ConfigureDefender utility for Windows 10/11

Here is a simple VBS script to check the ASR rule related to running something via WMI:
Code:
'Using WMI Win32_Process
Option Explicit
Dim objWMIService, objStartup, objConfig, process, result, processid
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 0   ' 0 = SW_HIDE
Set process = GetObject("winmgmts:Win32_Process")
' Create() returns 0 when the process was started; a blocked call returns a non-zero code
result = process.Create("powershell_ise", Null, objConfig, processid)
WScript.Echo "Win32_Process.Create returned " & result
WScript.Quit

It should be blocked if the rule "Block process creations originating from PSExec and WMI commands" (d1e49aac-8f56-4280-b9ba-993a6d77406c) is enabled. If not blocked, then it will run the PowerShell script editor/debugger (PowerShell Integrated Scripting Environment).
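As an added example (not code from this thread), the following PowerShell checks whether that ASR rule is configured and in which mode, then pulls the Defender events the rule writes, so the block can be confirmed from the log rather than from whether an ISE window appeared. It assumes an elevated PowerShell session on Windows 10/11 with the built-in Defender module; the variable names are mine.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell on Windows 10/11
# with the built-in Defender module (Get-MpPreference) available.
$RuleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'  # Block process creations originating from PSExec and WMI commands

# --- 1. Is the rule configured, and in which mode? ---
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
# Action codes used by Defender: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$mode = 'not configured (treated as Disabled)'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) {
        $code = [int]$actions[$i]
        $mode = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "unknown ($code)" }
    }
}
Write-Output "ASR rule $RuleId is $mode"

# --- 2. Did the rule fire? ---
# Defender logs ID 1121 for a block and 1122 for an audit-mode hit; the event
# message carries the rule GUID and the command line that triggered it.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddHours(-1)
}
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId }

if (-not $hits) {
    Write-Output 'No 1121/1122 events for this rule in the last hour.'
} else {
    $hits | ForEach-Object {
        $kind = if ($_.Id -eq 1121) { 'BLOCKED' } else { 'AUDIT' }
        Write-Output ("{0}  {1}`n{2}" -f $_.TimeCreated, $kind, $_.Message)
    }
}
```

Run the VBS test, then this script; an ID 1121 event naming the rule GUID and the WMI-spawned command line confirms the block. If the rule turns out not to be configured, `Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled` switches it to Block mode.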
 
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
 
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
I doubt there is anyone working for Microsoft who knows everything about every aspect of Windows. It's just too vast and constantly changing. The experts are compartmentalized.
 
Yeah, I have seen the logs myself when I used configure defender. I'm more surprised that someone in Microsoft doesn't know those rules can work in Home.

Makes me wonder how many things employees or volunteers don't know about their own product.
I think that he knows about Windows Home capabilities, but the article is related to Microsoft Defender ATP (paid software) which is not available on Windows Home. Technically he is not wrong, but simply not especially precise when ignoring Windows Home. The same approach is visible in MS documentation, so the only way is testing the advanced WD features on Windows Home to see how they work.
 
Both should apply their mitigations. So, if you will apply the mitigation A by HMPA and mitigation B by Exploit Guard, then both should work. Of course, two anti-exploit solutions can sometimes produce conflicts.
 
Both should apply their mitigations. So, if you will apply the mitigation A by HMPA and mitigation B by Exploit Guard, then both should work. Of course, two anti-exploit solutions can sometimes produce conflicts.
I haven't seen good documents on HitmanPro.Alert, so I can't understand what Defender's Exploit Guard can defend against that HitmanPro lacks.
 
This is a good question for the developer.:)
There is some information on the developer website (slightly outdated):
Thanks so much for researching the Web!
Shame on Sophos for the lack of documentation, despite HitmanPro.Alert being exported to Intercept X endpoint protection!
Not many enterprise vendors have this much lack of documentation!
I'm abandoning these products, unfortunately.
 
Thanks so much for researching the Web!
Shame on Sophos for the lack of documentation, despite HitmanPro.Alert being exported to Intercept X endpoint protection!
Not many enterprise vendors have this much lack of documentation!
I'm abandoning these products, unfortunately.
This job was not done by me. I found this document in one of the posts of @Sampei Nihira, when we discussed his Windows XP config.:)
 
Is there a way to troubleshoot this? I have tried disabling the AV (Trend Micro), but it still doesn't work. I don't have any other security tool.

 
So the Exploit Guard settings (not the AV ones) only apply if Windows Defender is enabled? Is it tied to WD?

Yes, but you may use exploit protection for browsers and other programs in Windows Security Center>App and browser control>Exploit protection settings. These are OS protection capabilities separate from Windows Defender.
 
Windows Defender has received a new program update today: KB4052623 (Version 4.18.2004.6)
Haven't found any changelog yet:
Strange, I have got this Windows Update KB4052623 in February (27.02.2020).:unsure:
It seems that KB4052623 may update different versions (mine was 4.18.2001.10). My current version is also 4.18.2004.6, but was done via normal WD signature updates (21.04.2020) and not by Windows Updates.
 
Strange, I have got this Windows Update KB4052623 in February (27.02.2020).:unsure:
It seems that KB4052623 may update different versions (mine was 4.18.2001.10). My current version is also 4.18.2004.6, but was done via normal WD signature updates (21.04.2020) and not by Windows Updates.
I noticed this too. Same KB version for both updates. My one was downloaded by signature update too.
One thing that I noticed is that, since 4.18.2001.10 came out, after installing a new Windows it always downloads this update before downloading any newer ones. I guess from now on, after this 4.18.2004.6 update, Windows will download this one instead of the older one. This is probably their cumulative product update for Windows Defender. Anyway, I'm just guessing this because of the same KB number.