Hard_Configurator - Windows Hardening Configurator

Freki123


shmu26

It seems like I'm not completely alone in this.
Like posts 11 and 15 (it's about them having the same version as I do, not about the problems the thread was about :D)
I hope it's not too off-topic, but since WD is a main part of H_C I hope it's ok?
That's an interesting thread. It sounds like the exact WD version that is delivered is not the same for all users. It's a staggered rollout or something like that.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Are you on the insider channel or so by chance?
I tried to find info on MS Defender versions on the internet and from what I found 4.18.2001.x seems to be ok (doc is dated 03/04/2020).
And I'm on c:\programdata\microsoft\windows defender\platform\4.18.2001.10-0\msmpeng.exe

I just wanted to know if I got a real engine platform/client problem since WD is my main AV with H_C :D
It is from my real system on Windows 10 Pro 64-bit ver. 1909:
WDInfo.png
 


Andy Ful

I have:

c:\programdata\microsoft\windows defender\platform\4.18.2001.10-0\msmpeng.exe

on 1903, build 18362.657

Windows Updates paused, but I update WD signatures manually each day.
There are several kinds of WD updates. I have only a few WD platform updates from December 2020. Most of them are under the 'Definition Updates' tab in the History of Windows Updates (4.18.2001.7, 4.18.2003.4, 4.18.2003.5, 4.18.2003.6). But, the WD platform update 4.18.2001.10 is among 'Quality Updates' (February 2020) on my computer (Windows 10 ver. 1909 64-bit).
 

SeriousHoax

I'm on this older 4.18.2001.10 version as well.
On Microsoft's official site still this is the final version.
Microsoft will release another version soon fixing the bug mentioned in the techforum link above. This happened last month too, when I received an update which supposedly had a bug; then Microsoft stopped the rollout and a few days later released a new bug-free update.
 

shmu26

Just got updated today to Platform\4.18.2003.6-0. So either staggered rollout or I was one of the slower moving guinea pigs for MS :D
I am sure you already got this one right, but in advanced Update settings, at the bottom, there is a poorly labeled option called "Choose when updates are installed." It allows you to defer for a certain number of days or weeks or months. If you choose to defer, Windows updater will not even identify available updates, even if you click on "check for updates".
 

shmu26

@shmu26 Thanks for the info. I started using it after I found out that it just delays "feature" updates (which I couldn't care less about) while still getting the needed "security" updates.
I unwisely deferred also "quality" updates, which include security updates, and it took me a while to figure out what was going wrong...
 

Freki123

@Andy Ful Is there a way to exclude only one exe/service from "credential stealing lsass.exe" protection?
I don't want to exclude it from all protection via "Manage ASR Exclusions". Tried whitelisting by hash as a test, didn't work.

e.g: User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\lsass.exe
Process Name: C:\Program Files\Macrium\Common\MacriumService.exe

I can run Max settings and the log is really quiet, with only one exception: Macrium.
So I don't want to disable the whole lsass.exe protection because one file is annoying. Is it possible?
I know I could just turn it to "high" settings or disable "lsass.exe" protection but I prefer to know if there is a choice to make it work since I'm curious :)
 

Andy Ful

@Andy Ful Is there a way to exclude only one exe/service from "credential stealing lsass.exe" protection?
I don't want to exclude it from all protection via "Manage ASR Exclusions". Tried whitelisting by hash as a test, didn't work.

e.g: User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\lsass.exe
Process Name: C:\Program Files\Macrium\Common\MacriumService.exe

I can run Max settings and the log is really quiet, with only one exception: Macrium.
So I don't want to disable the whole lsass.exe protection because one file is annoying. Is it possible?
I know I could just turn it to "high" settings or disable "lsass.exe" protection but I prefer to know if there is a choice to make it work since I'm curious :)
Hard_Configurator is integrated with two external configurators (two violet buttons in H_C): ConfigureDefender and FirewallHardening. Whitelisting is related only to SRP blocks.
If something is not blocked by SRP but by Windows Defender, then you have to use ConfigureDefender Exclusions. If the outbound connection is blocked by a FirewallHardening rule, then you have to use the FirewallHardening tool to unblock it. Some outbound connections can also be blocked by direct rules in Windows Firewall or another application (not by the FirewallHardening tool); if so, then you have to use them to unblock the connection.

MS claims that it is possible to add exclusions for LSASS ASR rule. You should add the path:
C:\Program Files\Macrium\Common\MacriumService.exe
to ASR Exclusions in ConfigureDefender.
 

Freki123

MS claims that it is possible to add exclusions for LSASS ASR rule. You should add the path:
C:\Program Files\Macrium\Common\MacriumService.exe
to ASR Exclusions in ConfigureDefender.
The block was labeled as: Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
When using the ASR Exclusion, would it "disable/ignore" then all the other 15 options that Exploit Guard offers? Starting from "Block executable content from email" till "Block persistence through WMI" (since it's excluded then). Yes or no?
I would think yes, and that's why I wanted to be sure.
 

Andy Ful

The block was labeled as: Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
When using the ASR Exclusion, would it "disable/ignore" then all the other 15 options that Exploit Guard offers? Starting from "Block executable content from email" till "Block persistence through WMI" (since it's excluded then). Yes or no?
I would think yes, and that's why I wanted to be sure.
Yes and No.
Adding the file path exclusion for one ASR rule = Adding it for all ASR rules that allow exclusions.
There are three ASR rules that do not allow exclusions (two for WMI and one for scripts). In ConfigureDefender they have "****" at the beginning.
 
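An added example (not from the thread, ConfigureDefender or Hard_Configurator) that puts the two answers above into practice with the built-in Defender cmdlets: it reports the running platform/engine version discussed earlier in the thread, pulls the recent ASR block events so you can see which rule hit MacriumService.exe, lists each configured ASR rule with its action, and adds the path as an ASR-only exclusion. The Macrium path is the one quoted in the thread; the lsass rule GUID is Microsoft's documented ID for that rule; everything else is assumed to run in an elevated PowerShell on a machine where Defender is the active AV.

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell.
# Assumed: Defender is the active AV; the Macrium path is the one quoted in the thread.

# 1. Which platform/engine/signature versions are actually running (the "4.18.xxxx.y" value).
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion

# 2. Recent ASR hits from the Defender operational log. Event ID 1121 = a rule blocked
#    something in block mode; 1122 = the rule would have blocked it (audit mode).
#    The rule GUID and the offending process path are both inside the message text.
$asrEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue
$asrEvents |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# 3. Current ASR configuration: each rule GUID with its action (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
$pref      = Get-MpPreference
$lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # documented ID of the lsass credential-theft rule
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = $pref.AttackSurfaceReductionRules_Actions[$i]
    $tag    = if ($id -ieq $lsassRule) { ' <- lsass rule' } else { '' }
    '{0}  action={1}{2}' -f $id, $action, $tag
}

# 4. Exclude only this binary from ASR, not from AV scanning. As the thread explains,
#    an ASR exclusion is honoured by every rule that supports exclusions, not just the
#    lsass rule, so only add a path whose binary you trust (here a signed backup service).
$macrium = 'C:\Program Files\Macrium\Common\MacriumService.exe'
if (Test-Path $macrium) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $macrium
    (Get-MpPreference).AttackSurfaceReductionOnlyExclusions   # confirm the entry landed
}
```

Re-run step 2 after a Macrium backup to confirm no new 1121 events name MacriumService.exe, while the lsass rule itself stays in block mode for every other process.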
