Microsoft Defender was flagging Tor browser as a trojan and removing it (deform.co)
400 points by chatmasta on Oct 2, 2023 | 127 comments



I used to work on an anti malware team. There were two controversial issues that related to that work that I want to bring up here.

First, what is malware? It’s actually very hard to define in such a way that makes everyone happy. The line gets really blurry on the border of nuisance vs malicious, and on security tools, which might do things in the name of privacy that malicious software might do to hide its tracks.

The other issue is false positives. We tried really hard to avoid false positives; we ran tests with known good binaries to see if they were inappropriately detected, etc. We feared false positives more than false negatives.

I am sure that the MS antimalware team is having a bad day and not acting in bad faith.


I don't believe they're acting in bad faith either, and certainly nothing is being removed from the system as the clickbait title implies. The user has the option to stop it from being removed, and the team recommends "adding Tor to Microsoft’s protection software exclusion list and restoring “tor.exe” from quarantine if Defender affected Tor’s operation". Seems perfectly reasonable to me.


I find it especially funny when anti-malware tools flag things like 4k intros or even smaller demoscene production.

The people doing that are shaving bytes, fitting music and 3D graphics in self-contained executables smaller than many HN posts. Having enough space for malware after that would be insane.

The reason these are often flagged as malware is that they are typically using runtime compression and a variety of tricks to save space, these techniques are unusual in legitimate programs and common in malware. Malware scanners could add support for the likes of crinkler and kkrunchy, but these are probably too niche to care.


While it is true those executables may be small files, that doesn't mean they can't be part of a larger malware suite, one where the bulk of innocent-looking code is elsewhere, and the specially-packed executable contains the damning secret sauce.


They definitely could be part of malware, that's why they are flagged as such. I know the context, I know what's in the archive with it, and I am pretty sure the executables are safe, but the scanner doesn't know, and doesn't get to see the nice effects for confirmation. Most people simply turn off the scanner when dealing with these files.

Scanners could discriminate. These productions are often compressed with well known packers. It would be a "simple" matter of unpacking the file and scanning the resulting executable, which is often just a bunch of graphics and sound calls. But that's significant work for such a niche application. These tiny packers are also way more resource hungry than their size would suggest.


> These tiny packers are also way more resource hungry than their size would suggest.

I wonder if that might also expose some attack-surface, like with "zip bombs".


How many bytes does it take to run "download X and exec it". I wouldn't think many?


>Having enough space for malware after that would be insane.

win32 shellcode for downloading the real malware could very easily fit even in a 4k intro.

https://www.exploit-db.com/exploits/13515


Can there be legal liability with anti malware? By example, could flagging some software as malware expose you to being sued for libel?


This is getting down voted and I'm not sure why. Google has flagged some of my personal domains as "deceptive login" (why: I could not fucking tell you... they give no info, and my logs show absolutely nothing going on. My best guess is I used chrome auto fill in them while testing letsencrypt staging certs after switching cert providers)

But... they are very clearly publishing info claiming my site is malicious, and it's not. It seems like a super clear case of libel, which I won't pursue because it's personal sites and I'm not losing revenue or anything, but it seems open and shut.

It's not even exempt due to general section 230 clauses. It's not user content. It's just them.


I'm not a lawyer, but my understanding of libel is that at least in the US you need an element of intent to be guilty of libel. Simply being wrong about something isn't libel unless you can prove they know it was wrong or should have known it was wrong. Unless you can show Google knows your site isn't malicious and is labeling it that way anyways, it seems more likely it would be an open and shut case in their favor. I'm also fairly confident Google's lawyers have put a fair amount of thought into this and are already prepared to demonstrate how their labeling is done in good faith, etc.

I didn't do any downvoting, but I suspect it could be a reaction to the fact that treating this as libel would make operating any security company or service effectively impossible by requiring zero false positives. That seems like an obviously unworkable standard even if getting incorrectly flagged as malicious admittedly does suck.


I've submitted more than a dozen reports to their service.

To their credit - Mozilla pulled it from their copy of the safebrowsing list and no longer reports it as malicious. Google does though.

Google also has no contact in place to appeal, and I've provided written contact information if they have any actual evidence of abuse that I can prevent.

They have had these reports for more than 10 months now, and I resubmit roughly once every week or so.


If you're up for it, have a lawyer send them a nastygram/C&D and post on HN about what happens. Many people would probably be interested.


Yes [1]. In this case, the issue was that the AM software itself contained security bugs, but depriving you of use of your computer would probably be actionable. IANAL and have no idea if you could win that.

The software does have disclaimer of warranties and limits on liability to the purchase price as part of the terms of use [2]

[1] https://www.prnewswire.com/news-releases/consumers-file-clas...

[2] https://www.microsoft.com/en-us/legal/terms-of-use [note: I am not 100% certain that this is the TOU specifically applicable to MS AM but most TOU look similar]


This would be similar to spam and blocklists. I know people have tried to sue blocklists (MAPS and Spamhaus) but from memory they were not successful in the end. That included blocking email, sometimes with larger blocks of IP ranges not directly involved but in a similar range. Malware being flagged on an antivirus would be similar, but in those cases the user has an option to exclude the block. Google and Firefox block domains for phishing regularly as well.


> It’s actually very hard to define in such a way that makes everyone happy.

There's an easy definition: does it give value to the user, or act against the user's interests? The former isn't, the latter is.

Of course, by that definition, Windows itself would be considered malware.

I suspect the other comment here referencing libel is why "potentially unwanted" is another category that they often use.


By your definition, any software with a bad bug is malware.

Next time you propose a definition, try to break it as an adversary as a test.


I think intent is probably implied. All software has bugs so with your assumption all software is malware.


That's way too subjective.

Here's Microsoft's definition: https://learn.microsoft.com/en-us/microsoft-365/security/int...


This comment is very much an extension of the “I could build this in a weekend” mindset.


Bad faith? Windows defender flags KMS Tools as a malware trojan.


"Staggering incompetence" is indistinguishable from "bad faith." Someone didn't do the most basic of QA:

> Microsoft Defender is detecting the latest version of Tor Browser as malware because it is using a new heuristic detection method that is designed to identify Trojans that use Tor to hide their activity. However, the heuristic method is too broad and also flags the Tor Browser itself as malware.

The lack of consideration for the impact is what makes it bad faith; they clearly didn't care to properly test it, or did and didn't care that they were also flagging the browser itself. I'm sure quite a few people think the Tor browser doesn't have a legitimate use.


How are they supposed to discover every new binary for every application as soon as it is released, correctly classify them as known good, and add them to the QA testing, in a time frame that you would not classify as “incompetence”?

If it’s so easy that only incompetence or malice could explain it, why don’t you go work for them and fix it? I’m sure that people who have spent decades in the field would appreciate your wisdom.


It is the Tor Browser. From the official project. It lives at https://www.torproject.org/download/ - Literally the first thing you get directed to if you go to a search engine and enter something like "download tor".

This fruit could only be lower-hanging if it shipped with Windows.

If they can't be bothered to look for the single most obvious non-malicious use of the thing they are trying to detect, it says very concerning things. Things like "we beta test our file removal tool in production", except "production" is "millions of unwitting people's PCs" rather than some website.


It didn't flag older versions of the browser.


Practically everyone who uses Tor will be running the latest browser for security reasons so they didn’t test the only one that matters.


I think that you are missing something here about how the passage of time works, because you’re dead set on pinning gross incompetence on Microsoft.


Windows collects a lot on users and what users commonly install on their machines. For this specific situation a simple script pulling from Chocolatey and a warning based on a threshold (and additional warning factors based on history) would have given them a failing test for a fairly low amount of effort. This kind of issue should be mostly automated rather than being manually added by QA.


This is hilarious beyond the classic "Dropbox is just NFS" post. You have zero idea what you're talking about.


>If it’s so easy that only incompetence or malice could explain it, why don’t you go work for them and fix it? I’m sure that people who have spent decades in the field would appreciate your wisdom.

Not that poster, but I'll answer your question and challenge happily.

>why don’t you go work for them and fix it?

Because it wouldn't be mine and would never be in any way, and I don't trust those businesses and the executives that end up running them, either as responsible stewards, or fundamentally speaking based on their incentive structure.

>I’m sure that people who have spent decades in the field would appreciate your wisdom.

You mean corporations/orgs, or actually people? The people almost universally do. The corps/orgs on the other hand have liberally demonstrated their appreciation by acquiring the largest shared repositories of code and craftsmanship humanity has hitherto generated, and used that corpus in order to do everything possible to decrease their reliance on hiring people they might have to actually pay, or who might tell them no when they demand someone build something unethical.

So again, comes down to trust. Pretty sure you were setting up a sarcasm burn, but I figured I'd take you at face value, and threw in rendering the elephant in the room.

I know. I'm spouting anathema to the business peeps in the room, but I'm pretty sure the makers in the room know where I'm coming from.


You are doing yourself a great disservice by drawing such strict distinctions between certain groups of people. Business people? Makers? I guarantee you that there are better “makers” than you that also at the very least have an MBA and practice that skill set daily. Your attitude points to you being, frankly, incredibly adversarial in nature, fed by what seems to me like a completely unjustified superiority complex.


Do you personally write utterly perfect code with absolutely no defects or unexpected/unintended consequences on the first try, every single time?


> I am sure that the MS antimalware team is having a bad day and not acting in bad faith.

It is not the first time they do this.


I certainly hope this is a false positive rather than Microsoft considering it malware, since it obviously is not unless you live in some place like North Korea and have the NK secret police's perspective.


flagged, past tense:

https://forum.torproject.org/t/torbrowser-12-5-6-no-longer-f...

"With the latest signature database (1.397.1910.0), tor.exe is no longer considered a trojan by Windows Defender."


Just because the car eventually rolled off the pedestrian, doesn't mean there's no news story.

Reportedly, mass removal of Tor Browser happened, and damage is done: a lot of privacy/security stuff disabled, couldn't be used, some won't be reinstalled, there's extra vulnerability at reinstallation time, etc.

And the demonstration that Microsoft can easily do this is of interest to people who don't want that kind of thing to happen, as well as to people who would like that capability.

Also, this is Microsoft actively removing a competing Web browser (after long ago being put on notice about sneakiness around competing browsers specifically).


Mass removal, but someone aware that it happened can still go in and fetch the EXEs back out of quarantine.

Which would be a good feature request for Defender, make it automatically do that in the event of a legitimate EXE whose detection status changes after it has been quarantined.


This isn't surprising, frankly. AVs have a history of accidentally removing other software. That a browser that does really sketchy things (ie: things malware does) was flagged is not news, it's just an unfortunate bug.

I see no malice here.


The news here is that Microsoft Defender has revealed that they have no adequate release testing process.

Third-party AVs are a crapfest of dark patterns and false positives and resource hogging, if you install one and it does something bad that's kind of on you.

But Windows Defender is built into the OS and enabled by default.

Tor.exe should certainly be in a list of top 1000 common software packages that any tester would want to ensure don't get flagged and quarantined/deleted in a new virus definitions database. An update candidate that went out to a fraction of a percent of installs or to Microsoft's own employees, scanned without taking action, and posted to a dashboard reviewed by the Defender team that a file called "tor.exe" would be flagged if they continued the rollout would have stopped this. I can think of a dozen ways that a testing process would catch this. The fact that it happens proves there's either a lot of incompetence, or malice that was able to subvert a testing process.


You're acting like it's really easy to avoid these problems. Something like TOR has updates over time. Unless TOR pre-submits every patch to MS before every release, there's no guaranteed way to handle it. And something like TOR can change in all sorts of ways between releases.


Or Microsoft could just poll their extremely easy to access download site (https://archive.torproject.org/tor-package-archive/torbrowse...) every hour or two to detect new versions, and then automatically add them to an exclusion list.


OK and then how long for the signature updates to proliferate to clients? This is not an easy problem. Even with your suggested solution:

1. You are up to 1-2 hours behind on every update

2. If your job fails for whatever reason you're now N hours behind until an engineer fixes it.

3. Are you going to write one of these jobs for literally every good binary?

4. What happens if TOR changes any aspect of how it's packaged? Today it's a tar, tomorrow it could be a zip.


A program that interprets (and sometimes compiles and runs, writing executable code into a random memory segment and executing it in place) random files fetched from random network locations. You would definitely say it is malware if you didn't know you were looking at a browser. The behavior of a browser and malware really isn't that much different. I guess there really isn't a good way to know a browser binary is safe without manual intervention.


Not even just "software". Back in 2018 when I still used Windows, Defender one day decided to quarantine a single text file generated by my IRC client from a few years ago, containing a plaintext log of one day's posts in a channel. After some binary search I realized it was tripping on a comment containing a URL, which I guess was to some malware. I was very amused.


> really sketchy things (ie: things malware does)

It depends on how they got here, but if they literally had a heuristic to detect use of tor and didn't think about how it would affect tor.exe then that's really bad.


> And the demonstration that Microsoft can easily do this

Pretty much every platform with hash-based antivirus can do this. It's bad, but so is the fact that Tor on iPhone can't use the same browser engine and privacy patches as Android/Desktop does. The average user is far-removed from caring about their OS vendor's power, apparently.


Lack of caring… perhaps because of complexity of the situation. I would say that most users struggle to comprehend the situation and that anything done to protect them is easily marketed as a good thing. Calling it hash-based anti-virus plays well into this idea. Also, these mechanisms probably do more good than harm (at this point) but certainly have the potential for abuse by the platform owner or maligned actors that somehow seize control of it.


Oh please. No. Most users wouldn’t struggle to comprehend the situation if they actually cared to. Most people are reasonably intelligent in areas that they care about. Accept that most people just don’t care about your hobby horse, and that things you see as grossly unjust, or should I say, potentially grossly unjust, just aren’t cared about.


iOS offers this bargain: you don’t get to configure much, but as a result I’ll know where things are and when it “guesses” what it should do, it will usually be right.

Linux offers the opposite: I’ll just do what you want.

Windows has a fun alternative: you can customize things but I’ll also change things, we’ll handle conflicts by rolling the dice.


I love outrage as much as the next edgelord but a) you can turn off Windows Defender if you don’t like it, b) false positives are a fact of any antivirus program, and c) Microsoft corrected it faster than you could even post. You are failing to make it seem like Microsoft acted in bad faith here. Comparing this to running cars over people is hyperbolic.


> you can turn off Windows Defender if you don’t like it

Please tell me how, good sir. Not replace, not turn off temporarily until the next day or the next restart when it turns on again automatically. Tell me, how do I turn off Windows Defender real time protection in a way that I can turn it on when I need it and turn it off when I don't.

As far as I know, it's not possible without 3rd party tools AND in a way that will persist (even after Windows updates).


Even harder is trying to let it scan downloads but not do real-time protection. Every setting I've tried has failed and excluding drives worries me that it might do too much and hasn't consistently solved the performance either. So I still have to flick the whole thing off every once in a while (and it turns itself back on after a few hours, of course).


I had an interesting evening the other day trying to completely prevent Windows Defender from running. In the end I had to change the name of the defender executable as defined in the registry.


I didn't say it was bad faith.

Responding to the call to flag the post, I gave examples of impact, and why it's newsworthy and the post shouldn't be flagged just because Microsoft stopped the behavior after the damage had been done.


I was saying "flagged" (note the italicization of the last three letters) in comparison to the news article's use of "flags". Of course this HN post should not be flagged, and I agree that a disruptive false positive by first-party AV (which Microsoft only corrected after several days) is newsworthy.


Oh, I'm sorry, my bad.


"this is Microsoft actively removing a competing Web browser" is definitely an allegation implying more bad faith than just Windows Defender had a false positive...


I didn't say they intentionally did it. They were put on notice by top legal authorities, so should try not to even accidentally do things like that again.

That's pre-established as major industry and business news, so it's an additional reason not to flag the post.


Sorry, but even the most well-meaning of people will make mistakes, and it's clear this was an accident with no malice. No need to cast irrelevant aspersions just to grind your personal axe.


I think OP was correcting "flags" to "flagged", not saying the post should be flagged. See the italics.


I thought I removed it but it came back. How do you remove it.. asking for a friend


With Group Policies.


Great unless you happen to be using a Home edition of Windows, which doesn't have the Group Policy Editor.



Thanks for the link, looks interesting.


it is exceptionally difficult to get rid of

turning it off is temporary

if you disable the service it gets re-enabled, if you delete the service it comes back, if you delete the executable it comes back

what does seem to work is removing all permissions to it in safe mode


I hate Windows Defender, every time I roll out an update for our relatively small video game, it often ends up being flagged and removed from our players' computers, we then have to submit the file to Microsoft to get it unflagged. What's funny is that the instructions say to upload an entire package with all the files necessary to run the application, but in my experience I can file for a false positive, upload just the .exe, and get someone to unflag it the next day, it's tiresome.


And then you have to deal with all the other antivirus vendors... it's so tiresome.

See also this helpful list (getting out of date unfortunately): https://github.com/hankhank10/false-positive-malware-reporti...


Or you drop ~800$/yr on an EV codesigning cert to switch your binaries from "malware unless proven otherwise" to "harmless until proven otherwise". It's basically a protection racket.


Cost of doing business in this hell hole of a platform


I'm more worried about the fact that the antivirus industry hasn't gone the way of the dodo due to EDR systems, which emit warnings based on behavioral analysis instead of moving stuff to quarantine just because it happened to see a pattern of bytes in the binary.


I once got my own program falsely detected as a virus while developing it. It was such a bizarre experience: you press "Run" in Visual Studio, it apparently builds successfully but then it can't run because the executable does not exist. Huh?

Anyhow, it turned out that apparently my hand-coded base64-decoder was sufficiently similar to a base64-decoder used in some trojan out there (which was apparently built with the same version of MSVC): removing/sufficiently rewriting my decode_base64 function made the detection go away reliably. So yeah, I believe now that those virus signatures are quite arbitrary in nature.


> just because it happened to see a pattern of bytes in the binary

It’s bizarre. I built an app and it was flagged by numerous AVs, and many of them had a “submit false positive” thing which eventually removed them. There’s no way that involved manual review so I assume bad actors can do the same.

Apparently these misclassifications are extremely common, and affect certain devs more than others. For instance, I had a Go binary which was flagged for a certain Trojan/worm and it was apparently common with other Go projects on GitHub.


Without any knowledge of what they're really doing: automated sandbox analysis is a common tool. They could also be doing reputation analysis of the submitter.


I hate it.

My little hobby projects that I write end up getting flagged by all these ML AV systems and I don't seem to have any recourse against it as a developer.

It causes issues and general confusion for my albeit small community of users.


Such systems are even more useless than hash/pattern matching scanners. I've had CrowdStrike on my machines before and it would've had no qualms with me exposing root-level access over an RPC interface.


Now do sketchy things on that interface and see how long it takes for your SOC to reach out to you.


It would have no qualms but it would send the information to your security team and they might.


That'd be great if hardware vendors didn't use dirty hacks to control their devices. One of my laptops' fan control software still requires an open source kernel driver that someone else once used to set up a bootkit in EFI, so now I have to run with the vulnerable driver blocklist off forever.


I've yet to try an ML based security solution (antivirus, cloud security scanner, etc...) that isn't a false positive machine gun.


That's pure marketing fluff, just like the difference between antivirus and EDR.

Heuristic detection has been a thing for literally decades, and cloud-based antivirus which uses aggregate detection has been around for almost as long. It's notable that NIST does not seem to distinguish between these and just lumps them under endpoint protection.


Windows Defender classifies some of our in-house tools as viruses, because we built them into single-file exes using Nuitka.


Not saying this is the case here, but in the hands of dictatorial regimes, systems like Microsoft Defender, Play Protect, Gatekeeper, etc, can be used to expose and silence critics, dissidents, and persecuted groups.

A corporate-enforced inscrutable system that uses cryptography and OCSP to potentially remotely approve and deny what users run on their machines would be coveted by leaders who want to crack down on their constituents.


Had a lovely experience with this a few months ago. I built a little WPF GUI as an internal tool for my company. Literally all it does is read some data from an XML file and squirt some bytes out of a serial port. I zip up a build and send it over to the production team and windows refuses to open it. It absolutely insists it's a Trojan or something. Fortunately there's an option to ignore Defender and keep doing our jobs.

I submitted the build to Microsoft for verification and it reports totally clean. Gee, thanks.

We also get Defender warnings for anything that isn't signed. We also get Defender warnings for things that are signed. Apparently we have to pay an extra couple hundred dollars a month for the "real" signing certificate. The one we already pay for apparently isn't secure enough to disable Defender warnings?

Sounds like an absolute racket to me


There are some sandbox detections on VT as well FWIW. [1] Some companies pay to ingest data from VT. MS probably had to override the findings in Defender.

[1] - https://www.virustotal.com/gui/file/88c33af6f1963eb94683be1f...


Yesterday I helped in an 'investigation' of why a remote WinSvr2012R2 VM with a public IPv4 no longer allows logging in.

To no one's surprise it was hacked, but what was quite amusing is what the hacker wannabe installed... RDPGuard to protect 'his' machine from other hacker wannabees.

Also years ago mIRC was a popular component of the Windows 'rootkits' because it has control and communications built-in.

Yes, Tor is used by malware to securely communicate so it's no wonder it can trigger AV. Refer to [0] for details.

[0] https://news.ycombinator.com/item?id=37740584


I use Windows 11 on all my computers here, and run the Tor browser on my desktop and my laptop, and haven't seen this. In fact, I ran the Tor browser just this morning.

I think this was, at worst, a temporary issue that was resolved.


The issue of MDE EP2 is that they roll-out signature-based definitions to all fleets of all customers with what appears to be insufficient testing.

This led to a situation where it decided to delete all of the shortcuts to apps, leading end users to believe all of their apps were removed.

If there is malware on a machine, it's already compromised and needs to be reimaged rather than selectively, haphazardly repaired through so-called "remediations". There should be no malware on a machine to begin with by disallowing running random software from untrusted sources. Signature-based anti-malware is a last line of defense, reactive security often unable to prevent a machine from being compromised as it already happened.

Another issue is that only a fraction of malware ever has signatures for them by either being too new or not widely seen.

A final problem is mis-categorizing things as "malware" when they do no harm but do things certain factions of people don't like: remote control, recover passwords, and pirate keygens.


Somewhat relatedly:

About 2 months ago, Microsoft Defender's Enterprise web filter started blocking all requests to the Brave browser domain including their search.

I've brought this up in a couple places and I've only gotten vague responses about how Brave supposedly had "malware" a couple years ago. That still does little to explain the recent addition to the blocklist, however.


Alternative source: https://www.hackread.com/microsoft-defender-tor-browser-win3...

> Microsoft Defender is detecting the latest version of Tor Browser as malware because it is using a new heuristic detection method that is designed to identify Trojans that use Tor to hide their activity. However, the heuristic method is too broad and also flags the Tor Browser itself as malware.

TLDR: Microsoft Defender is identifying any app trying to connect over Tor. The idea is malware sometimes uses the Tor network to phone home, so detecting that would be a signal of potential malware.

Obviously a false positive for the Tor Browser itself.


We use Delphi at work, and virus/malware scanners flagging every Delphi exe as a threat is something that has plagued Delphi for over 20 years.

Yes malware was written in Delphi for much the same reasons regular programs were[1], but had low enough exposure that none of the major scanner developers bothered including reference exe's to avoid flagging harmless run-time library code.

[1]: https://en.wikipedia.org/wiki/Rapid_application_development


In short, "antivirus doing what antivirus has always done". Always set your AV to quarantine rather than blindly deleting data with potential infections, and review what it does, when it does it, so you can say "no, you will put this back" and report the false positive (if your AV solution doesn't auto-submit that because it can, and it should).


That's the problem with Windows Defender - Microsoft has basically removed the ability for a normal user to configure it to quarantine instead of auto-remediate (delete).

After I caught Windows Defender uploading my places.sqlite in my FF profile "for analysis", I permanently disabled automatic sample submission, auto-remediation, etc via group policies.

I still won't use any other AV though because they are generally even worse about making decisions without user input and don't respect group policies at all unless you are an actual enterprise customer.


It's been a while since I had to deal with Defender but IIRC the "put this back" option doesn't really work. It would regularly forget exceptions and quarantine binaries again.


Yeah, exactly. This almost certainly isn't malicious, simply incompetence.

I used to work on a remote IT administration product. To be completely fair, it is a foreign systems component that updated over the Internet with a goofy looking binary if you're expecting MSVC to build everything, since that code was written in Go.

On the other hand, it was signed properly, and the AV vendors couldn't give two shits about not flagging it despite their customers loudly complaining. It was really rough because when AV would flag this component, IT in a lot of cases couldn't get back in to mend the pieces left.


This is what happens when Microsoft's detections team is under pressure to constantly deliver new detections: they will just ship whatever, without careful evaluation of FP/TP and broader impact.


This is what's happened over and over and over, for decades, every time an AV company switched to a new heuristic engine. It has nothing to do with Microsoft being under pressure, this is literally what to expect from AV solutions on the regular. More folks knew this back when AV wasn't tightly integrated into Windows and we all ran at least two different AV applications all the time, but the "a new version is going to flag things it shouldn't" behaviour has been a given for coming up to 50 years now =)

(Which is why you set your AV to quarantine, not delete items, so you can overrule it immediately, make it put the data it flagged back where it belongs, and send a false positive report so the next update, which can be as soon as the next day, won't repeat the mistake)


I just wish we told/heard more stories about antivirus being useful. As it stands, anti-malware sounds like the worst malware on the planet.


It absolutely helps the malware magnets that manage to download malware daily and visit watering holes / phishing sites on a regular basis. There are better ways to block malware, but they are higher friction and the majority of cautious people would find them too intrusive, such as preventing downloads unless a file is in a pre-approved hash table, which is a thing I've had companies try to convince me we needed.


I suspect that the #1 benefit of antivirus is that it makes success, especially more-than-shortlived success, far more difficult for Team Evil.

(Yes, obviously it would be difficult at best to quantify that benefit.)


So go looking for it. Good news doesn't make the news, it makes people's blogs. Go google for folks talking about how they didn't get their entire network crypto-locked with bitcoin ransoms because their AV did its job.

The stories are out there, they're just not delivered to your doorstep because there's no sensationalism in them with which to sell clicks and ad impressions.


AV at its best prevents script kiddies. It is ridiculously easy to bypass an AV. However, most organizations rely on EDRs, not AVs.


AVs help prevent malware from scaling. Sure, you can bypass an AV to hack O(10) people, but can you bypass it to hack O(1000000) people?


The scaling problem isn't that hard with traditional signature-based AV; the upfront work is largely the same regardless of the scale of infection.

You just keep updating your obfuscator/packer tool and constantly deploy new, undetected binaries.

There’s online “crypter” services which are quite cheap that will do this for you - give you a constant stream of new, unique, undetected versions of your malware executable.

AV is basically very good at blocking yesterday's threats - the shit it knows about.

Professional blackhats just factor constant evasion into their operating costs (which include other costs like new C&C domains, VPSs, buying traffic for installs, etc.) anyway.


It's not hard, it just adds cost.

If the cost is more than the reward, we get less malware. This is good.


Yes, I feel one thing that often gets overlooked is MS Defender having more or less replaced the need for AVs for most people with a 'free' AV that works well (relative to other previous options) and doesn't saddle the system with all sorts of adware.

A few months ago I did some maintenance on my Dad's old laptop, found it was running one of the old spammy AVs which feel the need to install browser addons and tons of other garbage. The AV was bogging down the system hard, uninstalling it helped a lot, but then a few days later it came back begging you to reinstall it. That one left me baffled as to how anyone thought that wasn't blatant malware-style behavior intending to bypass maintenance to dupe people who are less caught up on the state of computing.


I would not want my 90 year old mother, or my technically incompetent 64 year old brother, to not have an antivirus on their computers, even if it occasionally makes mistakes.


Tried to give Windows 10 a shot a year or two ago, but quickly went back to Linux because my dev env was much slower, because Defender constantly scans everything.


Also because NTFS is just... slow.


NTFS isn't especially slow, the Windows filesystem layer as a whole is slow. All those layers of abstraction that allow for things like automatic security scanning of opened files don't come cheap.


Fun fact: NTFS on C: is extra slow.

A Python script creating 10000 empty files takes 1.2s on C:, but only 0.5s on D:. Both are NTFS partitions on the same SSD, both partitions are using the default settings. (but the defaults differ: on the system drive Windows enables compatibility features such as 8dot3names, on additional partitions it does not)
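A way to reproduce that measurement on your own volumes, added here and not taken from the comment above: create N empty files in a fresh directory under each root, report the elapsed time, and clean up. The roots are parameters (writing directly under C:\ needs elevation, so the first call uses the user's temp directory on the system volume); the presence of a D: volume is an assumption. The optional Defender exclusion separates the filesystem cost from the real-time scanning cost the sub-thread is arguing about.

```powershell
function Measure-FileCreate {
    param(
        [Parameter(Mandatory)] [string]$Root,
        [int]$Count = 10000,
        [switch]$ExcludeFromDefender   # needs an elevated prompt; isolates FS cost from AV cost
    )
    $dir = Join-Path $Root ('fscreate-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    if ($ExcludeFromDefender) { Add-MpPreference -ExclusionPath $dir }
    try {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        for ($i = 0; $i -lt $Count; $i++) {
            # Direct .NET call rather than New-Item, so cmdlet overhead stays out of the number.
            [System.IO.File]::Create((Join-Path $dir "f$i")).Dispose()
        }
        $sw.Stop()
        [pscustomobject]@{
            Root    = $Root
            Files   = $Count
            Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 3)
        }
    } finally {
        Remove-Item -LiteralPath $dir -Recurse -Force
        if ($ExcludeFromDefender) { Remove-MpPreference -ExclusionPath $dir }
    }
}

Measure-FileCreate -Root $env:TEMP     # system volume, user-writable
Measure-FileCreate -Root 'D:\'         # second NTFS volume (assumed to exist)

# Check whether the 8.3 short-name compatibility feature is on per volume (elevated prompt).
# Volume state 0 = 8dot3 creation enabled, 1 = disabled.
fsutil 8dot3name query C:
fsutil 8dot3name query D:
# To turn it off on a volume (does not remove short names already on disk):
# fsutil 8dot3name set C: 1
```

Run each measurement a few times; the first pass on a directory pays for metadata allocation and the numbers only settle after that. If the gap between the two volumes disappears when -ExcludeFromDefender is set, the cost was the filter driver path, not NTFS.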



You could have just disabled scanning of your dev env or disabled Defender completely.


> Windows users [...] for those wanting to ensure their online privacy.

There's a bigger problem, right there.

Tor Browser running on especially untrustworthy platforms should warn the user.


Online privacy is not an absolute and I wish we'd start threat modeling instead of mindlessly calling entire platforms compromised.


I said "especially" because all the platforms have weaknesses, but some of the platforms are worse than others.


It'd be great if more enduser software recognized Windows as a trojan and removed it.


I find this amusingly coincidental the same week that I have been fighting with Microsoft Windows Defender suddenly flagging all installers made by Caphyon's Advanced Installer as trojans.


Is there an estimate of what share of users was affected? I.e. how long the mistaken heuristic was enabled compared to how often Defender checks for heuristic updates?


Well, it is the _Microsoft_ defender after all, not the _user_ defender, isn't it?


Also, it's still not possible to just download Firefox and install without getting a "something went wrong, start over" sort of message in Windows 11, forcing you to install from their store, so they can kill it at anytime with their "oopsie" switch. How is Microsoft not being sued for that?


I have never experienced this installing Firefox. To double check I downloaded Firefox from getfirefox.com and installed it on a Windows 11 machine after reading your comment. It installed without issue.


I'm running Firefox on multiple Windows 11 installs (both at home and work), and never installed it from the store. Latest one fresh a few weeks ago using an account that hasn't had Win11 before.

Are there other things affected by this?


I'm not sure that's true, generally. I've set up Win11 several times in the past few months. My first step is always to run Edge and use that to search for and download Firefox, and I've never had problems.


I've never seen that happen. Are you sure that is a common experience?


I will admit that my go to is ninite as my only visit on edge but never had an issue installing Firefox.


It is surprising to see that people are still into Windows.



