Updates ConfigureDefender utility for Windows 10

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,647
Thanks.
I have no problems with the Partial setting. I only had problems when I set the <Documents Anti-Exploit> option to ON, and I did a system restore to get things back to the way they were.
Understood.
Blocking VBA by <Documents Anti-Exploit> caused problems because, in your setup, MS Word needed macros to start properly. If you next tried to set <Documents Anti-Exploit> to OFF, then this should revert MS Office and Adobe Reader to default settings, which were different from your initial setup.
 

m1kethe

Level 1
Jun 10, 2018
12
Hey guys, I need help here. I am always getting this audit related to the Macrium Reflect 7 Free Edition service (MacriumService.exe).

Is there any way to stop logging this audit for this .exe in particular?
Also, I think it is related to lsass.exe.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,005
Which features does this warning pertain to: "!! - file/folder exclusions not supported."?
It means that the so-marked rule does not allow you to exclude a file or folder from this particular protection.
For example, let's say you enabled the protection for lsass.exe, and now you are getting blocks for Macrium Reflect licence service. You cannot make an exception to allow Macrium. Your only option is to disable the protection for lsass.exe.

@m1kethe, this post is relevant to your issue, too. I had the same problem as you with Macrium Reflect.
 

oldschool

Level 59
Verified
Mar 29, 2018
4,808
Those with !! at the beginning (there are 4 such mitigations).:giggle:

Yes, as I thought, since the warning was not included before these new mitigations. I have imported filters into EV. I show nothing in Event Viewer other than information re: changes in my WD settings. I am only using Event Viewer, not NirSoft, and assume this is sufficient. New mitigations are currently enabled and everything is working fine. So, if something doesn't work in the future, I can simply check the logs even though I'm not auditing?
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,647
NirSoft FullEventLogView only filters out the important entries from the Windows Event Log, so they can be easily viewed. If you set the mitigation to Disabled, it will not be included in the Windows Event Log.
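Two things asked about in the posts above, as an added PowerShell example (not ConfigureDefender's own code): listing each configured ASR rule with its state and the ASR-only exclusions, then pulling the 1121 (block) / 1122 (audit) ASR events for one process from the Defender Operational log so you can see which rule is firing on it. It assumes an elevated session on Windows 10 with Defender running; the two rule GUIDs are Microsoft's documented ones for the lsass and prevalence/age rules, and the process name is the one from this thread used as a sample.

```powershell
# Added example, not ConfigureDefender's own code. Assumes an elevated
# PowerShell session on Windows 10 with Microsoft Defender Antivirus running.

# Microsoft's documented GUIDs for the two rules discussed in this thread.
$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe (!! no file/folder exclusions)'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence/age/trusted-list criteria are met'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleStates {
    # Pair each configured rule ID with its action; a Disabled rule writes no events.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = ([string]$ids[$i]).ToLower()
        [pscustomobject]@{
            RuleId = $id
            Action = $ActionNames[[int]$actions[$i]]
            Rule   = $(if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(other rule)' })
        }
    }
    # Exclusions only apply to rules that support them, which the !! rules do not.
    Write-Host ('ASR-only exclusions: ' + (@($pref.AttackSurfaceReductionOnlyExclusions) -join ', '))
}

function Get-AsrEventsForProcess([string]$ProcessName) {
    # 1121 = blocked, 1122 = audited; the message body carries the rule GUID and
    # the path of the process that triggered the rule.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ProcessName) } |
    ForEach-Object {
        $guid   = [regex]::Match($_.Message, '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}')
        $ruleId = $guid.Value.ToLower()
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = $(if ($_.Id -eq 1121) { 'Block' } else { 'Audit' })
            RuleId = $ruleId
            Rule   = $(if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { '(other rule)' })
        }
    }
}

Get-AsrRuleStates | Format-Table -AutoSize
# Sample process name taken from this thread; substitute the one you are seeing.
Get-AsrEventsForProcess 'MacriumService.exe' | Format-Table -AutoSize
```

If the second table shows the lsass rule in Audit or Block mode for that process, the only remedy is to set that rule to Disabled, since it does not accept file or folder exclusions.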
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,005
How does the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" compare to Avast Hardened/Aggressive? Which is better, and is either of them reliable?
As far as I know, Avast Hardened/Aggressive only monitors files with the .exe extension.
What about the ASR rule? What file types does it apply to?
 

Hi Brothers

Level 2
Apr 19, 2018
79
Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:

  • Executable files (such as .exe, .dll, or .scr)

I searched my damn hardest but I couldn't find how or where to set the "criteria set by admins"

Funnily enough, it turns out that ASR Exclusions only work on Windows 10 Enterprise (or Server), yet you can enable ASR on Windows 10 Pro.
At least that's what I get from here: Use Attack surface reduction rules to prevent malware infection. I haven't tested it, but the Evaluate page says you can use ASR on Windows 10 Pro, and so does the Enable page; however, the Customize page says it only applies to Windows 10 Enterprise (or Server), while the Troubleshoot page says

If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
  1. If the ASR rule is blocking something that it should not block (also known as a false positive), you can first add an ASR exclusion.
  2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, collecting diagnostic data and submitting the issue to us.

However, the demo tool only supports 7 rules, Block executable files from running unless they meet a prevalence, age, or trusted list criteria not being one of them, and it gives me unhandled exceptions anyway. You can find it on the Evaluate page.

You can try to use Audit mode and see what this rule would block with a lot of testing. But then again, why do that when you can just use Windows Defender (or your preferred AV) + something like appguard / voodoo shield / nvt exe radar pro instead of troubling yourself with this stupid thing
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,005
  • Executable files (such as .exe, .dll, or .scr)
If this ASR rule monitors dlls, that's very good.
I am wondering whether it is effective enough to be a kind of default/deny anti-exe mechanism. Despite the writeup describing it as configurable by system admin, it seems to work out-of-the-box with a set of default rules.
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,647
...
Funnily enough, it turns out that ASR Exclusions only work on Windows 10 Enterprise (or Server), yet you can enable ASR on Windows 10 Pro
...
Not true. The Microsoft articles are somewhat misleading on the Windows version requirements.
It is easy to test that, for example, the exclusions for the rule:
Block untrusted and unsigned processes that run from USB
works for Windows 10 Home.
.
But then again, why do that when you can just use Windows Defender (or your preferred AV) + something like appguard / voodoo shield / nvt exe radar pro instead of troubling yourself with this stupid thing
.
With ConfigureDefender the user can easily enable/disable advanced Defender settings. There is nothing stupid in configuring the strength of Anti Virus - in fact, most AVs have this ability.:emoji_ok_hand:
Furthermore, there is nothing stupid in using Defender with advanced settings + something like AppGuard / VoodooShield / NVT EXE Radar Pro.:emoji_fingers_crossed:
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,005
Not true. The Microsoft articles are somewhat misleading on the Windows version requirements.
It is easy to test that, for example, the exclusions for the rule:
Block untrusted and unsigned processes that run from USB
works for Windows 10 Home.
.

.
With ConfigureDefender the user can easily enable/disable advanced Defender settings. There is nothing stupid in configuring the strength of Anti Virus - in fact, most AVs have this ability.:emoji_ok_hand:
Furthermore, there is nothing stupid in using Defender with advanced settings + something like AppGuard / VoodooShield / NVT EXE Radar Pro.:emoji_fingers_crossed:
I would add that apps like AppGuard / VoodooShield / NVT EXE Radar Pro, for all their power, can also be a colossal headache. Windows Defender with a couple good ASR rules is much more friendly.
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,647
Advanced (slightly paranoid) users can adjust SRP or Anti-Exe to their needs. This requires some initial learning, but the user can have the reward in the long run. It follows both from the stronger setup and from the gathered knowledge.
SRP or Anti-Exe can be a headache for everyone, especially when configured by non-advanced users. Anyway, such setups can be useful for locking the computer of the child, grandfather or the average (inexperienced) user when occasionally supervised by an experienced user.
 

oldschool

Level 59
Verified
Mar 29, 2018
4,808
….
.
With ConfigureDefender the user can easily enable/disable advanced Defender settings. There is nothing stupid in configuring the strength of Anti Virus - in fact, most AVs have this ability.:emoji_ok_hand:
Furthermore, there is nothing stupid in using Defender with advanced settings + something like AppGuard / VoodooShield / NVT EXE Radar Pro.:emoji_fingers_crossed:

I would add that apps like AppGuard / VoodooShield / NVT EXE Radar Pro, for all their power, can also be a colossal headache. Windows Defender with a couple good ASR rules is much more friendly.


+1 to this. I am evidence of this - more knowledgeable than the average "never been on a forum" user, but in no way do I possess the skill of many here on MT. Thanks to all of you. By the way, I've had all new mitigations enabled since the release of the new version and everything is running smoothly!
 

Hi Brothers

Level 2
Apr 19, 2018
79
With ConfigureDefender the user can easily enable/disable advanced Defender settings. There is nothing stupid in configuring the strength of Anti Virus - in fact, most AVs have this ability.:emoji_ok_hand:

I meant the "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" rule specifically. I agree with the other things you said, but I don't see where I can configure this rule - the prevalence, age or trusted list criteria for it - in your ConfigureDefender thingy.

Also, btw, your GitHub link is broken in the 1st post.
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,647
I meant the "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" rule specifically. I agree with the other things you said, but I don't see where I can configure this rule - the prevalence, age or trusted list criteria for it - in your ConfigureDefender thingy.

Also, btw, your GitHub link is broken in the 1st post.
OK.(y)
I did not find any info about configuring this mitigation either. For now, we can use it only with predefined settings. It would be nice if someone could test it against malware samples (fresh and old).
.
There is a new version of ConfigureDefender, so the old download link is dead. The first post is still locked, so I cannot update the link. But I will contact the staff again to unlock/update it.
The actual installers can be found in this post: ConfigureDefender utility for Windows 10
 

Hi Brothers

Level 2
Apr 19, 2018
79
OK.(y)
I did not find any info about configuring this mitigation either. For now, we can use it only with predefined settings. It would be nice if someone could test it against malware samples (fresh and old).
.
There is a new version of ConfigureDefender, so the old download link is dead. The first post is still locked, so I cannot update the link. But I will contact the staff again to unlock/update it.
The actual installers can be found in this post: ConfigureDefender utility for Windows 10

In the meantime I figured out it can be downloaded from https://github.com/AndyFul/ConfigureDefender/archive/master.zip. Could you put that link in the first post next time? Or is it different?
 
