ConfigureDefender utility for Windows 10/11

[Bryan320]

South park you must of killed Kenny. on a more serious note i'm happy that Microsoft uses mostly cloud to protect against new malware...

 

[Pat MacKnife]

Got an update this morning 1.307.1626.0

 

[Lenny_Fox]

@Andy Ful

A friend of me who has studied IT-security, advised me to add this registry tweak in stead of adding Windows and Program Files to the exclusions of Windows_Defender. I am using an old laptop and he told me this was a 'safer' tweak than adding UAC protected folders to the Windows Defender exclusions. I know it is choosing between two non-ideal options, but what is your opinion about it?

Performance tweak: Set real time scan direction to check only when writing files (on access scan incoming, disables on access open check).

Specifies scanning configuration for incoming and outgoing files on NTFS volumes. The acceptable values for this parameter are:

• 0: Scan both incoming and outgoing files. This is the default.
• 1: Scan incoming files only.
• 2: Scan outgoing files only.

Specify a value for this parameter to enhance performance on servers which have a large number of file transfers, but need scanning for either incoming or outgoing files. Evaluate this configuration based on the server role. For non-NTFS volumes, Windows Defender performs full monitoring of file and program activity

I have removed UAC protected folders from exclusions and added this tweak (Set-MpPreference and Regedit)

 

[Andy Ful]

On my computer, WD behaves well. So, performance tweaks are not required. The policy you mentioned ("Real-time scan direction" policy) can be applied on Windows Home by the reg tweak:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"RealtimeScanDirection"=dword:00000001

It can enhance the performance when one opens the folder with many executables. But, I did not notice any impact on the performance while copying folders with many executables.

Whitelisting "Windows" and "Program Files" folder can have other performance advantages, because the writes to these folders are not checked. It is hard to say if the "Real-time scan direction" policy is safer than whitelisting system folders. In both cases, the system has to be first compromised - the rest depends on the malware. Both cases can be used to obtain malware persistence.

 

[Andy Ful]

I set updates to metered connection and disabled updates for 2 weeks to confirm if WD will automatically update signatures. The current signature version on my computer is 1.307.1571.0 .

WD has been updated to ver. 1.307.1633.0 (03.01.2020 11:53). I did not change the settings - the Windows Updates are deferred to 16.01.2020 (will be resumed 17.01.2020) and the metered connection is enabled.

I will keep the current settings for a while to see what will happen.

 

[South Park]

My settings are a little different. I don't allow updates over the metered connection because I was using that as the update deferral method before 1903.

 

[Lenny_Fox]

On my computer, WD behaves well. So, performance tweaks are not required. The policy you mentioned ("Real-time scan direction" policy) can be applied on Windows Home by the reg tweak:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"RealtimeScanDirection"=dword:00000001

It can enhance the performance when one opens the folder with many executables. But, I did not notice any impact on the performance while copying folders with many executables.

Whitelisting "Windows" and "Program Files" folder can have other performance advantages, because the writes to these folders are not checked. It is hard to say if the "Real-time scan direction" policy is safer than whitelisting system folders. In both cases, the system has to be first compromised - the rest depends on the malware. Both cases can be used to obtain malware persistence.

My guess why disabling write was a bit safer and nearly as effective as disable scan (read+write) system folders

1. I did not know that the execution check would still be enabled when excluding folders from scan (so process execution check is done in both scenario's).

2. When a malware is dropped, it has to be written to the disk, so keeping write enabled seemed safer

3. Write once read many: because Windows10 normally behaves well as a basic user, I thought 'disabling read' would be as effective as 'disabling read+write' in practice

 

[Andy Ful]

Lenny_Linux,
I have no time now to test it, but there are some questions related to the "Real-time scan direction" policy:

1. What is the exact meaning of the terms "incoming" and "outgoing" in relation to NTFS drive?
2. Is the file "outgoing" when copied on the same NTFS drive?
3. Is the file "outgoing" when copied to different NTFS drive?
4. Is the file "outgoing" when moved on the same NTFS drive?
5. Is the file "outgoing" when moved on to different NTFS drive?
6. Is the file "outgoing" when executed from NTFS drive?
7. Is the file "outgoing" when copied from NTFS drive to FAT32 flash drive?
8. Is the file "outgoing" when copied from FAT32 flash drive to NTFS drive?
9. Similar questions for "incoming".

Without testing, I could guess that "outgoing" means 3, 5, 7.

 

[Andy Ful]

My settings are a little different. I don't allow updates over the metered connection because I was using that as the update deferral method before 1903.View attachment 231586

You have a disabled metered connection. So, I will also disable it, to see what will happen. The current signature version is 1.307.1660.0.
In the settings from my previous post (Windows Updates deferred, meter connection enabled), the WD signatures are updated normally.

 

[Andy Ful]

I noticed an interesting event related to WD Cloud delivered detection. When compiling the new version of Hard_Configurator executable, it was checked by the WD cloud and the file was not executed at all. So, WD Cloud delivered protection can be triggered not only when the file has MOTW (via BAFS) or when it is executed.
A similar block could be seen also when the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" was applied (I have it currently disabled).

The information about cloud check is not available via WD Security Center, but can be seen from the WD Log (for example c:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20191218-140027.log):

Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=false, resource="\Device\HarddiskVolume2\Users\.......\AppData\Local\AutoIt v3\Aut2exe\~AUCBC2.tmp.exe"
2020-01-04T11:55:56.830Z [MpRtp] Engine VFZ lofi/sample/expensive: \Device\HarddiskVolume2\Users\........\AppData\Local\AutoIt v3\Aut2exe\~AUCBC2.tmp.exe. status=0x40050000, statusex=0x0, threatid=0x80000000, sigseq=0x157e833e0325
Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=false, resource="\\?\C:\Users\......\AppData\Local\AutoIt v3\Aut2exe\~AUCBC2.tmp.exe"
2020-01-04T11:55:57.001Z [Cloud] Engine is requesting config to do cloud query [regular network].
2020-01-04T11:55:57.033Z [Cloud] SubmitReport(CMpSpyDssContext), ShouldSendEvenOnPaidNetworks: 1
2020-01-04T11:55:57.033Z [Cloud] Start of cloud request.
2020-01-04T11:55:57.033Z [Cloud] Queued cloud request.
2020-01-04T11:55:57.033Z [Cloud] MpEngineCloudRequest(). hr = 0x0
2020-01-04T11:55:57.033Z [Cloud] Dequeued cloud request.
2020-01-04T11:55:57.033Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0x0
Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=false, resource="\Device\HarddiskVolume2\Users\.......\AppData\Local\AutoIt v3\Aut2exe\RCXD970.tmp"
2020-01-04T11:55:57.580Z [MpRtp] Engine VFZ lofi/sample/expensive: \Device\HarddiskVolume2\Users\........\AppData\Local\AutoIt v3\Aut2exe\RCXD970.tmp. status=0x40050000, statusex=0x0, threatid=0x80000000, sigseq=0x157e833e0325
Internal signature match:subtype=Lowfi, sigseq=0x0000157E833E0325, sigsha=566fb1f9753a4facdb0359bca55e538b2ef383b6, cached=true, resource="\Device\HarddiskVolume2\Windows\Hard_Configurator\Hard_Configurator.exe"
2020-01-04T11:55:57.955Z Dynamic signature received

The new compiled file was checked against the cloud backend and the new dynamic signature was received from the cloud.

 

[Gandalf_The_Grey]

Looking forward to the new version of Hard_Configurator

 

[Bryan320]

Let us know when new version is released and the download Is trusted by Microsoft.

 

[Andy Ful]

Let us know when new version is released and the download Is trusted by Microsoft.

I always publish only the installers/executables that were accepted by Microsoft (and some other AV vendors). If not then they will be detected as a HackTool.
From half of the year, the executables are digitally signed, so they are rater quickly trusted by SmartScreen too.

 

[Lenny_Fox]

@Andy Ful

As far as I understand the file is checked when closed (written) to an NTFS drive, so it checks incoming files.

People on security forums often complain that Windows Defender does not has a cache of checked executables, so it would br checked on any write.

My friend who gave me this tip, thinks files which are group signed by Microsoft are checked differently, because they seem to load faster.

 

[Andy Ful]

@Andy Ful
...
People on security forums often complain that Windows Defender does not has a cache of checked executables, so it would br checked on any write.
...

WD creates the cache of checked files, but this cache is cleared on Windows restart/shutdown. If you set to check only incoming files, then WD probably works as if the cache was never cleared. I noticed that WD engine was not triggered while opening the folder with many executables (first opening after the restart).

 

[Andy Ful]

You have a disabled metered connection. So, I will also disable it, to see what will happen. The current signature version is 1.307.1660.0.
In the settings from my previous post (Windows Updates deferred, meter connection enabled), the WD signatures are updated normally.

After one day, I noticed the WD signature update to version 1.307.1744.0 .
I keep WD to defer signatures (until 16.01.2020) with disabled metered connection:

This is what I would expect from the applied settings. I wonder what is the reason for not getting the signature updates by @South Park? Maybe there are some problems with the Internet connection soon after starting Windows? In my case, the signature update was made after starting the system. Does anybody have similar problems?
I will try to not restart/shut down the system for two days to see if that matters.

 

[oldschool]

Does anybody have similar problems?

When it did not update as in my post above, my machine was in sleep mode. My sense is this is the reason. It always updates after shutdown/startup otherwise.Today it is @ Antivirus Version: 1.307.1762.0

 

[Andy Ful]

After one day, I noticed the WD signature update to version 1.307.1744.0 .
I keep WD to defer signatures (until 16.01.2020) with disabled metered connection:

View attachment 231660

This is what I would expect from the applied settings. I wonder what is the reason for not getting the signature updates by @South Park? Maybe there are some problems with the Internet connection soon after starting Windows? In my case, the signature update was made after starting the system. Does anybody have similar problems?
I will try to not restart/shut down the system for two days to see if that matters.

After one day, I have got the signature update to version 1.307.1806.0 .
So, deferring Windows Updates and changing metered connection settings do not prevent WD signature updates. Furthermore, it is not required to reboot the system to get signature updates.
My tests were done on Windows 10 Pro 64-bit ver. 1909.
If there is a problem with WD signature updates, then it is probably related to something else.

 

[oldschool]

If there is a problem with WD signature updates, then it is probably related to something else.

Hmmm, I'm wondering if VoodooShield's Whitelist Cloud is the culprit? I started this morning and WD failed to update since yesterday. So for now I have uninstalled VS and reset Windows firewall to test. I am not a fan of WLC feature in VS. I believe it has caused problems to the application.

 

[Andy Ful]

Hmmm, I'm wondering if VoodooShield's Whitelist Cloud is the culprit? I started this morning and WD failed to update since yesterday. So for now I have uninstalled VS and reset Windows firewall to test. I am not a fan of WLC feature in VS. I believe it has caused problems to the application.

It would be very strange. VoodooShield should not block WD processes (as far I know).
In my case, I noticed several times in the past that WD signature update failed due to the lack of connection with my router. I usually do not set an automatic wireless connection, but do it manually. Sometimes, WD asks about signatures before the connection is established (after starting WIndows).
I wonder what will be the source of your issue.