ConfigureDefender utility for Windows 10/11

[Gandalf_The_Grey]

I'm getting some block with lsass.exe:

ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
     Detectietijd: 2018-06-09T08:16:56.944Z
     User: NT AUTHORITY\SYSTEM
     Pad: C:\Windows\System32\lsass.exe
     Procesnaam: C:\Windows\System32\taskhostw.exe

ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
     Detectietijd: 2018-06-09T08:06:45.138Z
     User: NT AUTHORITY\SYSTEM
     Pad: C:\Windows\System32\lsass.exe
     Procesnaam: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
     Detectietijd: 2018-06-09T08:06:10.917Z
     User: NITRO\xxxxx
     Pad: C:\Windows\System32\lsass.exe
     Procesnaam: C:\Program Files (x86)\DisplayCAL\DisplayCAL-apply-profiles.exe

What is the best way to solve this?
I'm on Defender high settings.

 

[Andy Ful]

I'm getting some block with lsass.exe:

ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
     Detectietijd: 2018-06-09T08:16:56.944Z
     User: NT AUTHORITY\SYSTEM
     Pad: C:\Windows\System32\lsass.exe
     Procesnaam: C:\Windows\System32\taskhostw.exe

ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
     Detectietijd: 2018-06-09T08:06:45.138Z
     User: NT AUTHORITY\SYSTEM
     Pad: C:\Windows\System32\lsass.exe
     Procesnaam: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
     Detectietijd: 2018-06-09T08:06:10.917Z
     User: NITRO\xxxxx
     Pad: C:\Windows\System32\lsass.exe
     Procesnaam: C:\Program Files (x86)\DisplayCAL\DisplayCAL-apply-profiles.exe

What is the best way to solve this?
I'm on Defender high settings.

You are using Defender High settings from version 1.0.1.0.
In version 1.0.1.1 Defender High settings include this mitigation set to Audit.
I can advise you setting this mitigation to Audit. It is strange why C:\Program Files (x86)\DisplayCAL\DisplayCAL-apply-profiles.exe does want something from lsass?

 

[shmu26]

For some reason, I am not getting the option to bypass smartscreen anymore. When I click on "more info" there is no button at the bottom to run anyways.
And when I try to disable smartscreen from Windows Defender center, it says that it is handled by administrator.
I am in an admin user account.
Any ideas?

 

[shmu26]

For some reason, I am not getting the option to bypass smartscreen anymore. When I click on "more info" there is no button at the bottom to run anyways.
And when I try to disable smartscreen from Windows Defender center, it says that it is handled by administrator.
I am in an admin user account.
Any ideas?

Okay, so I deleted the smartscreen registry key, and that fixed it. Now it is set to warn, not to block, so I can make exceptions. And I can also manage the smartscreen level as I wish.

 

[oldschool]

I have High Settings + CFA Enabled, 4 new Exploit Guard features Enabled, SS Explorer and Edge @ Warn, IE @ Blocked.
I am having no problems as far as I know. I'm also using System Hardener @ Default + Telemetry and OS Armor @ Default. I amazed my machine seems to be working fine - which is fortunate because if I did I'd have no option but to turn to all of you since I currently lack the expertise to deal with most of the issues that might arise. Maybe in part because we don't have many added apps to our machine? Maybe something I'm not seeing?

 

[Andy Ful]

Okay, so I deleted the smartscreen registry key, and that fixed it. Now it is set to warn, not to block, so I can make exceptions. And I can also manage the smartscreen level as I wish.

If you are using only ConfigureDefender to manage Defender, then in the ADMIN: SMARTSCREEN section there are three options: For Explorer, For Edge, and For Internet Explorer. Each option has 4 settings: Warn, Block, Disabled, User.
The User setting is Defender default setting (= no Admin restriction), and it allows the user to change SmartScreen levels via Defender Security Center (Warn, Block, Disabled). The difference between {Warn, Block, Disabled} and {Warn, Block, Disabled} is that {Warn, Block, Disabled} are Administrator settings which lock SmartScreen level via GPO, so the user can see that SmartScreen level is set to Warn, Block, or Disabled, but cannot change it.
You probably changed the ADMIN: SMARTSCREEN setting FOR EXPLORER from User to Block. The Block is set in ConfigureDefender via <Child Protection> to secure the inexperienced users. The User is set via <Defender default settings> or <Defender high settings>.
You deleted the GPO registry for SmartScreen, so now your actual ADMIN: SMARTSCREEN setting FOR EXPLORER should be seen in ConfigureDefender as User.

 

[shmu26]

I have High Settings + CFA Enabled, 4 new Exploit Guard features Enabled, SS Explorer and Edge @ Warn, IE @ Blocked.
I am having no problems as far as I know. I'm also using System Hardener @ Default + Telemetry and OS Armor @ Default. I amazed my machine seems to be working fine - which is fortunate because if I did I'd have no option but to turn to all of you since I currently lack the expertise to deal with most of the issues that might arise. Maybe in part because we don't have many added apps to our machine? Maybe something I'm not seeing?

If you haven't done so already, in Hard_Configurator you could click on Tools/View blocked events, and see if you missed anything notable.

 

[Gandalf_The_Grey]

You are using Defender High settings from version 1.0.1.0.
In version 1.0.1.1 Defender High settings include this mitigation set to Audit.
I can advise you setting this mitigation to Audit. It is strange why C:\Program Files (x86)\DisplayCAL\DisplayCAL-apply-profiles.exe does want something from lsass?

No, I have that setting on audit:

So probably no block, just a warning.

I just want to know if I have to do something with those warnings and what is the best way to do so.

DisplayCal applies a color profile system wide, maybe that's why it want something with lsass?

 

[shmu26]

I installed HC 4, and it showed Documents Anti-Exploit to be at "Partial". I am guessing that this is because of the ASR settings that I had previously enabled in ConfigureDefender.
I fully enabled Documents Anti-Exploit, and then I had trouble opening MS Word, even without a specific document. It said that the doc I wanted to open has a macro that violates my macro settings. This was triggered by one of my Word add-ons.
Is there a way to make an exception for this? I tried putting the add-on in Windows Defender "Exclusions" but that didn't help.

 

[oldschool]

If you haven't done so already, in Hard_Configurator you could click on Tools/View blocked events, and see if you missed anything notable.

Thanks, but I don't have H_C. I use NVT System Hardener. I did import the new (appropriate) filters for EG into Event Viewer and only items I see are changes I made to system settings, a couple of items that would have been blocked, and a couple of error messages that appear of no consequence.

 

[shmu26]

Thanks, but I don't have H_C. I use NVT System Hardener. I did import the new (appropriate) filters for EG into Event Viewer and only items I see are changes I made to system settings, a couple of items that would have been blocked, and a couple of error messages that appear of no consequence.

So it sounds like you are all set.
In my experience, you will know when something is being blocked. Either you will see an error message, or you will not succeed in the action you are attempting.

The big exception is certain powershell scripts that Windows runs automatically, from time to time, for maintenance purposes. Some of them are not important.
OSA has rules to allow these scripts. But it is quite possible that Microsoft will cook up new PS scripts from time to time, which OSA has not yet whitelisted. But you can check the OSA logs every once in a while, if you want to worry about this, and see what is being blocked. Usually, Windows will try again, after every reboot, to run a script that failed, so you don't have to dig back into ancient history, just look at the logs from the last day or two.

 

[oldschool]

So it sounds like you are all set.
In my experience, you will know when something is being blocked. Either you will see an error message, or you will not succeed in the action you are attempting.

The big exception is certain powershell scripts that Windows runs automatically, from time to time, for maintenance purposes. Some of them are not important.
OSA has rules to allow these scripts. But it is quite possible that Microsoft will cook up new PS scripts from time to time, which OSA has not yet whitelisted. But you can check the OSA logs every once in a while, if you want to worry about this, and see what is being blocked. Usually, Windows will try again, after every reboot, to run a script that failed, so you don't have to dig back into ancient history, just look at the logs from the last day or two.

Thanks. I will keep that it mind as I continue to use this setup, which I do not foresee changing anytime soon as I'm quite comfortable with it. This is why I love MT!

 

[Andy Ful]

No, I have that setting on audit:
View attachment 190324
So probably no block, just a warning.

I just want to know if I have to do something with those warnings and what is the best way to do so.

DisplayCal applies a color profile system wide, maybe that's why it want something with lsass?

Normally, Audit means no alert from lsass mitigation and no blocking, but only warning entries in the Windows Event Log. So, you can see what would be blocked after enabling this mitigation. Did you see any blocking alert from lsass mitigation?
Also, if you do not plan to enable lsass mitigation, then simply set it to Disabled.

 

[Andy Ful]

I installed HC 4, and it showed Documents Anti-Exploit to be at "Partial". I am guessing that this is because of the ASR settings that I had previously enabled in ConfigureDefender.
I fully enabled Documents Anti-Exploit, and then I had trouble opening MS Word, even without a specific document. It said that the doc I wanted to open has a macro that violates my macro settings. This was triggered by one of my Word add-ons.
Is there a way to make an exception for this? I tried putting the add-on in Windows Defender "Exclusions" but that didn't help.

It seems that you have a special Microsoft Word config that uses macros when opening Word (probably in normal.dot).
Please, try to delete the registry value VBAOFF under the below registry keys:
HKLM\Software\Policies\Microsoft\Office\16.0\Common
HKLM\Software\Policies\Microsoft\Office\15.0\Common
HKLM\Software\Policies\Microsoft\Office\14.0\Common
HKLM\Software\Policies\Microsoft\Office\12.0\Common
HKLM\Software\Policies\Microsoft\Office\11.0\Common
HKLM\Software\Policies\Microsoft\Office\10.0\Common
This will unblock macros (and VBA), so you can block them via Microsoft Word menu. Maybe I should reserve another option for blocking VBA?

 

[shmu26]

It seems that you have a special Microsoft Word config that uses macros when opening Word (probably in normal.dot).
Please, try to delete the registry value VBAOFF under the below registry keys:
HKLM\Software\Policies\Microsoft\Office\16.0\Common
HKLM\Software\Policies\Microsoft\Office\15.0\Common
HKLM\Software\Policies\Microsoft\Office\14.0\Common
HKLM\Software\Policies\Microsoft\Office\12.0\Common
HKLM\Software\Policies\Microsoft\Office\11.0\Common
HKLM\Software\Policies\Microsoft\Office\10.0\Common
This will unblock macros (and VBA), so you can block them via Microsoft Word menu. Maybe I should reserve another option for blocking VBA?

I don't find those registry entries at all

 

[Gandalf_The_Grey]

Normally, Audit means no alert from lsass mitigation and no blocking, but only warning entries in the Windows Event Log. So, you can see what would be blocked after enabling this mitigation. Did you see any blocking alert from lsass mitigation?
Also, if you do not plan to enable lsass mitigation, then simply set it to Disabled.

No blocking alerts, so I will set it to disabled. Thanks

 

[Andy Ful]

I don't find those registry entries at all
View attachment 190335

What is your actual <Documents Anti-Exploit> setting? You probably set it to OFF. My previous post was about <Documents Anti-Exploit> = ON, and then you should delete those registry keys to unblock macros (VBA) and keep other vulnerable items (DDE, OLE, ActiveX) blocked.
Anyway, I think that if you unblock VBA, then on Windows 10 with ASR mitigations, the <Documents Anti-Exploit> = ON does not give you additional security.
The setting <Documents Anti-Exploit> = ON is rather for people on Windows 8.1 and prior versions. Defender ASR mitigations are actually very strong on Windows 10 ver. 1803.

 

[shmu26]

What is your actual <Documents Anti-Exploit> setting? You probably set it to OFF. My previous post was about <Documents Anti-Exploit> = ON, and then you should delete those registry keys to unblock macros (VBA) and keep other vulnerable items (DDE, OLE, ActiveX) blocked.
Anyway, I think that if you unblock VBA, then on Windows 10 with ASR mitigations, the <Documents Anti-Exploit> = ON does not give you additional security.
The setting <Documents Anti-Exploit> = ON is rather for people on Windows 8.1 and prior versions. Defender ASR mitigations are actually very strong on Windows 10 ver. 1803.

My <Documents Anti-Exploit> setting says "Partial". I did not set it that way, it decided on its own. Before I installed Hard-Configurator 4, I already had many of the ASR mitigations enabled.
So I will just leave things the way they are, since I am on Win 10 1803.

 

[Andy Ful]

My <Documents Anti-Exploit> setting says "Partial". I did not set it that way, it decided on its own. Before I installed Hard-Configurator 4, I already had many of the ASR mitigations enabled.
So I will just leave things the way they are, since I am on Win 10 1803.

OK. The setting 'Partial' is visible only if the user activated/deactivated some MS Office or Acrobat Reader non-default security settings when not using <Documents Anti-Exploit>. Hard_Configurator does not change those user settings, until the user will choose to set the <Documents Anti-Exploit> option to ON / OFF .
It seems that <Documents Anti-Exploit> is not activated in your setup.
If you still have problems with opening MS Office, then they are related to something else.

 

[shmu26]

OK. The setting 'Partial' is visible only if the user activated/deactivated some MS Office or Acrobat Reader non-default security settings when not using <Documents Anti-Exploit>. Hard_Configurator does not change those user settings, until the user will choose to set the <Documents Anti-Exploit> option to ON / OFF .
It seems that <Documents Anti-Exploit> is not activated in your setup.
If you still have problems with opening MS Office, then they are related to something else.

Thanks.
I have no problems with the Partial setting. I only had problems when I set the <Documents Anti-Exploit> option to ON, and I did a system restore to get things back to the way they were.