Andy Ful

Level 63
Verified
Trusted
Content Creator
For some reason, when I choose "Remove" or "Quarantine" for some of the detected files/threats, nothing is done. Only when I choose "Allow on device" is the entry removed; otherwise it just stays there. Did I miss some settings? I'm using SUA with ConfigureDefender @ High
Sometimes the files are locked and are removed by WD after reboot.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Guys, I need some help/feedback to clarify the usability of ConfigureDefender MAX settings, especially the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" (this rule is disabled in HIGH settings).

From my quick tests, it follows that when running fresh (less than 24 hours old) application installers/updaters from Softpedia, almost all digitally signed files are not blocked at all by this ASR rule. For now, I found only one blocked example (blocked for 2 days) which was ZHPDiag application similar to Farbar Recovery Scan Tool (FRST is not signed and was also blocked for 2 days).

So, please post here if anybody had problems with blocking the installation/update of any application especially digitally signed.🙏:)
 

security123

Level 25
Verified
Today I found the first problems.
As a backup program I use Personal-Backup.
The problem is that this program isn't digitally signed. Before the ASR rule, I allowed unsigned files temporarily, but this isn't possible as the ASR rule blocks the SmartScreen check:
SmartScreen.png

Also, the rule blocks adding the program exe to the H_C whitelist:
Whitelist.png

The error logs are:
Microsoft Defender Exploit Guard hat einen Vorgang blockiert, der vom IT-Administrator nicht zugelassen wurde.
Weitere Informationen erhalten Sie von Ihrem IT-Administrator.
ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
Erkennungszeit: 2020-09-17T10:06:55.499Z
Benutzer: XXX
Pfad: D:\XXX\Downloads\XXX\pb-setup-x64-6.1.0801.exe
Prozessname: C:\Windows\explorer.exe
Version der Sicherheitsinformationen: 1.323.1332.0
Modulversion: 1.1.17400.5
Produktversion: 4.18.2008.9

Microsoft Defender Exploit Guard hat einen Vorgang blockiert, der vom IT-Administrator nicht zugelassen wurde.
Weitere Informationen erhalten Sie von Ihrem IT-Administrator.
ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
Erkennungszeit: 2020-09-17T10:06:55.849Z
Benutzer: XXX
Pfad: D:\XXX\Downloads\XXX\pb-setup-x64-6.1.0801.exe
Prozessname: C:\Windows\Hard_Configurator\Hard_Configurator(x64).exe
Version der Sicherheitsinformationen: 1.323.1332.0
Modulversion: 1.1.17400.5
Produktversion: 4.18.2008.9

Microsoft Defender Exploit Guard hat einen Vorgang blockiert, der vom IT-Administrator nicht zugelassen wurde.
Weitere Informationen erhalten Sie von Ihrem IT-Administrator.
ID: 01443614-CD74-433A-B99E-2ECDC07BFC25
Erkennungszeit: 2020-09-17T10:06:24.728Z
Benutzer: XXX
Pfad: D:\XXX\Downloads\XXX\pb-setup-x64-6.1.0801.exe
Prozessname: C:\Windows\Hard_Configurator\InstallBySmartScreen(x64).exe
Version der Sicherheitsinformationen: 1.323.1332.0
Modulversion: 1.1.17400.5
Produktversion: 4.18.2008.9
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Today I found the first problems.
As a backup program I use Personal-Backup.
The problem is that this program isn't digitally signed. Before the ASR rule, I allowed unsigned files temporarily, but this isn't possible as the ASR rule blocks the SmartScreen check:
View attachment 246373

Also, the rule blocks adding the program exe to the H_C whitelist:
View attachment 246374

The error logs are:
Thanks for reporting.:)
WD blocks access to the installer, so "Install By SmartScreen" cannot work. You also cannot copy the file to another location. Adding ASR exclusions for blocked installers will not solve the problem, because the next installer will be blocked too. Whitelisting in H_C cannot help, because this block is not related to SRP.
As I noted in one of my previous posts, the simple solution is to set the prevalence ASR rule to Audit, run the installer to update (reboot or log off is not necessary), and finally run the updated application. Next, you can set this ASR rule to ON again. WD will remember that it should not be blocked.

Edit.
The file pb-setup-x64-6.1.0801 is now allowed by ASR on my computer.
It was pushed to Softpedia 15.09.2020, so the block has lasted 2 days.
 
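The Audit-then-Block workaround described above, written out as a PowerShell script. This is an added example, not code from the original post or from ConfigureDefender itself; it uses the rule ID shown in the Exploit Guard log quoted earlier, the Defender cmdlets ConfigureDefender builds on, and a placeholder installer path. Run it from an elevated PowerShell.

```powershell
# Added example: put the "prevalence, age, or trusted list" ASR rule into Audit,
# run one installer, then restore Block mode. Requires an elevated prompt.
# Rule ID taken from the Exploit Guard log in this thread.
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'
$Installer      = 'D:\Downloads\pb-setup-PLACEHOLDER.exe'   # placeholder path

# Read the current action for one ASR rule (0 = Disabled, 1 = Block, 2 = Audit).
function Get-AsrRuleAction {
    param([string]$RuleId)
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
            return [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return 0   # rule not configured at all = Disabled
}

$before = Get-AsrRuleAction $PrevalenceRule
if ($before -ne 1) { Write-Warning "Rule is not in Block mode (action=$before)." }

# 1. Audit mode: Defender logs what it would have blocked but lets it run.
Set-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRule `
                 -AttackSurfaceReductionRules_Actions AuditMode
try {
    # 2. Run the installer and wait for it; no reboot or log-off needed.
    Start-Process -FilePath $Installer -Wait
}
finally {
    # 3. Restore Block mode even if the installer failed or was cancelled.
    Set-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# 4. Review what this rule touched during the audit window:
#    event 1121 = ASR block, 1122 = ASR audit, in the Defender Operational log.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddMinutes(-30)
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match [regex]::Escape($PrevalenceRule) } |
  Select-Object TimeCreated, Id,
      @{ n = 'Path'; e = { ($_.Message -split "`n" |
            Select-String -Pattern 'Path:|Pfad:' | Select-Object -First 1).Line } } |
  Format-Table -AutoSize
```

The final query lists the 1122 audit events from the installer run, so you can confirm which file the rule would have blocked before switching it back to Block.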

Andy Ful

Level 63
Verified
Trusted
Content Creator
I have received some emails from a guy who wants to rebrand ConfigureDefender. Here is one of the emails:

"Hey Andy,

Thanks for the response! You understand correctly, but I would as well like to rebrand with a different name.

I am personally not a developer and have no preference as to what language is used. Typically, I pass the code to freelance developers who are able to accomplish whatever changes needed. I don't usually reach out directly to the authors but I really enjoy ConfigureDefender and wouldn't want to ruin the elegance of the program with a different author.

Are you taking projects right now and would you like to be paid to work on this together? I have already designed what the new GUI would look like.

It would be great to talk more on either a call or by email. Happy to accommodate your schedule.
"

Here is my answer:
"Hi,
AutoIt has limited GUI capabilities. So, if you use another programming language, a sufficiently different GUI, and rebrand the application with a different name and a different author, then it should be OK.
I have enough money so I do not need to sell my projects. They are made to improve users' computer safety.

Regards."
 

Raiden

Level 18
Verified
Content Creator
I have received some emails from a guy who wants to rebrand ConfigureDefender. Here is one of the emails:

"Hey Andy,

Thanks for the response! You understand correctly, but I would as well like to rebrand with a different name.

I am personally not a developer and have no preference as to what language is used. Typically, I pass the code to freelance developers who are able to accomplish whatever changes needed. I don't usually reach out directly to the authors but I really enjoy ConfigureDefender and wouldn't want to ruin the elegance of the program with a different author.

Are you taking projects right now and would you like to be paid to work on this together? I have already designed what the new GUI would look like.

It would be great to talk more on either a call or by email. Happy to accommodate your schedule.
"

Here is my answer:
"Hi,
AutoIt has limited GUI capabilities. So, if you use another programming language, a sufficiently different GUI, and rebrand the application with a different name and a different author, then it should be OK.
I have enough money so I do not need to sell my projects. They are made to improve users' computer safety.

Regards."
Sounds like your typical opportunist looking to make money off your work. ;)
 

Raiden

Level 18
Verified
Content Creator
He stated that it will not be a paid application (probably with some ads). I do not mind if someone makes a better GUI, if it is a good program.:)

That's fair.

Believe me, I'm not here to tell you what you should and shouldn't do, hehe; after all, it's your program(s).

Personally I truly appreciate all the hard work you put into these programs. You've done a great service to us security geeks and those who want to be able to secure their systems more easily. I'm very much a cautious person and tend to view things like this with some sort of skepticism.

IMHO, while the GUI may not be the prettiest out there, for the most part once someone uses your software to configure their system, rarely does one have to go back in, unless they want to change something.

Again, I'm not here to pressure you one way or another; I just know there's no such thing as free, and sometimes people have other motives than what they are telling you.

Keep up the great work!(y):emoji_beer:
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
...
Personally I wouldn't allow that guy to release your tools with changes.
I am not sure if I could call ConfigureDefender completely my program. In fact, it is my GUI and some research, but much is done by the well-documented PowerShell cmdlets. This will be another application made by another developer.
As you know, I am not the person who would like to spend all my life working on GUIs. I prefer researching security problems and proposing a good solution to working on a good-looking design. Furthermore, I do not want to stop developing the configuration of Windows Defender. :)(y)
 