This post is more than 5 years old
11 Posts
0
5542
Windows Defender.
Hi guys. I am back, at least with one more 5 in my user ID.
Joe since you used Win Def. I think these questions are for you. Anyone feel free to answer them too.
I have been trying out Win Def for the past month or so since my Spy Sweeper license expired. Now I have a few thing I could not find in the help guide.
1.) What is the "Default Actions" for alerts? I can pick from Ignore, Remove, or Quarantine, but nowhere I can set it to ASK and that is what I would like to have.
2.) I have in "Software Explorer" several programs as "Not Yet Classified", even Win Patrol that is a known program is not recognized. Is this normal? When does Win Def reclassify them as "Permited", the other only classification I have for the programs running in my PC?
3.) What about Microsoft SpyNet? Is it a good idea to join it? I joined the advanced membership, and I have not received the first alert yet or nothing. Not even when I used one of my programs that are not "yet Classified" so I do not get it.
Thank you in advanced.
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
1
May 28th, 2011 14:00
Hernan,
I'm writing this from (and checking things out) on a WinXP SP3 version of Defender... I believe some options might be different on Vista and/or WIn7 --- so keep this in mind.
1) You can simply leave the High/Medium/Low Alert items on "Default action (definition-based)". These determine what you want Defender to SUGGEST to you in its DISPLAY (aka "ASK") "when items with these alert levels are detected".
Trying to be more precise, Defender will indeed ASK you what you want it to do when it finds "questionable" items. While ASKING you, it will also offer its SUGGESTION about how it believes you should proceed. You can then accept its suggestion, or choose to override it.
For HIGH RISK items, it will suggest you remove the item immediately.
For MEDIUM RISK items, "Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software".
For LOW RISK items, "This software is typically benign when it runs on your computer, unless it was installed without your knowledge. If you're not sure whether to allow it, review the alert details or check to see if you recognize and trust the publisher of the software".
By changing from "Default action (definition-based)" to any of the alternative choices (Ignore/Remove/Quarantine), that should only affect the SUGGESTION that Defender will offer you when it ASKS. As an extreme (BAD) example, if you set HIGH RISK items to "Ignore", then upon finding a high risk item, rather than suggesting you delete (or at the very least, quarantine) it, it will instead follow your instructions, and only suggest you ignore it.
So I have... and suggest you... simply allow it to display the defaults... for what it suggests you do.
Note: If you have enabled the automatic scan option, I would UNcheck the box marked "Apply default actions to items detected during a scan". Leaving it checked would have it automatically remove a "high risk" item --- even if it later turns out to be a F/P. By UNchecking, it will display the item, with its "recommendation" that you remove it --- but allowing YOU the ultimate decision as to how to proceed (e.g., you can ignore it if you believe it's an F/P, until you have time to investigate and confirm your suspicions).
2) Yes, UNfortunately, it is NORMAL for Defender to classify some "well-known" programs, including WinPatrol, as "Not yet classified". It's been doing that for as long as I remember, and so I don't expect things to change at this point. On my system, the following are also "not yet classified":
Cyberlink PowerCinema DVD Launcher
two of my Intel Wireless-Adapter applications
a 3rd-party time-clock synchronization
And "Adobe Reader's Speed Launcher" is classified as "in progress" ---- whatever THAT means!
Bottom line, it's normal. Nothing to do, nothing to worry about.
3) for SpyNet, yes, I would join it at the advanced level. By doing so, you're giving Microsoft permission to learn about the spyware problems (if any) encountered on your computer. Consequently, they are maintaining the largest such database in the world. Unfortunately, I have never seen an update notice from them... and can't possibly explain why they haven't classified a program as popular as WinPatrol. regardless, I'm willing to share such information with them.
See more here: http://en.community.dell.com/support-forums/virus-spyware/f/3522/p/19168512/19291498.aspx#19291498
In particular, I'm quoting Joe53's entry there:
One benefit of joining SpyNet is that knowing how other Windows Defender users chose to respond to a program may help you decide how to do so. It can also provide Microsoft with useful data that can improve the software.
I must confess I too was initially reluctant to use SpyNet, because of privacy concerns. I saw this from Bill Castner, whose advice I've always trusted:
"Defender benefits from the feedback of 100s of millions of computers: scanned monthly by the Malicious Software Removal Tool (MSRT) (700 million every Month), by OneCare installations, and by Forefront installations, as well as others running Windows Defender (~ 35 million computers) who participate in SpyNet. This means that alone of the anti-malware utilities, Windows Defender has the largest base of actual incident as well as heuristically determined anomalies on which to develop its definition and other updates. There is not a competitive product that can match the reporting base of Defender."
============================
For more information on Defender, see http://naut.homestead.com/files/Free/castner.html
Iroc95555
11 Posts
0
May 28th, 2011 15:00
:emotion-2:He, he, he:emotion-2:
For a moment there I thought my new account was bocthed also. Huis It was me. I forgot to add the last 5 to my user:emotion-4:
David. I run XP Pro Spk3, sorry I have not done my sig yet.
Ok I read in the help guide what the alert categories meant, but it did not say what the default action did. So I will leave them like you said. Default (ASK). I did unchecked apply default for the scan. I do not like to quarantine anything before I have time to find out what it is, much less to remove it.
It is wierd to have well known programs classify as unknown. In progress means that Win Def is still looking for it. Given time (few seconds) Win Def will permit them or just tell you that they are not yet classified, well at least in my PC and my programs.
Programs not yet classified in my machine:
Tripp Lite Power Alert.
My Creative software and even my Sigmatel Audio driver
a bunch of host processes win32
and believe it or not Explorer.exe:emotion-7:
Me too had some thoughts about joining SpyNet, but since it is Microsoft and I am using a Microsoft OS what the heck. It is like the surgeon who operated in you and then you are going to be ashamed if he sees you nake it.
Thank you David and have a great weekend. It is Indy 500 tomorrow, isn´t it.
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
May 28th, 2011 16:00
Yes, tomorrow is the Indy 500. Depending on what else I'm doing at the time, I may or may not watch (parts of) it. But I do hope to hear Jim Nabors singing "Back Home Again In Indiana" (assuming he's healthy enough to be there).