Updates ConfigureDefender utility for Windows 10

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,725
Hi @Andy Ful
The current Windows version is 1803 and I have HMPA too. Any issue with them?

I guess I have to read through all the pages now.

Just ran the x64 version and I think there's a bug

When the GUI is open and I press minimize, it minimizes to the lower taskbar, i.e., there's an icon there. There's another icon in the system tray. Is this correct?

Should I close (or press the 'X') the GUI after setting to 'High' setting?

Should I just use the default setting and let HMPA handle all exploit issues?

Thanks
There should not be any issues with HMPA.
The icon on the System Tray (after minimizing ConfigureDefender) is related to the possibility of adding some options available via the right-click Explorer context menu. I simply have not decided yet whether it would be necessary or not.
After configuring any settings, you should press the REFRESH (green) button to see if the changes were properly applied. Sometimes another external protection can block PowerShell cmdlets from applying the settings.
Some HMPA features may duplicate a few WD ASR mitigations, especially those related to MS Office. But I am not an expert on HMPA. Generally, it is recommended to activate "Defender High Settings".

Edit.
HMPA would duplicate, to a great extent, the mitigations related to Windows 10 Exploit Protection, which is not included in ConfigureDefender (it works independently of WD).
 

Andy Ful

I made the test with the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". It can block read access to the suspicious executables (.exe, .dll, etc.). That can prevent file execution and even reflective DLL injection:
Update - Hard_Configurator - Windows Hardening Configurator
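The two posts above recommend pressing REFRESH after applying a profile to confirm the settings really landed (another security product can block the PowerShell cmdlets), and describe testing the "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" ASR rule. The script below is an added example of doing that read-back check from PowerShell; it is not ConfigureDefender's own code. It assumes an elevated PowerShell on Windows 10 with Microsoft Defender active, uses the documented rule ID 01443614-cd74-433a-b99e-2ecdc07bfc25 for the prevalence/age/trusted-list rule, and the expected values in `$expected` and `$expectedAsr` are assumptions chosen for the example rather than the tool's "High" profile verbatim.

```powershell
# Added example (not ConfigureDefender's code): read Defender settings back with
# Get-MpPreference and report any that do not match what was supposed to be applied.
# Assumptions: elevated PowerShell, Windows 10, Defender active. The expected values
# below are illustrative, not the exact contents of any ConfigureDefender profile.

# ASR rule ID -> expected action (0 = Disabled, 1 = Block, 2 = Audit).
# 01443614-... is the documented ID of "Block executable files from running unless
# they meet a prevalence, age, or trusted list criterion".
$expectedAsr = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 1
}

# Plain Get-MpPreference properties and the values we expect after applying settings.
$expected = @{
    DisableRealtimeMonitoring = $false   # real-time protection must stay on
    MAPSReporting             = 2        # 2 = Advanced cloud reporting
    SubmitSamplesConsent      = 1        # 1 = send safe samples automatically
}

$pref = Get-MpPreference
$problems = @()

foreach ($name in $expected.Keys) {
    $actual = $pref.$name
    if ($actual -ne $expected[$name]) {
        $problems += "$name is '$actual', expected '$($expected[$name])'"
    }
}

# ASR rules are exposed as two parallel arrays (Ids and Actions); zip them into a table.
$asr = @{}
if ($pref.AttackSurfaceReductionRules_Ids) {
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
        $asr[$id] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

foreach ($id in $expectedAsr.Keys) {
    if (-not $asr.ContainsKey($id)) {
        $problems += "ASR rule $id is not configured at all"
    } elseif ($asr[$id] -ne $expectedAsr[$id]) {
        $problems += "ASR rule $id action is $($asr[$id]), expected $($expectedAsr[$id])"
    }
}

if ($problems.Count -gt 0) {
    Write-Warning "Some settings did not apply (another product may be blocking Set-MpPreference):"
    $problems | ForEach-Object { Write-Warning "  $_" }
    exit 1
} else {
    Write-Host "All checked Defender settings match the expected values."
}
```

A non-zero exit code makes the script usable from a scheduled task or a post-install step, so drift caused by another product blocking the cmdlets shows up without opening the GUI. Settings enforced through Group Policy are reported by `Get-MpPreference` as well, so the same check works whether the values came from ConfigureDefender or from a policy.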
 

Andy Ful

A few days ago, I looked in the mirror and could see my real face - I am a black hat.
Four months ago, I created a very "stealthy trojan". I managed to hide it in the installer, and sent the installer to some AV vendors for analysis, claiming that it is legitimate software. They checked the installer and accepted it as clean. After some months, it was accepted even by SmartScreen Application Reputation. I was very happy, until Windows Defender AI finally detected my malware (but the installer is still clean). Yet, I did not give up and sent the "malware" for analysis; maybe I will be lucky again?:emoji_pray:
Am I a genius? Wait ..., could it not be just a false positive?:unsure:
 

Andy Ful

Cylance has been flagging ConfigureDefender for a while now.
Probably some heuristics (clean on VirusTotal). Microsoft suddenly flagged it as Trojan:Win32/Vigorf.A .
I am waiting for the answer from Microsoft on how a file which was already analyzed and accepted as clean can be detected as malicious after nearly 4 months.
Antivirus scan for 0cc3bb3fc1bf52a791c2461ebea3affd1beff5b8629b969c63b0a2f452a1fc8a at 2018-09-30 15:02:39 UTC - VirusTotal
That calls into question the Microsoft channel for "software providers wanting to validate detection of their products": Submit a file for malware analysis - Windows Defender Security Intelligence
I always send the installers to Microsoft, because I want to avoid just such problems.
 

ticklemefeet

Level 24
Jan 31, 2018
1,303
Yes I wonder why VT's online Cylance doesn't detect it but the home version does? By your link 4 are flagging it now plus Cylance home. That makes 5.
 

Andy Ful

Yes I wonder why VT's online Cylance doesn't detect it but the home version does? By your link 4 are flagging it now plus Cylance home. That makes 5.
Flagging such a program as ConfigureDefender by an AV is normal if the file was not sent for analysis. I did not send it to Cylance, McAfee, Rising etc. The problem is when the file is flagged despite the fact that it was previously analyzed and accepted as clean. Something is wrong with Microsoft WD false positives, because I cannot even download, for example, the Excubits Bouncer: it is blocked by SmartScreen, and after disabling SmartScreen the Bouncer installer is quarantined by WD. The Bouncer vendor is well known on the MalwareTips and Wilders forums, and the Bouncer installer is signed with an EV certificate.
 

Homer712

New Member
Oct 1, 2018
1
Joined this forum just to say thank you for ConfigureDefender, and . . . after "lurking/reading" here for days once Defender started "flagging" my installed version of ConfigureDefender, to say thank you for confirming that I am not crazy. Could not understand how, after months of being installed, Windows Defender all of a sudden started deleting the file. Wouldn't even allow me to download a fresh copy (thinking maybe mine had become corrupt). As soon as you hit "download" it would be flagged.
 

Andy Ful

Joined this forum just to say thank you for ConfigureDefender, and . . . after "lurking/reading" here for days once Defender started "flagging" my installed version of ConfigureDefender, to say thank you for confirming that I am not crazy. Could not understand how, after months of being installed, Windows Defender all of a sudden started deleting the file. Wouldn't even allow me to download a fresh copy (thinking maybe mine had become corrupt). As soon as you hit "download" it would be flagged.
I hope that Microsoft will solve this issue soon. I checked today; the file analysis is not yet finished.(y)
 

Andy Ful

Finally I have got the answer. In short, ConfigureDefender is detected as malware because it has an option to disable WD real-time protection.

Below is the full answer:
"Analyst comments:

Hello Andy Ful,

Thank you for your inquiry.

We have reviewed the file(s) and have determined that the file(s) meets our criteria for detection. At this time detection will remain in place.

The software changes the Defender settings including disabling real time protection so we cannot remove the detection.

More detailed information about the approach and criteria categories currently used by the Microsoft researchers are available here:
How Microsoft identifies malware and potentially unwanted applications

Thank you for contacting Microsoft.

Best regards,
Windows Defender Response
"

OK. In the next version, I will remove that option.:emoji_popcorn:
 

Andy Ful

I removed the option "Real-time monitoring", because I think that a developer who creates an AV configurator should respect the opinion of the AV vendor. Furthermore, removing that option does not change the usability of ConfigureDefender.

That does not mean that I agree with unjustifiably flagging legitimate and already accepted software as malicious. The proper way would be sending an email informing the developer that his already accepted software actually cannot be accepted, for the concrete reason. But that would require some respect from the AV vendor for small developers, and that is not the behavior of corporations.:coffee:
 

Reldel1

Level 1
Jun 12, 2017
47
The version 1.0.1.1 which was flagged by Microsoft as Trojan:Win32/Vigorf.A is now (after my complaint) detected as HackTool:Win32/MpTamper.D . The analysis of the new version 1.1.1.1 is still pending. :emoji_pray:

Yes, my morning has been spent trying to counter this problem on two machines; two others I haven't even opened yet. When I opened the first Windows 10 with 1809 installed I got the warning from Defender. From that point on Edge would open but not connect to the internet. Not having read this link I wasn't sure at first what was causing the issue. I restored Windows back to Oct. 1 with Macrium Reflect. Upon first opening the restored version all was fine, but if I tried to open the Hard_Configurator GUI, Defender reacted immediately and reported finding three trojans, one of which was the above Vigorf.A plus two other versions of Vigorf. Thereafter Edge would again not connect to the internet. After figuring the problem was with Microsoft and H_C I did several more restores trying to troubleshoot, to no avail. Now as long as I don't open the H_C GUI all is working properly on one machine, but the issue is not resolved: I can't uninstall H_C without opening the GUI, and then boom, back into the loop of having to restore again.

After figuring out what the problem was, I was able to quickly turn off Defender and uninstall H_C before Edge was corrupted on the other machine. I have now restored SRP on that machine with gpedit.msc and left H_C uninstalled.

Andy, before I open the other two machines, any guidance that could save me some time?
 