Windows Defender is enough, if you harden it (0ut3r.space)
560 points by h0ek on March 6, 2022 | 285 comments



Hey, sorry for all the name changes of Microsoft Defender. I work at MSec (Microsoft's security org).

We ended up absorbing and acquiring a few companies to provide a better offering and a lot of re-branding happened. For example Security Center's old portal for active threat protection, automatic remediation, incident investigation etc is all now absorbed into (the better) security.microsoft.com which is (to my understanding, just an engineer) the current and last (for the foreseeable future) rebrand. The team I work at started as one person working on the frontend for MDE (Microsoft Defender for Endpoint) and now has hundreds of people working on the security portal across India, Israel and the US (as well as a few other smaller sites contributing).

Also, as an engineer I have to say the offering is good. The anti-virus and the telemetry is worked on by some really smart people. Client information is sacred, logging into production takes multiple audits and PII is scrubbed (heavily) any time logs are needed. We still have a lot of room to improve but I am confident in Microsoft both delivering a good product and acting in good faith (and there is a clear business incentive in the enterprise security space to do so rather than benevolence).


Hey, we (Nim programming language[1]) get constant false positives on Windows Defender. This has started relatively recently and we think is due to a recent increase in the number of whitehats using Nim but it really affects our community negatively. It seems that Windows Defender marks anything that looks like Nim[2] as being a virus which is very unreliable and causes many of our users to get hit by virus warnings as soon as they attempt to install Nim. We've attempted to submit the files concerned as false positives to no avail[3].

Can you or anyone else help resolve this?

1 - https://nim-lang.org

2 - https://forum.nim-lang.org/t/7885

3 - https://forum.nim-lang.org/t/8196#53855


This false-positive problem is a major headache for a lot of open-source programming languages and programs, whose source code is also sitting right there on GitHub to be inspected and compared with.

I think that Microsoft could do better with its false-positive review process, particularly doing something more for open-source developers and projects.


> sorry for all the name changes

As long as you guys are not going the route of google's approach to messaging, I'm sure we will forgive you. Nor the route of an NFC pay/wallet/money app that...

You know what? Just don't do the thing where you launch products to consumers so that someone achieves a promotion internally, and then abandon the product.

Frankly, MS has a long history of backwards compatibility, so signs are already positive.


Hello,

Is anything being worked on on the IO performance side of Defender? I’m still using a paid third-party AV for this sole reason. The impact is so huge with NPM packages, as an example…


IO impact is why I disable it on all my dev machines.

Microsoft really needs to make this easier to turn off too. Right now, I have to use an undisclosed privilege escalation hack-around to force things my way.


You can add folder and extension exclusions to Defender. I do this to the root of my source code folders and it helps immensely.


On the other hand, isn't node_modules the folder that shouldn't be excluded from antivirus scan?


Perhaps it's one better suited for periodic scanning? At least from a performance point of view.

Perhaps one ought to have live scanning enabled when updating packages, then disabled when not.

I look forward to seeing other replies.


The challenge is that excluded folders/extensions apply to both real-time scanning and manual/periodic scanning.

What we really need is the ability to disable real-time scanning on one set of folders/extensions, while still including them with scheduled system-wide scans.


Thanks, that's a great point. It made me think we could probably do this programmatically - perhaps as part of a script to carry out the full scan? Add the folders of interest, scan, then remove when completed.

https://docs.microsoft.com/en-us/powershell/module/defender/...

https://docs.microsoft.com/en-us/powershell/module/defender/...

Or, even just run said folders as a custom scan!

`Start-MpScan -ScanType CustomScan -ScanPath PATH\TO\FOLDER-FILES`

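The "add the folders, scan, then remove" idea from the comment above, written out as an added example (this is not code from the thread or from Microsoft). It assumes the built-in Defender PowerShell module (Get-MpPreference, Remove-MpPreference, Add-MpPreference, Start-MpScan, Get-MpThreatDetection) and an elevated session. Because Defender path exclusions apply to on-demand scans as well as real-time protection, the script lifts the exclusions for the duration of the scan rather than pointing a custom scan at the excluded folders, and restores them in a finally block so a failed scan does not leave the box with its exclusions gone.

```powershell
# Added example, not from the thread: lift Defender path exclusions for the
# duration of an on-demand scan, then restore them. Intended for a scheduled
# task on a developer box whose source/node_modules trees are excluded from
# real-time scanning. Run elevated; uses only the built-in Defender module.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# Snapshot the current path exclusions so they can be restored exactly.
$excluded = @((Get-MpPreference).ExclusionPath)
if ($excluded.Count -eq 0) {
    Write-Host 'No path exclusions configured; nothing to do.'
    return
}
Write-Host "Lifting exclusions for: $($excluded -join '; ')"

try {
    # Exclusions also apply to on-demand scans, so remove them before scanning.
    Remove-MpPreference -ExclusionPath $excluded

    foreach ($path in $excluded) {
        Write-Host "Scanning $path ..."
        Start-MpScan -ScanType CustomScan -ScanPath $path
    }
}
finally {
    # Restore the exclusions even if a scan fails or the script is interrupted.
    Add-MpPreference -ExclusionPath $excluded
    Write-Host 'Exclusions restored.'
}

# Show anything Defender found, newest first.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID, Resources
```

Two caveats: while the exclusions are lifted, real-time protection will also scan writes to those folders, so schedule this for a quiet period; and it only handles ExclusionPath, so extension and process exclusions (ExclusionExtension, ExclusionProcess) need the same treatment if you rely on them. Exclusions written with wildcards or environment variables are passed through unchanged, and Start-MpScan will fail on a path that does not resolve.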

>I’m still using a paid third party AV for this sole reason.

Would you mind naming it? AFAIK most third-party anti-malware solutions act like rootkits, possibly introducing new attack vectors, or have become basically ad-ware and malware themselves, trying to bait you into various subscriptions.


I’ve been using Nod32 from Eset for almost a decade now.

All AV somehow have to hook into low level system calls so can’t really avoid the kernel driver. Nonetheless, nod32 has been an install and forget AV with no interruption nor bait/nag screen at all. It’s a no bullshit AV and it does well.

I supposedly get the same protection as Defender (according to various AV tests review) and most importantly I get the IO performance back.


> All AV somehow have to hook into low level system calls so can’t really avoid the kernel driver.

While I don’t doubt this is true for Windows, on macOS Apple is phasing out kernel modules with APIs that allow software to hook into those low level calls without actually running in the kernel. For AV vendors there’s the Endpoint Security System Extension: https://developer.apple.com/documentation/endpointsecurity

All the AV/endpoint security solutions I’ve seen have switched to this.


I don't really see a difference, as a consumer. If the AV sits at the kernel level or between userspace and kernel, it's still sitting below userspace and can do whatever it wants to the system. Sure, if I trust the kernel is better written than the AV software, I may have a few extra guarantees, but that is not a given and anyway it doesn't mean I can confidently run an AV I think may be poorly written.

It overall seems like a more complex solution that has more chances of being wrong. I would bet the core reason Apple did it was to lock down their own control of your OS, not any security reason. Perhaps it also simplifies their development somewhat, if they can get rid of some stability guarantees for some in-kernel APIs that AV would have needed.


> it's still sitting below user space and can do whatever it wants to the system.

I don't know much about the Endpoint Security extension, but for Apple's network filtering extension they actually DO address this!

The code that runs on every network call is heavily sandboxed and can't communicate at all with the outside. Its only action is emitting some basic signal like "block" or "accept". This means that while the system extension can evaluate all your network communication, and block what it chooses, it can't exfiltrate the specific content. I might have the details wrong, but that's the general intention.

But the security benefits aside, I think the real reason for preventing code from running in the kernel is about stability and not security. Buggy code won't crash the system anymore. They can also enforce stricter performance requirements.

(And at the moment, you can still run kernel extensions on your own system if you really want by disabling SIP and other things, it's just infeasible for any AV vendor to have their customers step through that very onerous process.)


That's nice but what does MacOS have to do with Windows Defender?


My Mac has Microsoft Defender installed, not by choice but it doesn't bother me either. Those goshdarn VPNs on the other hand...


That's also what I'm using and for the same reasons. Defender's protection is fine according to testing, but the IO performance is insanely bad. I wouldn't bother with running ESET's AV if Defender didn't slow heavy disk IO operations to a crawl. And I'm not excluding any development directories because malicious code can come in either as part of the project I just pulled down from github or from pulling in one of its dependencies from a package index.


I've been forced to use a number of products over the years at work from Trend Micro to McAfee. They all need curated exclusion lists and we have to ask developers to put all source controlled files under an excluded path common for all devs.

McAfee is by far the worst offender IMO when it comes to file IO. We eventually dropped it in part due to its insistence on locking files in App Data, which is a common scratch space for almost every Windows app.


To be fair, most malware hides in App Data too... it's a convenient place that's hard to find using Windows Explorer and guaranteed to be user-writable.


Yes and McAfee was locking files for tens of seconds while it scanned. Things like Visual Studio and Notepad++ would become unresponsive after a single keystroke.


Back when I had to use McAfee on a work PC; I was using WSL 1 for building the projects I was running. Symptom was basically: do a compile, lose most of your RAM until next reboot. Stopping WSL wouldn't reclaim it; nothing showed up in Task Manager, Process Explorer, etc. The RAM was just gone; unusable. Post a bug to WSL, was immediately asked if I had McAfee and if so to disable/uninstall. Problem solved. But, due to insurance reasons, I had to have an AV running, and powers that be decided Defender was sufficient. Never McAfee again. It's been a pile of crap for decades; no signs of it getting better, either.


I really don't understand why the IO hit... If you're designing the OS, you can either scan a file when it's written to disk, or when it's read from disk, or sometime in between. When you have scanned a given file, you need not rescan it if the file hasn't changed.

These facts together mean that it should be really rare that any application needs to be waiting for any scanning - since scanning can happen anytime between a data write and a read of the same data.


No way to tell if it's changed if you don't store a hash as metadata.

Something like ZFS where hashing is baked into the cost of the FS operation could optimise this.


But if you control the kernel and all the code that runs in the kernel, you know exactly who has written to disk and when. So if nobody wrote that data, then it hasn't changed.


Removable media, network drives, low level disk operations? I don't think you can know with 100% certainty on a Windows machine.


Would the currently running OS know if another OS changed the file?


Can assume a single OS.


In Windows there's a hook on file handle close which AV products use to implement their file scanning.

I know this because I did a bunch of reading on the topic after encountering catastrophic halts inside of CloseHandle, deep inside the kernel. And even with administrator privileges I could not kill the process, or the attached debugger, and the machine was unable to shutdown because even it could not kill the stuck process. I had to hard power cycle to get back to a usable system. Near as I can tell this was because of the AV product the company was using that crashed or deadlocked or something.

Note this product was not Windows Defender.


The virus might be discovered after the file it’s contained in is written to disk, which is why you’d need to scan when reading.


Then don’t scan when writing?


The virus signatures haven’t been updated since my last recompile though.


Exclude your dev folders and your compiler from being scanned. The only way you'll get malware nowadays is from your web browser.


Unfortunately you can get viruses from rogue npm package.

https://www.bleepingcomputer.com/news/microsoft/malicious-np...


I recently had a new issue with the Defender: there are 2 apps I use that can delete files from disk, one is a mp3 player (foobar2000), the other is a video player (PotPlayer), both have a hotkey to "delete the current file being played". I've been doing it for years, but recently when I do it, the app will freeze for 5 seconds, meanwhile the CPU usage of window defender will shoot up in Task Manager. I tried to tweak all kinds of different settings in the Defender, and couldn't find a fix.


So on the one hand I want to validate and recognize both that you're having this problem and that finding a real live person who might be able to help you with it totally, very reasonably, evokes a "hey, can I tell you my problem?" response.

I don't want to minimize that, but I do want to (gently, good-naturedly) say that I think it's kinda funny.

As someone who once worked at a big tech company I think it's totally hilarious how telling people "I work on X product at Y company" totally evokes this sort of response. Tell enough people where you work and you'll see some non-zero percentage of people respond like this.

Like, when I was talking with a mover who was unloading my stuff and he asked "So, what brings you to these parts?" and I told him, his first response was "Really? Y'know, I've got that software and it doesn't work for me under these very specific conditions. Why is that?" (At the time I think I mumbled something about "I don't know". In retrospect I was moving to start work there so I realistically couldn't have known yet).

So - I hope you get your problem sorted out, thank you for giving me the opportunity to talk about this, and I think I'm gonna go chase some kids off my lawn now :)


The problem is that quite often asking some random person that works on X at Y company to take pity on you and look into your problem is more effective than the official support channels because they are so useless that they may as well not exist.


Wait until you hear what happens when you say you’re a doctor, electrician, carpenter, builder, mechanic…


As a mechanic in a previous career, I can verify that. The only answer I ever gave was:

"Sure I can look at that, bring it into the shop, we're open eight to five Monday through Friday, eight to two on Saturday, and open until eight PM on Wednesday and Thursday, but only for drop off, pick up, and tire changes."


This is why those t-shirts exist that say "NO I will not fix your printer"...


I have no idea and I don't work on that bit but there are lots of troubleshooting guides on "what to do if Defender is slow in situation X" in our docs - in 99% of cases it's interference (another program scanning) or specific programs acting in ways that trigger scanning often.

In all cases there are workarounds - I'm not using the Windows version (I'm on a mac) but when I had a performance issue it ended up being a script that created and deleted thousands of files quickly and tweaking it was fairly simple.


This is a pretty drastic fix, but if you don't really care about the video and audio files, and you're willing to lower security a bit, you can exclude the library locations from defender. I've done this with a couple of folders so defender doesn't scan executables from local compilation of code. Just remember to scan things when you download or copy from friends.


Saying "Client information is sacred" and stealing executables off all windows machines with the automatic sample submission on by default does not go well together.


That's normal and even kaspersky does it...but you can easily deactivate it, so your proprietary exe is not published ;)

PS: And that function makes sense for "the public" don't you think?


>even kaspersky does it

Thats an awfully low standard to set don't you think?

I don't think it makes sense for the public. Stealing files from unsuspecting users without as much as a popup saying "hey, we just snatched this file without you knowing this is even a possibility" is just sad.

EDIT: i just realized you are being ironic


How is it stealing? Do you lose your copy?


Sure wish I could go back and edit these comments to replace steal with "dubiously authorized copying"

I'm saying dubiously authorized because I bet no more than 5 out of 100 Windows users are aware this is even happening...


While it has been normalized, the OP's point is correct that the lip service to client data being sacred does not match the action of uploading clients' data!


That's whataboutism. I absolutely do not want Microsoft grabbing stuff from my PC without asking me, it's so insidious. And then they put the switches to turn these off behind so many loops and registry flags that it's a nightmare to turn this crap off.


And, if you turn off automatic sample submission, the Windows Defender icon in the task tray displays a scary exclamation mark, warning you that you might not be secure.

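For anyone who wants to see where the sample-submission switch discussed above actually lives, here is an added example (not from the thread or from Microsoft) that reads the relevant Defender settings through the built-in PowerShell module and flags the ones worth a second look. It assumes Get-MpPreference and Get-MpComputerStatus expose the properties named below, with the value meanings given in the comments; applying a change with Set-MpPreference needs an elevated session.

```powershell
# Added example, not from the thread: audit the Defender settings that control
# what leaves the machine (cloud lookups, automatic sample upload) and what is
# excluded from scanning. Read-only unless you uncomment the last line.

function Get-DefenderPosture {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus

    # Value meanings per the Defender module documentation:
    #   MAPSReporting:        0 = Disabled, 1 = Basic, 2 = Advanced
    #   SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples,
    #                         2 = Never send,    3 = Send all samples
    [PSCustomObject]@{
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        SignatureAgeDays     = $s.AntivirusSignatureAge
        MAPSReporting        = $p.MAPSReporting
        SubmitSamplesConsent = $p.SubmitSamplesConsent
        PathExclusions       = @($p.ExclusionPath)
        ExtensionExclusions  = @($p.ExclusionExtension)
        ProcessExclusions    = @($p.ExclusionProcess)
    }
}

$posture = Get-DefenderPosture
$posture | Format-List

# Flag the things a reviewer would ask about.
if ($posture.SubmitSamplesConsent -in 1, 3) {
    Write-Warning "Defender will upload files automatically (SubmitSamplesConsent=$($posture.SubmitSamplesConsent))."
}
if (-not $posture.RealTimeProtection) {
    Write-Warning 'Real-time protection is off.'
}
foreach ($ext in $posture.ExtensionExclusions) {
    # Extension exclusions are not scoped to a folder; they apply everywhere on disk.
    Write-Warning "Extension exclusion '$ext' applies to every path on the system."
}

# Keep cloud reputation lookups (MAPSReporting) but stop automatic uploads.
# Uncomment to apply (requires an elevated session):
# Set-MpPreference -SubmitSamplesConsent 2
```

Setting SubmitSamplesConsent to 0 (always prompt) rather than 2 is the middle ground if you still want the option of sending a suspicious file after being asked; the tray warning the comment above mentions is a separate Windows Security status indicator and is not something this script changes.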

Saying "client information is sacred" and there being proof of backdoors for the NSA in multiple versions of your OS:

https://en.wikipedia.org/wiki/NSAKEY


That incident did not provide proof. A text string is not a program. Given that over the last 20 years no one has shown that there is any code for the fantasy backdoor is near proof there isn't. Reversing the binaries and demonstrating such a backdoor would make one famous.

So no, this is not proof. At this point the lack of proof is near proof no backdoor existed.


"Reversing the binaries and demonstrating such a backdoor would make one famous."

At the risk of sounding tin hatty, not true. (In)famy doesn't equal success or money; anyone attempting to post state secrets without the help of another state is probably not hard to intercept and buy off...

Anyways, there doesn't need to be proof - a (forced) system update straight from the source (Microsoft), targeted to your machine, is all it takes to make all security redundant, and there are enough publicly known phone home systems in Windows that we don't really need to prove they don't already dragnet.

I'll grant you, subverting corporate sec is a bit harder, but usually boils down to a bit of carefully targeted infil, put the right exceptions in the right corporate solutions, and corp security is also nil.


Hasn't this been debunked multiple times, or at least never been proved to be a backdoor? I mean I don't doubt there are backdoors or exploits used by the NSA in most mainstream OS, but I don't think this is a good example of that


The naming and, from what I've gathered, recent changes are a mess.

Recently I looked at M365 business premium and thought that would only include Defender for O365 (why not M365?) and require a separate subscription for Defender for Endpoint, but now it looks like Defender for Business is included.


It would be awesome if you reviewed the blog post's (https://0ut3r.space/2022/03/06/windows-defender/) recommendations for accuracy/meaningfulness/etc.


I am not an expert - just a user and an engineer working on this. I'm happy to ask one of our PMs to review it; they know and understand the product a lot better than I do.

From reading the article everything "sounded right" but that's hardly an educated opinion since I only worked on _some_ parts of the product.

Actually - I think I'll ask our red team or security guild - that's also probably a good source.


That would be a great Tell HN post.


It would, but realistically there's no way it's gonna happen.


Why are Windows updates such an absurd experience? All my Macs and Linux machines update without any hassle and without taking so much time, Windows always takes very, very long and what is even more annoying it not only takes forever, but even after waiting 20 minutes for updates and rebooting it still needs new updates.

It is absolutely embarrassing and horrible. A bad, unusable system.

Fortunately I replaced all Windows machines with actual operating systems, so I do not have to use that ugly joke system too much.


First of all thank you for a great job. Since its Windows XP Security Essentials incarnation I consider it the best choice for Windows PCs protection.

But bloody please add an option to turn off hunting for "hack tools". As an advanced user, SMB admin and private programmer I use NirSoft tools and also keygens for my own apps but Windows vigorously deletes NirSoft (and perhaps some SysInternals also, but I'm not sure) tools and every keygen it would notice. So I have to disable it. It has even deleted qBitTorrent once although it is a perfectly legitimate app and I use it to download legal things like Linux distros and legitimately purchased Humble Bundle stuff.

Why can't I [with reasonable ease] configure it to only watch for real viruses/spyware/ransomware which really threatens to infect the PC?

In my opinion we even have to consider actual pirates using really illegal keygens because of this simple fact: there are many of them in mediocrely developed countries; they get confused, disable the protection, get infected and join the botnets. Even when there is a criminal we dislike to support and want to punish, we don't want them to get infected with anything and spread the infection further.

There should be clear distinction between unquestionable malware everyone wants and needs to be protected from for everyone's good vs questionable apps some people (justifiably or not) actually want to use for sake of their pragmatic interest.


Does Microsoft offer favourable treatment or withhold patches when it comes to state level APTs? Can we trust Microsoft to be neutral and offer security patches in a timely manner and defend the interests of their consumer customers above all? With the whole conflict in Europe, the issue of state level adversaries is rearing its head again.


Not the opinion of my employer but: no.

A state level attacker can likely acquire 0-day exploits that are not patched and bypass defenses.

Microsoft's offering does some really cool stuff like:

- Automatically detecting anomalous behavior in the network and isolating suspected devices/ips/machines/programs.

- Have real time security engineers constantly monitoring your network and hunting attackers and suspicious activity.

- Tools that automatically isolate possible attackers and help measure the impact of attacks.

> Can we trust Microsoft to be neutral and offer security patches in a timely manner

Yes, that for sure. Once an exploit is discovered it is typically very quickly identified. A lot of the time security patches don't come from Microsoft though - if you consider something like Log4Shell (the Log4J vulnerability) for example.

> defend the interests of their consumer customers above all?

I'm... not sure about "above all" since I am not sure what "all" is but if the implication is that Microsoft won't patch a security flaw for a state level APT then "yes". At least - if it ever happened it happened _way_ above my pay grade and if employees would learn of it there would be outrage.

> With the whole conflict in Europe, the issue of state level adversaries is raring its head again.

I think state level actors have consistently been a problem.

Note again as already mentioned none of this represents the opinion of my employer, just my thoughts.


> I'm... not sure about "above all" since I am not sure what "all" is but if the implication is that Microsoft won't patch a security flaw for a state level APT then "yes". At least - if it ever happened it happened _way_ above my pay grade and if employees would learn of it there would be outrage.

cough NSAKEY cough

Provided a backdoor for state security forces. Did it in NT, and then even after they were caught, did it again in Win2k.

You underestimate people's moral flexibility, especially that of "patriots."


My reply above to your NSAKEY stuff applies here too.


You have to assume that the state is collecting every scrap of data that MS gets from telemetry. I'm sure MS is collecting a ton of data for themselves as well. As much as the company line might say that PI is scrubbed, we know anonymization is a joke, and PI isn't limited to names and credit card numbers. You can learn a lot about a person by the contents of their Prefetch folder, their Steam folder, their internet history, the number of *.h *.c *.py files on their drive and how often they are updated, etc.

I'm sure on enterprise systems MS is pretty hands off. They've got a very stable cash cow there they don't want to scare away, but home users are probably screwed and you should expect that. MS has been making their opinion of their user's right to privacy and to control what their own computer very clear over the years. They've repeatedly demonstrated a willingness to leverage their OS against the users and their wishes for power and profit. Act accordingly.


LTSC. Long Term Support Channel. Anti-telemetry anyway.


Even with LTSC you can't disable all telemetry, It could have been a great (and very popular) option for companies (even though it wouldn't help home users), but MS didn't want that and discouraged its use in everything but the most extreme cases (https://www.computerworld.com/article/3326065/microsoft-tras...) even before they cut support to 5 years instead of 10.

Maybe things will be better with windows 11?


That's good to know and you sound pretty earnest to be honest.


Is there something you could say about complementing Defender with paid MalwareBytes? Is there too much overlap to justify this? Or is performance hindered more than the additional benefit accrued (not that I feel it, system is responsive enough)?


It's so nice being able to tell my family and clients that yes, they really don't need a separate AV anymore.

The name changes don't hurt anything. I just say Windows comes with AV built in and it does a fine job all on its own.

MS really did well with it.


> Client information is sacred

If you need to point this out, I get the feeling it's not. You are only saying this because a boss told you to do so. Is what I'm feeling from this.


Apology mostly accepted. It certainly makes it hard to discuss with people!


Thanks for this comment, means a lot for me. Fingers crossed.


> Hey, sorry for all the name changes of Microsoft Defender.

Let's be fair, naming is not a strength of Microsoft. It seems that every product other than Windows and Office is renamed every couple of weeks; and even in those two examples, explosions of SKUs manages to muddle the waters just as well (Apple's "Choose a Vista" was very much on-point, even if you preferred Windows over Mac).


When I was at microsoft, I campaigned hard that we should name windows releases after dog breeds. Apple did big cats, who wouldn’t love to download windows 10 golden retriever? No one wants windows 10 fall 2021 update for creators.


As an avid Apple user, I can't stand their naming conventions. I don't have any idea if High Sierra came before or after Mojave, or if Lion was before or after Mountain Lion. I would much prefer version numbers/years.


Yup, I also hate this in the Linux world. Debian Bullseye? Ubuntu Focal? WTF? Ubuntu 20.04 LTS, thank you very much; please cease and desist with the "cute" names that force me to consult a chart every time I encounter them.

iPhone 10, Galaxy S7, RX470, such product names are significantly easier to keep track of.


Debian, Ubuntu, and Android names are all alphabetical, so you can tell which versions are newer and older. That's all version numbers are really useful for anyways.


Just checked. Android and Ubuntu, yes. TIL. Debian I don't think so though? It goes Jessie(8), Stretch(9), Buster(10), Bullseye(11). Many other examples of non-alphabetical products exist.

Regardless, numbers are easier to work with, easier to remember, and it's immediately apparent what's going on with them. "debootstrap focal target" is more difficult to remember than a hypothetical "debootstrap ubuntu 20.04 target" would be. In practice I have to consult a chart almost every time.


Debian is definitely not alphabetical

https://en.wikipedia.org/wiki/Debian_version_history


So, Impish Indri vs. Intrepid Ibex - which one is newer? ;)


Version numbers can also tell you the date of the release.


But they do? Each version of macOS is numbered. We're on macOS 12 right now.


Honestly, I had no idea. I recently had to have my MBP repaired (new logic board... as always). So, I got it back with the latest OS (Monterey). I needed to download some software that was for specific versions of MacOS, and I honestly didn't even know there was a OS 12. I thought I was still on "OSX".

If it wasn't "Monterey" and was just MacOS 12 there would've been no confusion. I feel like it's always an exercise of looking up the code name to find the version whenever someone is like "Yeah, I'm on Big Sur" .... ok one sec, let me google what that even means.


I spent some time as CPE so I guess the naming convention always made sense? You went from lesser cats to greater cats and now to different sites in CA. Each naming always comes with a version number to fall back on...


That doesn't help when people like to refer to the version by its name only, omitting the number, which forces you to do a lookup against wikipedia or whatever.


Mountain Lion was after Lion, Snow Leopard after Leopard. In fact I think I can remember all the cat ordering.

But as someone in the UK, random Californian landmarks are impossible to remember.


Does anybody know which cat came before another though?

Numbers are best. Years are fine. Names are... Cute but Impractical.


Android alphabetical names seem fine.


TIL that they're alphabetical. I always hated them before just now but I guess that's slightly more tolerable. Really though, please just stick to numbers if you ever have to name a product lineup. It's immediately obvious to anyone that Firefox 77 came after Firefox 76.


Once you run out of letters, it gets confusing too. Ubuntu's wrapped around I think twice in its history; it goes through code names from A to Z before starting over again. Is Gutsy Gibbon newer or older than Babbling Baboon? At least the $YEAR.$MONTH release numbers make sense, no questions about the relationship 18.04 and 21.10 have.


Didn't they drop it? Or de-emphasize it? I know the current version is Android 12 but have no clue of the name. Same for all previous. My old Note 8 has Android 9. My original HTC I think ended on 1.6 or something. I still have an ancient Asus tablet on Android 4. Etc. - I never knew or cared, and didn't HAVE to, about the cute name.


To top that, when reading SDK docs it is actually 1709.


Naming and version numbers together. I still can't get my head around the series of organisational perversions that would be required to go through that whole period (lasting years) of .NET/.NET Core/.NET Standard/crazy versioning/divergence and convergence malarkey. This all appears to be on a more sane course now but it's taken far too long.


I still don't fully understand which parts of the various .NET frameworks I can safely use with a fully FOSS stack on an arbitrary Linux distro or a Mac or whatever and which parts are effectively limited to Windows. The entire thing is incredibly confusing.


Easy, the parts that are relevant to sell ASP.NET services on Azure.

Everything else is mostly reserved to Windows, including dotnet CLI tooling outcomes like trace and dump files debugging.


`dotnet-dump analyze` allows analysis of dumps on Linux using the same SOS debugging commands that work under windbg. They even added some native memory examination commands. You are lacking the rest of a native debugger, but well, asking the team to produce a full blown multi-platform native code debugger would be a bit much. You can instead SOS into lldb for mixed mode debugging of both live processes and dumps on linux.

For tracing, well that means very different things to different people. One can capture most of the CLR level events that would go through ETW on windows with the `dotnet-trace` tool, which can also function as a primitive sampling profiler. But despite its name it does not use the profiling apis to implement a tracing profiler.

The analysis side of the dotnet-trace tool is subpar, but honestly even the best tools I can find often leave me underwhelmed on the analysis side.


Ahem.. Looking at you Visual Studio 2005 Team System, I mean Visual Studio Team System 2008... I mean Team Foundation Server, no wait Visual Studio Team Services.. So sorry, Azure DevOps, obviously.


I think Github Azure Edition is what you’re looking for


Github Azure Edition doesn't seem to be a real product that I could find any reference to.

Searching "Github Azure Edition" brings up this page[0]. That's the name of this promo page, and it talks about Github integrations into various Azure products. The very first product it talks about is Azure DevOps. Direct quote:

"Simplify deployment from your repository with seamless access to the Azure portal and Azure DevOps using your GitHub account credentials."

I can confirm that the parent comment you replied to is correct, as I used to work at Microsoft during the time when the renaming from Visual Studio Team Services to Azure DevOps was happening internally. As in, not that I was involved in it, but that we used VSTS, and then we noticed that the name was changing to Azure DevOps everywhere. All while we were still accessing the same service and all as before.

0. https://azure.microsoft.com/en-us/products/github/



I see, so they offer Github hosted on Azure as well now, thanks for sharing it, I actually didn't know.

Though the parent point still stands valid, as Visual Studio Team Services indeed became Azure DevOps. Github hosted on Azure is just self-hosted Github and has nothing to do with VSTS/Azure DevOps.


> Windows Live Local Powered By Microsoft Virtual Earth

An actual name of a product I worked on at Microsoft


All the first letters (WLLPBMVE) sound like some system dll name or running service.


Yet, in a moment of poetry and perfect copy-writing one of the most beautiful names for a piece of software is born: Word.

…and “Windows” as well.


> Microsoft both delivering a good product and acting in good faith

I’m going to call you out on that. Microsoft lost my trust to act in good faith with personal data when they started capturing my private OS user input (e.g. the history from Windows+R (run)) and forced me to link it to my personal identity.


>when they started capturing my private OS user input (e.g. the history from Windows+R (run)) and forced me to link it to my personal identity.

Source? Searching for "windows run dialog telemetry" on google turns up this thread https://news.ycombinator.com/item?id=28598474, which has multiple people saying they can't reproduce it, and the author retracting the post: https://news.ycombinator.com/item?id=28608540


I observed first hand that disabling sending telemetry also disabled the history for win+r.

It’s also quite easy to observe that when you type anything into the start search interface you are steered or defaulted to searching Microsoft internet services.


> I observed first hand that disabling sending telemetry also disabled the history for win+r.

1. Okay, but how's that relevant to my original question? Is the history being broken supposed to be smoking gun evidence that windows is sending your "history from Windows R (run)" to microsoft?

2. I just tried and failed[1] to reproduce this on a VM with a fresh install of Windows 10 Enterprise LTSC 2019 with "telemetry disabled". There isn't a universal standard for "telemetry disabled", but at the very least I have the "Allow Telemetry" and various search related group policies activated. I suspect what's happening is that you ran one of those "disable telemetry scripts", and that unintentionally broke it.

[1] https://i.imgur.com/WkbnBlM.png

>It’s also quite easy to observe that when you type anything into the start search interface you are steered or defaulted to searching Microsoft internet services.

but we were talking about the run (windows-R) dialog, not the start menu?


> I suspect what's happening is that you ran one of those "disable telemetry scripts", and that unintentionally broke it.

I am 100% certain that’s not the case. Yes, the point is that setting all the most private privacy options on Windows 10 stops it keeping a win+r run history. I didn’t go as far as installing a custom root CA and intercepting binary telemetry data to prove that the data was being sent. I think the fact that the MRU list is disabled strongly suggests that the product team assumed or knew that it was collected.

If your experience is based on LTSC Windows/Office you probably have a different experience.


While MS isn't collecting your run history (at least not as you type it) the point stands. They've decided to use their OS to collect personal info on users for their own profit. The extent to which this happens can be limited, but not disabled entirely (for most users). That's reason enough to not trust them.


What does this mean? Can you link to something?

If they are doing a keystroke logger (ie, capturing typed private user data) where are they logging this keystroke log to? Or is the run command history sent up?

Are you talking about folks with Send my activity history to microsoft checked?

I have a script that sets default privacy preferences to my own preference when I start using a machine, you might consider that.


> I have a script that sets default privacy preferences

Then you will probably notice that you no longer have a history for Win+R run history.

It’s not unique to Windows to mine user input but it’s more recent than for example the search in iOS and less obvious than Google search.

I believed that the “personal” in Personal Computer meant that it belonged to me, and that used to be true. We are sliding down the slippery slope of allowing the software vendors to own our devices.

I think the starting point with Windows was product activation in XP, and that was quite legitimately intended to stop software licence abuse. I am still comfortable paying for closed source software but Microsoft seem to have given up on that business model.


Hello, they send anything you type in the start menu right into Bing, and they cut every way to disable it. By lying they trick every user inexperienced in their methods into enabling an online/Edge account, so everything you type almost anywhere (except maybe Notepad, but pretty sure including Office) is linked to you, your payment and billing info, your SSN, your location, your purchases, and all the people you interact with. And then they feed you with generic tabloid puke from the spyware-enforced Internet Explorer site msn.com, which you also can’t easily remove from appearing at start. The amount of trackers on this site is staggering.


Microsoft lost my trust in the 1990's. Never been happier without them since.




The inability to simply "see client data" even if you go through multiple bastions did kind of surprise me. I worked at several startups before Microsoft where just asking the client for permission was considered OK.

This certainly makes debugging production issues much much much harder - there are certain environments whose data you simply can't access (either as a user or as an administrator) and you have to rely on telemetry (much of which you can't gather since it can possibly be used for PII - this is all an audited process) to debug issues (attaching a debugger is also prohibited since you can read data that way and the port is closed).

Instead of trusting me - think of the corporate incentive to do well here. Consider how much it would cost a company like Microsoft if employees were exposed to confidential customer data (our customers can work with medical data, so a fairly expensive legal nightmare) vs. what the company gains (engineers have a slightly easier time debugging). At Microsoft scale I guess it simply makes sense to be super strict about this.


>Instead of trusting me - think of the corporate incentive to do well here.

Unfortunately, when it comes to anything Microsoft related, due diligence research and logical thinking are rarely employed by the HN crowd, and instead replaced with anger and FUD. I've lost count of the number of comments saying Microsoft is forcing TPM to spy on us.

Not saying that the alphabet agencies or nation states couldn't misuse Microsoft's reach to get more private customer data, but that would apply to all US based corporations, not just Microsoft. And since AFAIK, Microsoft seems to never have been hacked for its customers' data to be leaked like it happened to Sony and Facebook, it seems they're doing a good job so far of keeping the amateur bad actors out and their customers safe.

So thanks for commenting and sharing inside infos, as some big companies ban their employees from doing the same.


>but that would apply to all US based corporations

Thanks, no one said otherwise....but then it's not a quality standard per se ;)


> Instead of trusting me - think of the corporate incentive to do well here. Consider how much it would cost a company like Microsoft if employees were exposed to confidential customer data (our customers can work with medical data, so a fairly expensive legal nightmare)

The last 3 decades of big players misbehaving taught us they usually get a slap on the wrist for pretty much everything at worst, and a fine of half the money they made from the feature at best.

I'm not sold.


So true, maybe I am an old grumpy guy, but at least I learned something from the past.

Not sold either ;)


> Instead of trusting me - think of the corporate incentive to do well here. Consider how much it would cost a company like Microsoft if employees were exposed to confidential customer data (our customers can work with medical data, so a fairly expensive legal nightmare) vs. what the company gains (engineers have a slightly easier time debugging). At Microsoft scale I guess it simply makes sense to be super strict about this.

Your employer has been caught twice providing NSA backdoors in its operating system and its "home" edition makes it impossible to disable a stunning and completely unnecessary level of telemetry data.


Third time this thread you’ve made this disproven claim. Give it a rest.


Look, it really was not a personal attack on Microsoft engineers, but the plain and simple reality that Microsoft is a US Corporation and Azure falls under the "Cloud Act" says everything; the fact that engineers don't have access to customer data is probably just to prevent leaks. And I bet Microsoft does more than 99.9% of others to protect customer data...but then, no one can prove it.


I responded to multiple major compromises during the Hafnium Exchange hacks.

https://www.theverge.com/2021/3/8/22319934/microsoft-hafnium...

In quite a few cases, we identified that ultimately a server had been popped using this unknown zero day, but never-before-seen webshells and Cobalt Strike droppers all ended up dropped on servers and then deleted by Windows Defender. We recommended rebuilds regardless but the product clearly provided more security than people give it credit for.

Then we identified a number of places it didn't appear to work. Why? The answer was people following "best practices" of adding AV exclusions for the whole web root folder, and for some reason the whole user profile folder.

That big Kaseya hack? Every Kaseya user was told by Kaseya to add exclusions for every folder used by the product.

One of the understated issues with modern EDR products is people simply following vendor advice and making it useless. I've got a software product that handles payment details that randomly drops EICAR test files in random folders all over the user's PC while it's running just so it can shut itself down if it detects Defender in use "for support reasons".

All the top EDR products in the world and all the hardening advice you can find can go down the toilet pretty quickly if you let vendors tell you how to run these products - ignoring them is a highly rated hardening tip.
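The comment above describes the failure mode (broad path, process and extension exclusions quietly blinding Defender). As an added example that is not part of the thread, this PowerShell audit lists a host's Defender exclusions and flags the broad ones; it uses the built-in Defender module (Get-MpPreference, Get-MpComputerStatus), must run elevated to see exclusions, and the "broad" patterns are my own heuristics, not a Microsoft list.

```powershell
# Added example: audit Microsoft Defender exclusions for entries that make the
# scanner blind to whole drives, user profiles, web roots or scratch folders.
# Run from an elevated PowerShell; exclusions are hidden from non-admins.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Heuristic patterns (assumption: these are the shapes seen in the thread's
# "exclude the whole web root / whole user profile" advice).
$broadPatterns = @(
    '^[A-Za-z]:\\?$',                        # a whole drive, e.g. C:\
    '^[A-Za-z]:\\Users\\?$',                 # every user profile
    '^[A-Za-z]:\\Users\\[^\\]+\\?$',         # one entire user profile
    '^[A-Za-z]:\\inetpub\\wwwroot\\?$',      # IIS web root (webshell territory)
    '\\(Temp|Downloads|AppData)\\?$',        # folders that anything can write to
    '^\\\\'                                  # UNC share roots
)

function Test-BroadExclusion {
    param([string]$Path)
    foreach ($p in $broadPatterns) {
        if ($Path -match $p) { return $true }
    }
    return $false
}

# Baseline state worth checking alongside the exclusions
Write-Host "Antivirus enabled:         $($status.AntivirusEnabled)"
Write-Host "Real-time protection:      $($status.RealTimeProtectionEnabled)"
Write-Host "Running mode:              $($status.AMRunningMode)"
Write-Host "Block at First Sight off:  $($pref.DisableBlockAtFirstSeen)"
Write-Host "MAPS reporting (0=off):    $($pref.MAPSReporting)"

$findings = @()

foreach ($path in @($pref.ExclusionPath)) {
    if ($path -and (Test-BroadExclusion $path)) {
        $findings += [pscustomobject]@{ Type = 'Path'; Value = $path }
    }
}

# A process exclusion means every file that process opens goes unscanned,
# so every entry is worth a second look, not just "broad" ones.
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($proc) { $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc } }
}

# Extension exclusions for executable or script types defeat scanning outright.
foreach ($ext in @($pref.ExclusionExtension)) {
    if ($ext -and $ext -match '^\.?(exe|dll|ps1|js|vbs|bat|cmd|aspx?)$') {
        $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "`nNo overly broad exclusions found."
} else {
    Write-Host "`nExclusions to review (drop them with Remove-MpPreference):"
    $findings | Format-Table -AutoSize
}
```

Vendors that require exclusions usually need far narrower ones than they document (a specific binary or data directory rather than a profile or web root), so each flagged line is a candidate for tightening rather than automatic removal.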


The performance impact is real


what is your suggestion? why don't companies irl improve performance in ways that don't compromise security?


My firm belief is that hardware vendors do end users a disservice by preloading 3rd party anti-virus software that expires and requires payment after a period of time for virus signature updates. Typically this 3rd party software disables Defender, so once the pre-installed AV trial runs out, the user is exposed.


The end user was never even considered.

But surely windows will activate defender? Since any AV must register in windows and considering that MS isn't exactly known for respecting user wishes I'd expect defender to start up the same nanosecond any other AV stops.

Though I'd never put myself in a position to test that.


It has been my experience while fixing family members' computers that unless you uninstall the third-party antivirus software Windows Defender doesn't kick in. If I recall correctly there was an instance where I tried to switch from third-party to Defender (without uninstalling 3rd party) it would not let me stating that AV was managed by group policy (? I forget the exact phrasing) and I had to uninstall the other antivirus software first.


From memory and vague experience, if Defender detects another registered AV product it disables its engine. Techniques used by non-OEM AVs to get the telemetry and visibility they need to make decisions probably aren't "safe" when another non-cooperative AV is installed.


> do end users a disservice by preloading 3rd party anti-virus software

There's a reason they're paid for doing so. If it was beneficial they'd do it for free.


Agreed. Additionally I think it may look more impressive to novice buyers when the product lists a bunch of free (albeit worthless) software included in their purchase.


For sure, at a minimum the only reason to be doing that is to put food on their table.

I’m sure that there are other reasons - do you have any in mind?


Hardware vendors know their buyers are too poor to afford a MacBook, and therefore load their overpriced plastic junk with enough offerings that they make massive profits. Dell and hp rely heavily upon their users not understanding tech and will sell a laptop with a 5400rpm drive that does not function. They are meant to be sued by the FTC but consumer protection in the U.S. has been bought out.


>Typically this 3rd party software disables Defender

I run Glasswire [1] which started as a detailed bandwidth monitor but now has a firewall feature that sits on top of Defender and works with the rules list so not trying to replace anything.

It's simple and adds the biggest win in this article's list of recommendations imho which is Block on First Sight. In addition to asking, Glasswire also checks every new or updated network service requestor's VirusTotal score. No Group Policy or PowerShell magic required.

[1] www.glasswire.com


I think GlassWire's bandwidth monitor is great, but don't think their firewall feature is equivalent to "Block on First Sight."

Taking a quick look at MAPS block at first sight, it appears to look at both the executable file and non-portable executable files such as JS, VBS, or macros, then stop execution, however it isn't clear if this also includes things such as dll files or the python script being executed by python.exe.

The firewall feature of GlassWire, or any application level firewall will only block traffic for your typical, well behaved programs, to save some bandwidth, and possibly block some telemetry if the program isn't too mischievous. This is because GlassWire doesn't stop the program, and can't tell if you're the one running the executable or another application is running it programmatically, so if EvilApp.exe notices it can't connect to the internet, it could just use something innocent you've allowed such as Firefox or python to send/receive data on its behalf (or just do that from the start).

This is why it's still important to check the bandwidth of programs you trust for abnormalities, even if you've only allowed trusted programs and block everything else, and why it's so important to keep programs up to date and only run stuff you don't fully trust in a sandbox (since I doubt MAPS block on first sight is perfect either).


Thanks for that clarification & I agree the best solution is always going to be keeping a close eye on your top talkers and understanding what the normal baseline should look like.


Never heard about Glasswire, looks interesting. I definitely need to take a look. Thank you for the comment!


Definitely, getting rid of them pretty much requires an OS reinstall too which is incredibly annoying when it feels like I've had to waste an hour or so of my time so that the hardware vendor could make an extra buck. I occasionally get batches to do at work and I advocate against buying from vendors that do this kind of thing (for the little good it does, since they all seem to these days)


My first step with a new personal computer is to boot to a thumb drive, format the disk and install what I believe to be a clean copy of Windows.

In a business environment I've always been an advocate of staging one machine, taking a drive image and using that image to clone the rest. It resolved so many issues: if the end-user mucks up their machine so badly you just reflash the drive image and send them on their way.


Have the options for making and installing images on Windows improved? I've looked into some a while in the past for work but they always seemed to come with enough caveats that they wouldn't quite work for our case. E.g. very few of the machines have the same hardware configuration, and outside of a few bits of common software each department has its own unique software requirements and variation within departments.


To really answer this you need to separate OS image deployment from software install; put out a common base with essentially just management, security, and observability tooling in place. Then use a package management tool to roll out your LoB software. Bonus points for making that self-service so users can do it themselves.

Given how many devices use out of the box drivers, combined with the amount of drivers distributed with Windows update, that part of the story has gotten much better as well.


At work, we use SCCM to do this. You just plug the PC on the network, PXE boot, and it does its thing. You can also create a USB drive that installs the same image. It then proceeds to install the third-party software via SCCM, too, so you don't need to upgrade the installation image every time a new app version is released.

One caveat is that SCCM is not free, and we have a dedicated guy managing it. Not sure how much work that entails (he's not full-time), I rarely if ever touch our Windows environment (I'm running Linux on my own machine).


Yes, since Windows 8 it's improved dramatically. I've taken hard drives from a desktop that failed and booted said hard drive in a USB enclosure on a laptop (very dissimilar hardware, obviously) and after a few minutes of Updating Device Configuration, Windows boots.


I have run into that and in my experience it doesn't make sense to have dozens of different images for all the different variations. However, after getting a baseline image, one of my employees created multiple batch files (one for each department) that is run to do a silent install of department specific software.


Yes with Windows 10 you are able to refresh the image deleting all files and software (or only software) from within the settings app.

Also there are features that allow downloading the install image from Microsoft servers similar to what Apple has had for years. But this might be an enterprise customers only feature.


I've found that the shovelware uninstalls pretty easily in a new PC, at least McAfee, Norton, and Avast. No need to reinstall the OS, just run the AV product's uninstaller and it appears to be gone. I haven't done careful forensics to see what little bits it has left behind but whatever they are don't seem harmful.

Still hate the shovelware. If it were a good product I would choose to install it.


When I bought my last laptop it had Windows S mode and no crap whatsoever, it was vanilla Windows. I'm not sure if there is some OEM agreement not to install crapware on Windows S mode, does anybody know? You can then switch S mode off and it will become normal, clean Windows.


I'm not sure about S mode, but there's a program called Microsoft 'Signature' that means any Signature machine you buy has only Windows and essential drivers/control apps, no extra adware or funded programs such as the time limited anti-virus and extra jank. That's one possible explanation for getting a vanilla Windows.

Sadly that's discontinued now as Windows descends further into consumer abuse and anti-features. https://www.howtogeek.com/402888/looking-for-a-microsoft-sig...


S mode just means you can only install programs through Microsoft Store.


Pretty much all AV software, including Defender, does not care about false positives unless it's software from a big company so leaving users without warnings based on shitty heuristics is a positive thing in my book.


My only grief with Windows Defender is its resource use. My Windows 10 computer booted 26 hours ago. Windows Defender is using 2186 MiB of RAM. I don’t think that’s appropriate, even if I have 32 GiB in total.

With Office 365 ATP, things get even slower, too, which is not so great on my work device.

Detection rate is one thing. Performance is another. Both are important.


> Windows Defender is using 2186 MiB of RAM. I don’t think that’s appropriate.

These memory-type debates come up time and time again. Keep in mind I'm a programmer from the DOS days, note my user name on when this was an important issue. We had to cram every byte.

These programs will use idle RAM as they see necessary to be performant. If you aren't using the RAM, why not actually use it for what it's for?

Are you under memory pressure? How many GB of RAM do you currently have and how often are you capping it out? Try seeing what happens when you are at your GB RAM cap.

"I don't think that's appropriate" is highly subjective and it depends on what it does, and what you are currently doing.


Sure maybe the memory is freed (or paged out) as pressure rises. The former is however not guaranteed in any way and requires that Windows Defender (or whatever other application) actively monitor the memory situation, taking appropriate action as it changes.

That's something I'd expect a database to do. A virus scanner? Not so much.


every new dotnet package, powershell module, go module, container image, etc that i pull and want to start using results in about 10 minutes of complete system unavailability due to defender going off the rails with ram and cpu consumption. it used to be i’d have to wait for the compiler to build, now i have to wait for defender to defend.


Interesting. I haven't had this experience at all. Are you using non-standard settings?

I think you can exclude certain directories from Defender scanning too.


i’m using the corporate gpo-enforced settings. i’ll try to override them tomorrow.


Where’s the setting where one decides between file system cache, anti-virus, swap space, and other uses?

If there was one, it would be fine.


He is saying that many programs are written to use "free RAM", ergo unless defender is still using 2GB ram when your PC is at your RAM limit you don't have a problem. Every OS does it, let your OS manage RAM.


>Every OS does it, let your OS manage RAM.

Unlike linux[1], windows task manager correctly shows "cached" ram as "free" ram. Therefore it's highly unlikely that the memory usage is from the OS caching mechanism.

As for the actual behavior of using free ram, what happens if there are two apps that try to use the same behavior? ie. you have windows defender and a DBMS installed, both of them try to use up all the free ram. In this situation, what makes you think the "using all the available free RAM" behavior of windows defender wouldn't push out the "using all the available free RAM" behavior of the DBMS, leading to worse performance?

[1] https://www.linuxatemyram.com/


Task Manager does not report memory use by the OS I/O cache, but there's no general way for it to know what portion of process memory is "necessary" versus "nice to have," so many processes have some type of internal caching (web browsers for example!) that they are able to dump but will be included in their reported memory consumption. Windows has several different layers of caching which makes this a bit complicated to generalize about, but that's sort of the point... Task Manager is not clairvoyant, and so if a process has allocated memory other than specifically through an OS caching infrastructure it reports it as memory in use. The OS caching infrastructure is not so general that it covers every need to hold some memory for performance optimization.

Windows has an infrastructure to prioritize memory availability by process, and to notify processes when there is physical memory pressure so that they can act accordingly. I'm not sure, but as a first-party component I would assume that Windows Defender uses these appropriately.

That said, like most real-time antivirus Defender does feel that it is important to complete real-time protection scans and will sometimes do so at the cost of performance. The logic here is that it is important to complete these scans even under conditions of resource pressure, otherwise malware could just do things like cause high system load before downloading a second stage in order to avoid Defender completing a real-time scan.

Unfortunately this does sometimes cause headaches, for example I saw a situation recently where someone ran a tool that opened a huge number of media files on a NAS in order to read their metadata. This resulted in Defender queuing up a real-time scan of probably over a TB over the network since it saw all of these 10GB+ files being touched, with a definite negative impact on performance. I still wouldn't give "exclude network mounts" as general advice as some people do, but that's an example of sort of a pathological case for real-time scanning where you probably want to exclude it.


The problem with this shortsightedness is that if everyone is trying to grab free ram and then drop it as soon as anyone else asks for it, you'll end up in some sort of merry-go-round of applications allocating and deallocating between each other. Or, as per Chrome, swallowing up everything and you have to figure out which tab needs to be closed.

Only the kernel should be grabbing "free" ram and allocating it for cache.


Why are you trying to manage it? Let the OS do its thing, it’s really good at memory management.


AFAIK the OS file cache doesn't get counted towards the process's memory usage, so if windows defender is showing up as using 2GB of memory, it really is using 2GB of memory for the app itself.


I have a DBMS, a browser, and an antivirus - all of which would love to have "free ram" that's not currently in use by other programs in order to speed up its own work.

How do I tell the system which of them I prefer (or some rank), instead of letting them fight it out, each of them thinking that they are the process entitled to all the perks of the currently unused memory?


Either they need the memory or they don't. If they feel like they need to store something to save on network costs then they should store it, and the OS will page it if it isn't used often.

The AV doesn't need to take "free ram" except when it tries to guess what the OS will do with disk cache. But by putting it in the AV cache it then prevents other software from using the cache.

Just use the OS level disk cache.


> instead of letting them fight it out

Nothing is "fighting it out", there are internal heuristics to understand what applications need that RAM.

This is an internal OS feature of modern operating systems. If you are not capped out on RAM usage, this point is moot. If you are truly running at the RAM cap, to where the OS is paging out memory to disk and you have contention, you need more RAM.


Yes, but the context of this discussion was Q:"why is Windows Defender using 2GB of ram!?!?" A:"It only does that if no other process needs the memory". Which works fine only if there is only one distinguished process.

My point was that there isn't one distinguished process, and that thus -- as you described -- it should be left to the OS to decide and not to Windows Defender.


> "Are you under memory pressure? How many GB of RAM do you currently have and how often are you capping it out? Try seeing what happens when you are at your GB RAM cap."

Where's the explicit code in Defender which ensures it only does its thing if the system isn't under heavy load?

Also, you do realize that if every program followed this pattern - it would cease to work?


I've never had RAM issues with Defender but I have noticed that I/O suffers terribly when Defender is enabled. Twenty second installs take five minutes, and don't you even dare try running a `yarn install` because Defender WILL scan each and every file of your 65535 dependencies and it WILL NOT use more than a single core it seems.

Whenever I see a machine that's slow or sluggish during operation but reports that only 60% of its resources are used, Windows Defender is usually the culprit. I've nerfed Windows Defender for performance reasons to the point that I wonder why I even bother anymore.


> because Defender WILL scan each and every file of your 65535 dependencies and it WILL NOT use more than a single core it seems.

Does yarn use more than a single core? I've seen some analysis articles that a major root cause of the slowdowns here are that the scanning API is hooked into file close and scanning takes time, so if you have a straightforward open file, write to file, close file, repeat single threaded process, your throughput gets really limited. I don't think there's a Windows API for asynchronous close, but if you send the handle to a thread (pool?), that will get you much better results.


I wouldn't know, to be honest. It's not just a yarn problem, though. Anything operating on lots of tiny files (from IDEs to git to setup executables) gets bogged down to Windows Defender in strange ways.

None of the resources in task manager (or the resource manager thing) will show anything being capped so it's hard to troubleshoot what system Defender stresses so much.


> None of the resources in task manager (or the resource manager thing) will show anything being capped so it's hard to troubleshoot what system Defender stresses so much.

Yeah, task manager is missing the most useful feature of FreeBSD top, the state column that lets you know what the process was doing at the sample time. If you saw your installer was always in state close handle, you'd have a good guess. But it's a straightforward throughput problem; if it takes 1 ms to scan a file, and there's no concurrency or pipelining, then you're limited to 1000 files per second. If you can thread pool closing, you get a lot more throughput. Unfortunately, everything that runs on windows and expects to close lots of files needs to manage a threadpool to close, but usually developers don't get to pick their platform, their users pick.


I ripped out all of Windows' security features before even booting up the first time using the recovery console. It's blissful. Opening the windows security window just shows a blank white rectangle. My computer idles at 0% CPU. I never get annoying security popups, I never have to worry about Windows deciding to delete something to "protect" me. It truly makes my life much better. I wish there was just a button for it so I didn't have to go digging deep into the internals to do it. Too bad it's the norm to tell people how to run their computers these days.

I've got Windows Sandbox to try anything shady in and a decent firewall on the edge between me and the rest of the world, I generally don't worry too much.


TBH in one company we worked on Windows laptops. I was rebooting my laptop every Friday and my friend once a month. His everyday tasks took much longer and his laptop was slower; after a reboot both were fast and fresh. That small dumb experiment made me sure Windows machines needed a regular restart. Same with Android phones. When I set a scheduled phone reboot every Saturday evening it started to work without any issues. (https://i1.sndcdn.com/artworks-000462382710-ibx95g-t500x500....) :D


That sounds like something is wrong.

I checked on 5 different machines, one of which is a corporate laptop, and every one showed Defender using 100-150MB memory. 3 of those machines have 64GB memory. My desktop (which has 48GB memory) has been on for a week, and is currently showing 135MB.

In my experience, Defender's resource usage is actually low by comparison to others. McAfee is the worst, by a long shot - fans spin constantly, it uses up to gigabytes of memory, and is a ludicrous CPU hog.


We set up a new lower-end AWS server for dev only and had to disable it because it was impossible to log in or run SQL Server queries due to hitting quotas. Probably a bug in the implementation, but couldn't find a better fix. We do have IP whitelists on it but it still made me uneasy turning it off. Maybe this is normal though, I don't AWS much.


The performance and battery life impacts of Windows Defender make it just not worth it for me though. I had a few months where I went back to Linux on my ThinkPad (unfortunately with an nvidia gpu - whose Linux drivers I think caused half my troubles) and it was soo much more performant - but it had enough various annoyances where I just went back to Windows 11 and WSL2.

The idea that pushed me over the edge to try it again was that, this time, I'd try disabling Defender (as I was 1/2 convinced the Linux performance boost was not having AV) and keep a fresh/clean install strictly limited to Chrome (now that I had gotten used to just using the web versions of everything like Slack, Spotify, etc.), VS Code, WSL2 and that's it. Basically what I'd been doing with Linux. And so far that's been great - better performance, runs cooler and quieter, longer battery life etc. than I ever used to have with Windows. It is like a whole new machine.

Knowing I don't have Defender I am even more careful about what I download (these days almost nothing - especially on the Windows side rather than the WSL2 Ubuntu dev side) and about ensuring everything is patched. But it is such a game-changer I am not going back...


> Sometimes it is easier to break a person than their computer security. Then even the most expensive solution will not help.

> Run this bat file!


That’s where I stopped reading as well. There wasn’t even an attempt to explain what the batch file does.


There's only one reference to a bat file in the article that I saw, but that bat file is named "gpedit-enable.bat" and is at the end of a paragraph describing how that is for enabling the local group policy editor on home editions of Windows. That script itself is also quite clear with its use of `rem` to explain what's happening. Perhaps read it again...

"Local Group Policy Editor is available only in pro/enterprise edition, but you can add it to the Home version of Windows too."


The last two lines don't even work for me on Windows 10 Home. It looks like there's accidentally two `dir` invocations on the same line, PowerShell and Command Prompt both complain about the /B switch as if it were a missing path (I think the author meant "/b" for the bare file listing?), and the ClientExtensions and ClientTools directories don't exist for me.


Some asterisks were eaten from the file as well. Right before the .mum on each of those lines there should be an asterisk, as the goal is to glob for all the mum files related to that feature. The exact file names change depending on platform (x86 vs amd64 vs arm), and change over time due to version numbering.


Thanks!


Thank you for the explanation. That makes sense.


Came here just to say all of this. 100%.

Also this is another direct quote from the article:

> Reading some comments on random websites I guess you don’t even need a brain.

Coupled with the "just run this" batch file with no explanation... huge facepalm.


Weirdly enough, most of the batch file is actually writing a VBS script to run the calling file as an admin.

The last two lines are what actually enable the policy editor (by installing the Windows feature through DISM, the normal way). Still better than no batch file, but an explanation would indeed be nice.


Thanks for the comments, I will update the article with more details about the script.


Defender has been the only worthwhile Windows AV solution for years. All others have been, at best, on par and, at worst, net-negative (opening vulnerabilities that would not otherwise exist).


I read it all, and feel dumber than before.

Why the convoluted scripts to get admin? Why exec'ing a file with "~3" in the name when you can use the proper one? So many needless silly steps, too little actual explaining of anything that would matter.

Also, following that will just ensure you can never download curl or nmap lol. ...i guess, maybe i got the whole thing wrong. Who knows. I don't.


Ironically, while I agree with the thrust that Windows Defender is basically good enough, I find it extremely dubious for a security-focused article to suggest that anyone should be in the habit of copy-and-pasting arbitrary inscrutable code onto their machine in the service of making it safer.


too little actual explaining of anything that would matter.

This. It reads exactly like (suboptimal) code comments or commit messages explaining what gets done but no trace of why. Why does this stuff harden defender? Why does it make Defender enough?


That script is a well known hack to get Pro/Enterprise features on Windows Home version, in this case the Group Policy Editor. Not necessary for most users.


Windows Defender also features exploit protection: https://docs.microsoft.com/en-us/microsoft-365/security/defe...

And attack surface reduction rules (which you must configure) - which greatly reduces office worker possibility of catching some nasty stuff:

  Block abuse of exploited vulnerable signed drivers
  Block Adobe Reader from creating child processes
  Block all Office applications from creating child processes
  Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  Block executable content from email client and webmail
  Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  Block execution of potentially obfuscated scripts
  Block JavaScript or VBScript from launching downloaded executable content
  Block Office applications from creating executable content
  Block Office applications from injecting code into other processes
  Block Office communication application from creating child processes
  Block persistence through WMI event subscription (file and folder exclusions not supported)
  Block process creations originating from PSExec and WMI commands
  Block untrusted and unsigned processes that run from USB
  Block Win32 API calls from Office macros
  Use advanced protection against ransomware
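An added example of how those rules are actually switched on, written for this thread and not taken from the article's script or from Microsoft documentation. ASR rules are set with the Defender PowerShell module, each rule addressed by a GUID; the GUIDs below are Microsoft's published rule IDs as I know them and should be cross-checked against the current ASR rules reference before you deploy. The practitioner caveat the comment above hints at ("which you must configure") is that several of these rules break legitimate tooling, so the safe pattern is Audit first, read Event IDs 1121/1122 in the Defender operational log, carve out exceptions with ASR-only exclusions, and only then move rules to Block. The exclusion path, the parsing of "ID:" and "Path:" out of the event text, and the per-process exploit-protection target are assumptions for the example. Run elevated.

```powershell
# Added example, not the article's script and not Microsoft sample code: ASR rules
# in Audit mode, review what they would have blocked, then switch selected rules to
# Block. Elevated PowerShell on Windows 10/11 with Defender AV on. GUIDs are the
# published ASR rule IDs as I know them; verify against the current reference.

$asrRules = [ordered]@{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence/age/trusted list criterion met'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function Set-AsrRuleMode {
    # Mode: Disabled, Enabled (= block), AuditMode, or Warn.
    param([string[]]$Ids, [ValidateSet('Disabled','Enabled','AuditMode','Warn')][string]$Mode)
    foreach ($id in $Ids) {
        # Add-MpPreference merges into the existing rule list; Set-MpPreference
        # replaces it wholesale, which is easy to get wrong with a partial array.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Map the configured IDs/actions back to readable rule names.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Rule   = if ($asrRules.Contains($id)) { $asrRules[$id] } else { $id }
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Get-AsrEvents {
    # ASR logs 1121 (blocked) and 1122 (audited) to the Defender operational log.
    # Reading "ID:" and "Path:" out of the message body assumes the current event
    # text layout; Raw keeps the full message in case that changes.
    param([int]$Last = 100)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -MaxEvents $Last -ErrorAction SilentlyContinue | ForEach-Object {
        $lines  = $_.Message -split "`r?`n"
        $ruleId = ($lines | Where-Object { $_ -match '^\s*ID:\s*' } | Select-Object -First 1) -replace '^\s*ID:\s*', ''
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule = if ($ruleId -and $asrRules.Contains($ruleId)) { $asrRules[$ruleId] } else { $ruleId }
            Path = ($lines | Where-Object { $_ -match '^\s*Path:\s*' } | Select-Object -First 1) -replace '^\s*Path:\s*', ''
            Raw  = $_.Message
        }
    }
}

# Phase 1: audit everything and live with it for a week or two.
Set-AsrRuleMode -Ids @($asrRules.Keys) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Phase 2: review hits. A legitimate tool that trips a rule gets an ASR-only
# exclusion (example path) rather than the rule being turned off.
Get-AsrEvents | Group-Object Rule | Sort-Object Count -Descending | Format-Table Count, Name
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Tools\nmap\nmap.exe'

# Phase 3: enforce the rules that produced no legitimate hits. The LSASS rule is
# the usual first candidate; the Office rules follow on non-developer machines.
Set-AsrRuleMode -Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' -Mode Enabled

# Exploit protection is a separate mechanism: system-wide defaults plus per-process
# overrides. Inspect first; per-process changes are the safer knob (example target).
Get-ProcessMitigation -System
Set-ProcessMitigation -Name AcroRd32.exe -Enable DEP, BottomUp, HighEntropy, CFG
```

The obfuscated-scripts and prevalence/age rules are the two that most often hit developers (minified JavaScript, freshly built binaries); if Get-AsrEvents keeps attributing audits to your own build output, that is the rule to leave in Audit on that machine rather than to disable globally.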


This is an impossible question because of missing unfilled variables such as threat model, use case and the nature of data protected. I agree with the general sentiment.

Let's say you're a journalist at an important news org. Even for your personal devices, the builtin defender isn't enough.

There is a fundamental principle for sophisticated actors, that prevention is not enough. Your security software should do monitoring (off device) and do that very well. You are already compromised, you should be looking into the collected data to see where, when and by whom so you can do something about it. Unfortunately in the last few years the line has been getting very blurry between sophisticated nation state actors and criminals and common criminals trying to score as much loot as possible (mostly due to being forced to use sophisticated tools and techniques because solutions like Defender have gotten very good).

You may be an average Joe and still be a target for "sophisticated" actors, or you may think you are an "average Joe" but your pwnage offers a strategic value to someone resourceful.

My advice is to take inventory of the data and resources you have access to and see (with help if needed) what threat model fits your use case. MS does offer a Defender ATP that's basically turning on a few more switches and sending them a log of everything happening on your machine.

Back tracking a bit: Defender is really good. Cloud based protection is their secret sauce, turn it on and pretend they are to be trusted with collecting random files from your PC.


Feels like one obvious step would be to make running as a non-admin user easier. Ended up giving up with the kids' computer given so much required the admin password and there was no way (even through changing the program's options) to actually run a single program with true admin access. Also no way to say "always allow" some action with some program.


What would be handy in an article like this is an explanation of why the options are turned off by default. Presumably MS didn't decide to e.g leave the Ransomware protection turned off out of spite. So presumably there is a compromise between additional protection and ... something?


The ransomware protection (Controlled Folder Access) blocks writes to controlled folders. The admin specifies folders to be protected, which by default includes a bunch of user profile folders like "Documents". At that point no application can write to those folders unless whitelisted.

The downside is that for a while after you enable it, you will need to keep granting applications write access to those folders, until eventually all apps that need write access have it.

In a corporate environment, IT could pre-configure the white list to include any approved applications that need write access to those folders. Most companies claim that installing unapproved software is a fireable offence, so only the execs (who are immune to such policies) and developers are likely to notice.
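The staged rollout the comment above describes, as an added example written for this thread (not the article's script, not Microsoft sample code). It assumes an elevated PowerShell with Defender Antivirus active; the extra protected folder and the two allow-listed binaries are placeholder paths. The point worth seeing in code is the order: audit mode first, so the write attempts that would have been blocked show up as Event ID 1124 without anything breaking, then the allow-list, then enforcement.

```powershell
# Added example, not from the thread: stage Controlled Folder Access as audit,
# allow-list, enforce. Elevated PowerShell, Defender AV on. Paths are placeholders.

# Phase 1: audit. Nothing is blocked; would-be blocks are logged as Event ID 1124.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Optional: protect folders beyond the default profile folders (Documents, Pictures, ...).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'

# Phase 2: after a normal week of use, list what would have been stopped.
# 1123 = write blocked, 1124 = write audited. The message body names the process
# and the target path.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Mode'; e = { if ($_.Id -eq 1123) { 'Block' } else { 'Audit' } } },
                  Message |
    Format-List

# Allow-list the programs that legitimately write there. The full path to the binary
# is the intended granularity. Do not allow cmd.exe or powershell.exe: that would let
# anything driven through them write to the protected folders.
$approved = @(
    'C:\Program Files\Git\cmd\git.exe',
    'C:\Program Files\Microsoft VS Code\Code.exe'
)
foreach ($app in $approved) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $app
}

# Phase 3: enforce. From here, unlisted programs get Event ID 1123 and a failed write.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the resulting state.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

The corporate pre-configuration the comment mentions is the same Add-MpPreference calls delivered by Group Policy or Intune ahead of the switch to Enabled; the audit pass is what tells you which approved applications actually belong on that list.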


One problem with Windows Defender, I believe, is that if you were a malware author, the first AV you'd want to try and bypass for your 'MVP' is Windows Defender, as it's the default which is used on most Windows PCs.

Bypassing other AVs would really be a 'nice to have'


Malware authors have tooling to run their payloads across many vendors all at once. I'm sure Defender is on the shortlist, but it probably doesn't matter much.

Further, AV is inherently a "catches known threats" technology, as much as any AV may pretend otherwise. Some people will always get owned but by virtue of those users' AV picking up samples the sample will eventually make it to various AVs.

If your goal is to avoid AV bypasses, I'd suggest changing your goals. Instead, treat AV as it is - a technology for finding known bad things. If you want to avoid unknown bad things you need to take another approach.


The time when the AV business was just catching signatures is long gone.

ANYTHING that touches lsass.exe, no matter how, will trigger AV these days.

Go and try to compile your own customized version of Mimikatz; unless you are a malware developer, you will not manage to get one that doesn't get flagged.


I'm aware of the fact that AVs are not just hashing binaries or whatever. I'm well aware of how AV works in general. My points all stand imo. AV is a reactive technology.


I understand that many of you aren't in a position to bargain or move the needle here, but no claims of safety made by Microsoft should ever be taken seriously, ever. Not until a serious mea culpa on the extreme harm they've caused in this space.


I have to say I never used an antivirus software before except I guess the built-in one in Windows.

I think sandboxes are better for software you don't trust. I imagine antivirus heuristics are only useful against a handful of common threats, if at all.


Created a gist as a reference with all of the powershell commands and some additional info from this thread, such as exploit protection. I'm considering a full script.

https://gist.github.com/superswan/1d6ed59e75273f90a481428964...


As a "family SysAdmin" I'm pretty happy about how good Windows Defender and MRT updates works.

Aside from clearly aimed ransomware, today it's pretty difficult to have virus problems in Windows. Most of the time I have to repair a Windows machine it is due to a driver install problem (especially sound cards) or a system update problem.


I've never used antivirus (other than defender). AFAICT, I wasn't ever affected by a virus with one exception, the Blaster (or Sasser) worm. This was before Defender existed.

On the other hand, whenever I use a machine with an antivirus, I want to quit my job. Those things are slow. Very slow.

My work machine has a multitude of security software that I can't disable, heck, I can't even touch. Doing a pip install of a common program takes 10, 15 minutes. The same installation on my personal machine takes about one minute. The culprit? The 3 different agents that spin out of control scanning my disk.


I think most antivirus is security theater at this point, unless you're using endpoint security like CrowdStrike Falcon, Palo Alto Cortex, Carbon Black, etc. Which, I think only sell to B2B and not consumer.


>CrowdStrike Falcon

for the first time, i have a machine with this installed and holy damn... it's so bad. it uses 30~50% cpu all the time + tons of IO. how can people just accept software that just degrades your machine for small gains on security?


Thanks for this reference. I was told I'm having this rolled out onto the infra I'm using. I have added this to the growing list of reasons to quit.


Really? That's interesting. We deployed this a few months ago where I work and haven't encountered any performance issues like this. But we have had the fun of encountering BSODs when some of our end users try to use Excel.


right now, just browsing web using hn, com.crowdstrike.falcon.Agent is using 10% cpu -- this is on an intel macbook pro 16".

when i try to use docker, tmux within a terminal, it gets even worse -- i've seen it using 60% cpu + io.


What sensor version are you running? 6.33 iirc has an issue and you'll need to upgrade to 6.34. If you have access to the support page inside the Falcon platform, run the script they have for collecting system info and submit a case to support. (Not affiliated with CS; I came across a similar high CPU usage and middlemanned the comms between our Mac admin and CS.)


That might be the difference, my work is a 100% Windows shop, so that's why we haven't seen it. That really sucks though.


My heart goes out to AV/EDR developers because I really don't see how it is possible to analyze most of the code being run somewhere in realtime, without a significant toll on the machine...


Carbon Black is not much better - on top of McAfee, it rendered my work laptop at the time almost unusable. It used a crazy amount of RAM too.


have had the exact same negative experience with this as well. imagine a hellscape with crowdstrike falcon, defender, and beyond trust all running on the same machines.


I don't know if this is still relevant, but around 2007 or so a buddy and I found the source code for a "research" keylogger trojan online. We compiled and ran it for kicks, and sure enough Avira (which I was using at the time, or was it still called AntiVir?), picked it up almost instantly. We swapped the order of a couple of instructions, recompiled, and glory be: Avira didn't flag it anymore!

Since then I just find the least obtrusive AV and just try to avoid clicking on anything suspicious, because I'm convinced they all offer "meh" protection at best.


> CrowdStrike Falcon, Palo Alto Cortex, Carbon Black

These have absolutely massive issues with false positives that take ages to resolve even if reported.


Last year I tried to source an on-demand AV scanner because we'd exhausted what clamav was capable of (it non-deterministically craps out after 2GB and can't scan binaries). If I couldn't find a suitable drop-in replacement I was going to recommend an enterprise workflow scanning solution that had AWS cloud integration (i.e. automatically move objects through ingress/output/quarantine S3 buckets or some kind of API we could hook to tag objects with a 'passed' label).

My requirements were simple: it had to run in our cloud (AWS, eu-west-2) because of PII concerns, preferably "serverless"/ephemeral and we needed to scan assets our data analysts would use in their day to day operations (tiny files, massive files - a bit of everything).

After several time-consuming days I had to give up because I found nothing. The Internet has become a mirage of AV/malware scanning solutions that no longer exist (one of our guys reported that Sophos had a CLI tool - savscan - but when I looked it appeared to be discontinued). Almost every major vendor I came across offered an endpoint product that ran on their cloud or had moved out of the malware/virus scanning market in favour of a DPI firewall. I was hampered by a lack of product documentation/feature comparison tables on the "enterprise" vendor marketing websites and the sad "cloudification" of stacks that really ought to have a CLI binary.


Microsoft _does_ provide a bunch of the enterprise security features other vendors provide in its home anti-virus offering.

Microsoft is also the biggest vendor of enterprise endpoint security solutions - that is Microsoft Defender and products like "Palo Alto Cortex" compete. However, the home offering of Defender _is_ quite different in terms of usage from the enterprise version and so is the amount of instrumentation.


These are also annoying because they hijack/MITM SSL certs and change the certificate chain with their invalid root CA. It’s security through obscurity.


Was it ever not security theatre?


You're definitely right about that. I think it's from the XP days, but I remember reading about antivirus vendors creating their own security holes and vulnerabilities, where running antivirus software made your computer less secure than without it. And then when Microsoft wanted to create fixes to prevent said vulnerabilities from being exploitable, the antivirus vendors actually threatened to sue them to avoid putting in the engineering work to fix their shitty code.

EDIT:

    In many cases, these security changes meant deep architectural changes were required to third party solutions. And most ecosystem vendors were not incented to invest heavily in their legacy apps. Some of these solutions took the unorthodox approach of modifying data structures and even instructions in the kernel in order to implement their functionality, bypassing APIs and multiprocessor locks, often causing havoc. At one point, something like 70% of all Windows “blue screens” were caused by these third party drivers and their unwillingness to use supported APIs to implement their functionality. Antivirus vendors were notorious for using this approach.

    In my role as head of Microsoft security, I personally spent years explaining to antivirus vendors why we would no longer allow them to “patch” kernel instructions and data structures in memory, why this was a security risk, and why they needed to use approved APIs going forward, that we would no longer support their legacy apps with deep hooks in the Windows kernel — the same approach that hackers were using to attack consumer systems. Our “friends”, the antivirus vendors, threatened to sue us in return, claiming we were blocking their livelihood and abusing our monopoly power! With friends like that, who needs enemies? They just wanted their old solutions to keep working even if that meant reducing the security of our mutual customers — the very thing they were supposed to be improving.
https://blog.usejournal.com/what-really-happened-with-vista-...


Malware was definitely a lot more prevalent back in the day and you couldn’t do everything on the internet back then so you had to download a lot more random programs off the internet.

I think they definitely had a purpose a long time ago but probably not for the past 15 years.


How could they differ?


I haven't had a virus problem since the days of Windows 2000.

I've had an incredible number of problems caused by antivirus software interfering with legitimate software.


You're amazing... So I guess you've never had to help a family member clean their system of said virus/malware/adware?


None that you know of. I think virus creators have probably adapted from breaking things to silently collect information.


They already have, most AV software nowadays is adware. If you are lucky they'll just slurp your data and maybe get you to install Chrome or some other random piece of software but some are even using your PC to mine cryptocurrency nowadays.


Word. Silent data farming is certainly worth more in the long run than ransomware encrypting the whole disk of some John Doe.


But wouldn't those infections be detected eventually? They would need to update/hide their "solution" every time A/V software comes with updates to detect them. It would be too late already.


It's the first thing I disable in VMs because of what a resource hog it is.


How are people even getting viruses? I've been using Windows to varying degrees since the 1980s, and I've never once in my life gotten a virus. I never used any antivirus software. I let Windows do whatever it does by default, but it never flags anything. Are people picking up viruses from pirated games or something?


You, and me, and everyone else in here are not the average user. The average user clicks and opens files all the time.


"I've never once in my life gotten a virus. I never used any antivirus software."

This is like saying your blood pressure is fine, but you've never had it measured. :) Email and internet are still places of entry to machines. Plenty of 0-Day stuff out there your average person can stumble into.


> average person

Even the most paranoid and careful person could be pwnd by a vulnerability in their browser, network stack, GPU driver, or whatever. If you at any point open a network-connected application on a popular OS then you are at risk. It doesn't matter if you "don't click links," or "be careful what you download."


Amen to that. Plus I erred in saying 0-day. Actually, if not using any kind of AV, you're vulnerable to everything ever made if you're trusting your "intuition" alone.


Most people whose computer has become part of a botnet don't know it.


Microsoft Defender and Microsoft security is an unfunny, long-lasting joke that even beats UAC stupidity. All they do is invent new protection names and try to syphon all possible data from the PC they are supposedly protecting. The copy speed of a 7 GB/s SSD is close to 10 MB/s because you're getting "protected". Do you want to get protected even more? Enable cloud protection, enable online account protection, want to submit a file to our protected protection to get protected? No? Oh, in this way you are not protected anymore! But you know, in the last 5 days of your computer idling, it was scanned 10 times and nothing was found. That's important to know. Oh wait, I found a generic.generic in your old keygen music file on CD, you're not protected anymore! But I will try to delete it forever. So much defending, such protection. WOW!


So the default settings are not secure and I need to go 10 levels deep in gpedit.msc to enable the security features?

What?


All client security products are making tradeoffs between keeping the user safe and requiring them to read and understand configuration settings in their security products. The options recommended here fall into either the "this will break some legitimate stuff" bucket or the "this potentially uploads a lot of user data to the cloud". I agree with them being off by default; if you understand and can handle it, you can turn them on. If gpedit is scary, you should leave them alone.


I use my pc 12+ hours a day, haven't installed any 3rd party antivirus software since 2005, and haven't encountered a single problem, because I know what I'm doing. I think all people who read ycombinator should be able to do the same.


I haven't used an anti-virus in all of my 20+ years of computering. I've been hit with some minor infections (mostly from torrents, which I knew was not safe). But that's it.

Just do a reinstall of Windows every 2-3 months.


"thinking" meme; If I don't have antivirus, I won't be alerted to it.


How about a simple scheme where software producers can register their .exe with Microsoft and when I download an exe I could verify that the fingerprint of the exe is registered on the Microsoft whitelist? Or is this kind of thing already happening by the Defender?

I have never seen a message saying "Defender does not recognize this application, are you sure you want to start it?"

Also there's a lot of downloadable Open Source software where users are asked to "verify the keys". Couldn't Windows do this kind of thing automatically, or at least make it easy?


That's very similar to what SmartScreen is.

https://docs.microsoft.com/en-us/windows/security/threat-pro...
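The checks SmartScreen performs implicitly can be done by hand for one downloaded file, and that is the "verify the keys" step asked about above in Windows-native form: read the Mark-of-the-Web stream the browser attached on download, verify the Authenticode signature, and compute the hash to compare against the publisher's page. This is an added example written for the thread, not Microsoft's code and not the article's; the file path is a placeholder.

```powershell
# Added example, not from the thread: the three facts to establish about a downloaded
# executable before running it. Works in Windows PowerShell 5.1 or PowerShell 7 on
# Windows. The path is a placeholder for the example.

function Test-DownloadedExe {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path

    # Zone.Identifier is the NTFS alternate data stream browsers write on download
    # (the "Mark of the Web"). ZoneId=3 is the Internet zone; SmartScreen and Office
    # use it to decide whether to prompt. No stream means no MotW, not "safe".
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zone = if ($motw) { ($motw | Where-Object { $_ -match '^ZoneId=' }) -replace 'ZoneId=', '' } else { 'none' }

    # Authenticode: Valid means the signature chains to a trusted root and the file
    # still matches it. HashMismatch means the file was altered after signing.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File      = $file.Name
        Bytes     = $file.Length
        ZoneId    = $zone
        Referrer  = ($motw | Where-Object { $_ -match '^ReferrerUrl=' }) -replace 'ReferrerUrl=', ''
        HostUrl   = ($motw | Where-Object { $_ -match '^HostUrl=' }) -replace 'HostUrl=', ''
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        TimeStamp = $sig.TimeStamperCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$report = Test-DownloadedExe -Path "$env:USERPROFILE\Downloads\installer.exe"
$report | Format-List

# Decision rule: a Valid signature from the publisher you expected, plus a SHA256 that
# matches the value published out-of-band, clears it. HashMismatch is a hard stop.
# NotSigned is common for open source builds and just means the hash is all you have.
switch ($report.SigStatus) {
    'Valid'        { Write-Host "Signed by: $($report.Signer)" }
    'HashMismatch' { Write-Warning 'Signed content was altered after signing; do not run.' }
    'NotSigned'    { Write-Warning 'Unsigned; compare the SHA256 against the publisher page.' }
    default        { Write-Warning "Signature status $($report.SigStatus); treat as unsigned." }
}
```

If you decide to trust the file, Unblock-File strips the Zone.Identifier stream, which is exactly what the "Unblock" checkbox in the file's properties dialog does; the signature and hash checks are what should happen before that, not after.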


That seems very useful especially for web-sites.

What I'm thinking of is something where Microsoft would keep a publicly visible registry of all apps that have been submitted to the registry. It would be beneficial for both software producers and Microsoft as the platform producer. The registry would run all kinds of malware checks on it, and also keep an ear out for reports of threats found.


Completely useless and a waste of CPU/mem/electricity/time.


I wonder what the performance impact of these changes is. There must be a reason they are disabled by default.


I'd be more concerned about what sort of undocumented behaviour now occurs as a result of these changes, and whether any of the features/options will be available tomorrow.


Can anyone point me to the software that this blog uses? Or if the owner is lurking can you tell me what you use for your site?

Looks really good, i'd like to create something similar for my site.


Hello Joe_Boogz,

The blog is using Hexo (https://hexo.io/) and a slightly modified Cactus theme (https://probberechts.github.io/hexo-theme-cactus/). If some website looks interesting to you and you would like to know how it is built you can use Wappalyzer (https://www.wappalyzer.com/).


Thank you!!


The generator meta tag says it's made with Hexo: https://hexo.io/


So true. Windows Defender has a ton of neat advanced features and you don’t have to worry about keeping up with some other vendor of security software, either.


Unpopular opinion: Defender can't be the best (but yes enough) because it's too popular, so every malware creator checks with it.


As a whitehat I can say that the AV that I found the hardest to bypass was ESET NOD32; Windows Defender and Kaspersky are just behind.


Can't agree with this. The GPU seems to be a weakness, but in light of Nvidia's recent hack, I'd suggest Nvidia GPUs are the weakness in Windows, but I know ATI also has some weaknesses. They are like SIM cards working with a mobile phone OS but also independently accessing the mobile phone hardware.


It's only a weakness if you download random executables.


Not true. There are 0 clicks/keypress necessary viruses out there that rip right through holes in servers without the user doing anything. They're certainly not as common as the "usual" types but no one is immune and you can bet state actors have a ton of those at their disposal as do well funded black hat crime syndicates.


This isn't the '80s; things are a little more sophisticated than that. They have to be.


Defender UI is absolutely terrible and keeps deleting things.

It is enough for your average user though I'll give it that.


[flagged]


I downvoted you, here’s why:

I think it’s clear the author isn’t proposing that people should be licensed to use the internet. It’s at most an aside, and not the topic of the article.

The observation that one of his analogies doesn’t apply in one country (pretty sure not the one the author lives in) doesn’t really contribute anything IMO, and certainly we won’t change anyone’s mind about US gun law by another comment thread. I’d rather just not open that box.


They brought it up, not me. If the content doesn't contribute anything, then why did they include it? Which country does it apply in that you need a permit just to shoot a gun?


> Which country does it apply in that you need a permit just to shoot a gun?

In Australia – for a civilian to shoot a gun, somebody needs to have a license. If you want to buy a gun – or even receive one as a gift – you need to apply to the police for a license.

Now, it is possible to go to a shooting range, and pay to use their gun on their premises without personally having license. However, even in that case, the range still needs to have a license – indeed, not an ordinary gun license, a special type of gun license which allows them to offer this service to the general public. In my state (New South Wales), the member of the public must show photo ID and fill out a government form called a P650 [0] [1] with invasive personal questions (such as if you have ever attempted suicide or self-harm, have received treatment for alcoholism, drug dependence or mental illness, etc). Lying on the form is a crime (although given the form is not sent to the police, only retained by the range, it may be hard to detect). If you answer "Yes" to any of those invasive personal questions, you are not allowed to shoot, unless the range makes a special application to the police for an exemption in your individual case, and the police decide to grant it.

So, effectively, all civilian gun use requires a permit in my state of Australia – if not your own, then that of the shooting range, and even that case is highly regulated.

[0] https://www.police.nsw.gov.au/online_services/firearms/clubs...

[1] http://stmarysindoorshootingcentre.com.au/admin/_files/pages...


Yes, someone. The claim being disputed is that the individual needs a permit, with the context being that people are required to be trained for driving a car and shooting a gun.


I think because your original post was a wildly off-topic nitpick of what the article is talking about as a whole.


I don't think it's really a nitpick to point out factual inaccuracy. That happens all the time on here and is a feature of an audience committed to truth.

As a secondary point, do you think the author's use of licensing examples was on-topic? I don't see them go into any detail about licensing, and it has little to nothing to do with the topic of hardening Defender.

That said, yes, I do see that my initial comment was lacking the context later added in the edit.


> "If you want to shoot a gun, you need to get a permit."

> Not in the US,

This statement seems to lack nuance and could be the reason for the downvotes.

> Federal law does not require individuals to obtain a license or permit to purchase a firearm. Several states, however, have permit-to-purchase laws that function similarly to universal background check laws.

https://www.rand.org/research/gun-policy/analysis/license-to...


That's about purchasing. Not just shooting or even ownership.

For example, you can move into NJ with existing firearms that you own (complying with the general laws about legality, locks, etc) without the need to request a permit to purchase.


Your link is about purchasing a firearm which is different than just using one.


I don't like the idea of an internet permit, but I do agree with the idea that users should be taught internet safety. About 20 years ago I volunteered at the library and taught such a class, but only recently have I seen such classes as part of workplace training. It should probably be something that is taught in schools, as well. Or maybe it is covered now and I just don't know?


It was loosely covered in school when I went. We had some basic stuff even in middle school (20+ years ago) about using anti-virus, not clicking links from unknown sources, etc. If schools aren't teaching the basics, then that could be a big security hole for the district. At the least, it reduces the protection of defense in depth and forces the school to wholly rely on systems to protect the network, when users are often the "in".


Most people don’t even download an antivirus so this is a good walkthrough.


Windows Defender doesn't have heuristics/behaviour based detection.

For example, if you write a simple keylogger using the Windows API in C++/Python/..., compile it and run it, an antivirus like BitDefender will block it by default. It's up to you then to allow it or not.

So it can sometimes detect and block unknown malware, a thing that Windows Defender can't. So for some people it might make sense to have a more "strict" antivirus.


> Windows Defender doesn't have heuristics/behaviour based detection.

Yes it does, in fact mpengine has a built-in JIT compiler for converting executables that it's scanning into safely-runnable executable code within its sandbox environment (done for performance reasons, rather than simply emulating them).
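Whether Defender's behaviour-based and cloud-backed detection is actually switched on is a per-machine setting, so the dispute above is worth checking rather than arguing. The audit below is an added example, not code from the thread or from Microsoft; it only uses the documented Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`, `Set-MpPreference`) and needs an elevated PowerShell on a Windows host running Microsoft Defender Antivirus.

```powershell
# Added example (not from the thread or from Microsoft): audit the Defender
# settings that drive behaviour-based and cloud-delivered detection.
# Requires Windows with Microsoft Defender Antivirus and an elevated shell.
function Test-DefenderHeuristics {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix applies the hardened values via Set-MpPreference

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # Behaviour monitoring is the component that watches running processes.
    if (-not $status.BehaviorMonitorEnabled -or $pref.DisableBehaviorMonitoring) {
        $findings += 'Behaviour monitoring is disabled'
        if ($Fix) { Set-MpPreference -DisableBehaviorMonitoring $false }
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is disabled'
        if ($Fix) { Set-MpPreference -DisableRealtimeMonitoring $false }
    }
    # MAPS (cloud-delivered protection): 0 = off, 1 = basic, 2 = advanced.
    if ($pref.MAPSReporting -lt 2) {
        $findings += "Cloud-delivered protection is not Advanced (MAPSReporting=$($pref.MAPSReporting))"
        if ($Fix) { Set-MpPreference -MAPSReporting Advanced }
    }
    # Cloud block level: 0 = default, 1 = moderate, 2 = high, 4 = high+, 6 = zero tolerance.
    if ($pref.CloudBlockLevel -lt 2) {
        $findings += "CloudBlockLevel is $($pref.CloudBlockLevel); High (2) or above is recommended"
        if ($Fix) { Set-MpPreference -CloudBlockLevel High }
    }
    # Sample submission lets the cloud analyse unknown binaries:
    # 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all.
    if ($pref.SubmitSamplesConsent -eq 2) {
        $findings += 'Sample submission is set to Never Send'
        if ($Fix) { Set-MpPreference -SubmitSamplesConsent SendSafeSamples }
    }
    # PUA protection: 0 = off, 1 = block, 2 = audit only.
    if ($pref.PUAProtection -ne 1) {
        $findings += "PUA protection is not blocking (PUAProtection=$($pref.PUAProtection))"
        if ($Fix) { Set-MpPreference -PUAProtection Enabled }
    }

    if ($findings.Count -eq 0) { 'All behaviour-based and cloud protections are enabled.' }
    else { $findings }
}

Test-DefenderHeuristics   # report only; run with -Fix to remediate
```

On hosts where Defender settings are managed by policy or tamper protection, `Set-MpPreference` changes may be rejected or later overwritten, so treat the output as an audit first.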


1st - that "heuristic" used by BitDefender or other AV solutions is simply scanning the .exe for those API calls. This is easy to overcome by simply encrypting with even a simple XOR and dynamically loading said APIs for keylogging (I suspect you are referring to SetWindowsHookEx - the most used API for loggers, malware or not).

2nd - BitDefender is a Romanian AV, but people forget that Windows Defender is Romanian too, at its heart, the former RAV (Reliable AntiVirus) that Microsoft acquired in the ancient times of the early 00s. See: https://en.wikipedia.org/wiki/GeCAD_Software and https://www.networkworld.com/article/2334189/microsoft-to-bu...

3rd - BitDefender is the most resource-hogging AV. Also the most annoying. And it behaves like it is the only application you need, constantly begging for attention. I worked at a company that had it licensed, and I hated every day there only because of it. Windows Defender on the other hand is so quiet that I always forget it is running.

My 2 cents.


According to this site [1], Bitdefender is amongst the most efficient antivirus packages for passive slow-down, and I can confirm that this has been my experience running an engineering firm that uses their enterprise security product, Bitdefender GravityZone.

If you solve for efficiency (effectiveness over performance), Bitdefender has one of the highest detection rates (over 99.9%) and lowest false positive rates in the industry, making the effectiveness-performance ratio very impressive. Many other A/V packages are bigger hogs and yet detect less malware, with more false-positives.

I'll admit their interface isn't great, but they did a refresh recently in their Enterprise product and now it's much more subdued (finally). They also changed their branding from bright Red to White, so it doesn't pop in the taskbar as much as it used to.

It's worth noting that Windows Defender is among the only AVs that scores as effective as Bitdefender, but from my research it seems like Bitdefender's predictive engine is significantly better in benchmarks at fighting new/novel malware. Is it worth the approx. $100/yr? Not sure. I have considered canceling our subscription to Bitdefender and using Windows Defender, as the premium offering is already included in our Office365 licensing... but I think that obscurity (using a non-standard security product) could be a defense in itself.

[1]: https://www.tomsguide.com/us/av-software-least-system-impact...


No later than a few days ago, as I was refining my exploit, this is the detection rate I could get to:

https://i65.servimg.com/u/f65/15/63/53/97/pasted10.png

I often end up not being able to bypass ESET32, although bypassing Bitdefender and others is much easier.


What is your experience with SOPHOS or other hardware firewall products? Are they effective at blocking novel malware?


I can say for certain that my software has been picked up by Defender's heuristics, and fixed within a matter of hours when I flagged it as a false positive.

Kaspersky, on the other hand, still refuses to even look at any executable larger than 50MB.


Well that isn't true.



