
My firm belief is that hardware vendors do end users a disservice by preloading 3rd party anti-virus software that expires and requires payment after a period of time for virus signature updates. Typically this 3rd party software disables Defender, so once the pre-installed AV trial runs out, the user is exposed.



The end user was never even considered.

But surely Windows will activate Defender? Since any AV must register in Windows, and considering that MS isn't exactly known for respecting user wishes, I'd expect Defender to start up the same nanosecond any other AV stops.

Though I'd never put myself in a position to test that.


It has been my experience while fixing family members' computers that unless you uninstall the third-party antivirus software, Windows Defender doesn't kick in. If I recall correctly, there was an instance where I tried to switch from third-party to Defender (without uninstalling the 3rd party product) and it would not let me, stating that AV was managed by group policy (? I forget the exact phrasing), and I had to uninstall the other antivirus software first.


From memory and vague experience, if Defender detects another registered AV product it disables its engine. Techniques used by non-OEM AVs to get the telemetry and visibility they need to make decisions probably aren't "safe" when another non-cooperative AV is installed.
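The "is Defender actually running or has it stepped aside" question above can be answered from the machine itself. This is an added example, not code from anyone in the thread; it assumes Windows 10/11 with the built-in Defender PowerShell module and an elevated shell, and the productState decoding is the widely used community interpretation rather than an officially documented one.

```powershell
# Added example: list AV products registered with Windows Security Center and
# show whether Defender is active or in passive mode behind one of them.

# Third-party engines register here; Defender also appears in this list.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
foreach ($p in $products) {
    # productState is a bit field. Assumption (community decoding, not official):
    # middle byte 0x10 = real-time protection enabled, low byte 0x10 = signatures stale.
    $hex     = '{0:x6}' -f $p.productState
    $enabled = $hex.Substring(2, 2) -eq '10'
    $stale   = $hex.Substring(4, 2) -eq '10'
    '{0,-40} enabled={1} signaturesStale={2}' -f $p.displayName, $enabled, $stale
}

# Defender's own view of itself. An AMRunningMode of 'Passive Mode' means another
# product owns real-time protection and Defender is not scanning on access.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AMRunningMode             = $mp.AMRunningMode
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    SignatureAgeDays          = $mp.AntivirusSignatureAge
}
```

If the third-party entry shows enabled=False with signaturesStale=True and Defender reports 'Passive Mode', that is exactly the expired-trial gap the thread describes.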


> do end users a disservice by preloading 3rd party anti-virus software

There's a reason they're paid for doing so. If it was beneficial they'd do it for free.


Agreed. Additionally, I think it may look more impressive to novice buyers when the product lists a bunch of free (albeit worthless) software included in their purchase.


For sure, at a minimum the only reason to be doing that is to put food on their table.

I’m sure that there are other reasons - do you have any in mind?


Hardware vendors know their buyers are too poor to afford a MacBook, and therefore load their overpriced plastic junk with enough offerings that they make massive profits. Dell and HP rely heavily upon their users not understanding tech and will sell a laptop with a 5400rpm drive that does not function. They are meant to be sued by the FTC, but consumer protection in the U.S. has been bought out.


>Typically this 3rd party software disables Defender

I run Glasswire [1] which started as a detailed bandwidth monitor but now has a firewall feature that sits on top of Defender and works with the rules list so not trying to replace anything.

It's simple and adds the biggest win in this article's list of recommendations imho, which is Block on First Sight. In addition to asking, Glasswire also checks every new or updated network service requestor's VirusTotal score. No Group Policy or PowerShell magic required.

[1] www.glasswire.com
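For anyone who does want the "PowerShell magic" version of Block at First Sight, here is an added example (not from the thread or the article it discusses) using the Defender module's documented Set-MpPreference parameters; it assumes Windows 10/11 and an elevated shell.

```powershell
# Added example: report whether Block at First Sight is effectively on, then
# enable its prerequisites. BAFS needs cloud protection (MAPS) plus sample
# submission, and is itself controlled by DisableBlockAtFirstSeen.

function Test-BlockAtFirstSight {
    $pref = Get-MpPreference
    # MAPSReporting: 0 Disabled, 1 Basic, 2 Advanced. Cloud lookups need > 0.
    $cloudOn   = [int]$pref.MAPSReporting -gt 0
    # SubmitSamplesConsent: 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples.
    $samplesOn = [int]$pref.SubmitSamplesConsent -in 1, 3
    $bafsOn    = -not $pref.DisableBlockAtFirstSeen
    [pscustomobject]@{
        CloudProtection   = $cloudOn
        SampleSubmission  = $samplesOn
        BlockAtFirstSight = $bafsOn
        Effective         = ($cloudOn -and $samplesOn -and $bafsOn)
    }
}

'Before:'; Test-BlockAtFirstSight

# Weak defaults on a machine where a trial AV turned these off look like
# MAPSReporting=Disabled / SubmitSamplesConsent=NeverSend; correct them here.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples   # or SendAllSamples
Set-MpPreference -DisableBlockAtFirstSeen $false

'After:'; Test-BlockAtFirstSight
```

If a setting snaps back or is greyed out in the Windows Security UI, it is being enforced by Group Policy or an MDM profile and has to be changed there instead.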


I think GlassWire's bandwidth monitor is great, but don't think their firewall feature is equivalent to "Block on First Sight."

Taking a quick look at MAPS block at first sight, it appears to look at both the executable file and non-portable-executable files such as JS, VBS, or macros, then stop execution; however, it isn't clear if this also includes things such as DLL files or a Python script being executed by python.exe.

The firewall feature of GlassWire, or any application level firewall will only block traffic for your typical, well behaved programs, to save some bandwidth, and possibly block some telemetry if the program isn't too mischievous. This is because GlassWire doesn't stop the program, and can't tell if you're the one running the executable or another application is running it programmatically, so if EvilApp.exe notices it can't connect to the internet, it could just use something innocent you've allowed such as Firefox or python to send/receive data on its behalf (or just do that from the start).

This is why it's still important to check the bandwidth of programs you trust for abnormalities, even if you've only allowed trusted programs and block everything else, and why it's so important to keep programs up to date and only run stuff you don't fully trust in a sandbox (since I doubt MAPS block on first sight is perfect either).


Thanks for that clarification & I agree the best solution is always going to be keeping a close eye on your top talkers and understanding what the normal baseline should look like.


Never heard about Glasswire, looks interesting. I definitely need to take a look. Thank you for the comment!


Definitely, getting rid of them pretty much requires an OS reinstall too, which is incredibly annoying when it feels like I've had to waste an hour or so of my time so that the hardware vendor could make an extra buck. I occasionally get batches to do at work and I advocate against buying from vendors that do this kind of thing (for the little good it does, since they all seem to these days).


My first step with a new personal computer is to boot to a thumb drive, format the disk and install what I believe to be a clean copy of Windows.

In a business environment I've always been an advocate of staging one machine, taking a drive image and using that image to clone the rest. It resolves so many issues: if the end user mucks up their machine so badly, you just reflash the drive image and send them on their way.


Have the options for making and installing images on Windows improved? I've looked into some a while ago for work, but they always seemed to come with enough caveats that they wouldn't quite work for our case. E.g. very few of the machines have the same hardware configuration, and outside of a few bits of common software each department has its own unique software requirements and variation within departments.


To really answer this you need to separate OS image deployment from software install; put out a common base with essentially just management, security, and observability tooling in place. Then use a package management tool to roll out your LoB software. Bonus points for making that self-service so users can do it themselves.

Given how many devices use out of the box drivers, combined with the amount of drivers distributed with Windows update, that part of the story has gotten much better as well.


At work, we use SCCM to do this. You just plug the PC into the network, PXE boot, and it does its thing. You can also create a USB drive that installs the same image. It then proceeds to install the third-party software via SCCM, too, so you don't need to upgrade the installation image every time a new app version is released.

One caveat is that SCCM is not free, and we have a dedicated guy managing it. Not sure how much work that entails (he's not full-time), I rarely if ever touch our Windows environment (I'm running Linux on my own machine).


Yes, since Windows 8 it's improved dramatically. I've taken hard drives from a desktop that failed and booted said hard drive in a USB enclosure on a laptop (very dissimilar hardware, obviously) and after a few minutes of Updating Device Configuration, Windows boots.


I have run into that, and in my experience it doesn't make sense to have dozens of different images for all the different variations. However, after getting a baseline image, one of my employees created multiple batch files (one for each department) that are run to do a silent install of department-specific software.


Yes, with Windows 10 you are able to refresh the image, deleting all files and software (or only software) from within the Settings app.

Also there are features that allow downloading the install image from Microsoft servers, similar to what Apple has had for years. But this might be an enterprise-customers-only feature.


I've found that the shovelware uninstalls pretty easily in a new PC, at least McAfee, Norton, and Avast. No need to reinstall the OS, just run the AV product's uninstaller and it appears to be gone. I haven't done careful forensics to see what little bits it has left behind but whatever they are don't seem harmful.

Still hate the shovelware. If it were a good product I would choose to install it.


When I bought my last laptop it had Windows S mode and no crap whatsoever; it was vanilla Windows. I'm not sure if there is some OEM agreement not to install crapware on Windows S mode, does anybody know? You can then switch S mode off and it will become normal, clean Windows.


I'm not sure about S mode, but there's a program called Microsoft 'Signature' that means any Signature machine you buy has only Windows and essential drivers/control apps, no extra adware or funded programs such as the time-limited anti-virus and extra jank. That's one possible explanation for getting a vanilla Windows.

Sadly that's discontinued now as Windows descends further into consumer abuse and anti-features. https://www.howtogeek.com/402888/looking-for-a-microsoft-sig...


S mode just means you can only install programs through Microsoft Store.


Pretty much all AV software, including Defender, does not care about false positives unless it's software from a big company so leaving users without warnings based on shitty heuristics is a positive thing in my book.




