Update ConfigureDefender utility for Windows 10

Andy Ful
@Andy Ful Can you clarify the warn mode for us?
Here's what I found in MS document.

What is meant by the word "content" in this case? Is it the particular blocked content or the whole ASR rule will be unblocked for 24 hours if I select allow.
Only the particular content will be unblocked.
More precisely, the < OK / Unblock > alert can prompt several times when running a single application. By pressing Unblock each time, the process is blocked but will be unblocked if you run the application again within the next 24 hours. This has no impact on the ASR rule - it will still block other suspicious actions/processes.
So, one alert is related to unblocking a particular piece of content, but several alerts (for one application) are related to unblocking all of the blocked content (for this application).

Andy Ful
md @ max + hc all @ max + hc firewall @ max
perfect
Requires an advanced user to manage the whitelisting, adjust exclusions, perform software updates, etc. Some knowledge to read and understand the logs available in H_C is also required. This setup will not be convenient for most users, mostly because of the manual software updates (protection temporarily switched OFF). Many software auto-updates will be silently blocked in this setup, so the user should periodically look into the H_C logs (including the FirewallHardening log).

SeriousHoax
Only the particular content will be unblocked.
More precisely, the < OK / Unblock > alert can prompt several times when running a single application. By pressing Unblock each time, the process is blocked but will be unblocked if you run the application again within the next 24 hours. This has no impact on the ASR rule - it will still block other suspicious actions/processes.
So, one alert is related to unblocking a particular piece of content, but several alerts (for one application) are related to unblocking all of the blocked content (for this application).
This is great. I'll try the interactive/warn mode then.

Andy Ful
block happen 1 per 6 month
view log
turn off
make policy change
turn on
so easy for child
Ha, ha. Try to convince someone other than yourself. :)

People hear:
incidents happen 1 per 6 months
inspect how you feel
rest a little if needed
change the path if required
continue the way to Mount Everest
it is so easy for the Sherpa 😇

SeriousHoax
@Andy Ful So I set Defender in Interactive mode yesterday and just now I noticed these in the log.
[Attachments: 1.PNG, 2.PNG]
I was not aware of this as I saw no notification when this happened. Is this normal for Warn mode?

I also found another one after updating Ventoy on my flash drive. This behavior is expected, as it is designed to do that. It only says "detected suspicious behavior"; it doesn't say whether it was blocked or not. I don't think it was blocked, but I'm curious what you know about these types of logs.
[Attachment: 3.PNG]

Andy Ful
@Andy Ful So I set Defender in Interactive mode yesterday and just now I noticed these in the log.
[Attachments: 259995, 259996]
I was not aware of this as I saw no notification when this happened. Is this normal for Warn mode?

The ASR LSASS rule can usually block something without any alert (even when set to ON). This is probably because the process itself is not blocked, only the LSASS query. I think that if the whole process were blocked by this rule, then the alert should be shown.

I also found another one after updating Ventoy on my flash drive. This behavior is expected, as it is designed to do that. It only says "detected suspicious behavior"; it doesn't say whether it was blocked or not. I don't think it was blocked, but I'm curious what you know about these types of logs.
[Attachment: 259998]
That is a normal post-execution behavior-based detection. The process should be blocked after doing some non-suspicious actions when trying to do the suspicious action.

SeriousHoax
The ASR LSASS rule can usually block something without any alert (even when set to ON). This is probably because the process itself is not blocked, only the LSASS query. I think that if the whole process were blocked by this rule, then the alert should be shown.

That is a normal post-execution behavior-based detection. The process should be blocked after doing some non-suspicious actions when trying to do the suspicious action.
Okay, got it.

Digmor Crusher
Hi Andy, a buddy on another forum is trying to run CD; the SmartScreen warning popped up, he clicked "Run anyway", and then this popped up. Any ideas as to why? Thanks.

[Attachment: 2021-08-03 15_28_53-ESET Renewal Pending - Do I really need to sign on for this again_ - Page ...png]

Andy Ful
Hi Andy, a buddy on another forum is trying to run CD; the SmartScreen warning popped up, he clicked "Run anyway", and then this popped up. Any ideas as to why? Thanks.
Something is wrong with the executable.

The official ConfigureDefender executables are accepted by SmartScreen and are digitally signed. Files that trigger SmartScreen with an unknown publisher should not be run. It is probable that the downloaded executable was corrupted. Here are the links to official executables from GitHub:

I checked all of them and after download, they run without SmartScreen alert. I suspect that the AV could detect the corrupted file as suspicious or malicious.

Moonhorse
So I set Defender in Interactive mode yesterday and just now I noticed these in the log.
[Attachments: 1.PNG, 2.PNG]
I was not aware of this as I saw no notification when this happened. Is this normal for Warn mode?
Noticed this now too: 3 threats showing up, AdGuard is one of them, as expected.

I just reverted from max > high to avoid it.

oldschool
lsass block ignore it nothing broke windows itself block lsass access
do not revert securatay cause you do not want to see block events
:ROFLMAO:
The ASR LSASS rule can usually block something without any alert (even when set to ON). This is probably because the process itself is not blocked, only the LSASS query. I think that if the whole process were blocked by this rule, then the alert should be shown.
This is what you're referring to? Yes?

Andy Ful
...
basic windows internals that no process need access lsass memory yet no concern when home pc not part of domain nor active directory
...
You are right. This also logically suggests that the ASR LSASS rule can be disabled in the Home environment. :)
It can create a lot of unnecessary entries in the log. Of course, if one uses applications that do this rarely, then this ASR rule can be enabled as well.
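An added example, not from this thread or the ConfigureDefender project, showing how to read and change the action of the LSASS ASR rule with the built-in Defender cmdlets and list the block/audit events it has written, which is the point discussed in the posts above. It assumes an elevated PowerShell prompt on Windows 10 with Microsoft Defender active; the rule GUID and event IDs are Microsoft's documented values, everything else is an assumption made for the example.

```powershell
# Added example (not the thread's or ConfigureDefender's own code).
# Assumes: elevated PowerShell, Microsoft Defender enabled.
# GUID documented by Microsoft for "Block credential stealing from LSASS".
$LsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Current action of every configured ASR rule (0=Disabled, 1=Block, 2=Audit, 6=Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                          $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Set the LSASS rule to Warn: the user gets the OK/Unblock prompt and an Unblock
# lasts 24 hours for that content only, as explained earlier in the thread.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule `
                 -AttackSurfaceReductionRules_Actions Warn

# Alternative discussed above for a non-domain Home PC: switch off only this rule.
# Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule `
#                  -AttackSurfaceReductionRules_Actions Disabled

# ASR hits are written to the Defender operational log: 1121 = blocked, 1122 = audited.
# Reviewing them here avoids depending on the Protection History UI.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match $LsassRule } |   # keep only LSASS-rule events
  ForEach-Object {
      [pscustomobject]@{
          Time   = $_.TimeCreated
          Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
          Detail = ($_.Message -split "`r?`n")[0]   # first line of the event text
      }
  } | Format-Table -AutoSize
```

Get-WinEvent returns nothing (not an error) when the rule has never fired, so an empty table simply means no process has touched LSASS since the rule was enabled.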

SeriousHoax
One more problem is that these ASR rule logs can't be deleted at all from Windows Security's "Protection History". Microsoft hasn't provided any way to delete any Protection History log. There are tricks available to remove malware-related entries, but they don't work for ASR rules. Now my Protection History is filled with those. A very childish design from Microsoft. I'm so annoyed that I can't explain it in words. I even switched to a third-party AV out of annoyance (temporarily at least).
Anyway, it's Microsoft's fault. ConfigureDefender is awesome as always.

SeriousHoax
why? just logs windows full of logs
:ROFLMAO:

os and ocd is bad mix

might this work but obsession of logs is problem

Clear Protection History in Windows Defender on Windows 10
I'm not talking about those logs; I'm talking about the logs in Windows Security's Protection History. There should be options in the UI to delete those, but there aren't any. I don't want to open Protection History and be greeted with old, unnecessary ASR rule blocking logs.
I don't know if the solution you showed works to remove ASR rule-related entries. Maybe Andy or someone else can try it and share the info.