ConfigureDefender utility for Windows 10/11

:-) you misunderstood something

Oldschool wondered/questioned why DefenderUI was running in memory while every Defender setting can be set via registry or PowerShell (as ConfigureDefender does).
I meant that DefenderUI Pro is more like a Cyberlock lite; most here know that both DefenderUI and ConfigureDefender adjust Defender's settings. ;)
 
Again misunderstanding :-)

Oldschool posted that for Defender settings tweaks everything could be set without needing a program running in the background.

I mentioned Pro because it offers other protections, and the free and Pro versions sharing code is probably the reason it runs in memory.

As you stated ;)
 
Running in real-time allows DefenderUI and the Pro version to generate alerts and configure changes without a system restart, among other functions.

Please avoid cluttering this thread; instead, post questions or information in the DefenderUI thread.
 
What can the rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" add more than WHHL WDAC for evaluating an exe file?
Are not both using the same backend?
 
Not much. However, the ASR rule is more dependent on the file prevalence, and WDAC on file reputation.

Yes, but in a slightly different way.
 
I think using such an ASR rule with WDAC/SAC is redundant to some extent; the ASR rule represents a relatively good substitute for WDAC when WDAC could not be applied.
 
The ASR rule is a kind of HIPS based on the file prevalence, age, or trust. After a few days, the blocked file can be allowed if more people run it without problems.
How can more people run it, if it is already blocked for all people (the age of the installer released today is the same for all people, unless they live in a parallel universe with a different dating).
 
Well, in the past a signed Dutch program with few users was always blocked by that ASR rule and allowed by WDAC (before we bought new laptops, we were both using WHHL). The stupid thing about that program was that one could not decline updates. So I ended up disabling that ASR rule on the former laptop.

The logic behind that ASR rule is illustrated with a saying: "to survive a lion attack you don't have to run faster than the lion, just run faster than another in the herd". So when 1000 people are using that program without being infected, it has a high likelihood of being benign.
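An added example, not from any post in this thread, showing the audit-then-exclude workflow for the ASR rule discussed above using the built-in Defender PowerShell cmdlets (the thread's point that Defender settings can be set from PowerShell without a resident program). It assumes an elevated session on Windows 10/11 with Microsoft Defender Antivirus active; the rule GUID is Microsoft's published ID for "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", and the excluded file path is a placeholder:

```powershell
# Added example (not from the thread): manage the prevalence/age/trust ASR rule
# with the Defender cmdlets instead of disabling it outright.
# Requires an elevated PowerShell session with Microsoft Defender AV active.

# Microsoft's published GUID for "Block executable files from running unless
# they meet a prevalence, age, or trusted list criterion".
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# 1. Enable the rule in audit mode first: nothing is blocked, but every
#    would-be block is written to the Defender operational event log.
#    Add-MpPreference adds the rule to the existing list (or updates its action).
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Show the configured ASR rules and their actions
#    (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 3. After a few days of normal use, list what this rule would have blocked.
#    Event 1122 = ASR audit hit, 1121 = ASR block. The rule GUID and the
#    offending file appear in the event text; the 'Path:' line pattern is an
#    assumption about the message layout, adjust if your build formats it differently.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id,
        @{ n = 'File'; e = {
            ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Path:' }) -replace '^\s*Path:\s*', ''
        } } |
    Format-Table -AutoSize

# 4. For a known-good program that keeps tripping the rule (e.g. a signed
#    low-prevalence updater that cannot be declined), exclude just that file
#    from ASR rather than turning the rule off. Placeholder path: replace it
#    with the real executable.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleVendor\updater.exe'

# 5. Once the audit log shows only expected hits, switch the rule to block mode.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Enabled
```

The exclusion in step 4 is scoped to ASR only, so the file is still scanned by real-time protection; that keeps the "run slower than the herd" logic for everything else while removing the one recurring false positive.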
 
So WDAC/SAC is carrying out the ASR rule's job, but is more refined.
 
If the ASR rule relies on age, then when the installer is 0-day old, it should be blocked for all users.

Are you sure? How could Microsoft force all users to apply ASR?:)
The telemetry works with no ASR, too.
 
Although the WDAC/SAC documentation says it also takes prevalence into account, it is different. The beauty of that ASR rule (using 1000 installations as a hard criterion) is that it really lowers infection risk. @Andy Ful has often posted that the easiest and most effective protection against zero-days is delaying installations of new programs by a day. That is IMO the logic behind that ASR rule.

That ASR rule can be compared with blocking new domains (less than 30 days registered) and newly seen domains. It also causes FPs, but since most phishing and malicious websites are short-lived, it will protect you against most of them (possibly 95% or higher).