Update ConfigureDefender utility for Windows 10

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,166
Although I have a Windows Pro, I prefer to use Hard_Configurator (and Configure Defender) over group policy settings.

@Andy Ful, a question: could you also add the update (interval) values to the settings that get increased? Except for "disable update while using battery", all the other values could be cranked up automatically when people choose the HIGH or MAX setting in ConfigureDefender.

I use ConfigureDefender and add the registry values below manually (link to explanation: Signature Updates | Windows security encyclopedia)
_________________________________
Windows Registry Editor Version 5.00

; Policy values for Defender signature updates; lines starting with ";" are comments
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
; Days after which antispyware / antivirus definitions count as out of date
"ASSignatureDue"=dword:00000001
"AVSignatureDue"=dword:00000001
; 0 = scheduled definition updates are allowed while on battery power
"DisableScheduledSignatureUpdateOnBattery"=dword:00000000
; 0 = a definition check may run right after the service starts
"DisableUpdateOnStartupWithoutEngine"=dword:00000000
; 1 = accept real-time definition deliveries based on MAPS (cloud) reports
"RealtimeSignatureDelivery"=dword:00000001
; 0 = scheduled update day: every day
"ScheduleDay"=dword:00000000
; 1 = check for the latest definitions at startup
"UpdateOnStartUp"=dword:00000001
; Hours between definition update checks (1 = hourly)
"SignatureUpdateInterval"=dword:00000001
Hi, @Kees1958.
It is good to see you back here again. :)

For the reasons mentioned below, I skipped the settings related to local signatures. I am convinced (for now) that adding such settings would produce more trouble than gain (for most users).

Some AVs rely on local signatures and require frequent signature updates (like secondary AV scanners). When the computer is connected to the Internet, Microsoft Defender relies on signatures in the cloud and does not require frequent updates. Local scanning can still be useful for deleting some inactive malware leftovers.
Frequent signature updates can cause performance issues, especially on Windows startup, or when the user is running many tasks, or when gaming, etc.

The additional protection caused by frequent signature updates in Defender is close to 0, except when the Internet connection is broken or disabled.

So, the problem can occur when the computer is disconnected from the Internet. Some users can open unsafe files and run unsafe applications from flash drives (USB drives). It is worth mentioning that in such cases the Defender's signatures are relatively poor even with frequent updates. So, another protection layer is required (like for example H_C or manual scanning with another AV engine).

Anyway, I am open to the discussion. Maybe I have missed something important. :)(y)
 
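For anyone who wants to check what the signature-update policy above actually does on their own machine, here is an added audit script (my example, not code from the thread, from ConfigureDefender or from Hard_Configurator). It reads the policy key from the .reg file, the effective Defender preferences, and the age of the local signatures, which is the only thing that matters in the offline scenario discussed here. It assumes the built-in Defender PowerShell cmdlets (Get-MpPreference, Get-MpComputerStatus, Set-MpPreference) are available; the -Apply switch and the parameter defaults are my own choices.

```powershell
# Added example (not from the thread, ConfigureDefender or Hard_Configurator):
# audit the Defender signature-update settings and report signature staleness.
# Read-only unless -Apply is given. Assumes Windows 10/11 with the Defender
# PowerShell module present.
param(
    [switch]$Apply,                 # assumption: write the settings; default is audit only
    [int]$IntervalHours = 1,        # assumption: SignatureUpdateInterval to apply (1 = hourly)
    [int]$MaxSignatureAgeHours = 24 # assumption: warn if local signatures are older than this
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'

# 1. What does the policy key (the one the .reg file writes) currently contain?
Write-Host "== Policy key: $policyKey"
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey |
        Select-Object ASSignatureDue, AVSignatureDue, DisableScheduledSignatureUpdateOnBattery,
                      DisableUpdateOnStartupWithoutEngine, RealtimeSignatureDelivery,
                      ScheduleDay, UpdateOnStartUp, SignatureUpdateInterval |
        Format-List
} else {
    Write-Host "(key not present: no signature-update policy is configured)"
}

# 2. What does Defender itself report as the effective preferences?
$pref = Get-MpPreference
$effective = [ordered]@{
    SignatureUpdateInterval                      = $pref.SignatureUpdateInterval   # hours between checks
    SignatureScheduleDay                         = $pref.SignatureScheduleDay      # 0 = every day, 8 = never
    SignatureDisableUpdateOnStartupWithoutEngine = $pref.SignatureDisableUpdateOnStartupWithoutEngine
    CheckForSignaturesBeforeRunningScan          = $pref.CheckForSignaturesBeforeRunningScan
    MAPSReporting                                = $pref.MAPSReporting             # 0 = cloud protection off
}
Write-Host "`n== Effective preferences"
$effective.GetEnumerator() | ForEach-Object { "{0,-45} {1}" -f $_.Key, $_.Value }

# 3. Signature age: frequent updates only pay off when the machine goes offline,
#    so flag local signatures that are older than the threshold.
$status = Get-MpComputerStatus
$age = (Get-Date) - $status.AntivirusSignatureLastUpdated
Write-Host ("`n== Signatures: version {0}, last updated {1:u} ({2:N1} h ago)" -f
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $age.TotalHours)
if ($age.TotalHours -gt $MaxSignatureAgeHours) {
    Write-Warning "Local signatures are older than $MaxSignatureAgeHours h; run Update-MpSignature before using this machine offline."
}

# 4. Optionally apply the hourly interval. Set-MpPreference writes the local
#    preference, not the policy key, so a configured policy still takes precedence.
if ($Apply) {
    Set-MpPreference -SignatureUpdateInterval $IntervalHours -SignatureScheduleDay 0
    Write-Host "Applied SignatureUpdateInterval=$IntervalHours and SignatureScheduleDay=0 (every day)."
}
```

Run it as administrator without switches to see the current state; the signature-age warning is the useful part for the USB-drive case, since it tells you whether the local definitions are stale before the machine is disconnected.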

Andy Ful

Maybe it would be sensible to add the <Advanced settings> button to ConfigureDefender. There are probably more settings that can be important for some users in some situations.:unsure:
But this is something to consider for future versions.
 

Kees1958

Level 2
Verified
Sep 5, 2021
85
Hi @Andy Ful, thanks.

It has been some time since I talked to a Microsoft engineer (link), but I think you are overlooking the added value of the intelligence updates. Looking at Microsoft's update frequency, they seem to update roughly every two hours (source: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.349.1271.0).

When people have set Configure Defender to HIGH or MAX, they also receive the intelligence updates from the threat response. As far as I understood, these are the fingerprints for the latest emerging threats. When you look at the category of the intelligence updates they are nearly always classified as severe.

The intelligence update feature was developed for the corporate environment as an early threat response. The use case for receiving the intelligence updates for the latest (severe) threats was mobile employees with an on-and-off Internet connection. This could also be beneficial for people meeting friends in public places and exchanging data via USB.

So while I agree that home laptop users are a different use case scenario than the mobile corporate worker, why would Microsoft bring threat response to home users when there would not be any benefit? These 'trickle' updates are not used when AVs are tested for their offline malware protection (e.g. the malware protection test of AV-Comparatives). Microsoft Defender has the third worst offline detection (after Trend Micro and Panda), but as stated this is without the intelligence updates.


Regards, Kees

From this cmdlet, I think the following should be considered:

SignatureDisableUpdateOnStartupWithoutEngine
SignatureScheduleDay
SignatureUpdateInterval
 

Andy Ful

Hi @Andy Ful, thanks.

It has been some time since I talked to a Microsoft engineer (link), but I think you are overlooking the added value of the intelligence updates. Looking at Microsoft's update frequency, they seem to update roughly every two hours (source: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.349.1271.0).

If I recall correctly, the updates for home users are not as frequent as for Enterprises. Some time ago I noticed 3 or 4 updates a day (no more). Many computers in Enterprises are not connected to the Internet but can download updates from a local server. Frequent updates can have some value for them. But such an environment is very different from the home environment or the mobile user environment.

The intelligence update feature was developed for the corporate environment as an early threat response. The use case for receiving the intelligence updates for the latest (severe) threats was mobile employees with an on-and-off Internet connection. This could also be beneficial for people meeting friends in public places and exchanging data via USB.

I am afraid that this is pretty much an illusion because the protection without an Internet connection is not very good even after the update. In such cases, one cannot rely on Defender alone.


"Allow ad hoc changes to protection based on cloud-delivered protection

Microsoft Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.

If you have enabled cloud-delivered protection, Microsoft Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender AV to automatically receive that protection update. Other important protection updates can also be applied."

The fast threat response updates are not available without an Internet connection.
Anyway, most ASR rules work as an advanced HIPS and do not require frequent updates or an Internet connection.
There are also exceptions:
These ASR rules require an Internet connection.

So while I agree that home laptop users are a different use case scenario than the mobile corporate worker, why would Microsoft bring threat response to home users when there would not be any benefit? These 'trickle' updates are not used when AVs are tested for their offline malware protection (e.g. the malware protection test of AV-Comparatives).

The AV testing labs always update Defender just before testing it. So, the offline results can reflect the situation when the user has set Defender to update most frequently. Still, the results are not great when offline.
If the malware samples were executed from the USB drive with ASR rules enabled, then the results would probably be much better. But this would not follow from the frequent updates.

(y):coffee:
 

Kees1958

ASR rules are HIPS-like and 'built-in'. When enabled, they don't require the cloud (not cloud-dependent).
True, they provide "OS-aware" HIPS-like (smart) protection, but I can imagine that the ASR rule "Block executable files from running unless they meet the prevalence, age, trusted list criteria" needs access to the cloud to determine the latest prevalence. PrevX was the first with this type of protection (seen by the community) and that feature was cloud based. Maybe @Andy Ful can tell us which ASR protections need an Internet connection.
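To see which ASR rules are actually configured on a machine and whether cloud-delivered protection is on (the precondition for the prevalence/age rule to work as intended), here is an added audit script (my example, not code from the thread, from ConfigureDefender or from Hard_Configurator). It assumes the Defender PowerShell cmdlet Get-MpPreference is available. The GUID is Microsoft's documented ID for the prevalence/age/trusted-list rule named in the post; the rule-name table and the list of cloud-dependent rules cover only that one rule and are meant to be extended from Microsoft's ASR reference.

```powershell
# Added example (not from the thread, ConfigureDefender or Hard_Configurator):
# list configured ASR rules, mark cloud-dependent ones, and check whether
# cloud-delivered protection is on. Read-only.

# Documented Microsoft ASR rule ID: "Block executable files from running unless
# they meet a prevalence, age, or trusted list criterion".
$prevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Assumption: only the rule discussed above is in these tables; extend as needed.
$ruleNames = @{}
$ruleNames[$prevalenceRule] = 'Block executables unless they meet prevalence/age/trusted-list criteria'
$cloudDependent = @($prevalenceRule)

# Action codes used by AttackSurfaceReductionRules_Actions
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# MAPSReporting 0 means cloud-delivered protection is off entirely.
$cloudOn = ($pref.MAPSReporting -ne 0)
Write-Host ("Cloud-delivered protection (MAPSReporting): {0}" -f $(if ($cloudOn) { 'on' } else { 'OFF' }))
Write-Host ("Configured ASR rules: {0}`n" -f $ids.Count)

for ($i = 0; $i -lt $ids.Count; $i++) {
    $id     = $ids[$i].ToString().ToLower()
    $action = $actionName[[int]$actions[$i]]
    if (-not $action) { $action = "Unknown($($actions[$i]))" }
    $name = if ($ruleNames.ContainsKey($id)) { $ruleNames[$id] } else { '(name not in table)' }
    $needsCloud = $cloudDependent -contains $id

    "{0}  {1,-8} {2,-6} {3}" -f $id, $action, $(if ($needsCloud) { 'cloud' } else { 'local' }), $name

    # The prevalence/age rule cannot evaluate reputation without the cloud, so
    # an enabled rule with cloud protection off is worth flagging.
    if ($needsCloud -and -not $cloudOn -and $action -ne 'Disabled') {
        Write-Warning "Rule $id is enabled but cloud protection is off; offline it cannot evaluate prevalence or age."
    }
}
```

Run it as administrator; rules that ConfigureDefender sets show up with their action code, and the warning fires only for the cloud-dependent rule when MAPS reporting is disabled.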
 

Andy Ful


oldschool

Level 62
Verified
Mar 29, 2018
5,138
Updated Hard_Configurator tools
updated: ConfigureDefender
not-updated: FirewallHardening, RunBySmartscreen, DocumentsAntiExploit

Thanks @Andy Ful. If my memory serves me well, the Palantir blog post has been updated since my earlier reading: it appears they have changed some recommendations based on a larger data set.
Microsoft Defender Attack Surface Reduction recommendations
I appreciate the links on your GitHub ConfigureDefender page. (y) (y)
 

Azure

Level 26
Verified
Content Creator
Oct 23, 2014
1,560
Asking on behalf of Krusty


Will a new version of Hard Configurator be available soon that includes the updated Configure Defender?
 

Andy Ful

Asking on behalf of Krusty


Will a new version of Hard Configurator be available soon that includes the updated Configure Defender?

Yes, probably in one or two weeks.(y)

The ConfigureDefender in the H_C 6 beta 1 is fully functional on Windows 11. In the newest standalone version I added:
  • support for event Id=1120.
  • new CFA setting BDMO = Block Disk Modifications Only.
 

Azure

Yes, probably in one or two weeks.(y)

The ConfigureDefender in the H_C 6 beta 1 is fully functional on Windows 11. In the newest standalone version I added:
  • support for event Id=1120.
  • new CFA setting BDMO = Block Disk Modifications Only.
Is it possible to update CD by downloading the latest version and replacing the one in H_C?

 