ConfigureDefender utility for Windows 10/11

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,171
You think I didn't try running the installer outside the browser immediately after? :ROFLMAO:
If it's not MpEngine, then it's something from Windows 10, outside Defender.
Are you using WindowsSimpleHardening or Hard_Configurator along with CD? Try right clicking the icon and see if a Install By Smartscreen option is there or run as administrator. There are lots of browser options out there and if your using Microsoft Defender anyway, that's best accompanied with Chromium-Edge.
 
  • Like
Reactions: Nevi and Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
You think I didn't try running the installer outside the browser immediately after? 😛
It was probably MAPS, block at first sight, MpEngine... I think it's not being blocked, but it maybe it's being suspended to be analyzed, but something doesn't work right and immediately gives the error "installer cold not launch".
Yes, this might happen when you have several executables in the folder. When you open the folder (first time after starting Windows session) these executables are checked by Defender. Some of them (not checked yet) can be suspended.
 
  • Like
Reactions: ForgottenSeer 85179

Templarware

Level 10
Verified
Well-known
Mar 13, 2021
462
Are you using WindowsSimpleHardening or Hard_Configurator along with CD? Try right clicking the icon and see if a Install By Smartscreen option is there or run as administrator. There are lots of browser options out there and if your using Microsoft Defender anyway, that's best accompanied with Chromium-Edge.
None. I manually changed group policies, following a video, because I wanted to learn exactly what I was changing. I did this: and this:

Running as administrator didn't work, I tried.
 
  • Like
Reactions: Nevi

Templarware

Level 10
Verified
Well-known
Mar 13, 2021
462
Yes, this might happen when you have several executables in the folder. When you open the folder (first time after starting Windows session) these executables are checked by Defender. Some of them (not checked yet) can be suspended.
There were no executables, only a few documents and video files.
 
  • Like
Reactions: Nevi

Templarware

Level 10
Verified
Well-known
Mar 13, 2021
462
Why wasting so much time while it could be so easy hardening Windows/Defender with Andy's tools in which he puts so much effort? 🤨
Because I wanted to know what I was changing. I found it doesn't really explain what is doing, group policies have better explanation, and there aren't many policies to change, it's a quick thing to do.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
Because I wanted to know what I was changing. I found it doesn't really explain what is doing, group policies have better explanation, and there aren't many policies to change, it's a quick thing to do.
I can assure you that Simple Windows Hardening does it's job perfectly fine, thats why so many people are using it here. Same with Configure Defender... And if you face any issues, you can revert the changes easily.

I also think that the information that is provided within the tool, is enough for people to understand what it's doing:
Screenshot 2021-04-24 202520.png
Unbenannt2.PNG

Unbenannt.PNG
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
The more detailed info about SWH options is included in the manual:
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf

The comprehensive info about SRP and Registry changes related to hardening can be found in the H_C documentation:
https://github.com/AndyFul/Hard_Configurator/tree/master/Documentation

The info about Defender ASR rules can be found in articles (included on the ConfigureDefender GitHub webpage):
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
Could someone of you guys check, if the disabling of telemetry of windows will cause defender to prevent that?

I guess the adguard desktop caused to run that commandline and md prevented it from running , right?
View attachment 258443
This CmdLine is also blocked by Defender on my computer.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
Thanks Andy (y)
How does the new warn option work?
Do you get a popup or something like that where you can decide if you allow or deny something or just info that a rule is triggered?
It works like most ASR rules. If it is set to Warn, then the driver is initially blocked and you can see the alert, that allows unblocking. The next time the driver will be allowed. One can also use ASR exclusions. The blocked driver can be submitted for analysis to Microsoft.

1622368759749.png 1622368961086.png

 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
...
This rule will be set as follows:
DEFAULT -------------> Disabled
HIGH -------------------> Audit
INTERACTIVE -----> Warn
MAX -------------------> ON
I have overlooked that this rule does not block the drivers already installed on the system. So, maybe it will be better to set it to ON in the HIGH preset.:unsure:

DEFAULT -------------> Disabled
HIGH -------------------> ON
INTERACTIVE -----> Warn
MAX -------------------> ON
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,512
Microsoft disabled its own PowerShell cmdlets for managing ASR rules (Disabled, AuditMode) when Tamper Protection is enabled. When the user opens PowerShell console and tries to set any ASR rule to Disabled or Audit Mode, then Defender blocks the cmdlet and Logs the event as :
Trojan:Win32/MpTamperASRRule.PSA (for AuditMode attempt)
Trojan:Win32/MpTamperASRRule.PSD (for disabling attempt)

This does not affect the PowerShell cmdlets when the user wants to enable ASR rules.

For now, these changes do not affect the functionality of <DEFAULT>, <HIGH>, <INTERACTIVE>, <MAX> options in ConfigureDefender. They work as usual. Anyway, when the user wants to set a particular ASR rule manually to Disabled or Audit, Defender will block the attempt with an alert. It is still possible to do it when Tamper Protection is temporarily disabled.

I will try to negotiate with Microsoft to whitelist ConfigureDefender in Tamper Protection, but the chances for that are not great.:(
Furthermore, I think that Microsoft is doing the right thing, except labeling the action as Trojan.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top