oldschool

Okay, I cleared the Windows Defender threat on the Hard_Config download. I turned off Windows Defender protection, downloaded and installed Hard_Config, added a C/Windows/Hard_Config exclusion to Defender. Loaded Config_Defender 1.1.1.1 to C/Windows/Hard_Config, opened the Hard_Config GUI and applied protections, logged out. Logged back in and re-activated Windows Defender protections. Bit of a dance but all good.

Nice! That's one of the nice things about using the Windows built-in. It's definitely clunky and could be refined, but fewer problems overall.
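The "dance" described above, as an added example in the shell it is actually done in (this is not the poster's or Hard_Configurator's own script). It assumes an elevated PowerShell, an installer at the hypothetical path $Installer, an install folder of C:\Windows\Hard_Config, and that Tamper Protection is off; with Tamper Protection on, Set-MpPreference -DisableRealtimeMonitoring is ignored and the installer will still be quarantined.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted install with real-time protection paused and then
# restored. Paths below are assumptions, not values from the thread.
$Installer  = "$env:USERPROFILE\Downloads\Hard_Configurator_x64.exe"   # hypothetical filename
$InstallDir = 'C:\Windows\Hard_Config'

function Wait-RealtimeState([bool]$Enabled) {
    # Get-MpComputerStatus can lag a few seconds behind Set-MpPreference.
    for ($i = 0; $i -lt 10; $i++) {
        if ((Get-MpComputerStatus).RealTimeProtectionEnabled -eq $Enabled) { return $true }
        Start-Sleep -Seconds 1
    }
    return $false
}

# 1. Pause real-time protection so the installer is not deleted on write.
Set-MpPreference -DisableRealtimeMonitoring $true
if (-not (Wait-RealtimeState $false)) {
    throw 'Real-time protection is still on; Tamper Protection is probably enabled.'
}

try {
    # 2. Exclude the install folder before anything lands in it.
    Add-MpPreference -ExclusionPath $InstallDir
    # 3. Run the installer and wait for it to finish.
    Start-Process -FilePath $Installer -Wait
}
finally {
    # 4. Always turn real-time protection back on, even if the install failed.
    Set-MpPreference -DisableRealtimeMonitoring $false
    if (-not (Wait-RealtimeState $true)) {
        Write-Warning 'Real-time protection did not re-enable; check Get-MpComputerStatus.'
    }
}

# 5. Verify: the exclusion is present, RTP is on, and nothing from the
#    install folder shows up in Defender's detection history.
(Get-MpPreference).ExclusionPath
(Get-MpComputerStatus).RealTimeProtectionEnabled
Get-MpThreatDetection | Where-Object { $_.Resources -like "*$InstallDir*" }
```

Two caveats a practitioner would want: the try/finally is there because leaving real-time protection off after a failed install is the worst outcome, and a folder exclusion under C:\Windows is a permanent blind spot, so keep it to the one folder and review (Get-MpPreference).ExclusionPath periodically, since adding exclusions is also a common attacker move.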
 

Andy Ful

Just tried to download Hard_Configurator and latest Microsoft definition 1.227.552.0 is blocking and deleting the download even if MpCmdRun.exe -removedefinitions -dynamicsignatures has been run.

It does allow the download for Windows 64-bit: AndyFul/ConfigureDefender. Note: using Edge.
Confirmed - the 64-bit installer is flagged and the 32-bit installer is not. :(
Finally, Microsoft realized that Hard_Configurator also installs ConfigureDefender, so expanded the hack-tool detection to the Hard_Configurator installer. The 32-bit (x86) versions of ConfigureDefender and Hard_Configurator are still detected as clean.
Already installed executables, except the old version of ConfigureDefender, are detected as clean, so after replacing ConfigureDefender with ver. 1.1.1.1, an already installed Hard_Configurator will work well.
Yet, a new installation requires turning OFF real-time protection for a while and turning it ON after installation.
I recommend simply not installing the current version 4.0.0.0 of Hard_Configurator, but waiting for the corrected version 4.0.0.0. I will try to push it in a week.

Edit.
I removed the Hard_Configurator installers ver. 4.0.0.0 from the GitHub repository. If someone needs the installer, please PM me.
 

shmu26

Small GUI suggestion: make "enabled" and "disabled" in different colors, or at least different shades. The words are somewhat similar, and the text is kind of small, so it's a little hard to see what settings you have.
 

Andy Ful

This attack uses a technique which bypasses the WD ASR rules if the script is run directly from Explorer (like in the video). It may be blocked by the 'Network Protection' feature if the malware website with the payload is on the blacklist (not very probable for a 0-day).
It can be stopped by ASR when the script is embedded in an MS Office document and opened by an MS Office application.

The malware will also be blocked (but not by ConfigureDefender settings) if one of the below points is true:
  • disassociated .js and .jse extensions from wscript.exe (cscript.exe);
  • blocked JScript interpreters (wscript.exe, cscript.exe);
  • PowerShell set to Constrained Language mode;
  • blocked PowerShell interpreters (powershell.exe, powershell_ise.exe).
Of course, the malware will be blocked by a default-deny setup which can block Windows scripts.
 
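A read-only audit of the four host-side blocks listed in the post above, plus the state of the ASR rules the thread mentions, as an added example (not Andy Ful's or Hard_Configurator's code). Assumptions: interpreter blocks are implemented with AppLocker, so Test-AppLockerPolicy can answer for them (an SRP-based default-deny such as Hard_Configurator's is not visible to this check), and Get-MpPreference is available (Windows 10/11 with Defender enabled). The ASR rule GUIDs are the ones Microsoft documents for those rules.

```powershell
#Requires -Version 5.1
# Added example: reports, per mitigation, whether it is in place on this host.
$report = [ordered]@{}

# 1. File associations: follow HKCR\.js -> ProgID -> shell\open\command.
#    The Windows default is JSFile -> "%SystemRoot%\System32\WScript.exe" "%1" %*
foreach ($ext in '.js', '.jse') {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    $cmd = $null
    if ($progId) {
        $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    $report["$ext still opens with WScript/CScript"] = [bool]($cmd -match '(?i)[wc]script\.exe')
}

# 2/4. Interpreter blocks: ask AppLocker what it would decide for each binary
#      when run by Everyone. 'DeniedByDefault' counts as blocked too.
$interpreters = 'wscript.exe', 'cscript.exe', 'powershell.exe', 'powershell_ise.exe'
try {
    $policy = Get-AppLockerPolicy -Effective
    foreach ($exe in $interpreters) {
        $path = (Get-Command $exe -ErrorAction SilentlyContinue).Source
        if (-not $path) { $report["$exe blocked by AppLocker"] = 'not found'; continue }
        $decision = (Test-AppLockerPolicy -PolicyObject $policy -Path $path -User Everyone).PolicyDecision
        $report["$exe blocked by AppLocker"] = ($decision -in 'Denied', 'DeniedByDefault')
    }
} catch {
    foreach ($exe in $interpreters) { $report["$exe blocked by AppLocker"] = "unknown ($($_.Exception.Message))" }
}

# 3. Constrained Language mode: test a fresh process rather than this session,
#    because the mode is decided at startup (e.g. by WDAC/AppLocker enforcement).
try {
    $mode = & powershell.exe -NoProfile -NonInteractive -Command '$ExecutionContext.SessionState.LanguageMode'
    $report['PowerShell starts in ConstrainedLanguage'] = ($mode -eq 'ConstrainedLanguage')
} catch {
    $report['PowerShell starts in ConstrainedLanguage'] = 'n/a (powershell.exe could not be started)'
}

# 5. ASR rules: Get-MpPreference exposes parallel arrays of rule GUIDs and
#    actions (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
$asrNames = @{
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
}
$actionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
foreach ($guid in $asrNames.Keys) {
    $i = [array]::IndexOf($ids, $guid)
    $state = if ($i -ge 0) { $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]] } else { 'Not configured' }
    $report["ASR: $($asrNames[$guid])"] = $state
}

[pscustomobject]$report | Format-List
```

The point of testing the language mode in a child process is that the session running the audit may itself have been started before the policy was applied, or under an allow rule; the same reasoning is why the interpreter check asks the effective policy rather than trying to launch each binary. A false for ".js still opens with WScript" together with a block on cscript.exe covers the first two bullets; a JScript file can still be run explicitly by anything that is itself allowed to invoke the interpreter, which is why the poster lists blocking the interpreters as a separate step.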

Andy Ful

What about the ASR rule blocking files that do not meet "prevalence, age or trusted list criteria"?
It is still an enigma to me. I tested it on Discuss - Python Ransomware.
I downloaded the malware from the malicious website (the link was hardcoded) and executed it on my computer. The above rule did not stop it. But it can stop executables freshly compiled on my computer.
 