Andy Ful

Level 49
Verified
Trusted
Content Creator
It is worth to recall how the <Validate Admin C.S.> option works. If it is set to ON, then the UAC prompt will be not displayed when the unsigned file is executed and the execution will be blocked if the elevation of privileges is required. But, if the malware can bypass UAC, then this setting will not block the execution with an elevation of privileges.
So, <Validate Admin C.S.> can be useful to stop the installation of malware that pretends to be a legal application, but will not stop the malware which uses UAC bypass.
<Validate Admin C.S.> is stronger on Standard User Account (SUA), because most of the known UAC bypasses (except a few) do not work on SUA.

I also analyzed over 20 of Windows Defender (MAX settings) tests made on Malware Hub this year by Evjl's Rain and SeriousHoax. Only one EXE sample (among all EXE samples) was missed. So, it seems that ConfigureDefender MAX Profile is extremely good for detecting/blocking EXE samples and can be used safely with the H_C profile: Windows_10_MT_Windows_Security_hardening.
 
Last edited:
  1. Unsigned applications will not update when installed in Program Files and Program Files (x86). To update them, the setting <Validate Admin C.S.> has to be turn off temporarily.
  2. Your brother will not be able to bypass SmartScreen when running applications downloaded from the Internet (except if he will unblock the executable via file Properties).
  3. When using "Allow EXE and TMP" in H_C, it is good to apply also the FirewallHardening.
  4. ConfigureDefender MAX Profile is extremely good for detecting/blocking EXE samples and can be used safely with the H_C profile: Windows_10_MT_Windows_Security_hardening.
1. He currently has no unsigned programs
2. Not able to bypass is good. I trust WD's verdict more than my brother's assessment
3. OK will do next time I am at my parents house
4. Also have blocked a lot of LOLBINS in H_C, so together with SRP rules and WD on Max he will be fine

Thanks for the detailed reply