ConfigureDefender utility for Windows 10

[Andy Ful]

Is it possible to update CD by downloading the latest version and replacing the one in H_C?

It is possible (not recommended), but the H_C must be run without the -p switch. The standalone version of ConfigureDefender uses the "Windows\Temp" folder for intermediate files and the execution from this folder is usually blocked by H_C. Without the -p switch, the H_C does not block processes executed with high privileges, so the standalone version of ConfigureDefender will not be blocked too.
Of course, one has to rename the standalone version and use the file name from the H_C installation.

 

[SeriousHoax]

Hi! @Andy Ful. Does the network protection feature reduce web browsing performance? Have you ever noticed anything? I see that during heavy downloads, the network protection related process uses 2-5% CPU constantly. I don't know if it slows down anything like downloading or browsing speed. AV-Test and MRG-Effitas tests web browsing speed delay caused by an AV. AV-Test also tests downloading time. Microsoft Defender is usually always the fastest in those test. But that's in default settings where the network protection feature is off, unlike Configure Defender at High where it's enabled. So I'm just curious what sort of impact it has. Is there any way to test it? I don't know how AV-Test and MRG test this.

 

[Andy Ful]

Hi! @Andy Ful. Does the network protection feature reduce web browsing performance? Have you ever noticed anything? I see that during heavy downloads, the network protection related process uses 2-5% CPU constantly. I don't know if it slows down anything like downloading or browsing speed. AV-Test and MRG-Effitas tests web browsing speed delay caused by an AV. AV-Test also tests downloading time. Microsoft Defender is usually always the fastest in those test. But that's in default settings where the network protection feature is off, unlike Configure Defender at High where it's enabled. So I'm just curious what sort of impact it has. Is there any way to test it? I don't know how AV-Test and MRG test this.

Network protection should not have an impact on the download speed of big files. But, it can have some impact on browsing (like any such feature). Anyway, I do not see any visible impact on my computers.
The potential impact is not related to CPU, but rather to the number of links that have to be checked when opening a website or web application.

Edit.
It is not easy to test it, because the same website can open differently at different times. If you have a stable Internet connection then you can make a test by opening a complex website 10 times at random moments during a day with enabled NP, and next repeat this test with disabled NP. Then repeat these tests a few times.

 

[South Park]

I have H_C 5.1.1.2 and was able to update to the latest C_D with no problems, though I changed the ASR rule for drivers from Warn to Audit based on an earlier suspected FP. ASR Analyzer confirmed all rules were working as intended. I look forward to updating H_C when it comes out of beta.

 

[Gandalf_The_Grey]

A question from Krusty at Wilders:

I just uninstalled KSC to test something and when I try to run Configure Defender I get this:



Any ideas? I've disabled OSA, BlackFog Privacy and even Hard_Configurator, all with no help.

OT: Web pages open way faster in Firefox without KSC installed.

Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Seems disabling default deny protection brought it back. Odd. Do you mean this?: [ATTACH]

www.wilderssecurity.com

 

[Gandalf_The_Grey]

A question from Krusty at Wilders:

Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Seems disabling default deny protection brought it back. Odd. Do you mean this?: [ATTACH]

www.wilderssecurity.com

The issue is resolved by a repair installation of Windows 10 21h2, but was that necessarily?

I have an update though. A clean install of Windows 10 21h2 was a consideration, however I decided on a slightly less painful repair installation. Basically in in-place upgrade using the ISO to 'upgrade' the machine. The result of that was that I can now open Configure Defender. Clearly something was a little messed up with my installation but it appears to be resolved now.

Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Seems disabling default deny protection brought it back. Odd. Do you mean this?: [ATTACH]

www.wilderssecurity.com

 

[Andy Ful]

A question from Krusty at Wilders:

https://www.wilderssecurity.com/thr...windows-10-needs.383448/page-144#post-3052732

It looks like the PowerShell execution was restricted by something. The AVs can restrict the execution of PowerShell by other applications. This is usually done by some HIPS or ATP features. If these restrictions can survive after uninstalling the AV then we have a problem. The incomplete uninstallation can be related to the presence of other security applications.
The H_C can run ConfigureDefender flawlessly (from the H_C GUI) even when PowerShell is blocked by <Blocked Sponsors>. Unfortunately, Krusty has used too many security applications, so I cannot be sure what was the reason. I did not hear that KSC could produce such an issue after normal uninstallation, but if I find some time I will test KSC today.

Edit.
Test done. I did not find a problem with KSC and H_C (including ConfigureDefender).

 

[Andy Ful]

Hard_Configurator tools - the new version of FirewallHardening added.

https://github.com/AndyFul/ConfigureDefender/raw/master/H_C_HardeningTools_2000.zip

There are some important changes in the FirewallHaredening tool:

1. The <Blocked Events> can show only the events related to FirewallHardening Blocklist. If the FirewallHardening BlockList is empty then <Blocked Events> does not show any blocked events.
2. From point one, it follows that events related to blocks made by other Windows Firewall settings, Windows privacy settings, etc., will not be included in the <Blocked Events>.
3. New LOLBins are added to the BlockList:
   In ver. 2001 : Csc, Cvtres, CasPol, Finger, ilasm, Jsc, Microsoft.Workflow.Compiler, Mscorsvw, Ngen, Ngentask, Vbc.
   In ver. 2010: CertOc, CertReq, Dllhost, Findstr.exe, Desktopimgdownldr.exe, ExtExport, Ieexec.exe (new location), Pktmon, Register-cimprovider, Verclsid, Wsl, Wuauclt, Xwizard.

Until the new version will be pushed (can use Load/Save option), the simplest method to update the rules is using:

1. "Recommended H_C" <ADD> button - most important new LOLBins will be added & blocked.
2. "LOLBins" <ADD> button - all new LOLBins will be added & blocked.

 

[Andy Ful]

I think that adding in FirewallHardening the Load/Save options will be useful. Here is a fragment of the help info:

The <Load> and <Save> buttons under the 'BlockList' label allow using several Blockists from the *.fhbl files. The new FirewallHardening version is usually published with the file 'Update_?.?.?.?.fhbl' that includes the new rules. Each rule starts with terms: 'Blockck :', 'Inactive :', 'Block!:', 'Inactive!:'.
The exclamation mark means that the file path is not checked, so the rule will be added even if the file does not exist on the disk. The rules without the exclamation mark are checked and if the file is not on the disk in the required location, then the rule will be skipped.
The rules can contain the known Windows environment variables like %SystemRoot%, %ProgramData%, %ProgramFiles%, %ProgramFiles(x86)%, or %SystemDrive%. For simplicity, FirewallHardening can also accept a few custom variables like:

%System32% (usually C:\Windows\System32),
%SysWOW64% (usually C:\Windows\SysWOW64),
%Framework% (usually C:\Windows\Microsoft.NET\Framework),
%Framework64% (usually C:\Windows\Microsoft.NET\Framework64).
%PowerShell% (usually C:\Windows\System32\WindowsPowerShell\v1.0),
%PowerShell64% (usually C:\Windows\SysWOW64\WindowsPowerShell\v1.0).

It may happen that the rule included in the file Update.fhbl is already on the FirewallHardening BlockList. In such a case the new rule will be skipped. On Windows 32-bit the entries included in the *.fhbl file and related to the 64-bit system are ignored - only the entries related to the 32-bit system will be loaded.
The new rules are initially added at the end of the FirewallHardening BlockList, but after running the tool a second time all rules are sorted, so the Block rules are at the beginning and Inactive rules at the end.

 

[SeriousHoax]

Microsoft Defender for more than 2 weeks is not quarantining/deleting malware often. It detects it, says that it's quarantined but when I go to folder the file is there, and it again gets detected by Defender and the same process keeps happening. It doesn't happen all the time but like 2/5 times for me for malware and 4/5 times for PUP detections. This happens for real time protection only. If I do a right-click scan of the folder containing the malware/PUP and select to quarantine/remove it from there, then it gets removed normally. I even saw couple of reports like this on Reddit.
I faced this issue more than a year ago when I tried the insider builds of Windows 10. Windows Defender Sandbox feature was "on" in Windows 10 insider builds. I thought it's a bug of the sandbox feature, and I was right because the issue was gone after disabling it.
Now Microsoft Defender on Windows 11 comes with the sandbox feature on by default and looks like the bug has returned. At least partially returned. Because like my previous experience, after turning off the Defender sandbox things are normal again.
Microsoft is probably the toughest AV to report a bug to as a consumer. Even in the Forrester Wave™: Endpoint Security report, Microsoft Defender Endpoint was kind of the best product in everything except customer support. They rank it the worst in customer support, if I remember correctly.
So, how do I report something like this to them that probably is not happening on all the PCs. In my case, it happens on stable builds, insider builds, freshly installed stable builds, everywhere.
Also, @Andy Ful the Advanced Run method that you shared for removing Defender's protection history gets detected by MD's Tamper Protection, but the protection history gets removed anyway. Is this a bug too? Is this a bug of the tamper protection? Why it doesn't stop it even after the detection?

ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...vDisableAV.H&threatid=2147785083&enterprise=0
Name: Trojan:Win32/MpTamperSrvDisableAV.H
ID: 2147785083
Severity: Severe
Category: Trojan
Path: CmdLine:_C:\Windows\System32\net.exe C:\Windows\system32\net.exe stop windefend
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: Unknown
Security intelligence Version: AV: 1.355.229.0, AS: 1.355.229.0, NIS: 1.355.229.0
Engine Version: AM: 1.1.18800.4, NIS: 1.1.18800.4

*************************************************************************
*************************************************************************

Event[1]:
ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...vDisableAV.H&threatid=2147785083&enterprise=0
Name: Trojan:Win32/MpTamperSrvDisableAV.H
ID: 2147785083
Severity: Severe
Category: Trojan
Path: CmdLine:_C:\Windows\System32\net.exe stop windefend
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: Unknown
Security intelligence Version: AV: 1.355.229.0, AS: 1.355.229.0, NIS: 1.355.229.0
Engine Version: AM: 1.1.18800.4, NIS: 1.1.18800.4

 

[Andy Ful]

...
Also, @Andy Ful the Advanced Run method that you shared for removing Defender's protection history gets detected by MD's Tamper Protection, but the protection history gets removed anyway. Is this a bug too? Is this a bug of the tamper protection? Why it doesn't stop it even after the detection?

Is the file "c:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db" deleted?
You can see that by comparing the file size before using AdvancedRun and after this. If the file has been deleted then Defender creates a fresh file that has smaller filesize. AdvancedRun is required for deleting this file which contains the log of blocks related to ASR rules, CFA, and Network Protection. Other History events are deleted without stopping Defender.

Edit.
On my computer (Windows 10), Tamper Protection prevents net.exe (run as TrustedInstaller) from disabling the Defender service. The file "mpenginedb.db" is not deleted. This still works after temporarily disabling Tamper Protection.

 

[SeriousHoax]

AdvancedRun is required for deleting this file which contains the log of blocks related to ASR rules, CFA, and Network Protection. Other History events are deleted without stopping Defender.

Ow, I see. I just checked. Yeah, other histories are deleted without disabling tamper protection except ASR, CFA, NP histories.

 

[South Park]

Microsoft Defender for more than 2 weeks is not quarantining/deleting malware often. It detects it, says that it's quarantined but when I go to folder the file is there, and it again gets detected by Defender and the same process keeps happening. It doesn't happen all the time but like 2/5 times for me for malware and 4/5 times for PUP detections. This happens for real time protection only. If I do a right-click scan of the folder containing the malware/PUP and select to quarantine/remove it from there, then it gets removed normally. I even saw couple of reports like this on Reddit.
I faced this issue more than a year ago when I tried the insider builds of Windows 10. Windows Defender Sandbox feature was "on" in Windows 10 insider builds. I thought it's a bug of the sandbox feature, and I was right because the issue was gone after disabling it.
Now Microsoft Defender on Windows 11 comes with the sandbox feature on by default and looks like the bug has returned. At least partially returned. Because like my previous experience, after turning off the Defender sandbox things are normal again.
Microsoft is probably the toughest AV to report a bug to as a consumer. Even in the Forrester Wave™: Endpoint Security report, Microsoft Defender Endpoint was kind of the best product in everything except customer support. They rank it the worst in customer support, if I remember correctly.
So, how do I report something like this to them that probably is not happening on all the PCs. In my case, it happens on stable builds, insider builds, freshly installed stable builds, everywhere.
Also, @Andy Ful the Advanced Run method that you shared for removing Defender's protection history gets detected by MD's Tamper Protection, but the protection history gets removed anyway. Is this a bug too? Is this a bug of the tamper protection? Why it doesn't stop it even after the detection?

I had the same problem without the sandbox on various Windows 10 versions up to 21H2. MD would crash or give error messages that malware wasn't deleted when I was using Eicar or Microsoft's own malware test file to ensure the product was configured properly. Removing the MS AMSI test file required over 10 minutes of reboots and rescans, which is why I finally gave up on using MD and switched to a more user-friendly 3rd-party AV. (It seemed that someone could cause a temporary Denial of Service attack by merely sending an affected user the harmless MS AMSI test file.)

 

[oldschool]

Now Microsoft Defender on Windows 11 comes with the sandbox feature on by default and looks like the bug has returned.

My hunch is that the problem is both W11 and MD sandbox.

 

[SeriousHoax]

I had the same problem without the sandbox on various Windows 10 versions up to 21H2. MD would crash or give error messages that malware wasn't deleted when I was using Eicar or Microsoft's own malware test file to ensure the product was configured properly. Removing the MS AMSI test file required over 10 minutes of reboots and rescans, which is why I finally gave up on using MD and switched to a more user-friendly 3rd-party AV. (It seemed that someone could cause a temporary Denial of Service attack by merely sending an affected user the harmless MS AMSI test file.)

Yeah, these type of things sometimes happens with Defender often, which is frustrating. Only Microsoft knows why they don't put more attention into this.

My hunch is that the problem is both W11 and MD sandbox.

Maybe, but I don't think Windows 11 in particular is responsible. As user South Park (I love South Park btw. Have watched all seasons) said above, it can even happen on Windows 10 and even without sandbox.

 

[SeriousHoax]

Maybe it's something @Andy Ful will like to explore:

https://twitter.com/i/web/status/1479094189048713219

(I couldn't find any appropriate thread to post this, so sharing it here).

 

[oldschool]

Maybe it's something @Andy Ful will like to explore:

https://twitter.com/i/web/status/1479094189048713219

(I couldn't find any appropriate thread to post this, so sharing it here).

Maybe. Scanning his posts I can't decide if this is a Defender-hater, "just for fun", hobbyist sec researcher or if he's a legitmate security researcher. I'm sure this will be grist for @Andy Ful 's mill.

Nice find! Should make for a good discussion.

 

[Andy Ful]

Maybe it's something @Andy Ful will like to explore:
...

This method can be used for hacking or lateral movement. The author suggests that it does not affect other features, so the malware can still be detected on execution. If so (I did not confirm this yet), then the home users do not have to worry. Such a method will be used in targeted attacks.
This method has some disadvantages for the attackers. It uses a LOLBin (curl.exe) and scripting interpreter, which can make the process tree more suspicious and trigger the AV detection. In the targeted attacks the increase of suspiciousness is balanced by more stealthy behavior.

Anyway, this and several other possible methods show that Defender free on default settings is not the best solution for celebrities, dissidents, and people who can be potential targets of hackers.

 

[Mjolnir]

Question..Does configure defender automatically update to the newest version? - AND if not - what is the proper way to update it - completely remove the existing install and install new version, or install new version over existing version?

 

[oldschool]

Question..Does configure defender automatically update to the newest version? - AND if not - what is the proper way to update it - completely remove the existing install and install new version, or install new version over existing version?

It doesn't update by itself. It's a portable app so nothing to install. @Andy Ful always announces the latest version and posts the download links here or you may go to GitHub - AndyFul/ConfigureDefender: Utility for configuring Windows 10 built-in Defender antivirus settings. to get the latest.

If you use CD by itself* you may want to consider his RunBySmartscreen, which is another useful tool.

*Note: ConfigureDefender is also included with Hard_Configurator Windows hardening application, which is a complete package as a separate option. His GitHub page has all of his tools.