ConfigureDefender utility for Windows 10/11

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
  • Like
  • +Reputation
  • Thanks
Reactions: Kongo, Mercenary, Moonhorse and 6 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Andy Ful said:
Configuredefender ver. 3.1.1.1
Click to expand...
In the app, the version number still shows: 3.0.1.1
cd.png
 
  • Like
Reactions: plat, Mercenary, blackice and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
SeriousHoax said:
In the app, the version number still shows: 3.0.1.1
View attachment 267970
Click to expand...
Yes. I used the executables from ver. 3.0.1.1 and added the new certificate to them.
So, the code in versions 3.1.1.1 and 3.0.1.1 is identical, only file hashes are different.
The ConfigureDefender version is hardcoded in the executables, so it is still visible as 3.0.1.1.
 
  • Like
Reactions: plat, Kongo, Mercenary and 3 others
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
Andy Ful said:
Yes. I used the executables from ver. 3.0.1.1 and added the new certificate to them.
So, the code in versions 3.1.1.1 and 3.0.1.1 is identical, only file hashes are different.
The ConfigureDefender version is hardcoded in the executables, so it is still visible as 3.0.1.1.
Click to expand...
New version is detected by Sophos as ML PUA. What's causing this if you only added a new certificate?

Screenshot 2022-07-12 233726.jpg
 
  • Like
  • Wow
Reactions: plat, Zartarra, harlan4096 and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
SecureKongo said:
New version is detected by Sophos as ML PUA. What's causing this if you only added a new certificate?

View attachment 267973
Click to expand...
Sophos probably detects by ML all new ConfigureDefender versions as PUA, until it removes the false positive detection. The new ConfigureDefender files are also new to Sophos (different file hashes).
I submit my executables for whitelisting only to Microsoft, Avast, Bitdefender, and Norton.
 
Last edited:
  • Like
Reactions: plat, Kongo, harlan4096 and 3 others
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
Andy Ful said:
Sophos probably detects by ML all new ConfigureDefender versions as PUA, until it removes the false positive detection. The new ConfigureDefender files are also new to Sophos (different file hashes).
I submit my executables for whitelisting only to Microsoft, Avast, Bitdefender, and Norton.
Click to expand...
Submitted it as a FP but it will probably take a while as Sophos is quite slow at whitelisting
 
  • Like
Reactions: Mercenary, Andy Ful, Gandalf_The_Grey and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
How NOT to make tests with ConfigureDefender.



The author did not read the ConfigureDefender help:

How to apply the settings.
Select a Protection Level or custom configuration, press the "Refresh" green button and let ConfigureDefender confirm the changes. ConfigureDefender will alert if any of your changes have been blocked. Reboot to apply chosen protection.
Click to expand...

Without rebooting, most of the MAX settings were not applied which is also visible in this video. :)
 
Last edited:
  • Like
  • Sad
  • Wow
Reactions: plat, EascapenMatrix, Mercenary and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
oldschool said:
It is crashing due to a longtime bug in Defender. Try clearing protection history.
Click to expand...
It is not easy because of Tamper Protection. The events related to ASR rules and CFA require a complex treatment. There are some ways to do it, we talk about this on this thread here:
malwaretips.com

ConfigureDefender utility for Windows 10/11

protection history intented to keep history by purpose It should give an option to delete those on purpose too. That's what almost all other security products do. The protection history is also known to crash randomly or when there's a lot of entry. no try yourself let others do your work for...
malwaretips.com malwaretips.com
 
  • Like
Reactions: Mercenary, SeriousHoax and oldschool
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
Andy Ful said:
It is not easy because of Tamper Protection. The events related to ASR rules and CFA require a complex treatment. There are some ways to do it, we talk about this on this thread here:
malwaretips.com

ConfigureDefender utility for Windows 10/11

protection history intented to keep history by purpose It should give an option to delete those on purpose too. That's what almost all other security products do. The protection history is also known to crash randomly or when there's a lot of entry. no try yourself let others do your work for...
malwaretips.com malwaretips.com
Click to expand...
Yes, I'm aware of that thread.

@Emanuel Tomasin One way around this is to reduce length of time to keep Protection History before auto-clearing either in GPO or via powershell.
 
  • Like
  • Thanks
Reactions: Mercenary, SeriousHoax, eonline and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
oldschool said:
Yes, I'm aware of that thread.

@Emanuel Tomasin One way around this is to reduce length of time to keep Protection History before auto-clearing either in GPO or via powershell.
Click to expand...
The last time when I tested this setting it could not clear the advanced blocks. Reducing the time of keeping Protection History could clear the same entries as deleting manually the folder:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory
This can be done easily via PowerShell with Administrator privileges:
Code: 
del "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory"

I posted to Microsoft about this issue, but I did not test if it was solved.
 
  • Like
  • Thanks
Reactions: SeriousHoax, oldschool and eonline
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Interesting changelog in the release preview channel build of Windows 11.
  • New! We enhanced Microsoft Defender for Endpoint’s ability to identify and intercept ransomware and advanced attacks.
Click to expand...
I'm guessing this improvement is even coming to the stock Microsoft Defender. Maybe it has some similarity to the advanced ransomware ASR rule.
 
  • Like
Reactions: Andy Ful, oldschool and eonline
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Andy Ful said:
How NOT to make tests with ConfigureDefender.



The author did not read the ConfigureDefender help:



Without rebooting, most of the MAX settings were not applied which is also visible in this video. :)
Click to expand...

They released a new video comparison
 
Last edited:
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
SeriousHoax said:
Interesting changelog in the release preview channel build of Windows 11.

I'm guessing this improvement is even coming to the stock Microsoft Defender. Maybe it has some similarity to the advanced ransomware ASR rule.
Click to expand...
Maybe they're implementing that ASR rule knowing it is stable and suitable for the average user, i.e. it won't throw FPs.
 
  • Like
Reactions: Mercenary and Andy Ful

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,063
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,410
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,215
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top