ConfigureDefender utility for Windows 10/11

harlan4096 said:
@Andy Ful: what about XLSTATSTART.exe? I got final verdict from KVirusDesk is clean, also appears as Trusted in KSN... :unsure: :emoji_thinking:

I've also tested with KTS2020d (defaults) and :

1570013219324.png1570013370160.png

1570014144212.png1570014168817.png
I've tested and triggers cmd.exe -> conhost.exe for about 1 second and auto terminates, it only left a 0 KB file... false positive??
Click to expand...
It looks like a crack for XLSTAT (AddinSoft) for Excel.
 
  • Like
  • Thanks
  • +Reputation
Reactions: [correlate], Venustus, Mercenary and 3 others
SeriousHoax said:
I checked log, there wasn't anything in the log about this sample.
Click to expand...
Is there any entry in the Log for blocking via ASR rules (search for 1121 in the Log)? You can also post the Log, I am curious how this malware was mitigated.:giggle:(y)
The payload should be blocked when spawning by WmiPrvSE.exe.
 
Last edited:
  • Like
  • Thanks
Reactions: [correlate], Venustus, harlan4096 and 2 others
  • Like
  • +Reputation
Reactions: [correlate], oldschool, silversurfer and 2 others
How is it offtopic, there is an option in your program and it's labeled ??????, I'm wondering what it does/means/do/supposed to say, etc. just answer the question and this will move on.
 
  • Like
Reactions: [correlate]
Special said:
How is it offtopic, there is an option in your program and its labled ??????, I'm wondering what it does/means/do/suspose to say, etc. just answer the damned question and this will move on.
Click to expand...
Please be kind. Your post :
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-837296
is probably displayed improperly. Here what I can see on my computer:
quantas.png

That is why some members completely did not understand what it should mean.
There is one setting ??????? in ConfigureDefender, and it means that the user hid only some features in Windows Security Center by using reg tweaks, GPO, or other software.
 

Attachments

  • quantas.png
    quantas.png
    62.6 KB · Views: 459
Last edited:
  • Like
  • +Reputation
Reactions: [correlate], Venustus, Protomartyr and 4 others
Some notes related to the latest test:
https://malwaretips.com/threads/malware-samples-14-2-10-2019.95369/post-837733

4.bat was analyzed here:
https://app.any.run/tasks/310bde9b-a55c-4525-815c-5c0e6566197e/
If successful then it writes autorun entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
msptermsizes = "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"

DH_695294_7957766861156.vbs was analyzed here:
https://app.any.run/tasks/65743ea0-6e3c-409c-a617-cfdf189501a7/
If successful then it writes autorun entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
wdukuigy = "C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe"

Chrome.Update.cfbe05.js was analyzed here:
https://app.any.run/tasks/79b53a41-6f20-42dd-875f-b8291ab51715/
It is probably a part of some more complex attack - it does not try to do anything dangerous. It can be also that the CnC server is already down.
 
Last edited:
  • Like
  • +Reputation
Reactions: [correlate], silversurfer, Venustus and 2 others
Special said:
Sorry, but I was getting fusterated with all the non-answers. I have no idea why you are seeing what you see, this is what I posted, and this is the link to said pictures (maybe this'll work)...View attachment 226636View attachment 226637
Click to expand...

This was @Andy Ful's reply earlier today:

Andy Ful said:
There is one setting ??????? in ConfigureDefender, and it means that the user hid only some features in Windows Security Center by using reg tweaks, GPO, or other software.
Click to expand...
 
  • Like
  • +Reputation
Reactions: [correlate], Andy Ful, Venustus and 3 others
Andy Ful said:
Is there any entry in the Log for blocking via ASR rules (search for 1121 in the Log)? You can also post the Log, I am curious how this malware was mitigated.:giggle:(y)
The payload should be blocked when spawning by WmiPrvSE.exe.
Click to expand...
There wasn't any. Even in the last malware pack test for the 3 script there wasn't any entry related to those.

oldschool said:
@SeriousHoax In your testing with Max settings I guess you haven't had any ransomware make it far enough to be blocked by Controlled Folder Access? :emoji_thinking:
Click to expand...
So far, no. All the ransomwares have been blocked by signatures.
 
  • Like
Reactions: [correlate], oldschool, Andy Ful and 3 others
SeriousHoax said:
There wasn't any. Even in the last malware pack test for the 3 script there wasn't any entry related to those.
Click to expand...
The two samples from the last test add autorun entries, so I am sure that they were neutralized on your testing system or were already dead. It is also possible that they were stopped by WIndows 10 mitigations. Anyway, we do not know if WD could mitigate/block them.:emoji_thinking:
 
  • Like
  • +Reputation
Reactions: [correlate], oldschool, SeriousHoax and 1 other person
matrixlord said:
Network Protection not working. Opera&Edge // host&vm

View attachment 226703
Click to expand...
The Demo link SmartScreen Test does not work for me too. That happened several times in the past. But, Network Protection still works for the real phishing links. I have just tried this on the one-year-old link and NP works well. If someone wants to check it, then please PM to me.(y)
 
  • Like
  • Thanks
Reactions: [correlate], harlan4096, plat and 2 others

You may also like...