ConfigureDefender utility for Windows 10

oldschool

Okay, I cleared Windows Defender threat of Hard_Config download. I turned off Windows Defender protection, downloaded and installed Hard_Config, added C/Windows/Hard_Config exclusion to Defender. Loaded Config_Defender 1.1.1.1 to C/Windows/Hard_Config, opened Hard_Config GUI and applied protections, logged out. Logged back in, re-activated Windows Defender protections. Bit of a dance but all good.


Nice! That's one of the nice things about using Windows built-in. It's definitely clunky and could be refined, but fewer problems overall.
 

Andy Ful

Just tried to download Hard_Configurator and latest Microsoft definition 1.227.552.0 is blocking and deleting the download even if MpCmdRun.exe -removedefinitions -dynamicsignatures has been run.

It does allow download of for Windows 64-bit: AndyFul/ConfigureDefender. Note: Using Edge
Confirmed - 64-bit installer is flagged and 32-bit installer is not.
Finally, Microsoft realized that Hard_Configurator also installs ConfigureDefender, so expanded the hack-tool detection to the Hard_Configurator installer. The 32-bit (x86) versions of ConfigureDefender and Hard_Configurator are still detected as clean.
Already installed executables, except the old version of ConfigureDefender, are detected as clean, so after replacing ConfigureDefender with ver. 1.1.1.1, the already installed Hard_Configurator will work well.
Yet, the new installation requires turning OFF real-time protection for a while and turning it ON again after installation.
I recommend simply not installing the actual version 4.0.0.0 of Hard_Configurator, but waiting for the corrected version 4.0.0.0. I will try to push it in a week.

Edit.
I removed the Hard_Configurator installers ver. 4.0.0.0 from the GitHub repository. If someone needs the installer, please PM me.
 

shmu26

Small GUI suggestion: make "enabled" and "disabled" in different colors, or at least different shades. The words are somewhat similar, and the text is kind of small, so it's a little hard to see what settings you have.
 

Andy Ful

This attack uses a technique that bypasses the WD ASR rules if the script is run directly from Explorer (like in the video). It may be blocked by the 'Network Protection' feature if the malware website with the payload is on the blacklist (not very probable for a 0-day).
It can be stopped by ASR when the script is embedded in an MS Office document and opened by an MS Office application.

The malware will also be blocked (but not by ConfigureDefender settings) if one of the below points is true:
  • disassociated .js and .jse extensions from wscript.exe (cscript.exe);
  • blocked JScript interpreters (wscript.exe, cscript.exe);
  • PowerShell set to Constrained Language mode;
  • blocked PowerShell interpreters (powershell.exe, powershell_ise.exe).
Of course, the malware will be blocked by a default-deny setup which can block Windows scripts.
 

Andy Ful

What about the ASR rule blocking files that do not meet "prevalence, age or trusted list criteria"?
It is still an enigma to me. I tested it on Discuss - Python Ransomware.
I downloaded the malware from the malicious website (link was hardcoded) and executed it on my computer. The above rule did not stop it. But, it can stop executables freshly compiled on my computer.
 
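A read-only PowerShell audit of the mitigations listed two posts above (which program .js/.jse still resolve to, PowerShell language mode, Network Protection) together with the ASR rules this reply is about. This is an added example, not Hard_Configurator's or ConfigureDefender's own code; it assumes Windows 10 with Microsoft Defender's Get-MpPreference cmdlet available and an elevated prompt.

```powershell
# Added audit script (not part of Hard_Configurator or ConfigureDefender).
# Read-only: reports what .js/.jse open with, the PowerShell language mode,
# Network Protection state and every configured ASR rule with its action.
# Assumes Windows 10 with Microsoft Defender and an elevated PowerShell prompt.

function Get-ScriptHostForExtension {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.js' or '.jse'
    $assoc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue
    if (-not $assoc -or -not $assoc.'(default)') { return 'disassociated (no ProgId)' }
    $progId = $assoc.'(default)'                       # normally JSFile / JSEFile
    $open = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command" -ErrorAction SilentlyContinue
    if (-not $open -or -not $open.'(default)') { return "ProgId '$progId' has no open command" }
    return $open.'(default)'                           # default is WScript.exe "%1" %*
}

function Get-AsrRuleReport {
    # Get-MpPreference exposes rule GUIDs and their actions as two parallel arrays.
    $pref = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        }
    }
}

$summary = [ordered]@{
    JsOpenCommand     = Get-ScriptHostForExtension '.js'
    JseOpenCommand    = Get-ScriptHostForExtension '.jse'
    LanguageMode      = $ExecutionContext.SessionState.LanguageMode   # ConstrainedLanguage stops the PowerShell stage
    NetworkProtection = (Get-MpPreference).EnableNetworkProtection    # 0 = off, 1 = block, 2 = audit
}
[pscustomobject]$summary | Format-List

# Flag extensions that still hand scripts to the Windows Script Host.
foreach ($ext in '.js', '.jse') {
    $cmd = Get-ScriptHostForExtension $ext
    if ($cmd -match 'wscript\.exe|cscript\.exe') { Write-Warning "$ext still opens with the Windows Script Host: $cmd" }
}

Write-Host 'Configured ASR rules (empty list means no rules are set):'
Get-AsrRuleReport | Format-Table -AutoSize
```

Rules that are not listed at all are neither blocking nor auditing, which is the first thing to check when an ASR rule appears not to fire.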

Andy Ful

Is there a link for this at all? @Andy Ful

~LDogg
If you mean the malware file, I did not run it. I watched the video and found the right malware analysis, which included the execution of PowerShell from a JScript file. This is also the characteristic, nested execution, that is necessary for bypassing the ASR.
 

Andy Ful

Small GUI suggestion: make "enabled" and "disabled" in different colors, or at least different shades. The words are somewhat similar, and the text is kind of small, so it's a little hard to see what settings you have.
ConfigureDefender2.0.0.0.png

In AutoIt, it would be hard to differentiate options with colors.
 
