Will they do anything about its terrible performance? According to [1], Windows Defender causes a 5x increase in Chrome's build times and delays process start by 260 ms.
What measure are you using to determine the performance is terrible? As a developer, I have always had issues with antivirus. If your compile times are crap, then AV should be one of the first things you try disabling.
Hell, I've had overly aggressive AV (McAfee) locking files in temp data folders causing performance to falter in running applications (Visual Studio, Pidgin, Outlook, Office).
Do you have any numbers from other products to show this is an issue with Windows Defender's performance, and not just with the general concept of scan-on-access antivirus?
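One way to answer the question above with numbers instead of impressions, as an added example rather than anything posted in the thread: time the same clean build twice, once with the source tree excluded from Defender's real-time scanning and once without. This is PowerShell using the Defender cmdlets (Get-MpPreference, Add-MpPreference, Remove-MpPreference) and Measure-Command; the build root and build command are placeholders, and the session must be elevated to change exclusions.

```powershell
# Added example (not from the thread): measure a build with and without a
# Defender real-time scanning exclusion for the source tree.
# Requires an elevated PowerShell session; $BuildRoot and $BuildCmd are placeholders.

$BuildRoot = 'C:\src\myproject'          # assumed build tree
$BuildCmd  = { & cmd /c 'build.cmd' }     # assumed clean-build command

function Measure-Build {
    param([string]$Label, [scriptblock]$Command)
    $elapsed = Measure-Command {
        Push-Location $BuildRoot
        try { & $Command | Out-Null } finally { Pop-Location }
    }
    [pscustomobject]@{ Run = $Label; Seconds = [math]::Round($elapsed.TotalSeconds, 1) }
}

$prefs = Get-MpPreference
$alreadyExcluded = $prefs.ExclusionPath -contains $BuildRoot

# 1. Baseline: every file open/write/close under the tree is scanned on access.
if ($alreadyExcluded) { Remove-MpPreference -ExclusionPath $BuildRoot }
$withScan = Measure-Build -Label 'scanned' -Command $BuildCmd

# 2. Excluded: Defender skips on-access scans for anything under $BuildRoot.
Add-MpPreference -ExclusionPath $BuildRoot
$withoutScan = Measure-Build -Label 'excluded' -Command $BuildCmd

# Restore the original state so a test exclusion is not left behind by accident.
if (-not $alreadyExcluded) { Remove-MpPreference -ExclusionPath $BuildRoot }

$withScan, $withoutScan | Format-Table -AutoSize
```

Both runs should be clean builds, otherwise incremental compilation confounds the comparison. The same measurement can be repeated with a different AV product installed to separate Defender's cost from the cost of scan-on-access in general. Note the trade-off if the exclusion is made permanent: nothing written under that path is ever scanned, so a build output directory that also receives downloaded dependencies becomes a blind spot.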
This is both pretty impressive and pretty scary. Impressive to detect new malware with such a low N. This massively changes the economics of creating malware. Scary now that pretty much any file that flags as suspicious locally can be sent to the cloud for further inspection. That would seem a no-go for many corporate clients?
That was my first impression as well. As someone who likes to understand what my computer is doing, I was never aware that Windows Defender was anything more than the typical definition-based AV.
Does this mean that Windows Defender is now something to disable on HIPAA-compliant workstations because there is a chance that Defender thinks some medical records look suspicious and decides to upload them for analysis?
But for the home and small business this stuff is amazing. It really continues the anti-"virus" analogy by effectively creating an immune system comprised of most Windows machines.
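For the compliance question raised above, the knob is narrower than disabling Defender outright: sample submission is a separate setting from local real-time protection. The following is an added example, not something posted in the thread, in PowerShell using Get-MpPreference and Set-MpPreference; the numeric meanings are the documented values of MAPSReporting (0 Disabled, 1 Basic, 2 Advanced) and SubmitSamplesConsent (0 Always prompt, 1 Send safe samples, 2 Never send, 3 Send all samples). Run it elevated.

```powershell
# Added example (not from the thread): report what Defender is currently allowed
# to send to Microsoft, and optionally stop automatic sample uploads while
# keeping local real-time protection on. Requires an elevated session.

# Readable names for the numeric settings returned by Get-MpPreference.
$MapsLevels   = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$SampleLevels = @{ 0 = 'Always prompt'; 1 = 'Send safe samples automatically';
                   2 = 'Never send';    3 = 'Send all samples automatically' }

function Get-DefenderCloudPosture {
    $p = Get-MpPreference
    [pscustomobject]@{
        CloudProtection      = $MapsLevels[[int]$p.MAPSReporting]
        SampleSubmission     = $SampleLevels[[int]$p.SubmitSamplesConsent]
        RealTimeProtectionOn = -not $p.DisableRealtimeMonitoring
    }
}

function Disable-DefenderSampleUpload {
    # 2 = Never send: suspicious files are still blocked locally, never uploaded.
    Set-MpPreference -SubmitSamplesConsent 2
}

Get-DefenderCloudPosture | Format-List

# On a workstation handling regulated data, uncomment to stop file uploads and
# re-check the posture afterwards:
# Disable-DefenderSampleUpload
# Get-DefenderCloudPosture | Format-List
```

With SubmitSamplesConsent set to "Never send", Defender still performs cloud lookups on file metadata and hashes as long as MAPSReporting is not Disabled; turning MAPSReporting off as well removes the cloud-delivered verdicts entirely, which is the part of the feature the thread finds impressive. In a domain-managed environment these values may be enforced by Group Policy, in which case Set-MpPreference is overridden at the next policy refresh and the change has to be made in policy instead.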
Users concerned with privacy would not be using Windows, given all of its other known telemetry issues and malware surface. I.e., it might already have uploaded whatever was sensitive, even without needing to run a malware examination on it.
It's extremely effective on Win10 without creating further security issues with the cabal of AV products out there. We tell our clients to save the cash, use Defender, and invest in other, more effective technologies in the stack.
One thing I'm very eager to see is how Defender and Microsoft in general will interact with various third-party AV and "enterprise security" solutions which almost invariably contain rootkit-ish/malware-ish modules.
Can you explain what you mean by "fix that"? How is that helpful? I read your link and it doesn't provide any actionable items.
In any case, it doesn't "run as SYSTEM". The invoking credentials for a process are not necessarily relevant on a kernel like NT. A process can choose to modify its security token after process invocation. For example, user-mode apps can downgrade their read/write rights, limiting them to a fixed directory, so even if they had exploitable bugs, the damage could be limited. Chrome on Windows uses these same protections. I'm sure similar tech exists on competing kernels.
MsMpEng.exe AFAICT runs as a 'system protected process'. Certainly, it looks like there were severe bugs, but it's not clear where the bugs lie. It could be that the protection mechanism itself is flawed (which would be very bad), or maybe the way it's being used is incorrect, etc.
You effectively have to be able to debug other processes, copy data to and from a process, and a lot of other control. What would it run as that would have all those permissions?
hs86 | 8 years ago
[1] https://twitter.com/BruceDawson0xB/status/940747236614574080
cptskippy | 8 years ago
Why does the end user care about compile times?
nucleardog | 8 years ago
dontyouremember | 8 years ago
bitmapbrother | 8 years ago
wjnc | 8 years ago
colemannugent | 8 years ago
imglorp | 8 years ago
mtgx | 8 years ago
Just some food for thought. I never trust any "cloud-based" antivirus solution.
booleandilemma | 8 years ago
ganoushoreilly | 8 years ago
dfox | 8 years ago
cjsuk | 8 years ago
https://bugs.chromium.org/p/project-zero/issues/detail?id=12...
ksk | 8 years ago
youdontknowtho | 8 years ago