ConfigureDefender utility for Windows 10/11

[JiSingh12]

Probably yes. But normally you should not see those alerts when opening PowerPoint or a new Word document. Such alerts suggest that you use in Word a custom template, 3rd party Add-in, or similar feature that needs VBA. I am not sure why Powerpoint triggers the ASR rule. There can be several reasons for such behavior. Can you post the GUID of this ASR rule? You can also look at ConfigureDefender Security Log for the name of this ASR rule.

Edit.
I assume that your computer is clean. In the worst scenario, such alerts can be also triggered when the computer is infected. But, then you should see other symptoms, so there is no need to worry.

Got it.

Computer is clean according to HMP and Malwarebytes so yeah all good on that front.
Powerpoint pop-up was caused by a 3rd party add-in, Office Timeline - ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A. But I have uninstalled this program now.

The word problem is not in the ConfigureDefender or SWH logs.
So must be something else so no worries will figure it out!

Thanks Andy

 

[Andy Ful]

...
The word problem is not in the ConfigureDefender or SWH logs.
So must be something else so no worries will figure it out!

Thanks Andy

The alert about VBA is related to the SWH setting "Documents Anti-Exploit". It applies the well known Windows policy that disables all VBA code in MS Office. This setting blocks all macros in documents and templates. It can also block running ActiveX/COM DLLs, Add-ins, and OLE features that depend on VBA.

 

[Andy Ful]

Does everyone need advanced Defender settings?

The short answer for most people (home users) will be: NO.
This question is reasonable because the Defender default protection (with Edge SmartScreen) for home users is currently very similar to the protection of popular home AVs (on default settings).
Using the advanced Defender settings is similar to using advanced ATP settings in other AVs. Some people may like it and some probably do not need it.

Anyway, using advanced Defender settings at home can be seriously considered in some cases, for example:

1. The computer is used both in-home and work.
2. The ASR rules for MS Office can be recommendable when MS Office is installed.
3. Using other ASR rules is a good idea to protect happy clickers and children.
4. The Cloud Protection Level set to Highest is (also) a very good anti-ransomware protection.
5. The settings in the "Admin: Smartscreen" section in ConfigureDefender (for IE and legacy Edge) can be useful for people who still use the older versions of Windows 10.

 

[Moonhorse]

Im currently enjoying vivaldi browser instead of edge while using defender..is the smartscreen only thing im missing here? As you said before on some thread that bafs wont work on firefox, but will work on other chromium browsers like vivaldi as example

Im often using CIS with the vivaldi, brave, opera because theyre the browsers that wont support something like avast/ avg web filtering....but i dont think im going CIS now just because of vivaldi

 

[Andy Ful]

I was asked to make ConfigureDefender work also on Windows Server. After some tests, I decided to do it. The upcoming version of ConfigureDefender will work for Windows 10 build 1809 or Windows Server 2019, and higher versions.

 

[SeriousHoax]

Hello Andy! On my PC, some unsigned apps take longer to load when Configure Defender is set at High. It's not a new thing.
On default settings, things are much faster. Enabling PUP/Network Protection don't have any impact. It must be something else that has the most impact. I know the best thing for me would be to enable one advanced feature each day to figure it out. But wanted to ask you in case you have an answer for it already.

 

[oldschool]

@SeriousHoax your link to security config is for 2020.

 

[Andy Ful]

Hello Andy! On my PC, some unsigned apps take longer to load when Configure Defender is set at High. It's not a new thing.
On default settings, things are much faster. Enabling PUP/Network Protection don't have any impact. It must be something else that has the most impact. I know the best thing for me would be to enable one advanced feature each day to figure it out. But wanted to ask you in case you have an answer for it already.

Did you try to whitelist them in the ASR?

 

[SeriousHoax]

@SeriousHoax your link to security config is for 2020.

Too lazy to update

Did you try to whitelist them in the ASR?

I have not. Ok, I'll try this.

 

[Arequire]

Hello Andy! On my PC, some unsigned apps take longer to load when Configure Defender is set at High. It's not a new thing.
On default settings, things are much faster. Enabling PUP/Network Protection don't have any impact. It must be something else that has the most impact. I know the best thing for me would be to enable one advanced feature each day to figure it out. But wanted to ask you in case you have an answer for it already.

Could be the cloud protection level. Microsoft mentions that setting it to High Plus (labelled highest in CD) may affect system performance:

• Not configured: Default state.
• High: Applies a strong level of detection.
• High plus: Uses the High level and applies extra protection measures (might affect client performance).
• Zero tolerance: Blocks all unknown executables.

Haven't got any evidence to prove it's the cause; just spitballing. Try lowering the level to high and seeing if it makes any difference.

 

[Andy Ful]

There are a few features that are used when connecting the cloud backend:

1. Cloud Protection Level - triggers advanced analysis.
2. Cloud Check Time Limit.
3. ASR rule "Use advanced protection against ransomware".

Another ASR rule that can have an impact on some applications is "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"

 

[Mjolnir]

ASR rule "Use advanced protection against ransomware" - is this the same thing as enabling controlled folder access or is there more to it?

 

[oldschool]

or is there more to it

in addition to CFA and completely different.

This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:

• The file has already been found to be unharmful in the Microsoft cloud.
• The file is a valid signed file.
• The file is prevalent enough to not be considered as ransomware.

The rule tends to err on the side of caution to prevent ransomware.

Attack surface reduction rules reference - Microsoft Defender for Endpoint

Lists details about Microsoft Defender for Endpoint attack surface reduction rules on a per-rule basis.

docs.microsoft.com

Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint

Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.

docs.microsoft.com

 

[Andy Ful]

ASR rule "Use advanced protection against ransomware" - is this the same thing as enabling controlled folder access or is there more to it?

1. ASR rule examines the execution of concrete files against ransomware methods and can block/kill ransomware processes.
2. CFA can protect the concrete locations on disks (folders, disc sectors) against unauthorized processes. It does not detect/block/kill the ransomware processes, so other locations can be encrypted by ransomware.

 

[Mjolnir]

When I go to settings in Edge browser there is a gray banner on the top that says "browser is managed by your organization", this is on a Win 10 home system. Is this caused from using Configure Defender? - I see the banner after returning the settings back to default and using the administrator account.

 

[Gandalf_The_Grey]

When I go to settings in Edge browser there is a gray banner on the top that says "browser is managed by your organization", this is on a Win 10 home system. Is this caused from using Configure Defender? - I see the banner after returning the settings back to default and using the administrator account.

No, do you use a tool like O&O ShutUp 10++, or SpywareBlaster,?
Those tools can cause it.

 

[Mjolnir]

No, do you use a tool like O&O ShutUp 10++, or SpywareBlaster,?
Those tools can cause it.

Thank you so much Gandalf! - you are absolutely correct. I completely forgot about running O&O ShutUp.

 

[Gandalf_The_Grey]

Thank you so much Gandalf! - you are absolutely correct. I completely forgot about running O&O ShutUp.

I use it too and have all the Edge (old and new) settings on off.
For this and because you aways search when something is not working in Edge, what settings in O&O SU10 are responsible.
I now prefer to change the privacy settings in Edge itself.

 

[Andy Ful]

When I go to settings in Edge browser there is a gray banner on the top that says "browser is managed by your organization", this is on a Win 10 home system. Is this caused from using Configure Defender?

No.

 

[Gandalf_The_Grey]

When using Outlook and accessing my calendar Outlook gets unresponsive when fetching the weather forecast for my location with ConfigureDefender on High.
What (ASR rule?) could be causing this?
It's not happening with ConfigureDefender at Default.