Andy Ful

Ok... so that was the feature! I thought it was whitelisted system files and its children from being detected as malware. Child Protection = Max web safety and protection for Kids or paranoid users.
That is right. :giggle:
It is the protection for kids and computer illiterate users, which is supervised by the advanced user (kind of family computer administrator). The Child Protection in ConfigureDefender is very aggressive, and can generate false positives.

Andy Ful

@Andy Ful Suddenly WD blocks Wise Uninstaller's Uninstall monitor module saying lsass.exe minor risk rule was applied.
You have activated the custom settings or 'Child Protection', with the ASR rule:
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
I do not know for what reason UnMonitor.exe wants to interfere with lsass.exe, it should not.
If you are certain that the application is clean and safe, then it is OK. The alert does not mean that all actions of UnMonitor.exe are blocked, but only access to lsass.exe, so probably you can ignore it. This ASR rule can alert for some other legal monitoring applications, so it is Disabled in ConfigureDefender "Defender high settings".

Vasudev

You have activated the custom settings or 'Child Protection', with the ASR rule:
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
I do not know for what reason UnMonitor.exe wants to interfere with lsass.exe, it should not.
If you are certain that the application is clean and safe, then it is OK. The alert does not mean that all actions of UnMonitor.exe are blocked, but only access to lsass.exe, so probably you can ignore it. This ASR rule can alert for some other legal monitoring applications, so it is Disabled in ConfigureDefender "Defender high settings".
I enabled it since the beginning. By default, it's disabled, correct?
I think 19H1 is very strict for default-deny based rulesets or ASR rules. I'm on the 19H1 build so it's becoming paranoid these days, and guess what, with the 1902.5 WD engine which is shipped in 19H1 you cannot clear protection history and even move/delete items from quarantine. I always preferred the MSE UI which was clean and did its job, unlike the UWP version with its confusing dashboard.

Raiden

I think "Block at First Sight" isn't working as it should on my machine. I tried the demo file from Windows Defender Testground and WD didn't block it.
Should it be allowed to execute?

@Andy Ful
Try setting the block level in ConfigureDefender to Block instead of Highest. I have run this test before and for some reason it only seems to work with it set to Block. I know @Andy Ful has said in the past that for home users it doesn't matter as it works more like heuristics, but in my experience it seems to make a difference, at least with that test. Also, which browser are you using? I find it doesn't work as well with Firefox for some reason, but with Edge and Chrome it works fine. My guess is that both Edge and Chrome use AMSI and Firefox doesn't, so I am not sure if that's the reason behind it or not.

Andy Ful

I think "Block at First Sight" isn't working as it should on my machine. I tried the demo file from Windows Defender Testground and WD didn't block it.
Should it be allowed to execute?

@Andy Ful
I did the same test and Smartscreen blocked it, and WD thus "failed" the BAFS test. Curious indeed!
The demo for BAFS is outdated and does not work well. It does not work at all for Firefox.
It is a simple way to see if it works. If you download a malicious (or highly suspicious) EXE file (via Edge or Chrome) which does not have a signature in WD, then you should see the WD alert that the file requires further inspection for 10s (or 60s when ConfigureDefender high settings were used). If the file is recognized as malicious, then it is automatically quarantined (or sometimes deleted).
BAFS is a default WD feature so it should work without any issues.
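A defender-side check, added here as an example and not code from this thread or from ConfigureDefender: it reads the live Defender preferences to report whether the cloud pieces BAFS depends on are in place, how long an unknown download is held for inspection (the 10 s default, up to 60 s with the extended timeout), and how the lsass ASR rule discussed earlier is configured. It assumes an elevated PowerShell on Windows 10 with the Defender module available; the rule ID is the documented one for that ASR rule.

```powershell
# Added example (not part of the thread or of ConfigureDefender itself).
# Reports the Defender settings that Block at First Sight (BAFS) depends on,
# the cloud hold time for unknown downloads, and the state of the lsass ASR rule.
# Run in an elevated PowerShell on Windows 10 with the Defender module present.

# Rule ID of "Block credential stealing from the Windows local security
# authority subsystem (lsass.exe)".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-BafsStatus {
    $p = Get-MpPreference
    # BAFS needs cloud protection (MAPS) on, sample submission allowed,
    # and the feature itself not disabled.
    $prereqOk = ($p.MAPSReporting -ne 0) -and
                ($p.SubmitSamplesConsent -in 1, 3) -and
                (-not $p.DisableBlockAtFirstSeen)
    # Unknown files are held 10 s by default; CloudExtendedTimeout adds up to
    # 50 s more, which is where the 60 s seen with the "high" settings comes from.
    $holdSeconds = 10 + [int]$p.CloudExtendedTimeout

    # The ASR rule IDs and their actions are parallel arrays; find the lsass rule.
    $action = 'Not configured'
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $code = [int]$acts[$i]
            $action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        }
    }

    [pscustomobject]@{
        BafsPrerequisitesMet = $prereqOk
        CloudBlockLevel      = $p.CloudBlockLevel   # 0 default, 2 high, 4 high+, 6 zero tolerance
        CloudHoldSeconds     = $holdSeconds
        LsassAsrRuleAction   = $action
        TamperProtected      = (Get-MpComputerStatus).IsTamperProtected
    }
}

Get-BafsStatus | Format-List
```

If BafsPrerequisitesMet is False, a BAFS test download is not expected to produce the "further inspection" alert regardless of the block level chosen in ConfigureDefender.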

Raiden

Mine is set to "Block" on 1809.
Hmm interesting. I just tried it in Chrome, also on 1809 with it set to block and it worked for me. Now what I did find out is that it may not work every time. I ran it like 3-4 times and it didn't work once out of the 3-4 times. If I'm not mistaken, it relies on the cloud component and if it cannot make a determination during the time out period, it allows the file to finish downloading, but also sends it to the cloud for further analysis. I could be wrong, but maybe @Andy Ful can explain it better.

The demo for BAFS is outdated and does not work well. It does not work at all for Firefox.
It is a simple way to see if it works. If you download a malicious (or highly suspicious) EXE file (via Edge or Chrome) which does not have a signature in WD, then you should see the WD alert that the file requires further inspection for 10s (or 60s when ConfigureDefender high settings were used). If the file is recognized as malicious, then it is automatically quarantined (or sometimes deleted).
BAFS is a default WD feature so it should work without any issues.
Thanks for the clarification. I do wish that MS would keep up with their test page, but then again, maybe they don't think too many people use it.

Andy Ful

Hmm interesting. I just tried it in Chrome, also on 1809 with it set to block and it worked for me. Now what I did find out is that it may not work every time. I ran it like 3-4 times and it didn't work once out of the 3-4 times. If I'm not mistaken, it relies on the cloud component and if it cannot make a determination during the time out period, it allows the file to finish downloading, but also sends it to the cloud for further analysis. I could be wrong, but maybe @Andy Ful can explain it better.
I made many tests with BAFS some time ago. In the beginning, almost all samples were blocked in high settings. But after some tests, the rate dropped to about 50%. Those samples are really not malicious. They differ only by a small binary part at the end of the file.

Andy Ful

If you're on Windows 19H1 you need to disable Tamper protection for Configuredefender's custom rule-sets to work.
Tamper protection blocks only two entries in ConfigureDefender, which normally are not changed by the user (tested on Windows 10 Insider Build 18841):
  1. Behavior Monitoring.
  2. Scan all downloaded files and attachments.
Other options work as usual.

Vasudev

Tamper protection blocks only two entries in ConfigureDefender, which normally are not changed by the user (tested on Windows 10 Insider Build 18841):
  1. Behavior Monitoring.
  2. Scan all downloaded files and attachments.
Other options work as usual.
For me, ConfigureDefender always stays in the Script Paused state and disabling Tamper protection solved it. Otherwise, some rulesets weren't applying or not working. 20H1 has some fixes unlike 19H1. When will MSFT learn?

Andy Ful

For me, ConfigureDefender always stays in the Script Paused state and disabling Tamper protection solved it. Otherwise, some rulesets weren't applying or not working. 20H1 has some fixes unlike 19H1. When will MSFT learn?
What is the script paused state?

Andy Ful

ConfigureDefender doesn't respond and the UI appears stuck! When you hover over the tray icon you'll see the Script Paused message.
So you are using the early Insider version which will finally be pushed next year. We have to wait until it is more mature, and then we will see if it is a bug or M$ decided to block more configuration changes (also with PowerShell) when Tamper Protection is active. (y)