ConfigureDefender utility for Windows 10/11

blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,867
Andy Ful said:
Any SmartScreen settings in WSC or ConfigureDefender (except Disabled setting) have no influence to SmartScreen check.
The "Warn" setting simply allows the user to run the application.
The "Block" setting does not allow the user to run the application.
The "User" setting in ConfigureDefender applies the setting from WSC
The "Warn" and "Block" settings in ConfigureDefender forces WSC to apply these settings and they cannot be changed by the user from WSC.

If you do not see the SmartScreen alert then there are some possibilities, for example:
  1. SmartScreen is Disabled.
  2. The file extension is ignored by design - SmartScreen is triggered only for some executables, like EXE, MSI, COM, SCR, BAT, JSE, VBE, etc.
  3. The file has not MOTW attached.
It is easy to check (before execution) if the file has MOTW:

View attachment 225491

Without MOTW, the Unblock option is absent. The MOTW is skipped for files stored on flash drives or unpacked by many unpackers.
Click to expand...
This makes a great case for runbysmartscreen. Not a catch all solution, but helpful in many situations!
 
  • Like
Reactions: [correlate], Venustus, simmerskool and 3 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Andy Ful said:
Any SmartScreen settings in WSC or ConfigureDefender (except Disabled setting) have no influence to SmartScreen check.
The "Warn" setting simply allows the user to run the application.
The "Block" setting does not allow the user to run the application.
The "User" setting in ConfigureDefender applies the setting from WSC
The "Warn" and "Block" settings in ConfigureDefender forces WSC to apply these settings and they cannot be changed by the user from WSC.
Click to expand...
I see. In case of testing malwares on the hub, we download a password protected zip file then extract that file and execute anything that was not detected by signatures. Will SmartScreen work for these exe malwares when I set it to "Warn" via Configure Defender?
 
  • Like
Reactions: [correlate], Venustus, simmerskool and 2 others
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
SeriousHoax said:
I see. In case of testing malwares on the hub, we download a password protected zip file then extract that file and execute anything that was not detected by signatures. Will SmartScreen work for these exe malwares when I set it to "Warn" via Configure Defender?
Click to expand...

If your question is in reference to my request, I changed my profile post request to use Max with no SS because I realized this could interfere with your normal testing routine.
 
  • Like
Reactions: Venustus, simmerskool, blackice and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
SeriousHoax said:
I see. In case of testing malwares on the hub, we download a password protected zip file then extract that file and execute anything that was not detected by signatures. Will SmartScreen work for these exe malwares when I set it to "Warn" via Configure Defender?
Click to expand...
No. The "Warn" setting (in WSC or ConfigureDefender) can only allow choosing the available option after the SmartScreen alert is already seen. This setting has no influence on showing this alert or not - it cannot add the MOTW to the file.
You will see the SmartScreen alert only if the executable supported by SmartScreen technology has MOTW attached (assuming that SmartScreen is enabled).
 
  • Like
  • Thanks
Reactions: [correlate], Venustus, simmerskool and 3 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Andy Ful said:
No. The "Warn" setting (in WSC or ConfigureDefender) can only allow choosing the available option after the SmartScreen alert is already seen. This setting has no influence on showing this alert or not - it cannot add the MOTW to the file.
You will see the SmartScreen alert only if the executable supported by SmartScreen technology has MOTW attached (assuming that SmartScreen is enabled).
Click to expand...
Ok, thanks for clarifying :)
 
  • Like
Reactions: [correlate], Venustus and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
oldschool said:
If your question is in reference to my request, I changed my profile post request to use Max with no SS because I realized this could interfere with your normal testing routine.
Click to expand...
The SmartScreen can be Disabled in the test. This will not influence other WD settings.:giggle:(y)
 
  • Like
Reactions: [correlate], Venustus, simmerskool and 3 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
This script was already being detected by WD but the execution wasn't blocked in my test. Same happened with another script in another test. My internet connection didn't drop. What could be the reason?
scr.PNG
 
  • Like
Reactions: Venustus, shmu26, oldschool and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
SeriousHoax said:
This script was already being detected by WD but the execution wasn't blocked in my test. Same happened with another script in another test. My internet connection didn't drop. What could be the reason?
View attachment 225818
Click to expand...
What is a source of this image?

Edit.
OK - @blackice is right, this was VT.
 
Last edited:
  • Like
Reactions: [correlate], Venustus, harlan4096 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
SeriousHoax said:
This script was already being detected by WD but the execution wasn't blocked in my test. Same happened with another script in another test. My internet connection didn't drop. What could be the reason?
View attachment 225818
Click to expand...
It seems that VT used more recent signatures or the sample was tested (on VT) with MOTW.
The difference might happen also when Windows E5 was used.

Post edited.
 
Last edited:
  • Like
Reactions: [correlate], SeriousHoax, harlan4096 and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
SeriousHoax said:
Hmm ok, let's see what happens in the next test.
Click to expand...
When using ShadowDefender on boot and for some reason, there was a problem with updating the signatures, then you use pretty old signatures. So before the test, it is good to look at WSC if the signatures are freshly updated.
Anyway, If the sample has a standard signature (but not fast signature related to BAFS), then it should be also detected dynamically by signatures in the cloud.
 
Last edited:
  • Like
Reactions: [correlate], oldschool, Venustus and 1 other person
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Andy Ful said:
When using ShadowDefender on boot and for some reason, there was a problem with updating the signatures, then you use pretty old signatures. So before the test, it is good to look at WSC if the signatures are freshly updated.
Anyway, If the sample has a standard signature (but not fast signature related to BAFS), then it should be also detected dynamically by signatures in the cloud.
Click to expand...
I always update before running shadow defender and it's being detected by a fast signature not the standard one. All the .exe files samples on the dynamic test were also detected by fast signatures but for some reason this .js file wasn't.
 
  • Like
Reactions: [correlate], Andy Ful, Venustus and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
SeriousHoax said:
I always update before running shadow defender and it's being detected by a fast signature not the standard one. All the .exe files samples on the dynamic test were also detected by fast signatures but for some reason this .js file wasn't.
Click to expand...

By fast signatures, I mean the signatures in the WD Cloud related to BAFS. If your samples are unpacked by Winrar or 7-ZIP, then they are ignored by BASF. So, they are not detected by fast signatures. In this case, only standard signatures in the cloud and behavior-based Machine Learning models are used. It is often hard to see the difference between them, because behavior-based ML models can classify some samples as malicious in milliseconds.

If WD detection of .js script on VT is related to BASF, then it will not be detected in the static part of your tests, but rather in dynamic part. In some cases, WD on Windows Home or Pro will not detect such samples (but they can be detected on Windows E5).(y)

Edit.
There is also a possibility that VT has access to most recent signatures in the WD Cloud. Who knows?
 
Last edited:
  • Like
Reactions: Venustus, [correlate], Sunshine-boy and 2 others
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
blueblackwow65 said:
I am curious on something, Serioushoax did a sample test today with WD at Max settings ,and static only detected 3 samples but WD got 13 others on demand (dynamic), without the max settings of configure defender would these samples have infected computer?
Click to expand...


Weak local signatures are the reason for the low static detection. The real time detection uses the cloud which is WD's strong point. The main detection difference between High and Max settings are the the blocking level and the number of ASR rules enabled. One sample
"E6425863124892_460722.js opens wscript.exe and the payload is blocked by two ASR rule". One of these ASR rules "Block executables unless they meet a prevalence, age or trusted criteria" would not have been enabled in High setting. I am not sure whether it would have been a block, partial block, etc. with only the one rule "Use advanced protection against ransomware" instead of two.

Remember, you can enable all of these using High and manually select the additional ASR rules, blocking level, cloud timeout, etc. unless you encounter an ASR rule incompatibility with your system that does not allow exclusions.

Edited: last sentence.
 
Last edited:
  • Like
  • +Reputation
Reactions: SeriousHoax, Venustus, [correlate] and 6 others
silversurfer

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,072
blueblackwow65 said:
I am curious on something, Serioushoax did a sample test today with WD at Max settings ,and static only detected 3 samples but WD got 13 others on demand (dynamic), without the max settings of configure defender would these samples have infected computer?
Click to expand...
Just to inform you,
static = on-demand scan
dynamic = on-execution detection
 
  • Like
Reactions: Venustus, oldschool, [correlate] and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
In the test made by SeriousHoax, the ConfigureDefender "MAX Protection level" settings cannot change the results of the static (on-demand scan) detection. These settings have an impact on dynamic (on-execution) detection.
The situation is more complicated when the samples have MOTW attached. Such samples can be treated by WD as they were executed, even when the user just opens the folder with samples. The testers usually count such detections as static but then, ConfigureDefender MAX Protection level can have an important impact on static detection results.
 
  • Like
  • +Reputation
Reactions: SeriousHoax, Venustus, oldschool and 5 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,091
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,414
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,227
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top