ConfigureDefender utility for Windows 10/11

[Andy Ful]

...
Is there a possibility (in a future version perhaps) to highlight the set protection level?
The same request could be made for Hard_Configurator.
Is it on recommended, one of the profiles or custom settings?

Suppose that you applied the HIGH preset and the <HIGH> button was highlighted. Next, you had many blocks on one of the enabled ASR rules, and you had to disable it. Is it possible to see this from the highlighted <HIGH> button (protection level button)? The same problem will be when you enable an additional rule.
There are many possibilities of adding/removing some rules, so highlighting the Protection Level buttons is not the solution.
The Protection Level buttons are only to apply the predefined settings (and save many clicks). They are not for getting information about the settings - the user has to look at what settings are applied.
That is why ConfigureDefender is for semi-advanced users.

 

[Arequire]

Suppose that you applied the HIGH preset and the <HIGH> button was highlighted. Next, you had many blocks on one of the enabled ASR rules and you have to disable it. Is it possible to see this from the highlighted button <HIGH> (protection level button)? The same problem will be when you enable an additional rule.
There are many possibilities of adding/removing some rules, so highlighting the Protection Level buttons is not the solution.

A potential solution could be to add a "Custom" button and highlight that if any rules are changed from the ones applied by the Default/High/Max protection levels.
The button could be non-interactable; just highlighted to indicate a custom configuration.

 

[Andy Ful]

A potential solution could be to add a "Custom" button and highlight that if any rules are changed from the ones applied by the Default/High/Max protection levels.
The button could be non-interactable; just highlighted to indicate a custom configuration.

OK. So, you would like to know if the settings have been tampered with. This can be done by showing an alert after running ConfigureDefender.

Edit.
If the application supposed to be fully portable then the alert can only inform the user that the current settings are DEFAULT, HIGH, MAX, or CUSTOM. The alert about tampering would require saving the configuration (not fully portable).

 

[Arequire]

OK. So, you would like to know if the settings have been tampered with. This can be done by showing an alert after running ConfigureDefender.

Edit.
If the application supposed to be fully portable then the alert can only inform the user that the current settings are DEFAULT, HIGH, MAX, or CUSTOM. The alert about tampering would require saving the configuration (not fully portable).

I'll defer to @Gandalf_The_Grey as they were the one who asked about highlighting the current protection level.

What I think would be good is a list (maybe placed in the README or Help pdf?) of all the changes that the HIGH and MAX levels implement when moving from Defender's default settings.
I know you've already got a dialogue box that pops up when hovering over each protection level, but a list of the exact changes would be helpful.
Something along the lines of:

HIGH:

• PUA Protection enabled
• Cloud Protection Level set to Highest
• Cloud Check Time Limit increased from 10 to 20 seconds
• [List of ASR rules that're enabled]
• Network Protection enabled

MAX:

• PUA Protection enabled
• Cloud Protection Level set to Block
• Cloud Check Time Limit increased from 10 to 60 seconds
• Explorer/Edge/Internet Explorer SmartScreen implementations changed from Warn to Block
• All ASR rules enabled
• Network Protection enabled
• Controlled Folder Access enabled
• Windows Security Centre hidden

I've probably messed up which settings are actually enabled in those protection levels but you get the point.

 

[Andy Ful]

...
What I think would be good is a list (maybe placed in the README or Help pdf?) of all the changes that the HIGH and MAX levels implement when moving from Defender's default settings.
...

I will think about it.

 

[Andy Ful]

In the next version, the user will be able to see the settings enabled in DEFAULT, HIGH, and MAX Levels. I will also add some information about using ASR rules that are disabled in HIGH preset.

 

[Andy Ful]

I found some interesting additional info about the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria":



We can see this rule under the Polymorphic threats section. From this document, one can conclude that prevalence is related to 1000 machines and age to 24 hours. From my experience, most executable files blocked by this rule (application installers/updaters) are allowed after 48 hours.

https://www.microsoftpartnercommunity.com/atvwr79957/attachments/atvwr79957/UK_Area_db/396/4/Microsoft%20Defender%20for%20Endpoint%20Overview.pdf

 

[Andy Ful]

This info will be displayed after pressing the <INFO> button:

*************************
PROTECTION LEVELS **
*************************

### The below settings are the same for DEFAULT, HIGH, and MAX Protection Levels:

BASIC DEFENDER SETTINGS
- Behavior Monitoring = ON
- Block At First Sight = ON
- Cloud-delivered Protection = ON
- Automatic Sample Submission = Send
- Scan all downloaded files and attachments = ON
- Script Scanning = ON
- Average CPU load while scanning = 50%


### The DEFAULT Protection Level applies the other settings as follows:

BASIC DEFENDER SETTINGS
- PUA Protection = Disabled
- Cloud Protection Level = Default
- Cloud Check Time Limit = 10s

ADMIN: SMARTSCREEN
- For Explorer = User
- For Edge (not Chromium) = User
- For Internet Explorer = User

EXPLOIT GUARD ---> All settings set to Disabled

ADMIN: HIDE SECURITY CENTER = Visible


### The HIGH Protection Level applies the other settings as follows:

BASIC DEFENDER SETTINGS
- PUA Protection = ON
- Cloud Protection Level = Highest
- Cloud Check Time Limit = 20s

ADMIN: SMARTSCREEN
- For Explorer = User
- For Edge (not Chromium) = User
- For Internet Explorer = User

EXPLOIT GUARD ---> All settings set to ON, except the below:
- Block executable files from running unless they meet a prevalence, age, or
trusted list criteria = Disabled
- Block credential stealing from the Windows local security = Disabled
- Block process creations originating from PSExec and WMI commands = Disabled
- Controlled Folder Access = Disabled

ADMIN: HIDE SECURITY CENTER = Visible


### The MAX Protection Level applies the other settings as follows:

BASIC DEFENDER SETTINGS
- PUA Protection = ON
- Cloud Protection Level = Block
- Cloud Check Time Limit = 60s

ADMIN: SMARTSCREEN
- For Explorer = Block
- For Edge (not Chromium) = Block
- For Internet Explorer = Block

EXPLOIT GUARD ---> All settings set to ON

ADMIN: HIDE SECURITY CENTER = Hidden


**************************
TAMPER PROTECTION **
**************************

The below settings cannot be disabled while Defender Tamper Protection is enabled:
- Behavior Monitoring = ON
- Scan all downloaded files and attachments = ON
- Script Scanning = ON


***********************************************
SOME NOTES ABOUT ASR RULES AND CFA **
***********************************************

## Block credential stealing from the Windows local security

This rule can make a lot of noise in the Defender Security Log. Most of the blocked events are usually false positives when the legal application tries to enumerate running processes and attempts to open them with exhaustive permissions. These applications can be excluded by using <Manage ASR Exclusions>.

## Block executable files from running unless they meet a prevalence, age, or trusted list criteria

This rule is strong prevention against Polymorphic malware (EXE, DLL, etc.), but one has to accept the higher rate of false positives for application installers/updaters. The prevalence is related to 1000 machines and age to 24 hours. The trusted list criteria are managed by Microsoft. The rule can recognize the executable as suspicious only when Defender can connect to the Microsoft cloud.
From my experience, most executable files blocked by this rule (application installers/updaters) are allowed after 48 hours. Anyway, some applications with a very low prevalence can be blocked for several days, and the users usually do not know how to unblock them.
Please note: It is useless to add exclusions for this rule. The proper procedure to unblock files is as follows:

1. Set the rule temporarily to Audit.
2. Run the installer/updater > install/update application > run the installed/updated application.
3. Set the rule to ON - Defender is smart enough to allow running the application.

## Block process creations originating from PSExec and WMI commands

This rule is important because malware can try to bypass the parent-child checking by using WMI. So, other ASR rules based on checking child processes will fail. On some computers, the WMI can be used by the computer firmware so it is better to set initially this ASR rule to Audit.

## Controlled Folder Access

It can be very useful, but only after excluding the applications that need to access protected folders and applications that need to access the protected disk areas. The second group can include backup applications, disk management applications, and disk optimization programs. It is recommended to set initially this rule to Audit.


Post updated.

 

[ForgottenSeer 85179]

Looks like a new setting for ASR rules is possible:

+ Warn: Enable the ASR rule but allow the end-user to bypass the block

Update enable-attack-surface-reduction.md by denisebmsft · Pull Request #9353 · MicrosoftDocs/windows-itpro-docs

@denisebmsft , please review.

github.com

 

[Andy Ful]

Yes. Microsoft updated ASR rules but did not add new rules. The update is related to the new mode = Warn.
Before this update, the ASR rules had 3 modes: Disabled, Enabled, Audit. I will add the Warn Mode to ConfigureDefender in a few months.

Warn mode for users​

(NEW!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.

Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.

Requirements for warn mode to work​

Warn mode is supported on devices running the following versions of Windows:

• Windows 10, version 1809 or later
• Windows Server, version 1809 or later

Microsoft Defender Antivirus must be running with real-time protection in Active mode.

In addition, make sure Microsoft Defender Antivirus and antimalware updates are installed.

• Minimum platform release requirement: 4.18.2008.9
• Minimum engine release requirement: 1.1.17400.5

For more information and to get your updates, see Update for Microsoft Defender antimalware platform.

Cases where warn mode is not supported​

Warn mode is not supported for the following attack surface reduction rules:

• Block JavaScript or VBScript from launching downloaded executable content (GUID d3e037e1-3eb8-44c8-a917-57927947596d)
• Block persistence through WMI event subscription (GUID e6db77e5-3df2-4cf1-b95a-636979351e5b)
• Use advanced protection against ransomware (GUID c1db55ab-c21a-4637-bb3f-a12568109d35)

In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.

 

[ForgottenSeer 85179]

I will add the Warn Mode to ConfigureDefender in a few months

Awesome!

 

[Templarware]

Hey guys, I've done a Defender and Windows 10 hardening, not thorough this utility, but followed a guide. Not too hardcore, but I've noticed that I'm unable to run some online installers, like Opera GX', I had to use the offline installer. What is more likely to be causing this?

 

[Andy Ful]

Look into the Protection history to identify what Defender feature is involved. For more detailed info you can also run ConfigureDefender (do not change any setting) and use <Defender Security Log> to identify the problem.

 

[Templarware]

Look into the Protection history to identify what Defender feature is involved. For more detailed info you can also run ConfigureDefender (do not change any setting) and use <Defender Security Log> to identify the problem.

There's nothing in history. That's' why I think this is something being deneid by default.

 

[Andy Ful]

Do you see any alerts?

 

[Templarware]

Do you see any alerts?

No, nothing at all. Maybe it could be a problem with the installer, but seems unlikely.
Also, when installing my monitor's driver, I wasn't being able to install the driver, it was still Generic PnP monitor. But then I noticed that the driver got installed to the computer, but not active for the device/monitor. I had to go to the "list of drivers drivers present in the computer" and select it.
Both things are weird and seem related do Defender/Windows hardening blocking something.

 

[Andy Ful]

No, nothing at all. Maybe it could be a problem with the installer, but seems unlikely.
Also, when installing my monitor's driver, I wasn't being able to install the driver, it was still Generic PnP monitor. But then I noticed that the driver got installed to the computer, but not active for the device/monitor. I had to go to the "list of drivers drivers present in the computer" and select it.
Both things are weird and seem related do Defender/Windows hardening blocking something.

Revert the hardening >> check if this helped >> apply the hardening gradually
Try to identify what Id events are related to blocking by the applied hardening features. In this way, you will be able to identify the issues in the future by looking into the Windows Event Log.

 

[Templarware]

Revert the hardening >> check if this helped >> apply the hardening gradually
Try to identify what Id events are related to blocking by the applied hardening features. In this way, you will be able to identify the issues in the future by looking into the Windows Event Log.

I would have to try to run Opera's installer again. I was now able to install HWinfo without any problem.
I wouldn't be surprised if Microsoft could use Defender to block competition, like other browser installations, using security as an excuse.

 

[Andy Ful]

I would have to try to run Opera's installer again. I was now able to install HWinfo without any problem.
I wouldn't be surprised if Microsoft could use Defender to block competition, like other browser installations, using security as an excuse.

Such online installers are frequently blocked by Defender PUA protection. Sometimes Defender do not show an alert, so the user can be misguided. Anyway, the detection event should be noted in the Protection History. If not, then it is highly probable that Defender had nothing to do with this issue. The online installer could be blocked by web browser protection (like SmartScreen).

 

[Templarware]

Such online installers are frequently blocked by Defender PUA protection. Sometimes Defender do not show an alert, so the user can be misguided. Anyway, the detection event should be noted in the Protection History. If not, then it is highly probable that Defender had nothing to do with this issue. The online installer could be blocked by web browser protection (like SmartScreen).

You think I didn't try running the installer outside the browser immediately after?
It was probably MAPS, block at first sight, MpEngine... I think it's not being blocked, but it maybe it's being suspended to be analyzed, but something doesn't work right and immediately gives the error "installer cold not start".