ConfigureDefender utility for Windows 10/11

  • Like
Reactions: stefanos, harlan4096, shmu26 and 1 other person
oldschool said:
I really have no patience for users who don't read manuals or change logs! Oh wait, that's me! :LOL::LOL::LOL: Thanks Andy. I'll see if adding exceptions helps with the two small issues (blocks) I see in the log.
Click to expand...
Please, be very careful with adding exclusions for ASR rules. These exclusions will apply for all ASR rules (except 2 rules which do not support exclusions).
 
  • Like
Reactions: simmerskool, harlan4096, shmu26 and 1 other person
  • Like
Reactions: Andy Ful, oldschool and harlan4096
shmu26 said:
Thanks to both of you for pointing this out. And also for the warning that the exclusions are applied almost globally.

Which are the two rules that don't support exclusions?
Click to expand...

"Impede JavaScript and VBScript to launch executables"

"Block process creations originating from PSExe and WMI commands"

And as you said in an earlier post, most of the ASR glitches come from the "lsass.exe" rule. On my system the log shows this rule blocked an operation by Bleachbit but BB seems to be working fine (unless there is some effect I'm not aware of). Same with Brave update. This is puzzling to me. :unsure::emoji_thinking:

Edit: Now that I think of it, it was probably Bleachbit performing its occasional update check.
 
  • Like
Reactions: Andy Ful, harlan4096, shmu26 and 1 other person
oldschool said:
And as you said in an earlier post, most of the ASR glitches come from the "lsass.exe" rule. On my system the log shows this rule blocked an operation by Bleachbit but BB seems to be working fine (unless there is some effect I'm not aware of). Same with Brave update. This is puzzling to me. :unsure::emoji_thinking:

Edit: Now that I think of it, it was probably Bleachbit performing its occasional update check.
Click to expand...
Thanks.
It is common for lsass blocking to fill up the log with entries, but not interfere with functionality of the app involved.
 
  • Like
  • Thanks
Reactions: simmerskool, oldschool, Andy Ful and 1 other person
shmu26 said:
Thanks.
It is common for lsass blocking to fill up the log with entries, but not interfere with functionality of the app involved.
Click to expand...

Thanks. I thought you or Andy had posted a comment about this previously, thus my 2nd question in post #439.
 
  • Like
Reactions: harlan4096, Gandalf_The_Grey, stefanos and 1 other person
@Andy Ful

I updated your excellent program on my ASUS 2-in-1 again and noticed the disable USB execution was greyed out (and automatically turned from on to off). I know it has been reported as not working correctly, but on my Asus 2-in-1 it works fine. Would it be possible to provide an option to enable this (I had forgotten what reg-keys it were, so took me some time to find it again).

Also would you consider to adding rdpshell.exe to the list of sponsors?

** note for myself ** Disable usb-execution (so I find it easily when you keep it switched off :))
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Execute"=dword:00000001

Thanks for all the effort you have put into H_C, ConfigureDefender and documentsanti-exploit). Using your software, WD is the only security I need (y):emoji_clap:
 
  • Like
  • Wow
Reactions: simmerskool, Handsome Recluse, Andy Ful and 4 others
Windows_Security said:
@Andy Ful
...
I updated your excellent program on my ASUS 2-in-1 again and noticed the disable USB execution was greyed out (and automatically turned from on to off). I know it has been reported as not working correctly, but on my Asus 2-in-1 it works fine.
...
Click to expand...
Thanks for the kind words. I will think about it, although it will be risky for some users.:giggle:
Anyway, if you have installed Windows 10, then there is an ASR rule that blocks untrusted and unsigned processes that run from USB. Furthermore, the execution from USB is blocked by recommended SRP settings. Do you have any problem with applying these restrictions?

Windows_Security said:
Also would you consider to adding rdpshell.exe to the list of sponsors?
...
Click to expand...
From what I learned about rdpshell.exe it could work only with opened Remote Desktop session. But, H_C blocks it and some other remote features via <Block Remote Access>.
Do you have in mind the scenario, when the user wants to use some remote features and block only RemoteApp session?
 
  • Like
Reactions: simmerskool, shmu26, harlan4096 and 2 others
@Andy Ful

Blocking USB unsigned. Have to check that ASR, thanks. Since USB block works on all our devices (a Desktop a Leneovo Yoga and a Asus Transformer) the width/impact of the problem is low in my personal experience. No problem when you don't facilitate, but H_C is actively disabling it now.

RDPshell. not really at the moment, but when Microsoft starts to advice to block some unneeded programs (thx to @shmu26 Discuss - Microsoft Recommends Default-Deny (Sort of)) why not block this unnessecary (when not using remote also). Remote desktop allows access, RDPshell the (possibly malicious) action, so blocking both is a sort of double lock.

Regards Kees
 
  • Like
  • Wow
Reactions: simmerskool, oldschool, Andy Ful and 2 others
Windows_Security said:
@Andy Ful
..
No problem when you don't facilitate, but H_C is actively disabling it now.
...
Click to expand...
From the next version, H_C will stop actively disabling this feature. I do not want to enable it in H_C because when it fails, then the computer is bricked even after restarting into Safe Mode.

Windows_Security said:
RDPshell. not really at the moment, but when Microsoft starts to advice to block some unneeded programs (thx to @shmu26 Discuss - Microsoft Recommends Default-Deny (Sort of)) why not block this unnessecary (when not using remote also). Remote desktop allows access, RDPshell the (possibly malicious) action, so blocking both is a sort of double lock.

Regards Kees
Click to expand...
I am sure that you do not need to block it. Blocking remote control is very important for home users, so it is applied in H_C by default. The only way to use rdpshell.exe with disabled Remote Desktop could be related to some unknown Windows exploit and installation of some additional modules. But, your requests are always important to me so I will add rdpshell.exe to blocked Sponsors in the next version of H_C.(y):giggle:
 
Last edited:
  • Like
  • Thanks
Reactions: simmerskool, oldschool, Windows_Security and 3 others
Andy Ful said:
I will add rdpshell.exe to blocked Sponsors in the next version of H_C.(y):giggle:
Click to expand...
Is there a way to make the Sponsors list customizable, sort of like the Whitelist By Path list is? Then, extreme security enthusiasts can torture their own systems as they wish.
 
  • Like
Reactions: simmerskool, oldschool, Gandalf_The_Grey and 2 others
shmu26 said:
Is there a way to make the Sponsors list customizable, sort of like the Whitelist By Path list is? Then, extreme security enthusiasts can torture their own systems as they wish.
Click to expand...
I am thinking about it for a long time, but still not sure. Blocking more than is actively used by malc0ders is dangerous to the system/software stability (H_C can block over 170 programs and modules from Windows folder).
H_C allows only those tortures which cannot kill the victim for sure.:giggle:
 
  • Like
Reactions: simmerskool, oldschool, Gandalf_The_Grey and 2 others
You can use OSArmor. It overlaps a little with ASR rules, but can add some useful protection.
You have to remember that some OSArmor advanced settings related to PowerShell may block the actions of ConfigureDefender, so you have to make exclusions in OSArmor.
 
Last edited:
  • Like
Reactions: simmerskool, Freki123, shmu26 and 5 others
shmu26 said:
Question about "Max" settings: When I get a smartscreen block on a new file, such as a beta version of one of your tools, it seems that I can't click past smartscreen anymore, even if I want to. What is recommended?
Click to expand...

That's because Max sets SS > Block in Edge, etc. Please change > 'warn" or "user". I always first choose a protection level and then manually adjust individual features as needed.
 
  • Like
Reactions: woodrowbone, Andy Ful, Gandalf_The_Grey and 3 others

You may also like...