I didn't claim anything, I suggested it. The AV can be on top, but when they sell the data it can hardly be advised to use.
Scripts (example for 2004 19041):

remove-packages.cmd
Code:
pushd "%~dp0"
powershell -executionpolicy bypass -file remove-packages.ps1
pause

remove-packages.ps1
Code:
Import-Module -DisableNameChecking $PSScriptRoot\take-own.psm1

echo "Elevated"
# Loop until SeTakeOwnershipPrivilege is enabled in the current token
do {} until (Elevate-Privileges SeTakeOwnershipPrivilege)

# Component Based Servicing (CBS) package names for 10.0.19041.1
$pkgs = @(
    "Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Microsoft-Windows-SenseClient-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Microsoft-Windows-HVSI-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
)

foreach ($pkg in $pkgs) {
    echo "Removed registry $pkg"
    # Take ownership of the package key and its Owners subkey, then delete Owners
    Takeown-Registry ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$pkg")
    Takeown-Registry ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$pkg\Owners")
    Remove-Item -Path ("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$pkg\Owners")

    echo "Uninstall $pkg"
    Remove-WindowsPackage -Online -PackageName "$pkg" -NoRestart
}

take-own.psm1
Code:
# Sets BUILTIN\Administrators as owner of a registry key and grants it FullControl.
# Only the HKEY_LOCAL_MACHINE hive is handled.
function Takeown-Registry($key) {
    switch ($key.split('\')[0]) {
        "HKEY_LOCAL_MACHINE" {
            $reg = [Microsoft.Win32.Registry]::LocalMachine
            $key = $key.substring(19)   # strip "HKEY_LOCAL_MACHINE\"
        }
    }

    $admins = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
    $admins = $admins.Translate([System.Security.Principal.NTAccount])

    $key = $reg.OpenSubKey($key, "ReadWriteSubTree", "TakeOwnership")
    $acl = $key.GetAccessControl()
    $acl.SetOwner($admins)
    $key.SetAccessControl($acl)

    $acl = $key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, "FullControl", "Allow")
    $acl.SetAccessRule($rule)
    $key.SetAccessControl($acl)
}

# Enables the named privilege (e.g. SeTakeOwnershipPrivilege) in the current process token
function Elevate-Privileges {
    param($Privilege)

    $Definition = @"
using System;
using System.Runtime.InteropServices;

public class AdjPriv {
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid {
        public int Count;
        public long Luid;
        public int Attr;
    }

    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    public static bool EnablePrivilege(long processHandle, string privilege) {
        bool retVal;
        TokPriv1Luid tp;
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
        tp.Count = 1;
        tp.Luid = 0;
        tp.Attr = SE_PRIVILEGE_ENABLED;
        retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
        retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return retVal;
    }
}
"@

    $ProcessHandle = (Get-Process -id $pid).Handle
    $type = Add-Type $Definition -PassThru
    $type[0]::EnablePrivilege($ProcessHandle, $Privilege)
}

Windows 10 2004 19041.21, current Defender version, all allowed including tamper protection. Run remove-packages.cmd as admin... and after restart Windows 10 is Windows 10 without Defender. (Script can be shortened) (No exception added to Defender)
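For anyone wanting to check a machine from the other side, here is an added audit script (not part of the post above, and not the author's code) that looks for exactly the traces the posted script leaves: the listed CBS packages no longer reporting Installed, their Owners subkeys missing or no longer owned by TrustedInstaller, and the Defender service not running. It assumes Get-WindowsPackage, Get-Acl and Get-MpComputerStatus are available and that NT SERVICE\TrustedInstaller is the expected owner of CBS package keys on an untouched 19041 install.

```powershell
# Added defensive audit for the Defender CBS packages discussed in the thread.
# Run from an elevated PowerShell on Windows 10 2004 (19041).
$pkgs = @(
    "Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Microsoft-Windows-SenseClient-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
    "Microsoft-Windows-HVSI-Package~31bf3856ad364e35~amd64~~10.0.19041.1"
)
$cbs = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
$expectedOwner = "NT SERVICE\TrustedInstaller"   # assumption: default owner of CBS package keys

$findings = @()
foreach ($pkg in $pkgs) {
    # Package state as DISM sees it; a removed package makes the cmdlet throw
    try {
        $state = (Get-WindowsPackage -Online -PackageName $pkg -ErrorAction Stop).PackageState
    } catch {
        $state = "NotPresent"
    }

    # The posted script deletes the Owners subkey after taking ownership of it
    $ownersKey = Join-Path $cbs "$pkg\Owners"
    if (Test-Path -Path $ownersKey) {
        $owner = (Get-Acl -Path $ownersKey).Owner
    } else {
        $owner = "MISSING"
    }

    if (("$state" -ne "Installed") -or ($owner -ne $expectedOwner)) {
        $findings += [pscustomobject]@{ Package = $pkg; State = $state; OwnersKeyOwner = $owner }
    }
}

# Is the Defender engine still up at all?
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$engineUp = ($null -ne $mp) -and $mp.AMServiceEnabled

if ($findings.Count -eq 0 -and $engineUp) {
    Write-Output "OK: all Defender CBS packages installed, Owners keys intact, AM service enabled."
} else {
    Write-Warning "Defender tampering indicators found (AM service enabled: $engineUp):"
    $findings | Format-Table -AutoSize
}
```

On a machine where the posted script has run, expect every package to show NotPresent or a pending state with OwnersKeyOwner = MISSING; a single package with owner BUILTIN\Administrators means the takeown step ran but the removal did not finish.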
The biggest issue I have with Windows Defender is that it detects way too many false positives; in fact WD detects way more false positives than actual, real threats. The second big issue is the resource usage; WD is pretty heavy on resources, even more than Bitdefender. Personally, I've been using ESET and Kaspersky the most since Windows XP times and those are the only two AV suites I can recommend.
Great, thanks for this. At least they improved a bit from 1903, otherwise it would have only required this:
Code:
Set-MpPreference -DisableRealtimeMonitoring $true

I wonder if the same kind of tactics can be applied to other AVs as well without alert.
What are we arguing here? Do you suggest that Microsoft should rip Defender out of Windows and have no malware/AV scanner in Windows 10? If there is a better AV solution out there for you, just use it.
Seriously Cheffie??? August 2018? A day late and a dollar short on that review..... unless that is the best you could find to post.