Advice Request Microsoft Defender Recommended settings

Please provide comments and solutions that are helpful to the author of this topic.
DDE_Server

DDE_Server

Level 23
Thread author
Verified
Top Poster
Well-known
Forum Veteran
Sep 5, 2017
1,248
6,571
2,169
Egypt
Hello everybody.
i wish you are in a good health
i want to know if we have some guide here to fine tune windows defender setting for best performance and protection possible.
i want to depend only in it as AV solution beside Ad guard desktop which has good web protection to have complete AV security package which has most of premium security features. Also i want to make use of ransomware protection provided with windows defender beside solve the slow computer performance when opening folders has a lot of exe files thanks in advance
 
  • Like
Reactions: xcentricit, Venustus, Nevi and 7 others
I would suggest starting with ConfigureDefender, GitHub - AndyFul/ConfigureDefender: Utility for configuring Windows 10 built-in Defender antivirus settings.

The recommended settings are definitely a good starting point. If you aren't already using some form of Windows Hardening have a look at Simple Windows Hardening by the same author, AndyFul, Hard_Configurator/SimpleWindowsHardening.exe at master · AndyFul/Hard_Configurator

Alternatively you could used hard/configurator for hardening. It has some addition features but may be a bit more of a learning curve
 
  • Like
Reactions: SeriousHoax, Venustus, Nevi and 9 others
I would suggest go all the way with Microsoft Defender.
Use the new Edge as browser or at least install the Microsoft Defender Browser Protection extension in any other chrome-based browser you use.

ConfigureDefender at High settings are the best settings for Microsoft Defender.

Enable Controlled Folder Access and set it to audit first for some time with ConfigureDefender so you can see what frequently used apps need to be whitelisted.

You can exclude the folders with a lot of exes from Microsoft Defender.

Maybe @Andy Ful and/or other members have more suggestions?
 
  • Like
  • Thanks
Reactions: SeriousHoax, xcentricit, Venustus and 13 others
Gandalf_The_Grey said:
I would suggest go all the way with Microsoft Defender.
Use the new Edge as browser or at least install the Microsoft Defender Browser Protection extension in any other chrome-based browser you use.

ConfigureDefender at High settings are the best settings for Microsoft Defender.

Enable Controlled Folder Access and set it to audit first for some time with ConfigureDefender so you can see what frequently used apps need to be whitelisted.

You can exclude the folders with a lot of exes from Microsoft Defender.

Maybe @Andy Ful and/or other members have more suggestions?
Click to expand...
You can’t go wrong with setting ConfigureDefender to Max either. If you face any problems you can still set it to high afterwards imo.
 
  • Like
Reactions: windows1064, Venustus, Nevi and 8 others
SecureKongo said:
You can’t go wrong with setting ConfigureDefender to Max either. If you face any problems you can still set it to high afterwards imo.
Click to expand...
Maybe, but recommended by Andy is High:
"HIGH"
Enhanced configuration, which enables many Exploit Guard features like Network Protection and most
of ASR rules. Three ASR rules and Controlled Folder Access ransomware protection are disabled to
avoid false positives. This is the recommended configuration that is appropriate for most users and provides significantly increased security.
Click to expand...
"MAX"
The most secure protection level, which enables all advanced Microsoft Defender features and hides
Windows Security Center. Configuration changes can be made only with the ConfigureDefender user
interface. The "MAX" settings are intended to protect children and casual users but can be also used
(with some modifications) to maximize the protection. This protection level usually generates more false positives compared to other settings and may require more user knowledge or skill.
Click to expand...
 
  • Like
  • Thanks
Reactions: SeriousHoax, Venustus, Nevi and 11 others

DDE_Server,​

The problem with big folders full of EXEs can be solved easily by creating two subfolders (OLD and VERY_OLD).
Just move your old and very old EXEs there. You will probably still suffer when opening these subfolders, but this will happen rarely.
 
Last edited:
  • Like
  • Applause
Reactions: SeriousHoax, Venustus, Nevi and 9 others
Andy Ful said:

DDE_Server,​

The problem with big folders full of EXEs can be solved easily by creating two subfolders (OLD and VERY_OLD).
Just move your old and very old EXEs there. You will probably still suffer when opening these subfolders, but this will happen rarely.
Click to expand...
Doesnot windows defender caches any info about scanned exe to enhance its on access scan ??
 
  • Like
Reactions: Nevi, oldschool and Venustus
Parvoo said:
to avoid window defnder from analyze large folder, 4gb, i navigate or launch files using cmd, .bat or powershell console, no wd impact :p use explore gui wd scans and slow resources :mad:
Click to expand...
Exactly sometimes i disable real time protection because windows explorer isnot responding . just after Disabling WD real time protection, it responds and list the exe files . that very bad behavior . most AV solution , you may face this for first time until AV learn them and cache some info about them which enhance the performance after little period of time
 
  • Like
Reactions: Nevi, oldschool, KonradPL and 1 other person
DDE_Server said:
you extended configure defender digital signature expiry date @Andy Ful or it is expired at the last month.
Click to expand...
Is there any problem with it? ConfigureDefender is not a commercial application so I use signing only to make sure that the executable is genuine.
DDE_Server said:
Do you provide hash value for verifying it is integrity after download ??
Click to expand...
It is not necessary when the file is digitally signed. Any altering that could change the hash would also make the file unsigned.
 
  • Like
Reactions: Venustus, Nevi, DDE_Server and 3 others
If you only keep trusted files in that folder then you may put the folder into exclusions.
Another solution is to arrange them properly. I used to have a folder full of exe files and Defender made browsing that folder super slow. Because of this, I put each of them into their separate folders which completely solved the issue for me. No more slowdowns and my PC is not cluttered anymore like it used to be thanks to Defender. It's funny that Microsoft Defender's failure helped me tidy things up.
 
Last edited:
  • Like
Reactions: Venustus, Nevi, DDE_Server and 3 others
DDE_Server said:
Doesnot windows defender caches any info about scanned exe to enhance its on access scan ??
Click to expand...
Each time after reboot, the files in the opened folder are scanned again. After this initial scan, the files are not scanned (until reboot).
 
  • Like
  • Thanks
Reactions: Venustus, Nevi, DDE_Server and 4 others
Andy Ful said:
Each time after reboot, the files in the opened folder are scanned again. After this initial scan, the files are not scanned (until reboot).
Click to expand...
This explains why my desktop has little issue with this, but my laptop had more problems and I didn’t realize this was why. It only reboots 1-2 times a month when updated.
 
  • Like
Reactions: SeriousHoax, Venustus, Nevi and 3 others
Moonhorse said:
Most of time using microsoft defender, i have had it on default settings....cant really go wrong there
Click to expand...
These settings are recommended by Microsoft for average users, because of the low false positives rate. Using Defender's advanced settings can slightly increase the number of false positives, just like with any other AV.
Different users require different protection levels. Users who cannot get occasional help to solve the problems with false positives should probably use the AV on default settings. Others can consider using advanced settings, especially when they do not install/use non-prevalent applications.
 
  • Like
  • +Reputation
Reactions: SeriousHoax, Venustus, Moonhorse and 6 others
Andy Ful said:
Is there any problem with it? ConfigureDefender is not a commercial application so I use signing only to make sure that the executable is genuine.

It is not necessary when the file is digitally signed. Any altering that could change the hash would also make the file unsigned.
Click to expand...
I mean you wrote in your github it will expire june 2020 so i just want to ask if you renewed it or not. sorry for misunderstanding
 
  • Like
Reactions: Venustus, Andy Ful, Nevi and 1 other person
DDE_Server said:
I mean you wrote in your github it will expire june 2020 so i just want to ask if you renewed it or not. sorry for misunderstanding
Click to expand...
Yes. The version integrated with Hard_Configurator beta is already signed with a new certificate. The standalone version (beta 2) is going to be published soon.
 
  • Like
  • Applause
Reactions: South Park, SeriousHoax, Venustus and 5 others
  • Like
Reactions: oldschool, SeriousHoax and Gandalf_The_Grey
  • Like
  • Thanks
Reactions: plat, oldschool, SeriousHoax and 1 other person

You may also like...