ConfigureDefender utility for Windows 10/11

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Kees1958 said:
Although I have a Windows Pro, I prefer to use Hard_Configurator (and Configure Defender) over group policy settings.

@Andy Ful question: could you also add the update (interval) values to increase? Except for the "disable update while using battery", all other values could be cranked up automatically when people choose HIGH or MAX setting for Configure Defender.

I use Configure Defender and add below registry values manually (link to explanation: Signature Updates | Windows security encyclopedia)
_________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"ASSignatureDue"=dword:00000001
"AVSignatureDue"=dword:00000001
"DisableScheduledSignatureUpdateOnBattery"=dword:00000000
"DisableUpdateOnStartupWithoutEngine"=dword:00000000
"RealtimeSignatureDelivery"=dword:00000001
"ScheduleDay"=dword:00000000
"UpdateOnStartUp"=dword:00000001
"SignatureUpdateInterval"=dword:00000001
Click to expand...
Hi, @Kees1958.
It is good to see you here back again.:)

For the reasons mentioned below, I skipped the settings related to local signatures. I am convinced (for now) that adding such settings would produce more trouble than gain (for most users).

Some AVs rely on local signatures and require frequent signature updates (like secondary AV scanners). When the computer is connected to the Internet, Microsoft Defender relies on signatures in the cloud and does not require frequent updates. The local scanning can be still useful for deleting some inactive malware leftovers.
Frequent signature updates can cause performance issues, especially on Windows startup, or when the user is running many tasks, or when gaming, etc.

The additional protection caused by frequent signature updates in Defender is close to 0, except when the Internet connection is broken or disabled.

So, the problem can occur when the computer is disconnected from the Internet. Some users can open unsafe files and run unsafe applications from flash drives (USB drives). It is worth mentioning that in such cases the Defender's signatures are relatively poor even with frequent updates. So, another protection layer is required (like for example H_C or manual scanning with another AV engine).

Anyway, I am opened to the discussion. Maybe I have missed something important.:)(y)
 
Last edited:
  • Like
  • +Reputation
Reactions: Nevi, SeriousHoax, oldschool and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Maybe it would be sensible to add the <Advanced settings> button to ConfigureDefender. There are probably more settings that can be important for some users in some situations.:unsure:
But this is something to consider for future versions.
docs.microsoft.com

Set-MpPreference (Defender)

Use this article to help manage Windows and Windows Server technologies with Windows PowerShell.
docs.microsoft.com
 
Last edited:
  • Like
Reactions: Nevi, harlan4096, oldschool and 2 others
F

ForgottenSeer 92963

Hi @Andy Ful thanks

It has been some time ago when I talked to a Microsoft Engineer (link), but I think you are overlooking the added value of the intelligence updates. Looking at the frequency of updates of Microsoft, they seem to update roughly every two hours. (source: https://https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.349.1271.0).

When people have set Configure Defender to HIGH or MAX, they also receive the intelligence updates from the threat response. As far as I understood, these are the fingerprints for the latest emerging threats. When you look at the category of the intelligence updates they are nearly always classified as severe.

The intelligence update feature were developed for the corporate environment as early threat response. The use case of receiving the intelligence updates for the latest (severe) threats was for mobile employees having on and off internet connection. This could also be beneficial for people meeting at public places meeting friends and exchanging data via USB.

So while I agree that the home laptop users is a different use case scenario than the mobile corporate worker, why would Microsoft bring threat response to home users, when there would not be any benefit? These 'trickle' updates are not used when AV's are tested for their offline malware protection (e.g. the malware protection test of AV-Comparatives). Microsoft Defender has the third worst offline detection (after Trend Micro and Panda), but as stated this is without the intelligence updates.


Regards Kees

From this commandlet I think the following should be considered:

SignatureDisableUpdateOnStartupWithoutEngine
SignatureScheduleDay
SignatureUpdateInterval
 
Last edited by a moderator:
  • Like
  • +Reputation
Reactions: Golden King, Nevi, Andy Ful and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Kees1958 said:
Hi @Andy Ful thanks

It has been some time ago when I talked to a Microsoft Engineer (link), but I think you are overlooking the added value of the intelligence updates. Looking at the frequency of updates of Microsoft, they seem to update roughly every two hours. (source: https://https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.349.1271.0).
Click to expand...

If I correctly recall the updates for home users are not as frequent as for Enterprises. Some time ago I noticed 3 or 4 updates a day (no more). Many computers in Enterprises are not connected to the Internet but can download updates from the local server. Frequent updates can have some value for them. But, such an environment is very different from the home environment or mobile user environment.

Kees1958 said:
The intelligence update feature were developed for the corporate environment as early threat response. The use case of receiving the intelligence updates for the latest (severe) threats was for mobile employees having on and off internet connection. This could also be beneficial for people meeting at public places meeting friends and exchanging data via USB.
Click to expand...

I am afraid that this is pretty much an illusion because the protection without an Internet connection is not very good even after the update. In such cases, one cannot rely on Defender alone.

docs.microsoft.com

Apply Microsoft Defender Antivirus updates after certain events

Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
docs.microsoft.com

Allow ad hoc changes to protection based on cloud-delivered protection
Microsoft Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.

If you have enabled cloud-delivered protection, Microsoft Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender AV to automatically receive that protection update. Other important protection updates can also be applied."
Click to expand...

The fast threat response updates are not available without an Internet connection.
Anyway, most ASR rules work as advanced HIPS and do not require frequent updates and Internet connection.
There are also exceptions:
These ASR rules require an Internet connection.

Kees1958 said:
So while I agree that the home laptop users is a different use case scenario than the mobile corporate worker, why would Microsoft bring threat response to home users, when there would not be any benefit? These 'trickle' updates are not used when AV's are tested for their offline malware protection (e.g. the malware protection test of AV-Comparatives).
Click to expand...

The AV testing labs always make an update just before testing Defender. So, the offline results can reflect the situation when the user has set Defender to update most frequently. Still the results are not great when offline.
If the malware samples were executed from the USB drive with ASR rules enabled then the results would be probably much better. But this would not follow from the frequent updates.

(y):coffee:
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: silversurfer, Zartarra, Nevi and 6 others
F

ForgottenSeer 92963

oldschool said:
ASR rules are HIPS-like and 'built-in'. When enabled don't require cloud (not cloud-dependent).
Click to expand...
True, that they provide "OS-aware" HIPS like (smart) protection, but I can imagine that for the ASR "Block executable files from running unless that meet the prevelence, age, trusted list criteria" it needs access to the cloud to determine the latest prevelence. PrevX was the first with this type of protection (seen by the community) and that feature was cloud based. Maybe @Andy Ful can give us the answer on which ASR protections need internet connection.
 
  • Like
Reactions: Moonhorse, Nevi, SeriousHoax and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
  • Like
  • Thanks
  • +Reputation
Reactions: Moonhorse, Nevi, SeriousHoax and 4 others
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
Andy Ful said:
Updated Hard_Configurator tools
updated: ConfigureDefender
not-updated: FirewallHardening, RunBySmartscreen, DocumentsAntiExploit

Click to expand...
Thanks @Andy Ful If my memory serves me well, the Palantir blog post has been updated since my earlier reading: it appears they have changed some recommendations based on a larger data set.
Microsoft Defender Attack Surface Reduction recommendations I appreciate the links on your GitHub ConfigureDefender page. (y) (y)
 
  • Like
Reactions: Szellem, Nevi, Andy Ful and 2 others
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Asking on behalf of Krusty

www.wilderssecurity.com

ConfigureDefender - for configuring Windows built-in Defender settings

Hi @ Wilders Recently installed Configure Defender on Windows 10 (Windows Defender fully operating) and I think I have set it on High setting by...
www.wilderssecurity.com www.wilderssecurity.com

Will a new version of Hard Configurator be available soon that includes the updated Configure Defender?
 
  • Like
Reactions: Szellem, Andy Ful, oldschool and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Azure said:
Asking on behalf of Krusty

www.wilderssecurity.com

ConfigureDefender - for configuring Windows built-in Defender settings

Hi @ Wilders Recently installed Configure Defender on Windows 10 (Windows Defender fully operating) and I think I have set it on High setting by...
www.wilderssecurity.com www.wilderssecurity.com

Will a new version of Hard Configurator be available soon that includes the updated Configure Defender?
Click to expand...

Yes, probably in one or two weeks.(y)

The ConfigureDefender in the H_C 6 beta 1 is fully functional on Windows 11. In the newest standalone version I added:
  • support for event Id=1120.
  • new CFA setting BDMO = Block Disk Modifications Only.
 
Last edited:
  • Like
  • +Reputation
Reactions: Szellem, oldschool, SeriousHoax and 1 other person
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Andy Ful said:
Yes, probably in one or two weeks.(y)

The ConfigureDefender in the H_C 6 beta 1 is fully functional on Windows 11. In the newest standalone version I added:
  • support for event Id=1120.
  • new CFA setting BDMO = Block Disk Modifications Only.
Click to expand...
Is it possible to update CD by downloading the latest version and replacing the one in H_C?

www.wilderssecurity.com

ConfigureDefender - for configuring Windows built-in Defender settings

Hi @ Wilders Recently installed Configure Defender on Windows 10 (Windows Defender fully operating) and I think I have set it on High setting by...
www.wilderssecurity.com www.wilderssecurity.com
 
  • Like
Reactions: Szellem, Gandalf_The_Grey and Andy Ful

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,067
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,410
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,218
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top