Back

MS Windows Defender and DeCSS

169 points12 hoursarch13.com
marcodiego3 hours ago

I fear anti-virus and firewall software may in the near future be used to guarantee DRM features.

I fear the day when I try to play media I legally own from another region and can't play it because of region blocking and can't circumvent it because my "defense" software prevents me.

Another thing that scares me: services requiring said kinds of software. The mobile world is somewhat like this already and it is basically what bars users from using their mobile phones as full blown computers even though said phone are powerful enough for that.

grishka2 hours ago

As long as the hardware allows booting arbitrary code, this kind of DRM remains technically impossible.

There's nothing to stop you from booting into another OS and deleting the files implementing the harmful functionality. If there are checks for the presence of these files in other parts of the OS, you can remove them.

IMO it's a very dangerous attitude when people consider software immutable. You can achieve a lot by modifying software made by other people.

ddalex2 hours ago

> There's nothing to stop you from booting into another OS and deleting the files implementing the harmful functionality. If there are checks for the presence of these files in other parts of the OS, you can remove them

Encrypted disks with TPM-stored keys will certainly prevent unauthorised modification to a filesystem

> hardware allows booting arbitrary code

And this particular cat is already out of the bag with Win 11 REQUIRING TPM support with verified boot.

The war against general-purpose computing is in the final stages, and the garden-keepers have already won for almost everything that matters. Yes, you can still source open hardware and they will not fight against technical elites - a minority - but for the vast majority of users, it's over because they LIKE the closed apps holding data hostage.

grishka2 hours ago

So this might be a dumb question, but what's there to prevent someone emulating a TPM? What's there to prevent someone nop'ing out the code that implements the TPM functionality in Windows? Where does the root of trust (or, rather, distrust) come from?

+2
marcosdumay1 hour ago
userbinator1 hour ago

What's there to prevent someone nop'ing out the code that implements the TPM functionality in Windows?

Nothing absolute, mainly a long series of annoying hurdles - including the constant barrage of updates.

Fiahil8 hours ago

I'm so happy to see a thread on Windows Defender, because my org recently switched antivirus software and I can't wait to tell you how bad it is !

There's a hidden feature in Defender, that will delight any user : it can turn your 15" MacBook Pro into a full breakfast machine. Want pancakes ? Start a zoom call.

While you wait for your favorite video conference app to start, don't hope to finish your docker pull/save/build in less than 30 times its usual time. Your laptop I/O will be so cripled that you might get better bandwith with a floppy disk drive (I'm exagerating a bit, but that's how it feels to go from 120MB/s to 4MB/s on a SSD).

Our Mac IT is completely powerless. I never thought I would ever regret getting rid of Symantec. I was wrong.

Flow2 hours ago

Our company just switched from Symantec to Windows Defender and so far I'm very pleased. On my Windows laptop the fans were running more or less all the time when we had Symantec. With Defender the computer is nearly dead silent.

When looking in Task Manager before, it seemed that Symantec used more CPU than even Visual Studio and related processes.

foepys7 hours ago

We are using Defender at work, too. There is a group policy that lets Defender do a full system scan once a week.

To not interfere with the user there allegedly is a group policy setting to limit the CPU usage and it is set to 15%. The thing is, it simply does not work. Every week my fans spin up to max, Defender hogs all my CPU cores, 25% of my GPU according to the Task Manager. Even typing becomes laggy.

The only way to stop it is to open Task Scheduler and end the scheduled task from there.

nix237 hours ago

Wait...your are local Admin on your machine?

tallanvor6 hours ago

Outside of highly regulated environments, technical staff usually have local admin rights. Is it a risk? Yes, although one that can be minimized. Letting people do what they need to do with minimal interference is an important part of keeping employees happy.

+1
causi2 hours ago
AnIdiotOnTheNet3 hours ago

Everyone at the company I work for has local admin on their machines. It is not the big deal people make it out to be.

1) Malware doesn't care. It is happy to eat the user's personal data or anything they have access to on the network.

2) The OS is easily replicable if it gets damaged or destroyed thanks to imaging.

3) Whitelisting applications is a bitch to implement properly and causes a lot of friction for users.

4) There is one PC per user, so there's absolutely no reason to protect the PC from it's user.

gspr6 hours ago

I'd quit my job if work didn't let me be root on my work machine.

+1
nix236 hours ago
+1
ocdtrekkie3 hours ago
leokennis20 minutes ago

My very good solution on dealing with corporate antivirus: noise cancelling headphones.

marcodiego2 hours ago

I remember a few students using windows that took a very very long time to compile anything; even smallish single-file examples. Is is possible that this slowness is caused by windows checking the binaries that were just compiled?

munchbunny2 hours ago

Not just the binaries. The source code too.

A common practice is to exclude both the whole repo and the compiler from Defender.

nix237 hours ago

Oh man....a mac with antivirus software...is your IT's mindset from the 90s?

AnIdiotOnTheNet3 hours ago

People apparently disagree, but I'm with you. The idea that antivirus software is actually a worthwhile mitigation tool is a relic from the 90s. Malware defeats antivirus all the time, and sometimes even exploits it directly. Meanwhile, aggressive antivirus software is eating a percentage of every single task you do on your computer, actively impeding your work every second of your day.

The tradeoff is not worth it, in my professional opinion.

mszcz2 hours ago

While I wholeheartedly agree with you, I think that putting the horrible piece of shit antivirus software on enterprise boxes is a cover-your-ass tactic. It's required from IT depts to be able to say they followed industry standard practices and did their due diligence to prevent threats, regardless of whether those have any useful, practical effects at all.

My wife has a brand new corp issued Carbon X1 and I can hear it routinely spin fans 100% because of Norton FuckYourCPUandIO (tm) software doing nothing of use besides inducing anger.

hdjjhhvvhga2 hours ago

Of course it's not worth it, but in many orgs it's required for compliance. It may change in the future as most people realize it's not that useful, just like NIST changed the rule about password updates.

On the other hand, it might seem useless because malware creators know it's there. Basically all functional pieces of malware have to go through VirusTotal otherwise they won't be effective. But if all orgs dump antivirus software it would be a bit like giving up MMR vaccination in children.

nix232 hours ago

Compliance for the sake of Compliance is just to protect ones ass and has nothing todo with security (aka no one gets fired for buying IBM)

astura2 hours ago

Most companies have to have Antivirus anyway, for compliance reasons.

_fat_santa2 hours ago

My company recently signed a deal with a healthcare company to do some work on their systems. I got a laptop from this company, MBP 16" so not bad. But lord oh lord are there so many things on this laptop.

Two worst offenders are:

- Antivirus: Just hogs memory, the scan runs "throughout the day" and I've had to resort to using scripts to shut the thing down just so my code will compile.

- Other annoying features: Lets make you stare at a dayglow green wallpaper and give you no way to change it to something that doesn't offend your eyes, lets place a bunch of icons on your dock and desktop that you can't get rid of, just bookmarks to common apps. Lets also make a popup show up on your laptop every day to remind you that you need to upgrade to OneDrive but forget to give me the permission to actually upgrade so this message repeats itself and fails every time..

endrant.

novok7 hours ago

You'd be surprised about how many high profile silicon valley companies use similar software such as crowdstrike or carbon black.

It's a scourge.

Macha6 hours ago

Unfortunately many big customers insist on it as part of security questionaires and depending on who audits your compliance with certain security standards, they may insist it's required too.

xmodem6 hours ago

My work mac has both Carbon Black and FireEye. It takes 30% longer to do a large build of an open source project than my personal laptopk, despite having 2 more cores and twice the RAM.

dirkf6 hours ago

We even have McAfee on our Linux machines... And yes, doing a build is impacted by this...

nix236 hours ago

Holy caracho!! I understand if you have it on a file-server (bad rep if you send a MS-Word-Macrovirus to a Customer) but on a linux build server?? That's just madness!

mavhc5 hours ago

A Mac with AntiVirus software written by Microsoft.

kmonsen7 hours ago

Google, Amazon and Facebook do that as well (at least if you include Santa as antivirus).

nix236 hours ago

No Santa is the right way to do it (whitelisting binary's), that's the opposite of an antivirus.

qwerty4561277 hours ago

MS Windows Defender is generally good (I actually prefer it and preferred its SecurityEssentials predecessor to all the other antiviruses) but seems really notorious in removing non-virus "threats". It also removes NirSoft (and some Sysinternals IIRC) utilities regularly. Yesterday, trying to download the recent version of LibreOffice, I have even found found out I have no qBitTorrent installed any more - it killed it also. I really wish I could just put a regex filter to bulk-allow some classes of "threats" ("HackTool:" and "PUA:") permanently.

1_player6 hours ago

I don't know if my installation is broken, but I haven't had Defender remove what I thought was a legitimate binary since I first installed Windows 10. Literally not one single time on half a dozen installations.

FWIW I installed and ran qBitTorrent recently and it didn't complain.

qwerty4561275 hours ago

> I haven't had Defender remove what I thought was a legitimate binary

Probably because you are closer to a "typical" kind of user who doesn't use "hack tools" (which some people like me use for absolutely legal and benevolent purposes "hacking" their own PC, e.g. to backup the passwords and e-mail records saved on it). By the way it also is very important to distinguish between a legitimate hack tool and an infected hack tool and I am not sure they do.

> I installed and ran qBitTorrent recently and it didn't complain.

They just added a slightly old version to their threats database and didn't add the most recent version there yet.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...

https://www.reddit.com/r/qBittorrent/comments/lwqjm9/qbitbor...

1_player4 hours ago

I just checked, perhaps the fact that I have "reputation-based" blocking always disabled helps, which seems to avoid that kind of false positive. I am not a fan of my OS phoning home to check every single executable I run. Either it's in the virus database, or I'm tech-savvy enough not to run any .exe I receive via e-mail.

https://www.tenforums.com/tutorials/32236-enable-disable-mic...

qwerty4561273 hours ago

I didn't even know there is such a "reputation" option. Today Windows configuration windows are way harder to find anything (what you don't already know is there/where) in than they used to be even in Windows 7, let alone XP (where everything was way more intuitive and easy to discover). As for submitting the files to Microsoft - I believe I have disabled that but in the today context I can't be sure it didn't get enabled on itself.

cm21877 hours ago

I disagree that it is good. It was good. But now it is indistinguishable from a malware. It regularly takes 100% CPU, it prevents many of my own apps from running, and if you switch off real-time protection it switches itself back on like any respectable rootkit.

unnouinceput7 hours ago

Use Deluge. The best IMO.

skeletron5 hours ago

What I really don't like about Defender and other antivirus products is they'll silently send your files to the mothership to be analyzed, without even letting you know that's happened, or any straightforward way to find out. I understand that's a large source of new malware samples for them, but it's an awful antiprivacy behavior.

npteljes4 hours ago

Another dark pattern here is that there's an option to turn this off, and I turned it off, only to be nagged weekly to turn it back on! Fuckers don't take no for an answer, until I'm nagged into clicking yes. And the UI acts like this is some security warning, with a yellow exclamation mark and everything.

trishmapow22 hours ago

In Windows Security click settings on the bottom left and then you can manage notifications.

Ashanmaril34 minutes ago

Earlier this year I spent a month or 2 working on a little Go project for a very niche little usecase (it would read a MIDI file and write it to a text file in a format that could be inserted into Super Mario World romhacks [or try to anyway])

After spending all that time working on it, I was hoping that I could just compile to the various OS/architectures and distribute that, but once someone tried using it I quickly found out that as soon as you downloaded my program, Windows Defender would flag it as malware and quarantine it. Even the builds in my project workspace that I compiled myself would get flagged/quarantined once it caught them.

I tried doing some research and it seems to just be a regular thing with Go apps because I think the runtime code would be common across malware written in Go, so basically all Go programs are automatically assumed to be malware by Windows unless you buy a cert and/or get enough people using it.

Or maybe this is more common than just Go programs. I've never really done anything like this before. But I ended up just abandoning attempting to release it properly and left the source code up on Github so if someone wants to compile it themselves they can. But the whole experience was a bit discouraging. It seems like there's really no cheap/easy way to distribute software. Webapps require hosting, and native code is assumed to be malware by default.

Shadonototro31 minutes ago

windows defender

aggressively scan every .jar, but totally ignores .net executables

no wonder they do something similar with go executables, it's easy to recognize them after all

john_moscow10 hours ago

To be fair, this does look like a false positive.

In general, the desktop antivirus space in 2021 is a mess. Because of the sheer number of malware, and some obfuscation techniques used by some of it, antivirus software has to use very broad regular expressions for describing the malware, counterbalanced by huge whitelists of known mainstream software.

If you don't qualify as a "mainstream software vendor", simply building a random piece of code into an exe file will get you about 10% chance of getting flagged by one of the "heuristic engines" if you upload it to VirusTotal.

You can contact the A/V vendor and they will usually add it to the whitelist, but it only lasts until the next rebuild. Or you can rebuild it a couple of times with different optimization levels, and the detection sometimes goes away.

howaboutnope10 hours ago

Deleting both the exe and the source code makes a false positive seem rather unlikely to me.

jcrawfordor10 hours ago

The source code in question appears to have been obfuscated (possibly just for brevity). I'd guess the Defender signature in question was written around the packer/obfuscator.

eurasiantiger7 hours ago

Wanna bet the signature is the hex key?

eru9 hours ago

> In general, the desktop antivirus space in 2021 is a mess. Because of the sheer number of malware, and some obfuscation techniques used by some of it, antivirus software has to use very broad regular expressions for describing the malware, counterbalanced by huge whitelists of known mainstream software.

Why do they have to use regular expressions?

zinekeller7 hours ago

"Regular expressions" as a concept, not PCRE regex.

icare_1er6 hours ago

The amount of false-positives with WinDef is insane, it's pretty much like any desktop link to as shared drive is considered malware right of the bat without even inspecting it.

Let alone documents with macros...

Having said that, I wouldn't want to be one of those having to implement detection logics because the malware jungle is so creative that it's pretty much an impossible job they have to do.

kwonkicker10 hours ago

I don't care how broad your definition is, it shouldn't include the mp4 files in my hard drive.

npteljes4 hours ago

How so? Everything that's interacted with by a computer can be exploited - in case of media files, here's[0] one example that gets talked about. I understand your frustration about flagging your harmless files as malicious, but it really shows just how difficult is to properly detect malware.

[0] https://security.stackexchange.com/questions/97856/can-simpl...

magicalhippo1 hour ago

I think most users would be happy to avoid getting infected via content files like videos and pictures[1][2].

Us power users can always just configure the exception list.

[1]: https://docs.microsoft.com/en-us/security-updates/SecurityBu...

[2]: https://www.kb.cert.org/vuls/id/297462

geofft10 hours ago

Er, doesn't that assume that the mp4 files on your hard drive can't genuinely be infected with viruses? Why is that assumption true?

Xylakant7 hours ago

Especially given how common media files are as an attack vector.

+1
gruez1 hour ago
integricho9 hours ago

I don't believe they use regular expressions.

pmalynin9 hours ago

Why not? I.e. is that from experience on working on anti malware remediation systems?

eurasiantiger7 hours ago

What would it match against? ASCII strings? Add a whitelisted string and make your malware pass.

The heuristics are much more complex than that, cf. spamassassin rules.

+1
pwdisswordfish87 hours ago
kmonsen6 hours ago

The thing is, malware vendors can do the same. At least for zero day attacks you just test them on the target’s antivirus to make sure it will not discover the malware.

RcouF1uZ4gsC8 hours ago

> In general, the desktop antivirus space in 2021 is a mess.

I don’t think that antivirus is helpful in 2021. I think the most important thing you can do is make sure you are all patched and do not run as administrator.

Antivirus is likely to be unable to catch the really bad stuff, and it actually increases your attack surface. In addition, you pay a performance tax all the time. IMO, just not worth it.

ooboe11 hours ago

His comment in /r/sysadmin:

"Setting a Windows Defender exception to the folder does not prevent the quarantine from occurring. I re-ran this test three times trying exceptions and even the entire NAS drive as on the excluded list."

Windows Defender is overriding the user whitelist?

hulitu8 hours ago

Microsoft knows better. We are here to protect you.

raverbashing8 hours ago

People who ignored the AV exception requested by Kaseya didn't get a surprise ransomware in their systems

dataflow9 hours ago

I wonder if it's related to the tamper protection setting? I know that setting makes it ignore other settings like group policy, though I've never seen it ignore whitelists, but maybe they've changed that?

RachelF10 hours ago

from that forum it also seems like Windows Defender is deleting a .txt file containing the source code.

ooboe10 hours ago

Yes, if true, this would invalidate the "heuristics error on exe" argument.

npteljes4 hours ago

Absolutely it does. I had one problematic file that I had to add it to the whitelist every month or so, otherwise Defender removed it. Nevermind the fact that adding it to the whitelist was a PITA, I never figured out why the setting haven't stuck; the file in question wasn't changing at all.

cesarb9 hours ago

For future reference, that comment seems to be at https://old.reddit.com/r/sysadmin/comments/oof29b/windows_de...

sneak10 hours ago

In addition, Windows also quarantines and deletes innocuous Windows activation crack tools that contain no malware whatsoever, but can be used to activate Windows independently of Microsoft.

It's really amazing the attitude Microsoft takes regarding hardware that isn't theirs, including the nonconsensual forced autoupdate.

jeroenhd2 hours ago

That's not just a Windows feature, though. My experience with _every other antivirus_ has always been that anything related to cracking or keygens is flagged as a virus.

In my opinion, Windows Defender is still the best antivirus software for consumers. That's not a compliment to Windows Defender, that's an insult to antivirus companies all over the world.

gogopuppygogo9 hours ago

I was under the impression that with Windows 10 we shifted to the product being the users data. The customers are now advertisers.

eurasiantiger7 hours ago

From what I’ve understood, that is a correct impression.

aardvarkr10 hours ago

Oh no, they’re making the world safer by encouraging the adoption of the latest security patches and bug fixes? And giving away best-in-class security software that you can disable at any time? How evil. You must really have loved the days of Norton Antivirus.

dexterhaslem7 hours ago

you may have misread the parent comment? it is deleting things completely unrelated to malware

dexterhaslem7 hours ago

ughhh this is why i ended up completely disabling it

0x_rs7 hours ago

Defender, as per Windows 10 philosophy, is extremely annoying to use with its UI and behavior that makes you feel every setting and button you press is entirely useless and nothing will change. A shame the old Security Essentials UI was removed entirely, it was the only bearable hack-y way to use it. I just disable it permanently on every machine. The anti-malware service likes to eat disk activity when you're working, and most importantly, exceptions handling is useless: I've seen it delete or quarantine (and then delete) files put into exceptions multiple times, repeatedly, as if the exception list was getting reset, or expired. This kind of software behavior is unacceptable in any way or form.

userbinator11 hours ago

It's packed, which for some reason that tends to trigger a lot of AVs... although the fact that it's a packer from roughly 2 decades ago and one that any respectable AV should be able to easily unpack by now certainly doesn't inspire confidence.

Then again, AVs detecting things as innocent as freshly-compiled "Hello World" programs is not new, and certainly makes one wonder just what exactly they are trying to detect.

RachelF11 hours ago

I wonder when Anti-Virus will start deleting files that express opinions they don't like.

Reminds me of the famous Earworm https://www.youtube.com/watch?v=-JlxuQ7tPgQ

X-Cubed10 hours ago

I get annoyed with AV when it quarantines "Potentially unwanted software" like ProduKey. While it may be able to be used maliciously, that's not why I have it installed, and I do want it on my machine.

mewse-hn9 hours ago

My win10 install recently started deleting my install of qBittorrent, which I very much want installed and use daily, as "potentially unwanted software". Exceptions kept getting ignored so just today I disabled the entire category of potentially unwanted software in win defender. It feels like they're just getting capricious in their scope for flagging things now.

Akronymus8 hours ago

I personally never really vibed with qbittorrent. Stuck with deluge for years.

May I ask why you use qbit?

selfhoster116 hours ago

That's entirely off-topic.

Santosh8310 hours ago

Do tech aware people like nearly everyone in this forum, need Defender (or another AV) to run at all? How many people here completely or partially stop it from running?

saurik9 hours ago

It was really infuriating to disable, FWIW. I spent hours fighting with it one day. The UI doesn't let you fully disable it: you have to use registry keys and the group policy editor. The end result has this hilarious property where it is flagging the fact that I disabled it as tampering that might indicate malware? I don't know if I even can disable that part... and I apparently didn't even succeed fully anyway as I now am getting occasional notifications saying Defender did a scan and I am like "as far as I can tell, Defender us fully off" :/. At least I did--as far as I have so far been able to tell--succeed in disabling the "real-time" thing that kept "quarantining" my files.

dataflow8 hours ago

> I don't know if I even can disable that part

It's tamper protection, you can disable it. (I hate it too.)

rootw0rm9 hours ago

should only take a moment in the group policy editor. you can actually filter settings by name to zero in on things quickly.

the only real cosmetic change i can see is for instance on the virus & threat protection page in windows 10, it says in red at the top of the window:

Your Virus & threat protection is managed by your organization.

DarkmSparks7 hours ago

windows defender was one of the (many) reasons I gave up on windows and replaced the last windows machine I had with a Mac Mini. (FC33 on my main)

Very similar experience here, coupled with windows defender randomly switching itself back on and quaranteening half my (completely benign) development folder.

The last time it did that I spent an entire afternoon trying to get it disabled and get my files back onto the machine with only limited success.

I think it may be a windows home vs windows professional thing.

But rather than wrestle with it further I just gave up. Only thing I had left that really needed windows was word and excel which ironically actually now work better and crash less on the mac mini than they ever did on windows.

DarkmSparks3 hours ago

I assume by the downvotes its not a home vs professional issue?

In which case Im more glad i didnt waste money on the professional version, than I am sorry you would prefer my personal experience be kept quiet.

GoblinSlayer8 hours ago

Try to uninstall it.

AnIdiotOnTheNet3 hours ago

I will contend that antivirus is a net-positive to absolutely nobody. Not technically adept users, not office workers, not grandma, nobody.

It slows down literally everything you do with your computer in the best case. In the worst case it breaks things and is itself an exploitation avenue. Mostly it just isn't actually very good at its job and malware defeats it regularly.

This is a bad tradeoff and other mitigation strategies make more sense in every scenario I can conceive of.

arthur2e52 hours ago

Oh no, it certainly helps grandmas and the one-per-classroom public computers (China, 2008-). You get all the USB sticks coming in and out, and before you know it you get that one obnoxious virus that hides all folders and replaces them with a .exe of the same name.

And yeah they do boot from a readonly C: with some magic to make it appear writable per session. But re-infection is quick, especially when you have extra writable data partitions.

throwaway17_1710 hours ago

I had to get signed permission from our IT contractors to disable it. But then again, I was trying to get a PDF of a Categorical Logic paper from an Italian university’s website and the filters kept blocking for pornography and sending emergency messages to the contractor to audit my computer.

Beldin10 hours ago

Sounds weird... Do you know to what extent those are correlated? That is: is the contractor told every time the filter thinks it has found adult entertainment? Or was your case exceptional?

hpd8 hours ago

I personally don't see a reason to have any kind of AV installed on my system(AV software is generally a performance decrease anyways). I should note that I used to work in the AV industry many years ago, so I consider my security knowledge above average and almost everything that I consider non-essential is being run inside a VM(also do RE as a hobby).

pedro24 hours ago

On one very tiring day I decided I wanted to see that stupid useless video someone had sent me, and I updated Flash to see it. It failed and I thought no more of it.

Happily, the worm detected Avast and shut it down regularly and that's how I 4h later found out I had behaved like a regular user instead of a power one.

AV helps: 1) People do stupid things 2) defense in depth

DrJokepu10 hours ago

Sadly it’s often a contractual / insurance requirement.

TedDoesntTalk10 hours ago

At home?

bathtub3659 hours ago

If anything I think it makes more sense to have higher security requirements for a computer that will be primarily used outside of a controlled corporate network.

rootw0rm9 hours ago

first thing i do for a fresh windows install: i jump in the group policy editor and disable Defender and other things. been burned way too many times. granted, some of my projects definitely raise a lot of red flags heuristically...being packed and self modifying, etc.

dexterhaslem7 hours ago

i have been using no av on my main machine for a long time. in the rare cases i was doing RE or sketchy execution, vm or dedicated offline old machine

GoblinSlayer8 hours ago

If you joined a domain, you're not alone anymore.

PostOnce10 hours ago

the "reputable source" you downloaded from can always be compromised

TazeTSchnitzel8 hours ago

Do you disassemble every EXE file before running it? Do you have an absolute protection against zero-days? (In the latter case it can't protect you against initial infection, but it will clear things up once the threat is discovered.)

ubercow134 hours ago

Do you? With sufficient expertise that would provide better protection than AV software.

SCHiM1 hour ago

A properly configured Defender ATP instance in a network is a beast to circumvent for attackers. It's a really nice piece of software as far as I'm concerned.

Defender on personal systems owned & maintained by a knowledgeable power user, maybe less useful.

Still, Defender ATP in the corporate environment is so much, much more than just an anti-virus scanner. There its primary functionality is EDR first, anti-virus distant second. And it works phenomenally.

unixhero4 hours ago

I work in Cyber Security and I would never want to run any Next Gen antivirus software (such as Defender ATP) on my private computers. For a corporation or organization that wants tight control, these are perfect products. You can go full Orwell 1984 on your org with these tools and they do provide good endpoint protection including graph and AI based (post-signature) antivirus and full Event Detection and Respond* (essentially a spy-black-box), which is great if you're a company or org. However this is a future you do not want to be part of in your private life.

* See for instance documentation on Microsoft Defender ATP EDR in Block Mode

tempfs3 hours ago

Your concerns extend to the OS itself by the way. Windows is a full blown surveillance platform now.

Defender ATP telemetry also sends much more home than the customer can ever see. They claim to anonymize it but anyone who works in security for a living knows just how much story you can tell with relatively little data.

DrBazza2 hours ago

It's things like this that are making me less and less likely to continue using Windows at home.

I've been running Linux KDE dual booting for a year or so, and I've have touched Windows in (uptime...) - 22 days or so.

With Windows 11 coming bundled with Teams, and other "stuff" from Windows 10 including it becoming an 'internet first OS (x)' I'm getting stuff I don't want or need.

(x) although it's documented on the interwebs how to circumvent the dark pattern UI dialogs to turn stuff off.

tyingq9 hours ago

Tried it. Windows Defender thinks it's "Trojan:Win32/Orsam!rfn" on my PC, which is different from "Glupteba!ml". It does let me override and keep it.

jasonjayr11 hours ago

Firefox 90.0b12 on Linux also reports that file as a virus/threat, and warns on download

bob10294 hours ago

Maybe this is a good time to ask a dumb question.... how do yall disable windows defender?

I spent a weekend on it last year and couldn't figure it out. Best I could surmise is that I need to wipe my hard drive and install a sketchy copy of "mad max edition" windows 10 enterprise, which I would have to download on TPB or some other Warez site.

Wowfunhappy3 hours ago

To turn it off permanently, there's a registry entry:

https://itty.bitty.site/#Disable_Real_Time_Protection_Perman...

I'm not sure whether or not it works on non-pro versions of Windows.

AnIdiotOnTheNet3 hours ago
colejohnson664 hours ago

Not sure why you’d want to disable virus protection, but Microsoft has a guide should you want to: https://support.microsoft.com/en-us/windows/turn-off-defende...

bob10294 hours ago

> Follow these steps to temporarily turn off real-time Microsoft Defender antivirus protection in Windows Security.

How long is "temporary"?

> Not sure why you’d want to disable virus protection

Because Microsoft's implementation drags ass when fighting with one of Microsoft's other terrible messes - visual studio.

Also. It's my fucking computer.

mattbee4 hours ago

There's a registry (or group policy?) tweak to turn it off for good.

It was absolutely necessary on my 2015-era laptop, especially in the era of WSL1 where every Linux-side file operation caused a Defender operation - made a huge difference running test suites, git operations and so on.

I've tried to leave it on my new laptop (esp on WSL2 where Defender doesn't get a look-in) but I can _smell_ when it's slowing me down.

adzm9 hours ago

Do AVs still respond to the EICAR test file?

unixhero9 hours ago

Yes

account424 hours ago

The ML antivirus detections are out of control.

anthk12 hours ago

15 years ago, often you found infected binaries on keygens and cracking tools.

On DeCSS, that made me nostalgic ahout DVDCSS and cracking a DVD movie in "just" 20 minutes with MPlayer. The key was cached, luckily.

chovybizzass11 hours ago

My coworker and i worked at PayPal back then and we both got portable hard drives and ripped DVDs we got at the local libraries during lunch time and from Netflix on PayPal computers. Good times to be had. My wife threw out our 12 dvd binders just a year or two ago once we went full IPTV.

sergiomattei8 hours ago

Ok, honest question. How do they come up with those names for the malware?

Glupteba!ml looks like a randomly generated thing, but I’m sure it’s not.

account423 hours ago

The "!ml" stands for machine learning so what else could the name be except randomly generated?

parentheses8 hours ago

He said DirectConnect!

encryptluks26 hours ago

First, you are relying on Kaspersky which I don't think is that reliable of a source anymore give what we know. Second, I can definitely say there are something up with a lot of keygens and cracks. I thought a lot of big name scene groups were reputable and there is no way that they'd sneak in a trojan, but low and behold after ignoring a few Windows Defender warnings... I could literally hear my computer randomly spinning up at random times, it would never sleep, games were choppy, etc.

Did a complete reinstall without installing any scene software and the problem was solved. Just because people haven't taken the time to properly investigate the security of cracks and keygens doesn't mean that they don't contain actual trojans.

dannyw3 hours ago

No shit, cracks and keygen are at extremely elevated risk of malware lol.

Ashanmaril12 minutes ago

I just download them for the cool music

rootw0rm9 hours ago

and this is why you use the group policy editor

MonaroVXR8 hours ago

Wait until Windows 11 comes along and has more security features enabled.