Update ConfigureDefender utility for Windows 10

ErzCrz

Level 10
Verified
Aug 19, 2019
454
You think I didn't try running the installer outside the browser immediately after? :ROFLMAO:
If it's not MpEngine, then it's something from Windows 10, outside Defender.
Are you using WindowsSimpleHardening or Hard_Configurator along with CD? Try right clicking the icon and see if an Install By Smartscreen option is there, or run as administrator. There are lots of browser options out there and if you're using Microsoft Defender anyway, that's best accompanied with Chromium-Edge.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,159
You think I didn't try running the installer outside the browser immediately after? 😛
It was probably MAPS, block at first sight, MpEngine... I think it's not being blocked, but maybe it's being suspended to be analyzed, but something doesn't work right and immediately gives the error "installer could not launch".
Yes, this might happen when you have several executables in the folder. When you open the folder (first time after starting Windows session) these executables are checked by Defender. Some of them (not checked yet) can be suspended.
 

Templarware

Level 6
Mar 13, 2021
270
Are you using WindowsSimpleHardening or Hard_Configurator along with CD? Try right clicking the icon and see if an Install By Smartscreen option is there, or run as administrator. There are lots of browser options out there and if you're using Microsoft Defender anyway, that's best accompanied with Chromium-Edge.
None. I manually changed group policies, following a video, because I wanted to learn exactly what I was changing. I did this:
and this:

Running as administrator didn't work, I tried.
 

Templarware

Level 6
Mar 13, 2021
270
Yes, this might happen when you have several executables in the folder. When you open the folder (first time after starting Windows session) these executables are checked by Defender. Some of them (not checked yet) can be suspended.
There were no executables, only a few documents and video files.
 

SecureKongo

Level 22
Verified
Feb 25, 2017
1,153
Because I wanted to know what I was changing. I found it doesn't really explain what it is doing, group policies have better explanation, and there aren't many policies to change, it's a quick thing to do.
I can assure you that Simple Windows Hardening does its job perfectly fine, that's why so many people are using it here. Same with ConfigureDefender... And if you face any issues, you can revert the changes easily.

I also think that the information that is provided within the tool, is enough for people to understand what it's doing:
[three screenshots of the tool's option descriptions attached]
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,159
The more detailed info about SWH options is included in the manual:
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf

The comprehensive info about SRP and Registry changes related to hardening can be found in the H_C documentation:
https://github.com/AndyFul/Hard_Configurator/tree/master/Documentation

The info about Defender ASR rules can be found in articles (included on the ConfigureDefender GitHub webpage):
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,159
Thanks Andy (y)
How does the new warn option work?
Do you get a popup or something like that where you can decide if you allow or deny something or just info that a rule is triggered?
It works like most ASR rules. If it is set to Warn, then the driver is initially blocked and you can see the alert, that allows unblocking. The next time the driver will be allowed. One can also use ASR exclusions. The blocked driver can be submitted for analysis to Microsoft.

[two screenshots of the Warn alert attached]

 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,159
...
This rule will be set as follows:
DEFAULT -------------> Disabled
HIGH -------------------> Audit
INTERACTIVE -----> Warn
MAX -------------------> ON
I have overlooked that this rule does not block the drivers already installed on the system. So, maybe it will be better to set it to ON in the HIGH preset.:unsure:

DEFAULT -------------> Disabled
HIGH -------------------> ON
INTERACTIVE -----> Warn
MAX -------------------> ON
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,159
Microsoft disabled its own PowerShell cmdlets for managing ASR rules (Disabled, AuditMode) when Tamper Protection is enabled. When the user opens a PowerShell console and tries to set any ASR rule to Disabled or Audit Mode, then Defender blocks the cmdlet and logs the event as:
Trojan:Win32/MpTamperASRRule.PSA (for AuditMode attempt)
Trojan:Win32/MpTamperASRRule.PSD (for disabling attempt)

This does not affect the PowerShell cmdlets when the user wants to enable ASR rules.

For now, these changes do not affect the functionality of <DEFAULT>, <HIGH>, <INTERACTIVE>, <MAX> options in ConfigureDefender. They work as usual. Anyway, when the user wants to set a particular ASR rule manually to Disabled or Audit, Defender will block the attempt with an alert. It is still possible to do it when Tamper Protection is temporarily disabled.

I will try to negotiate with Microsoft to whitelist ConfigureDefender in Tamper Protection, but the chances for that are not great.:(
Furthermore, I think that Microsoft is doing the right thing, except labeling the action as Trojan.
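An added example, not from the thread or from ConfigureDefender, showing the cmdlet behaviour described in Andy Ful's last two posts: reading the current state of one ASR rule, switching it to Warn (the mode discussed earlier for the vulnerable-driver rule), handling the error you get when Tamper Protection blocks a Disabled/AuditMode request, adding a rule-only exclusion, and pulling recent ASR events from the Defender log. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus; the rule GUID is the one Microsoft's ASR rule reference lists for "Block abuse of exploited vulnerable signed drivers" (verify it against the documentation before relying on it), and the driver path in the exclusion line is a placeholder.

```powershell
# Added example: inspect and change one ASR rule with the Defender cmdlets.
# Requires an elevated session; Defender cmdlets refuse to change preferences otherwise.
#Requires -RunAsAdministrator

# GUID Microsoft documents for "Block abuse of exploited vulnerable signed drivers".
$VulnDriverRule = '56a863a9-875e-4185-98a7-b882c64b5ce5'

# Numeric action values as Get-MpPreference reports them.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # The two arrays are parallel: index i of Ids pairs with index i of Actions.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $name = $ActionNames[[int]$actions[$i]]
            if (-not $name) { $name = "Unknown($($actions[$i]))" }
            return $name
        }
    }
    return 'NotConfigured'
}

function Set-AsrRuleState {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action
    )
    try {
        # Add-MpPreference changes only this rule; Set-MpPreference would replace the whole list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                         -AttackSurfaceReductionRules_Actions $Action -ErrorAction Stop
        return $true
    } catch {
        # With Tamper Protection on, Disabled/AuditMode requests fail here and Defender
        # logs them as Trojan:Win32/MpTamperASRRule.PSD / .PSA. Enabled and Warn still work.
        Write-Warning "Could not set $RuleId to ${Action}: $($_.Exception.Message)"
        return $false
    }
}

'Before: {0}' -f (Get-AsrRuleState -RuleId $VulnDriverRule)
$changed = Set-AsrRuleState -RuleId $VulnDriverRule -Action Warn
'After:  {0} (change applied: {1})' -f (Get-AsrRuleState -RuleId $VulnDriverRule), $changed

# Rule-only exclusion for a driver you have verified is legitimate (placeholder path).
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Path\To\trusted-driver.sys'

# Recent ASR hits: event 1121 is logged when a rule blocks, 1122 when it fires in audit mode.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

To reproduce the behaviour in the post, run `Set-AsrRuleState -RuleId $VulnDriverRule -Action AuditMode` with Tamper Protection on: the call lands in the catch block and Windows Security shows the MpTamperASRRule detection. With Tamper Protection temporarily off, the same call succeeds and `Get-AsrRuleState` reports `Audit`.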
 