Update ConfigureDefender utility for Windows 10

SeriousHoax

Level 38
Verified
Mar 16, 2019
2,753
No, I am afraid.
This tweak can be recognized as very suspicious by Defender and then ConfigureDefender (and Hard_Configurator) will be flagged as malicious. In such a case, the SmartScreen reputation of my applications would be destroyed.:(
I will rather try to inform Microsoft about this design bug in Defender's History.
Oh, I see. Okay then. Yeah, Microsoft should do something about this. I thought they were going to change some things in Windows 11 but it's still the same.
 

Back3

Level 9
Apr 14, 2019
419
Configure Defender is in Interactive mode. I made an update to Garmin Express, and it was blocked. Configure Defender option: Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
I got an option to unblock. I did that. The notification appeared again. On the third time, I was able to unblock and install the update.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,172
Configure Defender is in Interactive mode. I made an update to Garmin Express, and it was blocked. Configure Defender option: Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
I got an option to unblock. I did that. The notification appeared again. On the third time, I was able to unblock and install the update.
That is normal. The blocks are also applied to parent processes (like Explorer).
 

dna7899

New Member
Aug 14, 2021
3
Has anyone noticed that Controlled Folder Access seems to be really inconsistent? I've been using it for over a week now and noticed some peculiarities.

For example, I've been editing .bat scripts with notepad.exe in a protected folder (notepad.exe not added in the exceptions) and I was able to save everything without issues. This evening I've been again editing the same scripts but could no longer save as Controlled Folder Access blocked notepad.exe from making any changes. Had to add it to the exceptions. I can't figure out why this happens. Anyone noticed something similar?

Of course this is not an issue with Configure Defender, so apologies if I shouldn't have posted here. Thought I'd ask as you guys have more experience with Defender.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,172
The detailed features of CFA are not well tested. CFA does not work in a common way. For example, I can see on my computer:
  1. If Notepad is executed from Explorer (as a child process of explorer.exe) then it is allowed by CFA.
  2. If Notepad is executed by Total Commander (running as a child process of Explorer) then it is allowed by CFA.
  3. If Notepad is executed from CMD (child process of cmd.exe) then modifications made by Notepad in protected folders are blocked.
  4. If Notepad was executed as a child process of Atlantis (document editor) then changes were initially blocked. But, changes have been allowed next time (not blocked now anymore). I could repeat this behavior also for Notepad++ as a parent process of Notepad.
From the CFA description, the applications that are recognized by Microsoft as benign will be allowed by CFA.
 

VecchioScarpone

Level 5
Aug 19, 2017
221
When, a long time ago, I tried to apply Defender's protected folder feature, I was inundated by prompts any time I deleted a file in a protected folder, etc.
Since I installed Configure Defender I did a bit of clean up work on several protected folders. No prompts.
Great. (y)
But I am wondering (dumb question coming): how do I know that CD is on? I cannot find it in Task Manager. Where should I look?
 

VecchioScarpone

Level 5
Aug 19, 2017
221
@wat0114 Thanks.
So on clicking the taskbar CD icon, it pops up and shows it is configured as per the screenshot. The circled settings are the way MD is set up on my machine.
CD configuration.png
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,172
@wat0114 Thanks.
So on clicking the taskbar CD icon, it pops up and shows it is configured as per the screenshot. The circled settings are the way MD is set up on my machine.
View attachment 260141
You probably noticed that these are only basic settings. The advanced settings are visible after moving the scroll bar on the right side of the GUI.:)
 

SeriousHoax

Level 38
Verified
Mar 16, 2019
2,753
If one wants to clear the Defender History or solve the problem with crashing Defender History there is a simple solution.
  1. Download the AdvancedRun:
    for Windows 32-bit: https://www.nirsoft.net/utils/advancedrun.zip
    for Windows 64-bit: https://www.nirsoft.net/utils/advancedrun-x64.zip
  2. Run AdvancedRun.exe once and close it - the file AdvancedRun.cfg will be created
  3. Edit the config file AdvancedRun.cfg as it is shown below
  4. Run AdvancedRun.exe to clear the Defender History
After running AdvancedRun it will automatically apply the settings and command lines from the AdvancedRun.cfg and the Defender History will be cleared.

The modified content of AdvancedRun.cfg is as follows:

Code:
...
EXEFilename=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine=net stop windefend; $path = 'c:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db'; if (Test-Path -Path $path) {Remove-Item $path}; $path = 'c:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory'; if (Test-Path -Path $path) {Remove-Item $path -Recurse}; net start windefend
AutoRun=1
...
RunAs=8
...

PowerShell is executed with the CommandLine.
AutoRun=1 means that AdvancedRun does not show the application window and automatically applies the AdvancedRun.cfg.
RunAs=8 means that the process will be run with TrustedInstaller privileges.

The CommandLine simply stops the Windefend service, checks whether the file/folder exists and deletes it, then starts the Windefend service again.

Post edited.
Hi @Andy Ful! Looks like MS has patched this method. Now it's not possible to do this anymore without first disabling the Tamper Protection. The command to stop the Windows Defender service is blocked.
1630291121380.png
The detection itself has been created on July 14 but it was probably updated sometime later after you posted it here.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,172
Hi @Andy Ful! Looks like MS has patched this method. Now it's not possible to do this anymore without first disabling the Tamper Protection. The command to stop the Windows Defender service is blocked.
View attachment 260344
The detection itself has been created on July 14 but it was probably updated sometime later after you posted it here.
Thanks. I updated my post. It is good that Defender's behavior-based post-execution modules stopped this method. It would be even better if Microsoft would like to patch this Protection History issue.:)
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,172
Hi @Andy Ful
I'm getting this notification during my work which is very annoying. I'm kinda sure this is just a false positive but who knows :D

View attachment 260348
It probably uses a kind of server authentication and that can trigger the LSASS ASR rule.
You can ask the developer about this issue. I am not sure if this application is safe or not.
This ASR rule can trigger many false positives. It is disabled in HIGH settings.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,172
The "Warn" feature doesn't work as I expected.
Did you restart Windows?
You should see the alert with two choices:

1630620118713.png


Choose Unblock, and after running the file for a second time, it will be allowed. After 24 hours Defender can block it again - this can depend on its prevalence. Most of the blocked applications are allowed by Microsoft after two days.
It is better to avoid using ASR exclusions (whitelisting) because these exclusions are not for a selected rule but for all rules (except 3 rules that do not allow exclusions).
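An added example, not code from this thread, from ConfigureDefender or from Microsoft: a PowerShell script that audits the effective ASR and Controlled Folder Access configuration and summarises the matching Defender events, so that the questions raised above (which ASR rule fired on which process, whether an exclusion is global, which process CFA blocked) can be answered from the machine's own data. It assumes Windows 10/11 with Microsoft Defender Antivirus, its PowerShell module (Get-MpPreference, Get-MpComputerStatus) and an elevated session. The two rule GUIDs and the action codes (0 disabled, 1 block, 2 audit, 6 warn) are Microsoft's documented values; the event IDs 1121/1122 (ASR block/audit) and 1123/1124 (CFA block/audit) are the documented IDs in the Defender operational log. The function names and the friendly-name table are this example's own.

```powershell
# Added example (not part of the thread or ConfigureDefender).
# Assumes Windows 10/11, Microsoft Defender Antivirus, its PowerShell module,
# and an elevated PowerShell session.

# ASR action codes as stored by Set-MpPreference; 6 is the "Warn" mode discussed above.
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Friendly names for the two rules mentioned in the thread (documented rule GUIDs);
# any other configured rule is listed by GUID only.
$asrRuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence/age/trusted-list criteria are met'
}

function Get-AsrRuleName([string]$Id) {
    $key = $Id.ToLowerInvariant()
    if ($asrRuleNames.ContainsKey($key)) { $asrRuleNames[$key] } else { $Id }
}

function Show-AsrConfiguration {
    $pref = Get-MpPreference

    Write-Host '== Configured ASR rules =='
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code  = [int]$actions[$i]
        $label = if ($asrActionNames.ContainsKey($code)) { $asrActionNames[$code] } else { "Action $code" }
        '{0,-9} {1}' -f $label, (Get-AsrRuleName $ids[$i])
    }

    # ASR exclusions are one global list: an entry added to silence a single rule's
    # false positive is honoured by every rule that supports exclusions.
    Write-Host "`n== ASR exclusions (apply to all rules that support them) =="
    @($pref.AttackSurfaceReductionOnlyExclusions) | ForEach-Object { "  $_" }

    Write-Host "`n== Controlled Folder Access =="
    'State code: {0}  (0 = off, 1 = block, 2 = audit; other codes = disk-only modes)' -f $pref.EnableControlledFolderAccess
    'Allowed apps:'
    @($pref.ControlledFolderAccessAllowedApplications) | ForEach-Object { "  $_" }

    Write-Host "`n== Tamper Protection =="
    'IsTamperProtected: {0}' -f (Get-MpComputerStatus).IsTamperProtected
}

function Get-DefenderBlockEvents {
    param([int]$Hours = 24)
    $kinds = @{ 1121 = 'ASR block'; 1122 = 'ASR audit'; 1123 = 'CFA block'; 1124 = 'CFA audit' }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($kinds.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        # EventData fields are named ('ID', 'Process Name', 'Path', ...); read them by
        # name from the event XML instead of relying on positional indices.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Kind    = $kinds[$evt.Id]
            Rule    = if ($data['ID']) { Get-AsrRuleName $data['ID'] } else { '-' }   # CFA events carry no rule ID
            Process = $data['Process Name']
            Path    = $data['Path']
        }
    }
}

Show-AsrConfiguration
Write-Host "`n== ASR / CFA events in the last 24 h, grouped by kind, rule and process =="
Get-DefenderBlockEvents -Hours 24 |
    Group-Object Kind, Rule, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The grouped output makes the thread's two points visible: an ASR "Warn"/Unblock decision shows up as repeated 1121 events for the same rule and process rather than as an exclusion, and the exclusion list printed by Show-AsrConfiguration is the one global list that every rule honours, which is why a per-rule whitelist is not available. For the Controlled Folder Access observations, the 1123 events record the blocked process and the protected path but not the parent process, so the launch context (Explorer, cmd.exe, another editor) has to be noted by hand when reproducing the behaviour.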
 