dang
9 hours ago
Discussed at the time:
Microsoft didn’t sandbox Windows Defender, so I did - https://news.ycombinator.com/item?id=14909759 - Aug 2017 (43 comments)
Microsoft didn't sandbox Windows Defender, so I did (2017)
54 pointsposted 12 hours ago
by LorenDB29 Comments
Animats
8 hours ago
So did Microsoft ever fix this?
Hostile code scanners need to look at a lot, but they don't need permission to write much. If sandboxed that way, attacks aimed at the code scanner don't do much.
seanw444
8 hours ago
I just sandbox Windows itself. My only complaint is that I can't play some online games.
Eisenstein
10 hours ago
Now please tell me how to remove Defender.
andrewxdiamond
9 hours ago
I have to ask what motivates that. Defender has been extremely unproblematic and pretty good as far as MS software goes, for my experience at least.
maccard
8 hours ago
I see about a 100x slowdown on some applications[0] and IO heavy operations with defender in win11. It's unbelieveable how slow it is. I was a huge proponent of it in Win10, but I'm finding it hard to do so now.
[0] The software I'm using does a scan over a few hundred thousand files to read file headers. Without windows defender it takes about 30 seconds, but with defender it takes about 300.
voidwtf
6 hours ago
The answer in this scenario is to exempt that application and/or folder. Don’t throw the baby out with the bath water.
In my environment we have to add exceptions for Developers git folders for the realtime scanning for a similar reason. Apps with large numbers of small files or high frequency writes of smalls files, like temp files during the build process, need to be exempted unless you’re willing to pay the performance penalty for the security.
mananaysiempre
7 hours ago
That’s 10× though, not 100× (still a lot for something you can’t turn off). Typo?
Eisenstein
9 hours ago
It adds a non trivial amount of time for each file access.
tredre3
9 hours ago
Defender slows down build times significantly.
You can set exclusions of course, but it does get tedious because every time you have a new project you need to add exclusions for its folder and the toolchain. Then every time a toolchain is updated (eg .../gcc/11.5 changes to gcc/11.5.2 you have to enter the 20 new exe exclusions and of course windows won't let you mass delete the old ones so it's click->confirm->click->confirm x50).
I might not do it myself but I can see why someone would just say "enough is enough".
gtsteve
8 hours ago
You can use the powershell command Add-MPPreference -ExclusionPath[0] and ship a script with your app if you want. I do the same for Terraform providers - whenever a new version comes out, for a time the process can be randomly killed as I suppose a process that spawns a child process that starts talking to lots of endpoints looks somewhat suspicious.
[0] https://learn.microsoft.com/en-us/powershell/module/defender...
RockRobotRock
3 hours ago
JetBrains does it for you with one click when you create a new project.
felipelemos
9 hours ago
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
andyayers
8 hours ago
Or https://learn.microsoft.com/en-us/defender-endpoint/microsof...
(DevDrive + Defender's "performance mode")
hulitu
15 minutes ago
Boot into linux, rename defender folders.
xeeeeeeeeeeenu
9 hours ago
You can reliably disable it with Group Policy Editor. At least on Win10, not sure about Win11.
mananaysiempre
7 hours ago
On Win11, it reenables itself after a short while using a system service, in true Robin Hood & Friar Tuck malware[1] fashion.
hulitu
13 minutes ago
> You can reliably disable it with Group Policy Editor.
It does not work. You can disable _some things_ , but not the whole.
Kye
7 hours ago
That's only available on Pro.
crazysim
7 hours ago
https://gist.github.com/lelegard/8da0b20cc35708852c14fcf8996...
Just run
Get-ChildItem @( "C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package.mum", "C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package.mum" ) | ForEach-Object { dism.exe /online /norestart /add-package:"$_" }
nyanpasu64
10 hours ago
I've gotten it to work on Windows 10 by booting into live Linux and renaming the Windows Defender folder in Program Files. No clue if it would work on 11.
0cf8612b2e1e
8 hours ago
I am surprised that ever worked. I was confident Win10 did verification that system files were in place and matched a hash or some other integrity mechanism.
userbinator
6 hours ago
You can ask it to with things like SFC but fortunately it's not that locked-down yet... and of course you can always patch those checks out if the OS itself isn't running to interfere with you.
MengerSponge
9 hours ago
"Erase disk and install Ubuntu"
https://ubuntu.com/tutorials/install-ubuntu-desktop#6-type-o...
CoastalCoder
9 hours ago
And then Clippy sneaks up behind you, and whispers menacingly in your ear, "It looks like you're installing an operating system."
IntelMiner
9 hours ago
Removing core parts of Windows is not a good idea
efilife
8 hours ago
I use a custom windows build with defender removed, you can find them on any windows modding site
spikej
6 hours ago
The safer option is to build your own install media using an unattend file. Here's an unattend file generator https://schneegans.de/windows/unattend-generator/
efilife
6 hours ago
wow, I had no idea this exists. thank you very much