ConfigureDefender utility for Windows 10/11

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
VoodooShield should not block WD processes (as far as I know).:unsure:
... I wonder what will be the source of your issue.


Indeed, except WLC has the funny Windows Firewall feature (it can create rules for non-whitelisted files, which I do not enable.) I will just run WD alone for a couple of days and see what happens.

(Edit in italics)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
So after the Run by Smartscreen utility & Configure Defender thread, I have now finished reading this whole thread, but I still wonder if the Office ASR rules protect other office programs like Libre Office?
Now I start reading the hard configurator thread and just want to say a big thanks for your great work, Andy!
There are some ASR rules that can protect only MS Office, Outlook, Adobe Reader. The rest can protect all applications (these ASR rules do not contain the words "Office" and "email").
 

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,401
Andy, why is this showing up in the Security log, once or twice a day since Jan 8th.

User Name: NT AUTHORITY\SYSTEM
Computer: DESKTOP-FCJKD3Q
Description:
Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

Event[1]:
*****************************************
*****************************************
Date: 2020-01-27 Time: 08:32:08.977
Event ID: 5007
(Changed Windows Defender settings)

Thanks.
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,233
Andy, why is this showing up in the Security log, once or twice a day since Jan 8th.

User Name: NT AUTHORITY\SYSTEM
Computer: DESKTOP-FCJKD3Q
Description:
Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

Event[1]:
*****************************************
*****************************************
Date: 2020-01-27 Time: 08:32:08.977
Event ID: 5007
(Changed Windows Defender settings)

Thanks.
That's when WD updates.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Andy, why is this showing up in the Security log, once or twice a day since Jan 8th.

User Name: NT AUTHORITY\SYSTEM
Computer: DESKTOP-FCJKD3Q
Description:
Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

Event[1]:
*****************************************
*****************************************
Date: 2020-01-27 Time: 08:32:08.977
Event ID: 5007
(Changed Windows Defender settings)

Thanks.
"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1"
means that Windows Defender service was activated.
This happens when you (re)start your computer. As @Gandalf_The_Grey already noticed, this can also happen when WD is updating. You can compare the time of the last such event with the last system start or WD update.
If it is not correlated with the above events, then something else (also malware) could interfere with the WD service. But I have not heard of malware that wanted to turn ON the WD service.:)(y)
 
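The check Andy describes (compare the time of each "configuration changed" event with the last system start or definition update) can be scripted. The following is an added example, not code from the thread or from ConfigureDefender. It assumes Windows 10/11 with Defender active and an elevated PowerShell window; it reads event ID 5007 and the definition-update event ID 2000 from the Defender Operational log, and the "Event Log service started" event ID 6005 from the System log, then labels each 5007 event by what happened within a five-minute window of it.

```powershell
# Added example (not from the thread): correlate Defender "configuration changed" events
# (ID 5007, Microsoft-Windows-Windows Defender/Operational) with definition updates
# (ID 2000, same log) and system starts (ID 6005, System log).
# Assumptions: Windows 10/11, Defender enabled, elevated PowerShell; the 5-minute window
# and 30-day lookback are choices made here, not values from the thread.

$defLog = 'Microsoft-Windows-Windows Defender/Operational'
$since  = (Get-Date).AddDays(-30)
$windowMinutes = 5

# 5007 fires for every preference change; keep only the IsServiceRunning ones discussed above.
$changes = Get-WinEvent -FilterHashtable @{ LogName = $defLog; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'IsServiceRunning' }

$updates = Get-WinEvent -FilterHashtable @{ LogName = $defLog; Id = 2000; StartTime = $since } -ErrorAction SilentlyContinue
$boots   = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005; StartTime = $since } -ErrorAction SilentlyContinue

function Test-Near {
    # True when any event in $events lies within $windowMinutes of $time.
    param($events, [datetime]$time)
    foreach ($e in $events) {
        if ([Math]::Abs(($e.TimeCreated - $time).TotalMinutes) -le $windowMinutes) { return $true }
    }
    return $false
}

foreach ($c in $changes) {
    $t = $c.TimeCreated
    $reason = if (Test-Near $boots $t)        { 'system start' }
              elseif (Test-Near $updates $t)  { 'definition update' }
              else                            { 'UNEXPLAINED - review manually' }
    [PSCustomObject]@{ Time = $t; Explanation = $reason }
}
```

Anything reported as UNEXPLAINED is the case Andy describes as worth a closer look: a service (re)activation with no nearby boot or update. Widen the window if your machine applies updates slowly, but keep it small enough that unrelated events do not mask a real change.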

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Maybe I have that malware on my system!:LOL::LOL::LOL:
Ha, ha. :)
Such malware would be smarter than the samples in the wild. The smart malware would disable WD temporarily to download the known low-level payload, which could hide deep in the system and would wipe out the traces. After that, WD should be turned on by the malware. Fortunately, this scenario is possible in targeted attacks, but not in widespread attacks.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Today I tried out recommended settings in my Windows 10 virtual machine, and it ran without a hitch, which surprised me.
This inspired me to try recommended settings in my Windows 10 physical machine, and I got the block I was expecting from one of my MS Word add-ons.
See screenshot of WD "protection history."
It's odd that it works differently in VM.
It's nice that Windows Defender now gives such nice logs straight from the system tray icon. :)

The VM is Win10 Enterprise, and the physical machine is Win10 Pro. Maybe that makes a difference?

Annotation 2020-02-12 215645.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Today I tried out recommended settings in my Windows 10 virtual machine, and it ran without a hitch, which surprised me.
This inspired me to try recommended settings in my Windows 10 physical machine, and I got the block I was expecting from one of my MS Word add-ons.
See screenshot of WD "protection history."
It's odd that it works differently in VM.
It's nice that Windows Defender now gives such nice logs straight from the system tray icon. :)

The VM is Windows 10 Enterprise, and the physical machine is Windows 10 Pro. Maybe that makes a difference?

View attachment 233642
It is probable that you did not install the Save Reminder in the VM.
Do you have the file "SaveReminder Ver 2.1.dotm" in the path:
%UserProfile%\Appdata\Roaming\Microsoft\Word\STARTUP
in your VM?

By the way, I think that the file can be excluded in ConfigureDefender ASR Exclusions.
 

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
@Andy Ful I'm wondering how you determined the 3 ASR exclusions you built into ConfigureDefender. I realize these are system files, but I'm wondering what your source reference was to write the exceptions? Was there a specific M$ source or simply based on your extensive Windows knowledge?

I'm asking in order to know the background necessary if one were to deploy WD without ConfigureDefender. 🤔
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
@Andy Ful I'm wondering how you determined the 3 ASR exclusions you built into ConfigureDefender. I realize these are system files, but I'm wondering what your source reference was to write the exceptions? Was there a specific M$ source or simply based on your extensive Windows knowledge?

I'm asking in order to know the background necessary if one were to deploy WD without ConfigureDefender. 🤔
There are 3 ASR rules that do not support ASR exclusions, those beginning with **** in ConfigureDefender.:)(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
@shmu26,
@Andy Ful I think you misunderstood my question. You included 3 exclusions, i.e. pre-written, built-in, in ASR exclusions which are shown below:

View attachment 233662

How did you know to include them? Was there reference material from M$, or simply your working knowledge of Windows? 🤔

Maybe a stupid question?
These exclusions are applied only when the user enables the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", to avoid blocking the native image DLLs. The native image DLLs can be blocked by this ASR rule, because they are not delivered by Microsoft, but created locally on the computer. There is no documentation about it, just my deduction.(y)
 
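Andy's point about exclusions applying only to one rule, and about native-image DLLs being built locally rather than shipped by Microsoft, can be reproduced and verified from PowerShell. This is an added example, not ConfigureDefender's own code and not its built-in exclusion list. It assumes the documented GUID for the "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" rule, uses the .NET Framework native-image folders under %WINDIR%\assembly as illustrative exclusion paths chosen here (the thread's three exclusions are only shown in a screenshot), and runs from an elevated PowerShell window.

```powershell
# Added example (not ConfigureDefender's code): enable one ASR rule, add ASR-only exclusions,
# then verify the state and look at what the rule has blocked or audited.
# Assumptions: the rule GUID is the documented ID for the prevalence/age/trusted-list rule;
# the exclusion paths below are illustrative choices made here, not the thread's exclusions.

$ruleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Start in AuditMode to see what would be blocked; switch to Enabled (Block) once satisfied.
# Add-MpPreference appends to the rule list; Set-MpPreference would replace it.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode

# ASR-only exclusions: they exempt files from ASR rules without excluding them from scanning.
$nativeImageDirs = @(
    "$env:WINDIR\assembly\NativeImages_v4.0.30319_32",
    "$env:WINDIR\assembly\NativeImages_v4.0.30319_64"
)
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $nativeImageDirs

# Verify: rule IDs and actions are parallel arrays (0 = Disabled, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
$idx  = [Array]::IndexOf([string[]]$pref.AttackSurfaceReductionRules_Ids, $ruleId)
if ($idx -ge 0) {
    "Rule $ruleId action = $($pref.AttackSurfaceReductionRules_Actions[$idx])"
} else {
    "Rule $ruleId is not configured"
}
"ASR-only exclusions:"
$pref.AttackSurfaceReductionOnlyExclusions

# ASR hits land in the Defender Operational log: 1121 = blocked, 1122 = audited.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Running the rule in AuditMode for a few days and reading the 1122 events is the safest way to discover which locally generated files (native images, add-ins such as the Save Reminder template mentioned above) need an exclusion before switching to Block.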
