ConfigureDefender utility for Windows 10/11

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Here is a simple VBS script to check the ASR rule related to running something via WMI:
Code:
'Using WMI Win32_Process
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 0
set process = GetObject("winmgmts:Win32_Process")
result = process.Create ("powershell_ise",null,objConfig,processid)
WScript.Quit

It should be blocked if the rule "Block process creations originating from PSExec and WMI commands" (d1e49aac-8f56-4280-b9ba-993a6d77406c) is enabled. If not blocked, then it will run the PowerShell script editor/debugger (PowerShell Integrated Scripting Environment).
 
Last edited:

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
I doubt there is anyone working for Microsoft who knows everything about every aspect of Windows. It's just too vast and constantly changing. The experts are compartmentalized.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
I think that he knows about Windows Home capabilities, but the article is related to Microsoft Defender ATP (paid software) which is not available on Windows Home. Technically he is not wrong, but simply not especially precise when ignoring Windows Home. The same approach is visible in MS documentation, so the only way is testing the advanced WD features on Windows Home to see how they work.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Both should apply their mitigations. So, if you will apply the mitigation A by HMPA and mitigation B by Exploit Guard, then both should work. Of course, two anti-exploit solutions can sometimes produce conflicts.
 

Vitali Ortzi

Level 27
Verified
Top Poster
Well-known
Dec 12, 2016
1,607
Both should apply their mitigations. So, if you will apply the mitigation A by HMPA and mitigation B by Exploit Guard, then both should work. Of course, two anti-exploit solutions can sometimes produce conflicts.
I haven't seen good documents on hitman pro alert so i can't understand
What defenders exploit guard can defend that hitman lacks ?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602

Vitali Ortzi

Level 27
Verified
Top Poster
Well-known
Dec 12, 2016
1,607
This is a good question for the developer.:)
There is some information on the developer website (slightly outdated):
Thanks so much for researching the
Web!
Shame on sophos on yhe lack of documentation despite hitman pro alert being exported to intercept x endpoint protection !
Not much enterprise venders have this much lack of documentation !
Im abandoning these products unfortunately
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Thanks so much for researching the
Web!
Shame on sophos on yhe lack of documentation despite hitman pro alert being exported to intercept x endpoint protection !
Not much enterprise venders have this much lack of documentation !
Im abandoning these products unfortunately
This job was not done by me. I found this document in one of the posts of @Sampei Nihira, when we discussed his Windows XP config.:)
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
117
Is there a way to troubleshoot this? I have tried disabling the AV (trend Micro), but still doesn't work. I don't have any other security tool.

1588110810107.png
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,707
So the exploit guard settings (not the AV ones) only apply if windows defender is enable? Is tied to WD?

Yes, but you may use exploit protection for browsers and other programs in Windows Security Center>App and browser control>Exploit protection settings. These are OS protection capabilities separate from Windows Defender.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Windows Defender has received a new program update today: KB4052623 (Version 4.18.2004.6)
Haven't found any changelog yet:
Strange, I have got this Windows Update KB4052623 in February (27.02.2020).:unsure:
It seems that KB4052623 may update different versions (mine was 4.18.2001.10). My current version is also 4.18.2004.6, but was done via normal WD signature updates (21.04.2020) and not by Windows Updates.
 
Last edited:

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,877
Strange, I have got this Windows Update KB4052623 in February (27.02.2020).:unsure:
It seems that KB4052623 may update different versions (mine was 4.18.2001.10). My current version is also 4.18.2004.6, but was done via normal WD signature updates (21.04.2020) and not by Windows Updates.
I noticed this too. Same KB version for both updates. My one was downloaded by signature update too.
One thing that I noticed is that, since the 4.18.2001.10 came out, after installing a new Windows, it always downloads this update before downloading any newer one's. I guess from now on after this 4.18.2004.6 update, Windows will download this one instead of the older one. This is probably their cumulative product updates for Windows Defender. Anyway, I'm just guessing this because of the same KB version.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top