ConfigureDefender utility for Windows 10

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,081
When using Outlook and accessing my calendar Outlook gets unresponsive when fetching the weather forecast for my location with ConfigureDefender on High.
What (ASR rule?) could be causing this?
It's not happening with ConfigureDefender at Default.

Any events in the ConfigureDefender Log?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,081
No problem with MS Office 2019 and ConfigureDefender Interactive.

1647987596453.png


Cannot test it on MS Office 365.:(
 

Gandalf_The_Grey

Level 62
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,110
Just tried Interactive, same problem.

Trying to explain the "problem" better 🤔
I have a problem when switching from mail to calendar and back that Outlook get unresponsive for a few seconds when using the high or interactive settings.
1648021656806.png
That does not happen on default.

I will try now with the ASR rules disabled and let you know the result.

EDIT: it also happens with these ASR rules disabled:
1648022001837.png

Now I have to work, later today i will try to experiment with the various settings to see if I can find the ones responsible.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,081
Just tried Interactive, same problem.

Trying to explain the "problem" better 🤔
I have a problem when switching from mail to calendar and back that Outlook get unresponsive for a few seconds when using the high or interactive settings.
View attachment 265189
That does not happen on default.

I will try now with the ASR rules disabled and let you know the result.

EDIT: it also happens with these ASR rules disabled:
View attachment 265190

Now I have to work, later today i will try to experiment with the various settings to see if I can find the ones responsible.

Try to lower the Cloud Protection Level.:unsure:
 

Gandalf_The_Grey

Level 62
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,110
Try to lower the Cloud Protection Level.:unsure:
That didn't make a difference, the search continues...

EDIT: Could it be the Cloud Check Time Limit?
Setting it to 40s seems to have solved the issue.
Will keep monitoring my Outlook to see if the issue returns.

EDIT2: Spoke too soon, the issue is back.
Going to start with the default settings and slowly work towards the high settings to see if I can find the setting that causes this.
 
Last edited:

oldschool

Level 67
Verified
Top poster
Well-known
Mar 29, 2018
5,692

Gandalf_The_Grey

Level 62
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,110
That didn't make a difference, the search continues...

EDIT: Could it be the Cloud Check Time Limit?
Setting it to 40s seems to have solved the issue.
Will keep monitoring my Outlook to see if the issue returns.

EDIT2: Spoke too soon, the issue is back.
Going to start with the default settings and slowly work towards the high settings to see if I can find the setting that causes this.
Now the issue is also present on default or on a system without Microsoft Defender enabled.

So, it has nothing to do with ConfigureDefender.

Outlook is just too heavy to work fluently. :mad:
Hopefully MS will deliver the new One Outlook client soon...
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,081
If one uses MS Office, then it is good to use Defender's ASR rules and also block Add-ins file extensions. ASR rules do not prevent malicious Add-ins. The problem is that running Add-ins often does not spawn child processes (similarly to loading DLLs).

Access Add-ins
MDA, ACCDA, ACCDU

Excel Add-ins
XLA, XLAM, XLL

Outlook Add-ins
ECF

PowerPoint Add-ins
PA, PPA, PPAM

Word Add-ins
WLL, WWL

The attacks via Add-ins can be efficiently blocked (so far) by Defender's HIGH settings + SWH (H_C) on default settings. This happens because they use VBA (blocked by SWH / H_C on default settings) or LOLBins (blocked by ASR rules). But these attacks can be in theory more sophisticated, so it is better to block the Add-in extensions, especially with Defender on default settings. These extensions will be added to the default settings in the next versions of H_C and SWH.

Another solution is blocking all Add-ins in MS Office applications (this solution can cause problems).
The Add-ins mentioned by me, work mostly like DLLs. The DLLs can be run via RunDLL32, Regsrv32, and similar LOLBins, but this would require access to the CmdLine or some exploit. On the contrary, Add-ins can be run by Access, Excel, Outlook, PowerPoint, and Word, when the user simply clicks on the Add-in file.
 
Last edited:

HarborFront

Level 61
Verified
Top poster
Content Creator
Oct 9, 2016
5,094
Can ConfigureDefender be used in Win 11 Pro? If yes, is it time that the title and post #1 be updated to reflect this?

One question

Just now when I clicked on Default in ConfigureDefender and Refresh it I saw my Automatic Sample Submission in Windows Security Center under Reputation-based protection disappeared. I also see that the Spynet entry in my registry disappeared. What have I done................?

So, if I want to uninstall ConfigureDefender how should I do it? Will all my previous settings (before running ConfigureDefender) in Windows be reverted?

I'm not seeing a Save//Restore Original Settings (or something similar) before I execute ConfigureDefender so that if anything happens I can just restore my original settings and start all over again.

Thanks
 
Last edited:
  • Like
Reactions: Nevi and Correlate

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,081
Can ConfigureDefender be used in Win 11 Pro? If yes, is it time that the title and post #1 be updated to reflect this?

Yes.
Just now when I clicked on Default in ConfigureDefender and Refresh it I saw my Automatic Sample Submission in Windows Security Center under Reputation-based protection disappeared. I also see that the Spynet entry in my registry disappeared. What have I done................?

Automatic Sample Submission in Windows Security Center was never under Reputation-based protection. It is under Virus & threat protection settings.
What concrete registry key disappeared? The Spynet settings should be under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet
If you used Windows Policies instead of the native Defender settings then these policies were removed, because they would override the native Defender settings applied by ConfigureDefender. More info about it is included in the ConfigureDefender help or manual.

So, if I want to uninstall ConfigureDefender how should I do it? Will all my previous settings (before running ConfigureDefender) in Windows be reverted?

Press <Default> green button - this will restore the default native settings. ConfigureDefender does not remember any previous settings, except those applied via <DEFAULT>, <INTERACTIVE, and <MAX> buttons. So, your settings before using ConfigureDefender cannot be restored. (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,081
Yes, I'm using Group Policies for seeting quite a number of things

Too bad now that some were gone

If you use GPO (via gpedit.msc) then they were not gone, The GPO refresh feature will restore them after some hours. If you used reg tweaks then your tweaks were gone.
If you use GPO Defender settings via gpedit.msc then ConfigureDefender settings will be incompatible with them. This information and info on what to do are included in the ConfigureDefender help files. The GPO refresh feature will restore the policies after some hours so using the GPO Defender policies with ConfigureDefender makes no sense. You can still use GPO for other settings only the settings shared by GPO and ConfigureDefender can be a problem.

If I can advise you something, then it is good to read the help files or manual before using security software. Your current problem will be solved automatically, but when installing something else you can face serious problems.(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,081
Recently, I tested Defender against ransomware simulator:
https://malwaretips.com/threads/ransomware-knowbe4-vs-10-avs.113267/post-984441

It seems that the setting "Cloud Protection Level" = Block, was very efficient against ransomware samples:
  1. Defender Default ---> 12 vulnerable, 2 false positives.
  2. Defender Default + Cloud Block Level = Highest ----> 5 vulnerable, 2 false positives.
  3. Defender Default + Cloud Block Level = Block ----> 0 vulnerable, 2 false positives.
Today, I made a false positive test:
  1. Downloaded a few tenth fresh application installers from Softpedia (all uploaded to Softpedia today).
  2. These installers were for any kind of applications, including niche/unpopular ones.
  3. Tried to install each of them.
Results:
  • 40% were blocked by SmartScreen
  • 30% were blocked by the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", and one installation by the ASR rule "Use advanced protection against ransomware".
  • "Cloud Protection Level" = Block, did not block any installation.
Conclusion
It seems that Microsoft worked hard on decreasing the rate of false positives. This can be seen in the tests of AV-Comparatives and AV-Test from the year 2021. The setting "Cloud Protection Level" = Block, looks well and should not increase much the very good (low) rate of false positives.
 

Digmor Crusher

Level 15
Verified
Top poster
Well-known
Jan 27, 2018
704
Hi Andy, weird glitch on W11. I downloaded the newest version from your link in the Firewall Hardening thread today. I deleted my older version of CD and moved new version to desktop, when I tried to open these 2 boxed popped up. Just to check I restored old version from Recycle Bin and same thing happened. This leads me to think that maybe its my computer although I've had no issues in the past.

Screenshot 2022-05-18 153301.png
Screenshot 2022-05-18 153328.png