Thanks Andy, I find your effort, product and support to be impeccable. I knew it was "them", :devil:.
ConfigureDefender utility for Windows 10/11
- Thread starter Andy Ful
- Start date
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
Thanks. I did not know the word impeccable. I learned something.
- Mar 29, 2018
- 7,596
@Reldel1 @Andy Ful Yes, I checked and found Edge Dev Upda was also blocked here by this rule.
Also, I looked through WSC Protection History and see it keeps the log quite a long time. I found some older blocks which required exclusions so no problem there. I would advise users to check not only ConfigureDefender logs but also Protection History in WSC to check for blocks which won't receive WD notifications. I think I needed 3 ASR exclusions after checking.
And finally, I see that WD scans have all been optimized with this last update. Have others noticed this?
Also, I looked through WSC Protection History and see it keeps the log quite a long time. I found some older blocks which required exclusions so no problem there. I would advise users to check not only ConfigureDefender logs but also Protection History in WSC to check for blocks which won't receive WD notifications. I think I needed 3 ASR exclusions after checking.
And finally, I see that WD scans have all been optimized with this last update. Have others noticed this?
- Jan 27, 2018
- 1,401
Why am I seeing this in my logs? Running on high protection, and as far as I remember I did nothing to WD on the date shown. Thanks.
- Mar 29, 2018
- 7,596
I wondered the same. I was away for 2 days and came back to find it disabled. Maybe just Windows being Windows around an update? That's what I figured.
It appears Microsoft found their problem and have provided and update, below is from their Edge Insider notes:Thanks. I did not know the word impeccable. I learned something.
Hi everyone, just a quick note to say that we deployed a new build 78.0.268.3 to the Dev channel today for Windows only. This corrects an issue with our digital signature that prevented Microsoft Edge from working on Windows 10 S and caused some people to see an "unverified publisher" or similar message. There are no other changes in this update.
- Mar 29, 2018
- 7,596
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
Something disabled WD.
There are a few events Id=5010 on my computer, but they are correlated with moments when I disabled WD via Defender Control tool (confirmed a few minutes ago).
I think that it can be also related to updating WD engines (not signatures).
It would be interesting to know how many ConfigureDefender users have this event in the Log.
No 5010 events in my log.Something disabled WD.
There are a few events Id=5010 on my computer, but they are correlated with moments when I disabled WD via Defender Control tool (confirmed a few minutes ago).
I think that it can be also related to updating WD engines (not signatures).
It would be interesting to know how many ConfigureDefender users have this event in the Log.
- Apr 1, 2019
- 2,867
I just got an engine update when I switched back to Defender. I will check the event log later when I’m at my computer to see if it’s in there.Something disabled WD.
There are a few events Id=5010 on my computer, but they are correlated with moments when I disabled WD via Defender Control tool (confirmed a few minutes ago).
I think that it can be also related to updating WD engines (not signatures).
It would be interesting to know how many ConfigureDefender users have this event in the Log.
- Apr 16, 2017
- 2,576
something was amiss with the msedge update to v78, give me BSOD :emoji_grimacing:
- Mar 29, 2018
- 7,596
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
ConfigureDefender and the fileless malware.
I would like to share some information about WD ASR rules in the context of fileless attacks. Fileless attack (common definition) is an attack during which no portable executable (PE) file is written to and executed from disk.
The below ASR rules are strictly related to the protection of MS software:
As can be seen from the above points, WD ASR rules do not prevent the attacks performed via Python scripts or Java files ( .jar files), which are sometimes used by malc0ders too. But, such attacks require installing Python or Java engines.
I would like to share some information about WD ASR rules in the context of fileless attacks. Fileless attack (common definition) is an attack during which no portable executable (PE) file is written to and executed from disk.
The below ASR rules are strictly related to the protection of MS software:
- Block executable content from email client and webmail (Outlook or Outlook.com).
It blocks the following file types: EXE, SCR, DLL, PS, JS, VBS, etc. when these files are launched from Outlook or Outlook.com (and probably some other popular webmail providers). - Block Office applications from creating child processes - blocks also the execution of script engines and other LOLBins by Office exploits.
- Block Office applications from injecting into other processes - prevents the Office exploits to inject the malicious code into other processes.
- Block Win32 imports from Macro code in Office - restricts VBA macros when they try to use Win32 API calls.
- Block only Office communication applications from creating child processes - prevents Outlook exploits from creating child processes, also script engines and other LOLBins.
- Use advanced protection against ransomware - includes also remediation of PowerShell trojan-downloaders.
- Impede JavaScript and VBScript to launch executables - blocks common JavaScript and VBScript trojan-downloaders.
- Block credential stealing from the Windows local security authority subsystem (lsass.exe) - protects passwords and credentials.
- Block process creations originating from PSExec and WMI commands - prevents spying, blocks wmic.exe, prevents remote code execution.
- Block Adobe Reader from creating child processes - blocks also the execution of script engines, Office applications, and other LOLBins by Adobe Reader exploits.
- Block execution of potentially obfuscated scripts - blocks some obfuscated JS, VBS, PS, VBA code.
- Block persistence through WMI event subscription - prevents the threats that abuse WMI to persist and stay hidden in WMI repository.
Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint
Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
docs.microsoft.com
As can be seen from the above points, WD ASR rules do not prevent the attacks performed via Python scripts or Java files ( .jar files), which are sometimes used by malc0ders too. But, such attacks require installing Python or Java engines.
Last edited:
- Apr 1, 2019
- 2,867
- Mar 29, 2018
- 7,596
@simmerskool - you may find the latest ConfigureDefender download here, along with other @Andy Ful tools: Hard_Configurator — Download Scroll down to CD, etc. I suggest to upgrade to W10 before too long.
- Apr 16, 2017
- 2,576
@simmerskool - you may find the latest ConfigureDefender download here, along with other @Andy Ful tools: Hard_Configurator — Download Scroll down to CD, etc. I suggest to upgrade to W10 before too long.
thanks!!
- Mar 29, 2018
- 7,596
It may not be possible due to Windows Defender itself.
Lemon60
Level 2
- Jun 11, 2019
- 71
I didn't try it yet but you can enable with gpedit.msc.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,484
Do you mean the option that prevents users to 'pause scan'?
ConfigureDefender can hide WSC to prevent children or newbies to pause scans or change WD settings.
Similar threads
-
- Sticky
