ConfigureDefender utility for Windows 10/11

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
silversurfer posted an example of advanced multistage malware:

Here is a fragment from a Microsoft article about WD protection, which can fight such malware:
"
  1. Machine learning models in the Windows Defender Antivirus client generically detects suspicious obfuscation in the initial HTA file used in this attack. Beyond this immediate protection, behavioral detection and containment capabilities can spot anomalous and malicious behaviors, such as the execution of scripts and tools. When the behavior monitoring engine in the client detects one of the more than 500 attack techniques, information like the process tree and behavior sequences are sent to the cloud, where behavior-based machine learning models classify files and identify potential threats.
  2. Meanwhile, scripts that are decrypted and run directly in memory are exposed by Antimalware Scan Interface (AMSI) instrumentation in scripting engines, while launching PowerShell with a command-line that specifies encoded commands is defeated by command-line scanning. Tamper protection in Microsoft Defender ATP protects systems modifications that attempt to disable Windows Defender Antivirus.
  3. These multiple layers of protection are part of the threat and malware prevention capabilities in Microsoft Defender ATP. The complete endpoint protection platform provides multiple capabilities that empower security teams to defend their organizations against attacks like Nodersok. Attack surface reduction shuts common attack surfaces. Threat and vulnerability management, endpoint detection and response, and automated investigation and remediation help organizations detect and respond to cyberattacks. Microsoft Threat Experts, Microsoft Defender ATP’s managed detection and response service, further helps security teams by providing expert-level monitoring and analysis.
"
I have put the three paragraphs from this text into three numbered points.
The first point is interesting because it is related to actions made by WD offline protection. It also clearly states how the behavior monitoring engine works:

"behavior monitoring engine in the client detects one of the more than 500 attack techniques, information like the process tree and behavior sequences are sent to the cloud, where behavior-based machine learning models classify files and identify potential threats."

The third point is mostly related to Windows E5 (except some ASR features).

Andy Ful

I wish I could see the ConfigureDefender Log from the last WD test:
I wonder if 4 script samples were missed, or some WD advanced settings silently blocked the malicious actions (or Windows 10 mitigations did this). In the end, the system seems protected. But, who knows?
The script 0.3614618.js was seen as part of an EMOTET attack.

Andy Ful

Some people would like to test if AMSI works on their computer. It is easy when using the test script prepared by Microsoft:
First, copy/paste the script below into the PowerShell console to see what command will be executed:
Code:
# AMSI test script
$base64 = "FHJ+YHoTZ1ZARxNgUl5DX1YJEwRWBAFQAFBWHgsFAlEeBwAACh4LBAcDHgNSUAIHCwdQAgALBRQ="
$bytes = [Convert]::FromBase64String($base64)
$string = -join ($bytes | % { [char] ($_ -bxor 0x33) })
# The variable $string contains the command that will be executed
$string
You will see the output:
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
which is a decoded command.
After that, execute this command:
Code:
iex $string
which should be blocked by WD:
(screenshot: AMSI_test.png)

Edit.
Converting from BASE64 is blocked in PowerShell Constrained Language mode, which is set by SRP default-deny, or can be set via SysHardener.

Andy Ful

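An added example, not part of the original post or of ConfigureDefender: the same AMSI test, but wrapped so that the result is verified from the Defender event log instead of only from the console. It assumes Windows 10/11 with Microsoft Defender Antivirus active and the Defender PowerShell module available; the "Microsoft-Windows-Windows Defender/Operational" log with event IDs 1116 (detection) and 1117 (action taken) is standard Defender logging. The language-mode check at the top is there because of the edit above: a Constrained Language session can fail before AMSI ever sees the decoded string, which looks like a "miss" but is not one.

```powershell
# Added example (not from the original post). Assumes Defender AV is the active AV
# and the Defender module (Get-MpComputerStatus etc.) is present.

# 1. Preconditions that explain a "missed" result before blaming AMSI.
$languageMode = $ExecutionContext.SessionState.LanguageMode
Write-Host "PowerShell language mode : $languageMode"   # FullLanguage expected for this test
$status = Get-MpComputerStatus
Write-Host "Real-time protection     : $($status.RealTimeProtectionEnabled)"
Write-Host "AM service enabled       : $($status.AMServiceEnabled)"

# Registered AMSI providers (Defender registers itself under this key); informational only.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "AMSI provider key        : $($_.PSChildName)" }

# 2. Same decode as the post: XOR 0x33 of the base64 blob yields the AMSI test string.
#    The obfuscation is deliberate: on disk and in the base64 form there is nothing to match.
$base64 = "FHJ+YHoTZ1ZARxNgUl5DX1YJEwRWBAFQAFBWHgsFAlEeBwAACh4LBAcDHgNSUAIHCwdQAgALBRQ="
$bytes  = [Convert]::FromBase64String($base64)
$string = -join ($bytes | ForEach-Object { [char]($_ -bxor 0x33) })

# 3. Hand the decoded text to the scripting engine. AMSI scans the plaintext at this point,
#    which is why the block fires here and not at the base64 line.
$before = Get-Date
try {
    Invoke-Expression $string
    Write-Warning "Script ran without a block: AMSI did not stop it."
} catch {
    # When Defender blocks, PowerShell raises a ScriptContainedMaliciousContent error.
    Write-Host "Blocked: $($_.Exception.Message)"
}

# 4. Corroborate with the Defender log rather than trusting the console alone.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $before
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Get-MpThreatDetection shows the same detections with the offending process name.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 3 InitialDetectionTime, ThreatID, ProcessName |
    Format-Table -AutoSize
```

If the try block prints the warning but the log still shows 1116/1117 events, the engine detected the sample asynchronously; if neither appears, check the language mode and real-time protection values printed in step 1 before concluding that AMSI is broken.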
WD offline detection (continued)

...
The first point is interesting because it is related to actions made by WD offline protection. It also clearly states how works the behavior monitoring engine:

"behavior monitoring engine in the client detects one of the more than 500 attack techniques, information like the process tree and behavior sequences are sent to the cloud, where behavior-based machine learning models classify files and identify potential threats."
...
Fragment from MS article:

"When the client-based machine learning model predicts a high probability of maliciousness, a rich set of feature vectors is then prepared to describe the content. These feature vectors include:
  • Behavior during emulation, such as API calls and executed code
  • Similarity fuzzy hashes
  • Vectors of content descriptive flags optimized for use in ML models
  • Researcher-driven attributes, such as packer technology used for obfuscation
  • File name
  • File size
  • Entropy level
  • File attributes, such as number of sections
  • Partial file hashes of the static and emulated content
This set of features form a signal sent to the Windows Defender AV cloud protection service, which runs a wide array of more complex models in real-time to instantly classify the signal as malicious or benign."

Andy Ful

SUMMARY of WD offline non-signature detection/blocking on Windows Home and Pro.
  1. WD offline non-signature detection uses Machine Learning models, behavior-based algorithms, generics (based on similarities to known malware), and heuristics.
  2. AMSI is used to log/detect unobfuscated script actions.
  3. Most of these features apply to images in memory and are optimized to detect suspicious behavior and trigger the cloud backend.
  4. WD can also be configured to use ASR rules and Controlled Folder Access to block malicious behaviors locally.
It seems that WD's main offline protection is based on malware signatures, and can be extended by using ASR rules and Controlled Folder Access. The other features are mostly the interlude to the cloud backend.
Of course, in the home environment, offline protection is supported by cloud protection even when the user is offline! The main malware delivery is due to the Internet, so if the user is well protected online (web protection, BAFS, etc.), then there is usually no malware on disk when being offline. This may work well for many users, but there are some exceptions, for example when downloading/unpacking files without MOTW (like from USB drives, via 7-ZIP unpacker, etc.).

Andy Ful

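Point 4 of the summary (ASR rules and Controlled Folder Access as the locally enforced part of WD) can be set without ConfigureDefender as well, straight from Set-MpPreference. The block below is an added example, not code from the original post or from ConfigureDefender; it assumes an elevated PowerShell on Windows 10/11 with the Defender module. The rule GUIDs are taken from Microsoft's published ASR rule reference and should be checked against it before deployment, and the allowed-application path is hypothetical.

```powershell
# Added example (not from the original post). Run elevated on Windows 10/11 Home/Pro.

# A subset of ASR rules aimed at the delivery chain discussed in the thread:
# obfuscated scripts, script-launched downloads, Office-spawned processes, LSASS access.
# GUIDs per Microsoft's ASR rule reference; verify them there before relying on this list.
$AsrRules = [ordered]@{
    'Block execution of potentially obfuscated scripts'                      = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JavaScript/VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block all Office applications from creating child processes'           = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Win32 API calls from Office macros'                               = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block executable content from email client and webmail'                = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block credential stealing from LSASS'                                    = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Use advanced protection against ransomware'                             = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
}

# Set-MpPreference action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
# Start in Audit, watch event ID 1122 (ASR audit) in the Defender operational log,
# then switch $Mode to 1 once the hits are understood.
$Mode = 2

$ids     = @($AsrRules.Values)
$actions = @($ids | ForEach-Object { $Mode })
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Controlled Folder Access: untrusted processes cannot write to the protected folders.
# Blocks are logged as event ID 1123, audits as 1124.
Set-MpPreference -EnableControlledFolderAccess Enabled
# Whitelisting a tool that legitimately writes there (path is hypothetical):
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Tools\backup.exe'

# Read back what is actually in effect; do not assume the Set call took.
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id    = $p.AttackSurfaceReductionRules_Ids[$i]
    $entry = $AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $id }
    $name  = if ($entry) { $entry.Key } else { '(rule not in this list)' }
    '{0,-5} {1}  {2}' -f $p.AttackSurfaceReductionRules_Actions[$i], $id, $name
}
'Controlled Folder Access: {0}' -f $p.EnableControlledFolderAccess   # 1 = Enabled, 2 = Audit
```

Note that these are the same settings ConfigureDefender writes; reading them back with Get-MpPreference is the quickest way to confirm that a profile applied on a Home edition, where Group Policy is not available, actually reached the engine.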
Thanks for the Log. WD behavior blocking features did very well when blocking the malicious actions of SoundSysK.exe and remittance.jar. Even the autorun registry changes were blocked. (y)
The second malware is nasty:

oldschool

Hi, just wondering why the CPU load at scanning is 50% with high settings? Is this on-demand scanning only, not real-time?

You can change it to a lower number if desired. My guess is that it's for all scans and real-time, but that doesn't mean it always uses 50%. I imagine it will spike under stress when encountering malware, e.g. during testing. :unsure: Those who have tested it could give a more accurate answer than mine.

harlan4096

@Andy Ful: what about XLSTATSTART.exe? I got a final verdict from KVirusDesk of clean; it also appears as Trusted in KSN... :unsure: :unsure:

I've also tested with KTS2020d (defaults) and :

I've tested it and it triggers cmd.exe -> conhost.exe for about 1 second and auto-terminates; it only left a 0 KB file... false positive??