Will they do anything about its terrible performance? According to [1] the Windows Defender causes a 5x increase of Chrome's build times and it delays a process start by 260 ms.
Do you have any numbers from other products to show this is an issue with Windows Defender's performance, and not just with the general concept of scan-on-access antivirus?
What measure are you using to determine the performance is terrible? As a developer, I have always had issues with Antivirus. If your compile times are crap then AV should be one of the first things you try disabling.
Hell, I've had overly aggressive AV (McAfee) locking files in temp data folders causing performance to falter in running applications (Visual Studio, Pidgin, Outlook, Office).
I've had the same experience, I've just taken to whitelisting all of the cache, assembly, and lib folders throughout the workflow (and processes).
Never found an AV which didn't seriously hamper build times, since building often involves a lot of process start/stops and new small files, both of which are kryptonite to AV.
MalwareBytes Enterprise recently got completely uninstalled as it was locking random files during compilation indefinitely. They have a fix but only for the consumer branch.
Can you explain what you mean by "fix that"? How is that helpful? I read your link and it doesn't provide any actionable items.
In any case, it doesn't "run as SYSTEM". The invoking credentials for a process are not necessarily relevant on a kernel like NT. A process can choose modify its security token after process invocation. For e.g. User mode apps, can downgrade their read/write rights, limiting them to a fixed directory, so even if they had exploitable bugs, the damage could be limited. Chrome on windows uses these same protections. I'm sure similar tech exists on competing kernels.
MsMpEng.exe AFAICT runs as a 'system protected process'. Certainly, it looks like there were severe bugs but its not clear where the bugs lie. It could be that the protection mechanism itself is flawed (which would be very bad), or maybe the way it's being used is incorrect, etc etc
Certain parts of an AV product need to run with the top-most privileges. But that component should be relatively lean, and quickly hand off dangerous work to lower-privilege, memory isolated, processes.
Windows Defender has a process called NScript which is a full JavaScript processing engine, running in SYSTEM. A JavaScript engine is inherently complicated enough to have bugs, and running as SYSTEM with no isolation could allow escalating a bug into a full blown code execution just by visiting a web page. None of this is theoretical, it was found and exploited May 2017 [0].
You're correct in saying that Windows does allow more nuanced token control than the full user's context, but I'm yet to read that Windows Defender actually utilises that. None of the previous bugs have been stopped by low-priv style access control, it has been a full SYSTEM leak. Do you have specific information about Windows Defender which suggests they're using voluntary revocation of token privileges?
You effectively have to be able to debug other processes, copy data to and from a process, and a lot of other control. What would it run as that would have all those permissions?
Sorry I was being rather facetious there. They have VSM available (Application Guard). This is only on Enterprise edition because you know, only enterprises need a decent threat protection model...
This is both pretty impressive and pretty scary. Impressive to detect new malware with such a low N. This massively changes the economics of creating malware. Scary now that pretty much any file that flags as suspicious locally can be sent to the cloud for further inspection. That would seem a no go for many corporate clients?
That was my first impression as well. As someone who likes to understand what my computer is doing I was never aware that Windows Defender was anything more than the typical definition based AV.
Does this mean that Windows Defender is now something to disable on HIPAA compliant workstations because there is a chance that Defender thinks some medical records look suspicious and it decided to upload them for analysis?
But for the home and small business this stuff is amazing. It really continues the anti-"virus" analogy by effectively creating an immune system comprised of most Windows machines.
all leading security vendors have cloud based solutions with some of them offering 'private-cloud' based solutions which if was the case what they should be using... I cannot fathom this sort of situation as an real 'accident' and not some other form of misinformation.
if you are not utilizing the global up-to-second cloud-herd communication and technology you are more susceptible to attacks than others that are utilizing them.
I believe the purpose of these solutions is literally economic warfare. We are making it astronomically more expensive to have successful attacks more than _once_ (_if_ security is done right) to occur by implementing cloud based automation and sharing of information.
Reality winter printed out a classified document at work, I think you're confusing her with Nghia Pho, whom appears to have been the Kaspersky leak victim.
Users concerned with privacy would not be using Windows, given all of its other known telemetry issues and malware surface. Ie it might already have uploaded whatever was sensitive, even without needing to run a malware examination on it.
Apple and Microsoft products are full prize products, so I fully trusted they don't come with crap. Unfortunately Microsoft alinated their end consumers starting in 2012 with Win8, and Windows 10 and Office365/2016 are well known spying adware ladden. It's telling that Google products, given they are ad-supported, are well behaving and good citizens (e.g. adhere the users privacy settings) while MSFT products released in 2012 (or later) are not. Do like most users stay with Win7 (supported til 2020) and Office 2010, or move away if you can. They won't change except you show them with your money.
One thing I'm very eager to see is how Defender and Microsoft in general will interact with various third-party AV and "enterprise security" solutions which almost invariably contain rootkit-ish/malware-ish modules.
It's extremely effective on win10 without creating further security issues with the cabal of AV products out there. We tell our clients save the cash, use Defender, and invest in other more effective technologies in the stack.
25 comments
[ 2.9 ms ] story [ 62.7 ms ] thread[1] https://twitter.com/BruceDawson0xB/status/940747236614574080
Hell, I've had overly aggressive AV (McAfee) locking files in temp data folders causing performance to falter in running applications (Visual Studio, Pidgin, Outlook, Office).
Why does the end user care about compile times?
Never found an AV which didn't seriously hamper build times, since building often involves a lot of process start/stops and new small files, both of which are kryptonite to AV.
MalwareBytes Enterprise recently got completely uninstalled as it was locking random files during compilation indefinitely. They have a fix but only for the consumer branch.
AFAIK. Certainly for some anti-virus software.
https://bugs.chromium.org/p/project-zero/issues/detail?id=12...
In any case, it doesn't "run as SYSTEM". The invoking credentials for a process are not necessarily relevant on a kernel like NT. A process can choose modify its security token after process invocation. For e.g. User mode apps, can downgrade their read/write rights, limiting them to a fixed directory, so even if they had exploitable bugs, the damage could be limited. Chrome on windows uses these same protections. I'm sure similar tech exists on competing kernels.
MsMpEng.exe AFAICT runs as a 'system protected process'. Certainly, it looks like there were severe bugs but its not clear where the bugs lie. It could be that the protection mechanism itself is flawed (which would be very bad), or maybe the way it's being used is incorrect, etc etc
Certain parts of an AV product need to run with the top-most privileges. But that component should be relatively lean, and quickly hand off dangerous work to lower-privilege, memory isolated, processes.
Windows Defender has a process called NScript which is a full JavaScript processing engine, running in SYSTEM. A JavaScript engine is inherently complicated enough to have bugs, and running as SYSTEM with no isolation could allow escalating a bug into a full blown code execution just by visiting a web page. None of this is theoretical, it was found and exploited May 2017 [0].
You're correct in saying that Windows does allow more nuanced token control than the full user's context, but I'm yet to read that Windows Defender actually utilises that. None of the previous bugs have been stopped by low-priv style access control, it has been a full SYSTEM leak. Do you have specific information about Windows Defender which suggests they're using voluntary revocation of token privileges?
[0] https://bugs.chromium.org/p/project-zero/issues/detail?id=12...
Sure, just dump the security token for MsMpEng.exe. Here it is: https://pastebin.com/ukMPUWA7
IntegrityLevelIndex is 01, MandatoryPolicy is 0x3 , Privs are a subset of the full list.
https://www.nirsoft.net/kernel_struct/vista/TOKEN.html
https://msdn.microsoft.com/en-us/library/windows/desktop/bb5...
https://msdn.microsoft.com/en-us/library/windows/desktop/bb3...
https://msdn.microsoft.com/en-us/library/bb625963.aspx
Does this mean that Windows Defender is now something to disable on HIPAA compliant workstations because there is a chance that Defender thinks some medical records look suspicious and it decided to upload them for analysis?
But for the home and small business this stuff is amazing. It really continues the anti-"virus" analogy by effectively creating an immune system comprised of most Windows machines.
Just some food for thought. I never trust any "cloud-based" antivirus solution.
all leading security vendors have cloud based solutions with some of them offering 'private-cloud' based solutions which if was the case what they should be using... I cannot fathom this sort of situation as an real 'accident' and not some other form of misinformation.
if you are not utilizing the global up-to-second cloud-herd communication and technology you are more susceptible to attacks than others that are utilizing them.
I believe the purpose of these solutions is literally economic warfare. We are making it astronomically more expensive to have successful attacks more than _once_ (_if_ security is done right) to occur by implementing cloud based automation and sharing of information.