ConfigureDefender utility for Windows 10/11

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
Azazel said:
Hello @Andy Ful ,
Can you add the low CPU priority setting.

Thanks
Click to expand...

Did anyone see it working?

Configure low CPU priority for scheduled scans

This policy setting allows you to enable or disable low CPU priority for scheduled scans.
admx.help

It never worked for me. Here is a screenshot (Defender's full scan):

1716027244137.png
 
Last edited:
  • Sad
Reactions: RansomwareRemediation
N

NormanF

Level 9
Verified
Jan 11, 2018
404
A feature enabling threat detection and response might be worth considering.

A subset of managed detection and response.

If you're running Microsoft Defender for Business, you'd need to upgrade to Microsoft Premium for Business to get them for an extra $11 a month.

While it offers a lot of value for the money, it also overlaps and duplicates apps I already have.
 
  • Like
Reactions: Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
NormanF said:
A feature enabling threat detection and response might be worth considering.

A subset of managed detection and response.

If you're running Microsoft Defender for Business, you'd need to upgrade to Microsoft Premium for Business to get them for an extra $11 a month.

While it offers a lot of value for the money, it also overlaps and duplicates apps I already have.
Click to expand...

If I recall correctly, Threat Detection and Response (TDR) requires a Security Operations Center, which is unavailable for consumers, except for some Enterprises:

What Is Threat Detection and Response (TDR)? | Microsoft Security

Threat detection and response (TDR) is the proactive process of identifying and mitigating security risks or malicious activity to protect an organization's assets.
www.microsoft.com

Features like TDR require a paid version of Microsoft Defender (with an incident console). For example:

 
Last edited:
  • +Reputation
  • Like
Reactions: [correlate] and simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
I tested two new ASR rules on Windows 11 Home ver. 24H2:
  • Block rebooting machine in Safe Mode
  • Block use of copied or impersonated system tools
These rules work well, so I will add them in the next ver. of ConfigureDefender.
 
  • +Reputation
  • Like
Reactions: SeriousHoax, oldschool, jerzy601 and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
aftech said:
"Block use of copied or impersonated system tools" blocked the manual install of HP Compaq Pro 6300 Graphics driver"
Click to expand...

This rule must be improved for several reasons. For example, it also blocks the installation and updates of Photoshop 25.5.0. The blocked file is "convert.exe" which is a renamed ImageMagick. The ASR rule wrongly thinks that "convert.exe" is a Windows system file convert.exe. There can be more such file name collisions.
 
Last edited:
  • Like
  • +Reputation
  • Applause
Reactions: South Park, SeriousHoax, oldschool and 4 others
Digmor Crusher

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,400
I keep getting this block now Andy, anything to worry about? I assume its because I'm using the Interactive setting? Thanks.

Event[0]:
Time Created : 2024-10-25 7:46:09 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-25T12:46:09.878Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\taskhostw.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline: taskhostw.exe -RegisterDevice -SettingChange
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.704.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9
 
Last edited:
  • Like
Reactions: South Park, ErzCrz, Gandalf_The_Grey and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
Digmor Crusher said:
I keep getting this block now Andy, anything to worry about? I assume its because I'm using the Interactive setting? Thanks.

Event[0]:
Time Created : 2024-10-25 7:46:09 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-25T12:46:09.878Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\taskhostw.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline: taskhostw.exe -RegisterDevice -SettingChange
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.704.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9
Click to expand...

In the HIGH Protection Level this ASR rule is disabled because the block is triggered for many benign applications that try to enumerate running processes and attempt to open them with exhaustive permissions. In your case, some service based on DLL tries to change settings.
 
  • +Reputation
  • Like
Reactions: sypqys, oldschool, ErzCrz and 2 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,058
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,402
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,211
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top