ConfigureDefender utility for Windows 10/11

[Andy Ful]

Today I tried to launch ConfigureDefender v3.0.0.1 and I get...

...

Only running Windows Defender.

Win10 Home x64 v2004.

I investigated this issue a little on the AutoIt forum. The problem can be related to upgrading from Windows 8 or 8.1 to Windows 10 and still preserving the possibility to downgrade. In this situation, the AutoIt function recognizes that the system is not fully Windows 10. That is good for ConfigureDefender, because there could be a problem when the user did apply the advanced settings and next downgraded to Windows 8 or 8.1 (preserving the WD setup). These settings can be configured only by PowerShell ver. 5.0+ which is not present in Windows 8 and 8.1.
So the current behavior of ConfigureDefender is in fact the safest for the user.
I will add the info about it in the ConfigureDefender manual.

 

[codswollip]

The problem can be related to upgrading from Windows 8 or 8.1 to Windows 10 and still preserving the possibility to downgrade.

While this may be... it doesn't explain my experience, as I have no means to revert to Win 8/8.1 short of bare metal.

 

[Andy Ful]

While this may be... it doesn't explain my experience, as I have no means to revert to Win 8/8.1 short of bare metal.

Did you remove the files related to the previous version? You can use the Windows built-in cleanup:

1. Open Settings
2. Select System > Storage > This PC and then scroll down the list and choose Temporary files.
3. Under Remove temporary files, select the Previous version of Windows check box and then choose Remove files.

Another thing. Did you run ConfigureDefender in compatibility mode? This can also happen when running via custom file Explorer. If so, then the AutoIt function will see the Windows version used for compatibility (not Windows 10).

 

[codswollip]

Did you remove the files related to the previous version? You can use the Windows built-in cleanup:

When I upgraded to Win10 I used repair install. Since then I've regularly used "Disk Cleanup" in admin mode.

Presently...

So it seems there is something else triggering the Win10 warning (nothing runs in compatibility mode, AFAIK).

 

[Andy Ful]

When I upgraded to Win10 I used repair install. Since then I've regularly used "Disk Cleanup" in admin mode.

Presently...

So it seems there is something else triggering the Win10 warning (nothing runs in compatibility mode, AFAIK).

Yes, it is strange.
I created the Windows version checker which uses the same AutoIt function as ConfigureDefender. Could you use it to check what version can see ConfigureDefender on your computer?
ConfigureDefender/CheckVersion.zip at master · AndyFul/ConfigureDefender (github.com)

There are two executables in the ZIP archive. The CheckVersion64.exe is for 64-bit Windows.
Thank you.

 

[codswollip]

Could you use it to check what version can see ConfigureDefender on your computer?

 

[Andy Ful]

So, this time ConfigureDefender must work well. Please use the latest version from June 2020:
Download (github.com)

 

[JB007]

Thanks. It is obsolete after the renovation of the H_C website this year. I will ask MT staff to allow corrections.

Thanks @Andy Ful for your great tool

 

[Andy Ful]

I posted a short false positives test of ConfigureDefender MAX settings (without Controlled Folder Access) as compared to Norton LifeLock (default settings):
User Feedback - Microsoft Defender 6/12/2020 Review | MalwareTips Community

Conclusion.
It seems that Norton LifeLock (default settings) and WD (ConfigureDefender MAX settings) use a similar protection method that includes file reputation of PE files. It is very strong but can give more false positives for fresh files. The false positives rate is similar to Norton and WD (ConfigureDefender MAX settings). In most cases, the WD blocks are released after two days.

 

[Arequire]

@Andy Ful
How does Defender's Cloud Protection Level set to Block and the "prevelence, age or trusted list" ASR rule differ in terms of protection?
Does one invalidate the other or do they provide different functionality?

 

[oldschool]

@Andy Ful
How does Defender's Cloud Protection Level set to Block and the "prevelence, age or trusted list" ASR rule differ in terms of protection?
Does one invalidate the other or do they provide different functionality?

I don't know if my limited understanding helps:

ASR rule = blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: executable files (such as .exe, .dll, or .scr) using M$ criteria, which isn't otherwise specifically defined in supporting docs. "This rule uses cloud-delivered protection to update its trusted list regularly."

Block setting = Zero tolerance: Blocks all unknown executables. Higher number of FPs.

 

[Andy Ful]

@Andy Ful
How does Defender's Cloud Protection Level set to Block and the "prevelence, age or trusted list" ASR rule differ in terms of protection?
Does one invalidate the other or do they provide different functionality?

They provide different protection.
The first works to detect both fresh and older malware. It uses behavior-based detections. It is the primary protection. The Block Level can slightly increase the number of false positives.
The second is a kind of file reputation for the fresh files. The reputation is based on the file prevalence, age, and some unknown trust criteria managed by Microsoft. It is very strong against PE malware (EXE, SCR, etc.) and can produce some false positives (when an application uses auto-update) for about 2 days - after this time almost all clean applications are allowed.

 

[Andy Ful]

It seems that people still can have a problem with the ASR prevalence rule:

Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Appears Spybot Anti-Beacon is the culprit:...

www.wilderssecurity.com

The solution described by @Nightwalker is not optimal:

Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Appears Spybot Anti-Beacon is the culprit:...

www.wilderssecurity.com

I would like to recall the easy procedure to bypass this rule if it is necessary:

1. Run ConfigureDefender and temporarily set the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" to Audit (do not choose Disabled).
2. Run the blocked application. If it is an installer then run the installer and next run the installed application.
3. Set the ASR rule to ON. WD will automatically remember that the application has to be allowed locally, so it will not be blocked again by this ASR rule on this particular computer.

A similar thing cannot be done by disabling the ASR rule, because after enabling this rule the file will be blocked again. When disabling the rule the application executable has to be additionally excluded by using <Manage ASR Exclusions> in ConfigureDefender and Windows has to be also restarted (changing ON<--->Audit does not require restarting). This procedure is more complicated than the procedure described in points 1-3.

 

[codswollip]

Can Configure Defender protect against the Win disk corruption bug?

 

[Nagisa]

Can Configure Defender protect against the Win disk corruption bug?

Another interesting question is, is it somehow related to the Avast is currently blocking youtube.com?

Avast Community

forum.avast.com

 

[Andy Ful]

This vulnerability is not related to advanced WD settings that can be enabled by ConfigureDefender. It is also improbable that it could be used in widespread attacks, because it cannot give the attacker any profit. Anyway it seems that it can be used for some time to abuse websites for fun.
This NTFS driver vulnerability is related to a specific command line with the $I30 attribute or shortcut's faulty icon path. On reboot, the Windows check disk utility can probably repair the error (as it follows from the BleepingComputer article), but I did not test it. In Enterprises, this vulnerability can be used to force Windows restart which can be some advantage to the attacker (especially when attacking the servers).

Edit.
As an author explains the exploit can be delivered via HTML webpage, so it will be probably blocked soon by the AV web protection modules.

 

[Nagisa]

Is there any way to reset protection history for attack surface reduction rules? I deleted files under history folder but all detections related to ASR remained on the GUI. It crashes often because of that.

 

[Andy Ful]

Is there any way to reset protection history for attack surface reduction rules? I deleted files under history folder but all detections related to ASR remained on the GUI. It crashes often because of that.

Do you mean the Windows Defender GUI? If so, then it is possible after disabling WD service:
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-837954
The bug with crashing WD history is not related to displaying ASR entries. It can often cause crashes when there are too many history entries.

 

[Gandalf_The_Grey]

@Andy Ful In the attack on IOBIT users exception were added to Microsoft Defender:

Emsisoft analyst Elise van Dorp, who also analyzed the ransomware, stated the ransomware adds the following Windows Defender exclusions to allow the DLL to run.

@WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"
@WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"\Temp\\"
@WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionExtension=\".dll\"
@WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionProcess=\"rundll32.exe\"

IObit forums hacked to spread ransomware to its members

Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.

www.bleepingcomputer.com

Can we protect ourselves from this by the use of any of your tools?

 

[silversurfer]

I believe in such cases it's already "game over", just said in general, user downloading any malicious installer from homepage XY, then installing this abused "software" with admin-rights... of course, AVs may be monitoring suspicious file behavior but it's probably too late to intercept all malicious activities...