Windows Defender - The worst AV ever?

Discussion in 'Windows 10' started by Windows_Addict, Feb 7, 2020.

  1. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,536
    2,093
    120
  2. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    30,735
    48,027
    450
  3. Windows_Addict

    Windows_Addict MDL Addicted

    Jul 19, 2018
    608
    1,137
    30
  4. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    30,735
    48,027
    450
    I didn't claim anything, I suggested it; the AV can be on top, but when they sell the data it can hardly be advised to use.
     
  5. ipx

    ipx MDL Addicted

    May 24, 2017
    513
    425
    30
    So this:

    is hogwash, right?
     
  6. Krakatoa

    Krakatoa MDL Addicted

    Feb 22, 2011
    528
    796
    30
    Scripts (example for 2004 19041):
    remove-packages.cmd
    Code:
    pushd "%~dp0"
    powershell -executionpolicy bypass -file remove-packages.ps1
    pause
    remove-packages.ps1
    Code:
    Import-Module -DisableNameChecking $PSScriptRoot\take-own.psm1
    echo "Elevated"
    do {} until (Elevate-Privileges SeTakeOwnershipPrivilege)
    $pkgs = @(
    "Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Microsoft-Windows-SenseClient-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Microsoft-Windows-HVSI-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    )
    
    foreach ($pkg in $pkgs) {
      echo "Removed registry $pkg"
      Takeown-Registry ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$pkg")
      Takeown-Registry ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$pkg\Owners")
      Remove-Item -Path ("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$pkg\Owners")
      echo "Uninstall $pkg"
      Remove-WindowsPackage -Online -PackageName "$pkg" -NoRestart
    }
    take-own.psm1
    Code:
    function Takeown-Registry($key) {
        switch ($key.split('\')[0]) {
            "HKEY_LOCAL_MACHINE" {
                $reg = [Microsoft.Win32.Registry]::LocalMachine
                $key = $key.substring(19)
            }
        }
    
        $admins = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
        $admins = $admins.Translate([System.Security.Principal.NTAccount])
        $key = $reg.OpenSubKey($key, "ReadWriteSubTree", "TakeOwnership")
        $acl = $key.GetAccessControl()
        $acl.SetOwner($admins)
        $key.SetAccessControl($acl)
        $acl = $key.GetAccessControl()
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, "FullControl", "Allow")
        $acl.SetAccessRule($rule)
        $key.SetAccessControl($acl)
    }
    
    function Elevate-Privileges {
        param($Privilege)
        $Definition = @"
        using System;
        using System.Runtime.InteropServices;
    
        public class AdjPriv {
            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
                internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
    
            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
                internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    
            [DllImport("advapi32.dll", SetLastError = true)]
                internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    
            [StructLayout(LayoutKind.Sequential, Pack = 1)]
                internal struct TokPriv1Luid {
                    public int Count;
                    public long Luid;
                    public int Attr;
                }
            internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
            internal const int TOKEN_QUERY = 0x00000008;
            internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
            public static bool EnablePrivilege(long processHandle, string privilege) {
                bool retVal;
                TokPriv1Luid tp;
                IntPtr hproc = new IntPtr(processHandle);
                IntPtr htok = IntPtr.Zero;
                retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
                tp.Count = 1;
                tp.Luid = 0;
                tp.Attr = SE_PRIVILEGE_ENABLED;
                retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
                retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
                return retVal;
            }
        }
    "@
        $ProcessHandle = (Get-Process -id $pid).Handle
        $type = Add-Type $definition -PassThru
        $type[0]::EnablePrivilege($processHandle, $Privilege)
    }
    
    Windows 10 2004 19041.21, current Defender version, all allowed including tamper protection.
    Run remove-packages.cmd as admin... and after restart Windows 10 is Windows 10 without Defender.
    (Script can be shortened)
    (No exception added to Defender)
     
  7. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    30,735
    48,027
    450
    I really don't care.
     
  8. PsychedelicShaman

    PsychedelicShaman MDL Member

    Dec 4, 2017
    133
    313
    10
    The biggest issue I have with Windows Defender is that it detects way too many false positives; in fact WD detects way more false positives than actual, real threats. The second big issue is the resource usage; WD is pretty heavy on resources, even more than Bitdefender.
    Personally, I've been using ESET and Kaspersky the most since Windows XP times and those are the only two AV suites I can recommend.
     
  9. Windows_Addict

    Windows_Addict MDL Addicted

    Jul 19, 2018
    608
    1,137
    30
    Great, thanks for this; at least they improved a bit from 1903, otherwise it would have only required this:
    Code:
    Set-MpPreference -DisableRealtimeMonitoring $true
    I wonder if the same kind of tactics can be applied to other AVs as well without an alert.
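A defender-side check for the two posts above (Krakatoa's package-removal script and the Set-MpPreference one-liner), added here as an example and not code from the thread: it reports whether Defender's service, real-time protection, tamper protection and the CBS packages named in the script are still in place. It assumes Windows 10 with the Defender and DISM PowerShell modules, run from an elevated prompt; the package subset and the 7-day window are my choices.

```powershell
# Added example (not from the thread): audit whether Defender is still intact.
# Assumes Windows 10 with the Defender and DISM modules, run elevated.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Engine and real-time protection state (covers Set-MpPreference -DisableRealtimeMonitoring).
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $status) {
    $findings.Add('Get-MpComputerStatus failed: Defender service or module missing or removed')
} else {
    if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service is not running') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }
    if ($status.AntivirusSignatureAge -gt 7)    { $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old") }
}

# 2. CBS package inventory: packages the removal script targets should still be Installed.
#    Subset of the names from the thread; version suffix is matched with a wildcard.
$expected = 'Windows-Defender-Core-Group-Package',
            'Windows-Defender-Client-Package',
            'Windows-Defender-Group-Policy-Package',
            'Windows-Defender-AppLayer-Group-Package'
$installed = Get-WindowsPackage -Online | Where-Object PackageState -eq 'Installed'
foreach ($name in $expected) {
    if (-not ($installed | Where-Object PackageName -like "$name~*")) {
        $findings.Add("CBS package missing: $name")
    }
}

# 3. Defender's own log: event 5001 is written when real-time protection is turned off.
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
if ($recent) { $findings.Add("Real-time protection was disabled $(@($recent).Count) time(s) in the last 7 days") }

if ($findings.Count -eq 0) {
    'Defender intact: service, real-time protection, tamper protection and CBS packages all present'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A missing package together with no 5001 event is the signature of the CBS-removal route rather than the Set-MpPreference route, since removing the packages takes the Defender log with them.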
     
  10. oilernut

    oilernut MDL Senior Member

    Jul 8, 2007
    329
    263
    10
    What are we arguing here, do you suggest that Microsoft should rip Defender out of Windows and have no malware/AV scanner in Windows 10?

    If there is a better AV solution out there for you, just use it.
     
  11. ipx

    ipx MDL Addicted

    May 24, 2017
    513
    425
    30
    Thank you. You hit the nail on the head.
     
  12. CHEF-KOCH

    CHEF-KOCH MDL Expert

    Jan 7, 2008
    1,206
    1,177
    60
    #77 CHEF-KOCH, Feb 10, 2020
    Last edited: Feb 10, 2020

    Attached Files:

  13. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,536
    2,093
    120
    Seriously Cheffie???
    August 2018?
    A day late and a dollar short on that review..... unless that is the best you could find to post. :roflmao:
     
  14. Windows_Addict

    Windows_Addict MDL Addicted

    Jul 19, 2018
    608
    1,137
    30
  15. oilernut

    oilernut MDL Senior Member

    Jul 8, 2007
    329
    263
    10