New Update DefenderUI by VoodooShield - Turn on Hidden Security Features of Microsoft Defender

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
> Would this work as a replacement for Configure Defender?? Enquiring minds want to know. ;)
Actually, DUI is a feature-rich user-friendly UI for Defender and is designed to replace traditional AV products. In other words, DUI should be indistinguishable from a traditional AV product and should contain all common features, and possibly even more. Hopefully this remains true for the rest of the features as I implement them. It should be ready in a week or so, and you will see what I mean.

Defender really is great under the hood, but a lot of users are turned off by its UI, and it is certainly the biggest, most frustrating pain point for me in Windows 10. And when I noticed it was not updated in Windows 11, I decided to build a UI for Defender.

As far as CD goes, the intention is not to replace it, especially for users who love portable apps and are content with the current Defender UI. But for users who want a super light and clean full-fledged UI for Defender, and do not mind adding 1 extra megabyte to their C Drive, DUI just might be for them. To correctly develop a full-fledged UI for Defender that does everything a traditional AV does, the app cannot be portable and needs to be designed like a native app. There was a lot more involved than I initially anticipated, but I am getting close.

Anyway, I will have to test and make sure CD is compatible with DUI, and ultimately you will be able to use either or both.
 

Balrog

Level 6
Verified
May 5, 2015
264
> Yeah, most people feel strongly one way or the other about Defender. I actually like it pretty well, but it is impossible to use and manage. Hopefully DUI will change that ;).
Precisely, the lack of an interface to manipulate the program's settings is one of the reasons why I don't like it. However, the great improvement that is achieved with interfaces like the one they have designed here is a plus. At the end of the day, Defender is free and integrates, could you say naturally?, with Windows.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
> Why would we replace CD? Just for dark mode? :cool:
CD is great, but I wanted a UI for Defender that would do things like...

Enable / disable real-time protection
Enable / disable Windows Firewall
Auto reactivate Windows Firewall
Auto reactivate real-time protection
Auto reactivate cloud-delivered protection
Auto reactivate controlled folder access
Adjust the signature update interval
Manage and add exclusions
Manage notification settings
Check for updates
Perform scans
View and edit protection history
Actively monitor if Defender is disabled, and reactivate if it is
Tray icon to quickly disable / enable Defender, run scans, etc.
Along with MANY other features…

You know, like a real AV ;).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
For most people, DUI will be a replacement for the CD. But technically, DUI can be started with Windows so it will be a real-time GUI that can do some more actions (like the Auto-reactivate features mentioned by @danb).
Real-time GUI has pros and cons. If the developer cares much about the product (true for @danb :)) then DUI can be a very good replacement for CD. This will not be easy for several reasons, for example:
  1. Microsoft does not like applications that can tweak Defender too much. I was forced by Microsoft to remove from CD the management of Defender's real-time protection.
  2. The Defender post-execution protection (behavior-based ML detections) can suddenly flag some tweaks as malicious, so some configuration actions will be blocked. That can depend on the techniques used by malware to dismantle Defender's protection.
  3. The application must be submitted to Microsoft via the developer channel for whitelisting because some advanced Defender settings can block the updated version.
In short, the developer has to test CD or DUI constantly, must be in touch both with users and Microsoft, and must quickly react to potential problems - all of this must be done very quickly if the GUI is of the real-time type. (y)
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,464
This is my personal impression. Perhaps DUI provides blueprints and parts. The CD is a ready-made finished product. I think the big advantage of CDs is that they can maintain a certain level of protection no matter who uses them. If DUI aims to organize and simplify the Defender's UI, I don't think it's a competing relationship.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
> For most people, DUI will be a replacement for the CD. But technically, DUI can be started with Windows so it will be a real-time GUI that can do some more actions (like the Auto-reactivate features mentioned by @danb).
> Real-time GUI has pros and cons. If the developer cares much about the product (true for @danb :)) then DUI can be a very good replacement for CD. This will not be easy for several reasons, for example:
>   1. Microsoft does not like applications that can tweak Defender too much. I was forced by Microsoft to remove from CD the management of Defender's real-time protection.
>   2. The Defender post-execution protection (behavior-based ML detections) can suddenly flag some tweaks as malicious, so some configuration actions will be blocked. That can depend on the techniques used by malware to dismantle Defender's protection.
>   3. The application must be submitted to Microsoft via the developer channel for whitelisting because some advanced Defender settings can block the updated version.
> In short, the developer has to test CD or DUI constantly, must be in touch both with users and Microsoft, and must quickly react to potential problems - all of this must be done very quickly if the GUI is of the real-time type. (y)
Yeah, I fully understood that going into it, but it started out as just building a Defender UI for myself, and releasing it was optional, while working on a new design theme for VS. It is super hot and Covidy outside in KC, so I have been staying indoors as much as possible, and I started working on DefenderUI, and one thing led to another and I kind of got carried away ;). I am always playing around with new ideas and most of them I never release, simply because maintaining them would take way too much of my time away from VS.

But anyway, I am trying to play by MS's rules as much as possible. I was initially considering bypassing Tamper Protection, but in the end it turned out that I did not need to, and it was then that I decided it would be best to play by MS's rules as much as possible, so that is what I have done.

As far as CD being flagged for malware, in all fairness, CD initially was not signed, it runs as admin, it writes to a different random folder each time in the Windows Directory and is written in one of the more popular languages for malware, AutoIT ;). I am certainly not picking on CD, it is a great app, but I wonder if you think these issues had anything to do with CD getting flagged as malware? ;)

Either way, there are obstacles in anything worth pursuing, so I am not worried about it.

On a side note, I know I was the one who started calling DefenderUI "DUI", but I personally am going to refer to it as DefenderUI, and if one of the mods can change the title of this thread to DefenderUI, I would appreciate it.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
> This is my personal impression. Perhaps DUI provides blueprints and parts. The CD is a ready-made finished product. I think the big advantage of CDs is that they can maintain a certain level of protection no matter who uses them. If DUI aims to organize and simplify the Defender's UI, I don't think it's a competing relationship.
I totally agree. Microsoft created the options for Defender (and there are only so many), and I am simply organizing them so that they are usable. And adding a few of my own ;).

The funny thing is that after spending all of this time with the native Defender GUI, I STILL get confused and cannot find what I am looking for. If anyone knows how to create a shortcut to a specific page in Windows Settings, PLEASE let me know ;).
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,464
> If anyone knows how to create a shortcut to a specific page in Windows Settings, PLEASE let me know ;).
It may be a little different from what you want the shortcut to mean, but you may find some hints under HKEY_CLASSES_ROOT\CLSID in the registry editor. For example, you could name your new folder
xxx(any name). {4026492F-2F69-46B8-B9BF-5654FC07E423}
it will be a shortcut to the fw settings screen.
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,464
> Awesome! Waiting for the beta version.
>
> However, I don't understand why Microsoft has to keep certain options for Windows Defender disabled and hidden.
> Strange choice.
I think it means "If you can't find a place to set that option, don't touch it".
It's the same reason why we keep lighters and matches out of the reach of young children. Maybe.;)
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
> I don't understand why Microsoft has to keep certain options for Windows Defender disabled and hidden.
In Microsoft's defence, ASR rules aren't something the majority of users would understand. They're not going to know what a child process, macro, or LSASS is, and many of those rules can cause software to not act in the way they'd expect, or not execute at all.
With that said I do think there are select options that should be accessible, like Cloud Protection Level (without the Block option; that should remain hidden, and a warning that upping the protection level can lead to a higher chance of false positives) and Network Protection, as these are generally available in third-party antivirus software.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
> ...
>
> As far as CD being flagged for malware, in all fairness, CD initially was not signed, it runs as admin, it writes to a different random folder each time in the Windows Directory and is written in one of the more popular languages for malware, AutoIT ;). I am certainly not picking on CD, it is a great app, but I wonder if you think these issues had anything to do with CD getting flagged as malware? ;)
> ...
Yes, I am sure that this false positive did not have anything to do with your notes. As Microsoft answered my resubmission, the only reason was the management of Defender's real-time protection. This violated the new rules that were introduced by Microsoft to classify malware. A few months earlier the file was submitted to Microsoft for whitelisting (and was successfully whitelisted in June 2018). In September the file was accepted by SmartScreen. The false positive occurred suddenly at the end of September 2018.
See also:
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-767955
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-945704

Edit.
The most popular programming platform for malware is Visual Studio (AutoIT malware is rare because of Python and Java).
 
Last edited:

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
> It may be a little different from what you want the shortcut to mean, but you may find some hints under HKEY_CLASSES_ROOT\CLSID in the registry editor. For example, you could name your new folder
> xxx(any name). {4026492F-2F69-46B8-B9BF-5654FC07E423}
> it will be a shortcut to the fw settings screen.
Yeah, exactly like that ;), except the shortcut would point to a specific page in Windows Settings (not the Control Panel). If anyone knows how to do this, please let me know, thank you!
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
> Awesome! Waiting for the beta version.
>
> However, I don't understand why Microsoft has to keep certain options for Windows Defender disabled and hidden.
> Strange choice.
I agree, it makes it impossible to use. I seriously thought they would change this with Windows 11, but I guess not.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
> Yes, I am sure that this false positive did not have anything to do with your notes. As Microsoft answered my resubmission, the only reason was the management of Defender's real-time protection. This violated the new rules that were introduced by Microsoft to classify malware. A few months earlier the file was submitted to Microsoft for whitelisting (and was successfully whitelisted in June 2018). In September the file was accepted by SmartScreen. The false positive occurred suddenly at the end of September 2018.
> See also:
> https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-767955
> https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-945704
>
> Edit.
> The most popular programming platform for malware is Visual Studio (AutoIT malware is rare because of Python and Java).
I am simply suggesting that there is a high probability that CD would have never been flagged in the first place if the issues I mentioned did not exist.

Either way, it does not look like we are going to have an issue. All 3 of the executables (Installer, DefenderUI, DefenderUIService) have been cleared by SmartScreen since the beginning, and there is only one false positive on VirusTotal. I really am making the code as clean and tight as possible, and doing my absolute best to play by the rules.

And actually, users will be more secure when running DefenderUI because it is going to monitor Microsoft Defender to make sure it is not disabled, so I do not think MS will have an issue with it. Other AVs should not have an issue with it either, because in all fairness, a lot of AV products completely disable MD ;).

Yes, I agree, more malware is probably created with Visual Studio, but what I meant was proportionally there is a lot more AutoIT malware than Visual Studio, simply because script kiddies love to use AutoIT to create malware, so it is certainly a red flag for engines and researchers when an app is coded in AutoIT. Whereas Visual Studio has a greater proportion of clean apps compared to malware. It is not AutoIT's fault by any means, it is simply the reality.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
> I am simply suggesting that there is a high probability that CD would have never been flagged in the first place if the issues I mentioned did not exist.
Your suggestions make sense only for files that are not whitelisted by Microsoft. For these reasons, before whitelisting, ConfigureDefender executables are often recognized as malicious (false positive). That is why I do not publish applications before whitelisting by Microsoft. Another reason for whitelisting is the ASR prevalence rule that would block non-whitelisted executables.

Edit.
The examples noted in my posts were exceptional (2 events over several years), so if you will be lucky they may not happen to you. The second example is not related directly to ConfigureDefender, but to PowerShell - the same behavior was visible when the command lines were executed from the PowerShell console.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
> ...
> Either way, it does not look like we are going to have an issue. All 3 of the executables (Installer, DefenderUI, DefenderUIService) have been cleared by SmartScreen since the beginning, and there is only one false positive on VirusTotal.
As you could see from my second example it can happen anyway, because the execution of the application is not blocked, but only some of its actions. SmartScreen and VirusTotal detections are irrelevant in such a case.

> I really am making the code as clean and tight as possible, and doing my absolute best to play by the rules.
> And actually, users will be more secure when running DefenderUI because it is going to monitor Microsoft Defender to make sure it is not disabled, so I do not think MS will have an issue with it. Other AVs should not have an issue with it either, because in all fairness, a lot of AV products completely disable MD ;).
Yes, probably. A properly made DUI is a good idea in the hands of a good developer. (y)
You must add a feature to not activate Defender when the user has installed a 3rd-party AV.
 
Last edited:
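Added example, not DefenderUI's or ConfigureDefender's code: a PowerShell audit of the Defender switches in danb's feature list (real-time protection, cloud-delivered protection, controlled folder access, signature update interval, firewall profiles) together with the check Andy Ful asks for above, so that a "reactivate" step is skipped when a third-party AV owns real-time protection. It assumes Windows 10/11 with the Defender PowerShell module and is run from an elevated prompt.

```powershell
# Added example (not DefenderUI or ConfigureDefender code). Assumes Windows 10/11
# with the Defender module (Get-MpComputerStatus / Get-MpPreference); run elevated.
#Requires -RunAsAdministrator

function Get-ThirdPartyAntivirus {
    # Security Center lists every registered AV, including Defender itself, so
    # drop Defender to see whether another engine owns real-time protection.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notmatch 'Windows Defender|Microsoft Defender' }
}

function Get-DefenderAudit {
    $status     = Get-MpComputerStatus
    $pref       = Get-MpPreference
    $thirdParty = @(Get-ThirdPartyAntivirus)

    [pscustomobject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        CloudDelivered         = ($pref.MAPSReporting -ne 0)          # 0 = off, 1 = basic, 2 = advanced
        ControlledFolderAccess = ($pref.EnableControlledFolderAccess -eq 1)  # 2 = audit mode only
        SignatureUpdateHours   = $pref.SignatureUpdateInterval          # hours between checks (0 = not set)
        TamperProtection       = $status.IsTamperProtected
        RunningMode            = $status.AMRunningMode                  # "Normal", "Passive Mode", ...
        ThirdPartyAV           = (@($thirdParty | ForEach-Object displayName) -join ', ')
        FirewallProfilesOff    = (@(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
                                    ForEach-Object Name) -join ', ')
    }
}

function Test-ShouldReactivate {
    param([Parameter(Mandatory)] $Audit)
    # Only re-enable real-time protection when Defender is the active engine:
    # with another AV registered, Defender sits in passive mode by design and
    # switching it back on would make the two products fight over the same files.
    if ($Audit.ThirdPartyAV) { return $false }
    if ($Audit.RunningMode -ne 'Normal') { return $false }
    return (-not $Audit.RealTimeProtection)
}

$audit = Get-DefenderAudit
$audit | Format-List
if (Test-ShouldReactivate $audit) {
    # With Tamper Protection on, this call is rejected; that is the
    # "play by MS's rules" constraint discussed in the thread.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Write-Host 'Real-time protection was off and has been re-enabled.'
}
```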
