ConfigureDefender utility for Windows 10/11

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
@Andy Ful
I'm running CF with CS settings and UAC disabled..
As I'm running this alongside Defender, would I benefit from running ConfigureDefender at HIGH setting, or would there be some conflict?
Thank you..

If I correctly recall, CF shows an alert when the executable asks for an elevation, so disabling the Windows UAC prompt is probably OK.
Using ConfigureDefender would be reasonable if you use Microsoft Office, Microsoft Outlook, Adobe Acrobat, etc.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
@Andy Ful
As I'm running this alongside Defender, ... would there be some conflict?

ConfigureDefender uses PowerShell code that will be blocked by Comodo's Script Analysis.
To apply ConfigureDefender, it is necessary to temporarily turn off the Embedded Code Detection for PowerShell >> use ConfigureDefender >> turn ON the Embedded Code Detection for PowerShell.

 

Jonny Quest

Mar 2, 2023
@Andy Ful
lovely jubbly.. thanks so much.. (y)

For those of you who may be like me, I'll save you a Google search :) :)

It's a jocular exclamation. It means excellent, brilliant, great. It's the sort of thing you'd say when you got some good news or had a stroke of luck, 'ah, lovely jubbly'.

Well, would you use it? It depends whether you're influenced by television, I suppose, more than anything else. It's one of the slang phrases that was used by Del Boy in the television series 'Only Fools and Horses', back in the 1990s. It actually goes back longer than that. These script writers are well aware of some of the earlier usages of phrases like this. In fact, you can take it right back to the 1950s, when there was an ice lolly called a jubbly, and there was an advertising catch phrase, 'lovely jubbly', and the Del usage, I suppose, has come from that.
 

rashmi

Jan 15, 2024
ConfigureDefender uses PowerShell code that will be blocked by Comodo's Script Analysis.
To apply ConfigureDefender, it is necessary to temporarily turn off the Embedded Code Detection for PowerShell >> use ConfigureDefender >> turn ON the Embedded Code Detection for PowerShell.

Wouldn't setting Configure Defender as "ignore" in auto-containment be a more efficient solution? The scripts will appear in the unrecognized files section but shouldn't affect the CD process. You can mark the scripts as trusted later.
 

ErzCrz

Aug 19, 2019
Wouldn't setting Configure Defender as "ignore" in auto-containment be a more efficient solution? The scripts will appear in the unrecognized files section but shouldn't affect the CD process. You can mark the scripts as trusted later.
CD doesn't run as an active process like DefenderUI does. You use it as and when to change the Microsoft Defender settings and that's it, apart from viewing the Defender log when you want to. CD is set and forget, so it is easier to just change the script analysis embedded shellcode setting for PowerShell as @Andy Ful suggested for the initial configuration.
 

rashmi

Jan 15, 2024
CD doesn't run as an active process like DefenderUI does. You use it as and when to change the Microsoft Defender settings and that's it, apart from viewing the Defender log when you want to. CD is set and forget, so it is easier to just change the script analysis embedded shellcode setting for PowerShell as @Andy Ful suggested for the initial configuration.
You need to disable script analysis when applying a Configure Defender configuration and viewing logs. Do you need to reapply a Configure Defender configuration with a new version? Wouldn't it be better to exclude CD in auto-containment as a permanent solution?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
You need to disable script analysis when applying a Configure Defender configuration and viewing logs. Do you need to reapply a Configure Defender configuration with a new version? Wouldn't it be better to exclude CD in auto-containment as a permanent solution?
CD is a Trusted application, automatically excluded from the containment. However, it uses PowerShell to check and apply settings, and PowerShell is restricted in Script Analysis.
That is how Embedded Code Detection works. It ignores whether the application is Trusted, but can restrict the embedded code related to the particular LOLBin.
It is possible to whitelist the blocked PowerShell code, but any combination of ConfigureDefender ASR rules has a different embedded code, so many possible variants exist.
 
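The posts above explain that ConfigureDefender checks and applies Microsoft Defender settings through PowerShell, and that each combination of ASR rules corresponds to a different piece of embedded code. The read-only check below is added here as an example; it is not code from ConfigureDefender or from Andy Ful. It reads the current ASR rule state with Get-MpPreference and compares it with a desired set. The ASR rule GUIDs are Microsoft's documented rule identifiers; the friendly-name table and the $Desired set (which assumes two rules are expected in Block mode) are constructed for the example and are not taken from ConfigureDefender's HIGH profile.

```powershell
# Added example (not ConfigureDefender's own code): inspect the current
# Microsoft Defender ASR rule state and compare it with a desired set.
# The GUIDs are Microsoft's documented ASR rule identifiers; the friendly
# names are a local lookup table for readability only.

$KnownAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Action codes as returned by Get-MpPreference in AttackSurfaceReductionRules_Actions.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Emits one object per configured rule: Id, Name, Action.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).ToUpperInvariant()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            Id     = $id
            Name   = if ($KnownAsrRules.ContainsKey($id)) { $KnownAsrRules[$id] } else { '(not in local table)' }
            Action = if ($ActionName.ContainsKey($code)) { $ActionName[$code] } else { "Unknown($code)" }
        }
    }
}

function Compare-AsrRuleState {
    # $Desired maps rule GUID -> expected action name ('Block', 'Audit', 'Warn', 'Disabled').
    param([hashtable]$Desired)
    $current = @{}
    Get-AsrRuleState | ForEach-Object { $current[$_.Id] = $_.Action }
    foreach ($id in $Desired.Keys) {
        $key  = $id.ToUpperInvariant()
        $want = $Desired[$id]
        $have = if ($current.ContainsKey($key)) { $current[$key] } else { 'Not configured' }
        [pscustomobject]@{
            Id       = $key
            Name     = $KnownAsrRules[$key]
            Expected = $want
            Actual   = $have
            Match    = ($want -eq $have)
        }
    }
}

# Constructed desired state for the example: two rules expected in Block mode.
# Which rules a given ConfigureDefender profile sets is not assumed here.
$Desired = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block'
}
Compare-AsrRuleState -Desired $Desired | Format-Table -AutoSize
```

Run it from an elevated PowerShell session. Applying a rule, which is the part ConfigureDefender automates, is a separate Add-MpPreference -AttackSurfaceReductionRules_Ids <guid> -AttackSurfaceReductionRules_Actions Enabled call, so each different selection of rules produces a different command line; that is why a Comodo Embedded Code Detection whitelist entry covers only the one action whose code was seen. In the Comodo setup described in this thread, this script would itself be subject to the same PowerShell script analysis.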

rashmi

Jan 15, 2024
CD is a Trusted application, automatically excluded from the containment. However, it uses PowerShell to check and apply settings, and PowerShell is restricted in Script Analysis.
That is how Embedded Code Detection works. It ignores if the application is Trusted, but can restrict the embedded code related to the particular LOLBin.
It is possible to whitelist the blocked PowerShell code, but any combination of ConfigureDefender ASR rules has a different embedded code, so many possible variants exist.
As far as I can recall, the 'ignore' status exceeds the 'trusted' status in terms of rights. With ConfigureDefender ignored, I successfully applied the "high" configuration. Refreshed ConfigureDefender and restarted the system. ConfigureDefender retained the "high" configuration. Successfully applied ConfigureDefender's interactive configuration.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
As far as I can recall, the 'ignore' status exceeds the 'trusted' status in terms of rights. With ConfigureDefender ignored, I successfully applied the "high" configuration. Refreshed ConfigureDefender and restarted the system. ConfigureDefender retained the "high" configuration. Successfully applied ConfigureDefender's interactive configuration.
You cannot choose "ignore" for the ConfigureDefender executable because it is already Trusted. However, you can do it for the blocked content (embedded code). As I already noted, this can only whitelist the content used for a particular action. One such action is applying the "HIGH" Protection Level. There are about 100 possible actions that use different pieces of embedded code. If you would like to fully whitelist the ConfigureDefender actions, you should apply all those possible actions one by one and choose each time to not contain the action.
 

rashmi

Jan 15, 2024
You cannot choose "ignore" for the ConfigureDefender executable because it is already Trusted. However, you can do it for the blocked content (embedded code). As I already noted, this can only whitelist the content used for a particular action. One such action is applying the "HIGH" Protection Level. There are about 100 possible actions that use different pieces of embedded code. If you would like to fully whitelist the ConfigureDefender actions, you should apply all those possible actions one by one and choose each time to not contain the action.
You have the option to manually "ignore" any executable; however, you can only "trust" Comodo tempscript. Listing ConfigureDefender as "ignore" in auto-containment should permit all its actions. You might see Comodo tempscript files related to ConfigureDefender listed as unrecognized; this shouldn't affect ConfigureDefender's functions.
 

rashmi

Jan 15, 2024
@Andy Ful I tested the "ignore" option in Comodo a little to see how it works. The "ignore" option seems designed for user convenience, enabling the exclusion of all actions from an app, possibly for all modules. This might explain why Comodo marks an app as both trusted and ignored when checking "Trust this app" on the alert.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
@Andy Ful I tested the "ignore" option in Comodo a little to see how it works. The "ignore" option seems designed for user convenience, enabling the exclusion of all actions from an app, possibly for all modules. This might explain why Comodo marks an app as both trusted and ignored when checking "Trust this app" on the alert.

Yes, the manual "Ignore" under Containment settings works. (y) :)
 
