Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
Any events in the ConfigureDefender Log?
ConfigureDefender utility for Windows 10/11
- Thread starter Andy Ful
- Start date
Any events in the ConfigureDefender Log?
- Apr 24, 2016
- 7,231
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
- Apr 24, 2016
- 7,231
Microsoft Outlook for Microsoft 365 MSO (Version 2202 Build 16.0.14931.20128) 64 bits.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
Did you try to disable (only) ASR rules? (Windows restart required)
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
No problem with MS Office 2019 and ConfigureDefender Interactive.
Cannot test it on MS Office 365.
Cannot test it on MS Office 365.
- Apr 24, 2016
- 7,231
Just tried Interactive, same problem.
Trying to explain the "problem" better
I have a problem when switching from mail to calendar and back that Outlook get unresponsive for a few seconds when using the high or interactive settings.
That does not happen on default.
I will try now with the ASR rules disabled and let you know the result.
EDIT: it also happens with these ASR rules disabled:
Now I have to work, later today i will try to experiment with the various settings to see if I can find the ones responsible.
Trying to explain the "problem" better
I have a problem when switching from mail to calendar and back that Outlook get unresponsive for a few seconds when using the high or interactive settings.
That does not happen on default.
I will try now with the ASR rules disabled and let you know the result.
EDIT: it also happens with these ASR rules disabled:
Now I have to work, later today i will try to experiment with the various settings to see if I can find the ones responsible.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
Just tried Interactive, same problem.
Trying to explain the "problem" better
I have a problem when switching from mail to calendar and back that Outlook get unresponsive for a few seconds when using the high or interactive settings.
View attachment 265189
That does not happen on default.
I will try now with the ASR rules disabled and let you know the result.
EDIT: it also happens with these ASR rules disabled:
View attachment 265190
Now I have to work, later today i will try to experiment with the various settings to see if I can find the ones responsible.
Try to lower the Cloud Protection Level.
- Apr 24, 2016
- 7,231
That didn't make a difference, the search continues...Try to lower the Cloud Protection Level.
EDIT: Could it be the Cloud Check Time Limit?
Setting it to 40s seems to have solved the issue.
Will keep monitoring my Outlook to see if the issue returns.
EDIT2: Spoke too soon, the issue is back.
Going to start with the default settings and slowly work towards the high settings to see if I can find the setting that causes this.
Last edited:
- Mar 29, 2018
- 7,595
Good idea, which is why I now prefer default + VS.
- Apr 24, 2016
- 7,231
Now the issue is also present on default or on a system without Microsoft Defender enabled.
So, it has nothing to do with ConfigureDefender.
Outlook is just too heavy to work fluently.
Hopefully MS will deliver the new One Outlook client soon...
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
If one uses MS Office, then it is good to use Defender's ASR rules and also block Add-ins file extensions. ASR rules do not prevent malicious Add-ins. The problem is that running Add-ins often does not spawn child processes (similarly to loading DLLs).
Access Add-ins
MDA, ACCDA, ACCDU
Excel Add-ins
XLA, XLAM, XLL
Outlook Add-ins
ECF
PowerPoint Add-ins
PA, PPA, PPAM
Word Add-ins
WLL, WWL
The attacks via Add-ins can be efficiently blocked (so far) by Defender's HIGH settings + SWH (H_C) on default settings. This happens because they use VBA (blocked by SWH / H_C on default settings) or LOLBins (blocked by ASR rules). But these attacks can be in theory more sophisticated, so it is better to block the Add-in extensions, especially with Defender on default settings. These extensions will be added to the default settings in the next versions of H_C and SWH.
Another solution is blocking all Add-ins in MS Office applications (this solution can cause problems).
The Add-ins mentioned by me, work mostly like DLLs. The DLLs can be run via RunDLL32, Regsrv32, and similar LOLBins, but this would require access to the CmdLine or some exploit. On the contrary, Add-ins can be run by Access, Excel, Outlook, PowerPoint, and Word, when the user simply clicks on the Add-in file.
Access Add-ins
MDA, ACCDA, ACCDU
Excel Add-ins
XLA, XLAM, XLL
Outlook Add-ins
ECF
PowerPoint Add-ins
PA, PPA, PPAM
Word Add-ins
WLL, WWL
The attacks via Add-ins can be efficiently blocked (so far) by Defender's HIGH settings + SWH (H_C) on default settings. This happens because they use VBA (blocked by SWH / H_C on default settings) or LOLBins (blocked by ASR rules). But these attacks can be in theory more sophisticated, so it is better to block the Add-in extensions, especially with Defender on default settings. These extensions will be added to the default settings in the next versions of H_C and SWH.
Another solution is blocking all Add-ins in MS Office applications (this solution can cause problems).
The Add-ins mentioned by me, work mostly like DLLs. The DLLs can be run via RunDLL32, Regsrv32, and similar LOLBins, but this would require access to the CmdLine or some exploit. On the contrary, Add-ins can be run by Access, Excel, Outlook, PowerPoint, and Word, when the user simply clicks on the Add-in file.
Last edited:
Can ConfigureDefender be used in Win 11 Pro? If yes, is it time that the title and post #1 be updated to reflect this?
One question
Just now when I clicked on Default in ConfigureDefender and Refresh it I saw my Automatic Sample Submission in Windows Security Center under Reputation-based protection disappeared. I also see that the Spynet entry in my registry disappeared. What have I done................?
So, if I want to uninstall ConfigureDefender how should I do it? Will all my previous settings (before running ConfigureDefender) in Windows be reverted?
I'm not seeing a Save//Restore Original Settings (or something similar) before I execute ConfigureDefender so that if anything happens I can just restore my original settings and start all over again.
Thanks
One question
Just now when I clicked on Default in ConfigureDefender and Refresh it I saw my Automatic Sample Submission in Windows Security Center under Reputation-based protection disappeared. I also see that the Spynet entry in my registry disappeared. What have I done................?
So, if I want to uninstall ConfigureDefender how should I do it? Will all my previous settings (before running ConfigureDefender) in Windows be reverted?
I'm not seeing a Save//Restore Original Settings (or something similar) before I execute ConfigureDefender so that if anything happens I can just restore my original settings and start all over again.
Thanks
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
Yes.
Automatic Sample Submission in Windows Security Center was never under Reputation-based protection. It is under Virus & threat protection settings.
What concrete registry key disappeared? The Spynet settings should be under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet
If you used Windows Policies instead of the native Defender settings then these policies were removed, because they would override the native Defender settings applied by ConfigureDefender. More info about it is included in the ConfigureDefender help or manual.
Press <Default> green button - this will restore the default native settings. ConfigureDefender does not remember any previous settings, except those applied via <DEFAULT>, <INTERACTIVE, and <MAX> buttons. So, your settings before using ConfigureDefender cannot be restored.
Yes, I'm using Group Policies for setting quite a number of things
Too bad now that some were gone
Too bad now that some were gone
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
If you use GPO (via gpedit.msc) then they were not gone, The GPO refresh feature will restore them after some hours. If you used reg tweaks then your tweaks were gone.
If you use GPO Defender settings via gpedit.msc then ConfigureDefender settings will be incompatible with them. This information and info on what to do are included in the ConfigureDefender help files. The GPO refresh feature will restore the policies after some hours so using the GPO Defender policies with ConfigureDefender makes no sense. You can still use GPO for other settings only the settings shared by GPO and ConfigureDefender can be a problem.
If I can advise you something, then it is good to read the help files or manual before using security software. Your current problem will be solved automatically, but when installing something else you can face serious problems.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,477
Recently, I tested Defender against ransomware simulator:
https://malwaretips.com/threads/ransomware-knowbe4-vs-10-avs.113267/post-984441
It seems that the setting "Cloud Protection Level" = Block, was very efficient against ransomware samples:
It seems that Microsoft worked hard on decreasing the rate of false positives. This can be seen in the tests of AV-Comparatives and AV-Test from the year 2021. The setting "Cloud Protection Level" = Block, looks well and should not increase much the very good (low) rate of false positives.
https://malwaretips.com/threads/ransomware-knowbe4-vs-10-avs.113267/post-984441
It seems that the setting "Cloud Protection Level" = Block, was very efficient against ransomware samples:
- Defender Default ---> 12 vulnerable, 2 false positives.
- Defender Default + Cloud Block Level = Highest ----> 5 vulnerable, 2 false positives.
- Defender Default + Cloud Block Level = Block ----> 0 vulnerable, 2 false positives.
- Downloaded a few tenth fresh application installers from Softpedia (all uploaded to Softpedia today).
- These installers were for any kind of applications, including niche/unpopular ones.
- Tried to install each of them.
- 40% were blocked by SmartScreen
- 30% were blocked by the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", and one installation by the ASR rule "Use advanced protection against ransomware".
- "Cloud Protection Level" = Block, did not block any installation.
It seems that Microsoft worked hard on decreasing the rate of false positives. This can be seen in the tests of AV-Comparatives and AV-Test from the year 2021. The setting "Cloud Protection Level" = Block, looks well and should not increase much the very good (low) rate of false positives.
- Jan 27, 2018
- 1,400
Hi Andy, weird glitch on W11. I downloaded the newest version from your link in the Firewall Hardening thread today. I deleted my older version of CD and moved new version to desktop, when I tried to open these 2 boxed popped up. Just to check I restored old version from Recycle Bin and same thing happened. This leads me to think that maybe its my computer although I've had no issues in the past.
- Aug 28, 2015
- 800
Install .NET 3.5 from Programs and Features from Control Panel. Then try again and you should be good to go.
- Jan 27, 2018
- 1,400
I was actually trying that and you are correct, it worked. Thanks.
Similar threads
-
- Sticky
