ConfigureDefender utility for Windows 10/11
<blockquote data-quote="Andy Ful" data-source="post: 812462" data-attributes="member: 32260"><p>Some changes in ConfigureDefender GUI and Help (thanks @oldschool :giggle:).</p><p></p><p>Here is the section added to the new Help:</p><p></p><p>Most settings available in ConfigureDefender are related to Windows Defender real-time protection and work only when Windows Defender real-time protection is set to "ON".</p><p></p><p>Important: <em>These two settings (below) should <strong>never</strong> be changed</em> <em>because important features like "Block at First Sight" and "Cloud Protection Level" will not work properly:</em></p><p></p><p>"Cloud-delivered Protection" = "ON"</p><p>"Automatic Sample Submission" = "Send"</p><p></p><p><em><u>ConfigureDefender Protection Levels (pre-defined settings)</u>: </em></p><p></p><p>"DEFAULT"</p><p>Microsoft Windows Defender default configuration which is applied automatically when installing the Windows system. It provides basic antivirus protection and can be used to quickly revert any configuration to Windows defaults.</p><p></p><p>"HIGH"</p><p>Enhanced configuration which enables Network Protection and most of Exploit Guard (ASR) features. Three Exploit Guard features and Controlled Folder Access ransomware protection are disabled to avoid false positives. This is the recommended configuration which is appropriate for most users and provides significantly increased security.</p><p></p><p>"MAX"</p><p>This is the most secure protection level which enables all advanced Windows Defender features and hides Windows Security Center. Configuration changes can be made <em>only</em> with the ConfigureDefender user interface. 
The "MAX" settings are intended to protect children and casual users but can also be used (with some modifications) to maximize the protection. This protection level usually generates more false positives compared to the "HIGH" settings and may require more user knowledge or skill.</p><p></p><p><em><u>ConfigureDefender custom settings</u>:</em></p><p>You may customize your configuration by choosing any of the three protection levels and then changing individual features.</p><p></p><p><em><u>How to apply the settings:</u></em></p><p>Select a Protection Level or custom configuration, press the "Refresh" green button and let ConfigureDefender confirm the changes. ConfigureDefender will alert if any of your changes have been blocked. <strong>Reboot to apply chosen protection.</strong></p><p></p><p><em><u>Audit mode:</u></em></p><p>Many ConfigureDefender options can be set to "Audit". In this setting, Windows Defender will log events and warn the user about processes which would otherwise be blocked with this setting "ON". This feature is available for users to check for software incompatibilities with applied Defender settings. The user can avoid incompatibilities by adding software exclusions for ASR rules and Controlled Folder Access.</p><p></p><p><em><u>Defender Security Log:</u></em></p><p>This option can gather the last 200 entries from the Windows Defender Antivirus events. These entries are reformatted and displayed in the notepad. The following event IDs are included: 1006, 1008, 1015, 1116, 1117, 1118, 1119, 1121, 1122, 1123, 1124, 1125, 1126, 1127, 1128, 3002, 5001, 5004, 5007, 5008, 5010, 5012. 
Inspecting the log can be useful when a process or file execution has been blocked by Windows Defender Exploit Guard.</p><p></p><p>The example of the Log:</p><p>[CODE]Event[0]:</p><p>*****************************************</p><p>*****************************************</p><p> Date: 2019-02-23 Time: 06:36:25.315</p><p> Event ID: 5007</p><p>(Changed Windows Defender settings)</p><p>*****************************************</p><p>*****************************************</p><p> User Name: NT AUTHORITY\SYSTEM</p><p> Computer: DESKTOP-5HUB7VC</p><p> Description:</p><p>Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.</p><p> Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation = C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\</p><p> New value: HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation = C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1902.2-0\</p><p></p><p></p><p>Event[1]:</p><p>*****************************************</p><p>*****************************************</p><p> Date: 2019-02-23 Time: 06:33:43.581</p><p> Event ID: 1121</p><p>(Blocked by ASR rule)</p><p>*****************************************</p><p>*****************************************</p><p> User Name: NT AUTHORITY\SYSTEM</p><p> Computer: DESKTOP-5HUB7VC</p><p> Description:</p><p>Windows Defender Antivirus has blocked an operation that is not allowed by your IT administrator.</p><p>For more information please contact your IT administrator.</p><p> ID: d1e49aac-8f56-4280-b9ba-993a6d77406c</p><p> ConfigureDefender option: Block process creations originating from PSExec and WMI commands</p><p> Detection time: 2019-02-23T14:33:43.580Z</p><p> User: NT AUTHORITY\NETWORK SERVICE</p><p> Path: C:\Windows\System32\cmd.exe</p><p> Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe</p><p> Signature Version: 1.287.606.0</p><p> Engine Version: 
1.1.15700.8</p><p> Product Version: 4.18.1812.3</p><p></p><p></p><p>Event[2]:</p><p>*****************************************</p><p>*****************************************</p><p> Date: 2019-02-23 Time: 06:23:54.221</p><p> Event ID: 5007</p><p>(Changed Windows Defender settings)</p><p>*****************************************</p><p>*****************************************</p><p> User Name: NT AUTHORITY\SYSTEM</p><p> Computer: DESKTOP-5HUB7VC</p><p> Description:</p><p>Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.</p><p> Old value:</p><p> New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c</p><p> ConfigureDefender option: Block process creations originating from PSExec and WMI commands = 0x1</p><p></p><p>Event[3]:</p><p>*****************************************</p><p>*****************************************</p><p> Date: 2019-02-23 Time: 06:09:15.534</p><p> Event ID: 5004</p><p>(Changed Windows Defender settings)</p><p>*****************************************</p><p>*****************************************</p><p> User Name: NT AUTHORITY\SYSTEM</p><p> Computer: DESKTOP-5HUB7VC</p><p> Description:</p><p>Windows Defender Antivirus Real-time Protection feature configuration has changed.</p><p> Feature: Network Inspection System</p><p> Configuration: 0</p><p></p><p>Event[4]:</p><p>*****************************************</p><p>*****************************************</p><p> Date: 2019-02-23 Time: 06:09:15.533</p><p> Event ID: 5007</p><p>(Changed Windows Defender settings)</p><p>*****************************************</p><p>*****************************************</p><p> User Name: NT AUTHORITY\SYSTEM</p><p> Computer: DESKTOP-5HUB7VC</p><p> Description:</p><p>Windows Defender Antivirus Configuration has changed. 
If this is an unexpected event you should review the settings as this may be the result of malware.</p><p> Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\DisableBmNetworkSensor = 0x1</p><p> New value: Default\NIS\Consumers\IPS\DisableBmNetworkSensor = 0x0</p><p></p><p>Event[5]:</p><p>*****************************************</p><p>*****************************************</p><p> Date: 2019-02-23 Time: 06:08:55.665</p><p> Event ID: 5004</p><p>(Changed Windows Defender settings)</p><p>*****************************************</p><p>*****************************************</p><p> User Name: NT AUTHORITY\SYSTEM</p><p> Computer: DESKTOP-5HUB7VC</p><p> Description:</p><p>Windows Defender Antivirus Real-time Protection feature configuration has changed.</p><p> Feature: Network Inspection System</p><p> Configuration: 1</p><p></p><p>Event[6]:</p><p>*****************************************</p><p>*****************************************</p><p> Date: 2019-02-23 Time: 06:08:55.663</p><p> Event ID: 5007</p><p>(Changed Windows Defender settings)</p><p>*****************************************</p><p>*****************************************</p><p> User Name: NT AUTHORITY\SYSTEM</p><p> Computer: DESKTOP-5HUB7VC</p><p> Description:</p><p>Windows Defender Antivirus Configuration has changed. 
If this is an unexpected event you should review the settings as this may be the result of malware.</p><p> Old value: Default\NIS\Consumers\IPS\DisableBmNetworkSensor = 0x0</p><p> New value: HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\DisableBmNetworkSensor = 0x1</p><p></p><p>Event[7]:</p><p>*****************************************</p><p>*****************************************</p><p> Date: 2019-02-10 Time: 15:40:51.108</p><p> Event ID: 1122</p><p>(Audited by ASR rule)</p><p>*****************************************</p><p>*****************************************</p><p> User Name: NT AUTHORITY\SYSTEM</p><p> Computer: DESKTOP-5HUB7VC</p><p> Description:</p><p>Windows Defender Antivirus audited an operation that is not allowed by your IT administrator.</p><p>For more information please contact your IT administrator.</p><p> ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2</p><p> ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)</p><p> Detection time: 2019-02-10T23:40:51.106Z</p><p> User: NT AUTHORITY\SYSTEM</p><p> Path: C:\Windows\System32\lsass.exe</p><p> Process Name: C:\Windows\System32\VBoxService.exe</p><p> Signature Version: 1.285.1306.0</p><p> Engine Version: 1.1.15600.4</p><p> Product Version: 4.18.1812.3[/CODE]</p></blockquote><p></p>
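Added example, not part of the quoted post and not ConfigureDefender's own code: a small Python parser for the text layout of the Defender Security Log shown above, which tallies ASR block (1121) and audit (1122) events per rule and process pair, as one would when reviewing Audit mode before adding exclusions, and lists 5007 events that changed an ASR rule key. The function names and the abridged sample are assumptions made for this illustration; the sample values are taken from the log in the post.

```python
import re
from collections import Counter

# Abridged from the log quoted in the post: three events, separator and label rows dropped.
SAMPLE_LOG = r"""
Event[0]:
  Date: 2019-02-23    Time: 06:33:43.581
  Event ID: 1121
  ID: d1e49aac-8f56-4280-b9ba-993a6d77406c
  ConfigureDefender option: Block process creations originating from PSExec and WMI commands
  Path: C:\Windows\System32\cmd.exe
  Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Event[1]:
  Date: 2019-02-23    Time: 06:23:54.221
  Event ID: 5007
  Old value:
  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c
  ConfigureDefender option: Block process creations originating from PSExec and WMI commands = 0x1
Event[2]:
  Date: 2019-02-10    Time: 15:40:51.108
  Event ID: 1122
  ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
  ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  Path: C:\Windows\System32\lsass.exe
  Process Name: C:\Windows\System32\VBoxService.exe
"""

KEYS = "Event ID|ID|ConfigureDefender option|Path|Process Name|Old value|New value"
FIELD = re.compile(rf"^[ \t]*({KEYS}):[ \t]*(.*)$", re.M)
STAMP = re.compile(r"Date:\s*(\S+)\s+Time:\s*(\S+)")

def parse_log(text):
    """Split on 'Event[n]:' headers and return one dict of known fields per event."""
    events = []
    for chunk in re.split(r"^Event\[\d+\]:[ \t]*$", text, flags=re.M)[1:]:
        ev = {key: value.strip() for key, value in FIELD.findall(chunk)}
        stamp = STAMP.search(chunk)
        ev["When"] = " ".join(stamp.groups()) if stamp else ""
        events.append(ev)
    return events

def asr_hits(events):
    """Count ASR block (1121) and audit (1122) events per (mode, rule, process, target)."""
    mode = {"1121": "blocked", "1122": "audited"}
    return Counter((mode[e["Event ID"]], e.get("ConfigureDefender option", "?"),
                    e.get("Process Name", "?"), e.get("Path", "?"))
                   for e in events if e.get("Event ID") in mode)

def asr_rule_changes(events):
    """Return 5007 (settings changed) events whose old or new value is an ASR rule key."""
    return [e for e in events if e.get("Event ID") == "5007"
            and "\\ASR\\Rules\\" in e.get("Old value", "") + e.get("New value", "")]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (mode, rule, proc, target), n in asr_hits(evs).items():
        print(f"{n}x {mode}: {rule}\n   process={proc}\n   target={target}")
    for e in asr_rule_changes(evs):
        print(e["When"], "ASR rule setting changed:", e.get("ConfigureDefender option"))
```

Repeated "audited" entries for the same rule and process are the ones to review before switching that rule from "Audit" to "ON".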