- Aug 3, 2014
- 20
I had the same error before installing KAV. Could it be Simplewall?
ConfigureDefender utility for Windows 10/11
- Thread starter Andy Ful
- Start date
I had the same error before installing KAV. Could it be Simplewall?
- Mar 29, 2018
- 7,595
I'm not familiar with Simplewall and all of its features. Same generally with O&O but some of its settings may be interfering. Have you used Group Policy or some type of OS hardening?
- Aug 3, 2014
- 20
Yeah i used O&O and Debonet before. So wondering how to revert and use ConfigureDefender
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,483
ConfigureDefender is useless when using Kaspersky. ConfigureDefender is for configuring WD real-time protection, which is disabled when using another AV.hi guys, need help here.
I tried to setting "High" instead of "Default". I am running Kaspersky Antivirus and ran some OOshutup and debotnet in the past. Firewall is simplewall
How do i resolve this?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,483
First, you have to find out if PowerShell is blocked/restricted by another security. Could you post the screenshot of all Configuredefender options after you tried applying HIGH preset and pressed the REFRESH button?
I used O&O with nearly every setting ticked and had no problem with Configure Defender "High" or "Max". O&O doesn't restrict powershell afaik.
In O&O under "Actions" is "undo all changes aka factory reset"
In O&O under "Actions" is "undo all changes aka factory reset"
- Aug 3, 2014
- 20
Noted Sir. Let me try without KAV. Thanks for reply.
Yes i can try to reset through O&O. Thanks
I think it would be good if you contact @Vitali Ortzi.
Applications are launching much faster than before so I am happy for now but probably it may not last longer.
Update - Kaspersky stops Kaspersky Free!
- Dec 12, 2016
- 1,319
Good to hear you don't have anymore performance issues.
As essentially SEP full installation can be heavy on some machines whatever it's because of IO/CPU usage (default settings have high amount of impact on both for low end computers) or even ram usage (ram usage can sometimes even have a huge impact on performance because it might cause less prefetch data or worse forcing apps to use HDD instead ).
Usually I recommend to whom have too much performance downgrade to use it as an IPS/ firewall plus a low resource security product as it is very helpful to mitigate attacks in early stages especially with the DeepSight intelligence and the very smart IPS while using very little resources other then the disk space footprint (still slightly lower than full installation).
Anyway to anyone who is looking for rules to added to SEP firewall .
I would recommend to start by putting it into default deny config (if possible )
And playing with built in rules and importing Andy H_C windows firewall rules into SEP.
Last edited:
- Mar 29, 2018
- 7,595
Here is a handy list of powershell commands to configure some extra Defender settings not included (or normally needed) in ConfigureDefender:
www.techtelegraph.co.uk
How to manage Microsoft Defender Antivirus with PowerShell on Windows 10
On Windows 10, Microsoft Defender Antivirus (formerly Windows Defender Antivirus) is part of the Windows Security experience, and it provides a robust real-time protection against unwanted viruses, ransomware, spyware, rootkits, and many other forms of malware and hackers. Although you can...
www.techtelegraph.co.uk
Can this Defender online test be included?:
ValidateMapsConnection
Maybe that can also be used to detect if another security solution is used which break this tool, like some user here already post.
ValidateMapsConnection
Maybe that can also be used to detect if another security solution is used which break this tool, like some user here already post.
- May 29, 2018
- 2,728
Dont want to post other thread since this is false positive, but while running emsisoft emergency kit i got this trojan alert from WD, after clean install
@Andy Ful how i can see wich caused this ?
edit2 : whenever i run emsisoft emergency kit , it will spawn this tmp000000.. file and whenver i exit emsisoft emergency kit it will get removed itself
Since its 0kt i cant upload it to virustotal , so how im supposed to get this false positive reported?
@Andy Ful how i can see wich caused this ?
edit2 : whenever i run emsisoft emergency kit , it will spawn this tmp000000.. file and whenver i exit emsisoft emergency kit it will get removed itself
Since its 0kt i cant upload it to virustotal , so how im supposed to get this false positive reported?
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,483
You can post about this issue to Emsisoft. They should be obliged to inform Microsoft (developer whitelisting request) and then the file will be whitelisted by Microsoft.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,483
I made the test on my machine (Windows 10 64-bit Pro, ver 2004) with ConfigureDefender MAX Protection Level and latest EEK ver. 2020.5.0.10152.
Microsoft Defender :
AntispywareSignatureVersion 1.321.1681.0
AMProductVersion 4.18.2008.4
AMEngineVersion 1.1.17300.4
After the execution, EEK creates the tmp00000000 file, but it is not detected as malicious both on my and your computer. On your computer, a different file is detected as malicious (tmp000028d5).
On ConfigureDefender MAX setup, I have got one alert related to ASR rules (lsass.exe) and one related to CFA (block changes in memory, \Device\Harddisk0\DR0). Both are not important. No false positives from Microsoft Defender engines (antispyware or antimalware).
You can use <Defender Security Log> in ConfigureDefender to see some info about the blocked file tmp000028d5.
Microsoft Defender :
AntispywareSignatureVersion 1.321.1681.0
AMProductVersion 4.18.2008.4
AMEngineVersion 1.1.17300.4
After the execution, EEK creates the tmp00000000 file, but it is not detected as malicious both on my and your computer. On your computer, a different file is detected as malicious (tmp000028d5).
On ConfigureDefender MAX setup, I have got one alert related to ASR rules (lsass.exe) and one related to CFA (block changes in memory, \Device\Harddisk0\DR0). Both are not important. No false positives from Microsoft Defender engines (antispyware or antimalware).
You can use <Defender Security Log> in ConfigureDefender to see some info about the blocked file tmp000028d5.
Last edited:
- May 29, 2018
- 2,728
i asked my friend to test EEK aswell as he has WD too, but he got no alert at all. I sent message to emsisoft about this and clean installed windows as i was doing other stuff meanwhile..seems its all ok now
Cheers
Cheers
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,483
ASR exclusions.
ASR rules are part of WD behavior blocking and work after the suspicious action is taken by running processes. Such protection could be also called advanced HIPS or behavior blocker (on-execution and post-execution blocking). Most ASR rules work locally (no cloud backend), but they have to be updated from time to time.
There is one ASR rule (eg. "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25) which highly depends on the cloud backend.
This rule is a valuable additional protection against malicious executables (EXE, SCR, DLL, etc.), but can produce false positives for not-popular applications. In such a case, WD blocks access to the executable so it cannot be executed, copied, or uploaded. This can be annoying because (rarely) some applications can be blocked for several days. Furthermore, after disabling this ASR rule and installing the application, it will be usually blocked after enabling the rule.
So, what to do?
1. One can disable this rule (like in ConfigureDefender HIGH Protection Level).
2. One can temporarily disable the rule, install (or update) an application, and add the ASR exclusion for the application folder.
When adding the ASR exclusions it is worth remembering that these exclusions will be active for all ASR rules that allow exclusions (3 rules do not allow exclusions). Also, these ASR exclusions will have no impact on WD antimalware exclusions.
It seems, that adding the exclusion for "Program Files" (or "Program Files (x86)") folder does not decrease much the ASR protection, but one should not exclude the Windows system folder.
Excluding the application folders in the UserProfile could be in theory exploited by the attacker, but I did not see it in the wild. So, probably it is better to keep this ASR rule activated with some folder exclusions than not using it at all.
Please, post here about your own experience related to ASR rules and ASR exclusions.
ASR rules are part of WD behavior blocking and work after the suspicious action is taken by running processes. Such protection could be also called advanced HIPS or behavior blocker (on-execution and post-execution blocking). Most ASR rules work locally (no cloud backend), but they have to be updated from time to time.
There is one ASR rule (eg. "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25) which highly depends on the cloud backend.
This rule is a valuable additional protection against malicious executables (EXE, SCR, DLL, etc.), but can produce false positives for not-popular applications. In such a case, WD blocks access to the executable so it cannot be executed, copied, or uploaded. This can be annoying because (rarely) some applications can be blocked for several days. Furthermore, after disabling this ASR rule and installing the application, it will be usually blocked after enabling the rule.
So, what to do?
1. One can disable this rule (like in ConfigureDefender HIGH Protection Level).
2. One can temporarily disable the rule, install (or update) an application, and add the ASR exclusion for the application folder.
When adding the ASR exclusions it is worth remembering that these exclusions will be active for all ASR rules that allow exclusions (3 rules do not allow exclusions). Also, these ASR exclusions will have no impact on WD antimalware exclusions.
It seems, that adding the exclusion for "Program Files" (or "Program Files (x86)") folder does not decrease much the ASR protection, but one should not exclude the Windows system folder.
Excluding the application folders in the UserProfile could be in theory exploited by the attacker, but I did not see it in the wild. So, probably it is better to keep this ASR rule activated with some folder exclusions than not using it at all.
Please, post here about your own experience related to ASR rules and ASR exclusions.
Currently i don't get any problems with recommend HIGH rulesPlease, post here about your own experience related to ASR rules and ASR exclusions.
You might face issues when you're writing custom BAT scripts or python scripts that automate few things.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,483
Normally there should not be issues, except when the scripts try to download and run something or do some other actions similar to fileless malware. Python scripts are not blocked by ASR rules, but Python executable interpreter can be blocked in some scenarios as a child process.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,483
I found a nice picture of the WD local and cloud script protection:
"On endpoints, performance-optimized machine learning models inspect script content and behavior through AMSI. When scripts run and malicious or suspicious behavior is detected, features are extracted from the content, including expert features, features selected by machine learning, and fuzzy hashes. The lightweight client machine learning models make inferences on the content. If the content is classified as suspicious, the feature description is sent to the cloud for full real-time classification. In the cloud, heavier counterpart machine learning models analyze the metadata and uses additional signals like file age, prevalence, and other such information to determine whether the script should be blocked or not.
These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, even after they have started running."
www.microsoft.com
AMSI and ASR rules are a part of the WD behavior blocking protection (local and cloud-based, pre and post-execution) focused on scripting attacks.
"On endpoints, performance-optimized machine learning models inspect script content and behavior through AMSI. When scripts run and malicious or suspicious behavior is detected, features are extracted from the content, including expert features, features selected by machine learning, and fuzzy hashes. The lightweight client machine learning models make inferences on the content. If the content is classified as suspicious, the feature description is sent to the cloud for full real-time classification. In the cloud, heavier counterpart machine learning models analyze the metadata and uses additional signals like file age, prevalence, and other such information to determine whether the script should be blocked or not.
These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, even after they have started running."
Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning | Microsoft Security Blog
Microsoft Defender ATP leverages AMSI’s visibility into scripts and harnesses the power of machine learning to detect and stop post-exploitation activities that largely rely on scripts.
AMSI and ASR rules are a part of the WD behavior blocking protection (local and cloud-based, pre and post-execution) focused on scripting attacks.
@Andy Ful I did find latest WD engine version but changelog isn't detailed Manage Microsoft Defender Antivirus updates and apply baselines - Windows security
Its confusing to understand, if they have fixed WD engine being able to download malware files or not!.
Its confusing to understand, if they have fixed WD engine being able to download malware files or not!.
Similar threads
-
- Sticky
