ConfigureDefender utility for Windows 10/11

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,481
For some reason, when I chose "Remove" or "Quarantine" for some of the files/threats detected... nothing is done. Only when I chose "Allow on device" then the entry will be removed or else it just stays there. Did I miss out on some settings? I'm using SUA with ConfigureDefender @ High
Sometimes the files are locked and are removed by WD after reboot.
 

Andy Ful

Guys, I need some help/feedback to clarify the usability of ConfigureDefender MAX settings, especially the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" (this rule is disabled in HIGH settings).

From my quick tests, it follows that when running fresh (less than 24 hours old) application installers/updaters from Softpedia, almost all digitally signed files are not blocked at all by this ASR rule. For now, I found only one blocked example (blocked for 2 days), which was the ZHPDiag application, similar to Farbar Recovery Scan Tool (FRST is not signed and was also blocked for 2 days).

So, please post here if anybody had problems with blocking the installation/update of any application especially digitally signed.🙏:)
 

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
So, please post here if anybody had problems with blocking the installation/update of any application especially digitally signed.🙏:)
When I enabled that rule some months ago I would have to manually update Brave Nightly. I enabled it again a couple of weeks ago and Brave Nightly has updated fine since then.
 

Andy Ful

I'm using Configure Defender, Simple Hardening, and Firewall Hardening... I guess with those all involved, I should just switch to Hard Configurator... yes?
I do not think so, except if you want to apply more restrictive settings. You probably do not need to change anything.(y)
 

ForgottenSeer 85179

Today I found the first problems.
As a backup program I use Personal-Backup.
The problem is that this program isn't digitally signed. Before the ASR rule I allowed unsigned files temporarily, but this isn't possible as the ASR rule blocks the SmartScreen check:
SmartScreen.png

Also the rule blocks adding the program exe to the H_C whitelist:
Whitelist.png

The error logs are:
Microsoft Defender Exploit Guard hat einen Vorgang blockiert, der vom IT-Administrator nicht zugelassen wurde.
Weitere Informationen erhalten Sie von Ihrem IT-Administrator.
ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
Erkennungszeit: 2020-09-17T10:06:55.499Z
Benutzer: XXX
Pfad: D:\XXX\Downloads\XXX\pb-setup-x64-6.1.0801.exe
Prozessname: C:\Windows\explorer.exe
Version der Sicherheitsinformationen: 1.323.1332.0
Modulversion: 1.1.17400.5
Produktversion: 4.18.2008.9

Microsoft Defender Exploit Guard hat einen Vorgang blockiert, der vom IT-Administrator nicht zugelassen wurde.
Weitere Informationen erhalten Sie von Ihrem IT-Administrator.
ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
Erkennungszeit: 2020-09-17T10:06:55.849Z
Benutzer: XXX
Pfad: D:\XXX\Downloads\XXX\pb-setup-x64-6.1.0801.exe
Prozessname: C:\Windows\Hard_Configurator\Hard_Configurator(x64).exe
Version der Sicherheitsinformationen: 1.323.1332.0
Modulversion: 1.1.17400.5
Produktversion: 4.18.2008.9

Microsoft Defender Exploit Guard hat einen Vorgang blockiert, der vom IT-Administrator nicht zugelassen wurde.
Weitere Informationen erhalten Sie von Ihrem IT-Administrator.
ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
Erkennungszeit: 2020-09-17T10:06:24.728Z
Benutzer: XXX
Pfad: D:\XXX\Downloads\XXX\pb-setup-x64-6.1.0801.exe
Prozessname: C:\Windows\Hard_Configurator\InstallBySmartScreen(x64).exe
Version der Sicherheitsinformationen: 1.323.1332.0
Modulversion: 1.1.17400.5
Produktversion: 4.18.2008.9
 

Andy Ful

Thanks for reporting. :)
WD blocks access to the installer so "Install By SmartScreen" cannot work. You also cannot copy the file to another location. Adding the ASR exclusions for blocked installers will not solve the problem because the next installer will be blocked, too. Whitelisting in H_C cannot help, because this block is not related to SRP.
As I noted in one of my previous posts, the simple solution is to set the prevalence ASR rule to Audit, run the installer to update (reboot or Log off not necessary), and finally run the updated application. Next, you can set this ASR rule to ON again. WD will remember that it should not be blocked.

Edit.
The file pb-setup-x64-6.1.0801 is now allowed by ASR on my computer.
It was pushed to Softpedia 15.09.2020, so the block has lasted 2 days.
 
Last edited:
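
The Audit, install, run, restore sequence from the post above, as an added PowerShell example that is not part of the original post or of ConfigureDefender. The rule ID is the one in the Exploit Guard log entries quoted in this thread; the `-Installer` and `-UpdatedApp` parameters and the `Get-AsrRuleAction` helper are hypothetical names, and event IDs 1121/1122 are Defender's ASR block and audit events.

```powershell
# Added example; not part of ConfigureDefender or Hard_Configurator.
# Run from an elevated PowerShell prompt. Both parameters are placeholders.
param(
    [Parameter(Mandatory)] [string] $Installer,   # blocked installer/updater
    [string] $UpdatedApp                          # optional: updated program to run once
)

# Rule ID as shown in the Exploit Guard log entries quoted in this thread.
$RuleId      = '01443614-CD74-433A-B99E-2ECDC07BFC25'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleAction([string] $Id) {
    # Get-MpPreference exposes two parallel arrays: rule IDs and their actions.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int] $actions[$i] }
    }
    return 0   # rule not configured: treat as Disabled
}

# Remember the current state so it can be put back exactly as it was.
$previous = $ActionNames[(Get-AsrRuleAction $RuleId)]
if (-not $previous) { $previous = 'Disabled' }
$started = Get-Date

try {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
    Start-Process -FilePath $Installer -Wait
    # The post also runs the updated application before re-enabling the rule.
    if ($UpdatedApp) { Start-Process -FilePath $UpdatedApp -Wait }
}
finally {
    # Restore the earlier state even if the installer fails or is cancelled.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $previous
}

# Show what the rule logged in the audit window (1121 = block, 1122 = audit hit).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $started
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } }
```

The closing event query gives a record of which files the rule would have blocked while it was in Audit, so the window can be reviewed afterwards.
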

Andy Ful

I have received some emails from a guy who wants to rebrand ConfigureDefender. Here is one of the emails:

"Hey Andy,

Thanks for the response! You understand correctly, but I would as well like to rebrand with a different name.

I am personally not a developer and have no preference as to what language is used. Typically, I pass the code to freelance developers who are able to accomplish whatever changes needed. I don't usually reach out directly to the authors but I really enjoy ConfigureDefender and wouldn't want to ruin the elegance of the program with a different author.

Are you taking projects right now and would you like to be paid to work on this together? I have already designed what the new GUI would look like.

It would be great to talk more on either a call or by email. Happy to accommodate your schedule.
"

Here is my answer:
"Hi,
AutoIt has got limited GUI capabilities. So, if you will use another programming language, sufficiently different GUI, and will rebrand the application with a different name and different author, then it should be OK.
I have enough money so I do not need to sell my projects. They are made to improve users' computer safety.

Regards."
 

ForgottenSeer 72227

Sounds like your typical opportunist looking to make money off your work. ;)
 

Andy Ful

Sounds like your typical opportunist looking to make money off your work. ;)
He stated that it will not be a paid application (probably with some Ads). I do not mind if someone will make a better GUI, if it will be a good program.:)
 
Last edited:

ForgottenSeer 72227

He stated that it will not be a paid application (probably with some Ads). I do not mind if someone will make a better GUI, if it will be a good program.:)

That's fair.

Believe me, I'm not here to tell you what you should and shouldn't do hehe, after all it's your program(s).

Personally I truly appreciate all the hard work you put into these programs. You've done a great service to us security geeks and those who want to be able to secure their systems more easily. I'm very much a cautious person and tend to view things like this with some sort of skepticism.

IMHO, while the GUI may not be the prettiest out there, for the most part once someone uses your software to configure their systems, rarely does one have to go back in, unless they want to change something.

Again not here to pressure you one way or another, I just know there's no such thing as free and sometimes people have other motives than what they are telling you.

Keep up the great work! (y)
 

Andy Ful

...
Personally i wouldn't allow that guy release your tools with changes.
I am not sure if I could call ConfigureDefender completely my program. In fact, it is my GUI and some research, but much is done by the well documented PowerShell cmdlets. This will be another application made by another developer.
As you know, I am not the person who would like to spend all my life to work on GUIs. I rather prefer researching the security problems and propose a good solution, than working on a good looking design. Furthermore, I do not like to stop the development of configuring Windows Defender. :)(y)
 
Last edited:

Andy Ful

Thanks @tsunami, I have watched Leo's video about WD with ConfigureDefender MAX Protection Level. Of course, this was not an especially hard test - more demanding tests were already done on Malware Hub. Generally, WD in these settings is hard to beat by EXE malware. Also, many malicious scripts will be detected/blocked (but some not, especially Python, JAR, HTA). I am not sure about the effectiveness on MSI files (rarely tested).



Some comments about the video:
  1. The ASR rules work also on Windows Home.
  2. Most ConfigureDefender settings are not applied via GPO.
  3. This test was not about WD maximum security, because the files were executed without MOTWs (from the local network).
 
