ConfigureDefender utility for Windows 10/11


Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,881
I don't understand Credential Guard and VBS very well. But @Andy Ful implemented those in H_C tools? I noticed both are not configured in my system and I'm wondering if I should do something about it ...

Credential Guard and VBS are unrelated to Microsoft Defender and not configured by H_C tools. You can enable them from the Windows Security Center (assuming that your drivers are compatible).
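
A way to check whether VBS and Credential Guard are configured and actually running, as an added example that is not part of the original thread and not code from H_C tools. It assumes Windows 10/11 with PowerShell and reads the `Win32_DeviceGuard` CIM class; the function name `Get-VbsStatus` is hypothetical.

```powershell
# Added example (not from the thread): report VBS / Credential Guard state
# as exposed by the Win32_DeviceGuard CIM class.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    # VirtualizationBasedSecurityStatus values: 0, 1 or 2
    $vbsStates = @{
        0 = 'Not enabled'
        1 = 'Enabled but not running'
        2 = 'Enabled and running'
    }
    $state  = [int]$dg.VirtualizationBasedSecurityStatus
    $detail = $vbsStates[$state]
    if (-not $detail) { $detail = "Unknown status value $state" }

    [pscustomobject]@{
        Feature    = 'Virtualization-based security'
        Configured = ($state -ne 0)
        Running    = ($state -eq 2)
        Detail     = $detail
    }

    # IDs listed in SecurityServicesConfigured / SecurityServicesRunning
    $services = @(
        @{ Id = 1; Name = 'Credential Guard' },
        @{ Id = 2; Name = 'Memory integrity (HVCI)' }
    )
    foreach ($svc in $services) {
        $configured = $dg.SecurityServicesConfigured -contains $svc.Id
        $running    = $dg.SecurityServicesRunning    -contains $svc.Id

        # "Configured but not running" is the case worth investigating:
        # the feature was requested but did not start on this boot.
        $detail = 'Not configured'
        if ($configured -and $running)  { $detail = 'Configured and running' }
        elseif ($configured)            { $detail = 'Configured but not running' }
        elseif ($running)               { $detail = 'Running without explicit configuration' }

        [pscustomobject]@{
            Feature    = $svc.Name
            Configured = $configured
            Running    = $running
            Detail     = $detail
        }
    }
}

Get-VbsStatus | Format-Table -AutoSize
```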
 

Andy Ful

I wonder what is the practical added value that Credential Guard and VBS provide to home user security if one uses WHHL, ConfigureDefender and FirewallHardening. Or is there any...?

I do not know the answer for non-enterprise users. VBS is important in Enterprises for sure.
WHHLight tools can mainly prevent malware/exploits that could compromise the Windows kernel, but no protection is perfect.
Malicious actions in the kernel level can bypass AVs/EDRs, and also WHHLight tools.
 

Andy Ful

It logically follows that these security features should be enabled in home user environments as well.

It follows that they can be enabled when they do not cause issues. :)

Edit.
Incompatible drivers can persist in the system even if you do not use the devices that used those drivers. In such cases, one must refresh the system or manually remove the incompatible drivers. Unfortunately, some devices (like Electronic ID Card Readers, cryptographic cards, etc.) can still use incompatible drivers.
 

bazang

Level 13
Jul 3, 2024
621
It logically follows that these security features should be enabled in home user environments as well.
Common sense. Right?

Let's all take a moment and do a break-down analysis of home users and why they - as a demographic cohort - receive the least amount of default security from Windows, and by extension, Microsoft. In other words, the one category of users that needs the greatest amount of security receives the least.
  • Home users are "users that want to use stuff," and even though Microsoft knows this digital use paradigm is dinosaur thinking, Microsoft allows home users to do what they want because they will cry and complain. Another way to state it is "Microsoft does not want to be bothered by home users."
  • Every single time Microsoft has attempted to make Windows effectively secure, it is home users that unravel Microsoft's efforts via the crying and complaining campaigns.
  • Security is not software, but that is the solution the world has come up with to protect a group of users who are lazy, do not care, and cannot be bothered to use their brain. I know will see that as harsh, but it is true of the vast majority of people globally. Illiterate folk living in isolated villages in Dagestan or the Mongolian steppes (yes, they have electricity and internet), they get a pass. Everybody else does not.
  • Globally, digital insecurity is a pandemic and yet there is no willingness to fix the problems once and for all. Instead, the costs of losses are passed onto all consumers and other buyers of services and goods.
The most ludicrous argument of all is that if security blocks something a home user is attempting to do, then the security is wrong and the user is right. The user cannot be bothered to have to troubleshoot.

Humanity will never be capable of saving itself.

Security is not software. It is a process (that requires users to do stuff). Oh no. The lions, the tigers, the bears... we cannot expect users to do anything... Oh My.
 

Marana

Level 2
Verified
Jan 21, 2018
57
Do you want to be insecure or do you want to stay up to date with security? Old stuff over 5 yrs old (my estimate) is rarely securable unless you carefully segment them. You have to spend some money and toss out the old stuff.
On the other hand, if a home user has a SRP+WDAC style default deny application control and uses also a SUA, is there a verified way for malware to start executing without Credential Guard and VBS (unless the user starts it on purpose, i.e. trusting the malware to be safe)?

If not, I do not see it absolutely necessary (if necessary at all?) to spend money and work time for the home user to upgrade his/her old system ONLY to enable Credential Guard and VBS...

This is why I was asking for opinions if CG and VBS provide some real life added value... (or are they (at least) mostly "marketing hype"?) for the environments I described.
 

Andy Ful

This is why I was asking for opinions if CG and VBS provide some real life added value...

You will not get the definitive and generally accepted answer.
Anyway, it is worth trying. You are not an average user and MT members can help if necessary.
 

bazang

On the other hand, if a home user has a SRP+WDAC style default deny application control and uses also a SUA, is there a verified way for malware to start executing without Credential Guard and VBS (unless the user starts it on purpose, i.e. trusting the malware to be safe)?
Yes. Exploits that do not require elevated permissions & privileges or exploits that can obtain elevated permissions & privileges in a SUA without notifying the user. For example, kernel exploits.

If you are ultra-paranoid, then you worry about such things - that UK GCHQ is hacking you to death to get to your family photos to surveil you and your family, amongst other things like putting agents into your socks.

Uninstall VBS, WMIC, PowerShell ISE, and OpenSSH from Windows 11 features if you are not using them.

Best security advice:
1. Do not be a "user that wants to use stuff"; and
2. Do not solve digital device security with software alone. Instead focus on knowledge gained a little bit at a time. It will serve your goals & objectives much more effectively than simply installing software or disabling Windows features.

Windows security increases exponentially when unneeded, unsecure default features that ship with Windows are permanently disabled.

Security is not software. It is a process. That process requires adequate effort on the part of the user so that they understand an entire slew of inter-connected security matters. Learning the security process is a long process in and of itself.
 

bazang

It is proven that the most effective security arises from:

1. Changing user attitudes; and
2. Changing user behaviors; and
3. Giving them incentives to make those changes; and
4. Closely instruct and support those that cannot figure it out.

The challenge is like taking the 275 kg body mass person down to 75 kg.

This is Hijō ni muzukashī mondai - very difficult problem. Just like the global obesity problem trying to be solved by public health policies alone.
 