- Mar 24, 2016
- 43
Thanks Arequire, pretty much exactly what I was looking for, especially the part about "Behavior Monitoring".
ConfigureDefender utility for Windows 10/11
- Thread starter Andy Ful
- Start date
- Jul 3, 2015
- 8,153
It's a big part of antivirus protection these days. Not like in the old days, when an antivirus would basically just compare a file to a list of known malicious files, nowadays the AV tries to watch what the file is doing in real-time, and if it misbehaves, it gets arrested.
- Nov 4, 2011
- 582
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
The most common cause is that some other security prevents executing PowerShell.
Please try HIGH profile, Refresh and send here the screenshots of ConfigureDefender after refreshing.
List your other security software. And wait for help
If it's for example SysHardener look at the powershell restrictions.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
It is not SysHardener, but OSArmor can block PowerShell.List your other security software. And wait for help
- Jul 3, 2015
- 8,153
Someone wrote up a whitepaper about bypassing ASR:
- Mar 29, 2018
- 7,596
- Jul 3, 2015
- 8,153
You probably read more of it, so it took you longer...I literally was just set to post this!
- Mar 29, 2018
- 7,596
I read the whole thing and understood it generally, but the specifics of code, etc. were over my head.
- Jul 3, 2015
- 8,153
My general impression is that if someone specifically crafts malware to bypass ASR, he might succeed, but regular malware will be blocked.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
That was the author's (and my) conclusion too.
I can bypass ASR rules by myself, so why not others. The author is very good at bypassing Windows security. A few bypasses were new to me.
Edit.
I read this article and watched a video (thank to @enemyofarsenic) two months ago.
Most bypasses use scripts or VBA macros, so can be prevented by H_C.
Last edited:
- Apr 1, 2019
- 2,867
My question is if the average malware coder would bother since most people don’t even know how to turn ASR on or off in the security center, at least at home. Minimal effort for biggest return. I would hope most enterprises do it as part of their standard system image. But enterprise focused malware is a whole different beast. But I guess we here are concerned beyond the average malware coder.
- Jul 3, 2015
- 8,153
Agreed. I can see it being used in a targeted attack on a system that is known to employ ASR.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
This article can be summed up by two author citations:
My opinion is that with ASR, Microsoft attempt to shut down whole category of phishing exploits.
For example, the rule “Block all Office applications from creating child processes” probably block 99.9% macro-based droppers found in the wild.
.....
.....
I think ASR are a great feature to prevent common malware attacks. At the same time, most rules seem broken or way too easy to bypass. In fact, during my tests I can say I had more problems with bypassing AMSI for scripts/office documents than ASR.
Currently, ASR is not well known by blue teams. Its probable that as more defenders adopt these measures, attackers will adapt their tools to bypass them.
My opinion is that with ASR, Microsoft attempt to shut down whole category of phishing exploits.
For example, the rule “Block all Office applications from creating child processes” probably block 99.9% macro-based droppers found in the wild.
.....
.....
I think ASR are a great feature to prevent common malware attacks. At the same time, most rules seem broken or way too easy to bypass. In fact, during my tests I can say I had more problems with bypassing AMSI for scripts/office documents than ASR.
Currently, ASR is not well known by blue teams. Its probable that as more defenders adopt these measures, attackers will adapt their tools to bypass them.
Last edited:
- Mar 29, 2018
- 7,596
Is this why I have had certain blocks but it appears the app still functions? Or is it that the app functions generally but not that specific blocked process?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
The second.Is this why I have had certain blocks but it appears the app still functions? Or is it that the app functions generally but not that specific blocked process?
Most such alerts you get due to Lsass ASR rule or Controlled Folder Access.
- Mar 29, 2018
- 7,596
In fact, I don't think I've ever seen any other but these two.
I want to add a ConfigureDefender section to the Hard_Configurator home page because ConfigureDefender is an important part of H_C. But I'm still missing a text/phrase. @Andy Ful @shmu26 @oldschool
A section with the test results from the Hub (H_C tweaks and SmartScreen without any AV as usual) will be added later. Any help or advice (EDIT: changed tip to advice perhaps of confusion) is welcome! (maybe an extra FAQ?)
A section with the test results from the Hub (H_C tweaks and SmartScreen without any AV as usual) will be added later. Any help or advice (EDIT: changed tip to advice perhaps of confusion) is welcome! (maybe an extra FAQ?)
Attachments
Last edited:
- Mar 29, 2018
- 7,596
@askalan @Andy Ful @shmu26
I imagine you want something short and sweet. Here's my first shot at it:
"ConfigureDefender is an open source tool that enables users to easily configure Windows Defender advanced features. It includes three predefined security profiles and allows the user to customize Windows Defender settings."
I imagine you want something short and sweet. Here's my first shot at it:
"ConfigureDefender is an open source tool that enables users to easily configure Windows Defender advanced features. It includes three predefined security profiles and allows the user to customize Windows Defender settings."
Similar threads
-
- Sticky
