ConfigureDefender utility for Windows 10/11

[Mjolnir]

It doesn't update by itself. It's a portable app so nothing to install. @Andy Ful always announces the latest version and posts the download links here or you may go to GitHub - AndyFul/ConfigureDefender: Utility for configuring Windows 10 built-in Defender antivirus settings. to get the latest.

If you use CD by itself* you may want to consider his RunBySmartscreen, which is another useful tool.

*Note: ConfigureDefender is also included with Hard_Configurator Windows hardening application, which is a complete package as a separate option. His GitHub page has all of his tools.

So to clarify.. When new version is available simply download and run - no need to delete existing version?

 

[oldschool]

So to clarify.. When new version is available simply download and run - no need to delete existing version?

I delete the old version. Why not?

 

[Andy Ful]

So to clarify.. When new version is available simply download and run - no need to delete existing version?

No need, if you like to keep several versions of one portable application.

 

[Andy Ful]

I made a quick test:

1. Disable Defender's real-time protection.
2. Download/unpack Mimikatz.
3. Disable the Internet connection.
4. Copy Mimikatz.exe ---> DumpStack.log in the Mimikatz folder.
5. Enable Defender's real-time protection (Internet connection still disabled).
   Defender detects Mimikatz.exe but ignores DumpStack.log
6. Open Command Prompt and execute DumpStack.log by using the CmdLine:
   start c:\PathToMimikatz\DumpStack.log
   Defender detects DumpStack.log as HackTool:Win32/Mimikatz.D

It is worth mentioning that DumpStack.log is correctly detected also when forcing the manual scan via the option in the Explorer right-click menu.

 

[SeriousHoax]

Have you checked this one? What's your thought on this?
GitHub - 0xsp-SRD/mortar: evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
Not all products were tested but so far among the tested one's bypassed Kaspersky, ESET, Malewarebytes, Mcafee, Cortex XDR, Windows defender, Cylance, TrendMicro, Bitdefender, Norton Symantec.
Some were easier to bypass, eg: ESET, MD. Some were harder, eg: Kaspersky, Cortex XDR.
Also check the open and closed issues.

 

[Andy Ful]

Have you checked this one? What's your thought on this?
GitHub - 0xsp-SRD/mortar: evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
Not all products were tested but so far among the tested one's bypassed Kaspersky, ESET, Malewarebytes, Mcafee, Cortex XDR, Windows defender, Cylance, TrendMicro, Bitdefender, Norton Symantec.
Some were easier to bypass, eg: ESET, MD. Some were harder, eg: Kaspersky, Cortex XDR.
Also check the open and closed issues.

Interesting read.
Such new attack techniques (this one is not entirely new, but new enough) will be always hard to detect by AVs. The original loaders from GitHub had great chances to bypass most AVs (until the signatures will be available). After some time the AVs will try to detect also modified loaders by already known methods for polymorphic or metamorphic malware.
In the case of Defender, the EXE and DLL loader can be prevented by the ASR prevalence rule.

 

[Andy Ful]

After some thinking and experimenting, I found easily several other files that are not automatically scanned by Defender. It is easy to predict which files will be ignored by the Defender when opening a folder. After changing their file extension to EXE, Defender can immediately detect them just like in the case of renamed DumpStack.log.

Edit.
When the malicious file is downloaded via Edge (SmartScreen disabled) with the file name DumpStack.log, it is detected by Defender (download fails). If it is downloaded by Firefox (and not blocked by Firefox) then Defender allows the download. It seems that downloading the file via certutil LOLBin is similar to Firefox.
Furthermore, the files like DumpStack.log are scanned by Defender when copying or opening in the notepad.

 

[Andy Ful]

good to know, it seemed that mr.d0x was saying he launched DumpStack.log --> luanched mimi.exe without WD detection
thank you

If he did not make some mistake then his and my results would suggest something unpleasant for Defender. But, I must investigate this a little to be sure.

 

[Andy Ful]

Fortunately, my suspicion was not true. I suspected that running DumpStack.log from CmdLine could bypass Cloud delivered protection (no cloud backend) and mimi.exe was checked against cloud backend. But, on my computer, this is not true. I made a quick test:

1. Disable Defender real-time protection.
2. Compile the EXE file and rename it to DumpStack.log.
3. Enable Defender real-time protection.
4. Run Dumpstack.log from Command Prompt.

I chose the file that included some suspicious code to trigger the cloud backend. I did not run the original EXE file, but only the Dumpstack.log. Anyway, I could see the normal Defender alert (scanning against cloud backend):

 

[Andy Ful]

If he did not make some mistake then his and my results would suggest something unpleasant for Defender. But, I must investigate this a little to be sure.

I could not reproduce running the Dumpstack.log - it is always checked on execution like the EXE file. So the different results between my test and the original test made by mr.d0x , must probably follow from the fact that he made his test in the local network on the Windows Enterprise edition (different environment and different Windows settings).
Anyway, the first part of our tests is the same. There are some files that can be downloaded to disk (by Firefox or LOLBin) without Defender's scan. They are also not scanned when opening the folder. On the home computer, they are automatically scanned when copying, doing the manual scan, or on execution.

 

[Mjolnir]

Question...I'm currently running Con. Def. on MAX setting. When I open pdf's on the desktop MS Edge launches and the documents are opened with Edge browser...is this expected behavior?

 

[Andy Ful]

Question...I'm currently running Con. Def. on MAX setting. When I open pdf's on the desktop MS Edge launches and the documents are opened with Edge browser...is this expected behavior?

This behavior is related to default Windows settings and unrelated to ConfigureDefender. You can change the default PDF viewer via the Explorer context menu, for example:

How to ditch Microsoft Edge as default PDF reader on Windows 10

You can ditch Microsoft Edge and set another app as your default PDF reader, and in this guide, we'll show you how on Windows 10.

www.windowscentral.com

 

[Mjolnir]

Thank's Andy...I thought maybe it was part of an "open with smart screen policy"...My error.

 

[PD20]

I'm changing the topic a bit here but just saw the article over on Bleeping Computer about the vulnerability in Microsoft Defender where hackers are able to bypass detection. An issue known years ago. Would this be prevented by Configure Defender on High setting?

 

[SeriousHoax]

I'm changing the topic a bit here but just saw the article over on Bleeping Computer about the vulnerability in Microsoft Defender where hackers are able to bypass detection. An issue known years ago. Would this be prevented by Configure Defender on High setting?

Do you mean this one?

Microsoft Defender weakness lets hackers bypass malware detection

Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there.

www.bleepingcomputer.com

Then the answer is, No. Looks like this particular bypassing method will only work if you have put folders into exclusions. So if you haven't put any, then this shouldn't cause any issue.

 

[Andy Ful]

I'm changing the topic a bit here but just saw the article over on Bleeping Computer about the vulnerability in Microsoft Defender where hackers are able to bypass detection. An issue known years ago. Would this be prevented by Configure Defender on High setting?

As @SeriousHoax noted, the concern is related to the specific Defender's configurations in Enterprises and are not relevant for home computers. Additional vulnerabilities are also related to the possibility of changing some Defender settings with high privileges, for example.

Microsoft code-sign check bypassed to drop Zloader malware

A new Zloader campaign exploits Microsoft's e-signature code verification to steal user credentials from over two thousand victims in 111 countries.

www.bleepingcomputer.com

Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk - Check Point Research

Research by: Golan Cohen Introduction Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult...

research.checkpoint.com

Such attacks are performed in Enterprises via lateral movement (this can take weeks or months). First, the attacker tries to compromise the network and steal the Administrator credentials to get high privileged access to other computers. Next, something like Zloader is used to infect computers in the network and get persistence by changing Defender's settings (high privileges are used). Such attacks can be prevented in many cases by using ConfigureDefender HIGH settings. But, if the attacker is highly motivated and knows the applied protection, then that protection can be usually bypassed (no matter which AV is installed). See for example:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-970819

Performing similar attacks against home users is much harder (very rare) and not necessary, except for targeted attacks on diplomates, dissidents, or celebrities. The widespread attacks that would require high privileges will mostly fail against Defender, because Microsoft added the behavior-based modules that can detect known UAC bypasses. So actually, Defender has got probably the best "anti-UAC bypass" protection.

Of course, this cannot save people who intentionally install cracks, pirated software, etc. In such cases, the security alerts will be simply ignored, and the 0-day malware will be installed with high privileges.

 

[JiSingh12]

Hi guys, Hi Andy

Lets just say i wanted to use a 3rd party AV, how would i go about this?

So, currently I use Simple Windows Hardening with both options on, and basic recommended settings.
I also used ConfigureDefender set to HIGH, nothing changed by myself.

If i wanted to use something like Avast One, Kaspersky etc. blah blah, how would i go about this?
Can i just install them as default without worrying about anything or will there be problems?

Thank you
Ji

 

[Andy Ful]

Hi guys, Hi Andy

Lets just say i wanted to use a 3rd party AV, how would i go about this?

So, currently I use Simple Windows Hardening with both options on, and basic recommended settings.
I also used ConfigureDefender set to HIGH, nothing changed by myself.

If i wanted to use something like Avast One, Kaspersky etc. blah blah, how would i go about this?
Can i just install them as default without worrying about anything or will there be problems?

Thank you
Ji

SWH should work well with Avast, Kaspersky, and most AVs. If you will install another AV then ConfigureDefender settings will stop working (these settings are related only to Microsoft Defender).

 

[JiSingh12]

SWH should work well with Avast, Kaspersky, and most AVs. If you will install another AV then ConfigureDefender settings will stop working (these settings are related only to Microsoft Defender).

Ok, great, thank you.

One more quick question, when I open Powerpoint i get an action blocked by Attack Surface Reduction.
Also when opening word or a new word document, I get a pop up relating to macros or content that requires macro language support.

I am guessing both of these are down to SWH and ConfigureDefender?

Thank you

 

[Andy Ful]

Ok, great, thank you.

One more quick question, when I open Powerpoint i get an action blocked by Attack Surface Reduction.
Also when opening word or a new word document, I get a pop up relating to macros or content that requires macro language support.

I am guessing both of these are down to SWH and ConfigureDefender?

Thank you

Probably yes. But normally you should not see those alerts when opening PowerPoint or a new Word document. Such alerts suggest that you use in Word a custom template, 3rd party Add-in, or similar feature that needs VBA. I am not sure why Powerpoint triggers the ASR rule. There can be several reasons for such behavior. Can you post the GUID of this ASR rule? You can also look at ConfigureDefender Security Log for the name of this ASR rule.

Edit.
I assume that your computer is clean. In the worst scenario, such alerts can be also triggered when the computer is infected. But, then you should see other symptoms, so there is no need to worry.