ConfigureDefender utility for Windows 10/11

[oldschool]

@Andy Ful - As I posted earlier, I recently switched from H_C to the new versions of ConfigureDefender and RunbySmartscreen. I have all settings in WD set to max, but I was blocked from doing a couple of things:

1. Prevented from installing Brave Beta browser. Solved by switching off PUA protection and ASR rule "Block executable files from running unless...". I'm not sure which feature was blocking the action. Please explain, was it the former or the latter?

2. I opened Autoruns and was blocked from checking a file via the Virus Total feature. Was this a Windows Defender ASR rule ? or (probably not)maybe RunBySmartrscreen? Or, could it be a registry key, etc.?

As always, thanks in advance as I continue to learn much from you!

 

[Andy Ful]

@Andy Ful - As I posted earlier, I recently switched from H_C to the new versions of ConfigureDefender and RunbySmartscreen. I have all settings in WD set to max, but I was blocked from doing a couple of things:

1. Prevented from installing Brave Beta browser. Solved by switching off PUA protection and ASR rule "Block executable files from running unless...". I'm not sure which feature was blocking the action. Please explain, was it the former or the latter?

2. I opened Autoruns and was blocked from checking a file via the Virus Total feature. Was this a Windows Defender ASR rule ? or (probably not)maybe RunBySmartrscreen? Or, could it be a registry key, etc.?

As always, thanks in advance as I continue to learn much from you!

RunBySmartScreen works only if you run the file via "Run By SmartScreen" option from the right-click Explorer context menu.
Both PUA protection and ASR rule could block the file. Look at the Windows Event Viewer, because both events should be logged. If there is an event ID=1121 with the GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 inside, then this was the ASR rule mentioned by you. If not, then this was something else.
I downloaded the installers from the vendor website Download Brave Beta | Brave Browser .
Installed Brave Browser by using 64-bit and next 32-bit installers - WD Controlled Folder Access blocked the creation of the shortcut on the Desktop.
Downloaded and ran Autoruns - checked Brave Installer entry via VirusTotal - no issues.
After installation I could run Brave Browser without problems by using the entry from the Start Menu.

Could you post me the link from where your installer was downloaded?

 

[oldschool]

RunBySmartScreen works only if you run the file via "Run By SmartScreen" option from the right-click Explorer context menu.
Both PUA protection and ASR rule could block the file. Look at the Windows Event Viewer, because both events should be logged. If there is an event ID=1121 with the GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 inside, then this was the ASR rule mentioned by you. If not, then this was something else.
I downloaded the installers from the vendor website Download Brave Beta | Brave Browser .
Installed Brave Browser by using 64-bit and next 32-bit installers - WD Controlled Folder Access blocked the creation of the shortcut on the Desktop.
Downloaded and ran Autoruns - checked Brave Installer entry via VirusTotal - no issues.
After installation I could run Brave Browser without problems by using the entry from the Start Menu.

Could you post me the link from where your installer was downloaded?

Download Brave Beta | Brave Browser


Here are 4 of the four blocks I had:



I think I solved these issues through setting exclusions. Just wondering which rules blocked each. Thanks!

 

[Andy Ful]

Download Brave Beta | Brave Browser


Here are 4 of the four blocks I had:

View attachment 201165 View attachment 201167 View attachment 201168View attachment 201188

I think I solved these issues through setting exclusions. Just wondering which rules blocked each. Thanks!

The Brave Browser autorun entry was blocked by ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". This can happen when the executable was created recently (on my computer the date was 06.11.2018), so If I have installed the Brave Browser yesterday, then this entry would be probably blocked, too.
The other applications were not blocked from running, but only the access to LSA was blocked by ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
In the Defender high settings, both rules are set to audit, because of many false positives.

 

[oldschool]

Thanks @Andy Ful!

 

[Andy Ful]

Some posts of @Lockdown and @Evjl's Rain on the other thread, inspired me to make a test about how can work two combined Windows features: SmartScreen in Edge and "Block at first sight" in WD. This test was performed on Windows 10 Pro 64-bit ver. 1809.

1. Open ConfigureDefender and use "Defender high settings".
2. Turn off "Block at first sight" and check if the SmartScreen in Edge is turned on.
3. Restart Windows.
4. Use Edge to open the WD demo webpage Sign in to your account (requires sign in to Microsoft account).
5. Press the blue button "Create & download new file" and let Edge to save this file. Surprisingly, you will not see the SmartScreen alert, despite the fact that the file has been just created, so it is totally unknown to SmartScreen.
6. Reload the web page. Press again the blue button "Create & download new file" to save another new file.
7. Repeat the point 6 a few times to be sure that the saved files are not blocked..
8. Turn on "Block at first sight" feature.
9. Repeat the point 6 a few times. You can see that the files will be blocked and quarantined after download.

How do I interpret this test?

1. SmartScreen in Edge does not work in the same way as before Windows 10 ver. 1607, when "Block at first sight" feature was introduced. At present, when the user is going to download the unknown executable, then it is not blocked by SmartScreen.
2. After download via the Edge web browser, OneDrive or another online service which is supported, the unknown executables are checked by "Block at first sight" feature.
3. "Block at first sight" feature, has no impact on the detection of files, after they were executed (dynamic detection).

Post edited - the test will be continued on dynamic detection.

 

[Andy Ful]

My previous test was done for Windows 10 Pro ver. 1809 so cannot prove anything about Windows 10 Home. As @Lockdown mentioned, when reading Microsoft documentation one can be misguided by the statement:
"Applies to:

• Windows Defender Advanced Threat Protection (Windows Defender ATP)"

Every one knows that WD ATP can be installed on Windows Pro but not on Windows Home. So, many users think that advanced WD features are not available on Windows Home.
But, when we follow the above link, it is clear that Microsoft uses "WD ATP" phrase also for built-in Windows features, which are available in Windows 10 Home edition, too. For example:

It is evident that the "Next Generation Protection" features are generally the same for Windows 10 Home, Pro, up to Windows E3. From the Microsoft documentation it follows that Next Generation Protection includes :

• Cloud-delivered protection
• Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
• How end-users interact with the client on individual endpoints

The 'Cloud-delivered protection' includes 'Block at first time' feature.
Configure Windows Defender Antivirus features
Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
From the second link it follows that 'Cloud-delivered protection' is enabled by default.

In the next post I will test Windows 10 Home to be certain if the Microsoft claims about "Block at first sight" are true.

 

[Andy Ful]

I made many similar tests like in the post Q&A - ConfigureDefender utility for Windows 10.
The testing environment included two systems:

• S1, the fresh Windows 10 Home 64-bit ver. 1809 installed in the virtual machine;
• S2, the real system: Windows 10 Pro 64-bit ver. 1809.

Some results were new for me.

1. The WD demo from the webpage demo.wd.microsoft.com/Page/BAFS, did not work for FireFox web browser as compared to how it had worked for Edge and Google Chrome. In the case of FireFox, it worked as if the "Block at first sight" feature was disabled (but it was not).
2. If the "Block at first sight" feature was disabled, then the samples created by WD demo for Edge or Google Chrome, were not blocked after download at all (both S1 & S2). Those files were also not blocked after executing them from the Explorer (if the user bypassed SmartScreen). So, I left them on the disk and made a copy online by using OneDrive.
   After enabling the "Block at first sight" (system reboot required), some of the previously-not-blocked files were blocked on execution (from disk) and quarantined (both S1 & S2). The same samples were usually blocked when downloading them from OneDrive.
3. The WD demo worked with Windows Defender default settings in the Windows 10 Home ver. 1809 (S1 system). Some files were blocked, and some were not. If I executed the missed samples (in S1) then none of them were blocked.
4. Next, I executed the missed samples in the real system with Defender high settings (S2 system) and about half of them were blocked and quarantined.
5. I returned to the virtual machine (S1 system), opened the folder with before-not-blocked samples, and the samples which were blocked in the real system (S2 system) were quickly detected and quarantined in the virtual machine (S1 system).

Conclusions

1. "Block at first sight" works well with Edge and Google Chrome on all Windows 10 editions ver. 1809 (including Windows Home).
2. It is enabled by default (default WD settings, no tweaks).
3. The files missed by "Block at First sight" are usually missed on execution if the user bypass SmartScreen.
4. If the sample was blocked by "Block at first sight" on any particular machine, then all other machines can detect that sample, if they have enabled "Block at first sight" (induced detection). The 'induced detection' works on file access, so the sample copied from the pendrive can be detected too.
5. The 'induced detection' can have the important impact on the detection of 'a few-day' malware samples, but not on detection of 'never seen' samples. That can be also concluded from some tests done on Malware Hub by askalan, Av Gurus, and Evjl's Rain .

From Microsoft documentation, follows that the below (among others) Next Generation Protection advanced features are not available in Windows 10 Home and Pro editions (available only in Windows 10 E5):

1. Advanced machine learning and AI based protection for apex level viruses and malware threats.
2. Advanced cloud protection that includes deep inspection and detonation.

Yet, the above features can still provide the 'induced protection' (see point 4 in Conclusions) for the users with Windows Home and Pro editions, if "Block at first sight" is enabled. Such protection can be important against the advanced threats like WannaCry or NotPetya, which first attack Enterprises (Windows 10 E5 installed).
Furthermore, many of MS Office threats are also directed to attack enterprises via embedded macros or scripts. They can usually be detected by 'Advanced cloud protection' and provide the 'induced protection' for Windows 10 Home and Pro editions, too.

 

[ForgottenSeer 72227]

1. The WD demo from the webpage demo.wd.microsoft.com/Page/BAFS, did not work for FireFox web browser as compared to how it had worked for Edge and Google Chrome. In the case of FireFox, it worked as if the "Block at first sight" feature was disabled (but it was not).

Thanks for taking the time to test this out!

I've noticed this too. I think it may be due to (and I could be wrong) that both Edge and Chrome have AMSI support while Firefox does not. I believe this may be the reason as to why it works in both of those browsers and not the other.

Just to make sure I understand everything correctly, it seems like BAFS overall works quite well. It's nice to see that it's enabled by default, especially for home users. Would it be safe to say that BAFS is one of the reasons for WD's improved detection, but also the increased FP's? It's nice to know that once it detects something, every other machine running WD is automatically protected.

 

[oldschool]

@Andy Ful - you leave no stone un-turned! Thanks once again! :notworthy:

 

[Andy Ful]

...
Would it be safe to say that BAFS is one of the reasons for WD's improved detection, but also the increased FP's?
...

I agree - WD with "Block at first sight" turned off, would have much less false positives.

 

[plat]

Hi Andy_Ful--I read the opening statements about ConfigureDefender and its use of PowerShell but need clarification: say you have Windows 10 Home v.1809 and have enabled Group Policy. Would you be able to install and utilize ConfigureDefender while this is active? Also: does it cover all the ground Group Policy does? Any exceptions?

 

[Andy Ful]

Hi Andy_Ful--I read the opening statements about ConfigureDefender and its use of PowerShell but need clarification: say you have Windows 10 Home v.1809 and have enabled Group Policy. Would you be able to install and utilize ConfigureDefender while this is active? Also: does it cover all the ground Group Policy does? Any exceptions?

Generally, you can use ConfigureDefender if the GPO policies related to WD and SmartScreen are set to "Not configured". In many cases this also mean that WD security is activated (as in the case of Behavioral monitoring). If you will not do it, then ConfigureDefender settings will be overriden by GPO refresh feature (GPO policies will be applied).
In your case you will probably want to change sometimes the WD Exploit Guard features which can be done much easier via ConfigureDefender.
So, set all settings in the GPO tab "Windows Defender Exploit Guard" to Not configured. Next run ConfigureDefender and use it to set only WD Exploit Guard settings (ASR, Controlled Folder Access, Network Protection).

All useful Defender settings are included in ConfigureDefender. Many GPO settings were skipped because they should not be changed (the proper setting is Not configured).

 

[HarborFront]

Hi

I have one small issue

My MS SP4 is not downloading the 1809 so I used the Win 10 Update Assistant. When ConfigureDefender was set to 'High Settings' it cannot perform the download until I set it to 'Default'

Can I know which setting in 'High Settings' is preventing the download?

Thanks

 

[Andy Ful]

Hi

I have one small issue

My MS SP4 is not downloading the 1809 so I used the Win 10 Update Assistant. When ConfigureDefender was set to 'High Settings' it cannot perform the download until I set it to 'Default'

Can I know which setting in 'High Settings' is preventing the download?

Thanks

Thanks for reporting that. Did you see any event Id=1121 in the Event Viewer?

 

[HarborFront]

Thanks for reporting that. Did you see any event Id=1121 in the Event Viewer?

Nope. Did not check Event Viewer

 

[Andy Ful]

Nope. Did not check Event Viewer

Could you please give me some additional information?

Did you have the below settings ticked?

• Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
• Block credential stealing from the Windows local security authority subsystem (lsass.exe).
• Block process creations originating from PSExec and WMI commands.

Did you see any alerts?
Did you perform 'Upgrade this PC now' or 'Create installation media...' ?
Thanks.

 

[HarborFront]

Could you please give me some additional information?

Did you have the below settings ticked?

• Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
• Block credential stealing from the Windows local security authority subsystem (lsass.exe).
• Block process creations originating from PSExec and WMI commands.

Did you see any alerts?
Did you perform 'Upgrade this PC now' or 'Create installation media...' ?
Thanks.

My MS SP4 cannot update from 1803 to 1809 for many days so I reformatted thinking that I'll get the 1809 update. I got the 1803 and when I tried to update it always say 'I got the latest update'.

So I used Win 10 Update Assistant and it was updated after I set the ConfigureDefender from 'High Settings' to 'Default' otherwise I cannot download the 1809 update

 

[Andy Ful]

My MS SP4 cannot update from 1803 to 1809 for many days so I reformatted thinking that I'll get the 1809 update. I got the 1803 and when I tried to update it always say 'I got the latest update'.

So I used Win 10 Update Assistant and it was updated after I set the ConfigureDefender from 'High Settings' to 'Default' otherwise I cannot download the 1809 update

Thanks for reporting this issue. This could be one of the ASR rules, especially one of those mentioned by me in my previous post.

 

[oldschool]

Thanks for reporting this issue. This could be one of the ASR rules, especially one of those mentioned by me in my previous post.

Yes, those three appear to be the most troublesome - but as I've had very few issues I can't complain.