ConfigureDefender
Intro
This section is a supplement to ConfigureDefender's existing documentation, written to give more detail about certain functions of the tool. CD is one of my favorite hardening tools for Defender. Defender's default settings are more relaxed than they need to be, though Microsoft ships them that way to keep people from running into compatibility issues. If you use this tool to harden Windows and something legitimate gets blocked, it's easy to turn the settings down temporarily, though in my experience that has rarely been an issue.
Default Settings
CD has four different protection-level buttons you can choose from, if you'd rather use them than configure each setting manually. If you click the Info button in the tool, it explains the details of each. Here's what I've found after using this software for multiple years:
If a legitimate app is blocked when you try to run it, you can click the Default settings button, run the app, then put your hardened settings back. There can be multiple reasons the block happens, which I'll cover later on.
The Max setting has worked well for me and caused very few issues. When you enable it, it warns that it's meant for power users and will require more attention to use properly. The extra protection Max provides is well worth it: most people won't notice much with it on, and it's easy to turn down for a moment if needed.
Settings
Let's cover each of the settings listed in CD, so you have a better idea of how the program functions.
Behavior Monitoring
This is one of the most important functions of an antivirus and it should be left on at all times. Once in a while I'll see someone recommend turning this or other AV features off to install or run something, which is a terrible idea: that's exactly how attackers social-engineer someone into putting malware on their own system.
Behavior monitoring watches what processes actually do at runtime instead of relying only on signatures, working together with heuristics (analysis of files and processes for suspicious traits). For example, say a new piece of malware starts to spread and happens to land on your computer. Because there's no signature for it yet, the AV has to judge the program by its behavior to decide whether it should keep running. If it tries to make suspicious changes to the registry, Windows files, etc., the AV should notice and quarantine it. This doesn't work every time, so you don't want to rely on it alone.
Block At First Sight
This setting lets Defender check suspicious files against the cloud (MS servers) for malicious patterns before they're allowed to run. If the cloud flags anything odd, the file is blocked from running on your computer. While that check is in progress, Defender can hold a process from starting if its first impression of the file is that it could be malicious. This is a critical feature that should be enabled.
Cloud Delivered Protection
This is the Defender function that allows Block At First Sight to work: it sends file metadata (and, with sample submission, the file itself) to MS for a verdict. BAFS doesn't appear as its own toggle in the Windows Security app; it's exposed in CD, in Group Policy, and through the Set-MpPreference cmdlet (DisableBlockAtFirstSeen). For BAFS to work, cloud-delivered protection has to be enabled so files can be sent to MS.
Automatic Sample Submission
Sample submission works hand-in-hand with cloud-delivered protection and should be left enabled. With it on, Defender can send a sample of a suspicious file to MS servers for deeper analysis while blocking it locally on your computer. This is fast and happens in the background without you noticing. The choices are never send, always prompt, send safe samples automatically, and send all samples automatically; set it to prompt if you'd like to decide case by case. If you select send all, it'll send every sample requested, even files that might contain personal information.
Scan All Downloaded Files And Attachments
This setting is also critical, as downloads are a common way for malware to spread. There's not much official documentation about this feature, but it's a recommended setting and is also called for in the DISA STIGs. With it on, Defender scans anything as soon as it's downloaded, before you get a chance to open it.
Warning
An exception is any archive or file that's password protected. Because the contents are encrypted, the AV can't inspect them ahead of time to tell whether they're malicious. Anytime you see someone offering a password-protected archive, be cautious. If you need to look at it, I recommend examining it first in something like a properly configured VM and having it checked by a site like VirusTotal. Be aware of file sizes too, because bad actors are: a file over 650MB can't be uploaded to VirusTotal, and attackers have figured this out.
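A quick pre-check for the two caveats above, as an added example that is not part of ConfigureDefender or its documentation: it parses a ZIP file's central directory directly, flags entries whose general-purpose bit 0 is set (the entry is encrypted, which is what password protection does), compares the file size against the 650MB VirusTotal upload limit, and returns the SHA-256 so you can search VirusTotal by hash instead of uploading. It only understands plain ZIP; ZIP64 archives and other formats are reported rather than guessed at. The function name and output fields are my own choices.

```powershell
# Added example (not ConfigureDefender's code): can Defender/VirusTotal actually
# see inside this archive? Reads the ZIP central directory, reports encrypted
# entries (general purpose flag bit 0) and the size vs. the upload limit.
function Test-ArchiveScannable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$UploadLimitBytes = 650MB      # VirusTotal's public upload limit quoted above
    )
    $file = Get-Item -LiteralPath $Path
    $encrypted = New-Object System.Collections.Generic.List[string]
    $fs = [System.IO.File]::OpenRead($file.FullName)
    try {
        $br = New-Object System.IO.BinaryReader($fs)

        # Locate the End Of Central Directory record (signature 0x06054b50). It is the
        # last 22 bytes unless a trailing archive comment (max 65535 bytes) follows it,
        # so scan backwards over that window.
        $eocd = -1
        $floor = [Math]::Max(0, $fs.Length - 65557)
        for ($pos = $fs.Length - 22; $pos -ge $floor; $pos--) {
            $fs.Position = $pos
            if ($br.ReadUInt32() -eq 0x06054b50) { $eocd = $pos; break }
        }
        if ($eocd -lt 0) { throw "$Path is not a ZIP archive (no central directory found)" }

        $fs.Position = $eocd + 10
        $entryCount = $br.ReadUInt16()       # total entries in the central directory
        $fs.Position = $eocd + 16
        $cdOffset = $br.ReadUInt32()         # where the central directory starts
        if ($entryCount -eq 0xFFFF -or $cdOffset -eq 0xFFFFFFFF) {
            throw 'ZIP64 archive: not handled by this example'
        }

        # Walk the central directory file headers (signature 0x02014b50).
        $fs.Position = $cdOffset
        for ($i = 0; $i -lt $entryCount; $i++) {
            if ($br.ReadUInt32() -ne 0x02014b50) { throw 'corrupt central directory entry' }
            $fs.Position += 4                # version made by, version needed
            $flags = $br.ReadUInt16()        # general purpose bit flag
            $fs.Position += 18               # method, mtime, mdate, crc32, compressed/uncompressed size
            $nameLen = $br.ReadUInt16()
            $extraLen = $br.ReadUInt16()
            $commentLen = $br.ReadUInt16()
            $fs.Position += 12               # disk start, internal attrs, external attrs, local header offset
            $name = [System.Text.Encoding]::UTF8.GetString($br.ReadBytes($nameLen))
            $fs.Position += $extraLen + $commentLen
            if ($flags -band 1) { $encrypted.Add($name) }   # bit 0 set: entry is encrypted
        }
    } finally {
        $fs.Dispose()
    }

    [pscustomobject]@{
        Path             = $file.FullName
        SizeMB           = [math]::Round($file.Length / 1MB, 1)
        OverUploadLimit  = $file.Length -gt $UploadLimitBytes
        EncryptedEntries = $encrypted.Count
        TotalEntries     = $entryCount
        Sha256           = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        # Scannable only if nothing is hidden from the scanner AND the file fits an upload.
        Scannable        = ($encrypted.Count -eq 0) -and ($file.Length -le $UploadLimitBytes)
    }
}

# Usage (path is a placeholder):
# Test-ArchiveScannable -Path 'C:\Users\you\Downloads\suspicious.zip'
```

Even when OverUploadLimit is true, the Sha256 field is still useful: if anyone has uploaded the same file before, searching VirusTotal for the hash gives you its report without sending anything.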
Script Scanning
Scripts have become a popular way to spread malware because they're effective. This function lets Defender scan scripts before they're executed on the system.
PUA Protection
Potentially unwanted applications (PUA) are software you don't want on your system. If you were around in the days when browser toolbars were still a thing and BonziBuddy was still around, you know the type. This software generally slows your computer, nags you to buy some random garbage, and may even serve as a vector for something actually malicious.
Cloud Protection Level
This is one of the settings that may annoy you once in a while. It controls how aggressive the cloud is about unknown files. At the highest setting (block, i.e. zero tolerance), Defender blocks any unknown executable outright, so anything the cloud can't vouch for gets blocked, including when you have no internet connection and the file can't be checked for malicious behavior at all.
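Everything in this section so far (behavior monitoring, BAFS, cloud-delivered protection, sample submission, download scanning, script scanning, PUA and cloud block level) is also reachable through the built-in Defender cmdlets, which is useful for checking what CD actually changed or for auditing a machine that doesn't have CD on it. The following script is an added example, not ConfigureDefender's own code: the parameter names are the real Get-/Set-MpPreference parameters, while the desired values are this page's recommendations rather than Microsoft's defaults. It also includes the cloud check timeout and scan CPU load knobs, which live in the same cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example (not ConfigureDefender's code): audit the Defender preferences
# covered in this section against this page's recommended values and, if you
# choose, apply them with Set-MpPreference. If Tamper Protection is on, Windows
# may silently ignore some of these changes; the re-check at the end shows that.

$Desired = @{
    DisableBehaviorMonitoring = $false  # Behavior Monitoring on ($false = feature enabled)
    DisableBlockAtFirstSeen   = $false  # Block At First Sight on
    MAPSReporting             = 2       # Cloud Delivered Protection: 0 off, 1 basic, 2 advanced
    SubmitSamplesConsent      = 1       # 0 always prompt, 1 send safe samples, 2 never, 3 send all
    DisableIOAVProtection     = $false  # Scan all downloaded files and attachments on
    DisableScriptScanning     = $false  # Script Scanning on
    PUAProtection             = 1       # 0 off, 1 block, 2 audit only
    CloudBlockLevel           = 2       # 0 default, 2 high, 4 high+, 6 zero tolerance ("block")
    CloudExtendedTimeout      = 50      # seconds added to the 10 s cloud check (max 50 = 60 s total)
    ScanAvgCPULoadFactor      = 50      # percent of CPU a scan may use
}

function Get-DefenderDrift {
    # Returns one object per setting whose live value differs from $Desired.
    param([Parameter(Mandatory)][hashtable]$Desired)
    $live = Get-MpPreference
    foreach ($name in $Desired.Keys) {
        $have = $live.$name
        $want = $Desired[$name]
        # Compare as strings so $false/"False" and 2/"2" match regardless of the
        # numeric type the cmdlet returns for each property.
        if ("$have" -ne "$want") {
            [pscustomobject]@{ Setting = $name; Current = $have; Desired = $want }
        }
    }
}

function Set-DefenderBaseline {
    # Applies every drifted setting. Run with -WhatIf first to see what would change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Desired)

    if ((Get-MpComputerStatus).IsTamperProtected) {
        Write-Warning 'Tamper Protection is on; some settings may not take effect via Set-MpPreference.'
    }
    $drift = @(Get-DefenderDrift -Desired $Desired)
    if ($drift.Count -eq 0) { Write-Host 'Already at baseline.'; return }

    foreach ($d in $drift) {
        if ($PSCmdlet.ShouldProcess($d.Setting, "change $($d.Current) -> $($d.Desired)")) {
            $param = @{}
            $param[$d.Setting] = $d.Desired      # splat so the parameter name comes from the table
            Set-MpPreference @param
        }
    }

    # Anything still drifting after the call was refused (Tamper Protection or policy).
    Get-DefenderDrift -Desired $Desired | ForEach-Object {
        Write-Warning "$($_.Setting) still reads $($_.Current); check Tamper Protection / Group Policy."
    }
}

# Usage:
Get-DefenderDrift -Desired $Desired | Format-Table -AutoSize
Set-DefenderBaseline -Desired $Desired -WhatIf     # drop -WhatIf to apply
```

The Disable* names are inverted on purpose by Microsoft, so read them carefully: $false means the protection is on. The drift report is also a handy way to confirm that CD's Max button really applied everything, and the post-apply re-check is where you'll first notice a Group Policy or Tamper Protection override fighting your change.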
- Cloud Check Time Limit: When Defender sends a sample to the cloud for analysis, it blocks the suspicious file for 10 seconds by default while it waits for the result of the scan. You can use this option to extend that in 10-second increments, up to 60 seconds in total. If you want to read more about how this works, here's a link to the official documentation.
- Average CPU Load While Scanning: You can tweak how much CPU Defender may use while a scan is running, up to a maximum of 80% in CD. If you set it that high and a full scan is running, you might notice a significant slowdown until it's done. If you run a lot of scans but don't want performance to suffer much, try 10% and see whether the scan times are acceptable for you.
- SmartScreen: You'll see three different options: Explorer, Edge, and Internet Explorer. SmartScreen is a good tool to have enabled. It uses several signals to decide whether a file is safe to download or a URL is safe to visit, such as how many times something has been downloaded, whether AV has flagged the file in the past, and the reputation of the URL. Explorer refers to File Explorer, where it checks files and apps you run from the desktop, including downloads you've already saved.
- Productivity Apps: This subsection has five different options, which I'll explain briefly here. If you want to read about these in depth, here's documentation from Microsoft.
Block Win32 API calls from Office macros - This option keeps macros from calling Win32 APIs. The Windows API is the set of functions built into the OS that lets programs do things like launch processes and access network resources. Macros in an Office document can make these calls, which attackers abuse to infect computers: a malicious macro can let an attacker take over your machine just from you opening a document and the macro running, often via fileless techniques that never write a payload to disk. Unless you need to do something advanced with Office apps, keep this option on.
Block Office applications from creating child processes - This option keeps Office apps from launching a child process (a process created by another process, the parent). Malware inside an Office file typically launches other processes to kick off the infection. There's a separate option to block Adobe Reader from creating child processes, which should be enabled as well.
Block Office applications from creating executable content - This option keeps Office apps from writing executable content (for example .exe or .dll files) to disk, which is how a malicious document would usually drop its payload.
Block Office applications from injecting into other processes - This keeps Office apps from injecting code into other processes, which malware uses so that its activity appears to come from a clean, trusted process. There's no good reason for Office apps to be doing code injection.
- Script Rules
Block JS/VBS from launching downloaded executable content - JS refers to JavaScript and VBS to Visual Basic Script. A script in either language can be written to download and run malware; this rule blocks executables launched that way.
Block execution of potentially obfuscated scripts - Obfuscation means disguising what a script actually does, for example by encoding or encrypting its contents. It isn't always a sign of malice: closed-source software is sometimes obfuscated to keep others from ripping off the work.
The problem is that malware uses the same trick to hide from scanners. With this option enabled, Defender blocks scripts that look obfuscated. You may occasionally have something legitimate blocked; if so, I suggest you triple-check the script and its source before you allow it to run on your system.
- Email Rules
Block Office communication applications from creating child processes - This is similar to the Office apps and Adobe Reader rule above, but applies to Outlook. It can help prevent malware from spreading via Outlook. This rule could interfere with add-ins if you use them.
Block executable content from email client and webmail - This rule blocks high-risk file types received by email from running, for example .exe, .ps (PowerShell), .dll and .scr. There are almost no good reasons for someone to email you something like an exe or a dll, so this is a good option to have enabled. Be aware this rule doesn't cover clients like Thunderbird; it only works for the Outlook app and some webmail providers.
- Other Rules
Block executable files from running unless they meet a prevalence, age, or trusted list criteria - This is the option that may give you the most trouble of anything listed here. It's good to have set, since it helps protect against new strains of malware, but it occasionally catches legitimate software too. You can set it to "on" and let it block outright, or set it to "warn." Warn still blocks the file, but you get a popup from Defender saying what the app was, with an unblock button; click it and relaunch the app.
Any software considered "untrusted" is blocked by this rule until it has been seen on 1,000 machines and is at least 24 hours old. This might sound problematic, but in my years of using this software it has only been an issue once in a while. For example, if you use the Mullvad Browser and launch it while an update is rolling out, you'll likely find it blocked for a day or two while those conditions are met. If you set the rule to "warn," it's not going to be a problem for legitimate software.
Block credential stealing from the Windows local security authority subsystem (lsass.exe) - lsass.exe is a critical part of Windows security: it handles things like password changes and verifying usernames and passwords, and it holds credential material in memory, which is why credential-dumping tools target it.
This rule helps prevent an attacker from grabbing credentials out of lsass.exe by keeping other apps from reading its memory. You can set it to "audit" (logs suspicious access but allows it), "warn," or "on." I've seen a few cases of an app that tried to access lsass.exe; the app was blocked from doing so and worked fine anyway. According to MS documentation, many apps that try to access this process don't need to.
Block process creations originating from PSExec and WMI commands - This may not have much use for home users, but you can still enable it. It helps prevent remote code execution through processes created via PSExec and WMI. If you have some kind of homebrew setup where you do remote management of your machines with these tools, it may cause you issues.
Block untrusted and unsigned processes that run from USB - This blocks executables such as .exe, .dll and .scr files run from removable media if they're unsigned or untrusted. The limitation is in the name: a signed or already-trusted file on a USB stick isn't stopped by it. As long as you're aware of that, it's a good option to have enabled.
Use advanced protection against ransomware - This rule does heuristic analysis of files locally and through the cloud to judge whether a file might be ransomware. It won't block a file that meets any of the following criteria: the MS cloud considers it harmless, it has a valid signature, or it's prevalent enough not to be considered ransomware. Cloud protection needs to be enabled for this rule to work.
Block persistence through WMI event subscription - This rule helps prevent malware from persisting on a computer via WMI event subscriptions, a method commonly used by fileless malware. If the SCCM agent (CcmExec.exe) is found on your computer, the rule is treated as not applicable. Unless you use Configuration Manager (which is what SCCM is), the option should work.
Block abuse of exploited vulnerable signed drivers - This rule helps prevent malware from spreading through legitimate, signed drivers that have vulnerabilities. The mhyprot2.sys case is an example: a kernel-level anti-cheat driver was abused by malware to gain kernel access and disable protections. This type of exploit can be nasty. That case didn't even require the user to have installed the driver, since the malware brought its own copy along.
Warning
This rule won't stop a driver that's already installed on the system from loading.
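The same ASR rules CD toggles can be set and reviewed with the Defender cmdlets, which is handy for seeing which rule fired when something legitimate gets blocked. The script below is an added example, not ConfigureDefender's own code. The GUIDs are Microsoft's published rule identifiers (cross-check them against the current ASR rules reference before deploying); the per-rule actions are this page's recommendations, with everything enabled and the prevalence/age rule in Warn mode, and the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not ConfigureDefender's code): apply the ASR rules discussed
# above with Add-MpPreference, list their current state, and read back recent
# hits from the Defender operational log (1121 = blocked, 1122 = audited).

$AsrRules = @{
    'Block Win32 API calls from Office macros'                                                   = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Block all Office applications from creating child processes'                               = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office applications from creating executable content'                                = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Office applications from injecting code into other processes'                        = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Adobe Reader from creating child processes'                                           = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block JavaScript or VBScript from launching downloaded executable content'                  = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block execution of potentially obfuscated scripts'                                          = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block Office communication application from creating child processes'                      = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block executable content from email client and webmail'                                     = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block credential stealing from the Windows local security authority subsystem'              = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations originating from PSExec and WMI commands'                          = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block untrusted and unsigned processes that run from USB'                                   = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Use advanced protection against ransomware'                                                 = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block persistence through WMI event subscription'                                           = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block abuse of exploited vulnerable signed drivers'                                         = '56a863a9-875e-4185-98a7-b882c64b5ce5'
}

# Reverse map for turning GUIDs in the log back into names.
$AsrNames = @{}
foreach ($n in $AsrRules.Keys) { $AsrNames[$AsrRules[$n]] = $n }

# Action per rule: Enabled = block, AuditMode = log only, Warn = block with an
# unblock prompt. Warn isn't supported on every rule, so use it only where this
# page suggests it (the prevalence/age rule).
$Plan = @{}
foreach ($n in $AsrRules.Keys) { $Plan[$n] = 'Enabled' }
$Plan['Block executable files from running unless they meet a prevalence, age, or trusted list criterion'] = 'Warn'

function Set-AsrBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $Plan.Keys) {
        if ($PSCmdlet.ShouldProcess($name, "set $($Plan[$name])")) {
            # Add-MpPreference updates one rule without clobbering the others.
            Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                             -AttackSurfaceReductionRules_Actions $Plan[$name]
        }
    }
}

function Get-AsrState {
    # Current rule/action pairs (actions: 0 off, 1 block, 2 audit, 6 warn).
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i].ToLower()
        $rule = if ($AsrNames.ContainsKey($id)) { $AsrNames[$id] } else { $id }
        [pscustomobject]@{ Rule = $rule; Action = $p.AttackSurfaceReductionRules_Actions[$i] }
    }
}

function Get-AsrEvents {
    # Recent ASR hits, with the rule GUID in the message resolved to its name.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $guid = [regex]::Match($_.Message, '(?i)[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}').Value.ToLower()
        $rule = if ($AsrNames.ContainsKey($guid)) { $AsrNames[$guid] } else { $guid }
        $mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        [pscustomobject]@{ Time = $_.TimeCreated; Mode = $mode; Rule = $rule; Summary = ($_.Message -split "`n")[0] }
    }
}

# Usage:
Set-AsrBaseline -WhatIf                      # drop -WhatIf to apply
Get-AsrState | Format-Table -AutoSize
Get-AsrEvents -Hours 72 | Format-Table -AutoSize
# If one rule keeps hitting a tool you trust, exclude that file from ASR only
# (path is a placeholder), rather than turning the rule off:
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Tools\legit.exe'
```

Get-AsrEvents is the answer to "what just blocked my app?": the 1121 event names both the rule and the file, which tells you whether to use Warn, an ASR-only exclusion, or to leave the block in place.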
Network Protection
This feature uses SmartScreen reputation to block outbound connections to low-reputation sites. I've tested it and it works okay, but you shouldn't rely on it to catch a lot of malicious domains. DNS filtering services like Quad9 will give you better protection in that respect, though this is still a good option to have enabled. MS has written thorough documentation just for this feature.
Controlled Folder Access
This is one of Defender's protection mechanisms against ransomware. By default, it keeps untrusted apps from making changes to important folders (e.g. Documents, Pictures, etc.). The problem is that it frequently blocks legitimate apps from accessing those folders. It had a lot of issues when it first came out, and when I tested it last year I noticed even some Windows processes being blocked. What you'll typically see is something like a game needing to create a settings file and put saves in the Documents folder; CFA blocks it, and you have to open a window and add an exception for each program that needs access. Feel free to test it and see whether it's something you're willing to deal with.
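Both Network Protection and Controlled Folder Access have an audit mode, which is the sane way to find out what they would block before you let them block it. The script below is an added example, not ConfigureDefender's code: it turns both on in audit mode, pulls the resulting events from the Defender operational log (1123/1124 are CFA blocked/audited, 1125/1126 are Network Protection audited/blocked), lets you allow the apps and add folders you decided on, and then switches to block mode. The function names and the sample paths in the usage lines are mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not ConfigureDefender's code): audit-first rollout of Network
# Protection and Controlled Folder Access using the built-in Defender cmdlets.

function Start-ProtectionAudit {
    # AuditMode logs what would have been blocked without blocking it.
    Set-MpPreference -EnableNetworkProtection AuditMode
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

function Get-ProtectionEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $feature = if ($_.Id -in 1123, 1124) { 'ControlledFolderAccess' } else { 'NetworkProtection' }
        $mode    = if ($_.Id -in 1123, 1126) { 'Block' } else { 'Audit' }
        # CFA messages name the offending process; grab the first .exe path so it can
        # be passed straight to Add-ProtectionAllowance if it turns out to be legit.
        $proc = [regex]::Match($_.Message, '[A-Za-z]:\\[^\r\n"]+?\.exe').Value
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Feature = $feature
            Mode    = $mode
            Process = $proc
            Summary = ($_.Message -split "`n")[0]
        }
    }
}

function Add-ProtectionAllowance {
    # Allow apps that showed up in the audit (e.g. a game writing saves to Documents)
    # and protect folders beyond Defender's default set.
    param([string[]]$AllowedApps = @(), [string[]]$ExtraFolders = @())
    foreach ($app in $AllowedApps) { Add-MpPreference -ControlledFolderAccessAllowedApplications $app }
    foreach ($dir in $ExtraFolders) { Add-MpPreference -ControlledFolderAccessProtectedFolders $dir }
}

function Enable-ProtectionBlockMode {
    Set-MpPreference -EnableNetworkProtection Enabled
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Usage, spread over a few days of normal use (paths are placeholders):
# Start-ProtectionAudit
# Get-ProtectionEvents -Hours 72 | Sort-Object Process -Unique | Format-Table -AutoSize
# Add-ProtectionAllowance -AllowedApps 'C:\Games\Example\game.exe' -ExtraFolders 'D:\Projects'
# Enable-ProtectionBlockMode
```

Running in audit mode for a few days gives you the list of programs CFA would have stopped (the game-saves case from above shows up as a 1124 event naming the game's executable), so you can add the exceptions up front instead of discovering them one popup at a time after switching to block mode.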
Admin: Hide Security Center
This option hides the Windows Security interface and its Defender icon in the system tray. It might be useful if other people use your computer and you don't want them clicking in there and changing something, though it doesn't prevent changes being made in other ways (e.g. Group Policy). If you select the Max protection setting, you'll get a popup asking whether you want the icon hidden.