MSE; Does Anyone Still Use It?

Discussion in 'other anti-virus software' started by Daveski17, Aug 28, 2015.

  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    This is not a bad thing IMO. ;)
     
  2. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,910
    Location:
    U.S.A.
    Agreed. And in my experience, the process of quarantining takes about 20 seconds or so. Your broadband speed will determine how much time it takes.

    Now, deletion is a different animal, because it depends on how MSE is set up in the Default Actions section. I have all Alert Levels set to Recommended Action, with the Apply check box selected.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I've just noticed something interesting with WD on Win10. Well, interesting to me, as I've only just started using WD.

    The Systray icon doesn't appear after a reboot but it shows once you've opened the WD UI. I have it pinned to the Systray Task Bar. I've been using the Windows 7 Gadgets (Clock and CPU / RAM Gadgets) and I noticed that my machine was using some CPU after being idle for a few moments. Of course moving my mouse to open Task Manager stopped the process from running. But then I noticed the WD Systray icon was green and after leaving my machine idle for long enough it turned back to the white fort look again and CPU dropped to nothing. I opened WD UI and sure enough, a quick scan had just run.

    I wonder why the Systray icon doesn't appear after a start / restart, only after WD UI has been opened?
     
  4. darts

    darts Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    456
    Location:
    Netherlands
    How do you stop Windows Defender in Windows 10 permanently?
     
  5. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
  6. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,910
    Location:
    U.S.A.
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    On Windows 7 64 bit, does MSE still require Windows update service to run all the time?
    If yes, subject closed.
    If not, what might be the best procedure to update when I feel like it?
     
  8. haakon

    haakon Guest

    Under the Update tab, hit the Update button. Even if you don't feel like it. :D

    An alternative is to create a basic task in Task Scheduler. I have one to check every hour. Over the past few months, I pretty much see an update every two hours. This works regardless of the update service, nor does the task conflict with it.

    Instructions for the task are back some pages in this thread, I think, and one that goes into great detail over at sevenforums.
     
  9. haakon

    haakon Guest

    Me too. I dropped a shortcut to the UI exe into the Start folder. The more I use 10, the more I like 7.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
  11. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    I'm using Windows 10 Defender. It doesn't nag and it isn't false-positive-prone like all the free AVs.
    If I have reservations, I use a sheep dip VM.
     
  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Yes, the Defender icon only stays in systray if you have had Windows Defender opened during a logon session.

    If you need it permanently, you will need to pin it to taskbar.

    Or use some of the reg tweaks from Tenforum, like you have done - Brink always has a quick fix ready for most things when you need them.


    Reflecting a bit on this icon thing, I can definitely see why the Defender icon doesn't show up at default.
    Being realistic - it's a very, very, very small subset of users, that spend time in their security's UI.

    Usually it's users that have it as a hobby - to simply look at their security software.
    Not saying that there's anything wrong with that. They are just not representative of the general PC user in any way whatsoever.

    Then there's another group of users that uses their security software more actively, testing and/or hunting and reporting malicious samples - but they will usually have the UI pinned to the taskbar, since that's what people do with whatever programs they frequently use.

    Finally the remaining 99,99% of the PC users in the world - those that use their PC for work and entertainment.
    These users have no use for a security UI that is constantly on "speed-dial".
    They are much better served with security that is built into the OS, that is silently evaluating all actions, and whenever a piece of malicious code is spotted - then Windows Defender is handling the protection, fully automated.
    The end-user just sees a small notification stating: "Malware detected. Windows Defender is taking actions to clean detected malware".
    And that's it - they can continue with their work. Perfect!

    I reckon some users want the Defender icon visible as a comforting reassurance - to just know it's there.
    But honestly, all a user really needs is to have a calming notification in case a malicious action is being nuked or a warning in case something is wrong.
    Both are default behavior in Windows 10.

    Other than that, there's not much need to check in on the security. A well-designed product can take care of itself.


    A similar suggestion that pops up every now and then is for a right-click context menu to do scans.

    Not sure why.

    Windows Defender already monitors all files on every access, and it will take action on malicious files during download, save, copy, move, archive, execute and tons of other actions.

    I have noticed that just me wanting to hash a group of files is enough for Windows Defender to spot a malicious file.

    The other day I hotswapped a harddisk, marked a group of folders on it, did a right click and chose to calculate a combined checksum - in less than a second, Windows Defender spotted a nasty .exe hidden among the many files and took care of it. Fully automatic.

    Furthermore - Windows 10 is context aware and Windows Defender will engage deeper analysis according to this.
    This alone is among the most brilliant features of Windows 10.

    So to me, a right-click scan is just asking the OS to do the same work twice.
     
  13. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Precisely. It doesn't nag.
    That alone is worth a million.

    For some strange reason most third-party AVs have this idea that end-users are thrilled to pretend to be Sherlock Holmes and that their main reason for buying a PC is so they can interact with their AV all day long instead of working ??

    There's no gain in this from a protection point of view. It's done simply because third-party AVs need to be in the user's face constantly - what the advertising industry is calling "product placement".

    They throw info-prompts, info-boxes and info-slides in your face constantly.
    Ads, "informative" news, warnings and all kind of nonsense.

    It's one of the two main reasons I hear, when people are dumping third-party AVs and switching to Defender.
    People are sick and tired of getting interrupted and ripped out of their workflow, with ads, prompts and "news" about how the IT-world is doomed only to be saved by this or that vendor.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Yep! Like most of my commonly used programs, WD is pinned to my Task bar.
    For me it's that I'm used to seeing Norton's green tick on its Systray icon. With WD I actually got to see it performing a quick scan which gave me a warm, fuzzy feeling of satisfaction. ;) At least I could see what was using my CPU resources.

    Opening the WD UI from the Systray icon is not user-friendly. It is twice as many clicks (2) to open the WD UI from the Systray icon as it takes if WD is pinned to the Task Bar, so I get why you say it is not an important or needed 'feature', but I still like seeing the icon.
    Without putting my machine's protection to the test I'm yet to see that.
    Ah, now that is an interesting point too! Perhaps it's just because I'm accustomed to having a right-click scan option I kind of feel this would be handy with WD, even if it is redundant.
     
  15. twins4384

    twins4384 Registered Member

    Joined:
    Jun 8, 2014
    Posts:
    12
    As Defender updates virus definitions only once every 24 hours, is that enough when there are so many new updates during that period that are missed? Can I be certain, as my computer is always online when used, that I get full and up to date protection via the cloud? I know that I can always update manually but is that necessary?
     
  16. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    For on-demand scanning, I use another product since WD will have already scanned it.

    I posted insider feedback on the WD icon to show it or at least provide an option. I don't treat the absence of a red light as a green light; I want an actual health indicator.

    I'm fine with daily updates...not much point in trying to use signatures as 0-day protection. You can use Task Scheduler to automate manual updates:
    Code:
    C:\Program Files\Windows Defender>MpCmdRun -SignatureUpdate
    Signature update started . . .
    Signature update finished. No updates needed
    
    C:\Program Files\Windows Defender>
    This does update the "last checked" time in the GUI.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Interestingly, Tavis Ormandy has relatively positive things to say regarding MSE/Windows Defender: https://twitter.com/taviso/status/647409908967604224
    After a user had asked him if he had found any security products that were not a complete mess, stemming from Tavis' recent research of vulnerabilities in AV software.
     
  18. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    Doesn't Windows Defender update according to a task in the Task Scheduler? Can this not be changed to check for updates more than once a day?
    I used Windows Defender on 8.1 and I am using it on 10 but it is complemented with MBAM Premium and ZAL Pro. The recent improvements in Windows Defender 10 are welcome and I am happy with it and this combination (For occasional on-demand scanning I use Hitman Pro and Emsisoft Emergency Kit).
     
  19. haakon

    haakon Guest

    No.
    Wrong.
     
  20. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Thank you. I just found instructions on page 2 of this thread, and followed up on sevenforums. Maybe I'll try MSE after all. Or maybe just live without AV.
     
  21. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    Windows Store apps update via Task Scheduler.

    There are some tasks for Windows Defender in there too but I don't see an update one. You can always add it: "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
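
The hourly update task discussed in this thread, written out as an added example (it is not code posted by any participant). It assumes Windows 10 with the built-in ScheduledTasks and Defender PowerShell modules and an elevated prompt; the task name and the 24-hour staleness threshold are hypothetical choices, while the MpCmdRun path and `-SignatureUpdate` switch are the ones quoted above.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 10.
$mpCmdRun    = 'C:\Program Files\Windows Defender\MpCmdRun.exe'  # path quoted in the thread
$taskName    = 'Defender-SignatureUpdate-Hourly'                 # hypothetical task name
$maxAgeHours = 24                                                # assumed staleness threshold

# Do not register a task that points at a missing binary.
if (-not (Test-Path -LiteralPath $mpCmdRun -PathType Leaf)) {
    throw "MpCmdRun.exe not found at '$mpCmdRun'"
}

# Action: the same command line as above; the path is quoted because it contains spaces.
$action = New-ScheduledTaskAction -Execute "`"$mpCmdRun`"" -Argument '-SignatureUpdate'

# Trigger: first run in one minute, then every hour for an explicit, long duration.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval (New-TimeSpan -Hours 1) `
    -RepetitionDuration (New-TimeSpan -Days 3650)

# Settings: catch up on a run missed while the machine was asleep or off,
# and stop an update attempt that hangs for more than 30 minutes.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

# Principal: run as SYSTEM so no user password is stored and no logon is required.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

# Health check: report the installed definition version and its age,
# and warn when the definitions are older than the chosen threshold.
$status   = Get-MpComputerStatus
$ageHours = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)

[pscustomobject]@{
    Task             = $taskName
    SignatureVersion = $status.AntivirusSignatureVersion
    LastUpdated      = $status.AntivirusSignatureLastUpdated
    AgeHours         = $ageHours
}

if ($ageHours -gt $maxAgeHours) {
    Write-Warning "Definitions are $ageHours hours old (threshold: $maxAgeHours)."
}
```

The final object gives a definition version and timestamp that can be compared against the published definition version, rather than relying on the tray icon.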
     
  22. haakon

    haakon Guest

    I should have qualified that as "...every two hours, with exceptions." As I have seen several exceptions as of late.

    Today is one of them. Upon taking my system out of sleep this morning, my hourly MpCmdRun scheduled task, configured to run asap if missed, updated with defs v1.207.1371.0.

    More than 10 hours later at 0110 UTC, there have been no updates as verified at:
    https://www.microsoft.com/security/portal/definitions/adl.aspx
    "...latest definitions are 1.207.1371.0."

    Unacceptable. It's not even the weekend.

    According to MS, "Windows Defender relies on up-to-date definitions to determine if software that's trying to install itself or run on your computer is spyware or potentially unwanted software."

    I don't know why the updates grind to a halt sometimes and other times nearly equal that of Bitdefender. Suffice to say I have, in almost ten years of observation, rarely seen BD miss by much more than four hours, the average being every 1.5 hours. I consider this a valid contrast in that the bdcore engine relies also on up-to-date definitions.

    As smitten as I am with Defender/MSE and its new-found acclaim, both popular and editorial, I'm beginning to re-evaluate it as an AV worth regarding. Especially as I do not accept MS "Cloud-based Protection"...
    MSE: Automatically send samples to help MS determine whether certain detected items are malicious.
    WD: Get better, faster protection by sending MS info about potential security problems WD finds.
    ...as cloud-based protection.

    As well, the efficacy of the Network Inspection Service (also defs reliant), process monitoring, and heuristics has yet to be documented.

    Sigh.
     
  23. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Anyone familiar with Tavis Ormandy's way of writing and everybody who is familiar with his testing, will know that this is quite a token of appreciation.

    As far as I'm aware, MSE/Defender are the only ones that he has spoken positively about.

    All other security software that he has had close encounters with, has had very harsh comments about them.
     
  24. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Local signatures are a base of detections.

    Anything rapidly evolving, newly spotted behaviors or first sight code - those are the cloud's responsibilities.

    Thinking of local signatures as the holy grail of detection in today's age is incredibly naive.

    A user would need to have a constant feed of everything available in the cloud, streamed to them 24/7 - just so they can lookup a few unknown behaviors/files here and there that are relevant to that exact user, locally instead of in the cloud.
    Do you have any idea of the required hardware and connectivity you would need to fund in order to do so ??

    Everybody who has used MSE/Defender for years will have noticed the massive upgrade Microsoft has provided for the cloud backend over the last year.

    Sitting and hammering the update button, just for the sake of it is pointless.

    MSE / Windows Defender will evaluate all questionable actions against both local signatures as well as the cloud backend.

    Since the malicious file/behavior is equally blocked, why care about where MSE/Defender got the verdict from ??
     
  25. haakon

    haakon Guest

    Well, you back me up on the points I addressed!

    "Thinking of local signatures as the holy grail of detection in today's age is incredibly naive."
    According to MS, "Windows Defender relies on up-to-date definitions..."
    Which is exactly why I am "re-evaluat(ing) it as an AV worth regarding." I am not naive. Thanks for noticing.

    "MSE / Windows Defender will evaluate all questionable actions against...local signatures"
    Which yesterday clocked up to ~12 hours in arrears. Even for those totally immersed in signature naivety, this is unacceptable.

    "as well as the cloud backend."
    No. In several months I have yet to log a relevant packet by any MSE/Defender 7 and 10 process while downloading and/or running undetected zero days. Which is why "I do not accept MS 'Cloud-based Protection'...send samples (and) sending info...as cloud-based protection."

    "A user would need to have a constant feed"
    You mean like several products that've been on the market? For years? With the developers in great competition to be everything, some getting close to that goal.

    "Do you have any idea of the required hardware and connectivity you would need to fund in order to do so ??"
    I do. Which is why I won't be funding it. But several companies don't have a problem. Some even offer their wares for free. Like Bitdefender's cloud service and for the products that use it (Free does), it will maintain a persistent connection to a Nimbus server. I haven't used Avast in a while, but even their free version once had a nifty animated graphic depicting my computer, the cloud and their server with little packets moving back and forth. Oh, and the latest Avira Free.

    "Everybody who has used MSE/Defender"
    "why care about where MSE/Defender got the verdict from ??"
    So everybody can be everybody. :D

    (FYI: so far today I've had the expected update upon bringing the system out of sleep, and another an hour and a half later; the remainder of the day still to be observed. And tomorrow and on. Yesterday was an exception, but one of too many I've seen over too short a period of time for a product that relies on up-to-date definitions.)
     
    Last edited by a moderator: Sep 30, 2015