Q&A ConfigureDefender utility for Windows 10


Andy Ful (Level 30, Content Creator, Verified; joined Dec 23, 2014; 1,964 messages; OS: Windows 10; Antivirus: Microsoft)
Andy, would ConfigureDefender at max settings block the ransomware attack used in this video?

Video - Windows Defender vs GandCrab Ransomware: video review
After the first update of Windows 10 ver. 1809 (I just did it yesterday), the trick of executing PowerShell from VBScript (JScript) is now blocked. The trick was for fooling one of the ASR rules, which blocked the execution when VBScript (JScript) malware downloaded the payload and next executed it by using only one script engine.
So now, the GandCrab ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content" (or, under the old name used in ConfigureDefender, "Impede JavaScript and VBScript to launch executables"). But this malware technique will surely be enhanced in the next versions to bypass WD protection.
Generally, the ASR rules are evolving and are stronger than before.
 

RoboMan (Level 24, Content Creator, Verified; joined Jun 24, 2016; 1,312 messages; OS: Windows 10; Antivirus: Default-Deny)
Andy Ful said:
So now, the GandCrab ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content"
Is this a default option in WD, or only if you enable ConfigureDefender? Should the very same scenario as in this video, with the latest Windows update, be blocked?
 

Lockdown (From AppGuard, Developer, Verified; joined Oct 24, 2016; 3,922 messages)
Andy Ful said:
After the first update of Windows 10 ver. 1809 (I just did it yesterday), the trick of executing PowerShell from VBScript (JScript) is now blocked. The trick was for fooling one of the ASR rules, which blocked the execution when VBScript (JScript) malware downloaded the payload and next executed it by using only one script engine.
So now, the GandCrab ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content" (or, under the old name used in ConfigureDefender, "Impede JavaScript and VBScript to launch executables"). But this malware technique will surely be enhanced in the next versions to bypass WD protection.
Generally, the ASR rules are evolving and are stronger than before.
It is just craziness. An overly complicated mousetrap that sometimes catches mice and other times does nothing or, perhaps, smashes the trap-setter's fingers. Users look at ASR and ask, "Wut?... Will it protect against this?", not realizing that the ASR rules must be present (Microsoft has to create them, and they are always playing catch-up) and enabled. If not, they have to figure it out and then do it.

It's fine for us who want to tinker and figure stuff out, but for others who just want to protect their systems this Microsoft spaghetti protection is insane. Not to mention it is just a matter of time before the malc0ders bypass the fixed bypass. It's cuck-cah!

SRP can be crafted such that there is no wondering about "Will this protect against this?" The only real protection to be had is at the process level: either allowing or denying the process. Fine-grained rules blocking specific behaviors are a pipe-dream fallacy, because new malicious behaviors that bypass current rules are implemented. Merely disable wscript and the rest of the unwanted stepchild processes. This is not difficult. This is really easy. It is almost "push button" protection.
 
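As an added example (my own code, not Lockdown's SRP setup and not AppGuard's), the quickest way to do what he describes for wscript/cscript is the Windows Script Host "Enabled" switch in the registry. With it set to 0, wscript.exe and cscript.exe refuse every .vbs/.js/.wsf file regardless of where it came from, so there is no behaviour rule to bypass. Run it from an elevated PowerShell; the function names are mine, and the probe is a constructed, harmless script that only tries to write a marker file under %TEMP%.

```powershell
# Added example: turn Windows Script Host off machine-wide and prove it with a probe.
# Not part of ConfigureDefender or AppGuard. Needs an elevated prompt to write HKLM.
# When Enabled = 0, wscript/cscript exit with
# "Windows Script Host access is disabled on this machine." for any script.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Set-WshEnabled {
    # $true re-enables WSH, $false disables it (value is a REG_DWORD named Enabled).
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    New-ItemProperty -Path $WshKey -Name Enabled -PropertyType DWord `
                     -Value ([int]$Enabled) -Force | Out-Null
}

function Test-WshBlocked {
    # Constructed probe: if WSH is allowed to run, the VBScript creates a marker file.
    # Returns $true when the marker does NOT appear, i.e. WSH refused the script.
    $vbs    = Join-Path $env:TEMP 'wsh-probe.vbs'
    $marker = Join-Path $env:TEMP 'wsh-probe.txt'
    Remove-Item $marker -ErrorAction SilentlyContinue
    # "" inside a PowerShell double-quoted string is a literal double quote for VBScript.
    Set-Content -Path $vbs -Value "CreateObject(""Scripting.FileSystemObject"").CreateTextFile(""$marker"").Close"
    Start-Process -FilePath cscript.exe -ArgumentList '//Nologo', "`"$vbs`"" `
                  -Wait -WindowStyle Hidden
    Remove-Item $vbs -ErrorAction SilentlyContinue
    return -not (Test-Path $marker)
}

"Blocked before change: $(Test-WshBlocked)"
Set-WshEnabled -Enabled $false
"Blocked after change:  $(Test-WshBlocked)"

# To revert on a machine that turns out to need WSH (some installers and logon scripts):
# Set-WshEnabled -Enabled $true
```

The same key under HKCU gives per-user control. The switch covers wscript.exe and cscript.exe only: PowerShell, mshta.exe (.hta files) and Office macros are the other "stepchild" hosts Lockdown alludes to and need their own treatment, which is where a full SRP or AppLocker policy comes in.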

Andy Ful (Level 30, Content Creator, Verified; joined Dec 23, 2014; 1,964 messages; OS: Windows 10; Antivirus: Microsoft)
RoboMan said:
Is this a default option in WD, or only if you enable ConfigureDefender? Should the very same scenario as in this video, with the latest Windows update, be blocked?
ASR rules are deactivated in WD's default settings. They can be activated via PowerShell cmdlets, or via policies on Windows 10 Home (policies would require editing the Registry). ConfigureDefender is a GUI that uses PowerShell to activate ASR. I checked the "two script engines" trick some time ago and it could fool ASR, so the malware was probably successful. I did not test this trick again until today, after the first update of Windows 10 ver. 1809. I do not know if the same is true for other Windows 10 versions.
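As an added example (my own code, not Andy's and not ConfigureDefender's, which drives the same cmdlets from a GUI), this is the PowerShell route he mentions: read the current state of the rule discussed in the thread, switch it on, and pull the events it writes so you can see it fire. Run it from an elevated prompt on a machine where Microsoft Defender AV is the active engine. The GUID is the one Microsoft documents for "Block JavaScript or VBScript from launching downloaded executable content"; the helper name Get-AsrRuleState is mine.

```powershell
# Added example (not ConfigureDefender code): inspect and enable one ASR rule with the
# Defender cmdlets, then list the events it emits. Elevated PowerShell required.
# ASR is only honoured while Microsoft Defender AV is the active engine.

# Documented GUID for "Block JavaScript or VBScript from launching downloaded executable content"
$RuleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'

function Get-AsrRuleState {
    # Returns the configured action for one rule GUID, or 'NotConfigured'.
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($n = 0; $n -lt $ids.Count; $n++) {
        if ($ids[$n] -ieq $Id) {
            # Action codes: 0 = Disabled, 1 = Block (Enabled), 2 = AuditMode
            switch ([int]$actions[$n]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                default { return "Unknown($($actions[$n]))" }
            }
        }
    }
    return 'NotConfigured'
}

"Before: $(Get-AsrRuleState -Id $RuleId)"

# Add-MpPreference appends to the existing rule list; Set-MpPreference would replace it.
# Use -AttackSurfaceReductionRules_Actions AuditMode first if you only want 1122 events.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

"After:  $(Get-AsrRuleState -Id $RuleId)"

# Every ASR hit lands in the Defender operational log: 1121 = blocked, 1122 = audit only.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Two caveats worth keeping in mind: a later Set-MpPreference -AttackSurfaceReductionRules_Ids from another tool or a policy refresh replaces the whole list, so recheck the state after running ConfigureDefender or applying GPO; and, as Microsoft documents it, the rule is scoped to executable content Defender treats as downloaded, which is exactly the boundary the "two script engines" trick in this thread was probing.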
 

Andy Ful (Level 30, Content Creator, Verified; joined Dec 23, 2014; 1,964 messages; OS: Windows 10; Antivirus: Microsoft)
Lockdown said:
...
Fine-grained rules blocking specific behaviors are a pipe-dream fallacy, because new malicious behaviors that bypass current rules are implemented. Merely disable wscript and the rest of the unwanted stepchild processes. This is not difficult. This is really easy. It is almost "push button" protection.
This is recommended and most efficient for home users. Those users who cannot do it, for some reason, can consider activating WD ASR rules. :giggle:
 
(unnamed member; joined Aug 28, 2018; 178 messages)
LOL... it is a whole lot easier to disable wscript than to enable WD ASR. Some people just like being difficult. :X3:
What home user is going to genuinely need features like VBScript or local JScript? I cannot think of a single one. I think it is simpler for it to just be disabled and be done with it than relying on ASR which is going to be a risky game of hit'n'miss each time.
 
