ConfigureDefender utility for Windows 10/11

[oldschool]

This test was not about WD maximum security, because the files were executed without MOTWs (from the local network).

Because Leo still doesn't understand how WD works!

 

[Andy Ful]

Because Leo still doesn't understand how WD works!

He uses a special framework (for all AVs) which is convenient because it allows testing quickly many malicious samples from the local network. Anyway, such a testing framework has some downsides because a lot of the samples are run on the same Windows session.
Leo's testing is not a Real-World type where WD security is strongest due to BAFS.

 

[oldschool]

He uses a special framework (for all AVs) which is convenient because it allows testing quickly many malicious samples from the local network. Anyway, such a testing framework has some downsides because a lot of the samples are run on the same Windows session

I understand both things. The point is that his WD tests have demonstrated either his ignorance or his true motives.

 

[Andy Ful]

I understand both things. The point is that his WD tests have demonstrated either his ignorance or his true motives.

He is not a WD expert and he obviously does not share a good opinion about WD. I do not think that he wants intentionally bash WD, because this particular test would contradict such intentions. A few of his tests I saw could rather suggest that he really believed that WD is not as good as most of popular commercial AVs. This can partially follow from his tests and his testing framework. It can be also true that he slowly changes his mind.
Anyway, I think that WD on default settings can score slightly worse in Malware Protection tests due to the lack of BAFS protection. This can be recompensated by using ConfigureDefender High Protection Level. But, it can be also true that the difference could be hardly visible for the home users.

 

[oldschool]

Anyway, I think that WD on default settings can score slightly worse in Malware Protection tests due to the lack of BAFS protection.

I read somewhere that WD will deploy BAFS "High" setting by default.

Edited previous version of this post.

 

[oldschool]

I edited above post with my intended meaning.

 

[Andy Ful]

I should be more precise. The lack of BAFS (Block At First Sight) follows from Leo's testing procedure. The samples are not downloaded from the Internet, so they do not have Mark Of The Web (MOTW). The BAFS feature is triggered in WD only when the executable with MOTW is executed (Internet connection is required too).
There is one feature related to default BAFS which is absent in WD on Windows Home and Pro, e.g. the analysis in the sandbox. We will see if this feature will be available in the future.

 

[codswollip]

Today I tried to launch ConfigureDefender v3.0.0.1 and I get...

I then tried to launch SimpleWindowsHardening v1.0.0.2 and got the same notice, however the second time I launched SWH it wanted to reboot my PC. After doing that SWH loaded... but still no CD launch.

Coincidentally, 30 minutes earlier I attempted to launch a .bat file and it was blocked, so presumably SWH was active, even though I could not launch SWH.

Only running Windows Defender.

Win10 Home x64 v2004.

 

[Andy Ful]

Today I tried to launch ConfigureDefender v3.0.0.1 and I get...

I then tried to launch SimpleWindowsHardening v1.0.0.2 and got the same notice, however the second time I launched SWH it wanted to reboot my PC. After doing that SWH loaded... but still no CD launch.

Coincidentally, 30 minutes earlier I attempted to launch a .bat file and it was blocked, so presumably SWH was active, even though I could not launch it.

Only running Windows Defender.

Win10 Home x64 v2004.

Did you make an upgrade from Windows 7 or 8.1 recently?
What is the value of the Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
CurrentBuildNumber

Post edited

 

[codswollip]

Did you make an upgrade from Windows 7 or 8.1 recently?
What is the value of the Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
CurrentBuildNumber

I've been on Win10 for quite some time...

 

[Andy Ful]

I've been on Win10 for quite some time...

The values are OK. No idea what is the source of your issue. The application gets the wrong info about your Windows version. I wonder if someone else has a similar problem with Windows 10?
SWH works on Windows 8+. I put the message that Windows 10 is needed (for now) because SWH is a good companion to WD only on Windows 10. On Windows 8 or 8.1, WD has got weaker protection for EXE files and these files are allowed in SWH.

 

[codswollip]

No idea what is the source of your issue.

This issue has occurred in the past with both apps. For now, I'll step away from these tools, as I worry that one day I may be locked out from reversing custom entries and changes outside Windows defaults. Thanks for your help. Best going forward.

 

[Andy Ful]

This issue has occurred in the past with both apps. For now, I'll step away from these tools, as I worry that one day I may be locked out from reversing custom entries and changes outside Windows defaults. Thanks for your help. Best going forward.

Thanks for reporting - it is an interesting issue. Fortunately, the scenario when one could not run Configuredefender or SWH after making configuration never happened. Anyway, it would be a good idea to release the PowerShell script which can apply default WD settings (just in case).
Of course, this will not solve your potential problems with other applications.

 

[SeriousHoax]

Sharing one Windows Defender related problem here that I had today.
So today I enabled Controlled folder access on WD and few minutes later opened Epic Games Launcher to play Red Dead Redemption 2. Launcher.exe of Rockstar launcher was blocked by CFA so whitelisted that and restarted the launcher again. The game ran without anymore blocking from CFA but after opening I was getting an in game error, cannot connect to Rockstar, error 1014. Then restarted my system and ran the game again. Same error. Searched online and found many people facing similar issue on GTA V and Red Dead 2. One of the suggestion available on Reddit is to turn off real time protection of WD which seems to have worked for everyone on that thread.
Next, I didn't turn off Real time protection but turned off CFA, ran the game and it ran fine without any problem. I don't know what CFA is doing to prevent the game from connecting to server. There was no blocking notification, no log in Configure Defender, Firewall hardening. Really weird. Whether it's an issue from Microsoft's side or Rockstar's, I got no clue.
Sharing it here in case someone face this or other similar weird error with CFA turned on.

 

[Andy Ful]

Sharing one Windows Defender related problem here that I had today.
So today I enabled Controlled folder access on WD and few minutes later opened Epic Games Launcher to play Red Dead Redemption 2. Launcher.exe of Rockstar launcher was blocked by CFA so whitelisted that and restarted the launcher again. The game ran without anymore blocking from CFA but after opening I was getting an in game error, cannot connect to Rockstar, error 1014. Then restarted my system and ran the game again. Same error. Searched online and found many people facing similar issue on GTA V and Red Dead 2. One of the suggestion available on Reddit is to turn off real time protection of WD which seems to have worked for everyone on that thread.
Next, I didn't turn off Real time protection but turned off CFA, ran the game and it ran fine without any problem. I don't know what CFA is doing to prevent the game from connecting to server. There was no blocking notification, no log in Configure Defender, Firewall hardening. Really weird. Whether it's an issue from Microsoft's side or Rockstar's, I got no clue.
Sharing it here in case someone face this or other similar weird error with CFA turned on.

The problems were also reported by people on Windows 7 (with several AVs) and these problems were also random, sometimes the game worked and sometimes not (on the same computer with the same settings). Some problems can be greater with CFA because it protects not only the folders but also some system protected disk areas.

Edit.
There are some solutions proposed , for example:

Red Dead Redemption 2: How To Fix Constant Crashes On PC | Tweaks Guide - Gameranx

If you're crashing out of RDR2 on PC, try these quick community fixes.

gameranx.com

And thank @SeriousHoax also disabling CFA can help.

 

[Digmor Crusher]

Wisevector Stop-X is an interesting nomination. It is not invasive to the system, so its compatibility with the system is probably close to WD. It is very light and the detection is better than any other free AV on default settings. It does not have Internet Protection, so should be used with Edge browser or another web browser with good extensions (anti-phishing, Ad-blocker).
I think that stronger protection can be realized only with highly tweaked Comodo or WD (MAX settings).
It does not have Banking & Payments Protection (feature mentioned in OP), but I do not know any free AV that has such a feature. Wisevector Stop-X does not have Network Protection, but most free AVs do not have such a feature too - these free AVs that have it, do not have Botnet protection anyway.
One con that can be important for average users is too big false positives rate (similar to highly tweaked Comodo or WD on MAX settings).

Quick question if you choose to answer. What would provide better protection, Configure Defender on High with Simple Windows Hardening or Configure Defender on High with Wise Vector? Thanks.

 

[Andy Ful]

Quick question if you choose to answer. What would provide better protection, Configure Defender on High with Simple Windows Hardening or Configure Defender on High with Wise Vector? Thanks.

The first applies stronger prevention against scripting and fileless malware that are the most prevalent malware in the wild. Wise Vector has very aggressive detection (many false positives), so it is probable that it can detect slightly more 0-day EXE malware as compared to WD HIGH preset.
I think, that it would be hard to see any difference in practice.

Edit1.
Most of the EXE payloads start in the real-world scenario from phishing or scripting/fileless malware. So in theory, the first setup should be slightly stronger, because both solutions have WD Network Protection, but the first has stronger scripting/fileless prevention.

Edit2.
The problem with Wise Vector is that when getting more popularity, it will be probably less aggressive to decrease the false positive rate. But, this will also decrease its detection to the level of WD.

 

[Digmor Crusher]

Interesting, thank you.

 

[JB007]

ConfigureDefender utility for Windows 10.

Developer website:

GitHub - AndyFul/ConfigureDefender: Utility for configuring Windows 10 built-in Defender antivirus settings.

Utility for configuring Windows 10 built-in Defender antivirus settings. - AndyFul/ConfigureDefender

github.com

The dedicated ConfigureDefender webpage on Hard_Configurator website (thanks to @askalan):

Hard_Configurator — ConfigureDefender

ConfigureDefender utility is a GUI application to view and configure important Defender settings on Windows 10. It mostly uses PowerShell cmdlets (with a few exceptions). Furthermore, the user can apply one of three predefined settings: default, high, and child protection. Some settings require restarting the computer.
The child protection is mostly set to block anything suspicious via Attack Surface Reduction, Controlled Folder Access, SmartScreen (set to block), and 0-tolerance cloud level - also Defender Security Center is hidden.
ConfigureDefender utility is a part of the Hard_Configurator project, but it can be used as a standalone application.
.
Some important remarks on the possible ways used to configure Defender (for advanced users).
.
Windows Defender settings are stored in the Windows Registry and most of them are not available from Windows Defender Security Center. They can be managed via:
a) Group Policy Management Console (gpedit.msc, not available in Windows Home edition),
b) Direct Registry editing (manual, *.reg files, scripts).
c) PowerShell cmdlets (set-mppreference, add-mppreference, remove-mppreference, only Windows 8.1+).
.
Normally, Windows Defender stores most settings under the key (owned by SYSTEM):
HKLM\SOFTWARE\Microsoft\Windows Defender
They can be changed when using Defender Security Center or PowerShell cmdlets.
.
Administrators can use Group Policy Management Console to override those settings. Group Policy settings are stored under another key (owned by ADMINISTRATORS):
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
Group Policy settings do not delete the normal Defender settings.
.
Direct Registry editing is usually made, under the second key (the first requires System Rights).
Applying Defender settings by Direct Registry editing under the key:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
is not recommended, on Windows editions which support Group Policy Management Console (for example PRO and Enterprise editions), because of some cons:
a) Those settings are not recognized by the Group Policy Management Console.
b) They can temporarily overwrite the Group Policy Management Console setup in the Registry, because they share the same Registry keys. Those changes are not permanent, because Group Policy configuration is not overwritten.
c) After some hours, those settings are automatically and silently back-overwritten by the Group Policy Refresh feature.
d) Those settings cannot be changed via the Defender Security Center (or PowerShell cmdlets), even if they are visible there (like folders and applications related to Controlled Folder Access).
.
In Windows 8.1+ Home edition, one can configure Defender settings (outside of the Defender Security Center), when using PowerShell cmdlets or via the manual Registry editing.
This may confuse some users, so ConfigureDefender utility can remove the settings made via Direct Registry editing under the key: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender .
That is required because those settings would override ConfigureDefender settings.
.
ConfigureDefender utility may be used also on Windows 10 Professional and Enterprise editions, if Administrator did not apply Defender policies via Group Policy Management Console. Normally all those policies are set to 'Not configured'. So, if Administrator applied Defender policies, then they must be set first to 'Not configured' before using ConfigureDefender.
.
Those settings can be found in the Group Policy Management Console:
Computer configuration >> Policies >> Administrative templates >> Windows components >> Windows Defender Antivirus.
The tabs: MAPS, MpEngine, Real-time Protection, Reporting, Scan, Spynet, and Windows Defender Exploit Guard, should be examined.
.
The below list shows which settings are available in ConfigureDefender for different Windows versions:
.
At least Windows 10:
Real-time Monitoring, Behavior Monitoring, Scan all downloaded files and attachments, Reporting Level (MAPS membership level), Average CPU Load while scanning, Automatic Sample Submission, PUA Protection, Cloud Protection Level (Default), Cloud Check Time Limit.

At least Windows 10, version 1607 (Anniversary Update):
Block At First Seen.

At least Windows 10, version 1703 (Anniversary Update):
Cloud Protection Level (High level for Windows Pro and Enterprise), Cloud Check Time Limit (Extended to 60s).

At least Windows 10, version 1709 (Creators Fall Update):
Attack Surface Reduction, Cloud Protection Level (extended Levels for Windows Pro and Enterprise), Controlled Folder Access, Network Protection.

Edit
Post edited - new link to ConfigureDefender added.

Hello @Andy Ful
This link https://hard-configurator.com/configuredefender.html is obsolete

 

[Andy Ful]

Hello @Andy Ful
This link https://hard-configurator.com/configuredefender.html is obsolete
View attachment 249605

Thanks. It is obsolete after the renovation of the H_C website this year. I will ask MT staff to allow corrections.