Hard_Configurator - Windows Hardening Configurator

[Freki123]

Thank to you both for the info, South Park and Andy.

Glaswire whitelists the realy realy important windows parts as default and I didn't try to block them
(c:\programdata\microsoft\windows defender\platform\4.18.2001.10-0\msmpeng.exe whitelisted per default).

Atm only MS stuff on blocklist: Device Census, Speech Runtime, Windows Error Reporting and Compatibility Telemetry. Nothing should have anything to do with MS Defender, or?

For my different version number: Could it be because I deffered "feature updates"? [Not talking about pausing updates just delaying "feature" updates] Are new versions of the Windows Defender feature or security updates?

Did I understand the site: Cloud-delivered protection - Windows Defender Testground correct that when I try to download the file with e.g. Firefox and save it on my desktop I should get a virus warning (for the testfile)? So just for the download without executing?

As far as I remember I haven't tweak much of win it was just Glaswire, O&O Shutup 10 and H_C.

 

[ForgottenSeer 85179]

You better don't block windows internal features until you know what they're for. For example it doesn't make sense to block error reporting.
Tools like o&o disable such useful features because they don't know what they do / provide false sense of privacy to the enduser which only mark all check boxes and voila, broken windows.

 

[oldschool]

@Freki123 - @security123 is correct. You should undo your O & O settings, check Windows Update and finally test WD again. Only after solving your issue should you consider using O & O again, and exercise caution even then.

 

[Freki123]

So I put O&O on factory reset, rebooted and searched for updates again. MS Defender still on 4.18.2001.10-0 (Glaswire was on "allow all till I block it mode"). Now time will tell if the H_C Firewall logs will have WD problems again

 

[shmu26]

So I put O&O on factory reset, rebooted and searched for updates again. MS Defender still on 4.18.2001.10-0 (Glaswire was on "allow all till I block it mode"). Now time will tell if the H_C Firewall logs will have WD problems again

You inspired me to turn on the firewall logs and look at them. I don't have any recommended H_C firewall rules enabled at all. I have only one custom rule that I made, to block a certain program from calling home.
And I have no third-party security or privacy software running on this VM.
But I still see blocks of Windows processes. Here's some:

Local Time: 2020/03/18 12:31:51
ProcessId: 6752
Application: C:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 49691
DestAddress: 13.107.4.254
DestPort: 443
Protocol: 6
FilterRTID: 90752
LayerName: %%14611
LayerRTID: 48

Local Time: 2020/03/18 12:31:51
ProcessId: 3360
Application: C:\program files\windowsapps\microsoft.windowsstore_12003.1001.1.0_x64__8wekyb3d8bbwe\winstore.app.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 49756
DestAddress: 92.123.37.54
DestPort: 443
Protocol: 6
FilterRTID: 90752
LayerName: %%14611
LayerRTID: 48

Local Time: 2020/03/18 11:38:32
ProcessId: 3408
Application: C:\windows\system32\svchost.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 50121
DestAddress: 93.184.220.29
DestPort: 80
Protocol: 6
FilterRTID: 89222
LayerName: %%14611
LayerRTID: 48

 

[Andy Ful]

...
Did I understand the site: Cloud-delivered protection - Windows Defender Testground correct that when I try to download the file with e.g. Firefox and save it on my desktop I should get a virus warning (for the testfile)? So just for the download without executing?
...

This test works only for Edge and Chrome. But, if you will execute the file you should see the red alert:

You inspired me to turn on the firewall logs and look at them. I don't have any recommended H_C firewall rules enabled at all. I have only one custom rule that I made, to block a certain program from calling home.
And I have no third-party security or privacy software running on this VM.
But I still see blocks of Windows processes. Here's some:

Local Time: 2020/03/18 12:31:51
ProcessId: 6752
Application: C:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 49691
DestAddress: 13.107.4.254
DestPort: 443
Protocol: 6
FilterRTID: 90752
LayerName: %%14611
LayerRTID: 48

Local Time: 2020/03/18 12:31:51
ProcessId: 3360
Application: C:\program files\windowsapps\microsoft.windowsstore_12003.1001.1.0_x64__8wekyb3d8bbwe\winstore.app.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 49756
DestAddress: 92.123.37.54
DestPort: 443
Protocol: 6
FilterRTID: 90752
LayerName: %%14611
LayerRTID: 48

Local Time: 2020/03/18 11:38:32
ProcessId: 3408
Application: C:\windows\system32\svchost.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 50121
DestAddress: 93.184.220.29
DestPort: 80
Protocol: 6
FilterRTID: 89222
LayerName: %%14611
LayerRTID: 48

These are probably related to your privacy Windows settings.

So I put O&O on factory reset, rebooted and searched for updates again. MS Defender still on 4.18.2001.10-0 (Glaswire was on "allow all till I block it mode"). Now time will tell if the H_C Firewall logs will have WD problems again

Glasswire default settings can also block some Defender telemetry.

 

[shmu26]

These are probably related to your privacy Windows settings.

I don't have much privacy, see screenshot

 

[Andy Ful]

I don't have much privacy, see screenshot

View attachment 235044

View attachment 235045

There are more of them. But, I have restricted Windows privacy settings and do not have any of your entries except svchost.exe . What Windows version do you have in VM?

 

[plat]

A general question: if you're running an Insiders build, you must have Full Telemetry enabled. Would Hard_Configurator or any component of it (as Firewall Hardening) have any issues with this?

 

[Andy Ful]

A general question: if you're running an Insiders build, you must have Full Telemetry enabled. Would Hard_Configurator or any component of it (as Firewall Hardening) have any issues with this?

No, but the full telemetry is required for WD to upload very suspicious files to the cloud backend.

 

[shmu26]

There are more of them. But, I have restricted Windows privacy settings and do not have any of your entries except svchost.exe . What Windows version do you have in VM?

Lockdown used to say that if you worry about every error recorded in the Windows Event logs, you will make yourself crazy. If you don't experience an actual problem, forget about all those errors and failures.

 

[Freki123]

I really wanted to say thanks all for the kind and friendly answers
Edge blocked the download from the test site like it is said in the description. As a none native I sometimes understand stuff exactly the opposite way it is meant
Anybody know if the Windows Defender version is a "feature update" or a "security update" since Andy Ful got a newer number then mine (and I'm delaying "feature updates").

 

[Andy Ful]

Lockdown used to say that if you worry about every error recorded in the Windows Event logs, you will make yourself crazy. If you don't experience an actual problem, forget about all those errors and failures.

It is generally true, but not in the case of WD AMService.

 

[DJ Panda]

No, but the full telemetry is required for WD to upload very suspicious files to the cloud backend.

Wait so just wanted to confirm WD won't send all suspicous files unless set to full? I thought there used to be a thing that said that device security and health wouldn't be effected?

 

[Andy Ful]

...
Anybody know if the Windows Defender version is a "feature update" or a "security update" since Andy Ful got a newer number then mine (and I'm delaying "feature updates").

WD platform updates are under Definition Updates (in the History of updates). Look at the entries with the word "platform".

 

[Andy Ful]

Wait so just wanted to confirm WD won't send all suspicous files unless set to full? I thought there used to be a thing that said that device security and health wouldn't be effected?

View attachment 235047

I had in mind another setting (Automatic sample submission) :

 

[Freki123]

Something wrong can be with your WD updates - on my computer the msmpeng.exe is in
C:\programdata\microsoft\windows defender\platform\4.18.2003.6-0
folder (4.18.2003.6-0 is a version of the file and WD Anti Malware service).

Are you on the insider channel or so by chance?
I tried to find info on MS Defender versions on the internet and from what I found 4.18.2001.x seems to be ok (doc is dated 03/04/2020).

Microsoft Defender Antivirus security intelligence and product updates - Microsoft Defender for Endpoint

Manage how Microsoft Defender Antivirus receives protection and product updates.

docs.microsoft.com

And I'm on c:\programdata\microsoft\windows defender\platform\4.18.2001.10-0\msmpeng.exe

I just wanted to know if got a real engine platform/client problem since WD is my main av with H_C

 

[shmu26]

Are you on the insider channel or so by chance?
I tried to find info on MS Defender versions on the internet and from what I found 4.18.2001.x seems to be ok (doc is dated 03/04/2020).

Microsoft Defender Antivirus security intelligence and product updates - Microsoft Defender for Endpoint

Manage how Microsoft Defender Antivirus receives protection and product updates.

docs.microsoft.com

And I'm on c:\programdata\microsoft\windows defender\platform\4.18.2001.10-0\msmpeng.exe

I just wanted to know if got a real engine platform/client problem since WD is my main av with H_C

I have two folders in there:
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2003.5-0
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2003.6-0

I am on Windows 10 version 1909

 

[Freki123]

1909 here also, OS build 18363.720

 

[shmu26]

1909 here also, OS build 18363.720

We have exactly the same build. It indeed looks like Windows Defender is not updating properly on your system.