hidden, with little to no documentation. And it takes a lot of effort to figure it out. I can count in excess of 20 pages of ASR discussion spread across multiple threads and PMs. And in an instant parts of it can be undone with the next Windows Update and y'all can sort it out all over again.

I am simple stupid. So if people are like me, then they appreciate simple - stuff that they can master easily (they don't have to necessarily understand it). People are much more apt to use ON\OFF and not use "Deep Dive" security. A user can understand ON blocks and OFF allows. ON blocks all the "user wants to use stuff" stuff and OFF let's them do it. Gee... hey now... we're gettin' really good at this... Voila ! Will you look at that... a user is using something because they "get it," it works, and they didn't have to take a college semester class to just begin to figure it out.

 

[Andy Ful]

What home user is going to genuinely need features like VBScript or local JScript? I cannot think of a single one. I think it is simpler for it to just be disabled and be done with it than relying on ASR which is going to be a risky game of hit'n'miss each time.

OSArmor thread was a good source for that - users posted several blocked events. There is some software that can require Windows Script Host scripts, for example: Intel(r) Energy Checker SDK, FreeDownloadManager, etc.
Some printers require mshta.exe like HP Officejet Pro 6830.
There are also near 1000 VBScript and over 700 JScript scripts in the Windows folder (but many duplicates for different resources). Who knows for what. Probably, some of them can be used sometimes for Windows troubleshooting. The safest way is to block them only by extension when the user tries to execute them, or block script execution only as standard user.

Edit.
Anyway, my wife has completely blocked execution of Windows Script Host scripts (for 2 years) and no problems with Windows 10.

 

[509322]

There are also near 1000 VBScript and over 700 JScript scripts in the Windows folder (but many duplicates for different resources). Who knows for what. Probably, some of them can be used sometimes for Windows troubleshooting.

wscript is legacy.

They're slowly but surely replacing with PowerShell scripts. For example, now network troubleshooter scripts are *.ps1.

Rename system.management.automation.dll to system.management.automation.dll_ and all your network troubleshooters don't work - and probably others. I didn't go on a testing expedition to discover all that have been transitioned from .js to .ps1.

* * * * *

The safest way is to block them only by extension when the user tries to execute them, or block script execution only as standard user.

Unfortunately most users do not even know they can create a SUA.

The safest thing is just to block them always. I know. I've screwed up before and encrypted my system with script-only ransomware when I wasn't paying attention. If I can manage to mess up a system, then a user who doesn't understand has no chance by themselves.

 

[shmu26]

What home user is going to genuinely need features like VBScript or local JScript? I cannot think of a single one. I think it is simpler for it to just be disabled and be done with it than relying on ASR which is going to be a risky game of hit'n'miss each time.

If you disable stuff like that, and Microsoft support does a remote session with you to fix your Office 365 installation, for instance, there are going to be problems. That's what happened to me. I couldn't undo my advanced protection fast enough for the support rep, so he just gave up, and told me to reinstall Office...
Microsoft doesn't want you to mess with system settings, and if you do, they can't and won't help you. Tinkerer beware.
On the other hand, MS support is less than worthless most of the time, you are better off solving your own issues. I just wanted to mention this point.

 

[Eddie Morra]

@shmu26 I cannot deny that you and Andy make a good point in response to what I said. You're both completely correct about third-party software relying on WSH existing out there and the Microsoft customer support thing (I am pretty sure I recall hearing about others who had a similar experience to you with that).

I disable WSH and it works well for me on my environments but I understand that not everyone can disable it without being so lucky and not running into issues. Which is a real shame and disadvantage for them.

 

[509322]

Microsoft doesn't want you to mess with system settings, and if you do, they can't and won't help you. Tinkerer beware.

This is their unstated policy. They give you choices, but in reality they would really prefer that you don't mess with settings. This is true for most softs ? And why is it that almost everyone doesn't want users monkeying with settings ? Because the user gets themselves into trouble. The user is the problem.

On the other hand, MS support is less than worthless most of the time, you are better off solving your own issues. I just wanted to mention this point.

It's true. Microsoft support across all of its products lines, staffing is like a revolving door.

 

[shmu26]

@shmu26 I cannot deny that you and Andy make a good point in response to what I said. You're both completely correct about third-party software relying on WSH existing out there and the Microsoft customer support thing (I am pretty sure I recall hearing about others who had a similar experience to you with that).

I disable WSH and it works well for me on my environments but I understand that not everyone can disable it without being so lucky and not running into issues. Which is a real shame and disadvantage for them.

I agree that your way is better. The gain is greater than the loss.

 

[509322]

I disable WSH and it works well for me on my environments but I understand that not everyone can disable it without being so lucky and not running into issues. Which is a real shame and disadvantage for them.

You know what, disabling wscript\cscript is a simple matter of ON\OFF or running it with restricted privileges if you happen to need it. Of course lowered rights is not a solution to everything, it does solve many security issues. For someone with a weeny bit of knowledge, it should not be difficult for them to figure out "Hey, I need this all the time so I won't disable it permanently or I need it once in a while and therefore I can turn it on only when I need it, and finally, I don't need it so I'm gonna kill it."

I am all for educating the user and empowering them. Instead of enslaving them to the OS and softs in ignorance.

The fact of the matter is if Microsoft would rip out the high-risk garbage in Windows such as wscript, then publishers would adjust their products and make it work. That's what we do now anyway because Microsoft makes changes unilaterally.

 

[509322]

If Google can do it, then Microsoft can do it.

Microsoft just ain't gonna do it until it gets a bloodied nose that bleeds the color of money.

It's all about money.

 

[509322]

Microsoft's answer is this... everyone needs to upgrade to the latest Windows 10 across all product types. Then we can take care of you. Eliminate the entire fractured IT ecosystem and we can take care of you.

They also argue that Windows Home is essentially a free OS with free ongoing support. So they send down from IT Pro level to consumer level what they're willing to provide in the form that they're willing to provide it.

I get the second one, but the first one is nonsense. Because Microsoft is the one who helped create the fractured and legacy system in the first place. A problem that has been fractious forever. Now they're trying to rectify it with Windows 10 and it isn't working to their master plan.

For anyone who doesn't know, these are huge problems with no real solutions in sight. Sort of like 2000 years of underground plumbing in some Euro cities. How you gonna fix that ?

 

[oldschool]

I got this Controlled Folder Access block today:



Occasionally I'll get something like this, which I simply ignore.

 

[509322]

I got this Controlled Folder Access block today:

View attachment 199344

Occasionally I'll get something like this, which I simply ignore.

It's probably a software update. Chrome ?

 

[oldschool]

It's probably a software update. Chrome ?

I use Edge & Brave Beta. Added Brave Update to CFA exclusions which I had neglected to do upon original install. Thanks!

 

[509322]

I use Edge & Brave Beta.

It's an update\install of something. Many programs use C:\Windows\temp to run their updates.

 

[oldschool]

It's an update\install of something. Many programs use C:\Windows\temp to run their updates.

Yes, just edited my last reply.

 

[shmu26]

I got this Controlled Folder Access block today:

View attachment 199344

Occasionally I'll get something like this, which I simply ignore.

Are you on Win 10 1809, or 1803, or what?

 

[Andy Ful]

I got this Controlled Folder Access block today:

View attachment 199344

Occasionally I'll get something like this, which I simply ignore.

The updater wants probably add the shortcut to Start Menu folder.

 

[shmu26]

ASR rule "Block all Office applications from creating child processes"
This one can cause unpredictable behavior from the print-to-fax driver of HP printers. This driver calls rundll32 in order to talk to the printer.
The block does not show in the log of "View Blocked Events".
It might even break the driver, but I am not sure about it, that would require further testing. I broke my printer's drivers, programs and firmware enough times yesterday. I am not happy with HP at all. Just look at it, and it breaks.

Slightly off topic, but the HP printer management program does not require elevation in order to run, and it calls mshta, which is blocked by SRP sponsors -- and the block does not show in the log of "View Blocked Events".
Just reporting, for the sake of reporting...

I also reported the first issue on the MS feedback hub.

 

[Andy Ful]

ASR rule "Block all Office applications from creating child processes"
This one can cause unpredictable behavior from the print-to-fax driver of HP printers. This driver calls rundll32 in order to talk to the printer.
The block does not show in the log of "View Blocked Events".
It might even break the driver, but I am not sure about it, that would require further testing. I broke my printer's drivers, programs and firmware enough times yesterday. I am not happy with HP at all. Just look at it, and it breaks.

Slightly off topic, but the HP printer management program does not require elevation in order to run, and it calls mshta, which is blocked by SRP sponsors -- and the block does not show in the log of "View Blocked Events".
Just reporting, for the sake of reporting...

I also reported the first issue on the MS feedback hub.

Does everything work well when this ASR rule is disabled (reboot is necessary) in ConfigureDefender and mshta.exe is unblocked in H_C?
I am asking, because something else interferes with this issue, too. The driver/software actions are not fully blocked or something prevents the proper logging.
What Enforcement setting do you have?

 

[LDogg]

I was having some issues with my VPN earlier, may have sorted itself out.

~LDogg