ConfigureDefender utility for Windows 10/11

One of the possibilities is that the rule "Block use of copied or impersonated system tools" can block files after opening the folder (no need to execute anything). For example:

*******************************************************
Event[0]:
Time Created : 26/06/2025 00:02:18
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb
ConfigureDefender option: Block use of copied or impersonated system tools
Detection time: 2025-06-25T22:02:18.183Z
User:
Path: C:\Test\sdclt.exe
Process Name: C:\Windows\explorer.exe
Target Commandline:
Parent Commandline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.431.208.0
Engine Version: 1.1.25050.6
Product Version: 4.18.25050.5

*******************************************************

This means that the block event could be triggered by accident when installing the driver (but unrelated to the driver).
 
Yes, it works for W 10.

This driver is outdated. Was the standard Windows 10 driver dysfunctional?
Anyway, you can keep it if it works well.(y)
According to the ASR rules, I decompressed the drivers' package installer via 7-Zip. There are many executables embedded in the installer. One of them may have the internal name of some system tool and can trigger the ASR rule. The second possibility is that noted in my previous post.(y)

The ASR rule "Block use of copied or impersonated system tools" can be useful to prevent dangerous UAC bypasses (Mock Directory method), DLL hijacking, etc.
The ASR rule "Block use of copied or impersonated system tools" can be useful to prevent dangerous UAC bypasses (Mock Directory method), DLL hijacking, etc.
I will try it again, as I stopped manually installing the graphics driver; that of W update is enough, and the newer version does not add any extra options.
 
I recently considered adding the rule "Block use of copied or impersonated system tools" to ConfigureDefender's HIGH Protection Level, but I was unsure how many false positives it may produce and how often it is triggered in widespread attacks. Anyway, it can be safely used remembering that it allows exclusions.
 
I recently considered adding the rule "Block use of copied or impersonated system tools" to ConfigureDefender's HIGH Protection Level, but I was unsure how many false positives it may produce and how often it is triggered in widespread attacks. Anyway, it can be safely used remembering that it allows exclusions.
Except for this driver issue, it did not give me further FPs.
 
Hey @Andy Ful

I have a question about the correct way to create an ASR exclusion for a recurring issue.

The ASR rule "Block abuse of exploited vulnerable signed drivers" is repeatedly blocking a trusted application (ASUS Armoury Crate). The event log shows that different trusted processes from this application are trying to load the same vulnerable driver, but the driver file (.sys) is often created in different temporary folders.

In this scenario, what is the best practice? Should I exclude:

a) The file from the 'Path:' field (e.g., C:\Users\...\Temp\...\AsIO3_64.sys)
b) The executable from the 'Process Name:' field (e.g., C:\...\ArmouryCrate.Win32Manager.exe)

My thinking is that excluding the 'Process Name' is the correct long-term solution because the file 'Path' changes with every update, but I wanted to confirm the intended method, because I already tried a few paths but I can't make it stop warning me.

Thank you for your great tools and for any guidance you can provide.

===

The MD log shows something like this:

Id : 1121
ConfigureDefender option: Block abuse of exploited vulnerable signed drivers
Path: C:\Users\USER\AppData\Local\Temp\ACFL\AsIO3_1.02.36\AsIO3_64.sys

Process Name: C:\Program Files\ASUS\Armoury Crate Service\ArmouryCrate.Service.exe
Target Command Line: C:\Program Files\ASUS\Armoury Crate Service\ArmouryCrate.Service.exe

or
Path: C:\Users\USER\AppData\Local\Temp\ACFL\AsIO3_1.02.31\AsIO3_32.sys
Process Name: C:\Program Files\WindowsApps\********.ArmouryCrate_6.1.18.0_x64__************\Win32Diagnostics\ArmouryCrate.Win32Manager.exe
Target Command Line: C:\Program Files\WindowsApps\********.ArmouryCrate_6.1.18.0_x64__************\Win32Diagnostics\ArmouryCrate.Win32Manager.exe

or

Path: C:\Program Files\ASUS\Armoury Crate Service\MB_Home\ASIO3\AsIO3_64.sys
Process Name: C:\Program Files\ASUS\ACOnePackageTemp\ZipTemp\ArmouryCrate.Service\ArmouryCrate.ServiceSetup.exe
Target Command Line: C:\Program Files\ASUS\ACOnePackageTemp\ZipTemp\ArmouryCrate.Service\ArmouryCrate.ServiceSetup.exe

and so on
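As an added example (not from the thread and not ConfigureDefender's own code), the script below parses the log format quoted in this post and in the earlier sdclt.exe post, groups the Event ID 1121 blocks per ASR rule GUID, and lists the distinct blocked paths, file names and initiating processes. That is the view needed before deciding on an exclusion: when the same .sys file name shows up under several version folders, an exclusion on one exact Path will not cover the next folder the installer creates. The sample log embedded in the script is constructed from the fields quoted in the thread, with user names and the WindowsApps package identifier replaced by placeholders, and the function names are the example's own.

```python
# Added example: parse ConfigureDefender's exported ASR block log (Defender Event ID 1121)
# and summarise the blocks per ASR rule before deciding on an exclusion.
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the field layout follows the ConfigureDefender log excerpts
# quoted in the thread; user names are placeholders, not real captures.
SAMPLE_LOG = r"""
*******************************************************
Event [0]:
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
ID : c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb
ConfigureDefender option : Block use of copied or impersonated system tools
Path : C:\Test\sdclt.exe
Process Name : C:\Windows\explorer.exe
*******************************************************
Event [1]:
Event ID : 1121
ID : 56a863a9-875e-4185-98a7-b882c64b5ce5
ConfigureDefender option : Block abuse of exploited vulnerable signed drivers
User : NT AUTHORITY\SYSTEM
Path : C:\Users\USER\AppData\Local\Temp\ACFL\AsIO3_1.02.36\AsIO3_64.sys
Process Name : C:\Program Files\ASUS\Armoury Crate Service\ArmouryCrate.Service.exe
*******************************************************
Event [2]:
Event ID : 1121
ID : 56a863a9-875e-4185-98a7-b882c64b5ce5
ConfigureDefender option : Block abuse of exploited vulnerable signed drivers
User : NT AUTHORITY\SYSTEM
Path : C:\Program Files\ASUS\Armoury Crate Service\MB_Home\ASIO3\AsIO3_64.sys
Process Name : C:\Program Files\ASUS\ACOnePackageTemp\ZipTemp\ArmouryCrate.Service\ArmouryCrate.ServiceSetup.exe
*******************************************************
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SEPARATOR_RE = re.compile(r"^\*{5,}\s*$")


@dataclass(frozen=True)
class BlockEvent:
    event_id: str
    rule_guid: str
    rule_name: str
    path: str
    process_name: str


def _parse_record(lines):
    """Turn one 'Event [n]:' record into a BlockEvent; None if it has no Path."""
    pairs = []
    for line in lines:
        if ":" in line:
            key, value = line.split(":", 1)  # values such as 'C:\...' contain ':' too
            pairs.append((key.strip().lower(), value.strip()))
    fields = dict(pairs)
    if not fields.get("path"):
        return None
    # "Id"/"Event ID" (numeric) and "ID" (rule GUID) collide once lower-cased,
    # so the two identifiers are told apart by their value, not their label.
    ids = [v for k, v in pairs if k in ("id", "event id")]
    return BlockEvent(
        event_id=next((v for v in ids if v.isdigit()), ""),
        rule_guid=next((v.lower() for v in ids if GUID_RE.match(v)), ""),
        rule_name=fields.get("configuredefender option", ""),
        path=fields["path"],
        process_name=fields.get("process name", ""),
    )


def parse_log(text):
    """Split the log on its asterisk separator lines and parse every record."""
    events, chunk = [], []
    for line in text.splitlines() + ["*****"]:  # sentinel flushes the last record
        if SEPARATOR_RE.match(line):
            event = _parse_record(chunk)
            if event is not None:
                events.append(event)
            chunk = []
        else:
            chunk.append(line)
    return events


def summarise_by_rule(events):
    """Per ASR rule GUID: block count, distinct paths, file names and processes."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(ev.rule_guid, {
            "rule_name": ev.rule_name, "count": 0,
            "paths": set(), "file_names": set(), "processes": set()})
        entry["count"] += 1
        entry["paths"].add(ev.path)
        entry["file_names"].add(PureWindowsPath(ev.path).name.lower())
        entry["processes"].add(ev.process_name)
    return summary


def same_file_many_folders(entry):
    """True when one blocked file name appears under several folders, i.e. an
    exclusion on a single exact Path would not survive the next install folder."""
    return len(entry["paths"]) > len(entry["file_names"])


if __name__ == "__main__":
    for guid, entry in summarise_by_rule(parse_log(SAMPLE_LOG)).items():
        print(f"{entry['rule_name']} ({guid}): {entry['count']} block(s)")
        for path in sorted(entry["paths"]):
            print("  Path:", path, "(same file, several folders)" if same_file_many_folders(entry) else "")
```

Feed it the text of a real ConfigureDefender log in place of SAMPLE_LOG and the per-rule summary shows at a glance whether the blocks come from one fixed path (an exact Path exclusion is enough) or from a file that is unpacked into a new version folder on every install, which is the situation described in this post.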
Hey @Andy Ful

I have a question about the correct way to create an ASR exclusion for a recurring issue.

The ASR rule "Block abuse of exploited vulnerable signed drivers" is repeatedly blocking a trusted application (ASUS Armoury Crate). The event log shows that different trusted processes from this application are trying to load the same vulnerable driver, but the driver file (.sys) is often created in different temporary folders.

When excluding the driver, you must look into the ConfigureDefender Log to see which file path was blocked. Can you post the blocked event?

I don't have much experience with this rule, but I think excluding EXE files doesn't make sense for a kernel driver. It is finally installed via the .sys file.
Did you try the method I suggested in my previous post?
https://malwaretips.com/threads/configuredefender-utility-for-windows-10-11.79039/post-1130880

Anyway, the better method would be to find another application that does not use vulnerable drivers.
Hey, ty for your support

I disabled the ASR rule because it broke the installation process. I'll try now to check if it will work this time.

The log is this (I tried to remove personal information):
*************************************************************************
Event [1]:
Time Created : ##/##/2025 ##:##:#
Provider Name : Microsoft-Windows-Windows Defender
Event ID : 1121
Message :
Microsoft Defender Exploit Guard blocked an operation that is not allowed by your IT administrator.
For more information, contact your IT administrator.
ID : 56a863a9-875e-4185-98a7-b882c64b5ce5
ConfigureDefender option : Block abuse of exploited vulnerable signed drivers
User : NT AUTHORITY\SYSTEM
Path : C:\Users\**********\AppData\Local\Temp\ACFL\AsIO3_1.02.36\AsIO3_64.sys
Process Name : C:\Program Files\ASUS\Armoury Crate Service\ArmouryCrate.Service.exe
Target Command Line :
Parent Command Line : "C:\Program Files\ASUS\Armoury Crate Service\ArmouryCrate.Service.exe"
Involved File :
Legacy Tags : 0x00000000
Security intelligence version: 1.431.253.0
Engine version : 1.1.25050.6
Product version : 4.18.25050.5

*************************************************************************
Event [2]:
Time Created : ##/##/2025 ##:##:#
Provider Name : Microsoft-Windows-Windows Defender
Event ID : 1121
Message :
Microsoft Defender Exploit Guard blocked an operation that is not allowed by your IT administrator.
For more information, contact your IT administrator.
ID : 56a863a9-875e-4185-98a7-b882c64b5ce5
ConfigureDefender option : Block abuse of exploited vulnerable signed drivers
User : **********- \**********
Path : C:\Users\**********\AppData\Local\Temp\ACFL\AsIO3_1.02.31\AsIO3_32.sys
Process Name : C:\Program Files\WindowsApps\B9ECED6F.ArmouryCrate_6.1.18.0_x64__qmba6cd70vzyy\Win32Diagnostics\ArmouryCrate.Win32Manager.exe
Target Command Line :
Parent Command Line : "C:\Program Files\WindowsApps\B9ECED6F.ArmouryCrate_6.1.18.0_x64__qmba6cd70vzyy\Win32Diagnostics\ArmouryCrate.Win32Manager.exe" /InvokerPRAID: App /FirstLaunch
Involved File :
Legacy Tags : 0x00000000
Security intelligence version: 1.431.250.0
Engine version : 1.1.25050.6
Product version : 4.18.25050.5

*************************************************************************
Event [3]:
Time Created : ##/##/2025 ##:##:#
Provider Name : Microsoft-Windows-Windows Defender
Event ID : 1121
Message :
Microsoft Defender Exploit Guard blocked an operation that is not allowed by your IT administrator.
For more information, contact your IT administrator.
ID : 56a863a9-875e-4185-98a7-b882c64b5ce5
ConfigureDefender option : Block abuse of exploited vulnerable signed drivers
User : **********- \**********
Path : C:\Users\**********\AppData\Local\Temp\ACFL\AsIO3_1.02.31\AsIO3_64.sys
Process Name : C:\Program Files\WindowsApps\B9ECED6F.ArmouryCrate_6.1.18.0_x64__qmba6cd70vzyy\Win32Diagnostics\ArmouryCrate.Win32Manager.exe
Target Command Line :
Parent Command Line : "C:\Program Files\WindowsApps\B9ECED6F.ArmouryCrate_6.1.18.0_x64__qmba6cd70vzyy\Win32Diagnostics\ArmouryCrate.Win32Manager.exe" /InvokerPRAID: App /FirstLaunch
Involved File :
Legacy Tags : 0x00000000
Security intelligence version: 1.431.250.0
Engine version : 1.1.25050.6
Product version : 4.18.25050.5

*************************************************************************
Event [7]:
Time Created : ##/##/2025 ##:##:#
Provider Name : Microsoft-Windows-Windows Defender
Event ID : 1121
Message :
Microsoft Defender Exploit Guard blocked an operation that is not allowed by your IT administrator.
For more information, contact your IT administrator.
ID : 56a863a9-875e-4185-98a7-b882c64b5ce5
ConfigureDefender option : Block abuse of exploited vulnerable signed drivers
User : NT AUTHORITY\SYSTEM
Path : C:\Program Files\ASUS\Armoury Crate Service\MB_Home\ASIO3\AsIO3_64.sys
Process Name : C:\Program Files\ASUS\ACOnePackageTemp\ZipTemp\ArmouryCrate.Service\ArmouryCrate.ServiceSetup.exe
Target Command Line :
Parent Command Line : "C:\Program Files\ASUS\ACOnePackageTemp\ZipTemp\ArmouryCrate.Service\ArmouryCrate.ServiceSetup.exe" -f 15 -b
Involved File :
Legacy Tags : 0x00000000
Security intelligence version: 1.431.243.0
Engine version : 1.1.25050.6
Product version : 4.18.25050.5

*************************************************************************
Event [8]:
Time Created : ##/##/2025 ##:##:#
Provider Name : Microsoft-Windows-Windows Defender
Event ID : 1121
Message :
Microsoft Defender Exploit Guard blocked an operation that is not allowed by your IT administrator.
For more information, contact your IT administrator.
ID : 56a863a9-875e-4185-98a7-b882c64b5ce5
ConfigureDefender option : Block abuse of exploited vulnerable signed drivers
User : **********- \**********
Path : C:\Users\**********\AppData\Local\Packages\B9ECED6F.ArmouryCrate_qmba6cd70vzyy\TempState\ACFL\AsIO3_1.02.36\AsIO3_64.sys
Process Name : C:\Windows\System32\backgroundTaskHost.exe
Target Command Line :
Parent Command Line : "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXc206n2x0eevm6mcaqje6aze5tcyc9qt6.mca
Involved File :
Legacy Tags : 0x00000000
Security intelligence version: 1.431.243.0
Engine version : 1.1.25050.6
Product version : 4.18.25050.5

*************************************************************************
Event [9]:
Time Created : ##/##/2025 ##:##:#
Provider Name : Microsoft-Windows-Windows Defender
Event ID : 1121
Message :
Microsoft Defender Exploit Guard blocked an operation that is not allowed by your IT administrator.
For more information, contact your IT administrator.
ID : 56a863a9-875e-4185-98a7-b882c64b5ce5
ConfigureDefender option : Block abuse of exploited vulnerable signed drivers
User : NT AUTHORITY\SYSTEM
Path : C:\Users\**********\AppData\Local\Temp\ACFL\AsIO3_1.02.36\AsIO3_64.sys
Process Name : C:\Program Files\ASUS\Armoury Crate Service\ArmouryCrate.Service.exe
Target Command Line :
Parent Command Line : "C:\Program Files\ASUS\Armoury Crate Service\ArmouryCrate.Service.exe"
Involved File :
Legacy Tags : 0x00000000
Security intelligence version: 1.431.243.0
Engine version : 1.1.25050.6
Product version : 4.18.25050.5

*************************************************************************
 
@Andy Ful What do you think about this software called iDefender? iDefender GitHub
I saw it listed at Majorgeeks and thought it was a hoax initially, but they have a lot of rules and default-deny like whitelist and blacklist. I have CD, DefenderUI, SFH and HC.

It is not a hoax. The older version was tested on default settings here:
No idea how effective iDefender is in practice. This would require a lot of testing.
 
I enabled Controlled Folder Access in ConfigureDefender, but it does not list the default protected folders. Do I need to add these default folders in ConfigureDefender to protect them? Adding folders to protect or programs to allow in either worked well, and they appeared in both. I protected the Hasleo-backed-up images in the "Hasleo" folder on the D partition using ConfigureDefender and allowed Hasleo files using Microsoft Defender. Hasleo created an incremental image with no issues or blocks.
 
I've set SmartScreen to Block for Explorer on our kids' devices, but not for Internet Explorer. I consider that fine and unneeded. Am I right?
 