Windows Defender?
  • Windows Defender?

    All,
    Even though the Exclusions are set for the drive my app copies an update exe from the Antimalware Service Executable still scans the file as it is copied using > 50% CPU cycles. Not sure if I should name the exe as a nonmalignant type like ".dat". Anyone else experience this issue? ".DLL", ".TXT", ".XML", ".MP3", ".RTF" are not considered malignant so they copy very quickly. I'm wondering whether the scan is determined by whether the file name includes ".EXE" or is it more invasive and looking at the binary data to determine if the file is an EXE no matter the file name. I'd like to know this beforehand so I don't waste time making a programming change.

  • #2
    ANSWER:
    I changed update exe name to "something.dat" and got the same reaction from Windows Defender. Apparently WD looks under the hood when the OS copies a file. I'll try a different extension but likely I'll get the same results.

    • #3
      Jim
      Perhaps you should purchase and install a new AV. Try Webroot, which can protect your computers with Internet security, antispyware,
      antivirus and a firewall. When you install Webroot, Windows Defender (WD) is automatically disabled.
      Unlike WD, Webroot will not simply flag your exe or dll files as viruses, as it uses a cloud-based scanner to check these files.

      WD is an incompetent AV and can cause you lots of problems later on.

      • #4
        Isn't a scanner that can not be fooled by a name change a good thing?

        How often do you copy exe files? Seems to me that the time to scan is an investment in something nasty not sneaking in.

        Cheers,
        Dale

        • #5
          Ann and Dale,
          Thanks for the responses. Yes, Antimalware scanners are a good thing to have. I'd like to think though that when I set my Exclusions that the scanner would abide by my wishes. I'm thinking it is a temporary phenomenon until WD grows up. ? Dale, I recompile as many as 10 times an hour but I do not always send an update to the server app unless I am targeting development on just that portion of the app. Client/Server apps are a pain.

          Interesting thing to note is that it scans the new file twice based on what shows up in Task Manager.

          Scans A and B:
          A) While the file is being copied. This one is not a problem.
          B) After the file was copied. This one is the problem because it lingers and appears to block UDP network traffic as well.
          Last edited by Jim Fritts; 15 Jul 2019, 11:34 AM.
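          An added example (not posted by anyone in this thread) of how to check, from PowerShell, whether Defender's real-time protection is on and whether the folder the update exe lands in is actually covered by a path exclusion. It uses the built-in Defender module cmdlets (Get-MpComputerStatus, Get-MpPreference, Add-MpPreference); the folder path C:\Dev\ServerApp\Updates is a constructed placeholder, not a value from the thread. Exclusions match on path, extension or process name, so renaming the file does not help, and every excluded folder is a place where files are never scanned, which is why the example adds one narrow folder instead of a whole drive.

```powershell
# Added example: audit Windows Defender exclusions and add a narrow path exclusion.
# Requires an elevated PowerShell session and the built-in Defender module.
# The folder path below is a constructed placeholder, not a value from the thread.

$updateDir = 'C:\Dev\ServerApp\Updates'   # assumed folder the update exe is copied into

# 1. Confirm real-time protection is actually on; the scan-on-copy behaviour
#    described in the thread only happens while it is enabled.
$status = Get-MpComputerStatus
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"

# 2. List what is currently excluded. Defender matches exclusions on path,
#    extension or process name, so a file outside an excluded path is scanned
#    regardless of what extension it has been given.
$pref = Get-MpPreference
"Excluded paths:      $($pref.ExclusionPath -join ', ')"
"Excluded extensions: $($pref.ExclusionExtension -join ', ')"
"Excluded processes:  $($pref.ExclusionProcess -join ', ')"

# 3. Check whether the update folder already sits under an excluded path.
$covered = $pref.ExclusionPath | Where-Object { $updateDir -like "$_*" }
if (-not $covered) {
    # Exclude just this folder rather than the whole drive: anything dropped
    # into an excluded location is never scanned, so keep that area small.
    Add-MpPreference -ExclusionPath $updateDir
    "Added exclusion for $updateDir"
}

# 4. Re-read the preferences and verify the exclusion is present.
(Get-MpPreference).ExclusionPath | Where-Object { $_ -eq $updateDir }
```

Run it once from an elevated prompt; steps 1 and 2 are read-only and can be re-run at any time to confirm nothing has silently widened the exclusion list.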

          • #6
            WD is an incompetent AV and can cause you lots of problems later on.
            Hi Anne

            Can you point to some credible source for this comment? I would say that if you use Windows 10, WD is just about the best you can get.

            • #7
              There is no source, as Windows Defender is (meanwhile) a very decent AV: https://www.av-test.org/en/antivirus...r-4.18-191415/

              I wonder when regular forum visitors finally learn to take Anne's comments with a grain of salt, to say the least ...

              • #8
                Waste salt??????
                Dale

                • #9
                  Originally posted by Dale Yarker View Post
                  Waste salt??????

                  • #10
                    The thing I would take with a grain of salt is that ANY AV scanner is 100% reliable. I have Malwarebytes set up purely as scan on demand and it seems to do the job, but there is no substitute for not downloading garbage and not letting an email client run anything. There is an endless supply of nasties coming in as email and from unreliable web sites that try to pass junk to you, and no AV scanner will protect you from all of it. Don't download garbage and don't open unknown emails. A development machine should not have auto scanning enabled; my own view is I don't build big computers to waste processing power on garbage scanners.
                    hutch at movsd dot com
                    The MASM Forum

                    www.masm32.com

                    • #11
                      For a long time I was pretty certain that my brain's a better scanner than all AV packages out there, because I work in IT as a sysadmin and deal with all that stuff each day. That perception changed a couple of years ago, though. And that's because I do work in IT. The amount of articles I read about how a certain piece of malware works (a big shout-out goes to Ars Technica here, because of their detailed but nonetheless understandable articles) made me realize that even I with my pretty decent IT knowledge/background am no longer able to spot malware myself. E.g. have a look at PowerShell Empire, a malware kit completely based on PowerShell. Or an analysis of Emotet. Disregard the obvious infection vector being an Office document. That's just one way to fool the stupid.

                      Also, a new crop of malware is on the rise: fileless malware. Making it even harder to detect with just Brain v1. And that's where AV comes into play for me, but keeping in mind what Steve wrote (where 'is' obviously should read 'isn't'):

                      The thing I would take with a grain of salt is that ANY AV scanner isn't 100% reliable.

                      • #12
                        Fascinating Knuth! Thanks for bringing that to our attention.

                        • #13
                          Retracted

                          • #14
                            Best practice to always work as a user and have a different admin login when needed. I've seen big damage done by admins that think they should have omni power on the networks they administer.

                            • #15
                              Good advice, Carlo.

                              And with the ease of right-click -> "Run as administrator" there's little excuse*) not to do so. Bonus points (for programmers): you'll avoid bugs that way stemming from your application trying to "touch" off limit areas of Windows for normal users, that an account with administrative privileges gets away with.

                              *) One might run into situations where e.g. network shares aren't available. I personally run a machine that's not even part of the (Windows) domain that I'm an admin of, which makes it difficult to use my domain admin account for certain tasks, e.g. running MMC and trying to add a snap-in, say "Services", with the source pointing to another computer in that domain. But there's a way around that, courtesy of https://blogs.technet.microsoft.com/...threat-models/, which also explains the pitfalls of this method:
                              Code:
                              runas /netonly /user:domain\admin-user "mmc.exe c:\windows\system32\services.msc"
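                              An added example, not written by any poster here, of the "work as a standard user, elevate only when needed" practice that the last two posts describe. It is plain PowerShell using only the .NET WindowsPrincipal check and Start-Process -Verb RunAs (the same UAC prompt as right-click -> "Run as administrator"); the script path and the Program Files probe are constructed placeholders. The Test-WriteAccess helper is there for the programmer's bonus point: it reports, before a customer does, which folders an unelevated run of your application cannot write to.

```powershell
# Added example: elevate only the one task that needs it, and probe the
# folders a standard user cannot write to. Script path is a constructed placeholder.

function Test-IsElevated {
    # True only if the current token actually holds the Administrators role
    # (an admin account running without elevation returns False here).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Try to create and delete a throw-away file. A failure here is exactly the
    # kind of bug an always-elevated developer never sees and a normal user hits.
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Invoke-Elevated {
    param([Parameter(Mandatory)][string]$ScriptPath)
    if (Test-IsElevated) {
        & $ScriptPath          # already elevated: just run the task
        return
    }
    # Not elevated: relaunch only this script through the UAC prompt.
    # Everything else in the session keeps running as the standard user.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList @(
        '-NoProfile',
        '-File', "`"$ScriptPath`""
    )
}

# Usage (constructed): report what the unelevated session can and cannot write,
# then elevate for the single maintenance script that genuinely needs it.
"Elevated: $(Test-IsElevated)"
"Can write to Program Files: $(Test-WriteAccess 'C:\Program Files')"
"Can write to TEMP:          $(Test-WriteAccess $env:TEMP)"
Invoke-Elevated -ScriptPath 'C:\Dev\Tools\Install-Service.ps1'   # placeholder path
```

Run from a standard-user session the first two probes normally print True for TEMP and False for Program Files; if your application needs to write under Program Files it should be storing that data under ProgramData or the user profile instead, not asking for elevation.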
