[HN Gopher] Windows Defender is enough, if you harden it
       ___________________________________________________________________
        
       Windows Defender is enough, if you harden it
        
       Author : h0ek
       Score  : 219 points
       Date   : 2022-03-06 19:37 UTC (3 hours ago)
        
 (HTM) web link (0ut3r.space)
 (TXT) w3m dump (0ut3r.space)
        
       | thrower123 wrote:
       | I haven't had a virus problem since the days of Windows 2000.
       | 
       | I've had an incredible number of problems caused by antivirus
       | software interfering with legitimate software.
        
         | encryptluks2 wrote:
         | None that you know of. I think virus creators have probably
         | adapted from breaking things to silently collect information.
        
           | seanw444 wrote:
           | Word. Silent data farming is certainly worth more in the long
           | run than ransomware encrypting the whole disk of some John
           | Doe.
        
           | bartimus wrote:
           | But wouldn't those infections be detected eventually? They
           | would need to update/hide their "solution" every time A/V
           | software comes with updates to detect them. It would be too
           | late already.
        
           | tupac_speedrap wrote:
            | They already have; most AV software nowadays is adware. If
            | you are lucky they'll just slurp your data and maybe get you
            | to install Chrome or some other random piece of software, but
            | some are even using your PC to mine cryptocurrency nowadays.
        
       | veganhouseDJ wrote:
        
       | heavyset_go wrote:
       | It's the first thing I disable in VMs because of what a resource
       | hog it is.
        
       | giantg2 wrote:
        
         | Natsu wrote:
         | I don't like the idea of an internet permit, but I do agree
         | with the idea that users should be taught internet safety.
         | About 20 years ago I volunteered at the library and taught such
         | a class, but only recently have I seen such classes as part of
         | workplace training. It should probably be something that is
         | taught in schools, as well. Or maybe it is covered now and I
         | just don't know?
        
           | giantg2 wrote:
            | It was loosely covered in school when I went. We had some
            | basic stuff even in middle school (20+ years ago) about using
            | anti-virus, don't click links from unknown sources, etc. If
           | schools aren't teaching the basics, then that could be a big
           | security hole for the district. At the least, it reduces the
           | protection of defense in depth and forces the school to
           | wholly rely on systems to protect the network, when users are
           | often the "in".
        
         | vore wrote:
         | I think because your original post was a wildly off-topic
         | nitpick of what the article is talking about as a whole.
        
           | giantg2 wrote:
           | I don't think it's really a nitpick to point out factual
           | inaccuracy. That happens all the time on here and is a
           | feature of an audience committed to truth.
           | 
            | As a secondary point, do you think the author's use of
            | licensing examples was on-topic? I don't see them go into any
            | detail on licensing, and it has little to nothing to do with
            | the topic of hardening Defender.
           | 
           | That said, yes, I do see that my initial comment was lacking
           | the context later added in the edit.
        
         | damagednoob wrote:
         | > "If you want to shoot a gun, you need to get a permit."
         | 
         | > Not in the US,
         | 
         | This statement seems to lack nuance and could be the reason for
         | the downvotes.
         | 
         | > Federal law does not require individuals to obtain a license
         | or permit to purchase a firearm. Several states, however, have
         | permit-to-purchase laws that function similarly to universal
         | background check laws.
         | 
         | https://www.rand.org/research/gun-policy/analysis/license-to...
        
           | charcircuit wrote:
           | Your link is about purchasing a firearm which is different
           | than just using one.
        
           | giantg2 wrote:
           | That's about purchasing. Not just shooting or even ownership.
           | 
           | For example, you can move into NJ with existing firearms that
           | you own (complying with the general laws about legality,
           | locks, etc) without the need to request a permit to purchase.
        
         | vosper wrote:
         | I downvoted you, here's why:
         | 
         | I think it's clear the author isn't proposing that people
         | should be licensed to use the internet. It's at most an aside,
         | and not the topic of the article.
         | 
         | The observation that one of his analogies doesn't apply in one
         | country (pretty sure not the one the author lives in) doesn't
         | really contribute anything IMO, and certainly we won't change
         | anyone's mind about US gun law by another comment thread. I'd
         | rather just not open that box.
        
           | giantg2 wrote:
           | They brought it up, not me. If the content doesn't contribute
           | anything, then why did they include it? Which country does it
           | apply in that you need a permit just to _shoot_ a gun?
        
             | skissane wrote:
             | > Which country does it apply in that you need a permit
             | just to _shoot_ a gun?
             | 
             | In Australia - for a civilian to shoot a gun, _somebody_
             | needs to have a license. If you want to buy a gun - or even
             | receive one as a gift - you need to apply to the police for
             | a license.
             | 
              | Now, it is possible to go to a shooting range, and pay to
              | use their gun on their premises without personally having a
              | license. However, even in that case, the range still needs
             | to have a license - indeed, not an ordinary gun license, a
             | special type of gun license which allows them to offer this
             | service to the general public. In my state (New South
             | Wales), the member of the public must show photo ID and
             | fill out a government form called a P650 [0] [1] with
             | invasive personal questions (such as if you have ever
             | attempted suicide or self-harm, have received treatment for
             | alcoholism, drug dependence or mental illness, etc). Lying
             | on the form is a crime (although given the form is not sent
             | to the police, only retained by the range, it may be hard
             | to detect). If you answer "Yes" to any of those invasive
             | personal questions, you are not allowed to shoot, unless
             | the range makes a special application to the police for an
             | exemption in your individual case, and the police decide to
             | grant it.
             | 
             | So, effectively, _all_ civilian gun use requires a permit
             | in my state of Australia - if not your own, then that of
             | the shooting range, and even that case is highly regulated.
             | 
             | [0] https://www.police.nsw.gov.au/online_services/firearms/
             | clubs...
             | 
             | [1] http://stmarysindoorshootingcentre.com.au/admin/_files/
             | pages...
        
       | benbristow wrote:
       | One problem with Windows Defender I believe is that if you were a
       | malware author the first AV you'd want to try and bypass is
       | Windows Defender as it's the default which is used on most
       | Windows PCs for your 'MVP'.
       | 
       | Bypassing other AVs would really be a 'nice to have'
        
         | staticassertion wrote:
          | Malware authors have tooling to run their payloads across
          | _many_ vendors all at once. I'm sure Defender is on the
          | shortlist, but it probably doesn't matter much.
         | 
         | Further, AV is inherently a "catches known threats" technology,
         | as much as any AV may pretend otherwise. Some people will
         | always get owned but by virtue of those users' AV picking up
         | samples the sample will eventually make it to various AVs.
         | 
         | If your goal is to avoid AV bypasses, I'd suggest changing your
         | goals. Instead, treat AV as it is - a technology for finding
         | known bad things. If you want to avoid unknown bad things you
         | need to take another approach.
        
       | sumthinprofound wrote:
        | My firm belief is that hardware vendors do end users a
        | disservice by preloading 3rd party anti-virus software that
        | expires and requires payment after a period of time for virus
       | signature updates. Typically this 3rd party software disables
       | Defender, so once the pre-installed AV trial runs out, the user
       | is exposed.
        
         | Nextgrid wrote:
         | > do end users a disservice by preloading 3rd party anti-virus
         | software
         | 
         | There's a reason they're paid for doing so. If it was
         | beneficial they'd do it for free.
        
           | sumthinprofound wrote:
            | Agreed. Additionally, I think it may look more impressive to
           | novice buyers when the product lists a bunch of free (albeit
           | worthless) software included in their purchase.
        
           | 9wzYQbTYsAIc wrote:
           | For sure, at a minimum the only reason to be doing that is to
           | put food on their table.
           | 
           | I'm sure that there are other reasons - do you have any in
           | mind?
        
         | mojzu wrote:
         | Definitely, getting rid of them pretty much requires an OS
         | reinstall too which is incredibly annoying when it feels like
         | I've had to waste an hour or so of my time so that the hardware
         | vendor could make an extra buck. I occasionally get batches to
         | do at work and I advocate against buying from vendors that do
         | this kind of thing (for the little good it does, since they all
         | seem to these days)
        
           | NelsonMinar wrote:
           | I've found that the shovelware uninstalls pretty easily in a
           | new PC, at least McAfee, Norton, and Avast. No need to
           | reinstall the OS, just run the AV product's uninstaller and
           | it appears to be gone. I haven't done careful forensics to
           | see what little bits it has left behind but whatever they are
           | don't seem harmful.
           | 
           | Still hate the shovelware. If it were a good product I would
           | choose to install it.
        
           | sumthinprofound wrote:
            | My first step with a new personal computer is to boot to a
            | thumb drive, format the disk and install what I believe to be
            | a clean copy of Windows.
           | 
           | In a business environment I've always been an advocate of
           | staging one machine taking a drive image and using that image
           | to clone the rest. Resolved so many issues if the end-user
           | mucks up their machines so bad you just reflash the drive
           | image and send them on their way.
        
             | mojzu wrote:
              | Have the options for making and installing images on
              | Windows improved? I looked into some a while back for work,
              | but they always seemed to come with enough caveats that
              | they wouldn't quite work for our case. E.g. very few of the
              | machines have the same hardware configuration, and outside
              | of a few bits of common software each department has its
              | own unique software requirements and variation within
              | departments.
        
               | nazgulsenpai wrote:
               | Yes, since Windows 8 it's improved dramatically. I've
               | taken hard drives from a desktop that failed and booted
               | said hard drive in a USB enclosure on a laptop (very
               | dissimilar hardware, obviously) and after a few minutes
               | of Updating Device Configuration, Windows boots.
        
               | Godel_unicode wrote:
               | To really answer this you need to separate OS image
               | deployment from software install; put out a common base
               | with essentially just management, security, and
               | observability tooling in place. Then use a package
               | management tool to roll out your LoB software. Bonus
               | points for making that self-service so users can do it
               | themselves.
               | 
               | Given how many devices use out of the box drivers,
               | combined with the amount of drivers distributed with
               | Windows update, that part of the story has gotten much
               | better as well.
        
               | sumthinprofound wrote:
               | I have run into that and in my experience it doesn't make
               | sense to have dozens of different images for all the
                | different variations. However, after getting a baseline
                | image, one of my employees created multiple batch files
                | (one for each department) that are run to do a silent
                | install of department-specific software.
        
         | dvh wrote:
          | When I bought my last laptop it had Windows S mode and no crap
          | whatsoever; it was vanilla Windows. I'm not sure if there is
          | some OEM agreement not to install crapware on Windows S mode,
          | does anybody know? You can then switch S mode off and it will
          | become normal, clean Windows.
        
           | hackerfromthefu wrote:
            | I'm not sure about S mode, but there's a program called
            | Microsoft 'Signature' that means any Signature machine you
            | buy has only Windows and essential drivers/control apps, no
            | extra adware or funded programs such as the time-limited
            | anti-virus and extra jank. That's one possible explanation
            | for getting a vanilla Windows.
           | 
           | Sadly that's discontinued now as Windows descends further
           | into consumer abuse and anti-features.
           | https://www.howtogeek.com/402888/looking-for-a-microsoft-
           | sig...
        
         | tjoff wrote:
         | The end user was never even considered.
         | 
         | But surely windows will activate defender? Since any AV must
         | register in windows and considering that MS isn't exactly known
         | for respecting user wishes I'd expect defender to start up the
         | same nanosecond any other AV stops.
         | 
          | Though I'd never put myself in a position to test that.
        
           | sumthinprofound wrote:
            | It has been my experience while fixing family members'
            | computers that unless you uninstall the third-party antivirus
            | software, Windows Defender doesn't kick in. If I recall
            | correctly, there was an instance where I tried to switch from
            | third-party to Defender (without uninstalling the 3rd party)
            | and it would not let me, stating that AV was managed by group
            | policy (? I forget the exact phrasing) and I had to uninstall
            | the other antivirus software first.
        
           | tsujamin wrote:
            | From memory and vague experience, if Defender detects another
            | registered AV product it disables its engine. Techniques used
            | by non-OEM AVs to get the telemetry and visibility they need
            | to make decisions probably aren't "safe" when another non-
            | cooperative AV is installed.
        
       | ec109685 wrote:
        | Feels like one obvious step would be to make running as a non-
        | admin user easier. Ended up giving up on the kids' computer given
        | how much required an admin password and there was no way (even
        | through changing the program's options) to actually run a single
        | program with true admin access. Also no way to say "always allow"
        | some action with some program.
        
       | jrm4 wrote:
       | I understand that many of you aren't in a position to bargain or
       | move the needle here, but _no_ claims of safety made by Microsoft
        | should ever be taken seriously, ever. Not until a serious mea
        | culpa on the _extreme_ harm they've caused in this space.
        
       | Tempest1981 wrote:
       | I wonder what the performance impact of these changes is. There
       | must be a reason they are disabled by default.
        
         | proactivesvcs wrote:
          | I'd be more concerned about what sort of undocumented behaviour
          | now occurs as a result of these changes, and whether any of
          | the features/options will be available tomorrow.
        
       | joe-collins wrote:
       | > Sometimes it is easier to break a person than their computer
       | security. Then even the most expensive solution will not help.
       | 
       | > Run this bat file!
        
         | munchler wrote:
         | That's where I stopped reading as well. There wasn't even an
         | attempt to explain what the batch file does.
        
           | edfletcher_t137 wrote:
            | Came here just to say all of this. 100%.
           | 
           | Also this is another direct quote from the article:
           | 
           | > Reading some comments on random websites I guess you don't
           | even need a brain.
           | 
           | Coupled with the "just run this" batch file with no
           | explanation... huge facepalm.
        
           | Godel_unicode wrote:
           | There's only one reference to a bat file in the article that
           | I saw, but that bat file is named "gpedit-enable.bat" and is
           | at the end of a paragraph describing how that is for enabling
           | the local group policy editor on home editions of Windows.
            | That script itself is also quite clear with its use of `rem`
            | to explain what's happening. Perhaps read it again...
           | 
           | "Local Group Policy Editor is available only in
           | pro/enterprise edition, but you can add it to the Home
           | version of Windows too."
        
         | jeroenhd wrote:
         | Weirdly enough, most of the batch file is actually writing a
         | VBS script to run the calling file as an admin.
         | 
         | The last two lines are what actually enable the policy editor
         | (by installing the Windows feature through DISM, the normal
         | way). Still better than no batch file, but an explanation would
         | indeed be nice.
        
       | inglor wrote:
       | Hey, sorry for all the name changes of Microsoft Defender. I work
       | at MSec (Microsoft's security org).
       | 
       | We ended up absorbing and acquiring a few companies to provide a
       | better offering and a lot of re-branding happened. For example
       | Security Center's old portal for active threat protection,
       | automatic remediation, incident investigation etc is all now
       | absorbed into (the better) security.microsoft.com which is (to my
       | understanding, just an engineer) the current and last (for the
       | foreseeable future) rebrand. The team I work at started as one
       | person working on the frontend for MDE (Microsoft Defender for
       | Endpoint) and now has hundreds of people working on the security
       | portal across India, Israel and the US (as well as a few other
       | smaller sites contributing).
       | 
       | Also, as an engineer I have to say the offering is good. The
       | anti-virus and the telemetry is worked on by some really smart
       | people. Client information is sacred, logging into production
       | takes multiple audits and PII is scrubbed (heavily) any time logs
       | are needed. We still have a lot of room to improve but I am
       | confident in Microsoft both delivering a good product and acting
       | in good faith (and there is a clear business incentive in the
       | enterprise security space to do so rather than benevolence).
        
         | Beldin wrote:
         | > _sorry for all the name changes_
         | 
         | As long as you guys are not going the route of google's
         | approach to messaging, I'm sure we will forgive you. Nor the
         | route of an NFC pay/wallet/money app that...
         | 
         | You know what? Just don't do the thing where you launch
         | products to consumers so that someone achieves a promotion
         | internally, and then abandon the product.
         | 
         | Frankly, MS has a long history of backwards compatibility, so
         | signs are already positive.
        
         | alibert wrote:
         | Hello,
         | 
         | Anything being worked on the IO performance side of Defender?
         | I'm still using a paid third party AV for this sole reason. The
         | impact is so huge with NPM packages as an example...
        
           | bob1029 wrote:
           | IO impact is why I disable it on all my dev machines.
           | 
           | Microsoft really needs to make this easier to turn off too.
           | Right now, I have to use an undisclosed privilege escalation
           | hack-around to force things my way.
        
           | ChuckNorris89 wrote:
           | _> I'm still using a paid third party AV for this sole
           | reason._
           | 
            | Would you mind naming it? AFAIK most third-party anti-malware
            | solutions act like rootkits, possibly introducing new attack
            | vectors, or have become basically ad-ware and malware
            | themselves, trying to bait you into various subscriptions.
        
             | alibert wrote:
             | I'm using Nod32 from Eset for almost a decade now.
             | 
              | All AVs somehow have to hook into low-level system calls, so
              | you can't really avoid the kernel driver. Nonetheless, NOD32
              | has been an install-and-forget AV with no interruption nor
              | bait/nag screen at all. It's a no-bullshit AV and it does
              | well.
              | 
              | I supposedly get the same protection as Defender (according
              | to various AV test reviews) and, most importantly, I get the
              | IO performance back.
        
           | cptskippy wrote:
           | I've been forced to use a number of products over the years
           | at work from Trend Micro to McAfee. They all need curated
           | exclusion lists and we have to ask developers to put all
           | source controlled files under an excluded path common for all
           | devs.
           | 
            | McAfee is by far the worst offender IMO when it comes to file
            | IO. We eventually dropped it, in part due to its insistence on
            | locking files in AppData, which is a common scratch space for
            | almost every Windows app.
        
         | nix23 wrote:
        
           | inglor wrote:
           | The inability to simply "see client data" even if you go
           | through multiple bastions did kind of surprise me. I worked
           | at several startups before Microsoft where just asking the
           | client for permission was considered OK.
           | 
           | This certainly makes debugging production issues much much
           | much harder - there are certain environments whose data you
           | simply can't access (either as a user or as an administrator)
           | and you have to rely on telemetry (much of which you can't
           | gather since it can possibly be used for PII - this is all an
           | audited process) to debug issues (attaching a debugger is
           | also prohibited since you can read data that way and the port
           | is closed).
           | 
           | Instead of trusting me - think of the corporate incentive to
           | do well here. Consider how much it would cost a company like
           | Microsoft if employees were exposed to confidential customer
           | data (our customers can work with medical data, so a fairly
           | expensive legal nightmare) vs. what the company gains
           | (engineers have a slightly easier time debugging). At
           | Microsoft scale I guess it simply makes sense to be super
           | strict about this.
        
             | ChuckNorris89 wrote:
             | _> Instead of trusting me - think of the corporate
             | incentive to do well here._
             | 
             | Unfortunately, when it comes to anything Microsoft related,
             | due diligence research and logical thinking is rarely
             | employed by the HN crowd, and instead replaced with anger
             | and FUD. I've lost count of the amount of comments saying
             | Microsoft is forcing TPM to spy on us.
             | 
             | Not saying that the alphabet agencies or nation states
             | couldn't misuse Microsoft's reach to get more private
             | customer data, but that would apply to all US based
             | corporations, not just Microsoft. And since AFAIK,
             | Microsoft seems to never have been hacked for its
             | customers' data to be leaked like it happened to Sony and
             | Facebook, it seems they're doing a good job so far of
             | keeping the amateur bad actors out and their customers
             | safe.
             | 
             | So thanks for commenting and sharing inside infos, as some
             | big companies ban their employees from doing the same.
        
               | nix23 wrote:
               | >but that would apply to all US based corporations
               | 
                | Thanks, no one said otherwise....but then it's not a
                | quality standard per se ;)
        
             | BiteCode_dev wrote:
             | > Instead of trusting me - think of the corporate incentive
             | to do well here. Consider how much it would cost a company
             | like Microsoft if employees were exposed to confidential
             | customer data (our customers can work with medical data, so
             | a fairly expensive legal nightmare)
             | 
             | The last 3 decades of big players misbehaving taught us
             | they usually get a slap on the wrist for pretty much
             | everything at worst, and a fine of half the money they made
             | from the feature at best.
             | 
             | I'm not sold.
        
               | nix23 wrote:
                | So true, maybe I am an old grumpy guy, but at least I
                | learned something from the past.
               | 
               | Not sold too ;)
        
             | nix23 wrote:
              | Look, it really was not a personal attack on Microsoft
              | engineers, but the plain and simple reality that Microsoft
              | is a US corporation and Azure falls under the "Cloud Act"
              | says everything; the fact that engineers don't have access
              | to customer data is probably just to prevent leaks. And I
              | bet Microsoft does more than 99.9% of others to protect
              | customer data...but then, no one can prove it.
        
         | flower-giraffe wrote:
         | > Microsoft both delivering a good product and acting in good
         | faith
         | 
          | I'm going to call you out on that. Microsoft lost my trust to
          | act in good faith with personal data when they started
          | capturing my private OS user input (e.g. the history from
          | Windows+R (run)) and forced me to link it to my personal
          | identity.
        
           | TedShiller wrote:
           | Microsoft lost my trust in the 1990's. Never been happier
           | without them since.
        
           | tempnow987 wrote:
            | What does this mean? Can you link to something?
            | 
            | If they are doing a keystroke logger (i.e., capturing typed
            | private user data), where are they logging this keystroke log
            | to? Or is the run command history sent up?
           | 
           | Are you talking about folks with Send my activity history to
           | microsoft checked?
           | 
           | I have a script that sets default privacy preferences to my
           | own preference when I start using a machine, you might
           | consider that.
        
             | flower-giraffe wrote:
             | > I have a script that sets default privacy preferences
             | 
             | Then you will probably notice that you no longer have a
             | history for Win+R run history.
             | 
             | It's not unique to Windows to mine user input but it's more
             | recent than for example the search in iOS and less obvious
             | than Google search.
             | 
             | I believed that the "personal" in Personal Computer meant
             | that it belonged to me, and that used to be true. We are
             | sliding down the slippery slope of allowing the software
             | vendors to own our devices.
             | 
              | I think the starting point with Windows was product
              | activation in XP, and that was quite legitimately intended
             | to stop software licence abuse. I am still comfortable
             | paying for closed source software but Microsoft seem to
             | have given up on that business model.
        
           | gruez wrote:
           | >when they started capturing my private OS user input (e.g.
           | the history from Windows R (run) and forced me to link it to
           | my personal identity.
           | 
           | Source? Searching for "windows run dialog telemetry" on
           | google turns up this thread
           | https://news.ycombinator.com/item?id=28598474, which has
           | multiple people saying they can't reproduce it, and the
           | author retracting the post:
           | https://news.ycombinator.com/item?id=28608540
        
             | flower-giraffe wrote:
             | I observed first hand that disabling sending telemetry also
             | disabled the history for win+r.
             | 
             | It's also quite easy to observe that when you type anything
             | into the start search interface you are steered or
             | defaulted to searching Microsoft internet services.
        
               | gruez wrote:
               | > I observed first hand that disabling sending telemetry
               | also disabled the history for win+r.
               | 
               | 1. Okay, but how's that relevant to my original question?
               | Is the history being broken supposed to be smoking gun
               | evidence that windows is sending your "history from
               | Windows R (run)" to microsoft?
               | 
               | 2. I just tried and failed[1] to reproduce this on a VM
               | with a fresh install of Windows 10 Enterprise LTSC 2019
               | with "telemetry disabled". There isn't a universal
               | standard for "telemetry disabled", but at the very least
               | I have the "Allow Telemetry" and various search related
               | group policies activated. I suspect what's happening is
               | that you ran one of those "disable telemetry scripts",
               | and that unintentionally broke it.
               | 
               | [1] https://i.imgur.com/WkbnBlM.png
               | 
               | >It's also quite easy to observe that when you type
               | anything into the start search interface you are steered
               | or defaulted to searching Microsoft internet services.
               | 
               | but we were talking about the run (windows-R) dialog, not
               | the start menu?
        
         | melony wrote:
         | Does Microsoft offer favourable treatment or withhold patches
         | when it comes to state level APTs? Can we trust Microsoft to be
         | neutral and offer security patches in a timely manner and
         | defend the interests of their consumer customers above all?
         | With the whole conflict in Europe, the issue of state level
         | adversaries is rearing its head again.
        
           | inglor wrote:
           | Not the opinion of my employer but: no.
           | 
           | A state level attacker can likely acquire 0-day exploits that
           | are not patched and bypass defenses.
           | 
           | Microsoft's offering does some really cool stuff like:
           | 
           | - Automatically detecting anomalous behavior in the network
           | and isolating suspected devices/ips/machines/programs.
           | 
           | - Have real time security engineers constantly monitoring
           | your network and hunting attackers and suspicious activity.
           | 
           | - Tools that automatically isolate possible attackers and
           | help measure the impact of attacks.
           | 
           | > Can we trust Microsoft to be neutral and offer security
           | patches in a timely manner
           | 
           | Yes, that for sure. Once an exploit is discovered it is
           | typically very quickly identified. A lot of the times
           | security patches don't come from Microsoft though - if you
           | consider something like Log4Shell (the Log4J vulnerability)
           | for example.
           | 
           | > defend the interests of their consumer customers above all?
           | 
           | I'm... not sure about "above all" since I am not sure what
           | "all" is but if the implication is that Microsoft won't patch
           | a security flaw for a state level APT then "yes". At least -
           | if it ever happened it happened _way_ above my pay grade and
           | if employees would learn of it there would be outrage.
           | 
           | > With the whole conflict in Europe, the issue of state level
           | adversaries is rearing its head again.
           | 
           | I think state level actors have consistently been a problem.
           | 
           | Note again as already mentioned none of this represents the
           | opinion of my employer, just my thoughts.
        
         | chungy wrote:
         | > Hey, sorry for all the name changes of Microsoft Defender.
         | 
         | Let's be fair, naming is not a strength of Microsoft. It seems
         | that every product other than Windows and Office is renamed
         | every couple of weeks; and even in those two examples,
         | explosions of SKUs manage to muddle the waters just as well
         | (Apple's "Choose a Vista" was very much on-point, even if you
         | preferred Windows over Mac).
        
           | matthewfcarlson wrote:
           | When I was at microsoft, I campaigned hard that we should
           | name windows releases after dog breeds. Apple did big cats,
           | who wouldn't love to download windows 10 golden retriever? No
           | one wants windows 10 fall 2021 update for creators.
        
             | _AzMoo wrote:
             | As an avid Apple user, I can't stand their naming
             | conventions. I don't have any idea if High Sierra came
             | before or after Mojave, or if Lion was before or after
             | Mountain Lion. I would much prefer version numbers/years.
        
               | d110af5ccf wrote:
               | Yup, I also hate this in the Linux world. Debian
               | Bullseye? Ubuntu Focal? WTF? Ubuntu 20.04LTS thank you
               | very much please cease and desist with the "cute" names
               | that force me to consult a chart every time I encounter
               | them.
               | 
               | iPhone 10, Galaxy S7, RX470, such product names are
               | significantly easier to keep track of.
        
               | hexane360 wrote:
               | Debian, Ubuntu, and Android names are all alphabetical,
               | so you can tell which versions are newer and older.
               | That's all version numbers are really useful for anyways.
        
               | spsful wrote:
               | But they do? Each version of macOS is numbered. We're on
               | macOS 12 right now.
        
               | gruez wrote:
               | That doesn't help when people like to refer to the
               | version by its name only, omitting the number, which
               | forces you to do a lookup against wikipedia or whatever.
        
               | itslennysfault wrote:
               | Honestly, I had no idea. I recently had to have my MBP
               | repaired (new logic board... as always). So, I got it
               | back with the latest OS (Monterey). I needed to download
               | some software that was for specific versions of MacOS,
               | and I honestly didn't even know there was a OS 12. I
               | thought I was still on "OSX".
               | 
               | If it wasn't "Monterey" and was just MacOS 12 there
               | would've been no confusion. I feel like it's always an
               | exercise of looking up the code name to find the version
               | whenever someone is like "Yeah, I'm on Big Sur" .... ok
               | one sec, let me google what that even means.
        
             | NikolaNovak wrote:
             | Does anybody know which cat came before another though?
             | 
             | Numbers are best. Years are fine. Names are... Cute but
             | Impractical.
        
               | zeven7 wrote:
               | Android alphabetical names seem fine.
        
               | d110af5ccf wrote:
               | TIL that they're alphabetical. I always hated them before
               | just now but I guess that's slightly more tolerable.
               | Really though, please just stick to numbers if you ever
               | have to name a product lineup. It's immediately obvious
               | to anyone that Firefox 77 came after Firefox 76.
        
           | bartread wrote:
           | Naming _and_ version numbers together. I still can't get my
           | head around the series of organisational perversions that
           | would be required to go through that whole period (lasting
           | years) of .NET/.NET Core/.NET Standard/crazy
           | versioning/divergence and convergence malarkey. This all
           | appears to be on a more sane course now but it's taken far
           | too long.
        
             | d110af5ccf wrote:
             | I still don't fully understand which parts of the various
             | .NET frameworks I can safely use with a fully FOSS stack on
             | an arbitrary Linux distro or a Mac or whatever and which
             | parts are effectively limited to Windows. The entire thing
             | is incredibly confusing.
        
           | breakingcups wrote:
           | Ahem.. Looking at you Visual Studio 2005 Team System, I mean
           | Visual Studio Team System 2008... I mean Team Foundation
           | Server, no wait Visual Studio Team Services.. So sorry, Azure
           | DevOps, obviously.
        
             | bonergarage wrote:
             | I think Github Azure Edition, is what you're looking for
        
           | agys wrote:
           | Yet, in a moment of poetry and perfect copy-writing one of
           | the most beautiful names for a piece of software is born:
           | Word.
           | 
           | ...and "Windows" as well.
        
         | no_time wrote:
         | Saying "Client information is sacred" and stealing executables
         | off all windows machines with the automatic sample submission
         | on by default does not go well together.
        
           | nix23 wrote:
           | That's normal and even kaspersky does it...but you can easily
           | deactivate it, so your proprietary exe is not published ;)
           | 
           | PS: And that function makes sense for "the public" don't you
           | think?
        
             | no_time wrote:
             | >even kaspersky does it
             | 
             | That's an awfully low standard to set, don't you think?
             | 
             | I don't think it makes sense for the public. Stealing files
             | from unsuspecting users without as much as a popup saying
             | "hey, we just snatched this file without you knowing this
             | is even a possibility" is just sad.
             | 
             | EDIT: i just realized you are being ironic
        
             | omegalulw wrote:
             | That's whataboutism. I absolutely do not want Microsoft
             | grabbing stuff from my PC without asking me, it's so
             | insidious. And then they put the switches to turn these off
             | behind so many loops and registry flags that it's a
             | nightmare to turn this crap off.
        
             | hackerfromthefu wrote:
             | While it has been normalized, the OP's point is correct that
             | the lip service to client data being sacred does not match
             | the actions of uploading clients' data!
        
         | tpmx wrote:
         | It would be awesome if you reviewed the blog post's
         | (https://0ut3r.space/2022/03/06/windows-defender/)
         | recommendations for accuracy/meaningfulness/etc.
        
           | inglor wrote:
           | I am not an expert - just a user and an engineer working on
           | this. I'm happy to ask one of our PMs to review it they know
           | and understand the product a lot better than I do.
           | 
           | From reading the article everything "sounded right" but
           | that's hardly an educated opinion since I only worked on
           | _some_ parts of the product.
           | 
           | Actually - I think I'll ask our red team or security guid -
           | that's also probably a good source.
        
             | pstuart wrote:
             | That would be a great Tell HN post.
        
               | huhtenberg wrote:
               | It would, but realistically there's no way it's gonna
               | happen.
        
         | zeeZ wrote:
         | The naming and, from what I've gathered, recent changes are a
         | mess.
         | 
         | Recently I looked at M365 business premium and thought that
         | would only include Defender for O365 (why not M365?) and
         | require a separate subscription for Defender for Endpoint, but
         | now it looks like Defender for Business is included.
        
       | jmrm wrote:
       | As a "family SysAdmin" I'm pretty happy about how well Windows
       | Defender and MRT updates work.
       | 
       | Aside from clearly aimed ransomware, today it's pretty difficult to
       | have virus problems in Windows. Most of the time I have to repair
       | any Windows machine is due to a driver install problem (especially
       | sound cards) or a system update problem.
        
       | 4oo4 wrote:
       | I think most antivirus is security theater at this point, unless
       | you're using endpoint security like CrowdStrike Falcon, Palo Alto
       | Cortex, Carbon Black, etc., which I think only sell B2B and
       | not to consumers.
        
         | qxmat wrote:
         | Last year I tried to source an on-demand AV scanner because
         | we'd exhausted what clamav was capable of (it
         | non-deterministically craps out after 2Gb and can't scan binaries).
         | If I couldn't find a suitable drop-in replacement I was going to
         | recommend an enterprise work-flow scanning solution that had
         | AWS cloud integration (i.e. automatically move objects through
         | ingress/output/quarantine S3 buckets or some kind of API we
         | could hook to tag objects with a 'passed' label).
         | 
         | My requirements were simple: it had to run in our cloud (AWS,
         | eu-west-2) because of PII concerns, preferably
         | "serverless"/ephemeral and we needed to scan assets our data
         | analysts would use in their day to day operations (tiny files,
         | massive files - a bit of everything).
         | 
         | After several time-consuming days I had to give up because I
         | found nothing. The Internet has become a mirage of av/malware
         | scanning solutions that no longer exist (one of our guys
         | reported that Sophos had a CLI tool - savscan - but when I
         | looked it appeared to be discontinued). Almost every major
         | vendor I came across offered an end-point product that ran on
         | their cloud or had moved out of the malware/virus scanning
         | market in favour of a DPI firewall. I was hampered by a lack of
         | product documentation/feature comparison tables on the
         | "enterprise" vendor marketing websites and sad "cloudification"
         | of stacks that really ought to have a CLI binary.
        
         | huhtenberg wrote:
         | > _CrowdStrike Falcon, Palo Alto Cortex, Carbon Black_
         | 
         | These have absolutely massive issues with false positives that
         | take ages to resolve even if reported.
        
         | allo37 wrote:
         | I don't know if this is still relevant, but around 2007 or so a
         | buddy and I found the source code for a "research" keylogger
         | trojan online. We compiled and ran it for kicks, and sure
         | enough Avira (which I was using at the time, or was it still
         | called AntiVir?), picked it up almost instantly. We swapped the
         | order of a couple of instructions, recompiled, and glory be:
         | Avira didn't flag it anymore!
         | 
         | Since then I just find the least obtrusive AV and just try to
         | avoid clicking on anything suspicious, because I'm convinced
         | they all offer "meh" protection at best.
        
         | _dain_ wrote:
         | Was it ever not security theatre?
        
           | peanut_worm wrote:
           | Malware was definitely a lot more prevalent back in the day
           | and you couldn't do everything on the internet back then so
           | you had to download a lot more random programs off the
           | internet.
           | 
           | I think they definitely had a purpose a long time ago but
           | probably not for the past 15 years.
        
           | 4oo4 wrote:
           | You're definitely right about that. I think it's from the XP
           | days, but I remember reading about antivirus vendors creating
           | their own security holes and vulnerabilities, where running
           | antivirus software made your computer less secure than
           | without it. And then when Microsoft wanted to create fixes to
           | prevent said vulnerabilities from being exploitable, the
           | antivirus vendors actually threatened to sue them to avoid
           | putting in the engineering work to fix their shitty code.
           | 
           | EDIT:
           | 
           | In many cases, these security changes meant deep architectural
           | changes were required to third party solutions. And most
           | ecosystem vendors were not incented to invest heavily in their
           | legacy apps. Some of these solutions took the unorthodox
           | approach of modifying data structures and even instructions in
           | the kernel in order to implement their functionality, bypassing
           | APIs and multiprocessor locks, often causing havoc. At one
           | point, something like 70% of all Windows "blue screens" were
           | caused by these third party drivers and their unwillingness to
           | use supported APIs to implement their functionality. Antivirus
           | vendors were notorious for using this approach.
           | 
           | In my role as head of Microsoft security, I personally spent
           | years explaining to antivirus vendors why we would no longer
           | allow them to "patch" kernel instructions and data structures
           | in memory, why this was a security risk, and why they needed to
           | use approved APIs going forward, that we would no longer
           | support their legacy apps with deep hooks in the Windows
           | kernel -- the same approach that hackers were using to attack
           | consumer systems. Our "friends", the antivirus vendors,
           | threatened to sue us in return, claiming we were blocking
           | their livelihood and abusing our monopoly power! With friends
           | like that, who needs enemies? They just wanted their old
           | solutions to keep working even if that meant reducing the
           | security of our mutual customers -- the very thing they were
           | supposed to be improving.
           | 
           | https://blog.usejournal.com/what-really-happened-with-
           | vista-...
        
         | mise_en_place wrote:
         | These are also annoying because they hijack/MITM SSL certs and
         | change the certificate chain with their invalid root CA. It's
         | security through obscurity.
        
         | inglor wrote:
         | Microsoft _does_ provide a bunch of the enterprise security
         | features other vendors provide in its home anti-virus offering.
         | 
         | Microsoft is also the biggest vendor of enterprise endpoint
         | security solutions - that is Microsoft Defender and products
         | like "Palo Alto Cortex" compete. However, the home offering of
         | Defender _is_ quite different in terms of usage from the
         | enterprise version and so is the amount of instrumentation.
        
         | fernandotakai wrote:
         | >CrowdStrike Falcon
         | 
         | for the first time, i have a machine with this installed and
         | holy damn... it's so bad. it uses 30~50% cpu all the time +
         | tons of IO. how can people just accept software that just
         | degrades your machine for small gains on security?
        
           | 4oo4 wrote:
           | Really? That's interesting. We deployed this a few months ago
           | where I work and haven't encountered any performance
           | issues like this. But we have had the fun of encountering
           | BSODs when some of our end users try to use Excel.
        
             | fernandotakai wrote:
             | right now, just browsing web using hn,
             | com.crowdstrike.falcon.Agent is using 10% cpu -- this is on
             | an intel macbook pro 16".
             | 
             | when i try to use docker, tmux within a terminal, it gets
             | even worse -- i've seen it using 60% cpu + io.
        
               | 4oo4 wrote:
               | That might be the difference, my work is a 100% Windows
               | shop, so that's why we haven't seen it. That really sucks
               | though.
        
               | ch0I9daAiO wrote:
               | What sensor version are you running? 6.33 iirc has an
               | issue and you'll need to upgrade to 6.34. If you have
               | access to the support page inside the Falcon platform,
               | run the script they have for collecting system info and
               | submit a case to support. (not affiliated with CS, I came
               | across a similar high CPU usage and middlemanned the
               | comms between our Mac admin and CS).
        
           | swasheck wrote:
           | have had the exact same negative experience with this as
           | well. imagine a hellscape with crowdstrike falcon, defender,
           | and beyond trust all running on the same machines.
        
           | hughrr wrote:
           | Thanks for this reference. I was told I'm having this rolled
           | out onto the infra I'm using. I have added this to the
           | growing list of reasons to quit.
        
       | trifit wrote:
       | Most people don't even download an antivirus so this is a good
       | walkthrough.
        
       | fuzzy2 wrote:
       | My only grief with Windows Defender is its resource use. My
       | Windows 10 computer booted 26 hours ago. Windows Defender is
       | using 2186 MiB of RAM. I don't think that's appropriate, even if
       | I have 32 GiB in total.
       | 
       | With Office 365 ATP, things get even slower, too, which is not so
       | great on my work device.
       | 
       | Detection rate is one thing. Performance is another. Both are
       | important.
        
         | jeroenhd wrote:
         | I've never had RAM issues with Defender but I have noticed that
         | I/O suffers terribly when Defender is enabled. Twenty second
         | installs take five minutes, and don't you even dare try running
         | a `yarn install` because Defender WILL scan each and every file
         | of your 65535 dependencies and it WILL NOT use more than a
         | single core it seems.
         | 
         | Whenever I see a machine that's slow or sluggish during
         | operation but reports that only 60% of its resources are used,
         | Windows Defender is usually the culprit. I've nerfed Windows
         | Defender for performance reasons to the point that I wonder why
         | I even bother anymore.
        
           | toast0 wrote:
           | > because Defender WILL scan each and every file of your
           | 65535 dependencies and it WILL NOT use more than a single
           | core it seems.
           | 
           | Does yarn use more than a single core? I've seen some
           | analysis articles that a major root cause of the slowdowns
           | here are that the scanning API is hooked into file close and
           | scanning takes time, so if you have a straightforward open
           | file, write to file, close file, repeat single threaded
           | process, your throughput gets really limited. I don't think
           | there's a Windows API for asynchronous close, but if you send
           | the handle to a thread (pool?), that will get you much better
           | results.
        
             | jeroenhd wrote:
             | I wouldn't know, to be honest. It's not just a yarn
             | problem, though. Anything operating on lots of tiny files
             | (from IDEs to git to setup executables) gets bogged down by
             | Windows Defender in strange ways.
             | 
             | None of the resources in task manager (or the resource
             | manager thing) will show anything being capped so it's hard
             | to troubleshoot what system Defender stresses so much.
        
               | toast0 wrote:
               | > None of the resources in task manager (or the resource
               | manager thing) will show anything being capped so it's
               | hard to troubleshoot what system Defender stresses so
               | much.
               | 
               | Yeah, task manager is missing the most useful feature of
               | FreeBSD top, the state column that lets you know what the
               | process was doing at the sample time. If you saw your
               | installer was always in state close handle, you'd have a
               | good guess. But it's a straightforward throughput
               | problem; if it takes 1 ms to scan a file, and there's no
               | concurrency or pipelining, then you're limited to 1000
               | files per second. If you can thread pool closing, you get
               | a lot more throughput. Unfortunately, everything that
               | runs on windows and expects to close lots of files needs
               | to manage a threadpool to close, but usually developers
               | don't get to pick their platform, their users pick.
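As an added example (my own code, not from the thread or any product), the throughput effect toast0 describes: a constructed 1 ms sleep stands in for a scan-on-close hook, and deferring each close to a thread pool lets those costs overlap instead of serialising the writer.

```python
"""Added example: a fixed per-close cost throttles a single-threaded
open/write/close loop; handing the close to a worker pool pipelines it.

The per-close delay is constructed: a sleep standing in for the
scan-on-close hook an on-access scanner installs. The real hook's cost
is not modelled, only the scheduling effect of paying it serially.
"""
import os
import tempfile
import time
from concurrent.futures import ThreadPoolExecutor

SCAN_DELAY_S = 0.001   # constructed: 1 ms "scan" charged to every close
PAYLOAD = b"x" * 64    # constructed file contents


def scanned_close(fh):
    """Close a handle, then pay the constructed scan-on-close latency."""
    fh.close()
    time.sleep(SCAN_DELAY_S)


def write_files_serial(directory, count):
    """open/write/close in one thread: each close sits on the critical
    path, so the loop is bounded to about 1 / SCAN_DELAY_S files/s."""
    for i in range(count):
        fh = open(os.path.join(directory, f"serial-{i}.bin"), "wb")
        fh.write(PAYLOAD)
        scanned_close(fh)
    return count


def write_files_pooled(directory, count, workers=16):
    """Same writes, but every close is submitted to a worker pool, so up
    to `workers` scans overlap while the main thread keeps writing."""
    futures = []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for i in range(count):
            fh = open(os.path.join(directory, f"pooled-{i}.bin"), "wb")
            fh.write(PAYLOAD)
            futures.append(pool.submit(scanned_close, fh))
        # Wait for every deferred close (re-raising any error it produced)
        # before declaring the batch complete.
        for f in futures:
            f.result()
    return count


def all_written(directory, prefix, count):
    """True if every file of the batch exists with the full payload."""
    return all(
        os.path.getsize(os.path.join(directory, f"{prefix}-{i}.bin"))
        == len(PAYLOAD)
        for i in range(count)
    )


def measure(writer, prefix, count=200):
    """Run one writer in a scratch directory; return (files/s, all_ok)."""
    with tempfile.TemporaryDirectory() as d:
        start = time.perf_counter()
        writer(d, count)
        elapsed = time.perf_counter() - start
        ok = all_written(d, prefix, count)
    return count / elapsed, ok


def compare(count=200):
    """Both throughputs plus integrity flags, so the speed-up is checkable
    without trusting printed output."""
    serial_fps, serial_ok = measure(write_files_serial, "serial", count)
    pooled_fps, pooled_ok = measure(write_files_pooled, "pooled", count)
    return {
        "serial_fps": serial_fps,
        "pooled_fps": pooled_fps,
        "serial_ok": serial_ok,
        "pooled_ok": pooled_ok,
    }


if __name__ == "__main__":
    r = compare()
    print(f"serial: {r['serial_fps']:.0f} files/s, "
          f"pooled: {r['pooled_fps']:.0f} files/s")
```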
        
         | EMM_386 wrote:
         | > Windows Defender is using 2186 MiB of RAM. I don't think
         | that's appropriate.
         | 
         | These memory-type debates come up time and time again. Keep in
         | mind I'm a programmer from the DOS days, note my user name on
         | when this was an important issue. We had to cram every byte.
         | 
         | These programs will use idle RAM as they see necessary to be
         | performant. If you aren't using the RAM, why not actually use
         | it for what it's for?
         | 
         | Are you under memory pressure? How many GB of RAM do you
         | currently have and how often are you capping it out? Try seeing
         | what happens when you are at your GB RAM cap.
         | 
         | "I don't think that's appropriate" is highly subjective and it
         | depends on what it does, and what you are currently doing.
        
           | beagle3 wrote:
           | Where's the setting where one decides between file system
           | cache, anti-virus, swap space, and other uses?
           | 
           | If there was one, it would be fine.
        
             | TameAntelope wrote:
             | Why are you trying to manage it? Let the OS do its thing,
             | it's really good at memory management.
        
               | gruez wrote:
               | AFAIK the OS file cache doesn't get counted towards the
               | process's memory usage, so if windows defender is showing
               | up as using 2GB of memory, it really is using 2GB of
               | memory for the app itself.
        
             | omegalulw wrote:
             | He is saying that many programs are written to use "free
             | RAM", ergo unless defender is still using 2GB ram when your
             | PC is at your RAM limit you don't have a problem. Every OS
             | does it, let your OS manage RAM.
        
               | gruez wrote:
               | >Every OS does it, let your OS manage RAM.
               | 
               | Unlike linux[1], windows task manager correctly shows
               | "cached" ram as "free" ram. Therefore it's highly
               | unlikely that the memory usage is from the OS caching
               | mechanism.
               | 
               | As for the actual behavior of using free ram, what
               | happens if there are two apps that try to use the same
               | behavior? ie. you have windows defender and a DBMS
               | installed, both of them try to use up all the free ram.
               | In this situation, what makes you think the behavior of
               | "using all the available free RAM" behavior of windows
               | defender wouldn't push out the "using all the available
               | free RAM" behavior of the DBMS, leading to worse
               | performance?
               | 
               | [1] https://www.linuxatemyram.com/
        
           | fuzzy2 wrote:
           | Sure maybe the memory is freed (or paged out) as pressure
           | rises. The former is however not guaranteed in any way and
           | requires that Windows Defender (or whatever other
           | application) actively monitor the memory situation, taking
           | appropriate action as it changes.
           | 
           | That's something I'd expect a database to do. A virus
           | scanner? Not so much.
        
             | swasheck wrote:
             | every new dotnet package, powershell module, go module,
             | container image, etc that i pull and want to start using
             | results in about 10 minutes of complete system
             | unavailability due to defender going off the rails with ram
             | and cpu consumption. it used to be i'd have to wait for the
             | compiler to build, now i have to wait for defender to
             | defend.
        
       | Comevius wrote:
       | I have to say I never used an antivirus software before except I
       | guess the built-in one in Windows.
       | 
       | I think sandboxes are better for software you don't trust. I
       | imagine antivirus heuristics are only useful against a handful of
       | common threats, if at all.
        
       | alwaysanon wrote:
       | The performance and battery life impacts of Windows Defender
       | though make it just not worth it for me. I had a few
       | months where I went back to Linux on my ThinkPad (unfortunately
       | with an nvidia gpu - whose Linux drivers I think caused half my
       | troubles) and it was soo much more performant - but it had enough
       | various annoyances where I went back to Windows 11 and WSL2.
       | 
       | The idea that pushed me over the edge to try it again was that,
       | this time, I'd try disabling Defender (as I was 1/2 convinced the
       | Linux performance boost was not having AV) and keep a fresh/clean
       | install strictly limited to Chrome (now that I had gotten used to
       | just using the web versions of everything), VS Code, WSL2 and
       | that's it. Basically what I'd been doing with Linux. And so far
       | that's been great - better performance, runs cooler and quieter,
       | longer battery life etc. than I ever used to have with Windows.
       | 
       | Knowing I don't have Defender I am even more careful about what I
       | download (these days almost nothing - especially on the Windows
       | side rather than the WSL2 Ubuntu dev side) and about ensuring
       | everything is patched. But it is such a game-changer I am not
       | going back...
        
       | caymanjim wrote:
       | How are people even getting viruses? I've been using Windows to
       | varying degrees since the 1980s, and I've never once in my life
       | gotten a virus. I never used any antivirus software. I let
       | Windows do whatever it does by default, but it never flags
       | anything. Are people picking up viruses from pirated games or
       | something?
        
         | elorant wrote:
         | You, and me, and everyone else in here are not the average
         | user. The average user clicks and opens files all the time.
        
       | 0xbadc0de5 wrote:
       | Defender has been the only worthwhile Windows AV solution for
       | years. All others have been at best on-par and at worst
       | net-negative (opening vulnerabilities that would not otherwise
       | exist).
        
       | 323 wrote:
       | Windows Defender doesn't have heuristics/behaviour based
       | detection.
       | 
       | For example, if you write a simple keylogger using the Windows
       | API in C++/Python/..., compile it and run it, an antivirus like
       | BitDefender will block it by default. It's up to you then to
       | allow it or not.
       | 
       | So it can sometimes detect and block unknown malware, a thing
       | that Windows Defender can't. So for some people it might make
       | sense to have a more "strict" antivirus.
        
         | fletchern wrote:
          | > _Windows Defender doesn't have heuristics/behaviour based
          | detection._
         | 
         | Yes it does, in fact mpengine has a built-in JIT compiler for
         | converting executables that it's scanning into safely-runnable
         | executable code within its sandbox environment (done for
         | performance reasons, rather than simply emulating them).
        
         | mrits wrote:
         | Well that isn't true.
        
         | AussieWog93 wrote:
         | I can say for certain that my software has been picked up by
         | Defender's heuristics, and fixed within a matter of hours when
         | I flagged it as a false positive.
         | 
         | Kaspersky, on the other hand, still refuses to even look at any
         | executable larger than 50MB.
        
         | unnouinceput wrote:
          | 1st - those "heuristics" used by BitDefender or other AV
          | solutions are simply scanning the .exe for those API calls.
          | This is easy to overcome by simply encrypting with even a
          | simple XOR and dynamically loading said APIs for keylogging (I
          | suspect you are referring to SetWindowsHookEx - the most used
          | API by loggers, malware or not).
         | 
          | 2nd - BitDefender is a Romanian AV, but people forget that
          | Windows Defender is Romanian too, at its heart: the former
          | RAV (Reliable AntiVirus) that Microsoft acquired in the
          | ancient times of the early 00s. See:
         | https://en.wikipedia.org/wiki/GeCAD_Software and
         | https://www.networkworld.com/article/2334189/microsoft-to-bu...
         | 
          | 3rd - BitDefender is the most resource-hogging AV. Also the most
          | annoying. And it behaves like it is the only application you
          | need, constantly begging for attention. I worked at a company
          | that had it licensed; I hated every day there only because of
          | it. Windows Defender on the other hand is so quiet that I
          | always forget it is running.
         | 
         | My 2 cents.
        
       | 9wzYQbTYsAIc wrote:
       | So true. Windows Defender has a ton of neat advanced features and
       | you don't have to worry about keeping up with some other vendor
       | of security software, either.
        
       | kubb wrote:
       | So the default settings are not secure and I need to go 10 levels
       | deep in gpedit.msc to enable the security features?
       | 
       | What?
        
         | Godel_unicode wrote:
         | All client security products are making tradeoffs between
         | keeping the user safe and requiring them to read and understand
         | configuration settings in their security products. The options
         | recommended here fall into either the "this will break some
         | legitimate stuff" bucket or the "this potentially uploads a lot
         | of user data to the cloud". I agree with them being off by
         | default; if you understand and can handle it, you can turn them
         | on. If gpedit is scary, you should leave them alone.
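        The settings kubb and Godel_unicode are talking about can also be set
        from an elevated PowerShell prompt instead of clicking through
        gpedit.msc (Computer Configuration > Administrative Templates > Windows
        Components > Microsoft Defender Antivirus). The script below is an added
        example written for this page; it is not code from the linked article or
        from any commenter, and since the article's actual recommendations are
        not quoted in the thread, the particular set of options chosen here is an
        assumption about what "hardening Defender" commonly means. It is grouped
        into the two buckets Godel_unicode names: options that send more data to
        Microsoft's cloud, and options that can break legitimate software.

```powershell
# Added example: hardening Microsoft Defender from an elevated PowerShell
# prompt. The option list is this editor's assumption of common hardening
# choices, not the linked article's list. Review each line before running it.

# --- Cloud-backed detection (the "uploads data to the cloud" bucket) ---
Set-MpPreference -MAPSReporting Advanced                # join MAPS: Disabled / Basic / Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples  # or SendAllSamples / NeverSend / AlwaysPrompt
Set-MpPreference -CloudBlockLevel High                  # stricter cloud verdicts than Default
Set-MpPreference -CloudExtendedTimeout 50               # wait up to 50 extra seconds for a verdict

# --- Local protections that are off or lax by default ---
Set-MpPreference -PUAProtection Enabled                 # block potentially unwanted applications
Set-MpPreference -EnableNetworkProtection Enabled       # block known-bad hosts for every process, not just Edge
Set-MpPreference -EnableControlledFolderAccess AuditMode  # log first; Enabled blocks untrusted writes to user folders

# --- Attack Surface Reduction rules (the "breaks legitimate stuff" bucket) ---
# Keys are Microsoft's published ASR rule GUIDs; the value is the rule's name.
$asrRules = @{
  'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
  'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
  '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
  '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
  'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
  '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
  '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
  'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
foreach ($id in $asrRules.Keys) {
  Write-Host "Enabling ASR rule: $($asrRules[$id])"
  Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# The prevalence/age/trusted-list rule is the one most likely to block
# legitimate but rare binaries (your own builds, niche tools). Audit it first
# and read the events under Microsoft-Windows-Windows Defender/Operational
# before switching it to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids '01443614-CD74-433A-B99E-2ECDC07BFC25' `
                 -AttackSurfaceReductionRules_Actions AuditMode

# --- Verify what actually took effect ---
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel,
  CloudExtendedTimeout, PUAProtection, EnableNetworkProtection,
  EnableControlledFolderAccess, AttackSurfaceReductionRules_Ids,
  AttackSurfaceReductionRules_Actions
```

        Two caveats a practitioner will run into: settings pushed by Group
        Policy or Intune override whatever Set-MpPreference writes locally, so
        on a managed machine check Get-MpPreference rather than trusting the
        script ran cleanly; and Tamper Protection may refuse some changes made
        from PowerShell, in which case the equivalent switch has to be flipped
        in Windows Security or via policy.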
        
       ___________________________________________________________________
       (page generated 2022-03-06 23:00 UTC)