ConfigureDefender utility for Windows 10/11

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
@Andy Ful

A friend of mine, who has studied IT security, advised me to add this registry tweak instead of adding Windows and Program Files to the exclusions of Windows Defender. I am using an old laptop and he told me this was a 'safer' tweak than adding UAC-protected folders to the Windows Defender exclusions. I know it is choosing between two non-ideal options, but what is your opinion about it?

Performance tweak: set the real-time scan direction to check only when writing files (on-access scan of incoming files; disables the on-access open check).

Microsoft Docs said:
Specifies scanning configuration for incoming and outgoing files on NTFS volumes. The acceptable values for this parameter are:

  • 0: Scan both incoming and outgoing files. This is the default.
  • 1: Scan incoming files only.
  • 2: Scan outgoing files only.
Specify a value for this parameter to enhance performance on servers which have a large number of file transfers, but need scanning for either incoming or outgoing files. Evaluate this configuration based on the server role. For non-NTFS volumes, Windows Defender performs full monitoring of file and program activity.

I have removed UAC-protected folders from the exclusions and added this tweak (Set-MpPreference and Regedit).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
On my computer, WD behaves well. So, performance tweaks are not required. The policy you mentioned ("Real-time scan direction" policy) can be applied on Windows Home by the reg tweak:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"RealtimeScanDirection"=dword:00000001

It can enhance the performance when one opens a folder with many executables. But I did not notice any impact on the performance while copying folders with many executables. (y)

Whitelisting "Windows" and "Program Files" folder can have other performance advantages, because the writes to these folders are not checked. It is hard to say if the "Real-time scan direction" policy is safer than whitelisting system folders. In both cases, the system has to be first compromised - the rest depends on the malware. Both cases can be used to obtain malware persistence.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
I set updates to metered connection and disabled updates for 2 weeks to confirm if WD will automatically update signatures. The current signature version on my computer is 1.307.1571.0 .
WD has been updated to ver. 1.307.1633.0 (03.01.2020 11:53). I did not change the settings - the Windows Updates are deferred to 16.01.2020 (will be resumed 17.01.2020) and the metered connection is enabled.

I will keep the current settings for a while to see what will happen.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
On my computer, WD behaves well. So, performance tweaks are not required. The policy you mentioned ("Real-time scan direction" policy) can be applied on Windows Home by the reg tweak:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"RealtimeScanDirection"=dword:00000001

It can enhance the performance when one opens a folder with many executables. But I did not notice any impact on the performance while copying folders with many executables. (y)

Whitelisting "Windows" and "Program Files" folder can have other performance advantages, because the writes to these folders are not checked. It is hard to say if the "Real-time scan direction" policy is safer than whitelisting system folders. In both cases, the system has to be first compromised - the rest depends on the malware. Both cases can be used to obtain malware persistence.

My guess why disabling write was a bit safer and nearly as effective as disabling the scan (read+write) of system folders:

1. I did not know that the execution check would still be enabled when excluding folders from the scan (so the process execution check is done in both scenarios).

2. When malware is dropped, it has to be written to the disk, so keeping write enabled seemed safer.

3. Write once, read many: because Windows 10 normally behaves well as a basic user, I thought 'disabling read' would be as effective as 'disabling read+write' in practice.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
Lenny_Linux,
I have no time now to test it, but there are some questions related to the "Real-time scan direction" policy:
  1. What is the exact meaning of the terms "incoming" and "outgoing" in relation to NTFS drive?
  2. Is the file "outgoing" when copied on the same NTFS drive?
  3. Is the file "outgoing" when copied to different NTFS drive?
  4. Is the file "outgoing" when moved on the same NTFS drive?
  5. Is the file "outgoing" when moved on to different NTFS drive?
  6. Is the file "outgoing" when executed from NTFS drive?
  7. Is the file "outgoing" when copied from NTFS drive to FAT32 flash drive?
  8. Is the file "outgoing" when copied from FAT32 flash drive to NTFS drive?
  9. Similar questions for "incoming".
Without testing, I could guess that "outgoing" means 3, 5, 7.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
My settings are a little different. I don't allow updates over the metered connection because I was using that as the update deferral method before 1903.
You have a disabled metered connection. So, I will also disable it, to see what will happen. The current signature version is 1.307.1660.0. (y)
In the settings from my previous post (Windows Updates deferred, metered connection enabled), the WD signatures are updated normally.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
I noticed an interesting event related to WD Cloud delivered detection. When compiling the new version of Hard_Configurator executable, it was checked by the WD cloud and the file was not executed at all. So, WD Cloud delivered protection can be triggered not only when the file has MOTW (via BAFS) or when it is executed.
A similar block could be seen also when the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" was applied (I have it currently disabled).

The information about cloud check is not available via WD Security Center, but can be seen from the WD Log (for example c:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20191218-140027.log):

Code:
Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=false, resource="\Device\HarddiskVolume2\Users\.......\AppData\Local\AutoIt v3\Aut2exe\~AUCBC2.tmp.exe"
2020-01-04T11:55:56.830Z [MpRtp] Engine VFZ lofi/sample/expensive: \Device\HarddiskVolume2\Users\........\AppData\Local\AutoIt v3\Aut2exe\~AUCBC2.tmp.exe. status=0x40050000, statusex=0x0, threatid=0x80000000, sigseq=0x157e833e0325
Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=false, resource="\\?\C:\Users\......\AppData\Local\AutoIt v3\Aut2exe\~AUCBC2.tmp.exe"
2020-01-04T11:55:57.001Z [Cloud] Engine is requesting config to do cloud query [regular network].
2020-01-04T11:55:57.033Z [Cloud] SubmitReport(CMpSpyDssContext), ShouldSendEvenOnPaidNetworks: 1
2020-01-04T11:55:57.033Z [Cloud] Start of cloud request.
2020-01-04T11:55:57.033Z [Cloud] Queued cloud request.
2020-01-04T11:55:57.033Z [Cloud] MpEngineCloudRequest(). hr = 0x0
2020-01-04T11:55:57.033Z [Cloud] Dequeued cloud request.
2020-01-04T11:55:57.033Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0x0
Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=false, resource="\Device\HarddiskVolume2\Users\.......\AppData\Local\AutoIt v3\Aut2exe\RCXD970.tmp"
2020-01-04T11:55:57.580Z [MpRtp] Engine VFZ lofi/sample/expensive: \Device\HarddiskVolume2\Users\........\AppData\Local\AutoIt v3\Aut2exe\RCXD970.tmp. status=0x40050000, statusex=0x0, threatid=0x80000000, sigseq=0x157e833e0325
Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=true, resource="\Device\HarddiskVolume2\Windows\Hard_Configurator\Hard_Configurator.exe"
2020-01-04T11:55:57.955Z Dynamic signature received

The new compiled file was checked against the cloud backend and the new dynamic signature was received from the cloud.
 
Last edited:
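As an added example (not code from the post or from the Hard_Configurator project), a small Python parser over constructed lines in the same MPLog format as the excerpt above: it collects the Lowfi signature matches, counts the cloud requests and dynamic signatures that follow, and reports which files needed a fresh cloud verdict (cached=false) as opposed to a cached one. That a "Lowfi" (low-fidelity) match is what defers the verdict to the cloud is my reading of the log, not something the post states.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the MPLog excerpt quoted above (user name replaced by "user").
SAMPLE_MPLOG = r'''Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=false, resource="\Device\HarddiskVolume2\Users\user\AppData\Local\AutoIt v3\Aut2exe\~AUCBC2.tmp.exe"
2020-01-04T11:55:56.830Z [MpRtp] Engine VFZ lofi/sample/expensive: \Device\HarddiskVolume2\Users\user\AppData\Local\AutoIt v3\Aut2exe\~AUCBC2.tmp.exe. status=0x40050000, statusex=0x0, threatid=0x80000000, sigseq=0x157e833e0325
2020-01-04T11:55:57.001Z [Cloud] Engine is requesting config to do cloud query [regular network].
2020-01-04T11:55:57.033Z [Cloud] Start of cloud request.
2020-01-04T11:55:57.033Z [Cloud] MpEngineCloudRequest(). hr = 0x0
Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=true, resource="\Device\HarddiskVolume2\Windows\Hard_Configurator\Hard_Configurator.exe"
2020-01-04T11:55:57.955Z Dynamic signature received'''.splitlines()

SIG_PREFIX = "Internal signature match:"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]+))')  # key=value or key="quoted value"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T[\d:.]+Z) (?:\[(\w+)\] )?(.*)$")  # timestamp [Source] message

@dataclass
class LowfiHit:
    resource: str  # file matching a low-fidelity signature (assumed: one that defers to the cloud)
    cached: bool   # True: verdict came from the engine cache, no fresh cloud query for this file
    sigseq: int    # signature sequence, normalised (the log prints it with and without leading zeros)

def parse_signature_match(line):
    """Parse an 'Internal signature match' line; None for other lines or non-Lowfi subtypes."""
    if not line.startswith(SIG_PREFIX):
        return None
    kv = {k: (q or u).strip() for k, q, u in KV_RE.findall(line[len(SIG_PREFIX):])}
    if kv.get("subtype") != "Lowfi":
        return None
    return LowfiHit(kv["resource"], kv.get("cached") == "true", int(kv["sigseq"], 16))

def summarize_mplog(lines):
    """Return (Lowfi hits, cloud requests started, dynamic signatures received)."""
    hits, cloud_requests, dynamic_sigs = [], 0, 0
    for line in lines:
        hit = parse_signature_match(line)
        m = TS_RE.match(line)
        if hit:
            hits.append(hit)
        elif m and m.group(2) == "Cloud" and m.group(3).startswith("Start of cloud request"):
            cloud_requests += 1
        elif m and m.group(2) is None and m.group(3).startswith("Dynamic signature received"):
            dynamic_sigs += 1
    return hits, cloud_requests, dynamic_sigs

def files_sent_to_cloud(lines):
    """Resources whose Lowfi match was not cached, i.e. the ones that needed a fresh cloud verdict."""
    return [h.resource for h in summarize_mplog(lines)[0] if not h.cached]
```

On the sample, summarize_mplog(SAMPLE_MPLOG) yields two Lowfi hits, one cloud request and one dynamic signature, and files_sent_to_cloud() names only the freshly compiled temporary executable, since the Hard_Configurator.exe match was served from the cache.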

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
Let us know when new version is released and the download Is trusted by Microsoft.
I always publish only the installers/executables that were accepted by Microsoft (and some other AV vendors). If not then they will be detected as a HackTool.
For half a year now, the executables have been digitally signed, so they are rather quickly trusted by SmartScreen too. (y)
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
@Andy Ful

As far as I understand the file is checked when closed (written) to an NTFS drive, so it checks incoming files.

People on security forums often complain that Windows Defender does not have a cache of checked executables, so it would be checked on any write.

My friend who gave me this tip, thinks files which are group signed by Microsoft are checked differently, because they seem to load faster.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
@Andy Ful
...
People on security forums often complain that Windows Defender does not have a cache of checked executables, so it would be checked on any write.
...
WD creates a cache of checked files, but this cache is cleared on Windows restart/shutdown. If you set WD to check only incoming files, then it probably works as if the cache was never cleared. I noticed that the WD engine was not triggered while opening a folder with many executables (first opening after the restart).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
You have a disabled metered connection. So, I will also disable it, to see what will happen. The current signature version is 1.307.1660.0. (y)
In the settings from my previous post (Windows Updates deferred, metered connection enabled), the WD signatures are updated normally.
After one day, I noticed the WD signature update to version 1.307.1744.0 .
I keep WD to defer signatures (until 16.01.2020) with disabled metered connection:



This is what I would expect from the applied settings. I wonder what is the reason for not getting the signature updates by @South Park? Maybe there are some problems with the Internet connection soon after starting Windows? In my case, the signature update was made after starting the system. Does anybody have similar problems?
I will try to not restart/shut down the system for two days to see if that matters.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
After one day, I noticed the WD signature update to version 1.307.1744.0 .
I keep WD to defer signatures (until 16.01.2020) with disabled metered connection:


This is what I would expect from the applied settings. I wonder what is the reason for not getting the signature updates by @South Park? Maybe there are some problems with the Internet connection soon after starting Windows? In my case, the signature update was made after starting the system. Does anybody have similar problems?
I will try to not restart/shut down the system for two days to see if that matters.
After one day, I have got the signature update to version 1.307.1806.0 .
So, deferring Windows Updates and changing metered connection settings do not prevent WD signature updates. Furthermore, it is not required to reboot the system to get signature updates.
My tests were done on Windows 10 Pro 64-bit ver. 1909.
If there is a problem with WD signature updates, then it is probably related to something else. (y)
 
Last edited:

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
If there is a problem with WD signature updates, then it is probably related to something else. (y)

Hmmm, I'm wondering if VoodooShield's Whitelist Cloud is the culprit? I started this morning and WD failed to update since yesterday. So for now I have uninstalled VS and reset Windows firewall to test. I am not a fan of WLC feature in VS. I believe it has caused problems to the application.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
Hmmm, I'm wondering if VoodooShield's Whitelist Cloud is the culprit? I started this morning and WD failed to update since yesterday. So for now I have uninstalled VS and reset Windows firewall to test. I am not a fan of WLC feature in VS. I believe it has caused problems to the application.
It would be very strange. VoodooShield should not block WD processes (as far as I know). :unsure:
In my case, I noticed several times in the past that a WD signature update failed due to the lack of a connection with my router. I usually do not set an automatic wireless connection, but do it manually. Sometimes, WD asks for signatures before the connection is established (after starting Windows).
I wonder what will be the source of your issue.
 
