ConfigureDefender utility for Windows 10/11

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Hello @Andy Ful ,
Can you add the low CPU priority setting?

Thanks

Did anyone see it working?

It never worked for me. Here is a screenshot (Defender's full scan):

[Screenshot attachment: 1716027244137.png]

NormanF

Level 9
Verified
Jan 11, 2018
404
A feature enabling threat detection and response might be worth considering.

A subset of managed detection and response.

If you're running Microsoft Defender for Business, you'd need to upgrade to Microsoft Premium for Business to get them for an extra $11 a month.

While it offers a lot of value for the money, it also overlaps and duplicates apps I already have.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
A feature enabling threat detection and response might be worth considering.

A subset of managed detection and response.

If you're running Microsoft Defender for Business, you'd need to upgrade to Microsoft Premium for Business to get them for an extra $11 a month.

While it offers a lot of value for the money, it also overlaps and duplicates apps I already have.

If I recall correctly, Threat Detection and Response (TDR) requires a Security Operations Center, which is unavailable for consumers, except for some Enterprises:

Features like TDR require a paid version of Microsoft Defender (with an incident console). For example:


Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
I tested two new ASR rules on Windows 11 Home ver. 24H2:
  • Block rebooting machine in Safe Mode
  • Block use of copied or impersonated system tools
These rules work well, so I will add them in the next ver. of ConfigureDefender.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
"Block use of copied or impersonated system tools" blocked the manual install of HP Compaq Pro 6300 Graphics driver

This rule must be improved for several reasons. For example, it also blocks the installation and updates of Photoshop 25.5.0. The blocked file is "convert.exe" which is a renamed ImageMagick. The ASR rule wrongly thinks that "convert.exe" is a Windows system file convert.exe. There can be more such file name collisions.

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,430
I keep getting this block now Andy, anything to worry about? I assume it's because I'm using the Interactive setting? Thanks.

Event[0]:
Time Created : 2024-10-25 7:46:09 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-25T12:46:09.878Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\taskhostw.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline: taskhostw.exe -RegisterDevice -SettingChange
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.704.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
I keep getting this block now Andy, anything to worry about? I assume it's because I'm using the Interactive setting? Thanks.

Event[0]:
Time Created : 2024-10-25 7:46:09 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-25T12:46:09.878Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\taskhostw.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline: taskhostw.exe -RegisterDevice -SettingChange
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.704.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9

In the HIGH Protection Level this ASR rule is disabled because the block is triggered for many benign applications that try to enumerate running processes and attempt to open them with exhaustive permissions. In your case, some service based on DLL tries to change settings.
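The triage step behind Andy's answer (and behind the earlier convert.exe name-collision report) is to look at which rule is firing, from which path, and how often, before deciding whether the rule should stay in Block, drop to Audit, or be disabled. The PowerShell below is an added example written for this thread; it is not code from ConfigureDefender or from any post above. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus active, and that the 1121/1122 event text uses the "ID:", "Path:" and "Process Name:" lines shown in the event Digmor Crusher posted. The function names (Get-AsrEventSummary, Get-AsrRuleState, Set-AsrRuleAudit) are mine; the cmdlets, log name and event IDs are Defender's own. The only rule GUID in the name table is the LSASS one quoted in the thread.

```powershell
# Added example for this thread; not part of ConfigureDefender or any post above.
# Assumes: elevated PowerShell, Windows 10/11, Microsoft Defender Antivirus active,
# and the "ID:" / "Path:" / "Process Name:" message layout shown in the thread.

# 1121 = ASR rule fired in Block mode, 1122 = the same rule fired in Audit mode.
$AsrEventIds = 1121, 1122

# GUID -> friendly name. Only the GUID quoted in the thread is filled in;
# extend it from Microsoft's ASR rule reference as needed.
$AsrRuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}

# Numeric action values as Get-MpPreference reports them.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrEventSummary {
    # Group recent ASR hits by rule and triggering path, most frequent first,
    # so a benign tool that keeps tripping one rule stands out immediately.
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $AsrEventIds
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $msg    = $_.Message
        $ruleId = if ($msg -match '(?m)^ID:\s*([0-9a-fA-F-]{36})') { $Matches[1].ToLower() } else { 'unknown' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $ruleId
            Rule    = if ($AsrRuleNames.ContainsKey($ruleId)) { $AsrRuleNames[$ruleId] } else { "unmapped GUID $ruleId" }
            Path    = if ($msg -match '(?m)^Path:\s*(\S.*?)\s*$') { $Matches[1] } else { '' }
            Process = if ($msg -match '(?m)^Process Name:\s*(\S.*?)\s*$') { $Matches[1] } else { '' }
        }
    } | Group-Object RuleId, Path | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Hits    = $_.Count
            Rule    = $_.Group[0].Rule
            Path    = $_.Group[0].Path
            Process = $_.Group[0].Process
            Modes   = ($_.Group.Mode | Sort-Object -Unique) -join '/'
            Last    = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

function Get-AsrRuleState {
    # Local (non-policy) ASR configuration as Defender reports it.
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $action = [int]$p.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $p.AttackSurfaceReductionRules_Ids[$i]
            Action = if ($AsrActionNames.ContainsKey($action)) { $AsrActionNames[$action] } else { $action }
        }
    }
}

function Set-AsrRuleAudit {
    # Move one rule from Block to Audit: it keeps logging (event 1122) without
    # blocking, so you keep the telemetry instead of disabling the rule outright.
    # Add-MpPreference merges into the existing list; other rules keep their actions.
    param([Parameter(Mandatory)][string]$RuleId)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
}

# Usage (constructed examples):
# Get-AsrEventSummary -Days 30 | Format-Table -AutoSize
# Get-AsrRuleState
# Set-AsrRuleAudit -RuleId '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
```

Two practical points. First, a summary that shows the same signed Windows binary (taskhostw.exe in the event above) tripping the LSASS rule repeatedly under NT AUTHORITY\SYSTEM is the false-positive pattern Andy describes, whereas an unfamiliar path in a user-writable directory hitting the same rule is what the rule exists to catch. Second, Add-MpPreference only changes the local preference; when the rules are managed by policy, which is how ConfigureDefender applies them, the policy value wins and the change must be made in ConfigureDefender instead, so check Get-AsrRuleState after any change to confirm it took effect.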
