Update ConfigureDefender utility for Windows 10

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,283
42,877
> Is there a possibility (in a future version perhaps) to highlight the set protection level?
> The same request could be made for Hard_Configurator.
> Is it on recommended, one of the profiles or custom settings?
Suppose that you applied the HIGH preset and the <HIGH> button was highlighted. Next, you had many blocks on one of the enabled ASR rules, and you had to disable it. Is it possible to see this from the highlighted <HIGH> button (protection level button)? The same problem will be when you enable an additional rule.
There are many possibilities of adding/removing some rules, so highlighting the Protection Level buttons is not the solution.:unsure:
The Protection Level buttons are only to apply the predefined settings (and save many clicks). They are not for getting information about the settings - the user has to look at what settings are applied.
That is why ConfigureDefender is for semi-advanced users.:)

Arequire

Level 27
Verified
Content Creator
Feb 10, 2017
1,654
7,045
> Suppose that you applied the HIGH preset and the <HIGH> button was highlighted. Next, you had many blocks on one of the enabled ASR rules and you have to disable it. Is it possible to see this from the highlighted button <HIGH> (protection level button)? The same problem will be when you enable an additional rule.
> There are many possibilities of adding/removing some rules, so highlighting the Protection Level buttons is not the solution.:unsure:
A potential solution could be to add a "Custom" button and highlight that if any rules are changed from the ones applied by the Default/High/Max protection levels.
The button could be non-interactable; just highlighted to indicate a custom configuration.

Andy Ful

> A potential solution could be to add a "Custom" button and highlight that if any rules are changed from the ones applied by the Default/High/Max protection levels.
> The button could be non-interactable; just highlighted to indicate a custom configuration.
OK. So, you would like to know if the settings have been tampered with. This can be done by showing an alert after running ConfigureDefender.

Edit.
If the application is supposed to be fully portable, then the alert can only inform the user that the current settings are DEFAULT, HIGH, MAX, or CUSTOM. The alert about tampering would require saving the configuration (not fully portable).

Arequire

> OK. So, you would like to know if the settings have been tampered with. This can be done by showing an alert after running ConfigureDefender.
>
> Edit.
> If the application is supposed to be fully portable, then the alert can only inform the user that the current settings are DEFAULT, HIGH, MAX, or CUSTOM. The alert about tampering would require saving the configuration (not fully portable).
I'll defer to @Gandalf_The_Grey as they were the one who asked about highlighting the current protection level.

What I think would be good is a list (maybe placed in the README or Help pdf?) of all the changes that the HIGH and MAX levels implement when moving from Defender's default settings.
I know you've already got a dialogue box that pops up when hovering over each protection level, but a list of the exact changes would be helpful.
Something along the lines of:
HIGH:
  • PUA Protection enabled
  • Cloud Protection Level set to Highest
  • Cloud Check Time Limit increased from 10 to 20 seconds
  • [List of ASR rules that're enabled]
  • Network Protection enabled
MAX:
  • PUA Protection enabled
  • Cloud Protection Level set to Block
  • Cloud Check Time Limit increased from 10 to 60 seconds
  • Explorer/Edge/Internet Explorer SmartScreen implementations changed from Warn to Block
  • All ASR rules enabled
  • Network Protection enabled
  • Controlled Folder Access enabled
  • Windows Security Centre hidden
I've probably messed up which settings are actually enabled in those protection levels but you get the point. 😅

Andy Ful

In the next version, the user will be able to see the settings enabled in DEFAULT, HIGH, and MAX Levels. I will also add some information about using ASR rules that are disabled in HIGH preset.


Andy Ful

I found some interesting additional info about the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria":

[screenshot of the Microsoft document omitted]

We can see this rule under the Polymorphic threats section. From this document, one can conclude that prevalence is related to 1000 machines and age to 24 hours. From my experience, most executable files blocked by this rule (application installers/updaters) are allowed after 48 hours.


Andy Ful

This info will be displayed after pressing the <INFO> button:

*************************
PROTECTION LEVELS **
*************************

### The below settings are the same for DEFAULT, HIGH, and MAX Protection Levels:

BASIC DEFENDER SETTINGS
- Behavior Monitoring = ON
- Block At First Sight = ON
- Cloud-delivered Protection = ON
- Automatic Sample Submission = Send
- Scan all downloaded files and attachments = ON
- Script Scanning = ON
- Average CPU load while scanning = 50%


### The DEFAULT Protection Level applies the other settings as follows:

BASIC DEFENDER SETTINGS
- PUA Protection = Disabled
- Cloud Protection Level = Default
- Cloud Check Time Limit = 10s

ADMIN: SMARTSCREEN
- For Explorer = User
- For Edge (not Chromium) = User
- For Internet Explorer = User

EXPLOIT GUARD ---> All settings set to Disabled

ADMIN: HIDE SECURITY CENTER = Visible


### The HIGH Protection Level applies the other settings as follows:

BASIC DEFENDER SETTINGS
- PUA Protection = ON
- Cloud Protection Level = Highest
- Cloud Check Time Limit = 20s

ADMIN: SMARTSCREEN
- For Explorer = User
- For Edge (not Chromium) = User
- For Internet Explorer = User

EXPLOIT GUARD ---> All settings set to ON, except the below:
- Block executable files from running unless they meet a prevalence, age, or trusted list criteria = Disabled
- Block credential stealing from the Windows local security = Disabled
- Block process creations originating from PSExec and WMI commands = Disabled
- Controlled Folder Access = Disabled

ADMIN: HIDE SECURITY CENTER = Visible


### The MAX Protection Level applies the other settings as follows:

BASIC DEFENDER SETTINGS
- PUA Protection = ON
- Cloud Protection Level = Block
- Cloud Check Time Limit = 60s

ADMIN: SMARTSCREEN
- For Explorer = Block
- For Edge (not Chromium) = Block
- For Internet Explorer = Block

EXPLOIT GUARD ---> All settings set to ON

ADMIN: HIDE SECURITY CENTER = Hidden


**************************
TAMPER PROTECTION **
**************************

The below settings cannot be disabled while Defender Tamper Protection is enabled:
- Behavior Monitoring = ON
- Scan all downloaded files and attachments = ON
- Script Scanning = ON


***********************************************
SOME NOTES ABOUT ASR RULES AND CFA **
***********************************************

## Block credential stealing from the Windows local security

This rule can make a lot of noise in the Defender Security Log. Most of the blocked events are usually false positives when the legal application tries to enumerate running processes and attempts to open them with exhaustive permissions. These applications can be excluded by using <Manage ASR Exclusions>.

## Block executable files from running unless they meet a prevalence, age, or trusted list criteria

This rule is strong prevention against Polymorphic malware (EXE, DLL, etc.), but one has to accept the higher rate of false positives for application installers/updaters. The prevalence is related to 1000 machines and age to 24 hours. The trusted list criteria are managed by Microsoft. The rule can recognize the executable as suspicious only when Defender can connect to the Microsoft cloud.
From my experience, most executable files blocked by this rule (application installers/updaters) are allowed after 48 hours. Anyway, some applications with a very low prevalence can be blocked for several days, and the users usually do not know how to unblock them.
Please note: It is useless to add exclusions for this rule. The proper procedure to unblock files is as follows:
  1. Set the rule temporarily to Audit.
  2. Run the installer/updater > install/update application > run the installed/updated application.
  3. Set the rule to ON - Defender is smart enough to allow running the application.

## Block process creations originating from PSExec and WMI commands

This rule is important because malware can try to bypass the parent-child checking by using WMI. So, other ASR rules based on checking child processes will fail. On some computers, WMI can be used by the computer firmware, so it is better to set this ASR rule initially to Audit.

## Controlled Folder Access

It can be very useful, but only after excluding the applications that need to access protected folders and applications that need to access the protected disk areas. The second group can include backup applications, disk management applications, and disk optimization programs. It is recommended to set this rule initially to Audit.


Post updated.
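The "CUSTOM vs. preset" check discussed earlier in the thread, written as an added example against the preset table above; this is not ConfigureDefender's own code. It reads the live Defender preferences with Get-MpPreference and reports which preset they match. The mappings from ConfigureDefender's labels to Get-MpPreference values (CloudBlockLevel 4/6, CloudExtendedTimeout 10/50, ASR action 1 = Block) are assumptions stated in the comments.

```powershell
# Added example, not ConfigureDefender's own code: report whether the live Defender
# preferences match the DEFAULT, HIGH or MAX preset listed in the INFO text, else CUSTOM.
# Assumed mappings (verify against your ConfigureDefender version):
#   Cloud Protection Level Highest/Block -> CloudBlockLevel 4/6
#   Cloud Check Time Limit 20 s/60 s     -> CloudExtendedTimeout 10/50 (seconds beyond the built-in 10)
#   Exploit Guard "ON"                   -> ASR action 1 (Block), Network Protection 1, CFA 1
# Run from an elevated PowerShell prompt.
$p = Get-MpPreference

# ASR rules the HIGH preset leaves Disabled (GUIDs from Microsoft's ASR rule reference).
$highOff = @('01443614-cd74-433a-b99e-2ecdc07bfc25',  # prevalence / age / trusted list
             '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',  # credential stealing from LSASS
             'd1e49aac-8f56-4280-b9ba-993a6d77406c')  # PSExec and WMI process creation

# Get-MpPreference returns rule ids and actions as two parallel arrays; zip them into a map.
$asr = @{}
$ids = @($p.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $asr[([string]$ids[$i]).ToLower()] = [int]$p.AttackSurfaceReductionRules_Actions[$i]
}
$allOff = @($asr.Values | Where-Object { $_ -ne 0 }).Count -eq 0
$allOn  = ($asr.Count -gt 0) -and @($asr.Values | Where-Object { $_ -ne 1 }).Count -eq 0
# HIGH: every rule outside $highOff is Block, and the three $highOff rules are absent or Disabled.
$highOk = ($asr.Count -gt 0) -and
          @($asr.GetEnumerator() | Where-Object {
              ($highOff -contains $_.Key -and $_.Value -ne 0) -or
              ($highOff -notcontains $_.Key -and $_.Value -ne 1) }).Count -eq 0

$state = @{ Pua  = [int]$p.PUAProtection;         Cloud = [int]$p.CloudBlockLevel
            Time = [int]$p.CloudExtendedTimeout;  Net   = [int]$p.EnableNetworkProtection
            Cfa  = [int]$p.EnableControlledFolderAccess }
$presets = [ordered]@{
    DEFAULT = @{ Pua = 0; Cloud = 0; Time = 0;  Net = 0; Cfa = 0; Asr = $allOff }
    HIGH    = @{ Pua = 1; Cloud = 4; Time = 10; Net = 1; Cfa = 0; Asr = $highOk }
    MAX     = @{ Pua = 1; Cloud = 6; Time = 50; Net = 1; Cfa = 1; Asr = $allOn  }
}

$level = 'CUSTOM'
foreach ($name in $presets.Keys) {
    $want  = $presets[$name]
    $match = $want.Asr
    foreach ($k in 'Pua', 'Cloud', 'Time', 'Net', 'Cfa') {
        if ($state[$k] -ne $want[$k]) { $match = $false }
    }
    if ($match) { $level = $name; break }
}
"Current protection level: $level"
```

SmartScreen and Hide Security Center are policy/registry values outside Get-MpPreference, so they are not compared; any rule state the presets do not describe (for example a rule in Audit) reports CUSTOM.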

Andy Ful

Yes. Microsoft updated ASR rules but did not add new rules. The update is related to the new mode = Warn.
Before this update, the ASR rules had 3 modes: Disabled, Enabled, Audit. I will add the Warn Mode to ConfigureDefender in a few months.:)

Warn mode for users

(NEW!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.

Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.

Requirements for warn mode to work

Warn mode is supported on devices running the following versions of Windows:

Microsoft Defender Antivirus must be running with real-time protection in Active mode.

In addition, make sure Microsoft Defender Antivirus and antimalware updates are installed.

  • Minimum platform release requirement: 4.18.2008.9
  • Minimum engine release requirement: 1.1.17400.5
For more information and to get your updates, see Update for Microsoft Defender antimalware platform.

Cases where warn mode is not supported

Warn mode is not supported for the following attack surface reduction rules:

In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.

Templarware

Level 6
Mar 13, 2021
269
913
Hey guys, I've done a Defender and Windows 10 hardening, not through this utility, but followed a guide. Not too hardcore, but I've noticed that I'm unable to run some online installers, like Opera GX's; I had to use the offline installer. What is more likely to be causing this?

Andy Ful

Look into the Protection history to identify what Defender feature is involved. For more detailed info you can also run ConfigureDefender (do not change any setting) and use <Defender Security Log> to identify the problem.

Templarware

> Look into the Protection history to identify what Defender feature is involved. For more detailed info you can also run ConfigureDefender (do not change any setting) and use <Defender Security Log> to identify the problem.
There's nothing in history. That's why I think this is something being denied by default.

Templarware

> Do you see any alerts?
No, nothing at all. Maybe it could be a problem with the installer, but seems unlikely.
Also, when installing my monitor's driver, I wasn't able to install the driver; it was still Generic PnP monitor. But then I noticed that the driver got installed to the computer, but not active for the device/monitor. I had to go to the "list of drivers present in the computer" and select it.
Both things are weird and seem related to Defender/Windows hardening blocking something.

Andy Ful

> No, nothing at all. Maybe it could be a problem with the installer, but seems unlikely.
> Also, when installing my monitor's driver, I wasn't able to install the driver; it was still Generic PnP monitor. But then I noticed that the driver got installed to the computer, but not active for the device/monitor. I had to go to the "list of drivers present in the computer" and select it.
> Both things are weird and seem related to Defender/Windows hardening blocking something.
Revert the hardening >> check if this helped >> apply the hardening gradually (y)
Try to identify what Id events are related to blocking by the applied hardening features. In this way, you will be able to identify the issues in the future by looking into the Windows Event Log.
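One way to do the event-ID check suggested above, as an added example that is not part of the original post or of ConfigureDefender: it queries the Defender operational log for the events the hardening features in this thread produce (ASR, Controlled Folder Access, Network Protection, PUA/malware detections) and prints the rule and file involved. The event IDs are the ones Microsoft documents for that log; the EventData field names ('ID', 'Path', 'Process Name') are assumed from the event XML.

```powershell
# Added example, not ConfigureDefender's own code: pull the Defender operational-log
# events produced by the hardening features discussed in this thread, so a silently
# blocked installer can be traced to the feature that blocked it.
# Event IDs are Microsoft's documented ones for this log; the EventData field names
# ('ID', 'Path', 'Process Name') are assumed from the event XML. Run elevated.
$idNames = @{
    1116 = 'Malware/PUA detected'
    1121 = 'ASR rule blocked'
    1122 = 'ASR rule audited'
    1123 = 'Controlled Folder Access blocked'
    1124 = 'Controlled Folder Access audited'
    1125 = 'Network Protection audited'
    1126 = 'Network Protection blocked'
}
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$idNames.Keys
    StartTime = (Get-Date).AddHours(-24)   # widen the window if the block happened earlier
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

foreach ($e in $events) {
    # Flatten the <EventData><Data Name=...> elements into a name -> value map.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in @($x.Event.EventData.Data)) { $data[$d.Name] = $d.'#text' }
    $target = if ($data['Path']) { $data['Path'] } else { $data['Process Name'] }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Event  = "$($e.Id) $($idNames[[int]$e.Id])"
        Rule   = $data['ID']          # ASR rule GUID; empty for non-ASR events
        Target = $target
    }
}
if ($events.Count -eq 0) { 'No matching Defender events in the selected window.' }
```

The Rule GUID can be matched against the ASR rule names in ConfigureDefender to see which rule fired; an installer that produces no event here while still failing points away from Defender, as the reply below also notes for SmartScreen.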

Templarware

> Revert the hardening >> check if this helped >> apply the hardening gradually (y)
> Try to identify what Id events are related to blocking by the applied hardening features. In this way, you will be able to identify the issues in the future by looking into the Windows Event Log.
I would have to try to run Opera's installer again. I was now able to install HWinfo without any problem.
I wouldn't be surprised if Microsoft could use Defender to block competition, like other browser installations, using security as an excuse.

Andy Ful

> I would have to try to run Opera's installer again. I was now able to install HWinfo without any problem.
> I wouldn't be surprised if Microsoft could use Defender to block competition, like other browser installations, using security as an excuse.
Such online installers are frequently blocked by Defender PUA protection. Sometimes Defender does not show an alert, so the user can be misguided. Anyway, the detection event should be noted in the Protection History. If not, then it is highly probable that Defender had nothing to do with this issue. The online installer could be blocked by web browser protection (like SmartScreen).

Templarware

> Such online installers are frequently blocked by Defender PUA protection. Sometimes Defender does not show an alert, so the user can be misguided. Anyway, the detection event should be noted in the Protection History. If not, then it is highly probable that Defender had nothing to do with this issue. The online installer could be blocked by web browser protection (like SmartScreen).
You think I didn't try running the installer outside the browser immediately after? 😛
It was probably MAPS, block at first sight, MpEngine... I think it's not being blocked, but maybe it's being suspended to be analyzed, but something doesn't work right and immediately gives the error "installer could not start".