ConfigureDefender utility for Windows 10/11

[Andy Ful]

That popup never appeared. If I try to open Windows Security via Settings, I get this...

Even with...

Quite the minefield to negotiate.

This happens when you did not restart Windows after changing the settings. As it is stated in the ConfigureDefender help, the restart is required.
If the issue persists after restart, then it is a sign that something in your system prevents ConfigureDefender to make changes.

 

[codswollip]

This happens when you did not restart Windows after changing the settings

Got it. I'll give it another go, as I backed down from Max. So back to Max and reboot.

I have a "cosmetic" wish list here... While the vertical scrollbar is essential for viewing the CD settings, I prefer to use my scroll wheel to peruse the settings...

The better option is just to clean install Windows.

 

[Andy Ful]

It seems that the ConfigureDefender help features (<HELP> and <Info>) are useful only for me.

 

[Andy Ful]

@Andy Ful

Windows 10 21H1

Yeah I have to report my observations on fixing the crashing protection history. After taking the steps and deleting mpenginedb.db, on that particular system, afterwards CFA alerts for things such as msedge.exe downloading an a file to the Desktop and sihost.exe deleting an image file.

FYI I have added the entire OneDrive to protected folders as well as use the OneDrive personal folder (e.g. Desktop, Documents) backup and sync feature across systems. So Desktop and others are protected by CFA in my configuration.

What I am saying is that it appears that the default mpenginedb.db file whitelists some Microsoft processes on behalf of users, so there are no CFA alerts for those processes, but once you delete that mpenginedb.db file, they are no longer whitelisted, alerts will appear, and the user will have to create exclusion rules for CFA.

I am not sure. I deleted mpenginedb.db many times in the past. After your post, I added my Desktop folder (located also on OneDrive) to CFA and made a test:

1. Downloaded file1 by using Edge to Desktop folder (no CFA block).
2. Tried to delete the file1 from Desktop by using PowerShell - action blocked by CFA.
3. Stopped the Windefend service, deleted the file mpenginedb.db, and started the service again.
4. Tried to delete the file1 from Desktop by using PowerShell - action blocked by CFA.
5. Downloaded file2 by using Edge to Desktop (no CFA block).
6. Tried to delete the file2 from Desktop by using PowerShell - action blocked by CFA.

This test was done on Windows 10 Pro 21H1 64-bit.
I suspect, that in your case the Edge was updated and Microsoft did not whitelist the new executable on time in CFA.

 

[Kongo]

Suddenly CD is detected by the AI engine of Sophos. Already submitted it to them as a false positive.

 

[Back3]

I use the CD beta. Whenever I click on Defender Security Log, a small window appears. But the text in it is hidden by a banner that says Please wait...it can take a minute. After a few seconds, everything disappears. To be able to read the text, I have to move the window up or down or sideways....

 

[Andy Ful]

Suddenly CD is detected by the AI engine of Sophos. Already submitted it to them as a false positive.

View attachment 260410

Thanks.

 

[Andy Ful]

No. That's not the case. The behavior started after deleting mpenginedb.db on a clean Windows 10 image.
...

View attachment 260398

View attachment 260399

View attachment 260400

Edit: I tried on a completely different system. Same results. Can reproduce it at-will every single time. The OneDrive backup feature must be enabled. This does not "add" the Desktop folder to the list of protected folders. The user does not do that manually. The Desktop folder is added by Windows to OneDrive in a hidden manner.

View attachment 260401

View attachment 260402

That is interesting behavior. Did you check what process is blocked?
The issue should be related to OneDrive, maybe.
I will try to reproduce it on my system.

Edit.
After logging into OneDrive the CFA blocked OneDrive.exe from accessing the Documents folder.

 

[Andy Ful]

I use the CD beta. Whenever I click on Defender Security Log, a small window appears. But the text in it is hidden by a banner that says Please wait...it can take a minute. After a few seconds, everything disappears. To be able to read the text, I have to move the window up or down or sideways....View attachment 260411

Yes. This minor issue can happen when the log is empty.

 

[Andy Ful]

wurde,​

The behavior of CFA is slightly different on my computer. I have the Documents and Desktop folders synced in OneDrive, but normally my Desktop folder is not protected in CFA.

1. Logged to OneDrive. CFA blocked the OneDrive.exe from accessing the Documents folder.
2. Used Edge to download file1 to Desktop (not blocked, file synced).
3. Used PowerShell to delete file1 from Desktop (not blocked, file deleted).
4. Added Desktop folder to CFA .
5. Used Edge to download file2 to Desktop (not blocked, file synced).
6. Used PowerShell to delete file2 from Desktop (action blocked by CFA).

So, it seems that CFA blocks OneDrive on my computer but does not block Edge. I do not use any CFA exclusions for applications. I deleted the file mpenginedb.db several times in the past.

Edit
Does CFA still block Edge on your machine?

 

[Gandalf_The_Grey]

CFA remains a bit strange because it seems to differ between computers and setups.
There are no blocks for OneDrive and Edge on my laptop.

 

[Andy Ful]

CFA remains a bit strange because it seems to differ between computers and setups.
There are no blocks for OneDrive and Edge on my laptop.

On my computer, the CFA blocks for OneDrive are present only when OneDrive does not start with Windows. The Defender alert is going to be triggered (once per Windows session) just after I run OneDrive manually. If the OneDrive is set to start with windows, then there is no CFA block. Anyway, in both cases, I do not see any difference in the normal functioning of OneDrive.
I still do not use any CFA exclusions.

 

[Gandalf_The_Grey]

On my computer, the CFA blocks for OneDrive are present only when OneDrive does not start with Windows. The Defender alert is going to be triggered just after I run OneDrive manually. If the OneDrive is set to start with windows, then there is no CFA block. Anyway, in both cases, I do not see any difference in the normal functioning of OneDrive.
I still do not use any CFA exclusions.

That's very good advice
You are inclined to allow a program when you notice that it's blocked by CFA.
But when it doesn't impact the functionality why should you.
By allowing all kinds of programs you are weakening CFA's defenses.

 

[Andy Ful]

In my opinion, CFA is good anti-ransomware protection, but only until it is unpopular. It would be easy to bypass CFA, by injecting the shellcode into an application that is whitelisted in CFA. So, if it will become more popular, then using OneDrive, MS Office, or other very popular document editors/viewers will be less safe than today.

 

[codswollip]

You are inclined to allow a program when you notice that it's blocked by CFA.
But when it doesn't impact the functionality why should you.

In principle, I agree. However, saying "it doesn't impact the functionality" without fully understanding why the block was triggered, and what effect, if any, blocking leads to, takes us into a gray area where we may not immediately recognize what blocking has broken. I have no sure answer for this. It is a judgement call for me when I allow xyplorer.exe as an CFA exception.

 

[Andy Ful]

In principle, I agree. However, saying "it doesn't impact the functionality" without fully understanding why the block was triggered, and what effect, if any, blocking leads to, takes us into a gray area where we may not immediately recognize what blocking has broken. I have no sure answer for this. It is a judgement call for me when I allow xyplorer.exe as an CFA exception.

Whitelisting XYplorer and similar not popular applications will be a practical solution for you and most people.
You probably use XYplorer as a replacement for Windows Explorer.

 

[Andy Ful]

CVE-2021-40444 MSHTML vulnerability​

As I mentioned a few days ago in another thread, Defender can fully mitigate this exploit by the ASR rule "Block all Office applications from creating child processes" (included in the ConfigureDefender HIGH settings).

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability | Microsoft Security Blog

This blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for Microsoft 365 Defender customers, and lists mitigation steps for hardening networks against this and similar attacks.

www.microsoft.com

New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents. Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka...

malwaretips.com

Edit.
On September 2021 Patch Tuesday, Microsoft has fixed this exploit.

 

[gsbnlda]

ConfigureDefender utility for Windows 10.

Developer website:

GitHub - AndyFul/ConfigureDefender: Utility for configuring Windows 10 built-in Defender antivirus settings.

Utility for configuring Windows 10 built-in Defender antivirus settings. - AndyFul/ConfigureDefender

github.com

Softpedia:
Download ConfigureDefender 3.0.0.1 (softpedia.com)

Hard_Configurator website (thanks to @askalan):

https://hard-configurator.com

ConfigureDefender utility is a GUI application to view and configure important Defender settings on Windows 10. It mostly uses PowerShell cmdlets (with a few exceptions). Furthermore, the user can apply one of three predefined settings: Default, High, and Max. Applying settings require restarting the computer.
Recommended for most users are High settings. The Max protection is mostly set to block anything suspicious via Attack Surface Reduction, Controlled Folder Access, SmartScreen (set to block), and 0-tolerance cloud level - also Defender Security Center is hidden.
ConfigureDefender utility is a part of the Hard_Configurator project, but it can be used as a standalone application.
.
Some important remarks on the possible ways used to configure Defender (for advanced users).


.
Windows Defender settings are stored in the Windows Registry and most of them are not available from Windows Defender Security Center. They can be managed via:
a) Group Policy Management Console (gpedit.msc, not available in Windows Home edition),
b) Direct Registry editing (manual, *.reg files, scripts).
c) PowerShell cmdlets (set-mppreference, add-mppreference, remove-mppreference, only Windows 8.1+).
.
Normally, Windows Defender stores most settings under the key (owned by SYSTEM):
HKLM\SOFTWARE\Microsoft\Windows Defender
They can be changed when using Defender Security Center or PowerShell cmdlets.
.
Administrators can use Group Policy Management Console to override those settings. Group Policy settings are stored under another key (owned by ADMINISTRATORS):
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
Group Policy settings do not delete the normal Defender settings.
.
Direct Registry editing is usually made, under the second key (the first requires System Rights).
Applying Defender settings by Direct Registry editing under the key:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
is not recommended, on Windows editions which support Group Policy Management Console (for example PRO and Enterprise editions), because of some cons:
a) Those settings are not recognized by the Group Policy Management Console.
b) They can temporarily overwrite the Group Policy Management Console setup in the Registry, because they share the same Registry keys. Those changes are not permanent, because Group Policy configuration is not overwritten.
c) After some hours, those settings are automatically and silently back-overwritten by the Group Policy Refresh feature.
d) Those settings cannot be changed via the Defender Security Center (or PowerShell cmdlets), even if they are visible there (like folders and applications related to Controlled Folder Access).
.
In Windows Home edition, one can configure Defender settings (outside of the Defender Security Center), when using PowerShell cmdlets or via the manual Registry editing. But, the most important settings are available only on Windows 10, so ConfigureDefender supports only Windows 10.
This may confuse some users, so ConfigureDefender utility can remove the settings made via Direct Registry editing under the key: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender .
That is required because those settings would override ConfigureDefender settings.
.
ConfigureDefender utility may be used also on Windows 10 Professional and Enterprise editions, if Administrator did not apply Defender policies via Group Policy Management Console. Normally all those policies are set to 'Not configured'. So, if Administrator applied Defender policies, then they must be set first to 'Not configured' before using ConfigureDefender.
.
Those settings can be found in the Group Policy Management Console:
Computer configuration >> Policies >> Administrative templates >> Windows components >> Windows Defender Antivirus.
The tabs: MAPS, MpEngine, Real-time Protection, Reporting, Scan, Spynet, and Windows Defender Exploit Guard, should be examined.
.
The below list shows which settings are available in ConfigureDefender for different Windows versions:
.
At least Windows 10:
Real-time Monitoring, Behavior Monitoring, Scan all downloaded files and attachments, Reporting Level (MAPS membership level), Average CPU Load while scanning, Automatic Sample Submission, PUA Protection, Cloud Protection Level (Default), Cloud Check Time Limit.

At least Windows 10, version 1607 (Anniversary Update):
Block At First Seen.

At least Windows 10, version 1703 (Anniversary Update):
Cloud Protection Level (High level for Windows Pro and Enterprise), Cloud Check Time Limit (Extended to 60s).

At least Windows 10, version 1709 (Creators Fall Update):
Attack Surface Reduction, Cloud Protection Level (extended Levels for Windows Pro and Enterprise), Controlled Folder Access, Network Protection.

Some reviews:
Windows 10 Defender's hidden features revealed by this free tool (bleepingcomputer.com)
Windows Defender configuration tool ConfigureDefender 3.0.0.0 released - gHacks Tech News

Post updated in November 2020.

is like real scanning ?

 

[Andy Ful]

is like real scanning ?

ConfigureDefender makes the Microsoft Defender real-time protection more aggressive and comprehensive by activating some advanced Defender features.

 

[ForgottenSeer 92963]

Although I have a Windows Pro, I prefer to use Hard_Configurator (and Configure Defender) over group policy settings.

@Andy Ful question: could you also add the update (interval) values to increase? Except for the "disable update while using battery", all other values could be cranked up automatically when people choose HIGH or MAX setting for Configure Defender.

I use Configure Defender and add below registry values manually (link to explanation: Signature Updates | Windows security encyclopedia)
_________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"ASSignatureDue"=dword:00000001
"AVSignatureDue"=dword:00000001
"DisableScheduledSignatureUpdateOnBattery"=dword:00000000
"DisableUpdateOnStartupWithoutEngine"=dword:00000000
"RealtimeSignatureDelivery"=dword:00000001
"ScheduleDay"=dword:00000000
"UpdateOnStartUp"=dword:00000001
"SignatureUpdateInterval"=dword:00000001