Andy Ful

Level 62
Verified
Trusted
Content Creator
hi guys, need help here.
I tried to setting "High" instead of "Default". I am running Kaspersky Antivirus and ran some OOshutup and debotnet in the past. Firewall is simplewall
How do i resolve this?

ConfigureDefender is useless when using Kaspersky. ConfigureDefender is for configuring WD real-time protection, which is disabled when using another AV.
 

conditions

New Member
ConfigureDefender is useless when using Kaspersky. ConfigureDefender is for configuring WD real-time protection, which is disabled when using another AV.
Noted Sir. Let me try without KAV. Thanks for reply.

I used O&O with nearly every setting ticked and had no problem with Configure Defender "High" or "Max". O&O doesn't restrict powershell afaik.
In O&O under "Actions" is "undo all changes aka factory reset"
Yes i can try to reset through O&O. Thanks

Can you Give me incite?I have 3 computers at home 2 are used every day,third for when the kids visit, Am I a candidate for SPEM,and if so how would one of my computers be the dedicated server? Thanks(dont feel obliged to respond)
I think it would be good if you contact @Vitali Ortzi.

How is that going performance wise ?
Applications are launching much faster than before so I am happy for now but probably it may not last longer.
Update - Kaspersky stops Kaspersky Free!
 

Vitali Ortzi

Level 20
Verified
Applications are launching much faster than before so I am happy for now but probably it may not last longer.
Update - Kaspersky stops Kaspersky Free!
Good to hear you don't have anymore performance issues.
As essentially SEP full installation can be heavy on some machines whatever it's because of IO/CPU usage (default settings have high amount of impact on both for low end computers) or even ram usage (ram usage can sometimes even have a huge impact on performance because it might cause less prefetch data or worse forcing apps to use HDD instead ).

Usually I recommend to whom have too much performance downgrade to use it as an IPS/ firewall plus a low resource security product as it is very helpful to mitigate attacks in early stages especially with the DeepSight intelligence and the very smart IPS while using very little resources other then the disk space footprint (still slightly lower than full installation).
Anyway to anyone who is looking for rules to added to SEP firewall .
I would recommend to start by putting it into default deny config (if possible )

And playing with built in rules and importing Andy H_C windows firewall rules into SEP.
 
Last edited:

oldschool

Level 54
Verified
Here is a handy list of powershell commands to configure some extra Defender settings not included (or normally needed) in ConfigureDefender:

 

Moonhorse

Level 28
Verified
Content Creator
Dont want to post other thread since this is false positive, but while running emsisoft emergency kit i got this trojan alert from WD, after clean install

wddd1.png


@Andy Ful how i can see wich caused this ?

edit2 : whenever i run emsisoft emergency kit , it will spawn this tmp000000.. file and whenver i exit emsisoft emergency kit it will get removed itself

tmppp41.png


Since its 0kt i cant upload it to virustotal , so how im supposed to get this false positive reported?
 
Last edited:

Andy Ful

Level 62
Verified
Trusted
Content Creator
Dont want to post other thread since this is false positive, but while running emsisoft emergency kit i got this trojan alert from WD, after clean install

View attachment 245351

@Andy Ful how i can see wich caused this ?

edit2 : whenever i run emsisoft emergency kit , it will spawn this tmp000000.. file and whenver i exit emsisoft emergency kit it will get removed itself

View attachment 245352

Since its 0kt i cant upload it to virustotal , so how im supposed to get this false positive reported?
You can post about this issue to Emsisoft. They should be obliged to inform Microsoft (developer whitelisting request) and then the file will be whitelisted by Microsoft.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
I made the test on my machine (Windows 10 64-bit Pro, ver 2004) with ConfigureDefender MAX Protection Level and latest EEK ver. 2020.5.0.10152.
Microsoft Defender :
AntispywareSignatureVersion 1.321.1681.0
AMProductVersion 4.18.2008.4
AMEngineVersion 1.1.17300.4

After the execution, EEK creates the tmp00000000 file, but it is not detected as malicious both on my and your computer. On your computer, a different file is detected as malicious (tmp000028d5).
On ConfigureDefender MAX setup, I have got one alert related to ASR rules (lsass.exe) and one related to CFA (block changes in memory, \Device\Harddisk0\DR0). Both are not important. No false positives from Microsoft Defender engines (antispyware or antimalware).

You can use <Defender Security Log> in ConfigureDefender to see some info about the blocked file tmp000028d5.
 
Last edited:

Andy Ful

Level 62
Verified
Trusted
Content Creator
ASR exclusions.

ASR rules are part of WD behavior blocking and work after the suspicious action is taken by running processes. Such protection could be also called advanced HIPS or behavior blocker (on-execution and post-execution blocking). Most ASR rules work locally (no cloud backend), but they have to be updated from time to time.

There is one ASR rule (eg. "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25) which highly depends on the cloud backend.
This rule is a valuable additional protection against malicious executables (EXE, SCR, DLL, etc.), but can produce false positives for not-popular applications. In such a case, WD blocks access to the executable so it cannot be executed, copied, or uploaded. This can be annoying because (rarely) some applications can be blocked for several days. Furthermore, after disabling this ASR rule and installing the application, it will be usually blocked after enabling the rule.

So, what to do?
1. One can disable this rule (like in ConfigureDefender HIGH Protection Level).
2. One can temporarily disable the rule, install (or update) an application, and add the ASR exclusion for the application folder.

When adding the ASR exclusions it is worth remembering that these exclusions will be active for all ASR rules that allow exclusions (3 rules do not allow exclusions). Also, these ASR exclusions will have no impact on WD antimalware exclusions.
It seems, that adding the exclusion for "Program Files" (or "Program Files (x86)") folder does not decrease much the ASR protection, but one should not exclude the Windows system folder.
Excluding the application folders in the UserProfile could be in theory exploited by the attacker, but I did not see it in the wild. So, probably it is better to keep this ASR rule activated with some folder exclusions than not using it at all.

Please, post here about your own experience related to ASR rules and ASR exclusions. (y)
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
You might face issues when you're writing custom BAT scripts or python scripts that automate few things.
Normally there should not be issues, except when the scripts try to download and run something or do some other actions similar to fileless malware. Python scripts are not blocked by ASR rules, but Python executable interpreter can be blocked in some scenarios as a child process.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
I found a nice picture of the WD local and cloud script protection:

WDscriptprot.png


"On endpoints, performance-optimized machine learning models inspect script content and behavior through AMSI. When scripts run and malicious or suspicious behavior is detected, features are extracted from the content, including expert features, features selected by machine learning, and fuzzy hashes. The lightweight client machine learning models make inferences on the content. If the content is classified as suspicious, the feature description is sent to the cloud for full real-time classification. In the cloud, heavier counterpart machine learning models analyze the metadata and uses additional signals like file age, prevalence, and other such information to determine whether the script should be blocked or not.
These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, even after they have started running.
"

AMSI and ASR rules are a part of the WD behavior blocking protection (local and cloud-based, pre and post-execution) focused on scripting attacks.
 
Top