ConfigureDefender utility for Windows 10/11

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
I am getting apparently harmless blocks of CD by ASR rule "Block executables unless they ..."

View attachment 238721

... but I also got a separate, one-time system notification that NSIS was blocked or failed to install.
I found out what was the issue. As I suspected it was related to WD whitelisting signatures. The portable CD is a simple NSIS installer which contains 3 files (2 signed executables: for Windows 64-bit and 32-bit + unsigned uninstaller). I send first the signed executables for whitelisting and after a day I noticed that uninstaller also has to be whitelisted. At the time you ran the application, WD did not have the whitelisting signatures for the uninstaller. So, when you ran the portable ConfigureDefender everything was OK, until you closed it. The uninstaller was blocked by ASR due to low prevalence, so you have two signed executables somewhere in "C:\Windows\Temp" folder - they were not cleaned by the uninstaller.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Yesterday I did an old relatives tour and cooked them an old fashioned Dutch meal(boiled asperagus with butter sauce, ham and eggs - remember I was part time cook to pay for my study). As posted earlier, I have 8 older relatives on H_C running with my dangerous file type restrictions profile (comparable with H_C recommended basic) and Windows Defender on MAX.

So really wondering why/what is the caution in using the MAX setting, because people running plain Windows with free or microsoft office, don't install programs, so the MAX setting works extremely well.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
...
So really wondering why/what is the caution in using the MAX setting, because people running plain Windows with free or microsoft office, don't install programs, so the MAX setting works extremely well.
Yes. That is true. Although, some of ASR rules in MAX settings can cause issues. For example, the factory firmware on some laptops uses WMI. Also, when the firmware wants to update, this can be prevented for some days by ASR due to the low prevalence.
Anyway, if one has a typical desktop computer with a simple setup based on Microsoft programs and Microsoft Store apps, then CD MAX settings can be highly recommended.
It can be also used with very popular software, because the application updates will not be prevented for more than one or two days. Of course, for non-casual users, there is no need to hide the Security Center, so the last ConfigureDefender option should be set to Visible.
 
Last edited:

Paul.R

Level 17
Verified
Well-known
May 16, 2013
844
Manage Windows Defender with ConfigureDefender
The author released several updates for the program since then. ConfigureDefender 3.0.0.0 is the latest major release and reason enough to take another look at the program to see how it evolved.

configure defender 3


You can download the latest version of ConfigureDefender from the project's GitHub repository. Note that you find the latest executable in the file listing and not under releases. You can run the program right after you have downloaded as it does not need to be installed. Note that you need to run it with elevated rights. If you ran the program before you may notice that the executable file is digitally signed.

The interface has not changed all that much but there are some meaningful changes. First, you find protection levels (presets) at the top that you may activate with a click. That's handy if you want to reset all protections to the default of Windows or switch to high or maximum security instead. The program does not reveal what high and maximum change, but you find the information in the help file on GitHub.

High
Enhanced configuration which enables Network Protection and most of Exploit Guard (ASR) features. Three Exploit Guard features and Controlled Folder Access ransomware protection are disabled to avoid false positives. This is the recommended configuration which is appropriate for most users and provides significantly increased security.
Max
This is the most secure protection level which enables all advanced Windows Defender features and hides Windows Security Center. Configuration changes can be made only with the ConfigureDefender user interface. The "Max" settings are intended to protect children and casual users but can also be used (with some modifications) to maximize the protection. This protection level usually generates more false positives compared to the "High" settings may require more user knowledge or skill.
All settings can be customized from within the interface. It is easy enough to turn features such as Behavior Monitoring, PUA Protection or Controlled Folder Access on or off using the program. Values of some settings can be modified, e.g. to change the cloud check time limit or average CPU load while scanning.

Another new feature of recent versions of ConfigureDefender is a new button that loads the Defender Security log.


source: 1. Windows Defender configuration tool ConfigureDefender 3.0.0.0 released - gHacks Tech News
2. AndyFul/ConfigureDefender
 

Pat MacKnife

Level 16
Verified
Top Poster
Well-known
Jul 14, 2015
782
Hi,
We already have a topic with Configure defender .... see :

 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
I onced configured Defender and got this...

View attachment 239334
You probably used one of the old CD versions, which was first whitelisted by Microsoft, and after 4 months flagged as malicious, after changing the malware criteria by Microsoft. The reason for this was an option that allowed the user to disable real-time protection. This story is well documented on the ConfigureDefender thread.(y)

Here is my ironic comment to this detection:
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-767631
 
Last edited:

Marko :)

Level 24
Verified
Top Poster
Well-known
Aug 12, 2015
1,315
You probably used one of the old CD versions, which was first whitelisted by Microsoft, and after 4 months flagged as malicious, after changing the malware criteria by Microsoft. The reason for this was an option that allowed the user to disable real-time protection. This story is well documented on the ConfigureDefender thread.(y)

Here is my ironic comment to this detection:
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-767631
At that time, I downloaded the latest version from GitHub. But, the interesting part; alert was shown few days after changing settings. When detection occured, I didn't even have ConfigureDefender on my PC. :D
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
I onced configured Defender and got this...

View attachment 239334
At that time, I downloaded the latest version from GitHub. But, the interesting part; alert was shown few days after changing settings. When detection occured, I didn't even have ConfigureDefender on my PC. :D

Yeah. This alert is not related to ConfigureDefender application, but to the concrete setting in the registry. It seems that you somehow changed the WD settings (probably by ConfigureDefender) which were later reverted by WD Tamper Protection. :)

"With tamper protection, malicious apps are prevented from taking actions like these:
  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Disabling cloud-delivered protection
  • Removing security intelligence updates"

The red entries are available in ConfigureDefender, but will be prevented if Tamper Protection is ON.
 

S M G

Level 2
Feb 18, 2020
58
Did anyone notice high ping when Network Protection is enabled (HIGH settings)? I ran a speed test in Firefox and the first test I got normal ping (~7ms):

1.png

I ran several speeds tests immediately afterwards and I got really high ping with slightly lower up/down speeds:

2.png


I had to wait for 1-2 min for ping to go down to normal. I didn't run into this issue with Edge though. I'm not sure if it's WD or Firefox issue. I disabled Network Protection for now.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
Did anyone notice high ping when Network Protection is enabled (HIGH settings)? I ran a speed test in Firefox and the first test I got normal ping (~7ms):

View attachment 239348
I ran several speeds tests immediately afterwards and I got really high ping with slightly lower up/down speeds:

View attachment 239349

I had to wait for 1-2 min for ping to go down to normal. I didn't run into this issue with Edge though. I'm not sure if it's WD or Firefox issue. I disabled Network Protection for now.
This will require testing by others. But, WD Network Protection is by design independent of the application which connects to the Internet. It will work for web browsers, Internet Downloaders, script engines, etc. So, this issue (if it will be confirmed on other machines) would be probably related to the web browser or to the way it interacts with WD Network Protection. Anyway, I would not be surprised if protecting the network could slow down the connection a little.
 

S M G

Level 2
Feb 18, 2020
58
This will require testing by others. But, WD Network Protection is by design independent of the application which connects to the Internet. It will work for web browsers, Internet Downloaders, script engines, etc. So, this issue (if it will be confirmed on other machines) would be probably related to the web browser or to the way it interacts with WD Network Protection. Anyway, I would not be surprised if protecting the network could slow down the connection a little.
Thanks Andy. Is there a way to allow single app to bypass WD Network Protection?
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,706
Here's a nice overview of ASR functionality and the principles behind them.

 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
Here's a nice overview of ASR functionality and the principles behind them.

Yes I read them all. Unfortunately, I knew all of it already from Microsoft documentation.:(
 

bayasdev

Level 19
Verified
Top Poster
Well-known
Sep 10, 2015
901
Did anyone notice high ping when Network Protection is enabled (HIGH settings)? I ran a speed test in Firefox and the first test I got normal ping (~7ms):

View attachment 239348
I ran several speeds tests immediately afterwards and I got really high ping with slightly lower up/down speeds:

View attachment 239349

I had to wait for 1-2 min for ping to go down to normal. I didn't run into this issue with Edge though. I'm not sure if it's WD or Firefox issue. I disabled Network Protection for now.
When I used WD, Network Protection made the dslreports bufferbloat test show absurdly high latency spikes
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,874
Andy or anyone have any idea about this? This happens almost every 2 days for some reason and I'm getting sick of it. WD won't update and this is what I find in the log always. To fix this I have to manually download the update from their website. I had to do it yesterday also but now 24 hours later no updates and yet again this is what I found in the log. Manually clicking check for update doesn't fix it either. My internet is fine btw.
1.PNG
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top