ConfigureDefender utility for Windows 10

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
harlan4096 said:
@Andy Ful: what about XLSTATSTART.exe? I got final verdict from KVirusDesk is clean, also appears as Trusted in KSN... :unsure: :unsure:

I've also tested with KTS2020d (defaults) and :

I've tested and triggers cmd.exe -> conhost.exe for about 1 second and auto terminates, it only left a 0 KB file... false positive??
Click to expand...
It looks like a crack for XLSTAT (AddinSoft) for Excel.
 
  • Like
  • Thanks
  • +Reputation
Reactions: [correlate], Venustus, Mercenary and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
SeriousHoax said:
I checked log, there wasn't anything in the log about this sample.
Click to expand...
Is there any entry in the Log for blocking via ASR rules (search for 1121 in the Log)? You can also post the Log, I am curious how this malware was mitigated.:giggle:(y)
The payload should be blocked when spawning by WmiPrvSE.exe.
 
Last edited:
  • Like
  • Thanks
Reactions: [correlate], Venustus, harlan4096 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
  • Like
  • +Reputation
Reactions: [correlate], oldschool, silversurfer and 2 others
Special

Special

Level 1
Verified
Mar 24, 2016
43
How is it offtopic, there is an option in your program and it's labeled ??????, I'm wondering what it does/means/do/supposed to say, etc. just answer the question and this will move on.
 
  • Like
Reactions: [correlate]
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
Special said:
How is it offtopic, there is an option in your program and its labled ??????, I'm wondering what it does/means/do/suspose to say, etc. just answer the damned question and this will move on.
Click to expand...
Please be kind. Your post :
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-837296
is probably displayed improperly. Here what I can see on my computer:
quantas.png

That is why some members completely did not understand what it should mean.
There is one setting ??????? in ConfigureDefender, and it means that the user hid only some features in Windows Security Center by using reg tweaks, GPO, or other software.
 

Attachments

  • quantas.png
    quantas.png
    62.6 KB · Views: 346
Last edited:
  • Like
  • +Reputation
Reactions: [correlate], Venustus, Protomartyr and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
Some notes related to the latest test:
https://malwaretips.com/threads/malware-samples-14-2-10-2019.95369/post-837733

4.bat was analyzed here:
https://app.any.run/tasks/310bde9b-a55c-4525-815c-5c0e6566197e/
If successful then it writes autorun entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
msptermsizes = "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"

DH_695294_7957766861156.vbs was analyzed here:
https://app.any.run/tasks/65743ea0-6e3c-409c-a617-cfdf189501a7/
If successful then it writes autorun entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
wdukuigy = "C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe"

Chrome.Update.cfbe05.js was analyzed here:
https://app.any.run/tasks/79b53a41-6f20-42dd-875f-b8291ab51715/
It is probably a part of some more complex attack - it does not try to do anything dangerous. It can be also that the CnC server is already down.
 
Last edited:
  • Like
  • +Reputation
Reactions: [correlate], silversurfer, Venustus and 2 others
oldschool

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,106
Special said:
Sorry, but I was getting fusterated with all the non-answers. I have no idea why you are seeing what you see, this is what I posted, and this is the link to said pictures (maybe this'll work)...View attachment 226636View attachment 226637
Click to expand...

This was @Andy Ful's reply earlier today:

Andy Ful said:
There is one setting ??????? in ConfigureDefender, and it means that the user hid only some features in Windows Security Center by using reg tweaks, GPO, or other software.
Click to expand...
 
  • Like
  • +Reputation
Reactions: [correlate], Andy Ful, Venustus and 3 others
SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,633
Andy Ful said:
Is there any entry in the Log for blocking via ASR rules (search for 1121 in the Log)? You can also post the Log, I am curious how this malware was mitigated.:giggle:(y)
The payload should be blocked when spawning by WmiPrvSE.exe.
Click to expand...
There wasn't any. Even in the last malware pack test for the 3 script there wasn't any entry related to those.

oldschool said:
@SeriousHoax In your testing with Max settings I guess you haven't had any ransomware make it far enough to be blocked by Controlled Folder Access? :unsure:
Click to expand...
So far, no. All the ransomwares have been blocked by signatures.
 
  • Like
Reactions: [correlate], oldschool, Andy Ful and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
SeriousHoax said:
There wasn't any. Even in the last malware pack test for the 3 script there wasn't any entry related to those.
Click to expand...
The two samples from the last test add autorun entries, so I am sure that they were neutralized on your testing system or were already dead. It is also possible that they were stopped by WIndows 10 mitigations. Anyway, we do not know if WD could mitigate/block them.:unsure:
 
  • Like
  • +Reputation
Reactions: [correlate], oldschool, SeriousHoax and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
matrixlord said:
Network Protection not working. Opera&Edge // host&vm

View attachment 226703
Click to expand...
The Demo link SmartScreen Test does not work for me too. That happened several times in the past. But, Network Protection still works for the real phishing links. I have just tried this on the one-year-old link and NP works well. If someone wants to check it, then please PM to me.(y)
 
  • Like
  • Thanks
Reactions: [correlate], harlan4096, plat and 2 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
254
Views
17,017
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
21,950
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus with Andy Ful WHHLight
Replies
38
Views
3,868
Video Reviews - Security and Privacy
LennyFox
L

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top