Updates ConfigureDefender utility for Windows 10

oldschool

The new ConfigureDefender ver. 1.0.1.0 is available for testing:
Added ASR mitigations introduced in Windows ver. 1803 (they should work also on updated ver. 1709).
In the "Child Protection", all ASR mitigations are enabled, with some folder exclusions:
Windows, Program Files ..., ProgramData\Microsoft\Windows Defender.

I noticed that mitigation: "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" is more restrictive than Defender 'Cloud Protection Level' set to Block. Furthermore, most executables blocked by this mitigation (but not all) can be run after one day.

The mitigation "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" can block some schtasks.exe processes and also processes started by Windows Defender in the folder: ProgramData\Microsoft\Windows Defender.

Post edited.
The Lsass rule does not support exclusions.


Do you advise downloading this to replace current version - IF NOT testing?
 

Andy Ful

The new ConfigureDefender ver. 1.0.1.1 is available:
for Windows 64-bit: AndyFul/ConfigureDefender
for Windows 32-bit: AndyFul/ConfigureDefender

1. Corrected a minor bug related to unnecessary folder exclusion for the ASR mitigation that does not support exclusions.
2. In <Defender high settings> the ASR mitigation 'Use advanced protection against ransomware' is set to ON, and 'Controlled Folder Access' is set to Audit.

<Defender high settings> can be adopted by most users.
<Child Protection> is very restrictive due to Controlled Folder Access, hiding the Defender Security Center, and two new mitigations:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
The new version was sent to Microsoft and is whitelisted by Defender. It is not whitelisted by SmartScreen, yet. This will take some time.
Be safe.:)
 

Reldel1

Congrats on the official release. Had been running 1.0.1.0 on two 1803 installs without any issues or events showing in event viewer. Already changed both boxes to new 1.0.1.1 this morning. Using both ConfigureDefender and Hard Configurator has saved much time maintaining Pro versions that I used to configure SRP on myself. Greatly appreciated, Andy.
 

Andy Ful

Thanks. I will push the new version (4.0.0.0) of Hard_Configurator soon with integrated ConfigureDefender. In Hard_Configurator the user can use NirSoft FullEventLogView with the predefined config file to see Windows Defender alerts. I am waiting for Hard_Configurator to be whitelisted by Avast.
 

Gandalf_The_Grey

Thanks for the update and this great piece of software (y)
What does "Audit" mean?
Do you get a popup?
 

Andy Ful

'Audit' means that the file will not be blocked (no visible alert), but the info about the possible block (if the setting was Enabled) is written to the Windows Event Log. It helps to find out how safe enabling the setting will be and what the user can expect after enabling it.
Import custom views to see Windows Defender Exploit Guard events
It is convenient to prepare a custom view only for Windows Defender. One can also use the NirSoft tool FullEventLogView with the custom config. See the config file in the attachment (change the file extension .txt --> .cfg).
 

Attachments

  • FullEventLogView.txt
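
Audit mode as described in the post above, shown with Defender's own PowerShell cmdlets; this is an added example, not part of the original thread or of ConfigureDefender. It assumes an elevated PowerShell 5.1 session on Windows 10 1709 or later; the rule GUIDs and event IDs are Microsoft's documented values, and the event data field names ('ID', 'Path', 'Process Name') are assumed from the event layout.

```powershell
# Added example (not ConfigureDefender code). Run elevated.
# Microsoft's documented GUIDs for three ASR rules named in this thread.
$rules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Executable prevalence, age, or trusted list'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Credential stealing from lsass.exe'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced protection against ransomware'
}

# Audit mode: nothing is blocked, but every would-be block is logged.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 1121/1122 = ASR block/audit, 1123/1124 = Controlled Folder Access block/audit.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> elements of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $ruleId = $data['ID']   # assumed field name; absent on CFA events
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -in 1122, 1124) { 'Audit' } else { 'Block' }
            Rule    = if ($ruleId -and $rules.ContainsKey($ruleId)) { $rules[$ruleId] }
                      elseif ($ruleId) { $ruleId }
                      else { 'Controlled Folder Access' }
            Path    = $data['Path']
            Process = $data['Process Name']
        }
    }

# Which rule would have blocked what: review this before switching Audit to Block.
$events | Sort-Object Rule, Path | Format-Table Time, Mode, Rule, Path, Process -AutoSize
$events | Group-Object Rule, Mode | Select-Object Count, Name
```

Paths that recur under Mode 'Audit' are the ones that would break once the rule is enabled, and are the candidates for exclusions on the rules that support them.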


Yellowing

This is a very nice application! Good work! :)

Could you please keep the initial post up to date? I was wondering for a while if you switched to a different platform because the link threw 404.
I thought because Microsoft bought it or something. :D

Thanks!
 