ConfigureDefender utility for Windows 10/11

Although the WDAC/SAC documentation says it also takes prevalence into account, it is different. The beauty of that ASR rule (using 1000 installations as a hard criterion) is that it really lowers infection risk. @Andy Ful has often posted that the easiest and most effective protection against zero days is delaying installations of new programs by a day. That is IMO the logic behind that ASR rule.

That ASR rule can be compared to blocking new domains (registered less than 30 days ago) and newly seen domains. It also causes FPs, but since most phishing and malicious websites are short-lived, it will protect you against most of them (possibly 95% or higher).
Currently I am re-reading @Andy Ful's threads on CD and WHHL in an attempt to reach a conclusion on whether SAC can replace all or some of the ASR rules, or whether they complement each other (at least for some of the rules).
 
It also causes FPs, but since most phishing and malicious websites are short-lived, it will protect you against most of them (possibly 95% or higher).

I am not sure if I understood you well. However, about half of all phishing domains were newly registered (up to 30 days old).
41% of all phishing domains were up to 14 days old.
The attackers can wait a few weeks after registration before starting the attacks. There are also many attacks via compromised websites.


SCR files are technically EXE files (as binary content). This rule mainly blocks DLLs when executed by some LOLBins like RunDll32. After such a block, such a DLL is also blocked on access, so the content of the DLL cannot be read.
 
SCR files are technically EXE files (as binary content). This rule mainly blocks DLLs when executed by some LOLBins like RunDll32. After such a block, such a DLL is also blocked on access, so the content of the DLL cannot be read.
If it blocks side-loaded DLL files, I may ditch SAC comfortably.
 
If it blocks side-loaded DLL files, I may ditch SAC comfortably.

It could block side-loading, but only after the block event related to running via LOLBin. This is not a prevalent method. So, you cannot ditch SAC easily.
 
If it blocks side-loaded DLL files, I may ditch SAC comfortably.
Why would you disable SAC? Some incompatibility? Inability to use certain apps?

SAC with a user's preferred ASR rules provides some defense layers.

Various Defender features are buggy, or don't work seamlessly, which is why many users don't use them if they even know about them. CFA being a prime example.
Currently I am re-reading @Andy Ful's threads on CD and WHHL in an attempt to reach a conclusion on whether SAC can replace all or some of the ASR rules, or whether they complement each other (at least for some of the rules).
It's a good idea to go over those threads regardless of your motivation or conclusion, though it's a lot of reading. :)
 
Why would you disable SAC?
Lack of exclusions; MD has them, several ASR rules have them, SAC does not.
It's a good idea to go over those threads regardless of your motivation or conclusion, though it's a lot of reading. :)
Trying to decide if ASR rules are sufficient without SAC for my personal pattern of use or not.
I never get bored of reading and re-reading Andy's threads: a large number of participants, smart discussion, and rich, applicable knowledge.
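As an added illustration of the exclusion point raised above (this is not code from the thread or from ConfigureDefender), the "prevalence, age, or trusted list" ASR rule can be staged in Audit mode, its audit events reviewed for false positives, and a path exclusion added before it is switched to Block. The rule GUID is Microsoft's published one; the excluded path is a hypothetical placeholder.

```powershell
# Added example, not part of the thread: stage the "prevalence, age, or trusted list"
# ASR rule in Audit mode, review what it would have blocked, then enable it with an exclusion.
# Run in an elevated PowerShell on Windows 10/11 with Microsoft Defender active.
# GUID from Microsoft's ASR rule reference.
$PrevalenceAgeRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# 1. Audit first: the rule logs what it would block but blocks nothing,
#    so false positives surface without breaking anything.
Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceAgeRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm the rule state (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  ->  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                      $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 3. After some days of normal use, list what this rule audited (event 1122)
#    or blocked (event 1121); the rule GUID and the file path are in the message text.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match $PrevalenceAgeRule } |
  Select-Object TimeCreated, Id, Message |
  Format-List

# 4. Exclude a known-good, rarely distributed tool that the audit flagged.
#    Hypothetical path; ASR-only exclusions are path-based and apply to the ASR rules,
#    which is the exclusion capability SAC lacks.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Tools\InternalBuild\mytool.exe'

# 5. Switch the rule to Block once the audit log looks clean.
Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceAgeRule `
                 -AttackSurfaceReductionRules_Actions Enabled
```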
 
Some problems can be greater with CFA because it protects not only the folders but also some system-protected disk areas.
I like Avast's CFA (Ransomware Shield) more, as it allows removing the default folders and keeping only the folders I want to protect.