ConfigureDefender utility for Windows 10/11

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Here is a simple VBS script to check the ASR rule related to running something via WMI:
Code: 
'Using WMI Win32_Process
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 0
set process = GetObject("winmgmts:Win32_Process")
result = process.Create ("powershell_ise",null,objConfig,processid)
WScript.Quit

It should be blocked if the rule "Block process creations originating from PSExec and WMI commands" (d1e49aac-8f56-4280-b9ba-993a6d77406c) is enabled. If not blocked, then it will run the PowerShell script editor/debugger (PowerShell Integrated Scripting Environment).
 
Last edited:
  • Like
  • +Reputation
  • Wow
Reactions: Step 1, Protomartyr, simmerskool and 8 others
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
 
  • Like
  • HaHa
Reactions: plat, toto_10, South Park and 6 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Azure said:
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
Click to expand...
I doubt there is anyone working for Microsoft who knows everything about every aspect of Windows. It's just too vast and constantly changing. The experts are compartmentalized.
 
  • Like
Reactions: toto_10, simmerskool, harlan4096 and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Azure said:
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
Click to expand...
I think that he knows about Windows Home capabilities, but the article is related to Microsoft Defender ATP (paid software) which is not available on Windows Home. Technically he is not wrong, but simply not especially precise when ignoring Windows Home. The same approach is visible in MS documentation, so the only way is testing the advanced WD features on Windows Home to see how they work.
 
Last edited:
  • Like
  • +Reputation
Reactions: toto_10, Gandalf_The_Grey, tsunami and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Both should apply their mitigations. So, if you will apply the mitigation A by HMPA and mitigation B by Exploit Guard, then both should work. Of course, two anti-exploit solutions can sometimes produce conflicts.
 
  • Like
  • Thanks
Reactions: simmerskool, Protomartyr, toto_10 and 2 others
Vitali Ortzi

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,321
Andy Ful said:
Both should apply their mitigations. So, if you will apply the mitigation A by HMPA and mitigation B by Exploit Guard, then both should work. Of course, two anti-exploit solutions can sometimes produce conflicts.
Click to expand...
I haven't seen good documents on hitman pro alert so i can't understand
What defenders exploit guard can defend that hitman lacks ?
 
  • Like
Reactions: Protomartyr and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
  • Like
  • +Reputation
Reactions: toto_10, simmerskool, Protomartyr and 4 others
Vitali Ortzi

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,321
Andy Ful said:
This is a good question for the developer.:)
There is some information on the developer website (slightly outdated):
Click to expand...
Thanks so much for researching the
Web!
Shame on sophos on yhe lack of documentation despite hitman pro alert being exported to intercept x endpoint protection !
Not much enterprise venders have this much lack of documentation !
Im abandoning these products unfortunately
 
  • Like
Reactions: toto_10, simmerskool, Protomartyr and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Vitali Ortzi said:
Thanks so much for researching the
Web!
Shame on sophos on yhe lack of documentation despite hitman pro alert being exported to intercept x endpoint protection !
Not much enterprise venders have this much lack of documentation !
Im abandoning these products unfortunately
Click to expand...
This job was not done by me. I found this document in one of the posts of @Sampei Nihira, when we discussed his Windows XP config.:)
 
  • Like
Reactions: Step 1, toto_10, simmerskool and 6 others
L

l0rdraiden

Level 3
Verified
Jul 28, 2017
117
Is there a way to troubleshoot this? I have tried disabling the AV (trend Micro), but still doesn't work. I don't have any other security tool.

1588110810107.png
 
  • Like
Reactions: harlan4096, toto_10 and Andy Ful
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,596
l0rdraiden said:
So the exploit guard settings (not the AV ones) only apply if windows defender is enable? Is tied to WD?
Click to expand...

Yes, but you may use exploit protection for browsers and other programs in Windows Security Center>App and browser control>Exploit protection settings. These are OS protection capabilities separate from Windows Defender.
 
  • Like
Reactions: Andy Ful, SeriousHoax, toto_10 and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
SeriousHoax said:
Windows Defender has received a new program update today: KB4052623 (Version 4.18.2004.6)
Haven't found any changelog yet:

Microsoft Update Catalog

www.catalog.update.microsoft.com
Click to expand...
Strange, I have got this Windows Update KB4052623 in February (27.02.2020).:unsure:
It seems that KB4052623 may update different versions (mine was 4.18.2001.10). My current version is also 4.18.2004.6, but was done via normal WD signature updates (21.04.2020) and not by Windows Updates.
 
Last edited:
  • Like
Reactions: Protomartyr, ForgottenSeer 85179, toto_10 and 1 other person
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Andy Ful said:
Strange, I have got this Windows Update KB4052623 in February (27.02.2020).:unsure:
It seems that KB4052623 may update different versions (mine was 4.18.2001.10). My current version is also 4.18.2004.6, but was done via normal WD signature updates (21.04.2020) and not by Windows Updates.
Click to expand...
I noticed this too. Same KB version for both updates. My one was downloaded by signature update too.
One thing that I noticed is that, since the 4.18.2001.10 came out, after installing a new Windows, it always downloads this update before downloading any newer one's. I guess from now on after this 4.18.2004.6 update, Windows will download this one instead of the older one. This is probably their cumulative product updates for Windows Defender. Anyway, I'm just guessing this because of the same KB version.
 
  • Like
Reactions: Andy Ful and Protomartyr

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,111
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,430
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,230
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top