Patch Lady – Defender not having a good week

    Posted by Susan Bradley. Comment on the AskWoody Lounge.

      • #2288479 Susan Bradley (AskWoody MVP)

        So the other day we had folks reporting issues with Defender and Western Digital drivers. Today Citrix Broker service was flagged as malicious and wel
        [See the full post at: Patch Lady – Defender not having a good week]

        Susan Bradley Patch Lady

        4 users thanked author for this post.
      • #2288535 anonymous (Guest)

        In addition to the issue reported here, MS Security Essentials recently (ca. July 28) began to quarantine the MVPS HOSTS file and other customized HOSTS files derived from MVPS HOSTS. Perhaps because about half of my 27 endpoints on my home network had been using MS’s Security Essentials w/o issue for years, either I did not configure more verbose warnings or could set and forget, but it was not until I saw strange behavior for expected HOSTS file changes and nothing happened that I looked farther and found ALL of my customized files had been silently removed, then unable to edit. I had to painfully on each endpoint allow this file by wildcard, which I hated doing, punching holes in a security layer, but I’d rather have the HOSTS file under MY control containing what I want instead of MS. Of course I also use DNS blackholing but like the belt and suspenders, especially for portable endpoints not always on my DNS. On one hand good for MS doing some recon on modified HOSTS files, which could be a result of malicious actors, but bad because this changed what was in my experience years of consistent behavior and did so w/o any notification unless you looked on each asset for what was in quarantine AFTER the fact and unexpected behavior resulted. Taking several rounds of 20 questions to “allow” but still finding the HOSTS file on some endpoints again quarantined, finally resorting to wild carding the file, finished off making the decision to dump MS Security Essentials on those computers where it had previously not caused problems.

        With over 20 years experience in a scientific computing environment managing thousands of Windows computers for scientific work on a government network, and also on my home network now that I am retired, consistent computing platforms that can be predictably managed support the mission. Inconsistent behavior, especially because of unannounced/untested changes made by the OS (or other software) vendor and even back-doored in, does the bad guys’ work for them and breaks things. Disgusted with this mess and glad to be retired but more than a little annoyed the shell game continues. Stop it!

        3 users thanked author for this post.
      • #2288593 woody (Da Boss)

        It looks like both bugs have been patched with Antivirus Definition 1.321.1341.0 and platform 4.18.2008.4 (is it out yet?) but man alive… who in the world is testing this stuff?

        • #2288624 bbearren (AskWoody MVP)

          … who in the world is testing this stuff?

          How would you propose that Microsoft (or anyone, for that matter) check patch/update compatibility for the myriad combinations of hardware and software complicated by platform fragmentation caused by selective patching?

          Pondering the permutations/combinations alone would make one’s head swim. Trying to simulate all of them, even with VMs, …

          Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
          "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
          "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

          • #2288658 Alex5723 (AskWoody Plus)

            That is the purpose of alpha and beta testing by Microsoft’s groupies.

      • #2288617 anonymous (Guest)

        Glad I’ve kept my newest laptop (Windows 10 1909/Home) offline even though updates are set to pause until Sept 2020 on that laptop. So Windows Defender still gets its updates regardless, and my laptop is using a WD M.2/NVM, but I’m reading that it’s WD external drive related.

        So how manageable is Defender’s updating, for maybe switching that to manual only if any issues pop up that need to be avoided? I’m just going to use the backup laptops (Mint 19.3) online, as that’s what I use for daily internet anyways, and keep the newest laptop’s wear and tear to a minimum unless needed. I’ve got to get that WD M.2/NVM replaced with a Samsung variant that has more capacity, as the WD M.2/NVM appears to have had some unrelated issues with Linux as well, and I’m getting ready to do a 10/Mint dual boot configuration shortly on the new laptop.

      • #2288670 geekdom (AskWoody Plus)

        Antimalware Client Version: 4.18.2007.8
        Engine Version: 1.1.17300.4
        Antivirus Version: 1.321.1402.0
        Antispyware Version: 1.321.1402.0

        No Windows Defender errors.

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
        online▸ Win10Pro 1909.18363.1082 x64 i5-9400 RAM16GB HDD Firefox81.0 WindowsDefender
        TargetReleaseVersion=1909
        WUMgr
      • #2288749 Speccy (AskWoody Lounger)

        Same as geekdom here (Win10Pro v1909 x64 Build 18363.959 (Baseline) / 18363.1016 (Beta Testing)),

        Antimalware Client Version: 4.18.2007.8
        Engine Version: 1.1.17300.4
        Antivirus Version: 1.321.1424.0
        Antispyware Version: 1.321.1424.0

        No Windows Defender errors.

        That new 4.18.2008.4 platform that Susan and others are talking about is likely a BETA being pushed through whatever preview/fast ring/insider initiatives are currently happening. It may or may not be the next engine to supersede the current one (4.18.2007.8).

        IMHO, hacking the Registry (by adding a few REG_DWORD keys) to “flag” the system as a candidate to automatically get a BETA engine to auto-install might not be the smartest move. I would just wait a few more days… When the next engine is “ready” it will be made available through the Catalog, at the usual location:
        https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623

        Ironically, the supporting KB article at
        https://support.microsoft.com/en-us/help/4052623
        is also slightly behind: it is still referring to the previous engine (4.18.2005.5, made available at the Catalog on June 3rd, 2020).

        Regarding Redmond’s decision to begin flagging some customized HOSTS files as “malicious”, one may work around the “issue” by manually defining an explicit exclusion rule:
        (attachment: WindowsDefender-hosts_exclusionRule)
        (it may also be viable doing that for multiple endpoints, through a script that ‘reg add’s the rule – although it is a bit tricky as it involves dealing with ownership and permissions, etc.)

        Note however that, because this rule would also allow malware to silently add malicious entries as well, the HOSTS file should always be closely monitored for any unexpected changes.
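As an added example (not from Speccy's post or from any AskWoody member), the exclusion workaround described above together with the HOSTS monitoring it calls for, plus the same Defender version fields geekdom and Speccy list, in PowerShell. It assumes an elevated Windows 10 session with the Defender cmdlets (Get-MpPreference, Add-MpPreference, Get-MpComputerStatus, Get-MpThreatDetection) available; the baseline file location and the function names are this example's own choices.

```powershell
# Added example (not from this thread): baseline the HOSTS file to catch unexpected
# changes and report Defender's exclusion/detection state. Baseline path is an assumption.
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BaselinePath = Join-Path $env:ProgramData 'hosts-baseline.sha256'

function Get-HostsHash {
    # Returns $null when the file is absent, e.g. after Defender quarantined it
    if (-not (Test-Path -Path $HostsPath)) { return $null }
    (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
}

function Save-HostsBaseline {
    # Record the hash of the HOSTS file you deliberately deployed
    $hash = Get-HostsHash
    if ($null -eq $hash) { throw 'HOSTS file is missing; nothing to baseline.' }
    Set-Content -Path $BaselinePath -Value $hash -Encoding ascii
    $hash
}

function Test-HostsIntegrity {
    # A mismatch (or a missing file) is the "unexpected change" to investigate
    if (-not (Test-Path -Path $BaselinePath)) { throw 'Run Save-HostsBaseline first.' }
    $expected = (Get-Content -Path $BaselinePath -Raw).Trim()
    $actual   = Get-HostsHash
    [pscustomobject]@{ Present = ($null -ne $actual); Matches = ($actual -eq $expected)
                       Expected = $expected; Actual = $actual }
}

function Get-DefenderHostsState {
    # Exclusion status, past detections naming the HOSTS file, and the version fields the posts list
    $status   = Get-MpComputerStatus
    $excluded = [bool]((Get-MpPreference).ExclusionPath -contains $HostsPath)
    $hits     = @(Get-MpThreatDetection | Where-Object { $_.Resources -match 'drivers\\etc\\hosts$' })
    [pscustomobject]@{
        Excluded                 = $excluded
        PastHostsDetections      = $hits.Count
        AntimalwareClientVersion = $status.AMProductVersion
        EngineVersion            = $status.AMEngineVersion
        AntivirusVersion         = $status.AntivirusSignatureVersion
        AntispywareVersion       = $status.AntispywareSignatureVersion
    }
}

function Enable-HostsExclusion {
    # The workaround from the post: exclude the exact path (not a wildcard), only if not already present
    if (-not (Get-DefenderHostsState).Excluded) { Add-MpPreference -ExclusionPath $HostsPath }
    Get-DefenderHostsState
}
```

Run Save-HostsBaseline once after deploying your HOSTS file, then schedule Test-HostsIntegrity so that an edit made after the exclusion is in place shows up as Matches = False rather than going unnoticed.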

