ConfigureDefender utility for Windows 10/11

@Andy Ful without me reading all 91 pages of posts... (I normally use danb's DefenderUI but on this VM I only use MSD and your tools), and my Defender systray icon has a yellow flag :oops: and it says Tamper Protection is Off. I assume I ran ConfigureDefender at default (or max or recommended) so should Tamper protection be off. should I just turn it ON from system Windows Security, or open ConfigureDefender and run it again? ie, is it normal for Tamper to be off after running CD?
 
  • Like
Reactions: Gandalf_The_Grey and Andy Ful
simmerskool said:
I assume I ran ConfigureDefender at default (or max or recommended) so should Tamper protection be off. should I just turn it ON from system Windows Security, or open ConfigureDefender and run it again? ie, is it normal for Tamper to be off after running CD?
Click to expand...

ConfigureDefender does not change Tamper Protection. If I recall correctly DefenderUI does.
You should turn ON Tamper Protection.(y)
 
  • Like
  • +Reputation
Reactions: Digmor Crusher, Gandalf_The_Grey, badboy and 1 other person
It looks like ConfigureDefender can also be downloaded from the WinGet repository:
winstall.app

Install ConfigureDefender with winget - winstall

Utility for configuring Windows 10 built-in Defender antivirus settings.
winstall.app winstall.app

WinGet installs ConfigureDefender into the directory:
%LocalAppData%\Microsoft\WinGet\Packages\AndyFul.ConfigureDefender_Microsoft.Winget.Source_8wekyb3d8bbwe

WinGet adds this directory to the PATH environment variable, so ConfigureDefender can be executed from anywhere by invoking the configuredefender variable (similarly to system executables).
 
  • Like
  • +Reputation
Reactions: piquiteco, simmerskool, Gandalf_The_Grey and 1 other person
rashmi said:
Does the Cloud Protection Level or "Block executables..." use the ISG or SmartScreen backend?
Click to expand...

It is possible that the "Block executables..." ASR rule somehow depends on "ISG without a SmartScreen backend (files with no MOTW)". But this rule also depends on the file age. If the file is known in the Microsoft cloud for more than 24 hours, it will be allowed even if ISG still blocks it.

There is no direct connection to SmartScreen. Both Cloud Protection Level and "Block executables..." ASR rule can block executables allowed by SmartScreen. For example, the ASR rule blocked my digitally signed applications a few times (allowed by SmartScreen).

Edit.
The ASR rule "Block executables ..." does not block MSI files and DLLs loaded by EXEs (cannot prevent DLL hijacking), but SAC (and WDAC ISG) can.
When protecting happy clickers with an enabled rule "Block executables ...", enabling also SAC makes sense.
 
Last edited:
  • +Reputation
  • Like
  • Thanks
Reactions: Parkinsond, rashmi, simmerskool and 3 others
When I click on the button Folders in the section Controlled Folder, the popup window CFA Folders doesn't show the default entries (Protected Folders).
This corresponds to an empty folder in the registry. Is this normal behavior? Windows security dashboard shows the default protected folders (from which source?). I never added folders to it.
 

Attachments

  • CFA protected.jpg
    CFA protected.jpg
    31.8 KB · Views: 120
  • Like
Reactions: piquiteco, simmerskool and Andy Ful
Jan Willy said:
When I click on the button Folders in the section Controlled Folder, the popup window CFA Folders doesn't show the default entries (Protected Folders).
This corresponds to an empty folder in the registry. Is this normal behavior?
Click to expand...

Yes, this normal (intended) behavior.
The default CFA protection cannot be decreased - the default folders cannot be removed from CFA (they are skipped in ConfigureDefender).
 
  • Like
  • +Reputation
  • Thanks
Reactions: piquiteco, simmerskool, Jan Willy and 1 other person
Tiamati said:
@Andy Ful i couldn't find anything related to "Block use of copied or impersonated system tools" in configure defender manual. Any tips? Ty!
Click to expand...
This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. Some malicious programs might try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines.
Click to expand...
Block use of copied or impersonated system tools
 
  • Like
  • +Reputation
Reactions: simmerskool, Allego, Andy Ful and 1 other person
Tiamati said:
@Andy Ful i couldn't find anything related to "Block use of copied or impersonated system tools" in configure defender manual. Any tips? Ty!
Click to expand...

I can only add that this ASR rule will block:
  • any executable in UserSpace with a file name of a system tool,
  • any system tool copied from the original location and renamed (can recognize the internal name).
Edit.
Fortunately, the blocked file path can be excluded via ASR exclusions.
 
Last edited:
  • Like
  • Applause
  • +Reputation
Reactions: simmerskool, Tiamati, Allego and 1 other person
Andy Ful said:
I can only add that this ASR rule will block:
  • any executable in UserSpace with a file name of a system tool,
  • any system tool copied from the original location and renamed (can recognize the internal name).
Edit.
Fortunately, the blocked file can be excluded via ASR exclusions.
Click to expand...
This specific rule blocked graphics driver after manual install, so I never used it again.
My top rules are those cloud-dependent.
 
  • Like
Reactions: oldschool
Parkinsond said:
This specific rule blocked graphics driver after manual install, so I never used it again.
My top rules are those cloud-dependent.
Click to expand...

It was not this rule, but probably "Block abuse of exploited vulnerable signed drivers". If you need to install the vulnerable driver for some important reason, just temporarily set the rule to Audit (Windows restart may be required) and install the driver .(y)

Post edited.
 
Last edited:
  • +Reputation
  • Like
Reactions: simmerskool and Parkinsond
Andy Ful said:
It was not this rule, but probably "Block abuse of exploited vulnerable signed drivers". If you need to install the vulnerable driver for some important reason, just temporarily set the rule to Audit and install the driver.(y)
Click to expand...
It was "Block use of copied or impersonated system tools", not "Block abuse of exploited vulnerable signed drivers".
The driver was Intel HD graphics one downloaded from the official support page of hp.
Seems MD considered the driver files impersonating the one installed earlier through Windows update.
 
  • Like
Reactions: Andy Ful
Parkinsond said:
It was "Block use of copied or impersonated system tools", not "Block abuse of exploited vulnerable signed drivers".
The driver was Intel HD graphics one downloaded from the official support page of hp.
Seems MD considered the driver files impersonating the one installed earlier through Windows update.
Click to expand...

Interesting. Do you have access to this driver? I would like to test why it triggered this rule.
 
  • Like
  • +Reputation
Reactions: simmerskool, Gandalf_The_Grey and Parkinsond
Last edited:
  • Wow
  • Like
Reactions: Parkinsond and simmerskool
Parkinsond said:
Intel Graphic Driver Win7 64b: sp78306.exe
Click to expand...

Tried to install this driver on my machine (Windows 11 x64) with both ASR rules enabled. I expected that one of the ASR rules would be triggered even if the installation has no chance to be successful (different Windows version and different hardware).
The installation finally failed after a few seconds (as expected) with error:

1750886074929.png


No blocks from ASR rules.
Anyway, different behavior was possible on the HP computer.
 
Last edited:
  • Like
  • +Reputation
Reactions: Parkinsond, simmerskool and Capiche

You may also like...