Hacker News Re-Imagined

Windows Defender July Update – Deletes file from famous copyright case (DeCSS)

4 days ago

Created a post 189 points @ooboe • 1 comments

Windows Defender July Update – Deletes file from famous copyright case (DeCSS)

@MonaroVXR 4 days

Replying to @ooboe 🎙

Wait until Windows 11 comes along and has more security features enabled.

Reply


@Santosh83 4 days

Replying to @ooboe 🎙

Do tech aware people like nearly everyone in this forum, need Defender (or another AV) to run at all? How many people here completely or partially stop it from running?

Reply


@DrBazza 3 days

Replying to @ooboe 🎙

It's things like this that are making me less and less likely to continue using Windows at home.

I've been running Linux KDE dual booting for a year or so, and I've have touched Windows in (uptime...) - 22 days or so.

With Windows 11 coming bundled with Teams, and other "stuff" from Windows 10 including it becoming an 'internet first OS (x)' I'm getting stuff I don't want or need.

(x) although it's documented on the interwebs how to circumvent the dark pattern UI dialogs to turn stuff off.

Reply


@rootw0rm 4 days

Replying to @ooboe 🎙

and this is why you use the group policy editor

Reply


@parentheses 4 days

Replying to @ooboe 🎙

He said DirectConnect!

Reply


@john_moscow 4 days

Replying to @ooboe 🎙

To be fair, this does look like a false positive.

In general, the desktop antivirus space in 2021 is a mess. Because of the sheer number of malware, and some obfuscation techniques used by some of it, antivirus software has to use very broad regular expressions for describing the malware, counterbalanced by huge whitelists of known mainstream software.

If you don't qualify as a "mainstream software vendor", simply building a random piece of code into an exe file will get you about 10% chance of getting flagged by one of the "heuristic engines" if you upload it to VirusTotal.

You can contact the A/V vendor and they will usually add it to the whitelist, but it only lasts until the next rebuild. Or you can rebuild it a couple of times with different optimization levels, and the detection sometimes goes away.

Reply


@sergiomattei 4 days

Replying to @ooboe 🎙

Ok, honest question. How do they come up with those names for the malware?

Glupteba!ml looks like a randomly generated thing, but I’m sure it’s not.

Reply


@encryptluks2 4 days

Replying to @ooboe 🎙

First, you are relying on Kaspersky which I don't think is that reliable of a source anymore give what we know. Second, I can definitely say there are something up with a lot of keygens and cracks. I thought a lot of big name scene groups were reputable and there is no way that they'd sneak in a trojan, but low and behold after ignoring a few Windows Defender warnings... I could literally hear my computer randomly spinning up at random times, it would never sleep, games were choppy, etc.

Did a complete reinstall without installing any scene software and the problem was solved. Just because people haven't taken the time to properly investigate the security of cracks and keygens doesn't mean that they don't contain actual trojans.

Reply


@skeletron 4 days

Replying to @ooboe 🎙

What I really don't like about Defender and other antivirus products is they'll silently send your files to the mothership to be analyzed, without even letting you know that's happened, or any straightforward way to find out. I understand that's a large source of new malware samples for them, but it's an awful antiprivacy behavior.

Reply


@bob1029 3 days

Replying to @ooboe 🎙

Maybe this is a good time to ask a dumb question.... how do yall disable windows defender?

I spent a weekend on it last year and couldn't figure it out. Best I could surmise is that I need to wipe my hard drive and install a sketchy copy of "mad max edition" windows 10 enterprise, which I would have to download on TPB or some other Warez site.

Reply


@qwerty456127 4 days

Replying to @ooboe 🎙

MS Windows Defender is generally good (I actually prefer it and preferred its SecurityEssentials predecessor to all the other antiviruses) but seems really notorious in removing non-virus "threats". It also removes NirSoft (and some Sysinternals IIRC) utilities regularly. Yesterday, trying to download the recent version of LibreOffice, I have even found found out I have no qBitTorrent installed any more - it killed it also. I really wish I could just put a regex filter to bulk-allow some classes of "threats" ("HackTool:" and "PUA:") permanently.

Reply


@RachelF 4 days

Replying to @ooboe 🎙

I wonder when Anti-Virus will start deleting files that express opinions they don't like.

Reminds me of the famous Earworm https://www.youtube.com/watch?v=-JlxuQ7tPgQ

Reply


@anthk 4 days

Replying to @ooboe 🎙

15 years ago, often you found infected binaries on keygens and cracking tools.

On DeCSS, that made me nostalgic ahout DVDCSS and cracking a DVD movie in "just" 20 minutes with MPlayer. The key was cached, luckily.

Reply


@marcodiego 3 days

Replying to @ooboe 🎙

I fear anti-virus and firewall software may in the near future be used to guarantee DRM features.

I fear the day when I try to play media I legally own from another region and can't play it because of region blocking and can't circumvent it because my "defense" software prevents me.

Another thing that scares me: services requiring said kinds of software. The mobile world is somewhat like this already and it is basically what bars users from using their mobile phones as full blown computers even though said phone are powerful enough for that.

Reply


@alyandon 3 days

Replying to @ooboe 🎙

IIRC, there is a group policy setting called "Turn off routine remediation" to stop defender from auto-removing stuff.

There is also a setting to permanently disable automatic sample reporting. I enabled that on all my Windows machines after the first time I caught Defender exfiltrating sensitive files like places.sqlite database out of my FF profile directory.

Reply


@jasonjayr 4 days

Replying to @ooboe 🎙

Firefox 90.0b12 on Linux also reports that file as a virus/threat, and warns on download

Reply


@unixhero 3 days

Replying to @ooboe 🎙

I work in Cyber Security and I would never want to run any Next Gen antivirus software (such as Defender ATP) on my private computers. For a corporation or organization that wants tight control, these are perfect products. You can go full Orwell 1984 on your org with these tools and they do provide good endpoint protection including graph and AI based (post-signature) antivirus and full Event Detection and Respond* (essentially a spy-black-box), which is great if you're a company or org. However this is a future you do not want to be part of in your private life.

* See for instance documentation on Microsoft Defender ATP EDR in Block Mode

Reply


@adzm 4 days

Replying to @ooboe 🎙

Do AVs still respond to the EICAR test file?

Reply


@tyingq 4 days

Replying to @ooboe 🎙

Tried it. Windows Defender thinks it's "Trojan:Win32/Orsam!rfn" on my PC, which is different from "Glupteba!ml". It does let me override and keep it.

Reply


@account42 3 days

Replying to @ooboe 🎙

The ML antivirus detections are out of control.

Reply


@0x_rs 4 days

Replying to @ooboe 🎙

Defender, as per Windows 10 philosophy, is extremely annoying to use with its UI and behavior that makes you feel every setting and button you press is entirely useless and nothing will change. A shame the old Security Essentials UI was removed entirely, it was the only bearable hack-y way to use it. I just disable it permanently on every machine. The anti-malware service likes to eat disk activity when you're working, and most importantly, exceptions handling is useless: I've seen it delete or quarantine (and then delete) files put into exceptions multiple times, repeatedly, as if the exception list was getting reset, or expired. This kind of software behavior is unacceptable in any way or form.

Reply


@SCHiM 3 days

Replying to @ooboe 🎙

A properly configured Defender ATP instance in a network is a beast to circumvent for attackers. It's a really nice piece of software as far as I'm concerned.

Defender on personal systems owned & maintained by a knowledgeable power user, maybe less useful.

Still, Defender ATP in the corporate environment is so much, much more than just an anti-virus scanner. There its primary functionality is EDR first, anti-virus distant second. And it works phenomenally.

Reply


@Ashanmaril 3 days

Replying to @ooboe 🎙

Earlier this year I spent a month or 2 working on a little Go project for a very niche little usecase (it would read a MIDI file and write it to a text file in a format that could be inserted into Super Mario World romhacks [or try to anyway])

After spending all that time working on it, I was hoping that I could just compile to the various OS/architectures and distribute that, but once someone tried using it I quickly found out that as soon as you downloaded my program, Windows Defender would flag it as malware and quarantine it. Even the builds in my project workspace that I compiled myself would get flagged/quarantined once it caught them.

I tried doing some research and it seems to just be a regular thing with Go apps because I think the runtime code would be common across malware written in Go, so basically all Go programs are automatically assumed to be malware by Windows unless you buy a cert and/or get enough people using it.

Or maybe this is more common than just Go programs. I've never really done anything like this before. But I ended up just abandoning attempting to release it properly and left the source code up on Github so if someone wants to compile it themselves they can. But the whole experience was a bit discouraging. It seems like there's really no cheap/easy way to distribute software. Webapps require hosting, and native code is assumed to be malware by default.

Reply


@arch13 2 days

Replying to @ooboe 🎙

https://www.arch13.com/ms-windows-defender-decss-part-ii/

OP Here. That lasted 3 days and then the file got blacklisted again as a generic definition.

Whitelists and exceptions in MS Defender still do not work. It ignores them and yeets the file anyway.

Reply


@Fiahil 4 days

Replying to @ooboe 🎙

I'm so happy to see a thread on Windows Defender, because my org recently switched antivirus software and I can't wait to tell you how bad it is !

There's a hidden feature in Defender, that will delight any user : it can turn your 15" MacBook Pro into a full breakfast machine. Want pancakes ? Start a zoom call.

While you wait for your favorite video conference app to start, don't hope to finish your docker pull/save/build in less than 30 times its usual time. Your laptop I/O will be so cripled that you might get better bandwith with a floppy disk drive (I'm exagerating a bit, but that's how it feels to go from 120MB/s to 4MB/s on a SSD).

Our Mac IT is completely powerless. I never thought I would ever regret getting rid of Symantec. I was wrong.

Reply


@userbinator 4 days

Replying to @ooboe 🎙

It's packed, which for some reason that tends to trigger a lot of AVs... although the fact that it's a packer from roughly 2 decades ago and one that any respectable AV should be able to easily unpack by now certainly doesn't inspire confidence.

Then again, AVs detecting things as innocent as freshly-compiled "Hello World" programs is not new, and certainly makes one wonder just what exactly they are trying to detect.

Reply


@ooboe 4 days

Replying to @ooboe 🎙

His comment in /r/sysadmin:

"Setting a Windows Defender exception to the folder does not prevent the quarantine from occurring. I re-ran this test three times trying exceptions and even the entire NAS drive as on the excluded list."

Windows Defender is overriding the user whitelist?

Reply


About Us

site design / logo © 2021 Box Piper