ConfigureDefender utility for Windows 10/11

[simmerskool]

Anyway, running ConfigureDefender is not necessary when BitDefender is an active AV.

@Andy Ful where BD is av or any 3d party av, can ConfigureDefender enable / disable periodic scans by Defender?

 

[oldschool]

@Andy Ful where BD is av or any 3d party av, can ConfigureDefender enable / disable periodic scans by Defender?

No.

 

[Andy Ful]

@Andy Ful where BD is av or any 3d party av, can ConfigureDefender enable / disable periodic scans by Defender?

It cannot even if Defender is the main AV - there is no such option in ConfigureDefender.

 

[simmerskool]

It cannot even if Defender is the main AV - there is no such option in ConfigureDefender.

I understand it is not in DefenderUI either. I only ask because after I installed ESET it had automatically disabled Defender periodic scanning (other 3d-party av do too), and for reasons I do not clearly recall, I manually enabled Defender periodic scanning. Then realized I did not really need or want those Defender periodic scans with ESET, but discovered that MS had moved & somewhat hid the disable switch, took me unnecessary time to find it and turn OFF Defender periodic scanning.

 

[tisko4]

i have defender+configure defender (high) , if i enable ransomware protection and firewall incoming connections will affect the settings of configuredefender? just a consern , thanks

 

[Andy Ful]

i have defender+configure defender (high) , if i enable ransomware protection and firewall incoming connections will affect the settings of configuredefender? just a consern , thanks

View attachment 272374View attachment 272375

Firewall settings and Microsoft Defender settings are different, so changing one does not change another.
If you change the Ransomware Protection from Security Center, then this setting will also change in ConfigureDefender, and vice versa.

 

[tisko4]

Firewall settings and Microsoft Defender settings are different, so changing one does not change another.
If you change the Ransomware Protection from Security Center, then this setting will also change in ConfigureDefender, and vice versa.

can i ask, do you suggest configure defender (high) + ransomware protection (enable) + firewall setting (enable ) for better protection ? worth ? thanks

 

[Andy Ful]

can i ask, do you suggest configure defender (high) + ransomware protection (enable) + firewall setting (enable ) for better protection ? worth ? thanks

It will increase the protection level. Is it worth the effort? This will highly depend on your activities and habits.
The only way is to try the setup in practice.

 

[tisko4]

It will increase the protection level. Is it worth the effort? This will highly depend on your activities and habits.
The only way is to try the setup in practice.

thank you sir , i appreciate your good work , keep going

 

[piquiteco]

It will increase the protection level. Is it worth the effort? This will highly depend on your activities and habits.

Andy just enjoying, just a question, does the core isolation enabled bring any benefit to a home user? Because mine was activated, now it is deactivated, it might be incompatibility with some driver. Thanks!

 

[Andy Ful]

Andy just enjoying, just a question, does the core isolation enabled bring any benefit to a home user? Because mine was activated, now it is deactivated, it might be incompatibility with some driver. Thanks!

Yes, it increases security against low-level attacks (especially via vulnerable drivers). Such attacks are usually performed when the environment is already compromised on the administrative level by another malware or when the attacker has got physical access to the machine.
Unfortunately, Core Isolation can break some legal drivers used on home users' computers, so the benefit is limited.
It is especially beneficial in the business environment, which is far more vulnerable to low-level attacks.

 

[Andy Ful]

KnowBe4 Simulator Ransomware test

Part 1: all attack scenarios detected/blocked.
ConfigureDefender set to HIGH + ASR prevalence rule (Block executable files from running unless they meet a prevalence, age, or trusted list criteria)

Part 2: 7 attack scenarios bypassed Defender.
ConfigureDefender set to HIGH (without enabled ASR prevalence rule):

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

KnowBe4 Simulator uses loaders (*.cxp files) executed via WMI, that can load payloads (*.dlm, *.exe, *.bin, ...).
All files are created by the simulator and are different in each test.
The ASR prevalence rule can block such attacks. Many of them are also detected by Defender at the pre-execution level (behavior-based detections: Trojan:Win32/Wacatac.B!ml, Program:Win32/Wacapew.C!ml).
This is not a real-world test and cannot be used to show the true capabilities of AV. I used it to show the effectiveness of the ASR prevalence rule. Of course, all samples could be also blocked by enabling the ASR rule related to WMI commands. Other ASR rules did not block anything due to the special form of KnowBe4 tests.

Edit.
A similar test for other AVs was done on MT:
https://malwaretips.com/threads/ransomware-simulator-vs-10-avs.113267/#post-984441
Generally, most AVs scored poorly (with some exceptions). But, this can follow from a special testing procedure (uncommon in the wild).

 

[Tiamati]

@Andy Ful i'm not sure if here is the correct thread to discuss this, but i'd like your opinion about the argument I've read that using Windows Defender would be superior to other AV solutions as "noone knows Windows better than Microsoft".

In other words, the idea is based on the argument that using other AV private solutions would only add more vulnerabilities to your system as it needs to have privilege rights to work properly. And most companies would not integrate their solutions so well as Microsoft can.

If you think i should open a new thread to that, just let me know. Thank you.

 

[ForgottenSeer 97327]

In theory this claim is true, in practise it is not, because

Windows OS has so many lines of code that different developers are working on different programs and modules.

For efficiency reasons one developer does not contact another developer working on other programs. In stead those developers use the official documentation.

in theory internal documentation is more detailed than official documentation, but Microsoft also has strong policies on compatibility and false positives, which probably prohibits using all capabilities in default mode.

 

[Andy Ful]

@Andy Ful i'm not sure if here is the correct thread to discuss this, but i'd like your opinion about the argument I've read that using Windows Defender would be superior to other AV solutions as "noone knows Windows better than Microsoft".

In other words, the idea is based on the argument that using other AV private solutions would only add more vulnerabilities to your system as it needs to have privilege rights to work properly. And most companies would not integrate their solutions so well as Microsoft can.

If you think i should open a new thread to that, just let me know. Thank you.

The problem of 3rd party AV vulnerabilities is interesting, but not for home users. Nowadays, it has become even less important because Defender is the most popular AV at home (and most targeted).
You are right, such a discussion would require a separate thread.

 

[ForgottenSeer 98186]

@Andy Ful i'm not sure if here is the correct thread to discuss this, but i'd like your opinion about the argument I've read that using Windows Defender would be superior to other AV solutions as "noone knows Windows better than Microsoft".

In other words, the idea is based on the argument that using other AV private solutions would only add more vulnerabilities to your system as it needs to have privilege rights to work properly. And most companies would not integrate their solutions so well as Microsoft can.

If you think i should open a new thread to that, just let me know. Thank you.

The main advocates of sticking to Microsoft Defender is Google's Project Zero - particularly Tavis Ormandy. That team has found throughout their vulnerability research that Microsoft's developers mostly get it right when coding Defender.

Certain aspects of Defender are developed and maintained by subcontractors and\or sub-divisions not located in the USA. For example, Eastern Europe, Turkey and India.

The answer to the question "What is best AV?" is dependent upon what type of malware or exploit a user gets smacked with. At the end of the day, all the AV lab and Youtube test results do not matter. These all provide speculative results. The only thing that matters is how an AV handles any attack or infection that the user experiences personally.

As far as integration into Windows OS, it is correct that Microsoft does it better than any 3rd party AV. Does that translate into better protections? Perhaps in some corner cases that none of us are likely to encounter. Therefore, does it really matter?

Hardened Microsoft Defender and hardening the OS provide better overall protection with the caveat that the user has a certain level of understanding and ability to manage their own security.

 

[Tiamati]

Ok guys. Tyvm for your help. I believe you were able to solve my doubts. I'm currently running hardened windows 10 with MD set to high by Hard configurator.

I used bitdefender and Kaspersky for a long time but I decided to give a MD a chance after reading @Andy Ful reports and because of the argumented o mentioned earlier. It has 2 years I'm using MD with no big problems. I recently had a problem with a cloned credit card but I believe i was victim of skimming, as after running 5 second opinion av scanners, I could find nothing. (Emsisoft , Hitman, Malwarebytes, eset, trendc.)

I can open a new thread, but I think a moderator could move this answers do a new topic , to help other people with your answers. And to allow more discussion


Tyvm . Peace.

 

[ForgottenSeer 100397]

I ran ConfigureDefender to see how it worked. Does ConfigureDefender recommend enabling "App & browser control" with the High Profile? Because the module failed to turn on. I attempted it three times and rebooted the system each time.

 

[Andy Ful]

I ran ConfigureDefender to see how it worked. Does ConfigureDefender recommend enabling "App & browser control" with the High Profile? Because the module failed to turn on. I attempted it three times and rebooted the system each time.

The HIGH Protection Level of Configuredefender does not have any impact on the settings in the "App & browser control" (from Security Center), except for enabling PUA protection (Reputation-based protection >> Potentially unwanted app blocking >> Block apps).
Please check if this option is ticked. If it is, and "App & browser control" is still not turned ON, then it means that another option in "App & browser control" is not enabled (independent of Configuredefender).

 

[ForgottenSeer 100397]

I chose the Default Profile and rebooted the system. The default profile resolved the issue, and now everything works properly.