Hard_Configurator - Windows Hardening Configurator

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Thank to you both for the info, South Park and Andy.

Glaswire whitelists the realy realy important windows parts as default and I didn't try to block them :D
(c:\programdata\microsoft\windows defender\platform\4.18.2001.10-0\msmpeng.exe whitelisted per default).

Atm only MS stuff on blocklist: Device Census, Speech Runtime, Windows Error Reporting and Compatibility Telemetry. Nothing should have anything to do with MS Defender, or?

For my different version number: Could it be because I deffered "feature updates"? [Not talking about pausing updates just delaying "feature" updates] Are new versions of the Windows Defender feature or security updates?

Did I understand the site: Cloud-delivered protection - Windows Defender Testground correct that when I try to download the file with e.g. Firefox and save it on my desktop I should get a virus warning (for the testfile)? So just for the download without executing?

As far as I remember I haven't tweak much of win it was just Glaswire, O&O Shutup 10 and H_C.
 
F

ForgottenSeer 85179

You better don't block windows internal features until you know what they're for. For example it doesn't make sense to block error reporting.
Tools like o&o disable such useful features because they don't know what they do / provide false sense of privacy to the enduser which only mark all check boxes and voila, broken windows.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
So I put O&O on factory reset, rebooted and searched for updates again. MS Defender still on 4.18.2001.10-0 (Glaswire was on "allow all till I block it mode"). Now time will tell if the H_C Firewall logs will have WD problems again :D
You inspired me to turn on the firewall logs and look at them. I don't have any recommended H_C firewall rules enabled at all. I have only one custom rule that I made, to block a certain program from calling home.
And I have no third-party security or privacy software running on this VM.
But I still see blocks of Windows processes. Here's some:

Local Time: 2020/03/18 12:31:51
ProcessId: 6752
Application: C:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 49691
DestAddress: 13.107.4.254
DestPort: 443
Protocol: 6
FilterRTID: 90752
LayerName: %%14611
LayerRTID: 48

Local Time: 2020/03/18 12:31:51
ProcessId: 3360
Application: C:\program files\windowsapps\microsoft.windowsstore_12003.1001.1.0_x64__8wekyb3d8bbwe\winstore.app.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 49756
DestAddress: 92.123.37.54
DestPort: 443
Protocol: 6
FilterRTID: 90752
LayerName: %%14611
LayerRTID: 48

Local Time: 2020/03/18 11:38:32
ProcessId: 3408
Application: C:\windows\system32\svchost.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 50121
DestAddress: 93.184.220.29
DestPort: 80
Protocol: 6
FilterRTID: 89222
LayerName: %%14611
LayerRTID: 48
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
...
Did I understand the site: Cloud-delivered protection - Windows Defender Testground correct that when I try to download the file with e.g. Firefox and save it on my desktop I should get a virus warning (for the testfile)? So just for the download without executing?
...
This test works only for Edge and Chrome. But, if you will execute the file you should see the red alert:
SmartScreen.png

You inspired me to turn on the firewall logs and look at them. I don't have any recommended H_C firewall rules enabled at all. I have only one custom rule that I made, to block a certain program from calling home.
And I have no third-party security or privacy software running on this VM.
But I still see blocks of Windows processes. Here's some:

Local Time: 2020/03/18 12:31:51
ProcessId: 6752
Application: C:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 49691
DestAddress: 13.107.4.254
DestPort: 443
Protocol: 6
FilterRTID: 90752
LayerName: %%14611
LayerRTID: 48

Local Time: 2020/03/18 12:31:51
ProcessId: 3360
Application: C:\program files\windowsapps\microsoft.windowsstore_12003.1001.1.0_x64__8wekyb3d8bbwe\winstore.app.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 49756
DestAddress: 92.123.37.54
DestPort: 443
Protocol: 6
FilterRTID: 90752
LayerName: %%14611
LayerRTID: 48

Local Time: 2020/03/18 11:38:32
ProcessId: 3408
Application: C:\windows\system32\svchost.exe
Direction: Outbound
SourceAddress: 192.168.100.6
SourcePort: 50121
DestAddress: 93.184.220.29
DestPort: 80
Protocol: 6
FilterRTID: 89222
LayerName: %%14611
LayerRTID: 48
These are probably related to your privacy Windows settings.

So I put O&O on factory reset, rebooted and searched for updates again. MS Defender still on 4.18.2001.10-0 (Glaswire was on "allow all till I block it mode"). Now time will tell if the H_C Firewall logs will have WD problems again :D
Glasswire default settings can also block some Defender telemetry.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598

plat

Level 29
Top Poster
Sep 13, 2018
1,793
A general question: if you're running an Insiders build, you must have Full Telemetry enabled. Would Hard_Configurator or any component of it (as Firewall Hardening) have any issues with this?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
A general question: if you're running an Insiders build, you must have Full Telemetry enabled. Would Hard_Configurator or any component of it (as Firewall Hardening) have any issues with this?
No, but the full telemetry is required for WD to upload very suspicious files to the cloud backend.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
There are more of them. But, I have restricted Windows privacy settings and do not have any of your entries except svchost.exe . What Windows version do you have in VM?
Lockdown used to say that if you worry about every error recorded in the Windows Event logs, you will make yourself crazy. If you don't experience an actual problem, forget about all those errors and failures.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
I really wanted to say thanks all for the kind and friendly answers :)
Edge blocked the download from the test site like it is said in the description. As a none native I sometimes understand stuff exactly the opposite way it is meant :D
Anybody know if the Windows Defender version is a "feature update" or a "security update" since Andy Ful got a newer number then mine (and I'm delaying "feature updates").
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Lockdown used to say that if you worry about every error recorded in the Windows Event logs, you will make yourself crazy. If you don't experience an actual problem, forget about all those errors and failures.
It is generally true, but not in the case of WD AMService.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
...
Anybody know if the Windows Defender version is a "feature update" or a "security update" since Andy Ful got a newer number then mine (and I'm delaying "feature updates").
WD platform updates are under Definition Updates (in the History of updates). Look at the entries with the word "platform".
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Wait so just wanted to confirm WD won't send all suspicous files unless set to full? I thought there used to be a thing that said that device security and health wouldn't be effected?

View attachment 235047
I had in mind another setting (Automatic sample submission) :
windows_defender_1.png
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Something wrong can be with your WD updates - on my computer the msmpeng.exe is in
C:\programdata\microsoft\windows defender\platform\4.18.2003.6-0
folder (4.18.2003.6-0 is a version of the file and WD Anti Malware service).
Are you on the insider channel or so by chance?
I tried to find info on MS Defender versions on the internet and from what I found 4.18.2001.x seems to be ok (doc is dated 03/04/2020).
And I'm on c:\programdata\microsoft\windows defender\platform\4.18.2001.10-0\msmpeng.exe

I just wanted to know if got a real engine platform/client problem since WD is my main av with H_C :D
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Are you on the insider channel or so by chance?
I tried to find info on MS Defender versions on the internet and from what I found 4.18.2001.x seems to be ok (doc is dated 03/04/2020).
And I'm on c:\programdata\microsoft\windows defender\platform\4.18.2001.10-0\msmpeng.exe

I just wanted to know if got a real engine platform/client problem since WD is my main av with H_C :D
I have two folders in there:
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2003.5-0
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2003.6-0

I am on Windows 10 version 1909
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top