Q&A ConfigureDefender utility for Windows 10

Bundled with PUP
None

Andy Ful

Level 29
Content Creator
Verified
Joined
Dec 23, 2014
Messages
1,808
OS
Windows 10
Antivirus
Microsoft
#1
ConfigureDefender utility for Windows 10.
The current ConfigureDefender installer links (ver. 1.0.1.1):
.
ConfigureDefender utility is a GUI application to view and configure important Defender settings on Windows 10. It mostly uses PowerShell cmdlets (with a few exceptions). Furthermore, the user can apply one of three predefined settings: default, high, and child protection. Some settings require restarting the computer.
The child protection profile is mostly set to block anything suspicious via Attack Surface Reduction, Controlled Folder Access, SmartScreen (set to block) and a zero-tolerance cloud level; the Defender Security Center is also hidden.
ConfigureDefender utility is a part of Hard_Configurator project, but it can be used as a standalone application.
.
Some important remarks on the possible ways used to configure Defender (for advanced users).
.
Windows Defender settings are stored in the Windows Registry and most of them are not available from the Windows Defender Security Center. They can be managed via:
a) Group Policy Management Console (gpedit.msc, not available in Windows Home edition),
b) Direct Registry editing (manual, *.reg files, scripts),
c) PowerShell cmdlets (Set-MpPreference, Add-MpPreference, Remove-MpPreference; Windows 8.1+ only).
.
Normally, Windows Defender stores most settings under the key (owned by SYSTEM):
HKLM\SOFTWARE\Microsoft\Windows Defender
They can be changed when using Defender Security Center or PowerShell cmdlets.
.
Administrators can use Group Policy Management Console to override those settings. Group Policy settings are stored under another key (owned by ADMINISTRATORS):
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
Group Policy settings do not delete the normal Defender settings.
.
Direct Registry editing is usually done under the second key (the first requires System rights).
Applying Defender settings by Direct Registry editing under the key:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
is not recommended on Windows editions which support the Group Policy Management Console (for example PRO and Enterprise editions), because of some cons:
a) Those settings are not recognized by the Group Policy Management Console.
b) They can temporarily overwrite the Group Policy Management Console setup in the Registry, because they share the same Registry keys. Those changes are not permanent, because the Group Policy configuration itself is not overwritten.
c) After some hours, those settings are automatically and silently overwritten again by the Group Policy Refresh feature.
d) Those settings cannot be changed via the Defender Security Center (or PowerShell cmdlets), even if they are visible there (like the folders and applications related to Controlled Folder Access).
.
In Windows 8.1+ Home edition, one can configure Defender settings (outside of the Defender Security Center) using PowerShell cmdlets or manual Registry editing.
This may confuse some users, so the ConfigureDefender utility can remove the settings made via Direct Registry editing under the key: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender .
That is required, because those settings would override the ConfigureDefender settings.
.
The ConfigureDefender utility may also be used on Windows 10 Professional and Enterprise editions, if the Administrator did not apply Defender policies via the Group Policy Management Console. Normally all those policies are set to 'Not configured'. So, if the Administrator applied Defender policies, they must first be set to 'Not configured' before using ConfigureDefender.
.
Those settings can be found in Group Policy Management Console:
Computer configuration >> Policies >> Administrative templates >> Windows components >> Windows Defender Antivirus.
The tabs: MAPS, MpEngine, Real-time Protection, Reporting, Scan, Spynet, and Windows Defender Exploit Guard, should be examined.
.
The below list shows which settings are available in different Windows versions:
.
At least Windows 8.1:
Real-time Monitoring, Behavior Monitoring, Scan all downloaded files and attachments, Reporting Level (MAPS membership level), Average CPU Load while scanning
.
At least Windows 10:
Automatic Sample Submission, PUA Protection, Cloud Protection Level (Default), Cloud Check Time Limit.
.
At least Windows 10, version 1607 (Anniversary Update):
Block At First Seen.
.
At least Windows 10, version 1703 (Anniversary Update):
Cloud Protection Level (High level for Windows Pro and Enterprise), Cloud Check Time Limit (Extended to 60s).
.
At least Windows 10, version 1709 (Creators Fall Update):
Attack Surface Reduction, Cloud Protection Level (extended Levels for Windows Pro and Enterprise), Controlled Folder Access, Network Protection.
.
Post edited - new link to ConfigureDefender added.
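The post above explains that ConfigureDefender writes to the normal Defender key while anything under the Policies key silently wins. The script below, an added example that is not part of the ConfigureDefender project, lets an administrator audit both keys before using the utility: it lists every value under the Policies key (a non-empty result means Group Policy or a direct Registry tweak is in force and must be cleared first) and prints the effective preferences that the Defender cmdlets report for the settings the post lists. It assumes an elevated PowerShell session on Windows 8.1 or later where the Defender module (Get-MpPreference) is available; the function name Get-DefenderRegistryValues is my own.

```powershell
# Added example (not ConfigureDefender code). Run from an elevated PowerShell.
# The two keys named in the post: the normal settings key and the policy key.
$normalKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Enumerate every registry value under a key and its subkeys as objects
# (Key, Name, Value). Subkeys we lack permission to read are skipped.
function Get-DefenderRegistryValues {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Name  = if ($name) { $name } else { '(Default)' }
                Value = $key.GetValue($name)
            }
        }
    }
}

# 1. Policy overrides: anything present here overrides what ConfigureDefender
#    (or Set-MpPreference) writes to the normal key, and Group Policy Refresh
#    will put it back even if the normal key is changed.
$policyValues = @(Get-DefenderRegistryValues -Path $policyKey)
if ($policyValues.Count -eq 0) {
    Write-Host "No Defender policy values under $policyKey - ConfigureDefender settings will take effect."
} else {
    Write-Host "Policy values found under $policyKey (these override ConfigureDefender / Set-MpPreference):"
    $policyValues | Format-Table -AutoSize
}

# 2. Normal settings key, for comparison (read-only; it is owned by SYSTEM,
#    so some subkeys may not be readable even when elevated).
Write-Host "Values under $normalKey :"
@(Get-DefenderRegistryValues -Path $normalKey) | Format-Table -AutoSize

# 3. Effective preferences as reported by the Defender cmdlets, mapped to the
#    settings listed in the post. These are real Get-MpPreference properties.
$pref = Get-MpPreference
[pscustomobject]@{
    'Real-time Monitoring (disabled?)'      = $pref.DisableRealtimeMonitoring
    'Behavior Monitoring (disabled?)'       = $pref.DisableBehaviorMonitoring
    'Scan downloads/attachments (disabled?)'= $pref.DisableIOAVProtection
    'Reporting Level (MAPS)'                = $pref.MAPSReporting
    'Automatic Sample Submission'           = $pref.SubmitSamplesConsent
    'PUA Protection'                        = $pref.PUAProtection
    'Cloud Protection Level'                = $pref.CloudBlockLevel
    'Cloud Check Time Limit (extra seconds)'= $pref.CloudExtendedTimeout
    'Block At First Seen (disabled?)'       = $pref.DisableBlockAtFirstSeen
    'Average CPU Load while scanning (%)'   = $pref.ScanAvgCPULoadFactor
    'Controlled Folder Access'              = $pref.EnableControlledFolderAccess
    'Network Protection'                    = $pref.EnableNetworkProtection
    'ASR rule IDs'                          = ($pref.AttackSurfaceReductionRules_Ids -join ', ')
    'ASR rule actions'                      = ($pref.AttackSurfaceReductionRules_Actions -join ', ')
} | Format-List
```

Run it once before and once after applying a ConfigureDefender profile: the Policies section should stay empty on a Home edition or a Pro machine whose policies are 'Not configured', and the Get-MpPreference section should move to the values the profile sets. On a domain-joined Pro or Enterprise machine a non-empty Policies section is the signal that the post's advice applies and the policies must be set to 'Not configured' first.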
Joined
Apr 28, 2017
Messages
312
OS
Windows 10
Antivirus
Webroot
#2
Am I beating an irrelevant horse, or should everyone using Windows Defender also set Application Settings to (Allow from the Windows Store only)?

For the record, that doesn't mean you can never approve non-WS apps, but it is a strong denial and essentially a warning that non-Windows apps are being installed.

*Always check every .exe with VirusTotal dot com
 

shmu26

Level 65
Verified
Joined
Jul 3, 2015
Messages
5,419
OS
Windows 10
#3
Am I beating an irrelevant horse, or should everyone using Windows Defender also set Application Settings to (Allow from the Windows Store only)?

For the record, that doesn't mean you can never approve non-WS apps, but it is a strong denial and essentially a warning that non-Windows apps are being installed.

*Always check every .exe with VirusTotal dot com
Thanks, Andy!
Which settings, if any, would be applicable to people using a 3rd party AV?
 

Andy Ful

#4
Am I beating an irrelevant horse, or should everyone using Windows Defender also set Application Settings to (Allow from the Windows Store only)?

For the record, that doesn't mean you can never approve non-WS apps, but it is a strong denial and essentially a warning that non-Windows apps are being installed.

*Always check every .exe with VirusTotal dot com
This setting (Allow from the Windows Store only) is mainly equivalent to SmartScreen = Block.
One should understand that this setting allows running any application:
  • downloaded via Internet Downloader software,
  • embedded in archives (ZIP, 7-ZIP, ARJ, etc.)
  • from non-NTFS sources (pendrives, DVDs, ISO images, etc.)
So, one can easily be infected when opening a malicious document (DOC, RTF, PDF, etc.):
embedded script trojan downloader -> run downloaded malware.exe

Thanks, Andy!
Which settings, if any, would be applicable to people using a 3rd party AV?
I am afraid that those features (except SmartScreen and Hide Security Center) work only for Windows Defender.
 

Andy Ful

#6
You are welcome. :)
Yet, Microsoft has to improve some features like 'Average CPU load while scanning' and 'Network Protection'.
They do not work on some computers. This issue was also commented on by members of the Wilderssecurity forum.
 

Andy Ful

#14
...think this only hides WDSC. Right?

Yes. The setting ????? is only visible when one made some WDSC restrictions using reg tweaks or GPO.

Exploit Protection doesn't remember settings.
I set all to "Enable"; after Refresh/Restart the settings are back to "Disabled".

Thanks. Confirmed. I will correct this today. :)
In fact, the ASR settings are enabled, but ConfigureDefender, when compiled for Windows 32-bit and run on Windows 64-bit, wrongly shows that ASR is disabled. I did not notice this and pushed only one executable compiled for Windows 32-bit. I will upload ConfigureDefender for 64-bit Windows in an hour.

New link to ConfigureDefender ver. 1.0.0.1
ConfigureDefender/ConfigureDefender_1.0.0.1.zip at master · AndyFul/ConfigureDefender · GitHub
The file contains the ConfigureDefender_x32.exe (Windows 32-bit) and ConfigureDefender_x64.exe (Windows 64-bit).
 

Andy Ful

#18
The importance of 'Cloud Protection Level' and 'Cloud Check Time Limit' can be seen here:
Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
.
"If you are an organization that is willing to accept a higher false positive risk in exchange for stronger protection, you can configure the cloud protection level to tell the Windows Defender AV cloud protection service to take a more aggressive stance towards suspicious files, such as blocking at lower machine learning probability thresholds. In the Tibbar example above, for example, a configuration like this could have protected patient zero using the initial 81% confidence score, and not wait for the higher confidence (detonation-based) result that came later. You can also configure the cloud extended timeout to give the cloud protection service more time to evaluate a first-seen threat.

As another layer of real-time protection against ransomware, enable Controlled folder access, which is one of the features of the new Windows Defender Exploit Guard. Controlled folder access protects files from tampering by locking folders so that ransomware and other unauthorized apps can't access them.

For enterprises, Windows Defender Exploit Guard's other features (Attack Surface Reduction, Exploit protection, and Network protection) further protect networks from advanced attacks."
 

shmu26

#19
Works great.
This comment is about Office exploit protection in general, not about ConfigureDefender:
I have a certain Word add-on, "SaveReminder Ver 2.1.dotm", it lives in the Word startup folder in Appdata/Roaming/Microsoft. After enabling Office exploit protection, I got an error message when opening Word, saying that the file was blocked. Okay fine, but when I open the exceptions tab to fix the problem, I discover that the add-on file is gone entirely. It is not even in WD quarantine. Cute, huh?
 

Andy Ful

#20
Works great.
This comment is about Office exploit protection in general, not about ConfigureDefender:
I have a certain Word add-on, "SaveReminder Ver 2.1.dotm", it lives in the Word startup folder in Appdata/Roaming/Microsoft. After enabling Office exploit protection, I got an error message when opening Word, saying that the file was blocked. Okay fine, but when I open the exceptions tab to fix the problem, I discover that the add-on file is gone entirely. It is not even in WD quarantine. Cute, huh?
That is strange; it should be quarantined. It can be a Defender bug.