ConfigureDefender utility for Windows 10/11

Digmor Crusher

Digmor Crusher

Level 26
Verified
Top Poster
Well-known
Jan 27, 2018
1,563
  • Like
  • Hundred Points
Reactions: Dave Russo, amico81, simmerskool and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,921
Tiamati said:
I don't understand Credential Guard and VBS very well. But @Andy Ful implemented those in H_C tools? I noticed both are not configured in my system and i'm wondering if i should do something about it ...
Click to expand...

Credential Guard and VBS are unrelated to Microsoft Defender and not configured by H_C tools. You can enable them from the Windows Security Center (assuming that your drivers are compatible).
 
Last edited:
  • +Reputation
  • Like
Reactions: simmerskool, Tiamati, ErzCrz and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,921
Marana said:
I wonder what is the practical added value that Credential Guard and VBS provide to home user security if one uses WHHL, ConfigureDefender and FirewallHardening. Or is there any...?
Click to expand...

I do not know the answer for non-enterprise users. VBS is important in Enterprises for sure.
WHHLight tools can mainly prevent malware/exploits that could compromise the Windows kernel, but no protection is perfect.
Malicious actions in the kernel level can bypass AVs/EDRs, and also WHHLight tools.
 
Last edited:
  • Like
  • +Reputation
Reactions: simmerskool and Tiamati
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,921
oldschool said:
It logically follows that these security features should be enabled in home user environments as well.
Click to expand...

It follows that they can be enabled when they do not cause issues. :)

Edit.
Incompatible drivers can persist in the system even if you do not use the devices that used those drivers. In such cases, one must refresh the system or manually remove the incompatible drivers. Unfortunately, some devices (like Electronic ID Card Readers, cryptographic cards, etc.) can still use incompatible drivers.
 
Last edited:
  • Like
  • +Reputation
Reactions: simmerskool, oldschool and dronefox1166
bazang

bazang

Level 14
Jul 3, 2024
674
oldschool said:
It logically follows that these security features should be enabled in home user environments as well.
Click to expand...
Common sense. Right?

Let's all take a moment and do a break-down analysis of home users and why they - as a demographic cohort - receive the least amount of default security from Windows, and by extension, Microsoft. In other words, the one category of users that needs the greatest amount of security receives the least.
  • Home users are "users that want to use stuff," and even though Microsoft knows this digital use paradigm is dinosaur thinking, Microsoft allows home users to do what they want because they will cry and complain. Another way to state it is "Microsoft does not want to be bothered by home users."
  • Every single time Microsoft has attempted to make Windows effectively secure, it is home users that unravel Microsoft's efforts via the crying and complaining campaigns.
  • Security is not software, but that is the solution the world has come up with to protect a group of users who are lazy, do not care, and cannot be bothered to use their brain. I know will see that as harsh, but it is true of the vast majority of people globally. Illiterate folk living in isolated villages in Dagestan or the Mongolian steppes (yes, they have electricity and internet), they get a pass. Everybody else does not.
  • Globally, digital insecurity is a pandemic and yet there is no willingness to fix the problems once and for all. Instead, the costs of losses are passed onto all consumers and other buyers of services and goods.
The most ludicrous argument of all is that if security blocks something a home user is attempting to do, then the security is wrong and the user is right. The user cannot be bothered to have to troubleshoot.

Humanity will never be capable of saving itself.

Security is not software. It is a process (that requires users to do stuff). Oh no. The lions, the tigers, the bears... we cannot expect users to do anything... Oh My.
 
  • Like
  • Applause
Reactions: simmerskool and oldschool
Marana

Marana

Level 2
Verified
Jan 21, 2018
57
Victor M said:
Do you want to be insecure or do you want to stay up to date with security? Old stuff over 5 yrs old (my estimate) is rarely securable unless you carefully segment them . You have to spend some money and toss out the old stuff.
Click to expand...
On the other hand, if a home user has a SRP+WDAC style default deny application control and uses also a SUA, is there a verified way for malware to start executing without Credential Guard and VBS (unless the user starts it on purpose, i.e. trusting the malware to be safe)?

If not, I do not see it absolutely necessary (if necessary at all?) to spend money and work time for the home user to upgrade his/her old system ONLY to enable Credential Guard and VBS...

This is why I was asking for opinions if CG and VBS provide some real life added value... (or are they (at least) mostly "marketing hype"?) for the environments I described.
 
  • Like
Reactions: Tiamati
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,921
Marana said:
This is why I was asking for opinions if CG and VBS provide some real life added value...
Click to expand...

You will not get the definitive and generally accepted answer.
Anyway, It is worth trying. You are not an average user and MT members can help if necessary.
 
  • Like
  • +Reputation
Reactions: Tiamati and simmerskool
bazang

bazang

Level 14
Jul 3, 2024
674
Marana said:
On the other hand, if a home user has a SRP+WDAC style default deny application control and uses also a SUA, is there a verified way for malware to start executing without Credential Guard and VBS (unless the user starts it on purpose, i.e. trusting the malware to be safe)?
Click to expand...
Yes. Exploits that do not require elevated permissions & privileges or exploits that can obtain elevated permissions & privileges in a SUA without notifying the user. For example, kernel exploits.

If you are ultra-paranoid, then you worry about such things - that UK GCHQ is hacking you to death to get to your family photos to surveille you and your family, amongst other things like putting agents into your socks.

Uninstall VBS, WMIC, PowerShell ISE, and OpenSSH from Windows 11 features if you are not using them.

Best security advices:
1. Do not be a "user that wants to use stuff"; and
2. Do not solve digital device security with software alone. Instead focus on knowledge gained a little bit at a time. It will serve your goals & objectives much more effectively than simply installing software or disabling Windows features.

Windows security increases exponentially when unneeded, unsecure default features that ship with Windows are permanently disabled.

Security is not software. It is a process. That process requires adequate effort on the part of the user so that they understand an entire slew of inter-connected security matters. Learning the security process is a long process in and of itself.
 
  • Like
Reactions: simmerskool
bazang

bazang

Level 14
Jul 3, 2024
674
It is proven that the most effective security arises from:

1. Changing user attitudes; and
2. Changing user behaviors; and
3. Giving them incentives to make those changes; and
4. Closely instruct and support those that cannot figure it out.

The challenge is like taking the 275 kg body mass person down to 75 kg.

This is Hijō ni muzukashī mondai - very difficult problem. Just like the global obesity problem trying to be solved by public health policies alone.
 
  • Like
Reactions: simmerskool
badboy

badboy

Level 2
Jan 20, 2025
74
I have a question for Andy about one of the utilities that is included in this kit:
ConfigureDefender/H_C_HardeningTools at master · AndyFul/ConfigureDefender

I mean FirewallHardening.

Can I use only this utility without using the other utilities in the kit? Will this utility conflict with another antivirus (without a built-in firewall)?
What are the optimal settings needed to harden so that all ports are closed from external intrusion?
I need download H_C_HardeningTools_3011.zip version?
THANK YOU. :)
 
  • Like
Reactions: simmerskool, rashmi and Andy Ful
Digmor Crusher

Digmor Crusher

Level 26
Verified
Top Poster
Well-known
Jan 27, 2018
1,563
  • Like
  • +Reputation
Reactions: ErzCrz, Gandalf_The_Grey, simmerskool and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,921
  • Like
Reactions: piquiteco, Gandalf_The_Grey, simmerskool and 3 others

Similar threads

Victor M
    • Like
    • Thanks
App Review Beginning test of WHH at max settings per Andy Ful + OSArmor + SysHardener + Sysmon in DMZ
Replies
36
Views
3,909
Written Reviews - Security and Privacy
Victor M
Victor M
Gandalf_The_Grey
    • Like
    • Wow
    • Thanks
Hardware Lenovo’s BIOS updates are failing on Windows 11 after Microsoft made a change
Replies
0
Views
508
Technology News
Gandalf_The_Grey
Gandalf_The_Grey
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
405
Views
58,450
Hard_Configurator Tools
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top