Discussed at the time:
Microsoft didn’t sandbox Windows Defender, so I did - https://news.ycombinator.com/item?id=14909759 - Aug 2017 (43 comments)
So did Microsoft ever fix this?
Hostile code scanners need to look at a lot, but they don't need permission to write much. If sandboxed that way, attacks aimed at the code scanner don't do much.
Yes, but it is cool to hate M$.
https://learn.microsoft.com/en-us/defender-endpoint/sandbox-...
Nice. Is that the default yet? The article doesn't suggest there's a downside to sandboxing Defender. If so, that should be the default.
Not yet, but it is no different than SELinux or seccomp not being the default on most Linux distributions, other than Android and ChromeOS.
Now with ongoing changes due to Secure Future Initiative, it will become so, Windows is already going into app sandboxing[3], Virtualization-based Security[2], Pluton requirements[1], and plenty others[0], I would expect it to eventually be enabled by default.
[0] - https://learn.microsoft.com/en-us/windows-hardware/design/de...
[1] - https://learn.microsoft.com/en-us/windows/security/hardware-...
[2] - https://learn.microsoft.com/en-us/windows-hardware/design/de...
[3] - https://blogs.windows.com/windowsdeveloper/2023/06/14/public...
> Not yet, but it is no different than SELinux or seccomp not being the default on most Linux distributions, other than Android and ChromeOS.
default for what? a non-existent bundled anti-virus scanner?
you don't need to sandbox something that doesn't exist
selinux is enabled by default on RHEL, apparmor is on by default for ubuntu/debian (so "most" is covered)
seccomp()/unshare() are necessarily application specific but still very heavily used (Chrome, flatpak, systemd, ...)
Default security knobs.
>.....other than Android and ChromeOS.
Red Hat has some of them turned on, not the full stuff, otherwise I would be out of work in SecDevOps security assessments.
Outdated since 2018, https://learn.microsoft.com/en-us/defender-endpoint/sandbox-...
I just sandbox Windows itself. My only complaint is that I can't play some online games.
Now please tell me how to remove Defender.
"Erase disk and install Ubuntu"
https://ubuntu.com/tutorials/install-ubuntu-desktop#6-type-o...
And then Clippy sneaks up behind you, and whispers menacingly in your ear, "It looks like you're installing an operating system."
I have to ask what motivates that. Defender has been extremely unproblematic and pretty good as far as MS software goes, for my experience at least.
I see about a 100x slowdown on some applications[0] and IO heavy operations with defender in win11. It's unbelievable how slow it is. I was a huge proponent of it in Win10, but I'm finding it hard to do so now.
[0] The software I'm using does a scan over a few hundred thousand files to read file headers. Without windows defender it takes about 30 seconds, but with defender it takes about 300.
The answer in this scenario is to exempt that application and/or folder. Don’t throw the baby out with the bath water.
In my environment we have to add exceptions for Developers' git folders for the realtime scanning for a similar reason. Apps with large numbers of small files or high frequency writes of small files, like temp files during the build process, need to be exempted unless you're willing to pay the performance penalty for the security.
I don’t understand why, but I have an exemption for that folder and I’ve disabled real time scanning. It still shows the slowdown on first launch. The only thing that works is disabling windows defender entirely. I’ve been through the troubleshooting loop a few times with this.
Out of curiosity, does Dev Drive do anything for you? https://learn.microsoft.com/en-us/windows/dev-drive/
I'm setting one up tomorrow.
We're seeing the same thing - our compilation times literally double because of Defender activity, you can go into resource manager and see defender using like 50% of the CPU, it takes our project from about 12 minutes for a full rebuild to 25 minutes. And the thing is - you can add whatever exceptions you want, they work for a while and then it breaks again with updates, I literally keep having to re-add and fix exceptions in Defender every month or our compilation times slow down to a crawl.
JetBrains IDEs actually tell you to exclude some directories from Defender (and will even do it for you in some instances) because of performance issues. DevDrive[1] fixes that since it's excluded from defender by default.
[1]: https://learn.microsoft.com/en-us/windows/dev-drive/
I've used Rider to add the folder as an exclusion, no dice.
I'm going to give dev drive a go, but forgive me for being sus for enabling a feature for a problem that MS seem to have caused.
That’s 10× though, not 100× (still a lot for something you can’t turn off). Typo?
Yes, typo! My bad and I can’t edit.
Use DevDrive. It was created exactly for your purpose.
Then whitelist the process.
Sorry, but wanting to disable Defender entirely for some ultra edge case is just dumb.
If you read my other reply, you'd see I have done, and it doesn't work. But, disabling defender does.
> for some ultra edge case is just dumb
By ultra edge case you mean the application that I spend as much time in as my IDE for my job?
It adds a non trivial amount of time for each file access.
I'm generally in favor of Defender, but it can definitely cause performance issues, especially in relationship to other windows processes like windows update.
If you keep your system regularly updated, it's less of a problem, but I often help people who basically never update or leave their computer on long enough for Defender to do complete scans. After a certain point it basically becomes impossible to update because defender fights update and chrome and discord and etc etc etc, for access to the files and you end up with the cpu and harddrive maxed out for a couple of days before everything completes.
Defender slows down build times significantly.
You can set exclusions of course, but it does get tedious because every time you have a new project you need to add exclusions for its folder and the toolchain. Then every time a toolchain is updated (eg .../gcc/11.5 changes to gcc/11.5.2 you have to enter the 20 new exe exclusions and of course windows won't let you mass delete the old ones so it's click->confirm->click->confirm x50).
I might not do it myself but I can see why someone would just say "enough is enough".
You can use the PowerShell command Add-MpPreference -ExclusionPath[0] and ship a script with your app if you want. I do the same for Terraform providers - whenever a new version comes out, for a time the process can be randomly killed as I suppose a process that spawns a child process that starts talking to lots of endpoints looks somewhat suspicious.
[0] https://learn.microsoft.com/en-us/powershell/module/defender...
In the old days at MSFT, developers had a separate HD for code and builds that was completely excluded from virus scanners.
Sometimes a big blunt hammer does the trick!
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Or https://learn.microsoft.com/en-us/defender-endpoint/microsof...
(DevDrive + Defender's "performance mode")
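The two complaints above (re-entering 20 exe exclusions every time a toolchain moves from gcc/11.5 to gcc/11.5.2, and no way to bulk-remove the stale ones) can be handled with the same cmdlets the Add-MpPreference comment mentions. The script below is an added example written for this thread, not code posted by any commenter or shipped by Microsoft. It assumes a hypothetical layout of C:\src\myproject for the build tree and C:\tools\gcc\<version>\ for versioned toolchains; adjust both. It is a dry run unless you pass -Apply, and it re-reads Get-MpPreference afterwards so you notice when tamper protection or a policy-managed exclusion list (the HKLM\SOFTWARE\Policies\...\Exclusions key above) silently overrides local changes.

```powershell
#Requires -RunAsAdministrator
# Added example: keep Defender real-time exclusions in sync with the toolchain
# actually on disk. Paths are assumptions for illustration, not from the thread.
param(
    [string]$ProjectRoot   = 'C:\src\myproject',   # assumption: the build tree
    [string]$ToolchainRoot = 'C:\tools\gcc',       # assumption: versioned subfolders (11.5, 11.5.2, ...)
    [switch]$Apply                                 # without -Apply nothing is changed
)

$pref         = Get-MpPreference
$currentPaths = @($pref.ExclusionPath)
$currentProcs = @($pref.ExclusionProcess)

# Newest toolchain version directory, by numeric version rather than string order.
$latest = Get-ChildItem -Path $ToolchainRoot -Directory -ErrorAction SilentlyContinue |
    Sort-Object { try { [version]$_.Name } catch { [version]'0.0' } } -Descending |
    Select-Object -First 1

# Desired state: the project folder as a path exclusion, plus every executable
# of the newest toolchain as a process exclusion (what the build actually spawns).
$wantPaths = @($ProjectRoot)
$wantProcs = @()
if ($latest) {
    $wantProcs = @(Get-ChildItem -Path $latest.FullName -Recurse -Filter '*.exe' |
        ForEach-Object { $_.FullName })
}

# Diff against what Defender already has (comparisons are case-insensitive).
$addPaths = @($wantPaths | Where-Object { $currentPaths -notcontains $_ })
$addProcs = @($wantProcs | Where-Object { $currentProcs -notcontains $_ })

# Stale: process exclusions under the toolchain root whose binary no longer exists,
# i.e. entries left behind by older versions. Only our own subtree is touched.
$stale = @($currentProcs | Where-Object {
    $_ -and ($_ -like "$ToolchainRoot\*") -and -not (Test-Path -LiteralPath $_)
})

Write-Host "Add paths     : $($addPaths.Count)"
Write-Host "Add processes : $($addProcs.Count)"
Write-Host "Remove stale  : $($stale.Count)"

if (-not $Apply) {
    Write-Host 'Dry run only; re-run with -Apply to change Defender preferences.'
    return
}

# The cmdlets accept string arrays, so each call handles the whole batch.
if ($addPaths) { Add-MpPreference    -ExclusionPath    $addPaths }
if ($addProcs) { Add-MpPreference    -ExclusionProcess $addProcs }
if ($stale)    { Remove-MpPreference -ExclusionProcess $stale }

# Verify: if a policy or tamper protection manages exclusions, the calls above
# can succeed without taking effect, so compare against what Defender reports.
$after   = Get-MpPreference
$missing = @($wantProcs + $wantPaths | Where-Object {
    ($after.ExclusionPath -notcontains $_) -and ($after.ExclusionProcess -notcontains $_)
})
if ($missing) {
    Write-Warning "Exclusions not applied (managed by policy or tamper protection?):`n$($missing -join "`n")"
} else {
    Write-Host 'Exclusions verified against Get-MpPreference.'
}
```

Run it from the toolchain's post-install step or a repository bootstrap script; since it only adds what is missing and only removes entries under its own toolchain root, re-running it monthly after a Defender update is harmless. Keep in mind what an exclusion costs: anything written into the excluded build tree, including a dependency pulled in by the build, is no longer inspected by real-time protection, so excluding a narrow path and the specific compiler processes is preferable to excluding a whole drive.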
JetBrains does it for you with one click when you create a new project.
I've gotten it to work on Windows 10 by booting into live Linux and renaming the Windows Defender folder in Program Files. No clue if it would work on 11.
I am surprised that ever worked. I was confident Win10 did verification that system files were in place and matched a hash or some other integrity mechanism.
They put in a lot of effort to prevent you from deleting the main executable (you the user that is, malware can probably delete it just fine using the usual methods) however one day I discovered you can delete the .dll files from its folder and it no longer runs, and Windows does not do anything to try and fix it.
you can also set the permissions on it so SYSTEM can't execute it
You can ask it to with things like SFC but fortunately it's not that locked-down yet... and of course you can always patch those checks out if the OS itself isn't running to interfere with you.
If you use windows server you can just type `Uninstall-WindowsFeature WindowsDefender` (or similar, that might be the wrong feature name). If you use client windows there are two options, first you can disable "anti-tamper" and then disable the defender services with the TrustedInstaller token, this takes a few tries and often does not work on modern versions of windows or while defender is running (you can do it by editing the registry from safe-mode or linux).
Another option is to enable "Smart App Control" this will permanently disable defender but you will only be able to run signed executables, and to turn it on you must have never run any unsigned executables in the past (or reformat your hard drive).
There's an app called DefenderControl that will disable it, as well, using various methods.
You can also install some other anti-virus software, but you can't make your own -- they need to be signed with a special key.
A fun bit of trivia: defender doesn't turn itself on until after the "out of box experience" is finished, under the rationale that users can't install any malware until they can use the computer. Thus you can run defender disabling scripts/programs from a customized installer without them getting nuked by defender.
You can reliably disable it with Group Policy Editor. At least on Win10, not sure about Win11.
On Win11, it reenables itself after a short while using a system service, in true Robin Hood & Friar Tuck malware[1] fashion.
[1] https://users.cs.utah.edu/~elb/folklore/xerox.txt
> You can reliably disable it with Group Policy Editor.
It does not work. You can disable _some things_ , but not the whole.
That's only available on Pro.
https://gist.github.com/lelegard/8da0b20cc35708852c14fcf8996...
Just run
Get-ChildItem @( "C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package.mum", "C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package.mum" ) | ForEach-Object { dism.exe /online /norestart /add-package:"$_" }
Removing core parts of Windows is not a good idea
Letting them run is also not a good idea. Especially when they bring no benefit. (see ransomware for example)
I use a custom windows build with defender removed, you can find them on any windows modding site
The safer option is to build your own install media using an unattend file. Here's an unattend file generator https://schneegans.de/windows/unattend-generator/
wow, I had no idea this exists. thank you very much
Boot into linux, rename defender folders.