ConfigureDefender utility for Windows 10/11

  • Like
  • +Reputation
  • Thanks
Reactions: Kongo, Mercenary, Moonhorse and 6 others
Andy Ful said:
Configuredefender ver. 3.1.1.1
Click to expand...
In the app, the version number still shows: 3.0.1.1
cd.png
 
  • Like
Reactions: plat, Mercenary, blackice and 5 others
SeriousHoax said:
In the app, the version number still shows: 3.0.1.1
View attachment 267970
Click to expand...
Yes. I used the executables from ver. 3.0.1.1 and added the new certificate to them.
So, the code in versions 3.1.1.1 and 3.0.1.1 is identical, only file hashes are different.
The ConfigureDefender version is hardcoded in the executables, so it is still visible as 3.0.1.1.
 
  • Like
Reactions: plat, Kongo, Mercenary and 3 others
Andy Ful said:
Yes. I used the executables from ver. 3.0.1.1 and added the new certificate to them.
So, the code in versions 3.1.1.1 and 3.0.1.1 is identical, only file hashes are different.
The ConfigureDefender version is hardcoded in the executables, so it is still visible as 3.0.1.1.
Click to expand...
New version is detected by Sophos as ML PUA. What's causing this if you only added a new certificate?

Screenshot 2022-07-12 233726.jpg
 
  • Like
  • Wow
Reactions: plat, Zartarra, harlan4096 and 3 others
SecureKongo said:
New version is detected by Sophos as ML PUA. What's causing this if you only added a new certificate?

View attachment 267973
Click to expand...
Sophos probably detects by ML all new ConfigureDefender versions as PUA, until it removes the false positive detection. The new ConfigureDefender files are also new to Sophos (different file hashes).
I submit my executables for whitelisting only to Microsoft, Avast, Bitdefender, and Norton.
 
Last edited:
  • Like
Reactions: plat, Kongo, harlan4096 and 3 others
Andy Ful said:
Sophos probably detects by ML all new ConfigureDefender versions as PUA, until it removes the false positive detection. The new ConfigureDefender files are also new to Sophos (different file hashes).
I submit my executables for whitelisting only to Microsoft, Avast, Bitdefender, and Norton.
Click to expand...
Submitted it as a FP but it will probably take a while as Sophos is quite slow at whitelisting
 
  • Like
Reactions: Mercenary, Andy Ful, Gandalf_The_Grey and 1 other person
How NOT to make tests with ConfigureDefender.



The author did not read the ConfigureDefender help:

How to apply the settings.
Select a Protection Level or custom configuration, press the "Refresh" green button and let ConfigureDefender confirm the changes. ConfigureDefender will alert if any of your changes have been blocked. Reboot to apply chosen protection.
Click to expand...

Without rebooting, most of the MAX settings were not applied which is also visible in this video. :)
 
Last edited:
  • Like
  • Sad
  • Wow
Reactions: plat, EascapenMatrix, Mercenary and 6 others
oldschool said:
It is crashing due to a longtime bug in Defender. Try clearing protection history.
Click to expand...
It is not easy because of Tamper Protection. The events related to ASR rules and CFA require a complex treatment. There are some ways to do it, we talk about this on this thread here:
malwaretips.com

ConfigureDefender utility for Windows 10/11

protection history intented to keep history by purpose It should give an option to delete those on purpose too. That's what almost all other security products do. The protection history is also known to crash randomly or when there's a lot of entry. no try yourself let others do your work for...
malwaretips.com malwaretips.com
 
  • Like
Reactions: Mercenary, SeriousHoax and oldschool
Andy Ful said:
It is not easy because of Tamper Protection. The events related to ASR rules and CFA require a complex treatment. There are some ways to do it, we talk about this on this thread here:
malwaretips.com

ConfigureDefender utility for Windows 10/11

protection history intented to keep history by purpose It should give an option to delete those on purpose too. That's what almost all other security products do. The protection history is also known to crash randomly or when there's a lot of entry. no try yourself let others do your work for...
malwaretips.com malwaretips.com
Click to expand...
Yes, I'm aware of that thread.

@Emanuel Tomasin One way around this is to reduce length of time to keep Protection History before auto-clearing either in GPO or via powershell.
 
  • Like
  • Thanks
Reactions: Mercenary, SeriousHoax, eonline and 1 other person
oldschool said:
Yes, I'm aware of that thread.

@Emanuel Tomasin One way around this is to reduce length of time to keep Protection History before auto-clearing either in GPO or via powershell.
Click to expand...
The last time when I tested this setting it could not clear the advanced blocks. Reducing the time of keeping Protection History could clear the same entries as deleting manually the folder:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory
This can be done easily via PowerShell with Administrator privileges:
Code: 
del "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory"

I posted to Microsoft about this issue, but I did not test if it was solved.
 
  • Like
  • Thanks
Reactions: SeriousHoax, oldschool and eonline
Interesting changelog in the release preview channel build of Windows 11.
  • New! We enhanced Microsoft Defender for Endpoint’s ability to identify and intercept ransomware and advanced attacks.
Click to expand...
I'm guessing this improvement is even coming to the stock Microsoft Defender. Maybe it has some similarity to the advanced ransomware ASR rule.
 
  • Like
Reactions: Andy Ful, oldschool and eonline
Andy Ful said:
How NOT to make tests with ConfigureDefender.



The author did not read the ConfigureDefender help:



Without rebooting, most of the MAX settings were not applied which is also visible in this video. :)
Click to expand...

They released a new video comparison
 
Last edited:
SeriousHoax said:
Interesting changelog in the release preview channel build of Windows 11.

I'm guessing this improvement is even coming to the stock Microsoft Defender. Maybe it has some similarity to the advanced ransomware ASR rule.
Click to expand...
Maybe they're implementing that ASR rule knowing it is stable and suitable for the average user, i.e. it won't throw FPs.
 
  • Like
Reactions: Mercenary and Andy Ful

You may also like...