What the hell, windows defender?

Status
Not open for further replies.

hat

Enthusiast
Joined
Nov 20, 2006
Messages
21,731 (3.42/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: i5 10400
Motherboard ASUS P8P67 Pro :: ASUS Prime H570-Plus
Cooling Cryorig M9 :: Stock
Memory 4x4GB DDR3 2133 :: 2x8GB DDR4 2400
Video Card(s) PNY GTX1070 :: Integrated UHD 630
Storage Crucial MX500 1TB, 2x1TB Seagate RAID 0 :: Mushkin Enhanced 60GB SSD, 3x4TB Seagate HDD RAID5
Display(s) Onn 165hz 1080p :: Acer 1080p
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro - Bose Companion 2 Series III :: None
Power Supply FSP Hydro GE 550w :: EVGA Supernova 550
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
Many have, myself included. It is ignored because miners are often bundled with malware.

My report got a nice "won't fix/not an issue" tag.

Which is fine for 99% of consumers honestly. The issue is Windows Defender not STAYING OFF.

Exactly. You want to include WD by default, and also have it enabled by default? Fine, that works for most users. You want to detect miners as malware? Also fine, they are malware for most users, and those that are using them legitimately also know that it can be added to exclusions anyway. Someone disabled WD (in the group policy editor, no less) and also chooses not to run any other AV software, so you bring it back from the dead? Not fine, quit screwing with me.

By the way, I repeatedly mention the group policy editor for two reasons. First and foremost, because it's the way I disabled WD. Secondly, because it's a bit unusual, isn't it? Maybe not for users like us on this forum, but for people in general. How many people out there even know about gpedit.msc? First off, I would suspect most people are probably running Windows 10 Home, which doesn't even have the group policy editor. Secondly, for those that are using the group policy editor, those people should be advanced users who know what they're doing. You don't accidentally wander into the group policy editor and fuck shit up. Why would you mess with those settings, or, in this case, ignore them? I think WD should have a simple on/off switch that either turns it ON or OFF, forever, until changed again by the user, but barring that, there's at least a weird roundabout way to disable it by accessing the group policy editor, which is for advanced users who know what they're doing, on the non-standard (professional) version of Windows... why would you mess with that?

Being optimistic, I can only hope this was some sort of bug that resulted from the nasty rollover that occurs when you install/upgrade one instance of Windows on top of another. As we know, at least in the past, this process is not perfect, and a clean, fresh installation has always been recommended, just to prevent, or cure, weird things that can happen. Being realistic, when Microsoft literally forces this process twice a year with these feature updates, those things shouldn't happen. That means I'd have to perform a clean reinstallation of Windows from scratch twice a year, just to prevent any fuckery that might occur due to these crappy rollover upgrades. Being, erm, the guy who uses my own personal computer, Microsoft really annoys me the way they try to force their way on you. Windows Update has gone to hell, between forcing updates (you can only delay them for so long), forcing ALL updates (you can no longer pick and choose which updates you do and do not want), and even forcing driver updates, which have been known to mess with computers by installing some crappy driver that was worse than the one that was already installed. For that last one, there is a setting, in a strange place, that's supposed to prevent driver updates, but that's also been reported to, well, not work. On top of that, you never know when something you changed might suddenly be reset without your knowledge.

At least all Windows 8 had was a crappy UI that could be fixed by installing a simple utility...
 
Joined
Jul 25, 2006
Messages
12,136 (1.87/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 32GB (4 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Logitech M190
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
No, never claimed my miner disabled WD, nor did RTB suggest that. He was saying probably none of your machines have mining applications installed, and you have purposely disabled WD on them.
It is true, none of my own personal machines have mining apps on them. But as an IT tech/consultant, and the family/friend/neighborhood "go-to" computer guy, I am no stranger to mining and crypto-currency systems.

My reply was referring to the fact I saw "none" of the issues on any of my systems you had on yours. Neither did any of the users of the dozens of other computers I am responsible for. None that run with alternative anti-malware solutions suddenly had WD enabled after installing those (or any) updates. And some of those users run mining programs. None of the computers had UAC settings changed. None of my computers had my custom settings revert back to the default settings. Nor did I receive any reports from any of my clients, friends, family complaining some Windows Update changed their custom settings back to the defaults. That was my point.

And for the record, while I may not always hear from friends, family, and neighbors, most of my business clients always call us for problems because we are already contractually obligated to support those systems. Full disclosure - none of those contracted systems run mining programs, all run WD or an alternative solution.

Which is fine for 99% of consumers honestly.
The issue is Windows Defender not STAYING OFF.
I don't think any company, regardless of their product or services, should be so harshly bashed for not supporting the extreme 1% fringe portion of their customers - especially when they are erring on the side of increased security.

Absolutely if you have an alternative anti-malware solution installed (and you have not instructed that solution to keep Windows Defender active), then Windows should honor your choice and not enable Windows Defender when any new Windows Update is installed. No argument from me on that whatsoever!

BUT, if you disabled Windows Defender and you have no alternative real-time anti-malware solution installed and running, IMO Microsoft is doing the right thing to enable Windows Defender again. Why? Because without some anti-malware solution running, if you connect to a network that has Internet access you are not just a threat to yourself, you are a threat to me, my family and the rest of society too. Whether you choose to believe it or not.

*****

To report any file/program to Microsoft you suspect might be malicious, or that you believe was incorrectly tagged by Windows Defender as malicious, see Submit a file for malware analysis.
 
Joined
Aug 20, 2007
Messages
20,767 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
I don't think any company, regardless of their product or services, should be so harshly bashed for not supporting the extreme 1% fringe portion of their customers - especially when they are erring on the side of increased security.

When it ships mandatory installed with an OS, I can't say I agree with that logic.

It's simple. The toggle should work.

Of course I recognize your point that whining about it here does nothing for anyone, Bill. And that's a fair point. MS does not monitor "Techpowerup" nor can they be expected to.

Rather than complain, I'd suggest following Bill's link and submitting as many reports as issues you encounter.
 
Joined
Oct 19, 2007
Messages
8,193 (1.36/day)
Processor Intel i9 9900K @5GHz w/ Corsair H150i Pro CPU AiO w/Corsair HD120 RBG fan
Motherboard Asus Z390 Maximus XI Code
Cooling 6x120mm Corsair HD120 RBG fans
Memory Corsair Vengeance RBG 2x8GB 3600MHz
Video Card(s) Asus RTX 3080Ti STRIX OC
Storage Samsung 970 EVO Plus 500GB , 970 EVO 1TB, Samsung 850 EVO 1TB SSD, 10TB Synology DS1621+ RAID5
Display(s) Corsair Xeneon 32" 32UHD144 4K
Case Corsair 570x RBG Tempered Glass
Audio Device(s) Onboard / Corsair Virtuoso XT Wireless RGB
Power Supply Corsair HX850w Platinum Series
Mouse Logitech G604s
Keyboard Corsair K70 Rapidfire
Software Windows 11 x64 Professional
Benchmark Scores Firestrike - 23520 Heaven - 3670
Laughable at best.
I disagree. Every iteration of Windows has always had better security than the previous. Win10 is no different.

I see entirely too many threads around here with users having problems just like @hat is right now, and people end up going on tirades saying "oh this sucks because of this" or "this is better because of that" and the threads turn into debates rather than helping the poster with their issue.
 
Joined
Mar 6, 2017
Messages
3,209 (1.23/day)
Location
North East Ohio, USA
System Name My Ryzen 7 7700X Super Computer
Processor AMD Ryzen 7 7700X
Motherboard Gigabyte B650 Aorus Elite AX
Cooling DeepCool AK620 with Arctic Silver 5
Memory 2x16GB G.Skill Trident Z5 NEO DDR5 EXPO (CL30)
Video Card(s) XFX AMD Radeon RX 7900 GRE
Storage Samsung 980 EVO 1 TB NVMe SSD (System Drive), Samsung 970 EVO 500 GB NVMe SSD (Game Drive)
Display(s) Acer Nitro XV272U (DisplayPort) and Acer Nitro XV270U (DisplayPort)
Case Lian Li LANCOOL II MESH C
Audio Device(s) On-Board Sound / Sony WH-XB910N Bluetooth Headphones
Power Supply MSI A850GF
Mouse Logitech M705
Keyboard Steelseries
Software Windows 11 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
BUT, if you disabled Windows Defender and you have no alternative real-time anti-malware solution installed and running, IMO Microsoft is doing the right thing to enable Windows Defender again. Why? Because without some anti-malware solution running, if you connect to a network that has Internet access you are not just a threat to yourself, you are a threat to me, my family and the rest of society too. Whether you choose to believe it or not.
Yep, I agree with you on that one. If you have no anti-malware software installed and you've turned off Windows Defender you are a threat to the whole public Internet. This goes for not installing patches as well, if you haven't installed patches then your ISP should turn your Internet off until you have done so.
 
Joined
May 11, 2016
Messages
261 (0.09/day)
A different take on my Windows Defender frustrations. I haven't had issues with it re-enabling itself as long as I have other AV software running which is always a good idea.

My issue is just that so many third-party AV programs are bloatware now. I just want simple AV that is better than Windows Defender (better detections, fewer false positives, lower resource usage), not AV with all the bloat they tend to include nowadays like web browser plugins, password storage, registry cleanup, recycle bin shredding, firewall, cloud storage, etc. It seems like any one of them I try ends up being about 90% marketing for other security products in their suite, even if you've purchased the AV product. I don't want or need a complete giant security suite that will slow down my pc and cause all kinds of odd issues with apps and games for me to troubleshoot, and that pings me constantly to buy and add more security modules. It's surprisingly difficult lately to find just a strong basic AV alternative without all the fluff.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.59/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
A different take on my Windows Defender frustrations. I haven't had issues with it re-enabling itself as long as I have other AV software running which is always a good idea.

My issue is just that so many third-party AV programs are bloatware now. I just want simple AV that is better than Windows Defender (better detections, fewer false positives, lower resource usage), not AV with all the bloat they tend to include nowadays like web browser plugins, password storage, registry cleanup, recycle bin shredding, firewall, cloud storage, etc. It seems like any one of them I try ends up being about 90% marketing for other security products in their suite, even if you've purchased the AV product. I don't want or need a complete giant security suite that will slow down my pc and cause all kinds of odd issues with apps and games for me to troubleshoot, and that pings me constantly to buy and add more security modules. It's surprisingly difficult lately to find just a strong basic AV alternative without all the fluff.

Avast you could turn off certain modules
 

dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
Messages
9,105 (1.31/day)
Location
Dorset where else eh? >>> Thats ENGLAND<<<
This goes for not installing patches as well, if you haven't installed patches then your ISP should turn your Internet off until you have done so.

Wow and HOW do you install patches and critical updates if your ISP turns off your Internet.
More to the point How is your ISP going to know if you have or not "Hack into your System and Spy on You???"
 
Joined
Jul 25, 2006
Messages
12,136 (1.87/day)
Location
Nebraska, USA
When it ships mandatory installed with an OS, I can't say I agree with that logic.
I don't know what you are saying there. But when you have over a billion customers, it is not reasonable to expect they can keep them all happy all the time. What is reasonable is expecting included security to be enabled. For the old timers out there, you may remember all the grief and bashings Microsoft took when they first included Windows Firewall (Internet Connection Firewall) with XP - but it was disabled by default which made no sense at all - and the bashers went wild!

So in SP2, it was enabled by default. Then it was bashed for not being two-way. Then they were bashed for years for not being secure even though it was the badguys to blame. Now MS is being bashed for including security. They can't win! So they would much rather be bashed for including security than leaving it out. And I agree with that. Some may see it as "tough love" or "tough parenting". Maybe it is. Oh well!

But to reiterate, I agree 100%, if you are using an alternative solution, WD should stay off. Period. But if you are not using an alternative solution and disabled WD, you are a potential threat to the rest of us, so I don't fault Microsoft if they enable it again with these big creator updates.

Of course I recognize your point that whining about it here does nothing for anyone, Bill. And that's a fair point. MS does not monitor "Techpowerup" nor can they be expected to.

Rather than complain, I'd suggest following Bill's link and submitting as many reports as issues you encounter.
And it works too - at least it appears to work. I have had two programs over the years falsely tagged by WD. The first was the WinAero Tweaker when it first came out several years ago. The other was one of my most favorite little programs, Pandorian for Pandora (highly recommended if you like Pandora and listen to it on your computer). Shortly after reporting them as false positives to Microsoft, WD stopped tagging them as malicious. I can only assume it is because I, and possibly others, reported them to MS.
My issue is just that so many third-party AV programs are bloatware now.
...not AV with all the bloat they tend to include nowadays like web browser plugins, password storage, registry cleanup, recycle bin shredding, firewall, cloud storage, etc. It seems like any one of them I try ends up being about 90% marketing for other security products in their suite, even if you've purchased the AV product. I don't want or need a complete giant security suite that will slow down my pc and cause all kinds of odd issues with apps and games for me to troubleshoot, and that pings me constantly to buy and add more security modules. It's surprisingly difficult lately to find just a strong basic AV alternative without all the fluff.
This is something I have been trying to point out several times.

All alternative antimalware solutions depend on revenue to survive. So how do they do that? They use ads. They [often aggressively] promote their "premium" versions. And they add all sorts of extras to [supposedly] make them better and to stand out in the crowd. Microsoft makes no money from private and SOHO users. So they don't need to put those "incentives" in there.
Avast you could turn off certain modules
True and that's a good thing but turning off is not the same thing as not being there in the first place. And of course, Avast wants its "free" antivirus users to "upgrade" to their very expensive $60, $80 and $120 products - and that's per year prices! :eek:
if you haven't installed patches then your ISP should turn your Internet off until you have done so.
I missed this earlier but I agree with dorsetknob. That makes no sense. How are you going to download the patches if your ISP blocks your Internet access. :kookoo:

But worse, ISPs already are much greater threats to our privacy than Microsoft ever will be because our ISPs already know our real names, real addresses, actual locations and our billing information. I don't want them snooping around inside my computers too. No way!
 
Joined
Aug 20, 2007
Messages
20,767 (3.41/day)
you are a potential threat to the rest of us

Most maybe. But I haven't used an AV solution or antimalware solution in years, nor has my pc been infected in any form for a very large number of years.

I will acknowledge I am not most users. But I am very averse to forcing an AV solution on anyone for the "common good." It's my PC dagnabit.

They can't win!

All we are asking is that documented group policy settings stay at their boolean values.

Don't worry Bill, I am not an agent of the malware empire. ;)
 
Joined
Mar 6, 2017
Messages
3,209 (1.23/day)
Location
North East Ohio, USA
HOW do you install patches and critical updates if your ISP turns off your Internet.
Only allow access to Microsoft-related sites until the patches are installed.
 

dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
Messages
9,105 (1.31/day)
Location
Dorset where else eh? >>> Thats ENGLAND<<<
There are probably more ISP Supplied Modem/Routers out there with vulnerability/Backdoors than AV unprotected computers

"Does your ISP Update your Modem/Router (BACK DOOR)"
In Many Cases it's part of the Terms of Service that they Can Update Their modem Router Remotely and as such you cannot block that without breaching your terms of Service

Only allow access to Microsoft-related sites until the patches are installed.
"I Suspect you're on a leg pull" (or pulling something).

you might not be aware but other non Microsoft software can and is vulnerable o_O:eek:
 
Joined
Mar 6, 2017
Messages
3,209 (1.23/day)
Location
North East Ohio, USA
I haven't used an AV solution or antimalware solution in years, nor has my pc been infected in any form for a large number of years.
That you know of. How can you be certain of that?
 
Joined
Jul 25, 2006
Messages
12,136 (1.87/day)
Location
Nebraska, USA
Most maybe. But I haven't used an AV solution or antimalware solution in years, nor has my pc been infected in any form for a very large number of years.
And how would you know if you don't use an antimalware solution? That's part of the problem. A lot of malware does no damage at all to the host computer. It may sit dormant for a very long period of time until triggered by some event. Or it may be used just to distribute spam or malware in small bits to remain undetected, or partake in DDoS attacks on others - all without the user being aware.

I do not believe, and certainly will not assume any of us on this site are smarter than the smartest bad guys.
There are probably more ISP Supplied Modem/Routers out there with vulnerability/Backdoors than AV unprotected computers

"Does your ISP Update your Modem/Router (BACK DOOR)"
In Many Cases it's part of the Terms of Service that they Can Update Their modem Router Remotely and as such you cannot block that without breaching your terms of Service
Not only that, many use your wireless access to create free hotspots for their other customers as they travel near your vicinity. Supposedly their access is totally isolated from your access, and their bandwidth usage does not affect yours. But my fear is a clever bad guy will figure out how to bridge that gap and gain access to your network.
 
Joined
Aug 20, 2007
Messages
20,767 (3.41/day)
"Does your ISP Update your Modem/Router (BACK DOOR)"
In Many Cases it's part of the Terms of Service that they Can Update Their modem Router Remotely and as such you cannot block that without breaching your terms of Service

If you mess with a cable modem's firmware in the USA, it's cable fraud.

Why?

A.) Consumers can't be trusted to keep shit up to date (neither can cable companies really, but meh...)

B.) Cable DOCSIS speeds are stored in the firmware. You being able to flash that = No QOS on the local internet segment, at all.

To butcher quote the Incredibles:

"When everybody is fast, nobody is..."

That you know of. How can you be certain of that?

I can be very certain. I didn't just analyze a rootkit and dissect it in the other thread for lack of knowledge.

But the main telltale sign is my world class firewall that tells me pretty much anything going in or out that I want to know about.
 

dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
Messages
9,105 (1.31/day)
Location
Dorset where else eh? >>> Thats ENGLAND<<<
Security


ISP popped router ports, saving customers the trouble of making themselves hackable
SingTel then left them open for a while, because ... well there's no excuse is there?

By Richard Chirgwin 29 May 2018 at 02:08

Singaporean broadband users were left vulnerable to attackers after their ISP opened remote access ports on their modems and forgot to close them.

The discovery was made by NewSky Security researcher Ankit Anubhav, who used Shodan to scan for SingTel routers open on port 10,000 – the default Network Data Management Protocol TCP/UDP port.

Anubhav said the scan yielded 975 devices that had port 10,000 open with no protection, as a result of a fault-finding exercise gone wrong (that number is only those found on the scan).

When NewSky alerted Singapore's CERT, and that body took the issue to SingTel, Anubhav said the root cause was that SingTel enabled port 10,000 to troubleshoot a problem with the SingTel-branded routers (the “Wi-Fi Gigabit Router” is supplied by Arcadyan).
http://www.theregister.co.uk/2018/05/29/singtel_left_home_router_ports_open/
 
Joined
Jul 25, 2006
Messages
12,136 (1.87/day)
Location
Nebraska, USA
If you mess with a cable modem's firmware in the USA, it's cable fraud.
Umm no. Not really.

If you modify a cable modem to uncap bandwidth (increase your bandwidth beyond your contract or service agreement), or to gain Internet access for free, that is "theft of services" and is fraud. But other changes that don't affect your service you can do - at least with your own personal modem, not an ISP provided modem.

Edit comment: corrected "modem" reference.
 
Joined
Nov 28, 2012
Messages
2,786 (0.67/day)
System Name BoX-Server | 775PC
Processor I3 3.5GHZ (3150) | Modded Xeon E5450 (OC @3.60)
Motherboard ASRock B85M-ITX | ASUS P5Q-EM
Cooling OEZM HSK | 92MM Heatsink RGB
Memory 8GB DDR3 | 8GB DDR2
Video Card(s) AMD 6450 | AMD RX 550 4GB
Storage 120GB SSD 1TB WD | 120GB SSD 1TB Seagate 500GB HDD <<
Display(s) DELL 17" LCD 1280x1024 | ASUS 24" LCD IPS
Case CoolerMaster 110 | RoseWill ZIRCON
Audio Device(s) Onboard
Power Supply Rosewill 610WATT | Rosewill 550WATT
Mouse Input-Director| RoseWill FUSION C40
Keyboard Input-Director | RoseWill FUSION
Software Windows 10 Pro 64-Bit
Like what I used to do. Back when Modems were just Modems and not a 2N1 I would make our network faster. Miss those days
 
Joined
Aug 20, 2007
Messages
20,767 (3.41/day)
Umm no. Not really.

If you modify a cable modem to uncap bandwidth (increase your bandwidth beyond your contract or service agreement), or to gain Internet access for free, that is "theft of services" and is fraud. But other changes that don't affect your service you can do - at least with your own personal router, not an ISP provided modem.

Point me to one cable modem that lets you flash your own firmware.

I never mentioned routers.

Router modem combos don't count either, as the router has separate firmware from the modem.
 
Joined
Jul 25, 2006
Messages
12,136 (1.87/day)
Location
Nebraska, USA
I never mentioned routers.
Sorry, I meant modem. Correct in post.
Point me to one cable modem that lets you flash your own firmware.
Not the point.

You said it is "fraud" to mess with them. It's not. What is fraud is stealing service, or increasing your bandwidth beyond contract/service agreement.
 
Joined
Aug 20, 2007
Messages
20,767 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
You said it is "fraud" to mess with them. It's not. What is fraud is stealing service, or increasing your bandwidth beyond contract/service agreement.

My point is that the way DOCSIS works is that the firmware can't be consumer territory. It would be absolute mayhem if it was. For this reason, they literally don't even allow you to flash it from anything but the WAN side. Whether or not it's legal to flash new firmware, it's going to be illegal because somehow you've ended up on the WAN side to be flashing it in the first place, thus violating the cable company's infrastructure.

Unless, I guess, you've provided your own infrastructure, but that's unlikely.

Any other circumstance is purely imaginary at this point in time, but I do see the distinction. If a new tech came along that allowed consumer flashing, there certainly isn't a DIRECT law against it.
 
Joined
Jul 14, 2006
Messages
2,411 (0.37/day)
Location
People's Republic of America
System Name It's just a computer
Processor i9-9900K Direct Die
Motherboard eVGA Z390 Dark
Cooling Dual D5T Vario, XSPC BayRes, Nemesis GTR560, NF-A14-iPPC3000PWM, NF-A14-iPPC2000, HK IV Pro Nickel
Memory G.Skill F4-4500C19D-16GTZKKE or G.Skill F4-3600C16D-16GTZ or G.Skill F4-4000C19D-32GTZSW
Video Card(s) eVGA RTX2080 FTW3 Ultra
Storage Samsung 960 EVO M.2
Display(s) LG 32GK650F
Case Thermaltake Xaser VI
Audio Device(s) Auzentech X-Meridian 7.1 2G/Z-5500
Power Supply Seasonic Prime PX-1300
Mouse Logitech
Keyboard Logitech
Software Win7 Ultimate x64 SP1
So, a while back I disabled windows defender via gpedit. Come to find out it's running again, and telling me my miner is a "severe" threat, despite still being disabled in gpedit. There's a few new entries related to windows defender in gpedit that didn't used to be there before. I'm guessing this happened during the big spring update. UAC keeps becoming re-enabled somehow, as well. For now I have a shitty registry key that's supposed to disable windows defender instead, hopefully it works.

Damn, Microsoft. They were pushing users to upgrade to 10 so hard, even resorting to plain trickery to get it on as many machines as possible. Now not only is it doing hardcore data mining in the background, but it's changing settings all on its own to whatever Microsoft wants. One step closer to pushing me to Ubuntu or something. I'd already be there if I didn't think it would be an arduous task learning how to computer all over again while simultaneously breaking a lot of games, which is mostly what I use this computer for...

Bill Gates needs to go back to Microsoft just so he can kick all the guys responsible for w10 squarely in the nuts. /rant


Big Brother knows what is best for you, why do you resist?
 

HTC

Joined
Apr 1, 2008
Messages
4,604 (0.79/day)
Location
Portugal
System Name HTC's System
Processor Ryzen 5 2600X
Motherboard Asrock Taichi X370
Cooling NH-C14, with the AM4 mounting kit
Memory G.Skill Kit 16GB DDR4 F4 - 3200 C16D - 16 GTZB
Video Card(s) Sapphire Nitro+ Radeon RX 480 OC 4 GB
Storage 1 Samsung NVMe 960 EVO 250 GB + 1 3.5" Seagate IronWolf Pro 6TB 7200RPM 256MB SATA III
Display(s) LG 27UD58
Case Fractal Design Define R6 USB-C
Audio Device(s) Onboard
Power Supply Corsair TX 850M 80+ Gold
Mouse Razer Deathadder Elite
Software Ubuntu 19.04 LTS
Has anyone considered reporting the windows update itself as malware?

- installs (turns on) unwanted programs
- messes with OS configuration

Doesn't this qualify?

Serious question ...
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
21,731 (3.42/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: i5 10400
Motherboard ASUS P8P67 Pro :: ASUS Prime H570-Plus
Cooling Cryorig M9 :: Stock
Memory 4x4GB DDR3 2133 :: 2x8GB DDR4 2400
Video Card(s) PNY GTX1070 :: Integrated UHD 630
Storage Crucial MX500 1TB, 2x1TB Seagate RAID 0 :: Mushkin Enhanced 60GB SSD, 3x4TB Seagate HDD RAID5
Display(s) Onn 165hz 1080p :: Acer 1080p
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro - Bose Companion 2 Series III :: None
Power Supply FSP Hydro GE 550w :: EVGA Supernova 550
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
BUT, if you disabled Windows Defender and you have no alternative real-time anti-malware solution installed and running, IMO Microsoft is doing the right thing to enable Windows Defender again. Why? Because without some anti-malware solution running, if you connect to a network that has Internet access you are not just a threat to yourself, you are a threat to me, my family and the rest of society too. Whether you choose to believe it or not

I think that's stretching it a bit. I am fully aware that running a system with NO antivirus is... less secure than running one. However, I made a personal choice on my personal computer not to run one, because I believe that I'm capable of keeping my system clean without an AV (barring a targeted attack directly at me of some sort) by avoiding the things that would give me a virus in the first place, and because I'm tired of having to tell antivirus software that my miners are OK every time it updates, or I download an updated version of that software, or other potential false positives.

...But to say that makes me a threat not only to myself (okay, I've admitted it's not the most secure way to run my machine), but to the rest of society? I'm not running a bank here, man... that's like saying the guy who drops a goldfish in the water is a threat when the water is already filled with piranhas. That said, I'm confident in my own system. I do all sorts of online banking and shopping and that sort of thing here, so I wouldn't be so daft as to "piss in the wind". Now if I disabled every protection imaginable, intentionally loaded my system with every malware under the sun, and then attempted to infect others with it, then you could say I'm a threat...

That said, up until the point where I am doing something illegal and/or harmful with my machine, what gives Microsoft or anybody else the right to go around messing with my stuff? On means on, off means off. If you had a light in your house that you turned off, and later found that it turned itself on again, either with the switch still in the off position, or magically in the on position again, there would be a problem, wouldn't there?
 
Joined
Mar 6, 2017
Messages
3,209 (1.23/day)
Location
North East Ohio, USA
System Name My Ryzen 7 7700X Super Computer
Processor AMD Ryzen 7 7700X
Motherboard Gigabyte B650 Aorus Elite AX
Cooling DeepCool AK620 with Arctic Silver 5
Memory 2x16GB G.Skill Trident Z5 NEO DDR5 EXPO (CL30)
Video Card(s) XFX AMD Radeon RX 7900 GRE
Storage Samsung 980 EVO 1 TB NVMe SSD (System Drive), Samsung 970 EVO 500 GB NVMe SSD (Game Drive)
Display(s) Acer Nitro XV272U (DisplayPort) and Acer Nitro XV270U (DisplayPort)
Case Lian Li LANCOOL II MESH C
Audio Device(s) On-Board Sound / Sony WH-XB910N Bluetooth Headphones
Power Supply MSI A850GF
Mouse Logitech M705
Keyboard Steelseries
Software Windows 11 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
But to say that makes me a threat not only to myself (okay, I've admitted it's not the most secure way to run my machine), but to the rest of society?
But you forget that you are not just one person here, you are part of a much larger globally accessible network. All it takes is one person to get infected and the next thing you know, you have a global pandemic on your hands with thousands if not millions of PCs infected. We have seen it with real viruses or bacteria in the real world, all it takes is someone to get a new strain of something and we have a pandemic on our hands.

what gives Microsoft or anybody else the right to go around messing with my stuff?
If it means the difference between taking your freedom away and having a global pandemic on our hands with huge gigantic DDoS attacks, I will side with what is best for the many vs. what's best for the few. Better to have one person who's pissed off than the whole stinkin' world pissed off because their PCs are infected from here to next Tuesday.
 