ConfigureDefender utility for Windows 10/11

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
How would the use of Defender Configure and Simple Windows Hardening influence Microsoft Defender's performance /protection against being bypassed as discussed in another MT thread? Thanks
Defender (on the updated machine) cannot be bypassed as discussed in that thread. The author of the video made a mistake by using PowerShell with admin rights. The bypass was patched by Microsoft a few months before the video was made. It was reported for example here:

There is no Defender Configure application.
If you mean by performance the impact on system resources, then Simple Windows Hardening does not lower performance. Most users do not feel the impact also when using ConfigureDefender. Some users reported some impact when applying the Highest Cloud Protection Level or Network Protection.
 
  • Like
Reactions: blackice

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
I don't as Microsoft themselves have disabled it now by default in Windows 11. As you may know already, it's used to be on by default in 11. Also, faced some bugs due to it.
I didn’t know actually, thanks for letting me know. 👍
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
I saw your question and I checked it on my laptop. I had nearly forgotten that I ever had activated it. Even on W. 11 it's still active. I never noticed any problem. :)
I’ll try it for some time to see if I face any issues. Good to see that it’s working well for you. :)
 
  • Like
Reactions: Jan Willy

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
Is anyone still running Microsoft Defender in a sandbox on Windows 11? I am not sure wether it makes sense nowadays.
I recently enabled it again after M$ disabled it in W11 and resource usage seems pretty good to me and no apparent issues here, though I don't know what kind of bugs changed their mind about its default status.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
I recently enabled it again after M$ disabled it in W11 and resource usage seems pretty good to me and no apparent issues here, though I don't know what kind of bugs changed their mind about its default status.
I know, I saw it in your status. That's why I wanted to try it again. I just thought that there weren't any new versions for the sandbox in quite some time, so I thought that it could be problematic on Windows 11 systems.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,868
If I'm reading this correctly, some ASR rules require at least High cloud block level. To see which ones read here Attack surface reduction rules reference

I happened to see this when configuring M$ Defender via GPO. Do something new and learn some things along the way. :cool:
This is a great find. As I said before, on my system, I notice some app launching slowdown (Most are portable apps stored in HDD) in High settings. But when I enabled some ASR rules while keeping cloud level to Default, it didn't make much difference in terms of speed. Now I understand why. So, some ASR rules don't work in the default cloud level.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
If I'm reading this correctly, some ASR rules require at least High cloud block level. To see which ones read here Attack surface reduction rules reference

I happened to see this when configuring M$ Defender via GPO. Do something new and learn some things along the way. :cool:
I think that the info from the Microsoft documentation is related to the EDR console. In the EDR console, some ASR rules can produce additional alerts when Cloud Protection Level is High (or higher). But, for most ASR rules there will not be any additional alert even if the Cloud Protection Level is High. Still, the ASR rules will block the content independently of the fact that the EDR console alert was triggered or not. The normal alert on the client machines will be always visible.

You can easily check it. Download the 7-ZIP installer:
Copy it to the flash drive and run. It will be blocked by the ASR rule for USB even when the Cloud Protection Level is set to Default.

Another simple test can be done for the Adobe ASR rule.
Run Adobe Reader and press CTRL-O to open the Adobe file explorer window. Change the default file filtering from "PDF files" to "All files (*.*)". Navigate to any EXE file on your hard disk and use the "Run as administrator" from right-click context menu. Normally this could run the EXE file as a child process of Adobe Reader. But, it will be blocked by the ASR rule.

Edit.
Works also for ASR script rule.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
This is a great find. As I said before, on my system, I notice some app launching slowdown (Most are portable apps stored in HDD) in High settings. But when I enabled some ASR rules while keeping cloud level to Default, it didn't make much difference in terms of speed. Now I understand why. So, some ASR rules don't work in the default cloud level.
This behavior can be explained by changing only Cloud Protection Level from Default to High.
But you can test if applying or not-applying ASR rules can have an additional impact, too.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
I think that the info from the Microsoft documentation is related to the EDR console. In the EDR console, some ASR rules can produce additional alerts when Cloud Protection Level is High (or higher). But, for most ASR rules there will not be any additional alert even if the Cloud Protection Level is High. Still, the ASR rules will block the content independently of the fact that the EDR console alert was triggered or not. The normal alert on the client machines will be always visible.
Indeed, I thought something like this was another explanation. I couldn't be sure they were talking about alerts and/or protection since M$ documentation is usually centered on enterprise products - leaving home users scratching their heads.

Historical note: Wasn't it @0pcode who used to complain about this? :LOL:
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Most features must be tested when using Windows Home and Pro. The Microsoft documents rarely mention Windows Pro, and info about the Home versions is almost absent. I spent 90% of my work time reading the security articles + testing and only 10% on coding.:confused:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Interesting.
I suspect that the HIGH settings could block some configuration processes. So, after finishing the configuration on default settings everything could work flawlessly also in HIGH settings.
Anyway, there are no blocked events in the log, so it is also possible that the issue was accidentally time-correlated, but the real source was not the ASR rules. I cannot say for sure what happened, but your way of solving the problem is recommendable. (y) :)
Today I had another issue with MS Outlook desktop app and Defender high settings. I sent myself a voice message by Gmail, using that feature in "Checker Plus for Gmail". In Outlook desktop, the voice file (.wav) was stripped from the incoming email message.

Nothing in the log about it.

I am starting to think that Outlook desktop doesn't like the advanced Defender settings very much.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Today I had another issue with MS Outlook desktop app and Defender high settings. I sent myself a voice message by Gmail, using that feature in "Checker Plus for Gmail". In Outlook desktop, the voice file (.wav) was stripped from the incoming email message.

Nothing in the log about it.

I am starting to think that Outlook desktop doesn't like the advanced Defender settings very much.
Did you try to send the voice message before? Were there any problems?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top