New Update DefenderUI by VoodooShield - Turn on Hidden Security Features of Microsoft Defender

Jan Willy

Jan Willy

Level 13
Verified
Top Poster
Well-known
Jul 5, 2019
605
Divine_Barakah said:
Same here. Tamper Protection is there for a reason. Now as @cruelsister mentioned, there is malware that specifically targets MD.
Click to expand...
If I understood cruelsister's video from December 26 well, it's possible that malware makes an exclusion in MS Defender behind your back. So in this case Tamper Protection doesn't offer protection. Nevertheless disabling TP feels like removing all door locks.
 
  • Like
Reactions: Jonny Quest, Nevi, danb and 2 others
Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Jan Willy said:
If I understood cruelsister's video from December 26 well, it's possible that malware makes an exclusion in MS Defender behind your back. So in this case Tamper Protection doesn't offer protection. Nevertheless disabling TP feels like removing all door locks.
Click to expand...
I was not talking about a specific sample. If malware targets MD, then malware authors will always know what to look for. One should never under any circumstances disable tamper protection no matter what the benefits are if there is any.
 
  • Like
Reactions: Nevi, danb and Jan Willy
Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
danb said:
I apologize, I should have been more clear.

You only need to disable Tamper Protection in DefenderUI if you want to use the following features. Disabling Tamper Protection is not a DefenderUI requirement, it is a Microsoft requirement, and applies to ALL software that manages, controls or configures Microsoft Defender.

Real-time Protection
Behavior Monitoring
Scan all downloaded files and attachments
Script scanning
Threat Default Actions.

Otherwise, you can leave Tamper Protection enabled.
Click to expand...
Users would be protected better with MD and Voodooshield if they like to. They should not disable tamper protection. If they feel MD is not enough, they should complement it with other layers or migrate to another 3rd party.

Now what happens if MD was turned off by some malware, would the other feature of Defender UI fill the gap?
 
  • Like
Reactions: Nevi, danb and Jan Willy
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,249
I have more or less same issue with VoodooShield (and DefenderUI Pro) on my laptop with Windows 11 22H2.
Almost everything has a slight delay.
Mailed the developer log log to @danb but he couldn't find anything wrong.
Hope that as more users report this issue @danb can find and resolve this annoying problem.
 
Last edited:
  • Like
Reactions: Nevi, simmerskool and danb
danb

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Thank you guys for letting me know! Is there an older version of VS or DefenderUI Pro that does not have this issue? If so, I can compare the old code to the new code and it will be a super quick and easy fix. I think @Gandalf_The_Grey ran VS for a long time without any issues, so it must be a recent change in the code that caused this issue. So if possible, if you can install the last version of VS or DefenderUI you know was working and let me know which version it is, we will have a fix very quickly. BTW, I will probably need to send you a modified version of the old version you were using because it probably expired today. Just email me at support at voodooshield.com and I will send you a version you can test.

The only other thing that might be causing this is when I downgraded our SQL server 3 or so weeks ago. The SQL Server we were using was extreme overkill, so I downgraded it to a more appropriate level. I do not think this would cause this issue, but I can certainly upgrade it to the previous level to test. Thanks again!
 
  • Like
  • +Reputation
Reactions: Nevi, simmerskool, plat and 2 others
danb

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
BTW, it appears this issue started with 22H2. I am not able to reproduce the bug on my system, but if anyone is able to create a short video screenshot of the slowdown and send it to me (support at voodooshield.com), it will probably give me some really great clues on where the issue might be. Thanks again!
 
  • Like
Reactions: Nevi, simmerskool, plat and 1 other person
danb

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Does DefenderUI disable Smart App Control?

www.wilderssecurity.com

DefenderUI

Not correct, the only thing you can't configure with tamper protection on are the threat default actions. Are you active on MalwareTips? Perhaps you...
www.wilderssecurity.com www.wilderssecurity.com

Ummmm, NOPE!!! I did a quick reboot at the end to make sure.



I tested Smart App Control against a lot of safe and malicious files, and I have to say some of the results surprised me, and it would be great if @Shadowra would take it for a test drive. One of the most perplexing files was a file I complied in Visual Studio that contained only safe code (it was a test sample of our new digital signature code), but it was only a couple of minutes old and SAC did not block it. I cannot be too hard on SAC, because it did render the correct verdict afterall, but any product that follows true zero-trust principles would have blocked that file, even if it did not originate from the web. So I am thinking that SAC is more of a refined version of smart screen / MOTW, and less a true zero-trust solution. SAC is very young and I need to play around with it more to really figure it out, but I will say that I was surprised by several of the verdicts. I was even a little surprised it let me install DefenderUI, although DefenderUI is up to 15,000 downloads a day now, so maybe that is not too surprising.

Also, the 22H2 bug that 2 users have reported is not related to DefenderUI, it is only related to the Pro version of DefenderUI.

And just in case anyone missed this ;)... DefenderUI
 
  • Like
  • Thanks
  • +Reputation
Reactions: Nevi, plat, simmerskool and 2 others
Morro

Morro

Level 18
Verified
Top Poster
Well-known
Jul 8, 2012
895
Now just to see the difference between DefenderUI and CD, I installed DefenderUI this evening. I picked Recommended settings but I also activated so to speak "Controlled Folder Access" and the "File Hash Computation" settings. Now I have a question about the Controlled Folder Access part. Like in CD I have set it to Audit for a while just incase there is still something left to add to the whitelist. BUT... when I set the audit function in DefenderUI, Controlled Folder Access seems to get deactivated in the Windows 11 settings itself? Even though inside the DefenderUI the Controlled Folder Access is still in the on position?

Does this mean that CFA is still working, despite it being deactivated in the Windows 11 settings? ( I believe CD Keeps it active in the Windows 11 settings when set to audit. )
 
  • Like
Reactions: Nevi, plat, danb and 1 other person
danb

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Morro said:
Now just to see the difference between DefenderUI and CD, I installed DefenderUI this evening. I picked Recommended settings but I also activated so to speak "Controlled Folder Access" and the "File Hash Computation" settings. Now I have a question about the Controlled Folder Access part. Like in CD I have set it to Audit for a while just incase there is still something left to add to the whitelist. BUT... when I set the audit function in DefenderUI, Controlled Folder Access seems to get deactivated in the Windows 11 settings itself? Even though inside the DefenderUI the Controlled Folder Access is still in the on position?

Does this mean that CFA is still working, despite it being deactivated in the Windows 11 settings? ( I believe CD Keeps it active in the Windows 11 settings when set to audit. )
Click to expand...
Thank you for looking into this! I tested on Windows 10 and 11, and DefenderUI 1.10 seems to be working properly on both.

You can test this with powershell using the command "Set-MpPreference -EnableControlledFolderAccess 2"

Where the "2" at the end corresponds to the value references (0-4) in this link...

Configure Controlled folder access

Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to: - Modify or delete files in protected folders, such as the Documents folder - Write to disk sectors
admx.help

BTW, that link is a pretty cool reference guide for anyone who is interested. It was my main guide when building DefenderUI and it made everything go a lot quicker.

So basically, when CFA is in Audit mode, the toggle button should be off. But please keep in mind, you might need to refresh Microsoft Defender to ensure it is reading the current setting after changing it in DefenderUI. I tried to make DefenderUI refresh automatically as much as possible after adjusting the settings in MD, but sometimes you might even need to refresh DefenderUI by clicking on one of the tabs at the top (Home, Basic, Advance, ASR, DefenderGuard), just to make sure it is reading the current setting as well. Thanks again!
 
  • Like
  • +Reputation
Reactions: Nevi, oldschool, plat and 5 others
Morro

Morro

Level 18
Verified
Top Poster
Well-known
Jul 8, 2012
895
danb said:
Thank you for looking into this! I tested on Windows 10 and 11, and DefenderUI 1.10 seems to be working properly on both.

You can test this with powershell using the command "Set-MpPreference -EnableControlledFolderAccess 2"

Where the "2" at the end corresponds to the value references (0-4) in this link...

Configure Controlled folder access

Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to: - Modify or delete files in protected folders, such as the Documents folder - Write to disk sectors
admx.help

BTW, that link is a pretty cool reference guide for anyone who is interested. It was my main guide when building DefenderUI and it made everything go a lot quicker.

So basically, when CFA is in Audit mode, the toggle button should be off. But please keep in mind, you might need to refresh Microsoft Defender to ensure it is reading the current setting after changing it in DefenderUI. I tried to make DefenderUI refresh automatically as much as possible after adjusting the settings in MD, but sometimes you might even need to refresh DefenderUI by clicking on one of the tabs at the top (Home, Basic, Advance, ASR, DefenderGuard), just to make sure it is reading the current setting as well. Thanks again!
Click to expand...

Thank you for the help and explanation. :)
 
  • Like
Reactions: Nevi, simmerskool and Gandalf_The_Grey
damien76

damien76

New Member
Jan 3, 2023
2
Hi,

I have not reinstalled VS since last year. I have lifetime license and I want to ask if there has members that used it with OSA free version and Comodo firewall?

I had some blue screen issues with VS last year on Win 10 and when I uninstalled it the bsdo was gone thus what happened.

I like to use VS again but am confused now especially it seems new...I am using Win 11 21H2 now and plan to pair it with Avast Free + Comodo firewall + OSA free. Any tips?
 
Andrew3000

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
537
danb said:
Does DefenderUI disable Smart App Control?

www.wilderssecurity.com

DefenderUI

Not correct, the only thing you can't configure with tamper protection on are the threat default actions. Are you active on MalwareTips? Perhaps you...
www.wilderssecurity.com www.wilderssecurity.com

Ummmm, NOPE!!! I did a quick reboot at the end to make sure.



I tested Smart App Control against a lot of safe and malicious files, and I have to say some of the results surprised me, and it would be great if @Shadowra would take it for a test drive. One of the most perplexing files was a file I complied in Visual Studio that contained only safe code (it was a test sample of our new digital signature code), but it was only a couple of minutes old and SAC did not block it. I cannot be too hard on SAC, because it did render the correct verdict afterall, but any product that follows true zero-trust principles would have blocked that file, even if it did not originate from the web. So I am thinking that SAC is more of a refined version of smart screen / MOTW, and less a true zero-trust solution. SAC is very young and I need to play around with it more to really figure it out, but I will say that I was surprised by several of the verdicts. I was even a little surprised it let me install DefenderUI, although DefenderUI is up to 15,000 downloads a day now, so maybe that is not too surprising.

Also, the 22H2 bug that 2 users have reported is not related to DefenderUI, it is only related to the Pro version of DefenderUI.

And just in case anyone missed this ;)... DefenderUI
Click to expand...

The problem with SAC is that once it is disabled, it cannot be re-enabled except with a clean Windows installation (There seems to be no method to bypass this). At least it is a start by Microsoft of moving toward Zero Trust
 
  • Like
  • +Reputation
Reactions: Nevi, oldschool, Tume and 5 others

Similar threads

Shadowra
    • Like
    • Thanks
    • +Reputation
App Review Microsoft Defender Antivirus feat DefenderUI (Interactive Mode)
Replies
11
Views
2,878
Video Reviews - Security and Privacy
Shadowra
Shadowra
silversurfer
    • Like
    • Thanks
Opera GX is now available on the Microsoft Store
Replies
0
Views
1,286
Opera
silversurfer
silversurfer
fdsearchandrescue
  • Locked
malware problem out of control Its fast 10G of new data less then an hr
Replies
1
Views
2,526
Windows Malware Removal Help & Support
Ink
I

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top