MS Windows Defender and DeCSS(arch13.com) |
MS Windows Defender and DeCSS(arch13.com) |
There's a hidden feature in Defender, that will delight any user : it can turn your 15" MacBook Pro into a full breakfast machine. Want pancakes ? Start a zoom call.
While you wait for your favorite video conference app to start, don't hope to finish your docker pull/save/build in less than 30 times its usual time. Your laptop I/O will be so cripled that you might get better bandwith with a floppy disk drive (I'm exagerating a bit, but that's how it feels to go from 120MB/s to 4MB/s on a SSD).
Our Mac IT is completely powerless. I never thought I would ever regret getting rid of Symantec. I was wrong.
To not interfere with the user there allegedly is a group policy setting to limit the CPU usage and it is set to 15%. The thing is, it simply does not work. Every week my fans spin up to max, Defender hogs all my CPU cores, 25% of my GPU according to the Task Manager. Even typing becomes laggy.
The only way to stop it is to open Task Scheduler and end the scheduled task from there.
When looking in Task Manager before, it seemed that Symantec used more CPU than even Visual Studio and related processes.
A common practice is to exclude both the whole repo and the compiler from Defender.
The tradeoff is not worth it, in my professional opinion.
Two worst offenders are:
- Antivirus: Just hogs memory, the scan runs "throughout the day" and I've had to resort to using scripts to shut the thing down just so my code will compile.
- Other annoying features: Lets make you stare at a dayglow green wallpaper and give you no way to change it to something that doesn't offend your eyes, lets place a bunch of icons on your dock and desktop that you can't get rid of, just bookmarks to common apps. Lets also make a popup show up on your laptop every day to remind you that you need to upgrade to OneDrive but forget to give me the permission to actually upgrade so this message repeats itself and fails every time..
endrant.
It's a scourge.
FWIW I installed and ran qBitTorrent recently and it didn't complain.
Probably because you are closer to a "typical" kind of user who doesn't use "hack tools" (which some people like me use for absolutely legal and benevolent purposes "hacking" their own PC, e.g. to backup the passwords and e-mail records saved on it). By the way it also is very important to distinguish between a legitimate hack tool and an infected hack tool and I am not sure they do.
> I installed and ran qBitTorrent recently and it didn't complain.
They just added a slightly old version to their threats database and didn't add the most recent version there yet.
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...
https://www.reddit.com/r/qBittorrent/comments/lwqjm9/qbitbor...
In general, the desktop antivirus space in 2021 is a mess. Because of the sheer number of malware, and some obfuscation techniques used by some of it, antivirus software has to use very broad regular expressions for describing the malware, counterbalanced by huge whitelists of known mainstream software.
If you don't qualify as a "mainstream software vendor", simply building a random piece of code into an exe file will get you about 10% chance of getting flagged by one of the "heuristic engines" if you upload it to VirusTotal.
You can contact the A/V vendor and they will usually add it to the whitelist, but it only lasts until the next rebuild. Or you can rebuild it a couple of times with different optimization levels, and the detection sometimes goes away.
"Setting a Windows Defender exception to the folder does not prevent the quarantine from occurring. I re-ran this test three times trying exceptions and even the entire NAS drive as on the excluded list."
Windows Defender is overriding the user whitelist?
I fear the day when I try to play media I legally own from another region and can't play it because of region blocking and can't circumvent it because my "defense" software prevents me.
Another thing that scares me: services requiring said kinds of software. The mobile world is somewhat like this already and it is basically what bars users from using their mobile phones as full blown computers even though said phone are powerful enough for that.
There's nothing to stop you from booting into another OS and deleting the files implementing the harmful functionality. If there are checks for the presence of these files in other parts of the OS, you can remove them.
IMO it's a very dangerous attitude when people consider software immutable. You can achieve a lot by modifying software made by other people.
Encrypted disks with TPM-stored keys will certainly prevent unauthorised modification to a filesystem
> hardware allows booting arbitrary code
And this particular cat is already out of the bag with Win 11 REQUIRING TPM support with verified boot.
The war against general-purpose computing is in the final stages, and the garden-keepers have already won for almost everything that matters. Yes, you can still source open hardware and they will not fight against technical elites - a minority - but for the vast majority of users, it's over because they LIKE the closed apps holding data hostage.
After spending all that time working on it, I was hoping that I could just compile to the various OS/architectures and distribute that, but once someone tried using it I quickly found out that as soon as you downloaded my program, Windows Defender would flag it as malware and quarantine it. Even the builds in my project workspace that I compiled myself would get flagged/quarantined once it caught them.
I tried doing some research and it seems to just be a regular thing with Go apps because I think the runtime code would be common across malware written in Go, so basically all Go programs are automatically assumed to be malware by Windows unless you buy a cert and/or get enough people using it.
Or maybe this is more common than just Go programs. I've never really done anything like this before. But I ended up just abandoning attempting to release it properly and left the source code up on Github so if someone wants to compile it themselves they can. But the whole experience was a bit discouraging. It seems like there's really no cheap/easy way to distribute software. Webapps require hosting, and native code is assumed to be malware by default.
aggressively scan every .jar, but totally ignores .net executables
no wonder they do something similar with go executables, it's easy to recognize them after all
Then again, AVs detecting things as innocent as freshly-compiled "Hello World" programs is not new, and certainly makes one wonder just what exactly they are trying to detect.
Reminds me of the famous Earworm https://www.youtube.com/watch?v=-JlxuQ7tPgQ
* See for instance documentation on Microsoft Defender ATP EDR in Block Mode
Defender ATP telemetry also sends much more home than the customer can ever see. They claim to anonymize it but anyone who works in security for a living knows just how much story you can tell with relatively little data.
I've been running Linux KDE dual booting for a year or so, and I've have touched Windows in (uptime...) - 22 days or so.
With Windows 11 coming bundled with Teams, and other "stuff" from Windows 10 including it becoming an 'internet first OS (x)' I'm getting stuff I don't want or need.
(x) although it's documented on the interwebs how to circumvent the dark pattern UI dialogs to turn stuff off.
Sounds like how I ended up on Linux full time. I dual booted for a while before I one day realized I hadn't booted into Windows for months. At that point I saw no valid reason to keep my Windows partition at all and just put in the effort to get my last few "Windowsy" activities switched over to Linux applications (mostly gaming and graphics related stuff).
On DeCSS, that made me nostalgic ahout DVDCSS and cracking a DVD movie in "just" 20 minutes with MPlayer. The key was cached, luckily.
Defender on personal systems owned & maintained by a knowledgeable power user, maybe less useful.
Still, Defender ATP in the corporate environment is so much, much more than just an anti-virus scanner. There its primary functionality is EDR first, anti-virus distant second. And it works phenomenally.
There is also a setting to permanently disable automatic sample reporting. I enabled that on all my Windows machines after the first time I caught Defender exfiltrating sensitive files like places.sqlite database out of my FF profile directory.
I spent a weekend on it last year and couldn't figure it out. Best I could surmise is that I need to wipe my hard drive and install a sketchy copy of "mad max edition" windows 10 enterprise, which I would have to download on TPB or some other Warez site.
Did a complete reinstall without installing any scene software and the problem was solved. Just because people haven't taken the time to properly investigate the security of cracks and keygens doesn't mean that they don't contain actual trojans.
OP Here. That lasted 3 days and then the file got blacklisted again as a generic definition.
Whitelists and exceptions in MS Defender still do not work. It ignores them and yeets the file anyway.
Glupteba!ml looks like a randomly generated thing, but I’m sure it’s not.
[0] https://security.stackexchange.com/questions/97856/can-simpl...
Us power users can always just configure the exception list.
[1]: https://docs.microsoft.com/en-us/security-updates/SecurityBu...
Let alone documents with macros...
Having said that, I wouldn't want to be one of those having to implement detection logics because the malware jungle is so creative that it's pretty much an impossible job they have to do.
I don’t think that antivirus is helpful in 2021. I think the most important thing you can do is make sure you are all patched and do not run as administrator.
Antivirus is likely to be unable to catch the really bad stuff, and it actually increases your attack surface. In addition, you pay a performance tax all the time. IMO, just not worth it.
Why do they have to use regular expressions?
It's really amazing the attitude Microsoft takes regarding hardware that isn't theirs, including the nonconsensual forced autoupdate.
In my opinion, Windows Defender is still the best antivirus software for consumers. That's not a compliment to Windows Defender, that's an insult to antivirus companies all over the world.
the only real cosmetic change i can see is for instance on the virus & threat protection page in windows 10, it says in red at the top of the window:
Your Virus & threat protection is managed by your organization.
It's tamper protection, you can disable it. (I hate it too.)
It slows down literally everything you do with your computer in the best case. In the worst case it breaks things and is itself an exploitation avenue. Mostly it just isn't actually very good at its job and malware defeats it regularly.
This is a bad tradeoff and other mitigation strategies make more sense in every scenario I can conceive of.
And yeah they do boot from a readonly C: with some magic to make it appear writable per session. But re-infection is quick, especially when you have extra writable data partitions.
Happily, the worm detected Avast and shut it down regularly and that's how I 4h later found out I had behaved like a regular user instead of a power one.
AV helps: 1) People do stupid things 2) defense in depth
The truth is that even really good technologists sometimes make mistakes. My insurance agent's email got hacked recently. I was in the process of renewing a policy, so opened the link to a phishing site and entered credentials. Oops. Thankfully I immediately noticed and changed the password (+ had two factor on.) Had that been an attached PDF instead I probably would have opened it.
At this point, consumer/end machine AV is a bit like vaccinations for diseases that are largely under control- attacks aren't spreading because the there are many protections in place, but if the unprotected population rises (especially in high value targets like developers) than the attacks will increase.
Configure AV? Sure. In fact just last week or so I had to validate that a server level product was really scanning user uploaded files correctly, so I had purposefully download known bad file (The sample file from EICAR) https://www.eicar.org/?page_id=3950). Getting defender setup so I could handle that file was annoying but manageable. I've also disabled real time scanning of certain applications and processes for performance reasons.
However, would I run without it on at all? Nope- I'm pretty good driver, but I still wear my seatbelt.
https://github.com/AveYo/LeanAndMean
If you can run as TrustedInstaller, it becomes feasible to rip all of this kind of bullshit out.
Just got my latest patched Win10 Pro copy running totally free of defender. Service is properly stopped. I was able to stop it like you would any other with TI privileges. Local admin just gets denied.
https://itty.bitty.site/#Disable_Real_Time_Protection_Perman...
I'm not sure whether or not it works on non-pro versions of Windows.
https://www.pcgamer.com/permanently-disabling-windows-10s-bu...
How long is "temporary"?
> Not sure why you’d want to disable virus protection
Because Microsoft's implementation drags ass when fighting with one of Microsoft's other terrible messes - visual studio.
Also. It's my fucking computer.
It was absolutely necessary on my 2015-era laptop, especially in the era of WSL1 where every Linux-side file operation caused a Defender operation - made a huge difference running test suites, git operations and so on.
I've tried to leave it on my new laptop (esp on WSL2 where Defender doesn't get a look-in) but I can _smell_ when it's slowing me down.
That's even more restricted than PCRE regex. (Which is often a good thing, but not sure about here.)
My wife has a brand new corp issued Carbon X1 and I can hear it routinely spin fans 100% because of Norton FuckYourCPUandIO (tm) software doing nothing of use besides inducing anger.
On the other hand, it might seem useless because malware creators know it's there. Basically all functional pieces of malware have to go through VirusTotal otherwise they won't be effective. But if all orgs dump antivirus software it would be a bit like giving up MMR vaccination in children.
By device management policy I am locked out from entering my Apple ID information again. Great success.
May I ask why you use qbit?
https://www.tenforums.com/tutorials/32236-enable-disable-mic...
Very similar experience here, coupled with windows defender randomly switching itself back on and quaranteening half my (completely benign) development folder.
The last time it did that I spent an entire afternoon trying to get it disabled and get my files back onto the machine with only limited success.
I think it may be a windows home vs windows professional thing.
But rather than wrestle with it further I just gave up. Only thing I had left that really needed windows was word and excel which ironically actually now work better and crash less on the mac mini than they ever did on windows.
In which case Im more glad i didnt waste money on the professional version, than I am sorry you would prefer my personal experience be kept quiet.
If any manufacturer starts selling chips where you can read the key, it will be disallowed by Microsoft.
Then all they need to do is require that ISPs only allow packets to be sent by computers that have passed a Measured/Trusted Boot check, and suddenly all online activity is restricted to "approved" computers, running code from "approved" app stores.
"One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them."
Nothing absolute, mainly a long series of annoying hurdles - including the constant barrage of updates.
The heuristics are much more complex than that, cf. spamassassin rules.
However, wouldn’t this kind of heuristic be extremely simple to counter by obfuscating the machine code, e.g. by inserting complex noops and using threaded subroutines which individually look innocuous? Or, are this kind of techniques looking at known syscall patterns or something like that, and ignoring the general program flow?
To me, regex doesn’t seem applicable to static analysis of machine code, but what do I know :)
Also, you can convert your PNG images to Farbleld (+.gz | +.xz) without losing quality.
And the farbleld image format it's more difficult to exploit.
(At least, I'm assuming the question here is "What should Windows Defender do?" I agree that the answer to "What should OpenBSD's built-in antivirus do?" is "Literally not even exist," which it already does.)
Notice that I didn't mention "country" anywhere. There's no country restriction.
> or rather a single key, held by the government, which signs the list of approved manufacturer keys
Hum, no. The single key is held by Microsoft.
And yeah, that's basically what the Trusted Computing Consortium was designing at the early 00. But people pushed back enough that they stopped publishing public documents and delayed the implementation. We are just getting there.
The technology may not care about countries, but countries care about technology. If (or rather when) a government passes a law limiting internet access to approved operating systems and hardware, the ISPs in that country will logically have to listen for signed updates to the whitelist.
In practice the list might be very short, containing just intermediate keys representing Microsoft, Apple, Google, a few commercially-backed Linux distros, and the CPUs that support them (with the necessary TPMs). The intermediate keyholders would have the responsibility to revoke approval of versions / model numbers that have known vulnerabilities which allow arbitrary user-controlled code to run.
What would proper training achieve to solve GGP's problem of his machine becoming unusable every week?
1) Malware doesn't care. It is happy to eat the user's personal data or anything they have access to on the network.
2) The OS is easily replicable if it gets damaged or destroyed thanks to imaging.
3) Whitelisting applications is a bitch to implement properly and causes a lot of friction for users.
4) There is one PC per user, so there's absolutely no reason to protect the PC from it's user.
Absolutely true...aka "i know computers since the C64 nothing bad will ever come from my machine...bumm ransomware...but my Antivirus never said anything"
Basically, when MS started requiring Secure Boot on Windows computers, there were a few anti-trust actions against then that looked at this action. So they back-pedaled and required that people should be able to disable Secure Boot on x86 and amd64 computers. They also created a 3rd party certification program, that those distros one buys could pay for and get signed.
But make no mistake, MS completely control the specs of any PC available to you, and will not miss a chance to remove the support for 3rd party OSes.
What am I missing? This is an actual, emotionless, genuine question? Always looking to find new ways to procrastinate by trying out new tools ;)
If you’re developing for the Linux kernel, I bet you’re missing out on some stuff.
If you’re building web, it doesn’t matter. If you’re building docker images, you can do it on Windows/Mac, but there’s just better performance on Linux if you’re ever debugging speed.
Java? Doesn’t matter either.
It's not better than Linux for any language, but it comes really close for the IDE oriented ones.
It wasn't too bad though honestly.
I ended up swapping to debian after my workplace rolled out some insane MDM policies / forced application installs. It is much nicer to dev in *nix
When I boot up my Windows install for the first time in months and it wants to waste ten, twenty minutes of my time installing updates and not letting me use my computer, I just don't bother next time. When I play a game, and Windows wants to pester me in the background to reboot for updates, it makes me wish I hadn't bothered. If a game or application doesn't work on Linux, I just don't use it. It's not worth the time.
Developing in JavaScript and dealing with node_modules/node_modules/node_... is platform agnostic problem I think ;)
EDIT: What I like about developing on Windows is it's stability (update restarts notwithstanding). I've had Linux desktops fuck themselves up on more than one occasion. Not that I don't like Linux but...
I don't know if it was because the good IDE sellers went bankrupt or if it's the change that caused their failure, but it isn't anymore.
About the dependency tracking, Windows isn't good for dealing with lots of files. It's performance isn't great (but improved a lot recently), it has locking and time based inconsistencies, and it brings a load of helper tools (like anti-virus) that will assist you in destroying your file hierarchy. The same applies for holding a VCS repository.
About stability, you are the first person ever that I see claiming to prefer Windows instead of Linux for it. It's such an alien idea that I wonder what non-usual stuff you do with your computers.
Again, genuine question, what instability do you imply there is in the Windows environment? Since Win 10 I don't recall ever being fucked by updates (again, not including mandatory restarts).
What I don't like about Windows is the configuration. On Linux I can just copy over the configs and scripts from another system and that's usually that. On Windows, out of necessity, I've made a lengthy checklist of things I need to do on a new Windows machine in order to set it up to my needs. It's a pain, but once that's done I rarely have to fidget with it.
I think that my preferences have to do with getting older. When I started I happily spent days configuring Linux Desktop, compiling Gentoo with just the right flags and didn't get so upset when apt-get dist-upgrade fucked up my system. Now, I just don't care that much. I just want things to work so I can do work I want.
Just one thing to be extra clear about - I use Windows as a daily driver desktop. I'd never ever use Windows as a server, ever. I've had that experience once, in college, and I'll never ever make that mistake again ;)
And this is just lacking in the basics department. We're not even talking about Windows coping very badly with development workloads like reading/writing many small files (which is a design flaw in the NT kernel and will not be fixed, ever).
Of course, if you don't use any of Microsoft's stuff, there really isn't anything wrong per se, just annoyances (slowness, spying and other user-hostile behavior from the OS); IntelliJ is IntelliJ, Linux or Windows matters very little if you live inside it.
Edit: It shouldn't be a surprise that Visual Studio is essentially abandoned by Microsoft. Do you abandon good things? You don't.
Not the kernel, but ntfs.sys. It is a design limitation of NTFS and was a tradeoff for something else. At the time NTFS was designed, high frequency reading and writing to small files was not at all common.
This does not exist on FAT/32/64 partitions, though there is always a per-file overhead on any filesystem, and FAT filesystems have their own problems.
IO performance tools don't seem to test reading and writing to a large number of small files; they tend to want a single large file and they test performance to and from that file. That's by design, and that means those tools don't find filesystem design limitations, or allow you to measure certain types of performance on a per-filesystem basis.
> Edit: It shouldn't be a surprise that Visual Studio is essentially abandoned by Microsoft.
Again, not true.
No one can know everything that MS is doing, of course, but the number of people who think they do is quite high. I am not referring to the person who made the comment I am replying to, by the way. Generally I just see a lot of things about MS or MS tools that are stated as fact and are entirely incorrect.
And frankly VS Studio UX is not horrendous. Modern UX is horrendous, give me deep menus and toolbars any day of the week.
As for I/O, I've worked on large git repositories (aka tons of small files) on Windows with no issue. In a Dropbox-synced folder no less.
On my experience, Windows 10 is even a regression over 7. There have been too many updates that fucked up computers at random (looks like MS is rolling updates slowly nowadays, so not everybody gets the broken ones), and the system likes to break at random by itself.
In comparison, the last time I remember reinstalling Linux due to a software mess-up is about a decade ago, when a dual-booting computer got a Windows virus that messed with the entire disk. I have many more Linux computers than Windows, and yet, those only need any attention when some hardware breaks.
Now, onto Linux, most recent example. I had a throwaway Thinkpad with Ubuntu on it. Had to go through an unusual setup because I wanted RAID and FDE so had to do a server install and then install Gnome. This might have contributed to the problems but still. The networking didn't work because Gnome used one thing and the server install used another. Then the desktop stopped (!) working after some time, randomly. What I mean is icons still showed up but couldn't be clicked or altered from the desktop. Kinda bizzare.
Again, can't stress this enough - my gripes are with Linux Desktop. On the server it's been rock solid ever since I started using it more than a decade ago and it's been a very pleasant experience. And I do understand that Windows Updates can fuck up a server setup, sure.
Anyhow, this has been a pleasant chat, man!
> Again, not true. No one can know everything that MS is doing, ...
You're right of course - there is a number of releases yet to come. What I meant is that the focus is elsewhere (VS Code) and that the platform isn't going anywhere.
[1] In the design of typical unixen the file system is central and the kernel does a lot (central VFS, kernel resolves paths to inodes by itself if cached, in Linux the FS can even tell the kernel the extents of an inode to delegate that IO entirely etc.), while the NT design is a "generic tree of objects" (combined with "every action is an IRP, which can traverse any number of filters and such") where file systems are nothing really special; file system stuff is the file system's problem.