ConfigureDefender utility for Windows 10/11

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
especially the part about "Behavior Monitoring".
It's a big part of antivirus protection these days. Not like in the old days, when an antivirus would basically just compare a file to a list of known malicious files, nowadays the AV tries to watch what the file is doing in real-time, and if it misbehaves, it gets arrested.
 

I3rYcE

Level 12
Verified
Top Poster
Well-known
Nov 4, 2011
582
214782


What can I do ?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
My general impression is that if someone specifically crafts malware to bypass ASR, he might succeed, but regular malware will be blocked.
That was the author's (and my) conclusion too.:giggle:
I can bypass ASR rules by myself, so why not others. The author is very good at bypassing Windows security. A few bypasses were new to me.

Edit.
I read this article and watched a video (thank to @enemyofarsenic) two months ago. :giggle:
Most bypasses use scripts or VBA macros, so can be prevented by H_C.
 
Last edited:

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
My question is if the average malware coder would bother since most people don’t even know how to turn ASR on or off in the security center, at least at home. Minimal effort for biggest return. I would hope most enterprises do it as part of their standard system image. But enterprise focused malware is a whole different beast. But I guess we here are concerned beyond the average malware coder.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
This article can be summed up by two author citations:

My opinion is that with ASR, Microsoft attempt to shut down whole category of phishing exploits.
For example, the rule “Block all Office applications from creating child processes” probably block 99.9% macro-based droppers found in the wild.
.....
.....
I think ASR are a great feature to prevent common malware attacks. At the same time, most rules seem broken or way too easy to bypass. In fact, during my tests I can say I had more problems with bypassing AMSI for scripts/office documents than ASR.
Currently, ASR is not well known by blue teams. Its probable that as more defenders adopt these measures, attackers will adapt their tools to bypass them.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Is this why I have had certain blocks but it appears the app still functions? Or is it that the app functions generally but not that specific blocked process? :unsure:
The second.(y)
Most such alerts you get due to Lsass ASR rule or Controlled Folder Access.
 

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
I want to add a ConfigureDefender section to the Hard_Configurator home page because ConfigureDefender is an important part of H_C. But I'm still missing a text/phrase. @Andy Ful @shmu26 @oldschool

A section with the test results from the Hub (H_C tweaks and SmartScreen without any AV as usual) will be added later. Any help or advice (EDIT: changed tip to advice perhaps of confusion) is welcome! (maybe an extra FAQ?)
 

Attachments

  • Auswahl_051.png
    Auswahl_051.png
    114.2 KB · Views: 402
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top