ConfigureDefender utility for Windows 10/11

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
How would the use of Defender Configure and Simple Windows Hardening influence Microsoft Defender's performance/protection against being bypassed as discussed in another MT thread? Thanks
Defender (on the updated machine) cannot be bypassed as discussed in that thread. The author of the video made a mistake by using PowerShell with admin rights. The bypass was patched by Microsoft a few months before the video was made. It was reported for example here:

There is no Defender Configure application.
If you mean by performance the impact on system resources, then Simple Windows Hardening does not lower performance. Most users also do not feel the impact when using ConfigureDefender. Some users reported some impact when applying the Highest Cloud Protection Level or Network Protection.

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
I don't, as Microsoft themselves have disabled it now by default in Windows 11. As you may know already, it used to be on by default in 11. Also, I faced some bugs due to it.
I didn’t know actually, thanks for letting me know. 👍

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
I saw your question and I checked it on my laptop. I had nearly forgotten that I ever had activated it. Even on W. 11 it's still active. I never noticed any problem. :)
I’ll try it for some time to see if I face any issues. Good to see that it’s working well for you. :)

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
Is anyone still running Microsoft Defender in a sandbox on Windows 11? I am not sure whether it makes sense nowadays.
I recently enabled it again after M$ disabled it in W11 and resource usage seems pretty good to me and no apparent issues here, though I don't know what kind of bugs changed their mind about its default status.

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
I recently enabled it again after M$ disabled it in W11 and resource usage seems pretty good to me and no apparent issues here, though I don't know what kind of bugs changed their mind about its default status.
I know, I saw it in your status. That's why I wanted to try it again. I just thought that there weren't any new versions for the sandbox in quite some time, so I thought that it could be problematic on Windows 11 systems.

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,863
If I'm reading this correctly, some ASR rules require at least the High cloud block level. To see which ones, read here: Attack surface reduction rules reference

I happened to see this when configuring M$ Defender via GPO. Do something new and learn some things along the way. :cool:
This is a great find. As I said before, on my system, I notice some app launching slowdown (most are portable apps stored on an HDD) in High settings. But when I enabled some ASR rules while keeping the cloud level at Default, it didn't make much difference in terms of speed. Now I understand why. So, some ASR rules don't work at the default cloud level.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
If I'm reading this correctly, some ASR rules require at least the High cloud block level. To see which ones, read here: Attack surface reduction rules reference

I happened to see this when configuring M$ Defender via GPO. Do something new and learn some things along the way. :cool:
I think that the info from the Microsoft documentation is related to the EDR console. In the EDR console, some ASR rules can produce additional alerts when the Cloud Protection Level is High (or higher). But, for most ASR rules there will not be any additional alert even if the Cloud Protection Level is High. Still, the ASR rules will block the content independently of whether the EDR console alert was triggered or not. The normal alert on the client machines will always be visible.

You can easily check it. Download the 7-ZIP installer:
Copy it to a flash drive and run it. It will be blocked by the ASR rule for USB even when the Cloud Protection Level is set to Default.

Another simple test can be done for the Adobe ASR rule.
Run Adobe Reader and press CTRL-O to open the Adobe file explorer window. Change the default file filtering from "PDF files" to "All files (*.*)". Navigate to any EXE file on your hard disk and use "Run as administrator" from the right-click context menu. Normally this could run the EXE file as a child process of Adobe Reader. But it will be blocked by the ASR rule.

Edit: It works also for the ASR script rule.
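The tests above can be verified on the client side without an EDR console. The script below is an added example (not from the thread or from ConfigureDefender); it reads the Cloud Protection Level, shows the configured mode of the three ASR rules used in the tests, and lists the local ASR block/audit events that Defender logs at any cloud level. It assumes Windows 10/11 with Microsoft Defender as the active antivirus and an elevated PowerShell session; the rule GUIDs are the ones from Microsoft's "Attack surface reduction rules reference".

```powershell
# Added example, not from the thread or ConfigureDefender. Assumes Windows 10/11 with
# Microsoft Defender as the active antivirus and an elevated PowerShell session.

# Rule GUIDs from Microsoft's "Attack surface reduction rules reference".
$AsrRules = @{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
# CloudBlockLevel values behind ConfigureDefender's Default / High / High+ / Zero tolerance.
$CloudLevels = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'High+'; 6 = 'Zero tolerance' }

$pref  = Get-MpPreference
$level = [int]$pref.CloudBlockLevel
"Cloud Protection Level: $level ($($CloudLevels[$level]))"

# Ids and Actions are parallel arrays; pair them by index (both empty when no rule is set).
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }

foreach ($id in $AsrRules.Keys) {
    $mode = if ($configured.ContainsKey($id)) { $ActionNames[$configured[$id]] } else { 'Not configured' }
    '{0,-60} {1}' -f $AsrRules[$id], $mode
}

# ASR decisions are logged locally: Event ID 1121 = blocked, 1122 = audit only.
# A 7-Zip-from-USB or Adobe Reader test that was blocked shows up here at any
# Cloud Protection Level; no 1121/1122 event means no ASR rule fired.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The rule GUID is embedded in the event message; map it back to a rule name.
    $guid = [regex]::Match($e.Message, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}', 'IgnoreCase').Value.ToLower()
    $name = if ($AsrRules.ContainsKey($guid)) { $AsrRules[$guid] } else { $guid }
    $what = if ($e.Id -eq 1121) { 'BLOCKED' } else { 'AUDITED' }
    "$($e.TimeCreated)  $what  $name"
}
```

Run it once before and once after one of the tests above: the ASR mode line shows whether the rule is in Block mode at all, and a new 1121 event after the test confirms the block happened regardless of the cloud level.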

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
This is a great find. As I said before, on my system, I notice some app launching slowdown (most are portable apps stored on an HDD) in High settings. But when I enabled some ASR rules while keeping the cloud level at Default, it didn't make much difference in terms of speed. Now I understand why. So, some ASR rules don't work at the default cloud level.
This behavior can be explained by changing only Cloud Protection Level from Default to High.
But you can test if applying or not-applying ASR rules can have an additional impact, too.

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
I think that the info from the Microsoft documentation is related to the EDR console. In the EDR console, some ASR rules can produce additional alerts when the Cloud Protection Level is High (or higher). But, for most ASR rules there will not be any additional alert even if the Cloud Protection Level is High. Still, the ASR rules will block the content independently of whether the EDR console alert was triggered or not. The normal alert on the client machines will always be visible.
Indeed, I thought something like this was another explanation. I couldn't be sure they were talking about alerts and/or protection since M$ documentation is usually centered on enterprise products - leaving home users scratching their heads.

Historical note: Wasn't it @0pcode who used to complain about this? :LOL:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Most features must be tested when using Windows Home and Pro. The Microsoft documents rarely mention Windows Pro, and info about the Home versions is almost absent. I spent 90% of my work time reading the security articles + testing and only 10% on coding. :confused:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Interesting.
I suspect that the HIGH settings could block some configuration processes. So, after finishing the configuration on default settings everything could work flawlessly also in HIGH settings.
Anyway, there are no blocked events in the log, so it is also possible that the issue was accidentally time-correlated, but the real source was not the ASR rules. I cannot say for sure what happened, but your way of solving the problem is recommendable. (y) :)
Today I had another issue with MS Outlook desktop app and Defender high settings. I sent myself a voice message by Gmail, using that feature in "Checker Plus for Gmail". In Outlook desktop, the voice file (.wav) was stripped from the incoming email message.

Nothing in the log about it.

I am starting to think that Outlook desktop doesn't like the advanced Defender settings very much.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
Today I had another issue with MS Outlook desktop app and Defender high settings. I sent myself a voice message by Gmail, using that feature in "Checker Plus for Gmail". In Outlook desktop, the voice file (.wav) was stripped from the incoming email message.

Nothing in the log about it.

I am starting to think that Outlook desktop doesn't like the advanced Defender settings very much.
Did you try to send the voice message before? Were there any problems?
