Update ConfigureDefender utility for Windows 10

Andy Ful

Level 66
Verified
Trusted
Content Creator
Dec 23, 2014
5,598
Today I tried to launch ConfigureDefender v3.0.0.1 and I get...



...

Only running Windows Defender.

Win10 Home x64 v2004.
I investigated this issue a little on the AutoIt forum. The problem can be related to upgrading from Windows 8 or 8.1 to Windows 10 while still preserving the possibility to downgrade. In this situation, the AutoIt function recognizes that the system is not fully Windows 10. That is good for ConfigureDefender, because there could be a problem when the user applied the advanced settings and next downgraded to Windows 8 or 8.1 (preserving the WD setup). These settings can be configured only by PowerShell ver. 5.0+, which is not present in Windows 8 and 8.1.
So the current behavior of ConfigureDefender is in fact the safest for the user.
I will add the info about it to the ConfigureDefender manual. (y)

Andy Ful

While this may be... it doesn't explain my experience, as I have no means to revert to Win 8/8.1 short of bare metal.
Did you remove the files related to the previous version? You can use the Windows built-in cleanup:
  1. Open Settings
  2. Select System > Storage > This PC and then scroll down the list and choose Temporary files.
  3. Under Remove temporary files, select the Previous version of Windows check box and then choose Remove files.
Another thing. Did you run ConfigureDefender in compatibility mode? This can also happen when running it via a custom file explorer. If so, then the AutoIt function will see the Windows version used for compatibility (not Windows 10).

Telos

Level 21
Verified
Content Creator
Jan 29, 2017
1,014
Did you remove the files related to the previous version? You can use the Windows built-in cleanup:
When I upgraded to Win10 I used repair install. Since then I've regularly used "Disk Cleanup" in admin mode.

Presently...

So it seems there is something else triggering the Win10 warning (nothing runs in compatibility mode, AFAIK).

Andy Ful

When I upgraded to Win10 I used repair install. Since then I've regularly used "Disk Cleanup" in admin mode.

Presently...

So it seems there is something else triggering the Win10 warning (nothing runs in compatibility mode, AFAIK).
Yes, it is strange.
I created a Windows version checker which uses the same AutoIt function as ConfigureDefender. Could you use it to check what version ConfigureDefender can see on your computer?
ConfigureDefender/CheckVersion.zip at master · AndyFul/ConfigureDefender (github.com)

There are two executables in the ZIP archive. The CheckVersion64.exe is for 64-bit Windows.
Thank you.

Andy Ful

I posted a short false positives test of ConfigureDefender MAX settings (without Controlled Folder Access) as compared to Norton LifeLock (default settings):
User Feedback - Microsoft Defender 6/12/2020 Review | MalwareTips Community

Conclusion.
It seems that Norton LifeLock (default settings) and WD (ConfigureDefender MAX settings) use a similar protection method that includes file reputation of PE files. It is very strong but can give more false positives for fresh files. The false positives rate is similar for Norton and WD (ConfigureDefender MAX settings). In most cases, the WD blocks are released after two days.

oldschool

Level 59
Verified
Mar 29, 2018
4,857
@Andy Ful
How does Defender's Cloud Protection Level set to Block and the "prevalence, age or trusted list" ASR rule differ in terms of protection?
Does one invalidate the other or do they provide different functionality?
I don't know if my limited understanding helps:

ASR rule = blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: executable files (such as .exe, .dll, or .scr) using M$ criteria, which isn't otherwise specifically defined in supporting docs. "This rule uses cloud-delivered protection to update its trusted list regularly."

Block setting = Zero tolerance: Blocks all unknown executables. Higher number of FPs.

Andy Ful

@Andy Ful
How does Defender's Cloud Protection Level set to Block and the "prevalence, age or trusted list" ASR rule differ in terms of protection?
Does one invalidate the other or do they provide different functionality?
They provide different protection.
The first works to detect both fresh and older malware. It uses behavior-based detections. It is the primary protection. The Block Level can slightly increase the number of false positives.
The second is a kind of file reputation for the fresh files. The reputation is based on the file prevalence, age, and some unknown trust criteria managed by Microsoft. It is very strong against PE malware (EXE, SCR, etc.) and can produce some false positives (when an application uses auto-update) for about 2 days - after this time almost all clean applications are allowed.

Andy Ful

It seems that people still can have a problem with the ASR prevalence rule:

The solution described by @Nightwalker is not optimal:

I would like to recall the easy procedure to bypass this rule if it is necessary:
  1. Run ConfigureDefender and temporarily set the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" to Audit (do not choose Disabled).
  2. Run the blocked application. If it is an installer then run the installer and next run the installed application.
  3. Set the ASR rule to ON. WD will automatically remember that the application has to be allowed locally, so it will not be blocked again by this ASR rule on this particular computer.
A similar thing cannot be done by disabling the ASR rule, because after enabling this rule the file will be blocked again. When disabling the rule the application executable has to be additionally excluded by using <Manage ASR Exclusions> in ConfigureDefender and Windows has to be also restarted (changing ON<--->Audit does not require restarting). This procedure is more complicated than the procedure described in points 1-3. :) (y)
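The Audit -> run -> ON sequence from the post above, done with the built-in Defender cmdlets instead of the ConfigureDefender GUI. This is an added example, not ConfigureDefender's or Andy Ful's code; it assumes an elevated PowerShell prompt, and the rule GUID is the one Microsoft documents for the prevalence/age/trusted-list rule.

```powershell
# Added example (not ConfigureDefender's own code). Run from an elevated PowerShell prompt.
# Microsoft's documented ID for "Block executable files from running unless they meet a
# prevalence, age, or trusted list criterion":
$PrevalenceRuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

function Get-PrevalenceRuleAction {
    # Returns the rule's current action (0 = Disabled, 1 = Block, 2 = Audit), or $null if unset.
    # Ids and Actions are parallel arrays in MpPreference, so look the action up by index.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $PrevalenceRuleId) { return [int](@($pref.AttackSurfaceReductionRules_Actions)[$i]) }
    }
    return $null
}

function Set-PrevalenceRuleAction {
    # Only Block (Enabled) and Audit are offered on purpose: the post explains that Disabled
    # needs an extra ASR exclusion and a reboot, while Block <-> Audit applies immediately.
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'AuditMode')][string]$Action)
    # Add-MpPreference updates this one rule; Set-MpPreference would replace the whole rule list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRuleId -AttackSurfaceReductionRules_Actions $Action
}

function Invoke-WithPrevalenceRuleAudited {
    # Steps 1-3 of the post: audit the rule, run the blocked program once, switch the rule back on.
    param([Parameter(Mandatory)][string]$FilePath, [string[]]$ArgumentList = @())
    Write-Host "Rule action before: $(Get-PrevalenceRuleAction) (0=Disabled 1=Block 2=Audit)"
    Set-PrevalenceRuleAction -Action AuditMode                    # step 1
    try {
        $startArgs = @{ FilePath = $FilePath; Wait = $true }
        if ($ArgumentList.Count -gt 0) { $startArgs.ArgumentList = $ArgumentList }
        Start-Process @startArgs                                  # step 2 (installer or application)
    } finally {
        Set-PrevalenceRuleAction -Action Enabled                  # step 3, even if the program failed
    }
    Write-Host "Rule action after: $(Get-PrevalenceRuleAction)"
}

# Usage (the path is a placeholder, not a real file from the thread):
# Invoke-WithPrevalenceRuleAudited -FilePath 'C:\Downloads\SomeInstaller.exe'
```

If the program is an installer, run the installed application once as well before the rule returns to Enabled, as step 2 of the post says.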

Nagisa

Level 6
Verified
Jul 19, 2018
286

Andy Ful

This vulnerability is not related to advanced WD settings that can be enabled by ConfigureDefender. It is also improbable that it could be used in widespread attacks, because it cannot give the attacker any profit. Anyway, it seems that it can be used for some time to abuse websites for fun.
This NTFS driver vulnerability is related to a specific command line with the $I30 attribute or a shortcut's faulty icon path. On reboot, the Windows check disk utility can probably repair the error (as it follows from the BleepingComputer article), but I did not test it. In Enterprises, this vulnerability can be used to force a Windows restart, which can be some advantage to the attacker (especially when attacking the servers).

Edit.
As the author explains, the exploit can be delivered via an HTML webpage, so it will probably be blocked soon by the AV web protection modules.

Andy Ful

Is there any way to reset protection history for attack surface reduction rules? I deleted files under history folder but all detections related to ASR remained on the GUI. It crashes often because of that.
Do you mean the Windows Defender GUI? If so, then it is possible after disabling WD service:
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-837954
The bug with crashing WD history is not related to displaying ASR entries. It can often cause crashes when there are too many history entries.

Gandalf_The_Grey

Level 42
Verified
Trusted
Content Creator
Apr 24, 2016
3,103
@Andy Ful In the attack on IOBIT users, exceptions were added to Microsoft Defender:
Emsisoft analyst Elise van Dorp, who also analyzed the ransomware, stated the ransomware adds the following Windows Defender exclusions to allow the DLL to run.

@WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"
@WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"\Temp\\"
@WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionExtension=\".dll\"
@WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionProcess=\"rundll32.exe\"
Can we protect ourselves from this by the use of any of your tools?
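A defender-side check for the kind of change quoted above: it lists the current MpPreference exclusions that match the quoted patterns (a Temp path, a whole executable extension, a loader process) and pulls recent Defender configuration-change events (Event ID 5007) that touched exclusions. Added example, not one of Andy Ful's tools; the regexes and the "suspicious" criteria are this example's own choices, and it assumes an elevated prompt on a machine with the Defender operational log enabled.

```powershell
# Added example (not one of the thread's tools). Run elevated; read-only, changes nothing.
function Get-SuspiciousDefenderExclusions {
    # Flags exclusions of the shape the quoted WMIC lines create. The patterns are this
    # example's own heuristics, not a Microsoft list.
    $pref = Get-MpPreference
    $findings = @()
    foreach ($p in @($pref.ExclusionPath)) {
        # A root, a bare backslash or a Temp folder excludes user-writable ground.
        if ($p -match '\\Temp(\\|$)|^[A-Z]:\\?$|^\\$') {
            $findings += [pscustomobject]@{ Kind = 'Path'; Value = $p; Why = 'broad or user-writable location' }
        }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        # Excluding .dll (as in the quoted sample) turns off scanning for every DLL on disk.
        if ($e -match '^\.?(dll|exe|scr|ps1|js|vbs)$') {
            $findings += [pscustomobject]@{ Kind = 'Extension'; Value = $e; Why = 'whole executable type excluded' }
        }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        # A process exclusion skips everything that process opens; for a generic loader
        # like rundll32.exe that covers any DLL it is told to run.
        if ($proc -match '(^|\\)(rundll32|regsvr32|mshta|wscript|cscript|powershell)\.exe$') {
            $findings += [pscustomobject]@{ Kind = 'Process'; Value = $proc; Why = 'generic loader excluded' }
        }
    }
    return $findings
}

function Get-RecentExclusionChanges {
    # Event 5007 = "antimalware platform configuration changed"; its message names the
    # registry value that changed, so exclusion edits show up under ...\Exclusions\...
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-RecentExclusionChanges | Format-List
```

An empty result from the first function does not prove the exclusions were never added, only that none are present now; the 5007 events are the record of what changed and when.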

silversurfer

Level 68
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
5,746
I believe in such cases it's already "game over", just said in general, user downloading any malicious installer from homepage XY, then installing this abused "software" with admin-rights... of course, AVs may be monitoring suspicious file behavior but it's probably too late to intercept all malicious activities...