What is the location of your 'pause scan' tweak in GPO?
There is "Allow users to pause scan" tweak, but it works by default when not configured (the same when Enabled). If you set it to Disabled, then it will prevent stopping the scan. (y)
While this control setting is present in GPO, it does nothing on Windows 10 when enabled.

All it is supposed to do is to make a control available in the Windows Security tray area icon in the context menu to pause a scan. Yet, it doesn't do that when enabled.

On Windows 10, there is only a Cancel option via the main Windows Defender Security Center GUI.

Like much of GPO, it is half-assed. GPO is an ancient relic from pre-XP that Microsoft willfully neglects. They keep kicking the GPO can down the road because of the few enterprise admins that use it. Otherwise, it is essentially legacy crapware because of the innumerable problems with it on both workstations and servers.

Not to mention the divisions that develop and maintain Windows Defender, GPO, AppLocker, Device Guard, Application Control, and so on do the following on Windows 10:

1. put in a new feature unannounced
2. remove it unannounced
3. change it unannounced
4. do not support and maintain all aspects of the features despite those features being shipped with Windows

So Windows 10 security is like an ongoing tinkering experiment and a lot of people do not realize that there are a lot of areas of Windows with really sketchy development and support. Windows Security is one of those areas.

Things like GPO and AppLocker are very rarely ever maintained by Microsoft at this point. Both are on life-support.

It's really unfortunate that Microsoft handles things in this manner because all it does is cause a lot of confusion, frustration and disappointment. Just search through TechNet about GPO alone and you will literally find thousands of pages of problems with GPO. And like they just don't fix things in it any longer.
 

oldschool

Hi, what are the best settings with this utility for Windows Defender? Trying out WD after a fresh install. Thanks
You may try "High" profile which will leave 3 ASR rules and Controlled Folder Access set to "Off". You may either set these to "Audit" to check for potential conflicts with other software or you may enable them. I generally use "Max" profile with WSC set > "Visible" and Smartscreen for Edge and Explorer set > "Warn". It also sets Cloud Protection Level to "Block" and extends time limit to 60 sec. Remember that after selecting a profile (setting) you may adjust individual features to your liking.
 

simmerskool

You may try "High" profile which will leave 3 ASR rules and Controlled Folder Access set to "Off". You may either set these to "Audit" to check for potential conflicts with other software or you may enable them. I generally use "Max" profile with WSC set > "Visible" and Smartscreen for Edge and Explorer set > "Warn". It also sets Cloud Protection Level to "Block" and extends time limit to 60 sec. Remember that after selecting a profile (setting) you may adjust individual features to your liking.
(I'm new to using Windows 10.) I ran ConfigureDefender on w10_1903_vm the other day, "High" -- played awhile then shut down w10, came back today and I see a security alert re
Virus & threat protection settings: Tamper protection is off. Your device may be vulnerable.
Is this tamper setting something that configuredefender should have tweaked? any way to "test" that all High settings were enabled?? :unsure:

EDIT update: reading that tamper protection is turned on by default. OK, does that mean ConfigureDefender turned it off? Seems unlikely :emoji_fearful:
 

Andy Ful

(I'm new to using Windows 10.) I ran ConfigureDefender on w10_1903_vm the other day, "High" -- played awhile then shut down w10, came back today and I see a security alert re
Virus & threat protection settings: Tamper protection is off. Your device may be vulnerable.
Is this tamper setting something that configuredefender should have tweaked? any way to "test" that all High settings were enabled?? :unsure:
ConfigureDefender does not change Tamper Protection setting in any way.
Windows 10 ver. 1903 sometimes has the issue of sudden rebooting. I have also had one or two events when Tamper Protection was turned OFF after such a reboot. Anyway (in rare cases), this can also be caused by some malware.
If you use the latest version of ConfigureDefender then after applying the HIGH Protection level, you should press the <REFRESH> button. This will also check if the settings were correctly written into the Windows Registry. Please note that most changes in Defender settings require rebooting the computer.
 
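As an added example of how to check for yourself that a profile "took" (this is not ConfigureDefender's own code, and the baseline values below are an illustrative high-style profile chosen for the example, not a copy of ConfigureDefender's HIGH profile), the script below compares the effective Defender configuration reported by the service against an expected baseline, checks Tamper Protection status separately (it is a status, not a preference, and ConfigureDefender does not change it), and compares one policy registry value against the live value so you can tell "written to the Registry" from "picked up by the service". The two ASR GUIDs are Microsoft's published rule IDs. Run it from an elevated PowerShell.

```powershell
# Added example, not ConfigureDefender's code: report drift between the live
# Defender configuration and an expected baseline. Baseline is illustrative.

$ExpectedPreference = @{
    CloudBlockLevel              = 2   # 2 = High (0 Default, 1 Moderate, 4 HighPlus, 6 ZeroTolerance)
    CloudExtendedTimeout         = 0   # extra seconds beyond the fixed 10 s cloud wait (0..50)
    EnableControlledFolderAccess = 0   # 0 Off, 1 Block (Enabled), 2 Audit
    MAPSReporting                = 2   # 2 = Advanced MAPS membership
    SubmitSamplesConsent         = 1   # 1 = send safe samples automatically
    PUAProtection                = 1   # 1 = block potentially unwanted apps
    EnableNetworkProtection      = 1   # 1 Block, 2 Audit
}

# ASR rule GUID -> expected action (0 Off, 1 Block, 2 Audit)
$ExpectedAsr = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 1   # Block executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 1   # Block all Office applications from creating child processes
}

function Get-DefenderDrift {
    param(
        [hashtable]$Preference = $ExpectedPreference,
        [hashtable]$Asr        = $ExpectedAsr
    )
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $drift  = New-Object System.Collections.Generic.List[object]

    # Scalar preferences: compare as strings so enum/int/bool differences don't matter.
    foreach ($name in $Preference.Keys) {
        $actual = $pref.$name
        if ([string]$actual -ne [string]$Preference[$name]) {
            $drift.Add([pscustomobject]@{ Setting = $name; Expected = $Preference[$name]; Actual = $actual })
        }
    }

    # ASR rules come back as two parallel arrays (Ids / Actions); rebuild a lookup keyed by GUID.
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $live = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $live[([string]$ids[$i]).ToUpper()] = $acts[$i] }
    foreach ($id in $Asr.Keys) {
        $key    = $id.ToUpper()
        $actual = if ($live.ContainsKey($key)) { $live[$key] } else { 'not set' }
        if ([string]$actual -ne [string]$Asr[$id]) {
            $drift.Add([pscustomobject]@{ Setting = "ASR $id"; Expected = $Asr[$id]; Actual = $actual })
        }
    }

    # Tamper Protection is reported by Get-MpComputerStatus, not Get-MpPreference.
    if (-not $status.IsTamperProtected) {
        $drift.Add([pscustomobject]@{ Setting = 'IsTamperProtected'; Expected = $true; Actual = $false })
    }

    # Policy view: the GPO "Select cloud protection level" setting lives under this key.
    # A value can be present here and still not be in effect until the service re-reads it.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine' -ErrorAction SilentlyContinue
    if ($null -ne $policy -and $null -ne $policy.MpCloudBlockLevel -and
        [int]$policy.MpCloudBlockLevel -ne [int]$pref.CloudBlockLevel) {
        $drift.Add([pscustomobject]@{
            Setting  = 'MpCloudBlockLevel (policy key vs. live)'
            Expected = $policy.MpCloudBlockLevel
            Actual   = $pref.CloudBlockLevel
        })
    }
    return $drift
}

$result = Get-DefenderDrift
if ($result.Count -eq 0) { 'No drift from the expected baseline.' } else { $result | Format-Table -AutoSize }
```

If the policy-key row shows up right after applying a profile, that is the "reboot or refresh needed" case from the post above; a row for IsTamperProtected is unrelated to the tool and should be checked in Windows Security.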

simmerskool

ConfigureDefender does not change Tamper Protection setting in any way.
Windows 10 ver. 1903 sometimes has the issue of sudden rebooting. I have also had one or two events when Tamper Protection was turned OFF after such a reboot. Anyway (in rare cases), this can also be caused by some malware.
If you use the latest version of ConfigureDefender then after applying the HIGH Protection level, you should press the <REFRESH> button. This will also check if the settings were correctly written into the Windows Registry. Please note that most changes in Defender settings require rebooting the computer.
makes sense, very helpful, as usual :)
 

Andy Ful

Andy Ful I saw Oldschool increase the cloud lookup time to 60 sec, instead of 10 sec in High mode.
Is there any benefits to this?
Does MS cloud perform more actions/tests on the checked up file due to the time difference?

And again, thx a lot for this awesome app! (y)

/W
This can sometimes be an advantage, especially with a low-speed Internet connection, when the sample is uploaded for analysis to the cloud. But usually, the malware classification takes only a few seconds.
 

SeriousHoax

Andy Ful I saw Oldschool increase the cloud lookup time to 60 sec, instead of 10 sec in High mode.
Is there any benefits to this?
Does MS cloud perform more actions/tests on the checked up file due to the time difference?

And again, thx a lot for this awesome app! (y)

/W
After executing a file, WD cloud protection checks the file in the cloud to see if the file is safe or not. If the file you're running is already known to the WD cloud then the check usually happens within 10 seconds. In fact in less than 10 seconds. Maybe 1 or 2. When the option is set to 10 sec, if WD doesn't get any result from the cloud within 10 seconds, it will let the sample run, but if you increase it to let's say 60 seconds then WD will wait at least 60 seconds to get a verdict from the cloud. Increasing the time is more helpful in case of executing unknown files.
Let me give you an example. A few days ago I ran a fresh malicious sample in Sandboxie. The sample was not known to WD. Not even by their cloud (I checked before executing). My cloud checkup time was set to 10 seconds. WD waited 10 seconds but couldn't get any result from the cloud so let the sample run. It ran successfully and also created a startup entry.
Only 2 minutes later, I went on to delete the contents of Sandboxie but as soon as my PC accessed that file again, WD detected and deleted the file. I manually scanned the source sample on my PC and Windows Defender this time detected that file as well.
So, what probably happened was: after running the file WD uploaded the sample to the cloud and then their AI checked the file and verified it as malware. But this took more than 10 seconds. If my cloud protection timeout had been set to 60 seconds, WD probably would have been able to block the malware before it was allowed to execute.
After that, I set the timeout to 60 seconds. I think it's better this way. You'll almost never have to wait 60 seconds unless you're running something brand new which is not even known to the WD cloud.
I hope this clarifies your question.
 

Andy Ful

...
Let me give you an example. A few days ago I ran a fresh malicious sample in Sandboxie. The sample was not known to WD. Not even by their cloud (I checked before executing). My cloud checkup time was set to 10 seconds. WD waited 10 seconds but couldn't get any result from the cloud so let the sample run. It ran successfully and also created a startup entry.
Only 2 minutes later, I went on to delete the contents of Sandboxie but as soon as my PC accessed that file again, WD detected and deleted the file. I manually scanned the source sample on my PC and Windows Defender this time detected that file as well.
...
There are some possibilities.
  1. WD could detect your sample after the limit of 10 seconds.
  2. WD could finish the analysis before 10 seconds and the computer was infected. Next, WD could detect the malware after some time due to post-infection telemetry.
  3. WD could detect the sample from another computer at a similar time on Windows E3 or E5 (enterprise editions). These editions allow more comprehensive analysis, including detonation in the sandbox.
For the points 1. and 3., extending the cloud checkup time can be beneficial.
But not for the point 2. :giggle: (y)
 
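To make the timeout discussion in the two posts above concrete, here is an added example (not ConfigureDefender's code, and not part of either post). It sets the cloud level and the extended timeout with Set-MpPreference, where the "60 sec" setting is the fixed 10 s wait plus the maximum 50 s extension, and then pulls Defender's own detection events (IDs 1116 "malware detected" and 1117 "action taken" in the Microsoft-Windows-Windows Defender/Operational log) relative to the moment you launched a sample. Whether the first detection lands inside the cloud-wait window or minutes later is the observable difference between Andy Ful's possibility 1 and possibility 2; it cannot distinguish 3 from 1, since both arrive as a cloud verdict. The launch timestamp in the usage line is a placeholder you supply. Run elevated.

```powershell
# Added example, not ConfigureDefender's code.

function Set-CloudTimeout {
    # ExtraSeconds is added to Defender's fixed 10 s cloud wait; 50 gives 60 s total.
    param([ValidateRange(0, 50)][int]$ExtraSeconds = 50)
    Set-MpPreference -CloudBlockLevel High -CloudExtendedTimeout $ExtraSeconds
    $p = Get-MpPreference
    [pscustomobject]@{
        CloudBlockLevel = $p.CloudBlockLevel
        TotalWaitSec    = 10 + [int]$p.CloudExtendedTimeout
    }
}

function Get-DetectionTimeline {
    param(
        [Parameter(Mandatory)][datetime]$LaunchedAt,   # when you double-clicked the sample
        [int]$WindowMinutes = 10,                      # how long after launch to look
        [int]$CloudWaitSec  = 10 + [int](Get-MpPreference).CloudExtendedTimeout
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $LaunchedAt.AddMinutes(-1)
        EndTime   = $LaunchedAt.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $delay = ($e.TimeCreated - $LaunchedAt).TotalSeconds
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Id           = $e.Id
            DelaySec     = [math]::Round($delay, 1)
            # True: the verdict arrived while Defender was still holding the file,
            # so a longer timeout could have blocked the launch (possibility 1).
            # False with a large delay: post-execution detection (possibility 2).
            WithinWindow = ($delay -ge 0 -and $delay -le $CloudWaitSec)
            Summary      = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Usage (timestamp is a placeholder for your own launch time):
# Set-CloudTimeout -ExtraSeconds 50
# Get-DetectionTimeline -LaunchedAt (Get-Date '2019-06-01 14:32:05') | Format-Table -AutoSize
```

Note that CloudExtendedTimeout is capped at 50 by the cmdlet, which is why 60 seconds is the most any tool can offer; a value that does not change after Set-MpPreference is the Tamper Protection / policy-precedence situation discussed earlier in the thread.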

blackice

There are some possibilities.
  1. WD could detect your sample after the limit of 10 seconds.
  2. WD could finish the analysis before 10 seconds and the computer was infected. Next, WD could detect the malware after some time due to post-infection telemetry.
  3. WD could detect the sample from another computer at a similar time on Windows E3 or E5 (enterprise editions). These editions allow more comprehensive analysis, including detonation in the sandbox.
For the points 1. and 3., extending the cloud checkup time can be beneficial.
But not for the point 2. :giggle: (y)
I’d rather be protected by points 1 & 3, and be thankful for point 2 eventually getting it, than have files work faster on occasion.
 

SeriousHoax

For the points 1. and 3., extending the cloud checkup time can be beneficial.
I’d rather be protected by points 1 & 3, and be thankful for point 2 eventually getting it, than have files work faster on occasion.
For points 1 & 3 WD has a pretty huge advantage over other AVs, I think. Almost all AVs have some sort of cloud servers where, with the help of AI and a sandbox, they analyze malware and protect users against new threats via their cloud protection before creating signatures. For example, Kaspersky's KSN, ESET's Live Grid, etc. have a similar purpose. WD has this too. Microsoft being the owner of the Azure cloud service and WD, they can afford to invest a lot of their cloud infrastructure in WD. So, Microsoft's Azure cloud AI server network is a lot larger than other AVs' servers. As a result, they can process a lot more threats every minute than their competitors. This clearly shows in many of the recent AV lab results. WD is still weak at signature-based detection, they are late at creating signatures, but their investment in the cloud is paying off.