ConfigureDefender utility for Windows 10/11

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Vasudev said:
Ok... so that was the feature! I thought it was whitelisted system files and its children from being detected as malware. Child Protection = Max web safety and protection for Kids or paranoid users.
Click to expand...
That is right.:giggle:
It is the protection for kids and computer illiterate users, which is supervised by the advanced user (kind of family computer administrator). The Child Protection in ConfigureDefender is very aggressive, and can generate false positives.
 
Last edited:
  • Like
  • Thanks
Reactions: Vasudev, harlan4096, Gandalf_The_Grey and 1 other person
V

Vasudev

Level 33
Verified
Nov 8, 2014
2,247
211065

@Andy Ful Suddenly WD blocks Wise Uninstaller's Uninstall monitor module saying lsass.exe minor risk rule was applied.
 
  • Like
Reactions: shmu26, Handsome Recluse, Gandalf_The_Grey and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Vasudev said:
View attachment 211065
@Andy Ful Suddenly WD blocks Wise Uninstaller's Uninstall monitor module saying lsass.exe minor risk rule was applied.
Click to expand...
You have activated the custom settings or 'Child Protection', with the ASR rule:
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
I do not know for what reason UnMonitor.exe wants to interfere with lsass.exe, it should not.
If you are certain that the application is clean and safe, then it is OK. The alert does not mean that all actions of UnMonitor.exe are blocked, but only access to lsass.exe, so probably you can ignore it. This ASR rule can alert for some other monitoring legal applications, so it is Disabled in ConfigureDefender "Defender high settings''.
 
  • Like
  • Wow
  • Applause
Reactions: Vasudev, Moonhorse, shmu26 and 4 others
V

Vasudev

Level 33
Verified
Nov 8, 2014
2,247
Andy Ful said:
You have activated the custom settings or 'Child Protection', with the ASR rule:
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
I do not know for what reason UnMonitor.exe wants to interfere with lsass.exe, it should not.
If you are certain that the application is clean and safe, then it is OK. The alert does not mean that all actions of UnMonitor.exe are blocked, but only access to lsass.exe, so probably you can ignore it. This ASR rule can alert for some other monitoring legal applications, so it is Disabled in ConfigureDefender "Defender high settings''.
Click to expand...
I enabled it since the beginning. By default, its disabled, correct?
I think 19H1 is very strict for Default deny based rulesets or ASR rules. I'm on 19h1 build so its becoming paranoid these days and guess what 1902.5 WD engine which is shipped in 19h1 you cannot clear protection history and even move/delete items from quarantine. I always preferred MSE UI which was clean and did its job unlike UWP version with confusing dashboard.
 
Last edited:
  • Like
Reactions: oldschool and Andy Ful
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
Nightwalker said:
I think "Block at First Sight" isnt working as it should in my machine, I tried the demo file from Windows Defender Testground and WD didnt blocked it.


View attachment 212097


Should it be allowed to execute?

@Andy Ful
Click to expand...

I did the same test and Smartscreen blocked it, and WD thus "failed" the BAFS test. Curious indeed!
 
  • Like
  • Thanks
Reactions: harlan4096, Andy Ful, stefanos and 3 others
F

ForgottenSeer 72227

Nightwalker said:
I think "Block at First Sight" isnt working as it should in my machine, I tried the demo file from Windows Defender Testground and WD didnt blocked it.


View attachment 212097


Should it be allowed to execute?

@Andy Ful
Click to expand...

Try setting the block level in configure defender to block instead of highest. I have ran this test before and for some reason it only seems to work with it set to block. I know @Andy Ful has said in the past that for home users it doesn't matter as it works more like heuristics, but in my experience it seems to make a difference, at least with that test. A so which browser are you using? I find it doesn't work as well with Firefox for some reason, but with Edge and Chrome it works fine. My guess is that both Edge and Chrome use AMSI and Firefox doesn't so, I am not sure if that's the reason behind it or not.
 
  • Like
Reactions: Moonhorse, harlan4096, oldschool and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Nightwalker said:
I think "Block at First Sight" isnt working as it should in my machine, I tried the demo file from Windows Defender Testground and WD didnt blocked it.


View attachment 212097


Should it be allowed to execute?

@Andy Ful
Click to expand...
oldschool said:
I did the same test and Smartscreen blocked it, and WD thus "failed" the BAFS test. Curious indeed!
Click to expand...
The demo for BASF is outdated and does not work well. It does not work at all for Firefox.
It is a simple way to see if it works. If you download the malicious (or highly suspicious) EXE file (via Edge or Chrome) which has not the signature in WD, then you should see the WD alert that the file requires further inspection for 10s (or 60s when ConfigureDefender high settings were used). If the file is recognized as malicious, then it is automatically quarantined (or sometimes deleted).
BASF is the default WD feature so it should work without any issues.
 
  • Like
  • Thanks
Reactions: ForgottenSeer 85179, Moonhorse, harlan4096 and 4 others
F

ForgottenSeer 72227

oldschool said:
Mine is set to :Block" on 1809.
Click to expand...
Hmm interesting. I just tried it in Chrome, also on 1809 with it set to block and it worked for me. Now what I did find out is that it may not work every time. I ran it like 3-4 times and it didn't work once out of the 3-4 times. If I'm not mistaken, it relies on the cloud component and if it cannot make a determination during the time out period, it allows the file to finish downloading, but also sends it to the cloud for further analysis. I could be wrong, but maybe @Andy Ful can explain it better.

Andy Ful said:
The demo for BASF is outdated and does not work well. It does not work at all for Firefox.
It is a simple way to see if it works. If you download the malicious (or highly suspicious) EXE file (via Edge or Chrome) which has not the signature in WD, then you should see the WD alert that the file requires further inspection for 10s (or 60s when ConfigureDefender high settings were used). If the file is recognized as malicious, then it is automatically quarantined (or sometimes deleted).
BASF is the default WD feature so it should work without any issues.
Click to expand...

Thanks for the clarification. I do wish that MS would keep up with their test page, but then again, maybe they don't think too many people use it.
 
  • Like
Reactions: harlan4096, Nightwalker and shmu26
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Raiden said:
Hmm interesting. I just tried it in Chrome, also on 1809 with it set to block and it worked for me. Now what I did find out is that it may not work every time. I ran it like 3-4 times and it didn't work once out of the 3-4 times. If I'm not mistaken, it relies on the cloud component and if it cannot make a determination during the time out period, it allows the file to finish downloading, but also sends it to the cloud for further analysis. I could be wrong, but maybe @Andy Ful can explain it better.
Click to expand...
I made many tests with BASF some time ago. In the beginning, almost all samples were blocked in high settings. But after some tests, the rate dropped to about 50%. Those samples are really not malicious. They differ only by a small binary part at the end of the file.
 
  • Like
Reactions: harlan4096, Nightwalker, oldschool and 2 others
V

Vasudev

Level 33
Verified
Nov 8, 2014
2,247
Nightwalker said:
I think "Block at First Sight" isnt working as it should in my machine, I tried the demo file from Windows Defender Testground and WD didnt blocked it.


View attachment 212097


Should it be allowed to execute?

@Andy Ful
Click to expand...
If you're on Windows 19H1 you need to disable Tamper protection for Configuredefender's custom rule-sets to work.
 
  • Like
Reactions: oldschool, ForgottenSeer 72227, Gandalf_The_Grey and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Vasudev said:
If you're on Windows 19H1 you need to disable Tamper protection for Configuredefender's custom rule-sets to work.
Click to expand...
Tamper protection blocks only two entries in ConfigureDefender, which normally are not changed by the user (tested on Windows 10 Insider Build 18841):
  1. Behavior Monitoring.
  2. Scan all downloaded files and attachments.
Other options work as usual.
 
  • Like
Reactions: oldschool, Vasudev, ForgottenSeer 72227 and 4 others
V

Vasudev

Level 33
Verified
Nov 8, 2014
2,247
Andy Ful said:
Tamper protection blocks only two entries in ConfigureDefender, which normally are not changed by the user (tested on Windows 10 Insider Build 18841):
  1. Behavior Monitoring.
  2. Scan all downloaded files and attachments.
Other options work as usual.
Click to expand...
For me, Configuredefender always stays in Script Paused state and disabling Tamper protection solved it. Oterwise, some rulesets weren't applying or not working. 20H1 has some fixes unlike 19H1. When will MSFT learn?
 
  • Like
Reactions: shmu26 and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Vasudev said:
For me, Configuredefender always stays in Script Paused state and disabling Tamper protection solved it. Oterwise, some rulesets weren't applying or not working. 20H1 has some fixes unlike 19H1. When will MSFT learn?
Click to expand...
What is the script paused state?
 
  • Like
Reactions: oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Vasudev said:
CofigureDefender doesn't respond and UI appears stuck! When you hover the tray icon you'll see Script Paused message.
Click to expand...
So you are using the early Insider version which will be finally pushed in the next year. We have to wait until it will be more mature, and then we will see if it is a bug or M$ decided to block more configuration changes (also with PowerShell) when Tamper Protection is active.(y)
 
  • Like
Reactions: oldschool, harlan4096 and shmu26

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,091
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,414
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,227
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top