ConfigureDefender utility for Windows 10

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Any SmartScreen settings in WSC or ConfigureDefender (except the Disabled setting) have no influence on the SmartScreen check.
The "Warn" setting simply allows the user to run the application.
The "Block" setting does not allow the user to run the application.
The "User" setting in ConfigureDefender applies the setting from WSC.
The "Warn" and "Block" settings in ConfigureDefender force WSC to apply these settings, and they cannot be changed by the user from WSC.

If you do not see the SmartScreen alert, then there are some possibilities, for example:
  1. SmartScreen is Disabled.
  2. The file extension is ignored by design - SmartScreen is triggered only for some executables, like EXE, MSI, COM, SCR, BAT, JSE, VBE, etc.
  3. The file has no MOTW attached.
It is easy to check (before execution) if the file has MOTW:

View attachment 225491

Without MOTW, the Unblock option is absent. The MOTW is skipped for files stored on flash drives or unpacked by many unpackers.
This makes a great case for RunBySmartScreen. Not a catch-all solution, but helpful in many situations!
 
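The MOTW check described above can also be done from the command line. The following PowerShell is an added example, not code from the thread or from the Hard_Configurator/ConfigureDefender project: it reads the Zone.Identifier alternate data stream that carries the Mark-of-the-Web, and includes a helper that writes a ZoneId=3 (Internet) mark onto a test sample so that a SmartScreen check can be exercised on files that an unpacker stripped it from. The function names are my own.

```powershell
# Added example (not from the thread). MOTW is stored in the NTFS alternate data
# stream named Zone.Identifier; ZoneId=3 means "Internet zone". FAT-formatted
# flash drives cannot hold alternate data streams, which is why the mark is lost there.

function Get-Motw {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream fails when the stream does not exist; that means "no MOTW".
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null }
    }

    $zone = $null
    $referrer = $null
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^ZoneId=(\d+)')       { $zone = [int]$Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.+)') { $referrer = $Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; HasMotw = $true; ZoneId = $zone; ReferrerUrl = $referrer }
}

function Set-Motw {
    # Re-attach the mark to a file (e.g. a sample extracted by an archiver that drops it)
    # so SmartScreen and "Unblock" behave as they would for a freshly downloaded file.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3   # 3 = Internet zone (constructed default for testing)
    )
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value @('[ZoneTransfer]', "ZoneId=$ZoneId")
}

# Usage: list every file in a sample folder and whether it carries MOTW.
# The folder path below is a placeholder; replace it with the folder holding your samples.
Get-ChildItem -LiteralPath 'C:\Samples' -File |
    ForEach-Object { Get-Motw -Path $_.FullName } |
    Format-Table Path, HasMotw, ZoneId -AutoSize
```

A file that reports HasMotw = $false will show no Unblock option in its Properties dialog and will not trigger the SmartScreen alert regardless of the Warn/Block setting, which is exactly the case the post describes for flash drives and many unpackers.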

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Any SmartScreen settings in WSC or ConfigureDefender (except the Disabled setting) have no influence on the SmartScreen check.
The "Warn" setting simply allows the user to run the application.
The "Block" setting does not allow the user to run the application.
The "User" setting in ConfigureDefender applies the setting from WSC.
The "Warn" and "Block" settings in ConfigureDefender force WSC to apply these settings, and they cannot be changed by the user from WSC.
I see. When testing malware on the hub, we download a password-protected zip file, then extract that file and execute anything that was not detected by signatures. Will SmartScreen work for these exe malware samples when I set it to "Warn" via ConfigureDefender?
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
I see. When testing malware on the hub, we download a password-protected zip file, then extract that file and execute anything that was not detected by signatures. Will SmartScreen work for these exe malware samples when I set it to "Warn" via ConfigureDefender?

If your question is in reference to my request, I changed my profile post request to use Max with no SS because I realized this could interfere with your normal testing routine.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I see. When testing malware on the hub, we download a password-protected zip file, then extract that file and execute anything that was not detected by signatures. Will SmartScreen work for these exe malware samples when I set it to "Warn" via ConfigureDefender?
No. The "Warn" setting (in WSC or ConfigureDefender) only allows choosing the available option after the SmartScreen alert is already shown. This setting has no influence on whether this alert is shown or not - it cannot add the MOTW to the file.
You will see the SmartScreen alert only if an executable supported by SmartScreen technology has MOTW attached (assuming that SmartScreen is enabled).
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
No. The "Warn" setting (in WSC or ConfigureDefender) only allows choosing the available option after the SmartScreen alert is already shown. This setting has no influence on whether this alert is shown or not - it cannot add the MOTW to the file.
You will see the SmartScreen alert only if an executable supported by SmartScreen technology has MOTW attached (assuming that SmartScreen is enabled).
Ok, thanks for clarifying :)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
If your question is in reference to my request, I changed my profile post request to use Max with no SS because I realized this could interfere with your normal testing routine.
SmartScreen can be Disabled in the test. This will not influence other WD settings.:giggle:(y)
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
This script was already being detected by WD but the execution wasn't blocked in my test. Same happened with another script in another test. My internet connection didn't drop. What could be the reason?
scr.PNG
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
This script was already being detected by WD but the execution wasn't blocked in my test. Same happened with another script in another test. My internet connection didn't drop. What could be the reason?
View attachment 225818
What is the source of this image?

Edit.
OK - @blackice is right, this was VT.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
This script was already being detected by WD but the execution wasn't blocked in my test. Same happened with another script in another test. My internet connection didn't drop. What could be the reason?
View attachment 225818
It seems that VT used more recent signatures or the sample was tested (on VT) with MOTW.
The difference might happen also when Windows E5 was used.

Post edited.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hmm ok, let's see what happens in the next test.
When using ShadowDefender on boot and, for some reason, there was a problem with updating the signatures, then you use pretty old signatures. So before the test, it is good to look at WSC to check that the signatures are freshly updated.
Anyway, if the sample has a standard signature (but not a fast signature related to BAFS), then it should also be detected dynamically by signatures in the cloud.
 
Last edited:

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
When using ShadowDefender on boot and, for some reason, there was a problem with updating the signatures, then you use pretty old signatures. So before the test, it is good to look at WSC to check that the signatures are freshly updated.
Anyway, if the sample has a standard signature (but not a fast signature related to BAFS), then it should also be detected dynamically by signatures in the cloud.
I always update before running Shadow Defender, and it's being detected by a fast signature, not the standard one. All the .exe file samples in the dynamic test were also detected by fast signatures, but for some reason this .js file wasn't.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I always update before running Shadow Defender, and it's being detected by a fast signature, not the standard one. All the .exe file samples in the dynamic test were also detected by fast signatures, but for some reason this .js file wasn't.

By fast signatures, I mean the signatures in the WD Cloud related to BAFS. If your samples are unpacked by WinRAR or 7-Zip, then they are ignored by BAFS. So, they are not detected by fast signatures. In this case, only standard signatures in the cloud and behavior-based Machine Learning models are used. It is often hard to see the difference between them, because behavior-based ML models can classify some samples as malicious in milliseconds.

If WD detection of the .js script on VT is related to BAFS, then it will not be detected in the static part of your tests, but rather in the dynamic part. In some cases, WD on Windows Home or Pro will not detect such samples (but they can be detected on Windows E5).(y)

Edit.
There is also a possibility that VT has access to the most recent signatures in the WD Cloud. Who knows?
 
Last edited:

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
I am curious about something. SeriousHoax did a sample test today with WD at Max settings, and static only detected 3 samples but WD got 13 others on demand (dynamic). Without the Max settings of ConfigureDefender, would these samples have infected the computer?


Weak local signatures are the reason for the low static detection. The real-time detection uses the cloud, which is WD's strong point. The main detection differences between the High and Max settings are the blocking level and the number of ASR rules enabled. One sample
"E6425863124892_460722.js opens wscript.exe and the payload is blocked by two ASR rules". One of these ASR rules, "Block executables unless they meet a prevalence, age or trusted criteria", would not have been enabled in the High setting. I am not sure whether it would have been a block, partial block, etc. with only the one rule "Use advanced protection against ransomware" instead of two.

Remember, you can enable all of these using High and manually select the additional ASR rules, blocking level, cloud timeout, etc., unless you encounter an ASR rule incompatibility with your system that does not allow exclusions.

Edited: last sentence.
 
Last edited:
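To see which of the settings discussed in this post (ASR rules, cloud blocking level, cloud timeout) are actually in force on a given machine, the state can be read back from the Defender preferences. The following PowerShell is an added example, not code from the thread or from ConfigureDefender; it assumes the two rule GUIDs below are Microsoft's published IDs for the two ASR rules named above (the rule-name table and function name are mine), and it uses the documented Get-MpPreference cmdlet.

```powershell
# Added example (not from the thread). Reads the ASR rule and cloud-protection state
# that ConfigureDefender's High/Max levels adjust, so a tester can confirm what was
# enabled before interpreting dynamic (on-execution) results.

# Microsoft's rule IDs for the two rules named in the post (assumed correct; verify
# against Microsoft's ASR rule reference before relying on them).
$AsrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Action codes used by AttackSurfaceReductionRules_Actions.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-DefenderHardeningState {
    $pref = Get-MpPreference

    # The two arrays are parallel: index i of _Ids pairs with index i of _Actions.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = ([string]$ids[$i]).ToLower()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(other rule)' }
            Action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        }
    }

    [pscustomobject]@{
        # MAPSReporting 0 = off; 2 = advanced (cloud-delivered protection on).
        MapsReporting        = $pref.MAPSReporting
        # CloudBlockLevel is the "blocking level" the post refers to (e.g. 2 = High).
        CloudBlockLevel      = $pref.CloudBlockLevel
        # Extra seconds Defender may hold a file for cloud analysis (the "cloud timeout").
        CloudExtendedTimeout = $pref.CloudExtendedTimeout
        AsrRules             = $rules
    }
}

# Usage: show the cloud settings, then the rules that are not disabled.
$state = Get-DefenderHardeningState
$state | Select-Object MapsReporting, CloudBlockLevel, CloudExtendedTimeout | Format-List
$state.AsrRules | Where-Object { $_.Action -ne 'Disabled' } | Format-Table RuleId, Action, Name -Wrap
```

If the "prevalence, age, or trusted list" rule is absent from the output or shows Disabled, the machine is in the High-style configuration the post describes, and only the ransomware rule would have stood between the wscript.exe launch and its payload; that is the difference to record before comparing a High run with a Max run.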

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
I am curious about something. SeriousHoax did a sample test today with WD at Max settings, and static only detected 3 samples but WD got 13 others on demand (dynamic). Without the Max settings of ConfigureDefender, would these samples have infected the computer?
Just to inform you,
static = on-demand scan
dynamic = on-execution detection
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
In the test made by SeriousHoax, the ConfigureDefender "MAX Protection level" settings cannot change the results of the static (on-demand scan) detection. These settings have an impact on dynamic (on-execution) detection.
The situation is more complicated when the samples have MOTW attached. Such samples can be treated by WD as if they were executed, even when the user just opens the folder with the samples. The testers usually count such detections as static, but then the ConfigureDefender MAX Protection level can have an important impact on static detection results.
 
