ConfigureDefender utility for Windows 10/11

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
I believe in such cases it's already "game over", just said in general, user downloading any malicious installer from homepage XY, then installing this abused "software" with admin-rights... of course, AVs may be monitoring suspicious file behavior but it's probably too late to intercept all malicious activities...

Exactly! If a malicious code executes with admin-rights it is already "game over"; self-defense, tamper protection are borderline useless and I really cant understand why people care too much AFTER the system was already breached.

The best way to protect against those kind of threats (and the rest too) is to use the "Rule of 3", just wait 3 days to execute new code in your system after its download, you can apply that to avoid buggy updates in Windows, faulty graphic drivers and so on, you can apply that to almost everything.

3 days is usually more than enough to security vendors, AI algorithms, machine learning, independent security researchers to notice the threat and "solve" it.

Ps: Avoiding snake oil software like IOBIT products are a good start to protect your system.

Ps2: Limiting the number of third party software in your machine is a nice way to limit the attack surface.
 

Nagisa

Level 7
Verified
Jul 19, 2018
342
@Andy Ful In the attack on IOBIT users exception were added to Microsoft Defender:

Can we protect ourselves from this by the use of any of your tools?
WMIC gets blacklisted if you block Script Interpreters from H_C.

1611070353835.png


Two ASR rules related to WMI but I guess they won't prevent such case.

Something I don't know yet, does Cloud submission protect from malicious DLLs? What if the actual malicious code is embedded to something else that doesn't get uploaded to AI/ML Cloud, do we get infected?

Also this.

Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,256
WMIC gets blacklisted if you block Script Interpreters from H_C.

View attachment 253142

Two ASR rules related to WMI but I guess they won't prevent such case.

Something I don't know yet, does Cloud submission protect from malicious DLLs? What if the actual malicious code is embedded to something else that doesn't get uploaded to AI/ML Cloud, do we get infected?

Also this:
"Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments."

All really doesn't matter as users was suckered by abused software-installer, so in this case the "malware" is already on the system just downloaded manually by users, after that the abused software-installer ran with admin-rights, finally: game over

I believe that "Block at first sight" doesn't be able to lookup even for malicious .dll injections, but let's wait for more infos from @Andy Ful
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
The malware was not a standalone installer, but an archive with a portable IObit License Manager program - one DLL was replaced by malicious unsigned DLL. This DLL dropped DeroHE ransomware to C:\Program Files (x86)\IObit\iobit.dll . This malware was also uploaded to VS via Iobit.rar (packed iobit.dll):

1611091876174.png


VirusTotal

So, it was probably detected by WD very quickly. The detection is Program:Win32/Wacapew.C!ml which is (pre-execution) behavior-based detection. The actual signature detection of iobit.dll is Ransom:Win32/Vigorf.A

When this ZIP archive is unpacked with a built-in Windows unpacker, the malicious DLL gets MOTW. So it is checked by WD "Block AT First Sight" after being unpacked. This will prevent the infection of all WD users except maybe the first victim (WD user). Of course, the malicious DLL could be possibly detected by WD behavior-based ML in the cloud, especially with ConfigureDefender HIGH preset.

The malware could be also mitigated by several WD advanced settings. For example, adding exclusions to Windows Defender could be prevented in this particular malware example by the ASR rule "Block process creations originating from PSExec and WMI commands" "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" which is present in ConfigureDefender MAX preset.

Anyway, the delivery method is so convincing (trusted IOBIT forum) that in most cases the users simply turn off the protection and install the malware. So, the problem here is not the AV protection but human imperfection.

A good solution for such threats was already presented on MT:
Q&A - Windows Defender Delay Protection. | MalwareTips Community

Edit1.

The malware uses rundll32.exe to run iobit.dll and this behavior is blocked by the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".

Edit2.

From the posts made by malware victims, it follows that it could bypass the protection of most AVs (including WD and Kaspersky). But, from the picture above it also follows that these two AVs detected the malware very quickly after the attack.
The users who use 7-Zip or a similar unpacker that does not preserve MOTW, could not be protected very quickly by Windows Defender (default settings) because the Block At First Sight feature was not triggered for the malicious DLL in the IObit License Manager package.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I think that Microsoft should introduce an option similar to Tamper Protection which could lock the Defender's settings against Administrative changes. With such an option enabled, any configuration change would have to be done only manually via Microsoft Security Center.
In Enterprises, the administrators have Intune (or similar paid software) which can alert about Defender's configuration changes. But, Microsoft Defender free does not have anything like that. The user normally is not alerted about most changes and cannot see most of the Defender settings (including file extension exclusions). Of course, they can be seen by using PowerShell, WMI, or when looking into Windows Registry.
For example PowerShell commands:
(get-mppreference).ExclusionExtension
(get-mppreference).ExclusionPath
(get-mppreference).ExclusionIpAddress
(get-mppreference).ExclusionProcess
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
I think that Microsoft should introduce an option similar to Tamper Protection which could lock the Defender's settings against Administrative changes. With such an option enabled, any configuration change would have to be done only manually via Microsoft Security Center.
In Enterprises, the administrators have Intune (or similar paid software) which can alert about Defender's configuration changes. But, Microsoft Defender free does not have anything like that. The user normally is not awhenlerted about most changes and cannot see most of the Defender settings (including file extension exclusions). Of course, they can be seen by using PowerShell, WMI, or when looking into Windows Registry.
For example PowerShell commands:
(get-mppreference).ExclusionExtension
(get-mppreference).ExclusionPath
(get-mppreference).ExclusionIpAddress
(get-mppreference).ExclusionProcess
Wasn't the solution to this for it to run in it's own sandbox? I'm thinking of re-enabling this. Surely then no software can do anything to it.

Windows Defender Antivirus can now run in a sandbox - Microsoft Security

It was quite straight forward though used a little more ram it didn't really slow things down. /shrug

EDIT: to enable it, just run CMD with admin rights and input:

setx /M MP_FORCE_USE_SANDBOX 1

(Change that 1 to a 0 to disable it) and then restart and you'll see the extra process :)

1611151153093.png
 
Last edited:

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,868
Wasn't the solution to this for it to run in it's own sandbox? I'm thinking of re-enabling this. Surely then no software can do anything to it.

Windows Defender Antivirus can now run in a sandbox - Microsoft Security

It was quite straight forward though used a little more ram it didn't really slow things down. /shrug

EDIT: to enable it, just run CMD with admin rights and input:

setx /M MP_FORCE_USE_SANDBOX 1

(Change that 1 to a 0 to disable it)
WD Sandbox won't help against this I think. But I'll wait for an expert opinion.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Oh okay. Was just a thought. You'd think WD would have better tampering protection.
The idea of adding Defender exclusions can be dangerous in targeted attacks. It seems rather stupid in the wide-spread attacks:
  1. The computer is already highly compromised, because malware has got high privileges.
  2. Adding exclusions by the malware do not stop the behavior monitoring (protected by Tamper Protection), so the malware can be still detected in the cloud.
  3. Adding exclusions increases the chances of the proper detection in the cloud.
In the targeted attacks, this method can be used for lateral movement and can increase the time of penetrating the Enterprise network until finally it will be detected by Defender.
In the case of the IOBIT malware, the attacker did not get any gain of adding exclusions.
 
Last edited:

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
The idea of adding Defender exclusions can be dangerous in targeted attacks. It seems rather stupid in the wide-spread attacks:
  1. The computer is already highly compromised, because malware has got high privileges.
  2. Adding exclusions by the malware do not stop the behavior monitoring (protected by Tamper Protection), so the malware can be still detected in the cloud.
  3. Adding exclusions increases the chances of the proper detection in the cloud.
Thanks for the info :)
 

aldist

Level 2
Jul 22, 2020
59
Hello! I know that as of v1.1.1.1 the option to disable real-time protection has been removed. Is it possible to create a separate program to disable real-time protection? With only two functions, turn off / on. It would be just a delight and sensation for Windows 10 users.
 
  • Like
Reactions: Protomartyr

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
Hello! I know that as of v1.1.1.1 the option to disable real-time protection has been removed. Is it possible to create a separate program to disable real-time protection? With only two functions, turn off / on. It would be just a delight and sensation for Windows 10 users.
The problem with doing this is it'll end up getting flagged as malware by Microsoft and other antivirus vendors.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Hello! I know that as of v1.1.1.1 the option to disable real-time protection has been removed. Is it possible to create a separate program to disable real-time protection? With only two functions, turn off / on. It would be just a delight and sensation for Windows 10 users.
WD Real-time protection is protected by Tamper Protection. You can disable it temporarily without any 3rd party tool from Security Center with few clicks.:)(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Guys, did anybody have Windows Defender alert about ConfigureDefender like in this post:
https://www.wilderssecurity.com/thr...ilt-in-defender-settings.399788/#post-2984487

I checked on my computers with Edge SmartScreen + PUA protection, Smartscreen Application Reputation, and Windows Defender (ConfigureDefender on MAX). All allowed download and execution without any warnings. I downloaded the ConfigureDefender from my GitHub repository:
or

It is possible that someone tried to download ConfigureDefender via a kind of download assistant from the website which hosts applications. In such a case, the assistant executable can be flagged as PUA.:unsure:

Edit.
Corrected the link.
 
Last edited:

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,256
Guys, did anybody have Windows Defender alert about ConfigureDefender like in this post:
https://www.wilderssecurity.com/thr...ilt-in-defender-settings.399788/#post-2984487

I checked on my computers with Edge SmartScreen + PUA protection, Smartscreen Application Reputation, and Windows Defender (ConfigureDefender on MAX). All allowed download and execution without any warnings. I downloaded the ConfigureDefender from my GitHub repository:
or

Here it's fine to download CD from both links above, no alert by WD 👍
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I also tried the downloads from Softpedia and Majorgeeks - no problem at all.
When downloading from Chip.de, Windows Defender alerted about PUA. I checked the file, but it was Chip installer for ConfigureDefender:
ConfigureDefender - CHIP-Installer vom 22.01.2021 906da0d574ad010d4cd1c2007f583c66.exe
 
Last edited:
F

ForgottenSeer 85179

Guys, did anybody have Windows Defender alert about ConfigureDefender like in this post:
https://www.wilderssecurity.com/thr...ilt-in-defender-settings.399788/#post-2984487

I checked on my computers with Edge SmartScreen + PUA protection, Smartscreen Application Reputation, and Windows Defender (ConfigureDefender on MAX). All allowed download and execution without any warnings. I downloaded the ConfigureDefender from my GitHub repository:
or

It is possible that someone tried to download ConfigureDefender via a kind of downloader from the website which hosts applications. In such a case, the downloader can be flagged as PUA.:unsure:
Your two Github links are the same.
But i don't get any problems

I also tried the downloads from Softpedia and Majorgeeks - no problem at all.
When downloading from Chip.de, Windows Defender alerted about PUA. I checked the file, but it was Chip installer for ConfigureDefender:
ConfigureDefender - CHIP-Installer vom 22.01.2021 906da0d574ad010d4cd1c2007f583c66.exe
CHIP is known for adding PUA to binaries (n)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top