[HN Gopher] Windows Defender is enough, if you harden it
___________________________________________________________________

Windows Defender is enough, if you harden it

Author : h0ek
Score  : 219 points
Date   : 2022-03-06 19:37 UTC (3 hours ago)
Link   : 0ut3r.space

thrower123 wrote:
I haven't had a virus problem since the days of Windows 2000.

I've had an incredible number of problems caused by antivirus software interfering with legitimate software.

encryptluks2 wrote:
None that you know of. I think virus creators have probably adapted from breaking things to silently collecting information.

seanw444 wrote:
Word. Silent data farming is certainly worth more in the long run than ransomware encrypting the whole disk of some John Doe.

bartimus wrote:
But wouldn't those infections be detected eventually? They would need to update/hide their "solution" every time A/V software comes with updates to detect them. It would be too late already.

tupac_speedrap wrote:
They already have, most AV software nowadays is adware. If you are lucky they'll just slurp your data and maybe get you to install Chrome or some other random piece of software, but some are even using your PC to mine cryptocurrency nowadays.

veganhouseDJ wrote:

heavyset_go wrote:
It's the first thing I disable in VMs because of what a resource hog it is.

giantg2 wrote:

Natsu wrote:
I don't like the idea of an internet permit, but I do agree with the idea that users should be taught internet safety. About 20 years ago I volunteered at the library and taught such a class, but only recently have I seen such classes as part of workplace training. It should probably be something that is taught in schools, as well. Or maybe it is covered now and I just don't know?

giantg2 wrote:
It was loosely covered in school when I went.
We had some basic stuff even in middle school (20+ years ago) about using anti-virus, not clicking links from unknown sources, etc. If schools aren't teaching the basics, then that could be a big security hole for the district. At the least, it reduces the protection of defense in depth and forces the school to wholly rely on systems to protect the network, when users are often the "in".

vore wrote:
I think because your original post was a wildly off-topic nitpick of what the article is talking about as a whole.

giantg2 wrote:
I don't think it's really a nitpick to point out factual inaccuracy. That happens all the time on here and is a feature of an audience committed to truth.

As a secondary point, do you think the author's use of licensing examples was on-topic? I don't see them go into any detail on licensing, and it has little to nothing to do with the topic of hardening Defender.

That said, yes, I do see that my initial comment was lacking the context later added in the edit.

damagednoob wrote:
> "If you want to shoot a gun, you need to get a permit."

> Not in the US,

This statement seems to lack nuance and could be the reason for the downvotes.

> Federal law does not require individuals to obtain a license or permit to purchase a firearm. Several states, however, have permit-to-purchase laws that function similarly to universal background check laws.

https://www.rand.org/research/gun-policy/analysis/license-to...

charcircuit wrote:
Your link is about purchasing a firearm, which is different than just using one.

giantg2 wrote:
That's about purchasing. Not just shooting or even ownership.

For example, you can move into NJ with existing firearms that you own (complying with the general laws about legality, locks, etc.) without the need to request a permit to purchase.
vosper wrote:
I downvoted you, here's why:

I think it's clear the author isn't proposing that people should be licensed to use the internet. It's at most an aside, and not the topic of the article.

The observation that one of his analogies doesn't apply in one country (pretty sure not the one the author lives in) doesn't really contribute anything IMO, and certainly we won't change anyone's mind about US gun law by another comment thread. I'd rather just not open that box.

giantg2 wrote:
They brought it up, not me. If the content doesn't contribute anything, then why did they include it? Which country does it apply in that you need a permit just to _shoot_ a gun?

skissane wrote:
> Which country does it apply in that you need a permit just to _shoot_ a gun?

In Australia - for a civilian to shoot a gun, _somebody_ needs to have a license. If you want to buy a gun - or even receive one as a gift - you need to apply to the police for a license.

Now, it is possible to go to a shooting range, and pay to use their gun on their premises without personally having a license. However, even in that case, the range still needs to have a license - indeed, not an ordinary gun license, a special type of gun license which allows them to offer this service to the general public. In my state (New South Wales), the member of the public must show photo ID and fill out a government form called a P650 [0] [1] with invasive personal questions (such as if you have ever attempted suicide or self-harm, have received treatment for alcoholism, drug dependence or mental illness, etc.). Lying on the form is a crime (although given the form is not sent to the police, only retained by the range, it may be hard to detect).
If you answer "Yes" to any of those invasive personal questions, you are not allowed to shoot, unless the range makes a special application to the police for an exemption in your individual case, and the police decide to grant it.

So, effectively, _all_ civilian gun use requires a permit in my state of Australia - if not your own, then that of the shooting range, and even that case is highly regulated.

[0] https://www.police.nsw.gov.au/online_services/firearms/clubs...

[1] http://stmarysindoorshootingcentre.com.au/admin/_files/pages...

benbristow wrote:
One problem with Windows Defender I believe is that if you were a malware author the first AV you'd want to try and bypass is Windows Defender, as it's the default which is used on most Windows PCs, for your 'MVP'.

Bypassing other AVs would really be a 'nice to have'.

staticassertion wrote:
Malware authors have tooling to run their payloads across _many_ vendors all at once. I'm sure Defender is on the shortlist, but it probably doesn't matter much.

Further, AV is inherently a "catches known threats" technology, as much as any AV may pretend otherwise. Some people will always get owned, but by virtue of those users' AV picking up samples the sample will eventually make it to various AVs.

If your goal is to avoid AV bypasses, I'd suggest changing your goals. Instead, treat AV as it is - a technology for finding known bad things. If you want to avoid unknown bad things you need to take another approach.

sumthinprofound wrote:
My firm belief is that hardware vendors do end users a disservice by preloading 3rd party anti-virus software that expires and requires payment after a period of time for virus signature updates. Typically this 3rd party software disables Defender, so once the pre-installed AV trial runs out, the user is exposed.
Nextgrid wrote:
> do end users a disservice by preloading 3rd party anti-virus software

There's a reason they're paid for doing so. If it was beneficial they'd do it for free.

sumthinprofound wrote:
Agreed. Additionally, I think it may look more impressive to novice buyers when the product lists a bunch of free (albeit worthless) software included in their purchase.

9wzYQbTYsAIc wrote:
For sure, at a minimum the only reason to be doing that is to put food on their table.

I'm sure that there are other reasons - do you have any in mind?

mojzu wrote:
Definitely, getting rid of them pretty much requires an OS reinstall too, which is incredibly annoying when it feels like I've had to waste an hour or so of my time so that the hardware vendor could make an extra buck. I occasionally get batches to do at work and I advocate against buying from vendors that do this kind of thing (for the little good it does, since they all seem to these days).

NelsonMinar wrote:
I've found that the shovelware uninstalls pretty easily on a new PC, at least McAfee, Norton, and Avast. No need to reinstall the OS, just run the AV product's uninstaller and it appears to be gone. I haven't done careful forensics to see what little bits it has left behind, but whatever they are don't seem harmful.

Still hate the shovelware. If it were a good product I would choose to install it.

sumthinprofound wrote:
My first step with a new personal computer is to boot to a thumb drive, format the disk and install what I believe to be a clean copy of Windows.

In a business environment I've always been an advocate of staging one machine, taking a drive image and using that image to clone the rest. Resolved so many issues: if the end-user mucks up their machine so badly, you just reflash the drive image and send them on their way.

mojzu wrote:
Have the options for making and installing images on Windows improved?
I've looked into some a while ago for work, but they always seemed to come with enough caveats that they wouldn't quite work for our case. E.g. very few of the machines have the same hardware configuration, and outside of a few bits of common software each department has its own unique software requirements and variation within departments.

nazgulsenpai wrote:
Yes, since Windows 8 it's improved dramatically. I've taken hard drives from a desktop that failed and booted said hard drive in a USB enclosure on a laptop (very dissimilar hardware, obviously) and after a few minutes of Updating Device Configuration, Windows boots.

Godel_unicode wrote:
To really answer this you need to separate OS image deployment from software install; put out a common base with essentially just management, security, and observability tooling in place. Then use a package management tool to roll out your LoB software. Bonus points for making that self-service so users can do it themselves.

Given how many devices use out of the box drivers, combined with the amount of drivers distributed with Windows Update, that part of the story has gotten much better as well.

sumthinprofound wrote:
I have run into that and in my experience it doesn't make sense to have dozens of different images for all the different variations. However, after getting a baseline image, one of my employees created multiple batch files (one for each department) that are run to do a silent install of department-specific software.

dvh wrote:
When I bought my last laptop it had Windows S mode and no crap whatsoever, it was vanilla Windows. I'm not sure if there is some OEM agreement not to install crapware on Windows S mode, does anybody know? You can then switch S mode off and it will become normal, clean Windows.
hackerfromthefu wrote:
I'm not sure about S mode, but there's a program called Microsoft 'Signature' that means any Signature machine you buy has only Windows and essential drivers/control apps, no extra adware or funded programs such as the time-limited anti-virus and extra jank. That's one possible explanation for getting a vanilla Windows.

Sadly that's discontinued now as Windows descends further into consumer abuse and anti-features. https://www.howtogeek.com/402888/looking-for-a-microsoft-sig...

tjoff wrote:
The end user was never even considered.

But surely Windows will activate Defender? Since any AV must register in Windows, and considering that MS isn't exactly known for respecting user wishes, I'd expect Defender to start up the same nanosecond any other AV stops.

Though I'd never put myself in a position to test that.

sumthinprofound wrote:
It has been my experience while fixing family members' computers that unless you uninstall the third-party antivirus software, Windows Defender doesn't kick in. If I recall correctly there was an instance where I tried to switch from third-party to Defender (without uninstalling the 3rd party) and it would not let me, stating that AV was managed by group policy (? I forget the exact phrasing) and I had to uninstall the other antivirus software first.

tsujamin wrote:
From memory and vague experience, if Defender detects another registered AV product it disables its engine. Techniques used by non-OEM AVs to get the telemetry and visibility they need to make decisions probably aren't "safe" when another non-cooperative AV is installed.

ec109685 wrote:
Feels like one obvious step would be to make running as a non-admin user easier. Ended up giving up with the kids' computer given so much required the admin password and there was no way (even through changing the program's options) to actually run a single program with true admin access.
Also no way to say "always allow" some action with some program.

jrm4 wrote:
I understand that many of you aren't in a position to bargain or move the needle here, but _no_ claims of safety made by Microsoft should ever be taken seriously, ever. Not until a serious mea culpa on the _extreme_ harm they've caused in this space.

Tempest1981 wrote:
I wonder what the performance impact of these changes is. There must be a reason they are disabled by default.

proactivesvcs wrote:
I'd be more concerned about what sort of undocumented behaviour now occurs as a result of these changes, and whether any of the features/options will be available tomorrow.

joe-collins wrote:
> Sometimes it is easier to break a person than their computer security. Then even the most expensive solution will not help.

> Run this bat file!

munchler wrote:
That's where I stopped reading as well. There wasn't even an attempt to explain what the batch file does.

edfletcher_t137 wrote:
Came here just to say all of this. 100%.

Also this is another direct quote from the article:

> Reading some comments on random websites I guess you don't even need a brain.

Coupled with the "just run this" batch file with no explanation... huge facepalm.

Godel_unicode wrote:
There's only one reference to a bat file in the article that I saw, but that bat file is named "gpedit-enable.bat" and is at the end of a paragraph describing how that is for enabling the local group policy editor on home editions of Windows. That script itself is also quite clear with its use of `rem` to explain what's happening. Perhaps read it again...

"Local Group Policy Editor is available only in pro/enterprise edition, but you can add it to the Home version of Windows too."

jeroenhd wrote:
Weirdly enough, most of the batch file is actually writing a VBS script to run the calling file as an admin.
The last two lines are what actually enable the policy editor (by installing the Windows feature through DISM, the normal way). Still better than no batch file, but an explanation would indeed be nice.

inglor wrote:
Hey, sorry for all the name changes of Microsoft Defender. I work at MSec (Microsoft's security org).

We ended up absorbing and acquiring a few companies to provide a better offering and a lot of re-branding happened. For example Security Center's old portal for active threat protection, automatic remediation, incident investigation etc. is all now absorbed into (the better) security.microsoft.com, which is (to my understanding, just an engineer) the current and last (for the foreseeable future) rebrand. The team I work at started as one person working on the frontend for MDE (Microsoft Defender for Endpoint) and now has hundreds of people working on the security portal across India, Israel and the US (as well as a few other smaller sites contributing).

Also, as an engineer I have to say the offering is good. The anti-virus and the telemetry are worked on by some really smart people. Client information is sacred, logging into production takes multiple audits and PII is scrubbed (heavily) any time logs are needed. We still have a lot of room to improve but I am confident in Microsoft both delivering a good product and acting in good faith (and there is a clear business incentive in the enterprise security space to do so rather than benevolence).

Beldin wrote:
> _sorry for all the name changes_

As long as you guys are not going the route of Google's approach to messaging, I'm sure we will forgive you. Nor the route of an NFC pay/wallet/money app that...

You know what? Just don't do the thing where you launch products to consumers so that someone achieves a promotion internally, and then abandon the product.
Frankly, MS has a long history of backwards compatibility, so signs are already positive.

alibert wrote:
Hello,

Anything being worked on the IO performance side of Defender? I'm still using a paid third party AV for this sole reason. The impact is so huge with NPM packages as an example...

bob1029 wrote:
IO impact is why I disable it on all my dev machines.

Microsoft really needs to make this easier to turn off too. Right now, I have to use an undisclosed privilege escalation hack-around to force things my way.

ChuckNorris89 wrote:
_> I'm still using a paid third party AV for this sole reason._

Would you mind naming it? AFAIK most third party anti-malware solutions act like rootkits, possibly introducing new attack vectors, or have become basically ad-ware and malware themselves trying to bait you into various subscriptions.

alibert wrote:
I'm using Nod32 from Eset for almost a decade now.

All AVs somehow have to hook into low level system calls, so you can't really avoid the kernel driver. Nonetheless, nod32 has been an install-and-forget AV with no interruption nor bait/nag screen at all. It's a no-bullshit AV and it does well.

I supposedly get the same protection as Defender (according to various AV test reviews) and most importantly I get the IO performance back.

cptskippy wrote:
I've been forced to use a number of products over the years at work from Trend Micro to McAfee. They all need curated exclusion lists and we have to ask developers to put all source controlled files under an excluded path common for all devs.

McAfee is by far the worst offender IMO when it comes to file IO. We eventually dropped it in part due to its insistence on locking files in App Data, which is a common scratch space for almost every Windows app.

nix23 wrote:

inglor wrote:
The inability to simply "see client data" even if you go through multiple bastions did kind of surprise me.
I worked at several startups before Microsoft where just asking the client for permission was considered OK.

This certainly makes debugging production issues much much much harder - there are certain environments whose data you simply can't access (either as a user or as an administrator) and you have to rely on telemetry (much of which you can't gather since it can possibly be used for PII - this is all an audited process) to debug issues (attaching a debugger is also prohibited since you can read data that way and the port is closed).

Instead of trusting me - think of the corporate incentive to do well here. Consider how much it would cost a company like Microsoft if employees were exposed to confidential customer data (our customers can work with medical data, so a fairly expensive legal nightmare) vs. what the company gains (engineers have a slightly easier time debugging). At Microsoft scale I guess it simply makes sense to be super strict about this.

ChuckNorris89 wrote:
_> Instead of trusting me - think of the corporate incentive to do well here._

Unfortunately, when it comes to anything Microsoft related, due diligence research and logical thinking are rarely employed by the HN crowd, and instead replaced with anger and FUD. I've lost count of the amount of comments saying Microsoft is forcing TPM to spy on us.

Not saying that the alphabet agencies or nation states couldn't misuse Microsoft's reach to get more private customer data, but that would apply to all US based corporations, not just Microsoft. And since AFAIK Microsoft seems to never have been hacked for its customers' data to be leaked like it happened to Sony and Facebook, it seems they're doing a good job so far of keeping the amateur bad actors out and their customers safe.

So thanks for commenting and sharing inside info, as some big companies ban their employees from doing the same.
nix23 wrote:
> but that would apply to all US based corporations

Thanks, no one said otherwise... but then it's not a quality standard per se ;)

BiteCode_dev wrote:
> Instead of trusting me - think of the corporate incentive to do well here. Consider how much it would cost a company like Microsoft if employees were exposed to confidential customer data (our customers can work with medical data, so a fairly expensive legal nightmare)

The last 3 decades of big players misbehaving taught us they usually get a slap on the wrist for pretty much everything at worst, and a fine of half the money they made from the feature at best.

I'm not sold.

nix23 wrote:
So true, maybe I am an old grumpy guy, but at least I learned something from the past.

Not sold too ;)

nix23 wrote:
Look, it really was not a personal attack on Microsoft engineers, but the plain and simple reality that Microsoft is a US corporation and Azure falls under the "Cloud Act" says everything; the fact that engineers don't have access to customer data is probably just to prevent leaks. And I bet Microsoft does more than 99.9% compared to others to protect customer data... but then, no one can prove it.

flower-giraffe wrote:
> Microsoft both delivering a good product and acting in good faith

I'm going to call you out on that. Microsoft lost my trust to act in good faith with personal data when they started capturing my private OS user input (e.g. the history from Windows+R (run)) and forced me to link it to my personal identity.

TedShiller wrote:
Microsoft lost my trust in the 1990's. Never been happier without them since.

tempnow987 wrote:
What does this mean - can you link to something?

If they are doing a keystroke logger (i.e., capturing typed private user data), where are they logging this keystroke log to? Or is the run command history sent up?
Are you talking about folks with "Send my activity history to Microsoft" checked?

I have a script that sets default privacy preferences to my own preference when I start using a machine, you might consider that.

flower-giraffe wrote:
> I have a script that sets default privacy preferences

Then you will probably notice that you no longer have a history for Win+R run history.

It's not unique to Windows to mine user input, but it's more recent than for example the search in iOS and less obvious than Google search.

I believed that the "personal" in Personal Computer meant that it belonged to me, and that used to be true. We are sliding down the slippery slope of allowing the software vendors to own our devices.

I think the starting point with Windows was product activation in XP, and that was quite legitimately intended to stop software licence abuse. I am still comfortable paying for closed source software but Microsoft seem to have given up on that business model.

gruez wrote:
> when they started capturing my private OS user input (e.g. the history from Windows R (run) and forced me to link it to my personal identity.

Source? Searching for "windows run dialog telemetry" on Google turns up this thread https://news.ycombinator.com/item?id=28598474, which has multiple people saying they can't reproduce it, and the author retracting the post: https://news.ycombinator.com/item?id=28608540

flower-giraffe wrote:
I observed first hand that disabling sending telemetry also disabled the history for Win+R.

It's also quite easy to observe that when you type anything into the start search interface you are steered or defaulted to searching Microsoft internet services.

gruez wrote:
> I observed first hand that disabling sending telemetry also disabled the history for win+r.

1. Okay, but how's that relevant to my original question?
Is the history being broken supposed to be smoking gun evidence that Windows is sending your "history from Windows R (run)" to Microsoft?

2. I just tried and failed[1] to reproduce this on a VM with a fresh install of Windows 10 Enterprise LTSC 2019 with "telemetry disabled". There isn't a universal standard for "telemetry disabled", but at the very least I have the "Allow Telemetry" and various search related group policies activated. I suspect what's happening is that you ran one of those "disable telemetry scripts", and that unintentionally broke it.

[1] https://i.imgur.com/WkbnBlM.png

> It's also quite easy to observe that when you type anything into the start search interface you are steered or defaulted to searching Microsoft internet services.

But we were talking about the run (Windows+R) dialog, not the start menu?

melony wrote:
Does Microsoft offer favourable treatment or withhold patches when it comes to state level APTs? Can we trust Microsoft to be neutral and offer security patches in a timely manner and defend the interests of their consumer customers above all? With the whole conflict in Europe, the issue of state level adversaries is rearing its head again.

inglor wrote:
Not the opinion of my employer but: no.

A state level attacker can likely acquire 0-day exploits that are not patched and bypass defenses.

Microsoft's offering does some really cool stuff like:

- Automatically detecting anomalous behavior in the network and isolating suspected devices/IPs/machines/programs.

- Having real time security engineers constantly monitoring your network and hunting attackers and suspicious activity.

- Tools that automatically isolate possible attackers and help measure the impact of attacks.

> Can we trust Microsoft to be neutral and offer security patches in a timely manner

Yes, that for sure.
Once an exploit is discovered it is typically very quickly identified. A lot of the time security patches don't come from Microsoft though - if you consider something like Log4Shell (the Log4j vulnerability) for example.

> defend the interests of their consumer customers above all?

I'm... not sure about "above all" since I am not sure what "all" is, but if the implication is that Microsoft won't patch a security flaw for a state level APT then "yes". At least - if it ever happened it happened _way_ above my pay grade and if employees were to learn of it there would be outrage.

> With the whole conflict in Europe, the issue of state level adversaries is raring its head again.

I think state level actors have consistently been a problem.

Note again, as already mentioned, none of this represents the opinion of my employer, just my thoughts.

chungy wrote:
> Hey, sorry for all the name changes of Microsoft Defender.

Let's be fair, naming is not a strength of Microsoft. It seems that every product other than Windows and Office is renamed every couple of weeks; and even in those two examples, explosions of SKUs manage to muddy the waters just as well (Apple's "Choose a Vista" was very much on-point, even if you preferred Windows over Mac).

matthewfcarlson wrote:
When I was at Microsoft, I campaigned hard that we should name Windows releases after dog breeds. Apple did big cats, who wouldn't love to download Windows 10 Golden Retriever? No one wants Windows 10 Fall 2021 Update for Creators.

_AzMoo wrote:
As an avid Apple user, I can't stand their naming conventions. I don't have any idea if High Sierra came before or after Mojave, or if Lion was before or after Mountain Lion. I would much prefer version numbers/years.

d110af5ccf wrote:
Yup, I also hate this in the Linux world. Debian Bullseye? Ubuntu Focal? WTF?
Ubuntu 20.04 LTS, thank you very much, please cease and desist with the "cute" names that force me to consult a chart every time I encounter them.

iPhone 10, Galaxy S7, RX470, such product names are significantly easier to keep track of.

hexane360 wrote:
Debian, Ubuntu, and Android names are all alphabetical, so you can tell which versions are newer and older. That's all version numbers are really useful for anyways.

spsful wrote:
But they do? Each version of macOS is numbered. We're on macOS 12 right now.

gruez wrote:
That doesn't help when people like to refer to the version by its name only, omitting the number, which forces you to do a lookup against Wikipedia or whatever.

itslennysfault wrote:
Honestly, I had no idea. I recently had to have my MBP repaired (new logic board... as always). So, I got it back with the latest OS (Monterey). I needed to download some software that was for specific versions of macOS, and I honestly didn't even know there was an OS 12. I thought I was still on "OSX".

If it wasn't "Monterey" and was just macOS 12 there would've been no confusion. I feel like it's always an exercise of looking up the code name to find the version whenever someone is like "Yeah, I'm on Big Sur" .... ok one sec, let me google what that even means.

NikolaNovak wrote:
Does anybody know which cat came before another though?

Numbers are best. Years are fine. Names are... cute but impractical.

zeven7 wrote:
Android alphabetical names seem fine.

d110af5ccf wrote:
TIL that they're alphabetical. I always hated them before just now, but I guess that's slightly more tolerable. Really though, please just stick to numbers if you ever have to name a product lineup. It's immediately obvious to anyone that Firefox 77 came after Firefox 76.

bartread wrote:
Naming _and_ version numbers together.
I still can't get my head around the series of organisational perversions that would be required to go through that whole period (lasting years) of .NET/.NET Core/.NET Standard/crazy versioning/divergence and convergence malarkey. This all appears to be on a more sane course now, but it's taken far too long.

d110af5ccf wrote:
I still don't fully understand which parts of the various .NET frameworks I can safely use with a fully FOSS stack on an arbitrary Linux distro or a Mac or whatever and which parts are effectively limited to Windows. The entire thing is incredibly confusing.

breakingcups wrote:
Ahem.. Looking at you Visual Studio 2005 Team System, I mean Visual Studio Team System 2008... I mean Team Foundation Server, no wait Visual Studio Team Services.. So sorry, Azure DevOps, obviously.

bonergarage wrote:
I think GitHub Azure Edition is what you're looking for.

agys wrote:
Yet, in a moment of poetry and perfect copy-writing one of the most beautiful names for a piece of software is born: Word.

...and "Windows" as well.

no_time wrote:
Saying "Client information is sacred" and stealing executables off all Windows machines with automatic sample submission on by default does not go well together.

nix23 wrote:
That's normal and even Kaspersky does it... but you can easily deactivate it, so your proprietary exe is not published ;)

PS: And that function makes sense for "the public", don't you think?

no_time wrote:
> even kaspersky does it

That's an awfully low standard to set, don't you think?

I don't think it makes sense for the public. Stealing files from unsuspecting users without as much as a popup saying "hey, we just snatched this file without you knowing this is even a possibility" is just sad.

EDIT: I just realized you are being ironic.

omegalulw wrote:
That's whataboutism.
| I absolutely do not want Microsoft grabbing stuff from my PC without asking me; it's so insidious. And then they put the switches to turn these off behind so many loops and registry flags that it's a nightmare to turn this crap off.
| hackerfromthefu wrote:
| While it has been normalized, the OP's point is correct that the lip service to client data being sacred does not match the actions of uploading clients' data!
| tpmx wrote:
| It would be awesome if you reviewed the blog post's (https://0ut3r.space/2022/03/06/windows-defender/) recommendations for accuracy/meaningfulness/etc.
| inglor wrote:
| I am not an expert - just a user and an engineer working on this. I'm happy to ask one of our PMs to review it; they know and understand the product a lot better than I do.
|
| From reading the article everything "sounded right" but that's hardly an educated opinion since I only worked on _some_ parts of the product.
|
| Actually - I think I'll ask our red team or security guild - that's also probably a good source.
| pstuart wrote:
| That would be a great Tell HN post.
| huhtenberg wrote:
| It would, but realistically there's no way it's gonna happen.
| zeeZ wrote:
| The naming and, from what I've gathered, recent changes are a mess.
|
| Recently I looked at M365 Business Premium and thought that would only include Defender for O365 (why not M365?) and require a separate subscription for Defender for Endpoint, but now it looks like Defender for Business is included.
| jmrm wrote:
| As a "family SysAdmin" I'm pretty happy about how well Windows Defender and MRT updates work.
|
| Aside from clearly aimed ransomware, today it's pretty difficult to have virus problems in Windows. Most of the time I have to repair a Windows machine it is due to a driver install problem (especially sound cards) or a system update problem.
| 4oo4 wrote:
| I think most antivirus is security theater at this point, unless you're using endpoint security like CrowdStrike Falcon, Palo Alto Cortex, Carbon Black, etc. Which, I think, only sell to B2B and not consumer.
| qxmat wrote:
| Last year I tried to source an on-demand AV scanner because we'd exhausted what clamav was capable of (it non-deterministically craps out after 2Gb and can't scan binaries). If I couldn't find a suitable drop-in replacement I was going to recommend an enterprise work-flow scanning solution that had AWS cloud integration (i.e. automatically move objects through ingress/output/quarantine S3 buckets or some kind of API we could hook to tag objects with a 'passed' label).
|
| My requirements were simple: it had to run in our cloud (AWS, eu-west-2) because of PII concerns, preferably "serverless"/ephemeral, and we needed to scan assets our data analysts would use in their day to day operations (tiny files, massive files - a bit of everything).
|
| After several time-consuming days I had to give up because I found nothing. The Internet has become a mirage of AV/malware scanning solutions that no longer exist (one of our guys reported that Sophos had a CLI tool - savscan - but when I looked it appeared to be discontinued). Almost every major vendor I came across offered an end-point product that ran on their cloud or had moved out of the malware/virus scanning market in favour of a DPI firewall. I was hampered by a lack of product documentation/feature comparison tables on the "enterprise" vendor marketing websites and the sad "cloudification" of stacks that really ought to have a CLI binary.
| huhtenberg wrote:
| > _CrowdStrike Falcon, Palo Alto Cortex, Carbon Black_
|
| These have absolutely massive issues with false positives that take ages to resolve even if reported.
| allo37 wrote:
| I don't know if this is still relevant, but around 2007 or so a buddy and I found the source code for a "research" keylogger trojan online. We compiled and ran it for kicks, and sure enough Avira (which I was using at the time, or was it still called AntiVir?) picked it up almost instantly. We swapped the order of a couple of instructions, recompiled, and glory be: Avira didn't flag it anymore!
|
| Since then I just find the least obtrusive AV and just try to avoid clicking on anything suspicious, because I'm convinced they all offer "meh" protection at best.
| _dain_ wrote:
| Was it ever not security theatre?
| peanut_worm wrote:
| Malware was definitely a lot more prevalent back in the day, and you couldn't do everything on the internet back then, so you had to download a lot more random programs off the internet.
|
| I think they definitely had a purpose a long time ago but probably not for the past 15 years.
| 4oo4 wrote:
| You're definitely right about that. I think it's from the XP days, but I remember reading about antivirus vendors creating their own security holes and vulnerabilities, where running antivirus software made your computer less secure than without it. And then when Microsoft wanted to create fixes to prevent said vulnerabilities from being exploitable, the antivirus vendors actually threatened to sue them to avoid putting in the engineering work to fix their shitty code.
|
| EDIT: In many cases, these security changes meant deep architectural changes were required to third party solutions. And most ecosystem vendors were not incented to invest heavily in their legacy apps. Some of these solutions took the unorthodox approach of modifying data structures and even instructions in the kernel in order to implement their functionality, bypassing APIs and multiprocessor locks, often causing havoc.
| At one point, something like 70% of all Windows "blue screens" were caused by these third party drivers and their unwillingness to use supported APIs to implement their functionality. Antivirus vendors were notorious for using this approach. In my role as head of Microsoft security, I personally spent years explaining to antivirus vendors why we would no longer allow them to "patch" kernel instructions and data structures in memory, why this was a security risk, and why they needed to use approved APIs going forward, that we would no longer support their legacy apps with deep hooks in the Windows kernel -- the same approach that hackers were using to attack consumer systems. Our "friends", the antivirus vendors, threatened to sue us in return, claiming we were blocking their livelihood and abusing our monopoly power! With friends like that, who needs enemies? They just wanted their old solutions to keep working even if that meant reducing the security of our mutual customers -- the very thing they were supposed to be improving.
|
| https://blog.usejournal.com/what-really-happened-with-vista-...
| mise_en_place wrote:
| These are also annoying because they hijack/MITM SSL certs and change the certificate chain with their invalid root CA. It's security through obscurity.
| inglor wrote:
| Microsoft _does_ provide a bunch of the enterprise security features other vendors provide in its home anti-virus offering.
|
| Microsoft is also the biggest vendor of enterprise endpoint security solutions - that is, Microsoft Defender and products like "Palo Alto Cortex" compete. However, the home offering of Defender _is_ quite different in terms of usage from the enterprise version and so is the amount of instrumentation.
| fernandotakai wrote:
| >CrowdStrike Falcon
|
| for the first time, i have a machine with this installed and holy damn... it's so bad. it uses 30~50% cpu all the time + tons of IO.
| how can people just accept software that just degrades your machine for small gains on security?
| 4oo4 wrote:
| Really? That's interesting. We deployed this a few months ago where I work and haven't encountered any performance issues like this. But we have had the fun of encountering BSODs when some of our end users try to use Excel.
| fernandotakai wrote:
| right now, just browsing web using hn, com.crowdstrike.falcon.Agent is using 10% cpu -- this is on an intel macbook pro 16".
|
| when i try to use docker, tmux within a terminal, it gets even worse -- i've seen it using 60% cpu + io.
| 4oo4 wrote:
| That might be the difference; my work is a 100% Windows shop, so that's why we haven't seen it. That really sucks though.
| ch0I9daAiO wrote:
| What sensor version are you running? 6.33 iirc has an issue and you'll need to upgrade to 6.34. If you have access to the support page inside the Falcon platform, run the script they have for collecting system info and submit a case to support. (not affiliated with CS, I came across a similar high CPU usage and middlemanned the comms between our Mac admin and CS).
| swasheck wrote:
| have had the exact same negative experience with this as well. imagine a hellscape with crowdstrike falcon, defender, and beyond trust all running on the same machines.
| hughrr wrote:
| Thanks for this reference. I was told I'm having this rolled out onto the infra I'm using. I have added this to the growing list of reasons to quit.
| trifit wrote:
| Most people don't even download an antivirus so this is a good walkthrough.
| fuzzy2 wrote:
| My only grief with Windows Defender is its resource use. My Windows 10 computer booted 26 hours ago. Windows Defender is using 2186 MiB of RAM. I don't think that's appropriate, even if I have 32 GiB in total.
|
| With Office 365 ATP, things get even slower, too, which is not so great on my work device.
|
| Detection rate is one thing.
| Performance is another. Both are important.
| jeroenhd wrote:
| I've never had RAM issues with Defender but I have noticed that I/O suffers terribly when Defender is enabled. Twenty second installs take five minutes, and don't you even dare try running a `yarn install` because Defender WILL scan each and every file of your 65535 dependencies and it WILL NOT use more than a single core, it seems.
|
| Whenever I see a machine that's slow or sluggish during operation but reports that only 60% of its resources are used, Windows Defender is usually the culprit. I've nerfed Windows Defender for performance reasons to the point that I wonder why I even bother anymore.
| toast0 wrote:
| > because Defender WILL scan each and every file of your 65535 dependencies and it WILL NOT use more than a single core it seems.
|
| Does yarn use more than a single core? I've seen some analysis articles that a major root cause of the slowdowns here is that the scanning API is hooked into file close and scanning takes time, so if you have a straightforward open file, write to file, close file, repeat single-threaded process, your throughput gets really limited. I don't think there's a Windows API for asynchronous close, but if you send the handle to a thread (pool?), that will get you much better results.
| jeroenhd wrote:
| I wouldn't know, to be honest. It's not just a yarn problem, though. Anything operating on lots of tiny files (from IDEs to git to setup executables) gets bogged down by Windows Defender in strange ways.
|
| None of the resources in task manager (or the resource manager thing) will show anything being capped so it's hard to troubleshoot what system Defender stresses so much.
| toast0 wrote:
| > None of the resources in task manager (or the resource manager thing) will show anything being capped so it's hard to troubleshoot what system Defender stresses so much.
|
| Yeah, task manager is missing the most useful feature of FreeBSD top, the state column that lets you know what the process was doing at the sample time. If you saw your installer was always in state close handle, you'd have a good guess. But it's a straightforward throughput problem; if it takes 1 ms to scan a file, and there's no concurrency or pipelining, then you're limited to 1000 files per second. If you can thread pool closing, you get a lot more throughput. Unfortunately, everything that runs on Windows and expects to close lots of files needs to manage a threadpool to close, but usually developers don't get to pick their platform, their users pick.
| EMM_386 wrote:
| > Windows Defender is using 2186 MiB of RAM. I don't think that's appropriate.
|
| These memory-type debates come up time and time again. Keep in mind I'm a programmer from the DOS days; note my user name on when this was an important issue. We had to cram every byte.
|
| These programs will use idle RAM as they see necessary to be performant. If you aren't using the RAM, why not actually use it for what it's for?
|
| Are you under memory pressure? How many GB of RAM do you currently have and how often are you capping it out? Try seeing what happens when you are at your GB RAM cap.
|
| "I don't think that's appropriate" is highly subjective and it depends on what it does, and what you are currently doing.
| beagle3 wrote:
| Where's the setting where one decides between file system cache, anti-virus, swap space, and other uses?
|
| If there was one, it would be fine.
| TameAntelope wrote:
| Why are you trying to manage it? Let the OS do its thing, it's really good at memory management.
| gruez wrote:
| AFAIK the OS file cache doesn't get counted towards the process's memory usage, so if Windows Defender is showing up as using 2GB of memory, it really is using 2GB of memory for the app itself.
| omegalulw wrote:
| He is saying that many programs are written to use "free RAM", ergo unless Defender is still using 2GB RAM when your PC is at your RAM limit you don't have a problem. Every OS does it, let your OS manage RAM.
| gruez wrote:
| >Every OS does it, let your OS manage RAM.
|
| Unlike Linux[1], Windows task manager correctly shows "cached" RAM as "free" RAM. Therefore it's highly unlikely that the memory usage is from the OS caching mechanism.
|
| As for the actual behavior of using free RAM, what happens if there are two apps that try to use the same behavior? i.e. you have Windows Defender and a DBMS installed, and both of them try to use up all the free RAM. In this situation, what makes you think the "using all the available free RAM" behavior of Windows Defender wouldn't push out the "using all the available free RAM" behavior of the DBMS, leading to worse performance?
|
| [1] https://www.linuxatemyram.com/
| fuzzy2 wrote:
| Sure, maybe the memory is freed (or paged out) as pressure rises. The former is however not guaranteed in any way and requires that Windows Defender (or whatever other application) actively monitor the memory situation, taking appropriate action as it changes.
|
| That's something I'd expect a database to do. A virus scanner? Not so much.
| swasheck wrote:
| every new dotnet package, powershell module, go module, container image, etc that i pull and want to start using results in about 10 minutes of complete system unavailability due to defender going off the rails with ram and cpu consumption. it used to be i'd have to wait for the compiler to build, now i have to wait for defender to defend.
| Comevius wrote:
| I have to say I never used an antivirus software before except I guess the built-in one in Windows.
|
| I think sandboxes are better for software you don't trust.
| I imagine antivirus heuristics are only useful against a handful of common threats, if at all.
| alwaysanon wrote:
| The performance and battery life impacts of Windows Defender though make it just not worth it for me. I had a few months where I went back to Linux on my ThinkPad (unfortunately with an Nvidia GPU - whose Linux drivers I think caused half my troubles) and it was soo much more performant - but it had enough various annoyances that I went back to Windows 11 and WSL2.
|
| The idea that pushed me over the edge to try it again was that, this time, I'd try disabling Defender (as I was 1/2 convinced the Linux performance boost was not having AV) and keep a fresh/clean install strictly limited to Chrome (now that I had gotten used to just using the web versions of everything), VS Code, WSL2 and that's it. Basically what I'd been doing with Linux. And so far that's been great - better performance, runs cooler and quieter, longer battery life etc. than I ever used to have with Windows.
|
| Knowing I don't have Defender I am even more careful about what I download (these days almost nothing - especially on the Windows side rather than the WSL2 Ubuntu dev side) and about ensuring everything is patched. But it is such a game-changer I am not going back...
| caymanjim wrote:
| How are people even getting viruses? I've been using Windows to varying degrees since the 1980s, and I've never once in my life gotten a virus. I never used any antivirus software. I let Windows do whatever it does by default, but it never flags anything. Are people picking up viruses from pirated games or something?
| elorant wrote:
| You, and me, and everyone else in here are not the average user. The average user clicks and opens files all the time.
| 0xbadc0de5 wrote:
| Defender has been the only worthwhile Windows AV solution for years.
| All others have been at best on-par and at worst net-negative (opening vulnerabilities that would not otherwise exist).
| 323 wrote:
| Windows Defender doesn't have heuristics/behaviour based detection.
|
| For example, if you write a simple keylogger using the Windows API in C++/Python/..., compile it and run it, an antivirus like BitDefender will block it by default. It's up to you then to allow it or not.
|
| So it can sometimes detect and block unknown malware, a thing that Windows Defender can't. So for some people it might make sense to have a more "strict" antivirus.
| fletchern wrote:
| > _Windows Defender doesn't have heuristics/behaviour based detection._
|
| Yes it does; in fact mpengine has a built-in JIT compiler for converting executables that it's scanning into safely-runnable executable code within its sandbox environment (done for performance reasons, rather than simply emulating them).
| mrits wrote:
| Well that isn't true.
| AussieWog93 wrote:
| I can say for certain that my software has been picked up by Defender's heuristics, and fixed within a matter of hours when I flagged it as a false positive.
|
| Kaspersky, on the other hand, still refuses to even look at any executable larger than 50MB.
| unnouinceput wrote:
| 1st - that "heuristic" used by BitDefender or other AV solutions is simply scanning the .exe for those API calls. This is easy to overcome by simply encrypting with even a simple XOR and dynamically loading said APIs for keylogging (I suspect you are referring to SetWindowsHookEx - the API most used by loggers, malware or not).
|
| 2nd - BitDefender is a Romanian AV, but people forget that Windows Defender is Romanian too, at its heart: formerly RAV (Reliable AntiVirus), which Microsoft acquired in the ancient times of the early 00's. See: https://en.wikipedia.org/wiki/GeCAD_Software and https://www.networkworld.com/article/2334189/microsoft-to-bu...
|
| 3rd - BitDefender is the most resource-hog AV. Also the most annoying. And it behaves like it is the only application you need, constantly begging for attention. I worked at a company that had it as a license; I hated every day there only because of it. Windows Defender, on the other hand, is so quiet that I always forget it is running.
|
| My 2 cents.
| 9wzYQbTYsAIc wrote:
| So true. Windows Defender has a ton of neat advanced features and you don't have to worry about keeping up with some other vendor of security software, either.
| kubb wrote:
| So the default settings are not secure and I need to go 10 levels deep in gpedit.msc to enable the security features?
|
| What?
| Godel_unicode wrote:
| All client security products are making tradeoffs between keeping the user safe and requiring them to read and understand configuration settings in their security products. The options recommended here fall into either the "this will break some legitimate stuff" bucket or the "this potentially uploads a lot of user data to the cloud" bucket. I agree with them being off by default; if you understand and can handle it, you can turn them on. If gpedit is scary, you should leave them alone.
___________________________________________________________________
(page generated 2022-03-06 23:00 UTC)