Problem solved. Microsoft simply removed these detections from PowerShell with the security intelligence update version 1.341.296.0.

> Problem solved. Microsoft simply removed these detections from PowerShell with the security intelligence update version 1.341.296.0.

Do you think completely removing the detection is a good decision, considering how often malware authors try to disable protection (or parts of it) or create exclusions?
You have to open a thread about your config. For example:

> Hi, just wanted to ask. I got a clean install done of Win10 Pro and I am running WD for a test run; I just didn't want to install a third-party AV. I use this computer 1-2 times a week, an older machine. Is WD enough with simplewall, or should I add something like WiseVector or VoodooShield? Thanks
> Do you think completely removing the detection is a good decision, considering how often malware authors try to disable protection (or parts of it) or create exclusions?

It is good for Administrators. A similar problem exists for other AVs in enterprises. Many of them have an option to enable external AV management, for example: Starting and stopping Kaspersky Endpoint Security (support.kaspersky.com)

> It is good for Administrators. A similar problem exists for other AVs in enterprises. Many of them have an option to enable external AV management, for example: Starting and stopping Kaspersky Endpoint Security (support.kaspersky.com)

I missed this reply. I agree with what you say. I have seen Microsoft adding, removing, and adding signatures again in the past for some not-so-dangerous samples. So I won't be surprised if Microsoft changes its decision again regarding this in the future.
For Home users, it would be better to block these changes when Tamper Protection is enabled.
In such a case, the ConfigureDefender could be run only when Tamper Protection has been disabled (no problem). Anyway, there are not many Home users who use ASR rules.
Blocked APP or process: svchost.exe
Blocked by: Reducing the attack surface
Rule: Block executable files unless they meet the criteria for frequency, age or trustworthiness
Affected items: C:\Program Files\AMD\CNext\CNext\cpumetricsserver.exe

Blocked APP or process: AUEPMaster.exe
Blocked by: Reducing the attack surface
Rule: Stealing credentials from the local Windows security subsystem (lsass.exe).
Affected items: C:\Windows\System32\lsass.exe

Blocked APP or process: atieclxx.exe
Blocked by: Reducing the attack surface
Rule: Stealing credentials from the local Windows security subsystem (lsass.exe).
Affected items: C:\Windows\System32\lsass.exe

Blocked APP or process: atiesrxx.exe
Blocked by: Reducing the attack surface
Rule: Stealing credentials from the local Windows security subsystem (lsass.exe).
Affected items: C:\Windows\System32\lsass.exe
> Hello, when is the new version coming out?

In a few weeks, I plan to push the beta version.
Enabling the attack surface reduction rule “Block abuse of exploited vulnerable signed drivers” in Microsoft Defender for Endpoint blocks the driver that DevilsTongue uses. Network protection blocks known SOURGUM domains.
As we shared in the Microsoft on the Issues blog, Microsoft and Citizen Lab have worked together to disable the malware being used by SOURGUM that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. To limit these attacks, Microsoft has created and built protections into our products against this unique malware, which we are calling DevilsTongue.
There are many good places. Another good place is sordum.org.
> On Windows 10 and up, create the following registry subkey:
> Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
> DWORD name: ThreatFileHashLogging
> DWORD value: 1

After this, restart the system, and from now on, when Defender's real-time protection detects something, a log entry containing the file's SHA-1 hash will be created in the system log.
> EventID 1120 is recorded in the System log. (Microsoft-Windows-Windows Defender/Operational)

I have created my own custom log to find it quickly.
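An added PowerShell example, not posted by anyone in this thread, that sets the ThreatFileHashLogging value described above and then pulls the hashes out of Event ID 1120 in the Defender Operational log. It assumes the hash appears in the event message as a plain hex string (40 characters for SHA-1, 64 for SHA-256), so it extracts any such token rather than relying on the exact message layout.

```powershell
# Added example: enable Defender threat-file hash logging and read the hashes back
# from Event ID 1120 in the Defender Operational log. Run in an elevated PowerShell.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'ThreatFileHashLogging' `
    -PropertyType DWord -Value 1 -Force | Out-Null
# A restart is needed before Defender starts writing the 1120 events (as noted in the thread).

function Get-DefenderThreatHashes {
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1120 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Assumption: the hash is present in the message as a 40- or 64-char hex token.
            $hashes = [regex]::Matches($evt.Message, '\b(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{40})\b') |
                ForEach-Object { $_.Value.ToLower() } | Select-Object -Unique
            foreach ($h in $hashes) {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Hash    = $h
                    Message = $evt.Message
                }
            }
        }
}

# List the logged hashes; each one can be looked up on VirusTotal without restoring
# the file from quarantine.
Get-DefenderThreatHashes | Format-Table Time, Hash -AutoSize
```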
> Hi Andy!
> I learned a couple of months ago that it's possible to make Microsoft Defender log the hash of files detected by its real-time protection. You may or may not know this already.

I will look at this. The hashes can be useful when inspecting several files. The con will be more events in the log. For a single file, I simply upload it to VirusTotal and look at the hash in the report.
> I will look at this. The hashes can be useful when inspecting several files. The con will be more events in the log. For a single file, I simply upload it to VirusTotal and look at the hash in the report.

Yeah, but the problem is, when you restore something from Defender's quarantine it automatically gets added to temporary exclusions, and there's no simple way to delete or even see that. I can only see those exclusions in the registry. As long as the file is not moved or deleted from that folder, the exclusions remain there. I don't like this behavior. So when the hash is logged, I can simply copy and paste it into VirusTotal without restoring it from the quarantine.
> Yeah, but the problem is, when you restore something from Defender's quarantine it automatically gets added to temporary exclusions, and there's no simple way to delete or even see that.

Good point. This also solves another problem. PUA, HackTool, and some other malware types are not logged (severe and high-ranked malware are usually logged). But PUA (and others) are not quarantined.