ConfigureDefender utility for Windows 10

Mjolnir

Level 2
Verified
Jul 4, 2019
69
It doesn't update by itself. It's a portable app so nothing to install. @Andy Ful always announces the latest version and posts the download links here or you may go to GitHub - AndyFul/ConfigureDefender: Utility for configuring Windows 10 built-in Defender antivirus settings. to get the latest.

If you use CD by itself* you may want to consider his RunBySmartscreen, which is another useful tool.

*Note: ConfigureDefender is also included with Hard_Configurator Windows hardening application, which is a complete package as a separate option. His GitHub page has all of his tools.
So to clarify.. When new version is available simply download and run - no need to delete existing version?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
So to clarify.. When new version is available simply download and run - no need to delete existing version?
No need, if you like to keep several versions of one portable application. (y)
 
  • Like
Reactions: oldschool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
I made a quick test:
  1. Disable Defender's real-time protection.
  2. Download/unpack Mimikatz.
  3. Disable the Internet connection.
  4. Copy Mimikatz.exe ---> DumpStack.log in the Mimikatz folder.
  5. Enable Defender's real-time protection (Internet connection still disabled).
    Defender detects Mimikatz.exe but ignores DumpStack.log
  6. Open Command Prompt and execute DumpStack.log by using the CmdLine:
    start c:\PathToMimikatz\DumpStack.log
    Defender detects DumpStack.log as HackTool:Win32/Mimikatz.D
It is worth mentioning that DumpStack.log is correctly detected also when forcing the manual scan via the option in the Explorer right-click menu.(y)
 
Last edited:

SeriousHoax

Level 43
Verified
Top poster
Well-known
Mar 16, 2019
3,158
Have you checked this one? What's your thought on this?
GitHub - 0xsp-SRD/mortar: evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
Not all products were tested but so far among the tested one's bypassed Kaspersky, ESET, Malewarebytes, Mcafee, Cortex XDR, Windows defender, Cylance, TrendMicro, Bitdefender, Norton Symantec.
Some were easier to bypass, eg: ESET, MD. Some were harder, eg: Kaspersky, Cortex XDR.
Also check the open and closed issues.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
Have you checked this one? What's your thought on this?
GitHub - 0xsp-SRD/mortar: evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
Not all products were tested but so far among the tested one's bypassed Kaspersky, ESET, Malewarebytes, Mcafee, Cortex XDR, Windows defender, Cylance, TrendMicro, Bitdefender, Norton Symantec.
Some were easier to bypass, eg: ESET, MD. Some were harder, eg: Kaspersky, Cortex XDR.
Also check the open and closed issues.

Interesting read.:)
Such new attack techniques (this one is not entirely new, but new enough) will be always hard to detect by AVs. The original loaders from GitHub had great chances to bypass most AVs (until the signatures will be available). After some time the AVs will try to detect also modified loaders by already known methods for polymorphic or metamorphic malware.
In the case of Defender, the EXE and DLL loader can be prevented by the ASR prevalence rule.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
After some thinking and experimenting, I found easily several other files that are not automatically scanned by Defender. It is easy to predict which files will be ignored by the Defender when opening a folder. After changing their file extension to EXE, Defender can immediately detect them just like in the case of renamed DumpStack.log.

Edit.
When the malicious file is downloaded via Edge (SmartScreen disabled) with the file name DumpStack.log, it is detected by Defender (download fails). If it is downloaded by Firefox (and not blocked by Firefox) then Defender allows the download. It seems that downloading the file via certutil LOLBin is similar to Firefox.
Furthermore, the files like DumpStack.log are scanned by Defender when copying or opening in the notepad.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
good to know, it seemed that mr.d0x was saying he launched DumpStack.log --> luanched mimi.exe without WD detection
thank you
If he did not make some mistake then his and my results would suggest something unpleasant for Defender. But, I must investigate this a little to be sure.:unsure:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
Fortunately, my suspicion was not true. I suspected that running DumpStack.log from CmdLine could bypass Cloud delivered protection (no cloud backend) and mimi.exe was checked against cloud backend. But, on my computer, this is not true. I made a quick test:
  1. Disable Defender real-time protection.
  2. Compile the EXE file and rename it to DumpStack.log.
  3. Enable Defender real-time protection.
  4. Run Dumpstack.log from Command Prompt.
I chose the file that included some suspicious code to trigger the cloud backend. I did not run the original EXE file, but only the Dumpstack.log. Anyway, I could see the normal Defender alert (scanning against cloud backend):

1641911056814.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
If he did not make some mistake then his and my results would suggest something unpleasant for Defender. But, I must investigate this a little to be sure.:unsure:

I could not reproduce running the Dumpstack.log - it is always checked on execution like the EXE file. So the different results between my test and the original test made by mr.d0x , must probably follow from the fact that he made his test in the local network on the Windows Enterprise edition (different environment and different Windows settings).
Anyway, the first part of our tests is the same. There are some files that can be downloaded to disk (by Firefox or LOLBin) without Defender's scan. They are also not scanned when opening the folder. On the home computer, they are automatically scanned when copying, doing the manual scan, or on execution.
 
Last edited:

Mjolnir

Level 2
Verified
Jul 4, 2019
69
Question...I'm currently running Con. Def. on MAX setting. When I open pdf's on the desktop MS Edge launches and the documents are opened with Edge browser...is this expected behavior?
 
  • Like
Reactions: Gandalf_The_Grey

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
Question...I'm currently running Con. Def. on MAX setting. When I open pdf's on the desktop MS Edge launches and the documents are opened with Edge browser...is this expected behavior?

This behavior is related to default Windows settings and unrelated to ConfigureDefender. You can change the default PDF viewer via the Explorer context menu, for example:
 

PD20

New Member
Oct 12, 2019
11
I'm changing the topic a bit here but just saw the article over on Bleeping Computer about the vulnerability in Microsoft Defender where hackers are able to bypass detection. An issue known years ago. Would this be prevented by Configure Defender on High setting?
 
  • Like
Reactions: wat0114

SeriousHoax

Level 43
Verified
Top poster
Well-known
Mar 16, 2019
3,158
I'm changing the topic a bit here but just saw the article over on Bleeping Computer about the vulnerability in Microsoft Defender where hackers are able to bypass detection. An issue known years ago. Would this be prevented by Configure Defender on High setting?
Do you mean this one?
Then the answer is, No. Looks like this particular bypassing method will only work if you have put folders into exclusions. So if you haven't put any, then this shouldn't cause any issue.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
I'm changing the topic a bit here but just saw the article over on Bleeping Computer about the vulnerability in Microsoft Defender where hackers are able to bypass detection. An issue known years ago. Would this be prevented by Configure Defender on High setting?

As @SeriousHoax noted, the concern is related to the specific Defender's configurations in Enterprises and are not relevant for home computers. Additional vulnerabilities are also related to the possibility of changing some Defender settings with high privileges, for example.

Such attacks are performed in Enterprises via lateral movement (this can take weeks or months). First, the attacker tries to compromise the network and steal the Administrator credentials to get high privileged access to other computers. Next, something like Zloader is used to infect computers in the network and get persistence by changing Defender's settings (high privileges are used). Such attacks can be prevented in many cases by using ConfigureDefender HIGH settings. But, if the attacker is highly motivated and knows the applied protection, then that protection can be usually bypassed (no matter which AV is installed). See for example:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-970819

Performing similar attacks against home users is much harder (very rare) and not necessary, except for targeted attacks on diplomates, dissidents, or celebrities. The widespread attacks that would require high privileges will mostly fail against Defender, because Microsoft added the behavior-based modules that can detect known UAC bypasses. So actually, Defender has got probably the best "anti-UAC bypass" protection.

Of course, this cannot save people who intentionally install cracks, pirated software, etc. In such cases, the security alerts will be simply ignored, and the 0-day malware will be installed with high privileges.
 
Last edited:

JiSingh12

Level 3
Sep 1, 2018
136
Hi guys, Hi Andy :cool:

Lets just say i wanted to use a 3rd party AV, how would i go about this?

So, currently I use Simple Windows Hardening with both options on, and basic recommended settings.
I also used ConfigureDefender set to HIGH, nothing changed by myself.

If i wanted to use something like Avast One, Kaspersky etc. blah blah, how would i go about this?
Can i just install them as default without worrying about anything or will there be problems?

Thank you
Ji
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
Hi guys, Hi Andy :cool:

Lets just say i wanted to use a 3rd party AV, how would i go about this?

So, currently I use Simple Windows Hardening with both options on, and basic recommended settings.
I also used ConfigureDefender set to HIGH, nothing changed by myself.

If i wanted to use something like Avast One, Kaspersky etc. blah blah, how would i go about this?
Can i just install them as default without worrying about anything or will there be problems?

Thank you
Ji

SWH should work well with Avast, Kaspersky, and most AVs. If you will install another AV then ConfigureDefender settings will stop working (these settings are related only to Microsoft Defender).(y)
 

JiSingh12

Level 3
Sep 1, 2018
136
SWH should work well with Avast, Kaspersky, and most AVs. If you will install another AV then ConfigureDefender settings will stop working (these settings are related only to Microsoft Defender).(y)
Ok, great, thank you.

One more quick question, when I open Powerpoint i get an action blocked by Attack Surface Reduction.
Also when opening word or a new word document, I get a pop up relating to macros or content that requires macro language support.

I am guessing both of these are down to SWH and ConfigureDefender?

Thank you
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,167
Ok, great, thank you.

One more quick question, when I open Powerpoint i get an action blocked by Attack Surface Reduction.
Also when opening word or a new word document, I get a pop up relating to macros or content that requires macro language support.

I am guessing both of these are down to SWH and ConfigureDefender?

Thank you
Probably yes. But normally you should not see those alerts when opening PowerPoint or a new Word document. Such alerts suggest that you use in Word a custom template, 3rd party Add-in, or similar feature that needs VBA. I am not sure why Powerpoint triggers the ASR rule. There can be several reasons for such behavior. Can you post the GUID of this ASR rule? You can also look at ConfigureDefender Security Log for the name of this ASR rule.

Edit.
I assume that your computer is clean. In the worst scenario, such alerts can be also triggered when the computer is infected. But, then you should see other symptoms, so there is no need to worry.
 
Last edited: