ConfigureDefender utility for Windows 10/11

ErzCrz

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,156
Templarware said:
You think I didn't try running the installer outside the browser immediately after? :ROFLMAO:
If it's not MpEngine, then it's something from Windows 10, outside Defender.
Click to expand...
Are you using WindowsSimpleHardening or Hard_Configurator along with CD? Try right clicking the icon and see if a Install By Smartscreen option is there or run as administrator. There are lots of browser options out there and if your using Microsoft Defender anyway, that's best accompanied with Chromium-Edge.
 
  • Like
Reactions: Nevi and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Templarware said:
You think I didn't try running the installer outside the browser immediately after? 😛
It was probably MAPS, block at first sight, MpEngine... I think it's not being blocked, but it maybe it's being suspended to be analyzed, but something doesn't work right and immediately gives the error "installer cold not launch".
Click to expand...
Yes, this might happen when you have several executables in the folder. When you open the folder (first time after starting Windows session) these executables are checked by Defender. Some of them (not checked yet) can be suspended.
 
  • Like
Reactions: ForgottenSeer 85179
Templarware

Templarware

Level 10
Verified
Well-known
Mar 13, 2021
462
ErzCrz said:
Are you using WindowsSimpleHardening or Hard_Configurator along with CD? Try right clicking the icon and see if a Install By Smartscreen option is there or run as administrator. There are lots of browser options out there and if your using Microsoft Defender anyway, that's best accompanied with Chromium-Edge.
Click to expand...
None. I manually changed group policies, following a video, because I wanted to learn exactly what I was changing. I did this: and this:

Running as administrator didn't work, I tried.
 
  • Like
Reactions: Nevi
Templarware

Templarware

Level 10
Verified
Well-known
Mar 13, 2021
462
Andy Ful said:
Yes, this might happen when you have several executables in the folder. When you open the folder (first time after starting Windows session) these executables are checked by Defender. Some of them (not checked yet) can be suspended.
Click to expand...
There were no executables, only a few documents and video files.
 
  • Like
Reactions: Nevi
Templarware

Templarware

Level 10
Verified
Well-known
Mar 13, 2021
462
SecureKongo said:
Why wasting so much time while it could be so easy hardening Windows/Defender with Andy's tools in which he puts so much effort? 🤨
Click to expand...
Because I wanted to know what I was changing. I found it doesn't really explain what is doing, group policies have better explanation, and there aren't many policies to change, it's a quick thing to do.
 
  • Like
Reactions: Nevi, Nagisa and Kongo
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
Templarware said:
Because I wanted to know what I was changing. I found it doesn't really explain what is doing, group policies have better explanation, and there aren't many policies to change, it's a quick thing to do.
Click to expand...
I can assure you that Simple Windows Hardening does it's job perfectly fine, thats why so many people are using it here. Same with Configure Defender... And if you face any issues, you can revert the changes easily.

I also think that the information that is provided within the tool, is enough for people to understand what it's doing:
Screenshot 2021-04-24 202520.png
Unbenannt2.PNG

Unbenannt.PNG
 
Last edited:
  • Like
Reactions: Nevi, Stopspying, blackice and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
The more detailed info about SWH options is included in the manual:
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf

The comprehensive info about SRP and Registry changes related to hardening can be found in the H_C documentation:
https://github.com/AndyFul/Hard_Configurator/tree/master/Documentation

The info about Defender ASR rules can be found in articles (included on the ConfigureDefender GitHub webpage):
medium.com

Microsoft Defender Attack Surface Reduction Recommendations

Palantir’s Infosec team shares their tips and best practices
medium.com medium.com
docs.microsoft.com

Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint

Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
docs.microsoft.com
techcommunity.microsoft.com

Microsoft Defender for Endpoint Blog

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Microsoft Privacy Statement
techcommunity.microsoft.com
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: Nevi, Stopspying, TairikuOkami and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Moonhorse said:
Could someone of you guys check, if the disabling of telemetry of windows will cause defender to prevent that?

I guess the adguard desktop caused to run that commandline and md prevented it from running , right?
View attachment 258443
Click to expand...
This CmdLine is also blocked by Defender on my computer.
 
  • Like
  • Thanks
Reactions: Nevi, Moonhorse, Vasudev and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Gandalf_The_Grey said:
Thanks Andy (y)
How does the new warn option work?
Do you get a popup or something like that where you can decide if you allow or deny something or just info that a rule is triggered?
Click to expand...
It works like most ASR rules. If it is set to Warn, then the driver is initially blocked and you can see the alert, that allows unblocking. The next time the driver will be allowed. One can also use ASR exclusions. The blocked driver can be submitted for analysis to Microsoft.

1622368759749.png 1622368961086.png

docs.microsoft.com

Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint

Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
docs.microsoft.com
 
Last edited by a moderator:
  • +Reputation
  • Like
Reactions: Protomartyr, Vasudev, blackice and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Andy Ful said:
...
This rule will be set as follows:
DEFAULT -------------> Disabled
HIGH -------------------> Audit
INTERACTIVE -----> Warn
MAX -------------------> ON
Click to expand...
I have overlooked that this rule does not block the drivers already installed on the system. So, maybe it will be better to set it to ON in the HIGH preset.:unsure:

DEFAULT -------------> Disabled
HIGH -------------------> ON
INTERACTIVE -----> Warn
MAX -------------------> ON
 
Last edited:
  • Like
  • Applause
  • Thanks
Reactions: Protomartyr, Vasudev, blackice and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Microsoft disabled its own PowerShell cmdlets for managing ASR rules (Disabled, AuditMode) when Tamper Protection is enabled. When the user opens PowerShell console and tries to set any ASR rule to Disabled or Audit Mode, then Defender blocks the cmdlet and Logs the event as :
Trojan:Win32/MpTamperASRRule.PSA (for AuditMode attempt)
Trojan:Win32/MpTamperASRRule.PSD (for disabling attempt)

This does not affect the PowerShell cmdlets when the user wants to enable ASR rules.

For now, these changes do not affect the functionality of <DEFAULT>, <HIGH>, <INTERACTIVE>, <MAX> options in ConfigureDefender. They work as usual. Anyway, when the user wants to set a particular ASR rule manually to Disabled or Audit, Defender will block the attempt with an alert. It is still possible to do it when Tamper Protection is temporarily disabled.

I will try to negotiate with Microsoft to whitelist ConfigureDefender in Tamper Protection, but the chances for that are not great.:(
Furthermore, I think that Microsoft is doing the right thing, except labeling the action as Trojan.
 
  • Like
  • +Reputation
  • Wow
Reactions: SeriousHoax, plat, Kongo and 8 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,067
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,410
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,218
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top