├── ConfigureDefender.exe
├── ConfigureDefenderHelp.pdf
├── H_C_HardeningTools
│   ├── H_C_HardeningTools_3000.zip
│   ├── H_C_HardeningTools_3001.zip
│   ├── H_C_HardeningTools_3011.zip
│   └── readme.txt
├── License.txt
├── README.md
└── What_is_new.txt

/ConfigureDefender.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AndyFul/ConfigureDefender/2840aca7c97fde4763cda0c81ca5a8e8448a56d9/ConfigureDefender.exe
--------------------------------------------------------------------------------

/ConfigureDefenderHelp.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AndyFul/ConfigureDefender/2840aca7c97fde4763cda0c81ca5a8e8448a56d9/ConfigureDefenderHelp.pdf
--------------------------------------------------------------------------------

/H_C_HardeningTools/H_C_HardeningTools_3000.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AndyFul/ConfigureDefender/2840aca7c97fde4763cda0c81ca5a8e8448a56d9/H_C_HardeningTools/H_C_HardeningTools_3000.zip
--------------------------------------------------------------------------------

/H_C_HardeningTools/H_C_HardeningTools_3001.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AndyFul/ConfigureDefender/2840aca7c97fde4763cda0c81ca5a8e8448a56d9/H_C_HardeningTools/H_C_HardeningTools_3001.zip
--------------------------------------------------------------------------------

/H_C_HardeningTools/H_C_HardeningTools_3011.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AndyFul/ConfigureDefender/2840aca7c97fde4763cda0c81ca5a8e8448a56d9/H_C_HardeningTools/H_C_HardeningTools_3011.zip
--------------------------------------------------------------------------------

/H_C_HardeningTools/readme.txt:
--------------------------------------------------------------------------------
H_C Hardening Tools (Hard_Configurator Hardening Tools).

This package contains some of the tools used in Hard_Configurator.

ConfigureDefender - can activate many advanced Windows Defender settings.

DocumentsAntiExploit - can be used to block macros and harden MS Office applications.

FirewallHardening - can be used to block Windows Firewall outbound connections of many LOLBins and other executables chosen by the user.

RunBySmartScreen - can be used to safely run/open files.

------------------------------------------------------------------------------------------
Disclaimer of Warranty
THIS SOFTWARE IS DISTRIBUTED "AS IS". NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED. YOU USE IT AT YOUR OWN RISK. THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS, DAMAGES, LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING THIS SOFTWARE.

Distribution
These tools may be freely distributed as long as no modification is made to them.

Andrzej Pluta (@Andy Ful)
--------------------------------------------------------------------------------

/License.txt:
--------------------------------------------------------------------------------
ConfigureDefender and Hard_Configurator Hardening Tools Disclaimer of Warranty
THIS SOFTWARE IS DISTRIBUTED "AS IS". NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED. YOU USE IT AT YOUR OWN RISK.
THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS, DAMAGES, LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING THIS SOFTWARE.

Distribution
This software may be freely distributed (but not sold) as long as no modifications are made to it.
The applications use the Nullsoft Scriptable Install System, which has additional Software License Terms.

I would like to thank the members of https://www.autoitscript.com/forum/ , especially: Ascend4nt, Erik Pilsits, FredAI, Melba23,
trancexx, Valuater, and many others, for sharing their insightful code.

Andrzej Pluta (@Andy Ful)
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# ConfigureDefender stable version 4.0.1.1 - February 2025
https://github.com/AndyFul/ConfigureDefender/raw/master/ConfigureDefender.exe

## Overview
ConfigureDefender is a small utility for configuring the built-in Defender Anti-Virus settings of Windows 10/11 (and Windows Server). It is a part of the Hard_Configurator project (including source files), but it can be used as a standalone (portable) application.

#### ConfigureDefender sources
https://github.com/AndyFul/Hard_Configurator/tree/master/src/


## Useful links
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

https://medium.com/palantir/microsoft-defender-attack-surface-reduction-recommendations-a5c7d41c3cf8

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Demystifying%20ASR%20rules


## Installation
ConfigureDefender is a portable application; no installation is needed. Download and run the executable ConfigureDefender.exe. The application runs on both 32-bit and 64-bit Windows.

## Short program description
The ConfigureDefender utility is a small GUI application to view and configure important Defender settings on Windows 10/11 and Windows Server 2019+.
It uses PowerShell cmdlets (with a few exceptions) to change the Windows Defender settings. Furthermore, the user can apply one of the pre-defined protection levels: DEFAULT, HIGH, INTERACTIVE, and MAX. Changing the protection level requires a reboot to take effect.

### Using the Maximum Protection Level
The MAX Protection Level blocks anything suspicious via Attack Surface Reduction, Controlled Folder Access, SmartScreen (set to block), and Cloud Level (set to block). These settings are very restrictive, and using them can produce many false positives even in a home environment. Such a setup is not recommended in a business environment.

### Advanced Users
Some important remarks on the possible ways of configuring Defender (for advanced users).

Windows Defender settings are stored in the Windows Registry, and most of them are not available from the Windows Defender Security Center. They can be managed by using:

* Group Policy Management Console (gpedit.msc is not available in Windows Home editions)
* Direct Registry editing (manually, via *.reg files or scripts)
* PowerShell cmdlets (Set-MpPreference, Add-MpPreference, Remove-MpPreference; PowerShell 5.0)

### Windows Defender Registry Keys
Normally, Windows Defender stores most settings under the key (owned by SYSTEM):
* `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender`

The values under this key change when settings are applied via the Defender Security Center or PowerShell cmdlets.

### Overwriting settings via Group Policy Management Console (GPO)
Administrators can use the Windows Group Policy Management Console (GPO) utility to override certain Windows Defender registry values.
Group Policy settings are stored under another key (owned by ADMINISTRATORS):
* `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`

Keep in mind that GPOs do not delete the normal Defender settings!

### Manually changing WD settings via registry
Registry editing is usually done under the second (policy) key shown below, because the first key requires SYSTEM privileges.
Applying Defender settings by directly manipulating the registry under:
* `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`

is not recommended (!) on Windows editions that officially support the Group Policy Management Console, e.g. Pro and Enterprise editions:
* Those settings are not recognized by the Group Policy Management Console.
* They can temporarily overwrite the GPO setup in the Registry because they share the same Registry keys. Those changes are not permanent, because the Group Policy configuration itself is not overwritten.
* After some hours, those settings are automatically and silently overwritten again by the Group Policy Refresh feature.
* Those settings cannot be changed via the Defender Security Center (or PowerShell cmdlets), even if they are visible there (like the folders and applications related to Controlled Folder Access).

### Windows Home Editions
Under Windows Home editions, someone can configure Defender settings (outside of the Defender Security Center) by using PowerShell cmdlets or the manual Registry editing method. This may confuse some users, but the ConfigureDefender utility can remove the settings made under the policy path:
* `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`

This is required, because those settings would override the ConfigureDefender settings.
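Before running ConfigureDefender on a machine where someone may have written directly under the policy path, it helps to see exactly which policy values are present. The following PowerShell audit is an added example, not code from ConfigureDefender or Hard_Configurator; it assumes an elevated session and reads only the two registry keys named above.

```powershell
# Added example, not part of ConfigureDefender: list every value stored under the
# Defender policy path, i.e. the settings that take precedence over (and, on
# Pro/Enterprise, are re-applied by Group Policy refresh over) anything set with
# ConfigureDefender or Set-MpPreference. Run from an elevated PowerShell 5.0+.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'   # owned by ADMINISTRATORS
$NormalRoot = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'            # owned by SYSTEM

function Get-DefenderPolicyOverrides {
    [CmdletBinding()]
    param([string]$Root = $PolicyRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Verbose "No policy key at $Root; nothing overrides the normal Defender settings."
        return
    }
    # Walk the policy key and all of its subkeys (Real-Time Protection, Spynet,
    # Windows Defender Exploit Guard\ASR\Rules, ...). On the registry provider,
    # Get-Item/Get-ChildItem return RegistryKey objects, so values are read directly.
    $keys = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM'
                Value = $name
                Type  = $key.GetValueKind($name)
                Data  = $key.GetValue($name)
            }
        }
    }
}

# Report: anything listed here wins over the SYSTEM-owned key and, on editions
# with gpedit.msc, is silently restored by Group Policy refresh.
$overrides = @(Get-DefenderPolicyOverrides -Verbose)
if ($overrides.Count -eq 0) {
    "No Defender policy values found under $PolicyRoot."
} else {
    "$($overrides.Count) policy value(s) found; these override settings under ${NormalRoot}:"
    $overrides | Sort-Object Key, Value | Format-Table -AutoSize
}
```

Any GUIDs reported under the `Windows Defender Exploit Guard\ASR\Rules` subkey can be compared with the `AttackSurfaceReductionRules_Ids` and `AttackSurfaceReductionRules_Actions` properties of `Get-MpPreference` to see which ASR rules are policy-enforced rather than set by the tool.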

### ConfigureDefender utility and GPOs
The ConfigureDefender utility can be used on Windows Professional & Enterprise editions if an Administrator did not apply Defender policies via the Group Policy Management Console. Normally, all those policies are set to 'Not configured' by default. They can be found in the Group Policy Management Console under:
* Computer configuration >> Policies >> Administrative templates >> Windows components >> Windows Defender Antivirus

The tabs MAPS, MpEngine, Real-time Protection, Reporting, Scan, Spynet, and Windows Defender Exploit Guard should be inspected before using ConfigureDefender. The corresponding policies have to be set to 'Not configured'. If not, then the GPO Refresh feature will override the settings applied via ConfigureDefender.

## Available Windows Defender settings on different Windows versions
ConfigureDefender requires Windows ver. 1809 or later.

The ASR rule "Block persistence through WMI event subscription" requires Windows ver. 1903 or later.

See also:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide
--------------------------------------------------------------------------------

/What_is_new.txt:
--------------------------------------------------------------------------------
Version 4.0.1.1 stable (the same as the latest beta)
Added two new ASR rules.
Some corrections in the help files and manual.

Version 4.0.0.1
New certificate (July 2024).
Adjusted the code to work with Windows Hybrid Hardening.

Version 4.0.0.0
Added mouse-wheel scrolling.

Version 3.1.1.1 (new certificate July 2023) - no functional changes.
Version 3.1.1.1 (new certificate July 2022) - no functional changes.
1. The current application binaries are from version 3.0.1.1 + updated certificate. The application window still shows the older version 3.0.1.1.

Version 3.0.1.1
1. Added support for Windows Server 2019+

Version 3.0.1.0 (points 1-10 were already included in the beta 2 version)
1. Added some useful information to the Help and manual.
2. Added "Send All" setting to Automatic Sample Submission.
3. Updated ASR rules (1 new rule added).
4. Added the Warn mode to ASR rules.
5. Added INTERACTIVE Protection Level which uses ASR rules set to Warn.
6. Added the button next to the Protection Levels buttons. It displays which settings are enabled in the DEFAULT, HIGH, INTERACTIVE, and MAX Protection Levels.
7. Slightly redesigned the layout of the Exploit Guard section.
8. Added support for Windows 11.
9. Added support for event Id=1120. If the proper policy is applied, then this event can be logged by Windows. If the user has manually applied this policy by registry tweak or GPO, then the events related to Id=1120 will also be included in the "Defender Security Log".
10. Added CFA setting BDMO = Block Disk Modifications Only - folders will not be protected, but some important disk sectors will still be protected (Id = 1127).
11. Corrected a minor bug related to displaying the empty log.

Version 3.0.0.1
1. Added tip text feature to some buttons (, , ).
2. Removed the feature of adding an icon to the taskbar notification area.
3. Removed event Id=5007 from the Defender Security Log.

Version 3.0.0.0
1. Corrected a bug related to the error when the "Defender Security" Log is empty.
2. Removed the event Id=1117 from the Defender Security Log.
3. Extended the maximal number of entries in the Log to 300.
4. Extended the "Cloud Time Check Limit" in the HIGH Protection Level from 10s to 20s.
5. Added DLL hijacking protection - the 64-bit and 32-bit installers are wrapped into one installer by NSIS.
6. Corrected some minor bugs.

Version 2.0.1.1
1. Added an additional ASR rule: "Block persistence through WMI event subscription".
2. Minor GUI improvements.

Version 2.0.1.0
The ConfigureDefender executables are now digitally signed with a Certum Open Source Code Signing certificate.

Version 2.0.0.1
1. Added icon.
2. Added the section PROTECTION LEVELS which includes the renamed buttons:
---->
---->
---->
3. Added the button , which allows seeing the last 200 Windows Defender events. It also shows the names of ASR rules alongside GUIDs.
4. Added the splash alert when applying time-consuming features.
5. Renamed option "Reporting Level (MAPS membership level)" to "Cloud-delivered Protection" (the name used in the WD Security Center) and renamed its "Advanced" setting to "ON".
6. Extended the abilities of the button.
7. Updated the changes made by Microsoft to allow file & folder exclusions for some additional ASR rules.
8. Corrected the issue with closing the application.
9. Extended the help.

Version 2.0.0.0
Added two new WD ASR rules:
1. Block only Office communication applications from creating child processes (includes Outlook protection).
2. Block Adobe Reader from creating child processes.

Version 1.1.1.1
The option 'Real-time Monitoring' was removed because of the new Microsoft criteria for malware detection. With this option, ConfigureDefender would be classified as a hack tool.

Version 1.0.1.1
1. Corrected a minor bug related to an unnecessary folder exclusion for the ASR mitigation that does not support exclusions.
2. In the ASR mitigation, 'Use advanced protection against ransomware' is set to ON, and 'Controlled Folder Access' is set to Audit.

Version 1.0.1.0
Added ASR mitigations introduced in Windows ver. 1803.
--------------------------------------------------------------------------------