ConfigureDefender utility for Windows 10/11

especially the part about "Behavior Monitoring".
It's a big part of antivirus protection these days. Not like in the old days, when an antivirus would basically just compare a file to a list of known malicious files, nowadays the AV tries to watch what the file is doing in real-time, and if it misbehaves, it gets arrested.
 


What can I do ?
 
I read the whole thing and understood it generally, but the specifics of code, etc. were over my head.
My general impression is that if someone specifically crafts malware to bypass ASR, he might succeed, but regular malware will be blocked.
 
My general impression is that if someone specifically crafts malware to bypass ASR, he might succeed, but regular malware will be blocked.
That was the author's (and my) conclusion too.:giggle:
I can bypass ASR rules by myself, so why not others. The author is very good at bypassing Windows security. A few bypasses were new to me.

Edit.
I read this article and watched a video (thanks to @enemyofarsenic) two months ago. :giggle:
Most bypasses use scripts or VBA macros, so can be prevented by H_C.
 
My question is if the average malware coder would bother since most people don’t even know how to turn ASR on or off in the security center, at least at home. Minimal effort for biggest return. I would hope most enterprises do it as part of their standard system image. But enterprise focused malware is a whole different beast. But I guess we here are concerned beyond the average malware coder.
 
This article can be summed up by two author citations:

My opinion is that with ASR, Microsoft attempts to shut down a whole category of phishing exploits.
For example, the rule “Block all Office applications from creating child processes” probably blocks 99.9% of macro-based droppers found in the wild.
.....
.....
I think ASR is a great feature to prevent common malware attacks. At the same time, most rules seem broken or way too easy to bypass. In fact, during my tests I can say I had more problems with bypassing AMSI for scripts/office documents than ASR.
Currently, ASR is not well known by blue teams. It's probable that as more defenders adopt these measures, attackers will adapt their tools to bypass them.
 
Is this why I have had certain blocks but it appears the app still functions? Or is it that the app functions generally but not that specific blocked process? :emoji_thinking:
The second. (y)
Most such alerts you get are due to the LSASS ASR rule or Controlled Folder Access.
 
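The "Block all Office applications from creating child processes" rule quoted above and the LSASS rule mentioned in the reply are both managed through the Defender PowerShell cmdlets, which is also what ConfigureDefender drives under the hood. The following is an added example, not code from this thread or from ConfigureDefender. It assumes an elevated PowerShell session on Windows 10/11 with Defender as the active AV; the two rule GUIDs are the ones Microsoft publishes for those rules (check them against the current ASR rule reference), and the field labels parsed out of the event message ("ID:", "Path:") are an assumption about the event text layout. It puts one rule in audit mode first and then reads back the ASR events, which is how you can confirm that a block hit one specific operation while the application itself kept running.

```powershell
# Added example: stage an ASR rule in audit mode and review what it logs.
# Not from the thread or from ConfigureDefender. Run elevated on Windows 10/11.
# Rule GUIDs are Microsoft's published IDs for these rules; verify before use.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # Block all Office apps from creating child processes
$LsassRule           = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'  # Block credential stealing from LSASS

# 1. ASR needs real-time protection and behavior monitoring; warn if either is off.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled -or -not $status.BehaviorMonitorEnabled) {
    Write-Warning 'Real-time protection or behavior monitoring is off; ASR rules will not fire.'
}

# 2. Audit first: AuditMode logs what would be blocked without blocking it.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode
# The LSASS rule is usually safe to enforce outright; switch it to Block.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Show the resulting rule set (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  ->  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                      $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 4. Read back what ASR logged: 1121 = blocked, 1122 = audited (would have been blocked).
#    The "ID:" / "Path:" lines are an assumption about the event message layout.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines = $_.Message -split "`r?`n"
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId = ($lines | Where-Object { $_ -match '^\s*ID:' })   -replace '^\s*ID:\s*', ''
            Path   = ($lines | Where-Object { $_ -match '^\s*Path:' }) -replace '^\s*Path:\s*', ''
        }
    } | Format-Table -AutoSize
```

Leaving a rule in audit mode for a while and reviewing the 1122 events before switching it to Enabled is the usual way to find legitimate software that a rule would break; the event shows the single operation that tripped the rule, not the whole application, which is why a blocked process can coexist with an app that otherwise keeps working.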
I want to add a ConfigureDefender section to the Hard_Configurator home page because ConfigureDefender is an important part of H_C. But I'm still missing a text/phrase. @Andy Ful @shmu26 @oldschool

A section with the test results from the Hub (H_C tweaks and SmartScreen without any AV as usual) will be added later. Any help or advice (EDIT: changed "tip" to "advice", perhaps because of confusion) is welcome! (maybe an extra FAQ?)
 

Attachment: Auswahl_051.png
@askalan @Andy Ful @shmu26

I imagine you want something short and sweet. Here's my first shot at it:

"ConfigureDefender is an open source tool that enables users to easily configure Windows Defender advanced features. It includes three predefined security profiles and allows the user to customize Windows Defender settings."