Update ConfigureDefender utility for Windows 10

blueblackwow65

Level 21
Verified
Dec 19, 2012
1,032
2,009
Hi, just wanted to ask: I got a clean install done of Win10 Pro and I am running WD for a test run; I just didn't want to install a third-party AV. I use this computer 1-2 times a week, an older machine. Is WD enough with simplewall, or should I add something like WiseVector or VoodooShield? Thanks
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
Hi, just wanted to ask: I got a clean install done of Win10 Pro and I am running WD for a test run; I just didn't want to install a third-party AV. I use this computer 1-2 times a week, an older machine. Is WD enough with simplewall, or should I add something like WiseVector or VoodooShield? Thanks
You have to open a thread about your config. Like for example:
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
Do you think completely removing the detection is a good decision considering how often malware author tries to disable protection (or parts of it) or create exclusions?
It is good for Administrators. A similar problem is for other AVs in Enterprises. Many of them have an option to enable external AV management, for example:

For Home users, it would be better to block these changes when Tamper Protection is enabled.
In such a case, the ConfigureDefender could be run only when Tamper Protection has been disabled (no problem). Anyway, there are not many Home users who use ASR rules.
 

SeriousHoax

Level 39
Verified
Mar 16, 2019
2,823
23,292
It is good for Administrators. A similar problem is for other AVs in Enterprises. Many of them have an option to enable external AV management, for example:

For Home users, it would be better to block these changes when Tamper Protection is enabled.
In such a case, the ConfigureDefender could be run only when Tamper Protection has been disabled (no problem). Anyway, there are not many Home users who use ASR rules.
I missed this reply. I agree with what you say. I have seen Microsoft adding, removing and adding signatures again in the past for some not so dangerous samples. So I won't be surprised if Microsoft changes their decision again regarding this in the future.
 

ForgottenSeer 85179

After the new AMD graphics driver update installation and a Windows reboot, I got this in Defender:
Blocked APP or process: svchost.exe
Blocked by: Reducing the attack surface
Rule: Block executable files unless they meet the criteria for
frequency, age or trustworthiness
Affected items: C:\Program Files\AMD\CNext\CNext\cpumetricsserver.exe
Blocked APP or process: AUEPMaster.exe
Blocked by: Reducing the attack surface
Rule: Stealing credentials from the local Windows
security subsystem (lsass.exe).
Affected items: C:\Windows\System32\lsass.exe
Blocked APP or process: atieclxx.exe
Blocked by: Reducing the attack surface
Rule: Stealing credentials from the local Windows
security subsystem (lsass.exe).
Affected items: C:\Windows\System32\lsass.exe
Blocked APP or process: atiesrxx.exe
Blocked by: Reducing the attack surface
Rule: Stealing credentials from the local Windows
security subsystem (lsass.exe).
Affected items: C:\Windows\System32\lsass.exe

Anything I should do? The installation was successful and I can open AMD center.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
The first will not be blocked after a few days. It can be related to CPU optimization or overclocking (I am not sure).
The second is AMD telemetry (not important):

The last two are the parts of ATI External Events Utility.
https://www.file.net/process/atieclxx.exe.html
https://www.file.net/process/atiesrxx.exe.html
It can have an impact on FreeSync.
"AMD External Events Utility service allows FreeSync to run for only borderless windowed games for new AMD drivers. Without this service FreeSync will work for fullscreen games."
https://www.reddit.com/r/Amd/comments/8bvcfo
The ASR LSASS rule does not prevent these executables from running, but only blocks their access to LSASS. I do not know if it can have an impact on FreeSync.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
Defender's ASR rules in action. As an example, I have chosen the spam campaign delivering banking trojans (IcedID and Qbot). The scenario of the attack is very common in the wild.

The malware delivery starts as usual via an email attachment or a link to a hacked website. In both cases, a ZIP archive with an Excel document is downloaded to disk. When the user opens the document and allows macros (Excel 4.0), the malware loader is downloaded and executed by Excel (directly or via a LOLBin); in both cases, a child process is created. So, the infection chain is stopped by the ASR rule "Block Office applications from creating child processes".
 
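As an added example (my own code, not ConfigureDefender's or Microsoft's), here is how the ASR rules named in this thread can be identified, switched between Block, Audit and Warn, and read back from the Defender operational log. It covers both the AMD driver blocks reported a few posts above and the Office child-process rule in this post: both kinds of block land in the same log as Event ID 1121 (1122 when a rule is in audit mode). The rule GUIDs are Microsoft's published identifiers for those rules; the EventData field names ('ID', 'Process Name', 'Path') and the ASR-only exclusion for cpumetricsserver.exe are assumptions to adapt to what your own log shows.

```powershell
# Added example, not ConfigureDefender code. Run in an elevated PowerShell on Windows 10/11
# with Microsoft Defender AV active. Rule GUIDs are Microsoft's published identifiers for
# the rules discussed in this thread.
$AsrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age, or trusted-list criteria'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}
# Numeric actions as stored by Set-MpPreference; Warn is what the INTERACTIVE preset uses.
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Set one rule's mode without touching the others (Add-MpPreference merges into the existing list).
function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Mode
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
}

# List the configured rules with readable names and modes.
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToLower()
        $name = '(rule not in table)'
        if ($AsrRules.ContainsKey($id)) { $name = $AsrRules[$id] }
        [pscustomobject]@{
            RuleId = $id
            Name   = $name
            Mode   = $ModeNames[[int]$actions[$i]]
        }
    }
}

# Read ASR events back: 1121 = blocked, 1122 = audit only. The EventData field names are an
# assumption taken from the event XML; inspect one event with .ToXml() if a column comes back empty.
function Get-AsrEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $rid  = ([string]$data['ID']).ToLower()
        $rule = $rid
        if ($AsrRules.ContainsKey($rid)) { $rule = $AsrRules[$rid] }
        $action = 'Audited'
        if ($_.Id -eq 1121) { $action = 'Blocked' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = $action
            Rule    = $rule
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
}

# Usage:
# Set-AsrRuleMode -RuleId 'd4f940ab-401b-4efc-aadc-ad5f3c50688a' -Mode Enabled   # Office child processes: block
# Set-AsrRuleMode -RuleId '01443614-cd74-433a-b99e-2ecdc07bfc25' -Mode Warn      # prevalence/age rule: warn first
# Get-AsrRuleState | Format-Table -AutoSize
# Get-AsrEvents | Format-Table Time, Action, Rule, Process, Target -AutoSize
# If a legitimate binary keeps tripping a rule (the AMD cpumetricsserver.exe case above), exempt it
# from ASR only; real-time scanning of the file stays on. Note the exclusion covers every ASR rule:
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\AMD\CNext\CNext\cpumetricsserver.exe'
```

The practical check before going from Warn or Audit to Block is simply to run Get-AsrEvents for a week and confirm that every 1122 row is something you would be happy to see blocked; the LSASS rule in particular only denies the handle to lsass.exe and does not stop the offending process from starting, which is why the AMD utilities above kept running.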

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
Defender's ASR rules in action.

Enabling the attack surface reduction rule “Block abuse of exploited vulnerable signed drivers” in Microsoft Defender for Endpoint blocks the driver that DevilsTongue uses. Network protection blocks known SOURGUM domains.

The ASR rule mentioned in the article is a new one (will be added to HIGH, INTERACTIVE, and MAX presets in the ConfigureDefender soon). Network Protection can be enabled via ConfigureDefender.

About the malware:

As we shared in the Microsoft on the Issues blog, Microsoft and Citizen Lab have worked together to disable the malware being used by SOURGUM that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. To limit these attacks, Microsoft has created and built protections into our products against this unique malware, which we are calling DevilsTongue.
 

SeriousHoax

Level 39
Verified
Mar 16, 2019
2,823
23,292
Hi Andy!
I learned a couple of months ago that it's possible to make Microsoft Defender log the hash of files detected by its real-time protection. You may or may not know this already.
On Windows 10 and up, create the following registry subkey:

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

DWORD name: ThreatFileHashLogging
DWORD value: 1
After this, restart the system, and from now on, when Defender's real-time protection detects something, a log entry containing the file's SHA-1 hash will be created in the system log.
EventID 1120 is recorded in the System log. (Microsoft-Windows-Windows Defender/Operational)
I have created my own custom log to find it quickly.

Now, can you make the next version of ConfigureDefender's log also show/log Event ID 1120 for those who have it enabled?
I'm someone who finds logging of hashes in any AV very useful, especially when it detects a false positive, so that I can verify it on sites like VirusTotal. Unfortunately, most AVs don't log hashes of detected threats. Some exceptions are ESET, Kaspersky, and maybe one or two others.
Anyway, I think many users will find this info helpful.
 
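As an added example (my own code, not ConfigureDefender's), here is the registry change from the post above scripted, plus a reader for the resulting Event ID 1120 entries that pulls the SHA-1 out so a detection can be looked up on VirusTotal by hash, without restoring the file from quarantine. The policy key and value name are the ones given in the post; the EventData field names 'Threat Name' and 'Path' are assumptions, which is why the hash itself is extracted by pattern from the rendered message rather than by field name.

```powershell
# Added example, not ConfigureDefender code. Run in an elevated PowerShell.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Create the policy value from the post above. Takes effect after a reboot, as the post says;
# from then on each real-time detection also writes an Event ID 1120 carrying the file's SHA-1.
function Enable-ThreatFileHashLogging {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'ThreatFileHashLogging' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $PolicyKey -Name 'ThreatFileHashLogging'
}

# Read the 1120 events back. The SHA-1 is taken from the rendered message with a 40-hex-digit
# pattern so the code does not depend on undocumented EventData field names.
function Get-DetectedFileHashes {
    param([int]$Days = 30)
    $filter = @{ LogName = $DefenderLog; Id = 1120; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $sha1 = [regex]::Match($_.Message, '\b[0-9a-fA-F]{40}\b').Value
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $lookup = ''
        if ($sha1) { $lookup = "https://www.virustotal.com/gui/file/$sha1" }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Threat = $data['Threat Name']   # assumption: field name as it appears in the event XML
            Path   = $data['Path']          # assumption, same
            Sha1   = $sha1
            Lookup = $lookup
        }
    }
}

# Usage:
# Enable-ThreatFileHashLogging          # then reboot
# Get-DetectedFileHashes | Format-Table Time, Threat, Path, Sha1 -AutoSize
# Get-DetectedFileHashes | ForEach-Object { Start-Process $_.Lookup }   # open the VT report by hash
```

Looking the file up by hash rather than uploading it is also the better habit when the detection might be a true positive: a VirusTotal upload shares the sample with every vendor, whereas a hash lookup only tells you whether the file is already known.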

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
Hi Andy!
I learned a couple of months ago that it's possible to make Microsoft Defender log hash of files detected by its real-time protection. You may not or may know this already.
I will look at this. The hashes can be useful when inspecting several files. The cons will be more events in the log. For a single file, I simply upload it to VirusTotal and look at the hash in the report.:unsure:
 

SeriousHoax

Level 39
Verified
Mar 16, 2019
2,823
23,292
I will look at this. The hashes can be useful when inspecting several files. The cons will be more events in the log. For a single file, I simply upload it to VirusTotal and look at the hash in the report.:unsure:
Yeah but the problem is, when you restore something from Defender's quarantine it automatically gets added into temporary exclusions and there's no simple way to delete or even see that. I can only see those exclusions in the registry. As long as the file is not moved or deleted from that folder the exclusions remain there. I don't like this behavior. So when the hash is logged I can simply copy and paste it in Virustotal without restoring it from the quarantine.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
Yeah but the problem is, when you restore something from Defender's quarantine it automatically gets added into temporary exclusions and there's no simple way to delete or even see that.
Good point. This also solves another problem. The PUA, HackTool, and some other malware types are not logged (severe and high-ranked malware are usually logged). But, PUA (and others) are not quarantined.
OK, I will think about it.(y)
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
Helping the people on other forums, I would like to recall that Defender with ConfigureDefender settings is already tested by professional AV Labs:
  1. MRG Effitas in 360 Degree Assessment & Certification tests (ConfigureDefender MAX settings)
  2. AV-Comparatives in Business Security tests (Cloud Protection Level set to High, no ASR rules, WDBP extension installed in Chrome).
In these tests, the AV business products (with ATP modules) are tested and most AVs have non-default (tweaked) settings. So, their protection is generally stronger as compared to the Home versions.

MRG Effitas tests are made specifically for Enterprises (they include a special Fileless Malware test). So, the strength of ASR rules is tested, too. I made the cumulative results for several tests, here:

AV-Comparatives settings in these tests are similar to ConfigureDefender HIGH settings but with disabled ASR rules (HIGH settings are stronger, especially in Enterprises). I made the cumulative results for several tests, here:

Edit1
Changed the link to the recent scorings of AV-Comparatives Business Security tests.

Edit2
Simple conclusion. In AV-Comparatives tests, the protection of Defender on HIGH settings is comparable to KIS on default settings. I think, that a similar comparison is probably true in the daily life of Home users.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,284
42,892
ConfigureDefender 3.0.1.0 beta 2

Download location ( x64 and x86):

Updated help:

The file is accepted by SmartScreen and has been whitelisted by Microsoft Defender and Avast. The submission to Norton and Bitdefender is not finished, yet.

The changelog (version 3.0.1.0 beta 2):
  1. Added some useful information to the Help and manual.
  2. Added "Send All" setting to Automatic Sample Submission.
  3. Updated ASR rules (1 new rule added).
  4. Added the Warn mode to ASR rules.
  5. Added INTERACTIVE Protection Level which uses ASR rules set to Warn.
  6. Added the <Info> button next to the Protection Levels buttons. It displays information about which settings are enabled in DEFAULT, HIGH, INTERACTIVE, and MAX Protection Levels.
  7. Redesigned slightly the layout of the Exploit Guard section.
  8. Added support for Windows 11.
  9. Added support for Id=1120 to Defender Security Log. If this event is logged by Windows Event Log, then it will be also included in ConfigureDefender.
  10. Added CFA setting BDMO = Block Disk Modifications Only - folders will not be protected, but some important disk sectors will be still protected (Id = 1127).
Be safe. :) (y)
 