ConfigureDefender utility for Windows 10/11

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
I've had some trouble auto-updating Brave Browser and I have this ASR block in the log:

View attachment 228755

I have added this ASR exclusion (folder): Windows/C:/Program Files (86)/Brave Software/Update/Install

Is this correct? :unsure:
I don't know about the exclusion part but if you're 100% certain of a program being safe, in this case Brave browser then turn off WD Real time protection before installing Brave and turn on after. It happened to me a lot too while updating apps because of this ASR rule. As you can see from the name of the rule, it's obvious to face this issue while installing brand new version of a program.
 
  • Like
Reactions: oldschool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
I've had some trouble auto-updating Brave Browser and I have this ASR block in the log:

View attachment 228755

I have added this ASR exclusion (folder): Windows/C:/Program Files (86)/Brave Software/Update/Install

Is this correct? :unsure:
You can do it, but in most cases, it would not work because some executables will be unpacked and run from the user temporary folder. Furthermore, it is not necessary. The new updater will be allowed by Microsoft tomorrow when it will gain more prevalence.(y):giggle:
I think its because your on Max settings ? with ConfigureDefender..... with High settings probably no problem.
Yes, this ASR rule is activated in MAX Protection Level.:emoji_ok_hand:
I don't know about the exclusion part but if you're 100% certain of a program being safe, in this case Brave browser then turn off WD Real time protection before installing Brave and turn on after. It happened to me a lot too while updating apps because of this ASR rule. As you can see from the name of the rule, it's obvious to face this issue while installing brand new version of a program.
Disable WD, run the updater, enable WD, restart Windows.
Restarting Windows is necessary to make ASR rules work properly.(y)
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
Hi Andy Ful, Windows Defender doesn't seem to respect this setting conf.png
Why is that?
1.png2.png3.png4.png5.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Finally, something bypassed the WD on ConfigureDefender MAX Protection Level. As it could be guessed, this was a script (poy.js):
poy.png


The persistence was done in a standard way by dropping the shortcut sideb.lnk to the start folder. The shortcut can start JScript payload with a fake file extension (.dat) dropped to the user Temp folder. The malware also created the autorun registry key that can execute the shortcut with Windows start. It probably behaved as an info-stealer and did not run any payload during the test. If the poy.js malware did directly run the payload (dropped to the start folder), then it could be blocked by ASR rules. Congrats to Eset for the quick signature of poy.js malware.:)

Edit.
Thank SeriousHoax, WD can detect this malware by signatures, now (WD deleted the malware after it has been unpacked):
poy.png
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Leave it to M$! Edge Chromium update blocked by its own ASR rules. In this case "Block credential stealing ... "
This ASR rule should not block the updates. It blocks access only to LSASS which is usually unimportant for installing/running/updating applications.
Anyway, I do not use this rule because it produces so many false positives, that you cannot see anything else in ConfigureDefernder Log. :)(y)
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
This ASR rule should not block the updates. It blocks access only to LSASS which is usually unimportant for installing/running/updating applications.
Anyway, I do not use this rule because it produces so many false positives, that you cannot see anything else in ConfigureDefernder Log. :)(y)
Btw, everything that is blocked by this ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is also blocked by ESET HIPS. I found that in ESET HIPS log. ESET usually blocks even more related to this lass.exe so maybe not false positives?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Btw, everything that is blocked by this ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is also blocked by ESET HIPS. I found that in ESET HIPS log. ESET usually blocks even more related to this lass.exe so maybe not false positives?
HIPS cannot recognize if something is malicious or not. ESET HIPS is not smarter than ASR.
It does not mean that it will be always false positive, but only in 99 % (or more).:)(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Some notes about the last WD test made by @SeriousHoax:

1. AL_5014513395824.vbs
The malware uses WMI to run payload. This should be blocked by ASR if it did not auto terminate (ASR rule "Block process creations originating from PSExec and WMI commands").
https://app.any.run/tasks/a8184aa1-1892-4434-82a7-93bbba1364fa/

2.JD.vbe
The malware was prevented from using ADOB.Stream to download something and the script execution was interrupted with error (probably by ASR).
https://app.any.run/tasks/cd3a5e8a-9725-41aa-b3a1-9c554ee198a8/

3. JVC_21555.vbs
The malware (QBOT) is going to download and run a payload. This should be prevented by ASR rule "Impede JavaScript and VBScript to launch executables" (the name of this rule was changed by MS to "Block JavaScript or VBScript from launching downloaded executable content").
https://app.any.run/tasks/0e65507e-685a-4b68-9358-7dc619c8b4c2/

4.ps.ps1
This malicious script is going to download and run the EMOTET trojan. Blocked probably by ASR.
https://app.any.run/tasks/7e5fab0a-d591-4dde-b33f-2fe1501a3941/

5. Order_2718032693_Proforma_invoice.jar
This is Adwind RAT.
WD has allowed the malware on the initial stage, but it seems that the malicious actions were neutralized.
"This initial process executed js script which in turn ran one more js script and another .jar file. JS script also used Task Scheduler to run itself later. Jar file started a series of malicious activities such as using attrib.exe to mark files or folders as hidden, running VBS script files, changing the autorun value in the registry and more. It has been noted that sometimes Jar file runs a series of taskkill commands to shutdown processes by their names based on a list that contains names of system processes, names of common Anti-virus programs and analyzing programs, such as wireshark.exe, procexp.exe, processhacker.exe and so on."
https://any.run/malware-trends/adwin

Thanks to @SeriousHoax and other testers for their excellent job.:)
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
Some notes about the last WD test made by @SeriousHoax:

1. AL_5014513395824.vbs
The malware uses WMI to run payload. This should be blocked by ASR if it did not auto terminate (ASR rule "Block process creations originating from PSExec and WMI commands").
https://app.any.run/tasks/a8184aa1-1892-4434-82a7-93bbba1364fa/

2.JD.vbe
The malware was prevented from using ADOB.Stream to download something and the script execution was interrupted with error (probably by ASR).
https://app.any.run/tasks/cd3a5e8a-9725-41aa-b3a1-9c554ee198a8/

3. JVC_21555.vbs
The malware (QBOT) is going to download and run a payload. This should be prevented by ASR rule "Impede JavaScript and VBScript to launch executables" (the name of this rule was changed by MS to "Block JavaScript or VBScript from launching downloaded executable content").
https://app.any.run/tasks/0e65507e-685a-4b68-9358-7dc619c8b4c2/

4.ps.ps1
This malicious script is going to download and run the EMOTET trojan. Blocked probably by ASR.
https://app.any.run/tasks/7e5fab0a-d591-4dde-b33f-2fe1501a3941/

5. Order_2718032693_Proforma_invoice.jar
This is Adwind RAT.
WD has allowed the malware on the initial stage, but it seems that the malicious actions were neutralized.
"This initial process executed js script which in turn ran one more js script and another .jar file. JS script also used Task Scheduler to run itself later. Jar file started a series of malicious activities such as using attrib.exe to mark files or folders as hidden, running VBS script files, changing the autorun value in the registry and more. It has been noted that sometimes Jar file runs a series of taskkill commands to shutdown processes by their names based on a list that contains names of system processes, names of common Anti-virus programs and analyzing programs, such as wireshark.exe, procexp.exe, processhacker.exe and so on."
https://any.run/malware-trends/adwin

Thanks to @SeriousHoax and other testers for their excellent job.:)
WoW this is nice. While testing I do what I can with the tools I have to check for malicious activities. Since you know a lot more about WD, ASR etc, this thorough analysis of your is highly appreciated. Keep it up 👌
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
WoW this is nice. While testing I do what I can with the tools I have to check for malicious activities. Since you know a lot more about WD, ASR etc, this thorough analysis of your is highly appreciated. Keep it up 👌
I will try, but I do not think that it is necessary to understand the tests on Malware Hub. I was just curious about what these malware samples could do.(y):)
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Congrats to Eset for the quick signature of poy.js malware.:)
They've been crazy crazy good at this especially since v13. Most of the zero days I analyze are dynamically generated Mac malware and I've found dozens in the last week where VT detection rates are 2 or 3 out of 69 and ESET is always amongst the 2 that detect it, and it detects whatever you feed at it. They somehow manage to detect zero-day variations of existing malware using generic signatures but they don't suffer from frequent false positives which is usually what happens with other vendors' AI-based engines (like Symantec's AdvML.x signatures, which seem to nab corporate Powershell scripts once a month or two if you crawl back on their forums)
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
I was not sure where to mention this, while testing Windows Defender in Shadow Defender, its Cloud protection is not working. That's why I was not able to test the last malware pack. Tried again today and same result. I had this problem before and was fixed automatically. So, I won't be able to test WD until that and might test other AVs in the meantime.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
I was not sure where to mention this, while testing Windows Defender in Shadow Defender, its Cloud protection is not working. That's why I was not able to test the last malware pack. Tried again today and same result. I had this problem before and was fixed automatically. So, I won't be able to test WD until that and might test other AVs in the meantime.
This issue with ShadowDefender should be solved by leaving the ShadowMode, setting WD with ConfigureDefender, checking/correcting the settings in WD Security Center, restarting the computer, and entering the ShadowMode again.(y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top