ConfigureDefender utility for Windows 10/11

[oldschool]

@Andy Ful Can you clarify the warn mode for us?
Here's what I found in MS document.

What is meant by the word "content" in this case? Is it the particular blocked content or the whole ASR rule will be unblocked for 24 hours if I select allow.

My guess is the content but I'll leave that to the expert.

 

[Moonhorse]

md @ max + hc all @ max + hc firewall @ max
perfekt

I have no problems running MD on max, and if i run into problem i can check defender security log or just lower the settings

HC is not my business its too complicated sometimes, i rather use comodo firewall (easier to whitelist) but its different story

 

[Andy Ful]

@Andy Ful Can you clarify the warn mode for us?
Here's what I found in MS document.

What is meant by the word "content" in this case? Is it the particular blocked content or the whole ASR rule will be unblocked for 24 hours if I select allow.

Only the particular content will be unblocked.
More precisely, the < OK / Unblock > alert can prompt several times when running a single application. By pressing Unblock each time, the process is blocked but is going to be unblocked if you repeat running the application in the next 24 hours. This has no impact on the ASR rule - it will still block other suspicious actions/processes.
So, one alert is related to unblocking a particular content, but several alerts (for one application) are related to unblocking the whole blocked content (for this application).

 

[Andy Ful]

md @ max + hc all @ max + hc firewall @ max
perfekt

Requires an advanced user to manage the whitelisting, adjust exclusions, perform software updates, etc. Some knowledge to read & understand the Logs available in H_C is also required. This setup will not be convenient for most users, mostly due to making manual software updates (protection temporarily switched OFF). Many software auto-updates will be silently blocked in this setup, so the user should periodically look into the H_C Logs (including FirewallHardening Log).

 

[SeriousHoax]

Only the particular content will be unblocked.
More precisely, the < OK / Unblock > alert can prompt several times when running a single application. By pressing Unblock each time, the process is blocked but is going to be unblocked if you repeat running the application in the next 24 hours. This has no impact on the ASR rule - it will still block other suspicious actions/processes.
So, one alert is related to unblocking a particular content, but several alerts (for one application) are related to unblocking the whole blocked content (for this application).

This is great. I'll try the interactive/warn mode then.

 

[Andy Ful]

block happen 1 per 6 month
view log
turn off
make policy change
turn on
so easy for child

Ha, ha. Try to convince someone else than you.

People hear:
incidents happen 1 per 6 months
inspect how you feel
rest a little if needed
change the path if required
continue the way to Mount Everest
it is so easy for the Sherpa

 

[wat0114]

that funny
also sad
software not problem
person are problem
can not fix person problem with software

Not everyone wants to micromanage their security config.

 

[SeriousHoax]

@Andy Ful So I set Defender in Interactive mode yesterday and just now I noticed these in the log.

I was not aware of this as I saw no notification when this happened. Is this normal for Warn mode?

I also found another one after updating Ventoy on my flash drive. This behavior is expected as it is designed to do that. It only says, detected suspicious behavior. Doesn't say whether it was blocked or not. I don't think it was blocked but curious to what you know about these types of logs.

 

[Andy Ful]

@Andy Ful So I set Defender in Interactive mode yesterday and just now I noticed these in the log.
View attachment 259995View attachment 259996
I was not aware of this as I saw no notification when this happened. Is this normal for Warn mode?

The ASR LSASS rule can usually block something without any alert (even set to ON). It is probably due to the fact that the process itself is not blocked but only the LSASS query. I think that when the whole process would be blocked by this rule then the alert should be shown.

I also found another one after updating Ventoy on my flash drive. This behavior is expected as it is designed to do that. It only says, detected suspicious behavior. Doesn't say whether it was blocked or not. I don't think it was blocked but curious to what you know about these types of logs.
View attachment 259998

That is a normal post-execution behavior-based detection. The process should be blocked after doing some non-suspicious actions when trying to do the suspicious action.

 

[SeriousHoax]

The ASR LSASS rule can usually block something without any alert (even set to ON). It is probably due to the fact that the process itself is not blocked but only the LSASS query. I think that when the whole process would be blocked by this rule then the alert should be shown.


That is a normal post-execution behavior-based detection. The process should be blocked after doing some non-suspicious actions when trying to do the suspicious action.

Okay, got it.

 

[Digmor Crusher]

Hi Andy, a buddy on another forum is trying to run CD, the smartscreen warning popped up and he clicked 'Run Anyways" then this popped up. Any ideas as to why? Thanks.

 

[Andy Ful]

Hi Andy, a buddy on another forum is trying to run CD, the smartscreen warning popped up and he clicked 'Run Anyways" then this popped up. Any ideas as to why? Thanks.

Something wrong is with the executable.

The official ConfigureDefender executables are accepted by SmartScreen and are digitally signed. Files that trigger SmartScreen with an unknown publisher should not be run. It is probable that the downloaded executable was corrupted. Here are the links to official executables from GitHub:

https://github.com/AndyFul/ConfigureDefender/raw/master/ConfigureDefender3001.zip

https://github.com/AndyFul/ConfigureDefender/raw/master/ConfigureDefender.exe

https://github.com/AndyFul/ConfigureDefender/raw/master/C_D_3010_beta2.exe

I checked all of them and after download, they run without SmartScreen alert. I suspect that the AV could detect the corrupted file as suspicious or malicious.

 

[Digmor Crusher]

Thank you sir.

 

[Moonhorse]

So I set Defender in Interactive mode yesterday and just now I noticed these in the log.

I was not aware of this as I saw no notification when this happened. Is this normal for Warn mode?

Noticed this now too, 3 threats showing up, adguard is one as expected

I just reverted from max > high to avoid it

 

[oldschool]

Noticed this now too, 3 threats showing up, adguard is one as expected

I just reverted from max > high to avoid it

All lsass-related? If so, just disable that one rule.

 

[Moonhorse]

lsass block ignore it nothing broke windows itself block lsass acess
do not revert securatay cause you do not want to see block events

All i care is cloud>block so high works as good.. i have cf anyways

 

[oldschool]

lsass block ignore it nothing broke windows itself block lsass acess
do not revert securatay cause you do not want to see block events

The ASR LSASS rule can usually block something without any alert (even set to ON). It is probably due to the fact that the process itself is not blocked but only the LSASS query. I think that when the whole process would be blocked by this rule then the alert should be shown.

This is what you're referring to? Yes?

 

[Andy Ful]

...
basic windows internals that no process need access lsass memory yet no concern when home pc not part of domain nor active directory
...

You are right. This also logically suggests that the ASR LSASS rule can be disabled in the Home environment.
It can make a lot of unnecessary entries in the Log. Of course, if one uses applications that do it rarely, then this ASR rule can be enabled as well.

 

[SeriousHoax]

One more problem is that these ASR rules logs can't be deleted at all from Windows Security's "Protection History". Microsoft hasn't provided any way to delete any protection history log. There are tricks available to remove malware-related entries but it doesn't work for ASR rules. Now my protection history is filled with those. A very childish design from Microsoft. I'm so annoyed that I can't explain it in words. I even switched to a third-party AV out of annoyance (temporarily at least).
Anyway, it's Microsoft's fault. Configure Defender is awesome as always.

 

[SeriousHoax]

why? just logs windows full of logs


os and ocd is bad mix

might this work but obsession of logs is problem

Clear Protection History in Windows Defender on Windows 10

I'm not talking about those logs, I'm talking about the logs in Windows Security's protection history. There should be options in the UI to delete those but there aren't any. I don't want to open protection history and be greeted with old unnecessary ASR rule blocking logs.
I don't know if the solution you showed works to remove ASR rules-related entries. Maybe Andy or someone else can try and share the info.