ConfigureDefender utility for Windows 10/11

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
The new ConfigureDefender ver. 1.0.1.0 is available for testing:
Added ASR mitigations introduced in Windows ver. 1803 (they should work also on updated ver. 1709).
In the "Child Protection", all ASR mitigations are enabled, with some folder exclusions:
Windows, Program Files ..., ProgramData\Microsoft\Windows Defender.
.
I noticed that mitigation: "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" is more restrictive than Defender 'Cloud Protection Level' set to Block. Furthermore, most executables blocked by this mitigation (but not all) can be run after one day.
.
The mitigation "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" can block some schtaks.exe processes and also processes started by Windows Defender in the folder: ProgramData\Microsoft\Windows Defender.

Post edited.
The Lsass rule, does not support exclusions.


Do you advise downloading this to replace current version - IF NOT testing?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
The new ConfigureDefender ver. 1.0.1.1 is available:
for Windows 64-bit: AndyFul/ConfigureDefender
for Windows 32-bit: AndyFul/ConfigureDefender
.
1. Corrected a minor bug related to unnecessary folder exclusion for the ASR mitigation that does not support exclusions.
2. In <Defender high settings> the ASR mitigation 'Use advanced protection against ransomware' is set to ON, and 'Controlled Folder Access' is set to Audit.
.
<Defender high settings> can be adopted by most users.
<Child Protection> is very restrictive due to Controlled Folder Access, hiding the Defender Security Center, and two new mitigations:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
The new version was sent to Microsoft and is whitelisted by Defender. It is not whitelisted by SmartScreen, yet. This will take some time.
Be safe.:)
 

Reldel1

Level 2
Verified
Jun 12, 2017
50
Congrats on the official release. Had been running 1.0.1.0 on two 1803 installs without any issues or events showing in event viewer. Already changed both boxes to new 1.0.1.1 this morning. Using both ConfigureDefender and Hard Configurator have saved much time maintaining Pro versions that I used to configure SRP on myself. Greatly appreciated Andy.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Thanks. I will push the new version (4.0.0.0) ) of Hard_Configurator soon with integrated ConfigureDefender. In Hard_Configurator the user can use NirSoft FullEventLogView with the predefined config file to see Windows Defender alerts. I am waiting for whitelisting Hard_Configurator by Avast.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
The new ConfigureDefender ver. 1.0.1.1 is available:
for Windows 64-bit: AndyFul/ConfigureDefender
for Windows 32-bit: AndyFul/ConfigureDefender
.
1. Corrected a minor bug related to unnecessary folder exclusion for the ASR mitigation that does not support exclusions.
2. In <Defender high settings> the ASR mitigation 'Use advanced protection against ransomware' is set to ON, and 'Controlled Folder Access' is set to Audit.
.
<Defender high settings> can be adopted by most users.
<Child Protection> is very restrictive due to Controlled Folder Access, hiding the Defender Security Center, and two new mitigations:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
The new version was sent to Microsoft and is whitelisted by Defender. It is not whitelisted by SmartScreen, yet. This will take some time.
Be safe.:)
Thanks for the update and this great piece of software (y)
What does "Audit" mean?
Do you get a popup?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Thanks for the update and this great piece of software (y)
What does "Audit" mean?
Do you get a popup?
'Audit' means that the file will not be blocked (no visible alert), but the info about the possible block (if the setting was Enabled) is written to the Windows Event Log. It helps to find out how safe will be enabling the setting and what the user can expect after enabling it.
Import custom views to see Windows Defender Exploit Guard events
It is convenient to prepare a custom view only for Windows Defender. One can also use NirSoft tool FullEventLogView with the custom config. See the config file in attachment (change the file extension .txt --> .cfg).
 

Attachments

  • FullEventLogView.txt
    1.1 KB · Views: 481
Last edited:

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415

Yellowing

Level 5
Verified
Jun 7, 2018
221
This is a very nice application! Good work! :)

Could you please keep the initial post up to date? I was wondering for a while if you switched to a different platform because the link threw 404.
I thought because microsoft bought it or something. :D

Thanks!
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top