• Patch Lady – Defender not having a good week

    #2288479

    So the other day we had folks reporting issues with Defender and Western Digital drivers. Today Citrix Broker service was flagged as malicious and wel
    [See the full post at: Patch Lady – Defender not having a good week]

    Susan Bradley Patch Lady/Prudent patcher

    4 users thanked author for this post.
    • #2288535

      In addition to the issue reported here, MS Security Essentials recently (ca. July 28) began to quarantine the MVPS HOSTS file and other customized HOSTS files derived from MVPS HOSTS. Perhaps because about half of my 27 endpoints on my home network had been using MS’s Security Essentials w/o issue for years, either I did not configure more verbose warnings or could set and forget, but it was not until I saw strange behavior for expected HOSTS file changes and nothing happened that I looked farther and found ALL of my customized files had been silently removed, then unable to edit. I had to painfully, on each endpoint, allow this file by wildcard, which I hated doing, punching holes in a security layer, but I’d rather have the HOSTS file under MY control containing what I want instead of MS. Of course I also use DNS blackholing but like the belt and suspenders, especially for portable endpoints not always on my DNS. On one hand, good for MS doing some recon on modified HOSTS files, which could be a result of malicious actors, but bad because this changed what was in my experience years of consistent behavior, and did so w/o any notification unless you looked on each asset for what was in quarantine AFTER the fact and unexpected behavior resulted. Taking several rounds of 20 questions to “allow” but still finding the HOSTS file on some endpoints again quarantined, and finally resorting to wildcarding the file, finished off making the decision to dump MS Security Essentials on those computers where it had previously not caused problems.

      With over 20 years’ experience in a scientific computing environment managing thousands of Windows computers for scientific work on a government network, and also on my home network now that I am retired, consistent computing platforms that can be predictably managed support the mission. Inconsistent behavior, especially because of unannounced/untested changes made by the OS (or other software) vendor and even back-doored in, does the bad guys’ work for them and breaks things. Disgusted with this mess and glad to be retired, but more than a little annoyed the shell game continues. Stop it!

      3 users thanked author for this post.
    • #2288593

      It looks like both bugs have been patched with Antivirus Definition 1.321.1341.0 and platform 4.18.2008.4 (is it out yet?) but man alive… who in the world is testing this stuff?

      • #2288624

        … who in the world is testing this stuff?

        How would you propose that Microsoft (or anyone, for that matter) check patch/update compatibility for the myriad combinations of hardware and software complicated by platform fragmentation caused by selective patching?

        Pondering the permutations/combinations alone would make one’s head swim. Trying to simulate all of them, even with VMs, …

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        • #2288658

          That is the purpose of alpha and beta testing by Microsoft’s groupies.

    • #2288617

      Glad I’ve kept my newest laptop (Windows 10 1909/Home) offline, even though updates are set to pause until Sept 2020 on that laptop. Windows Defender still gets its updates regardless, and my laptop is using a WD M.2/NVM, but I’m reading that it’s WD external drive related.

      So how manageable is Defender’s updating, for maybe switching that to manual only if any issues pop up that need to be avoided? I’m just going to use the backup laptops (Mint 19.3) online, as that’s what I use for daily internet anyway, and keep the newest laptop’s wear and tear to a minimum unless needed. I’ve got to get that WD M.2/NVM replaced with a Samsung variant that has more capacity, as the WD M.2/NVM appears to have had some unrelated issues with Linux as well, and I’m getting ready to do a 10/Mint dual boot configuration shortly on the new laptop.

    • #2288670

      Antimalware Client Version: 4.18.2007.8
      Engine Version: 1.1.17300.4
      Antivirus Version: 1.321.1402.0
      Antispyware Version: 1.321.1402.0

      No Windows Defender errors.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2288749

      Same as geekdom here (Win10Pro v1909 x64 Build 18363.959 (Baseline) / 18363.1016 (Beta Testing)),

      Antimalware Client Version: 4.18.2007.8
      Engine Version: 1.1.17300.4
      Antivirus Version: 1.321.1424.0
      Antispyware Version: 1.321.1424.0

      No Windows Defender errors.

      That new 4.18.2008.4 platform that Susan and others are talking about is likely a BETA being pushed through whatever preview/fast ring/insider initiatives are currently happening. It may or may not be the next engine to supersede the current one (4.18.2007.8).

      IMHO, hacking the Registry (by adding a few REG_DWORD keys) to “flag” the system as a candidate to automatically get a BETA engine to auto-install might not be the smartest move. I would just wait a few more days… When the next engine is “ready” it will be made available through the Catalog, at the usual location:
      https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623

      Ironically, the supporting KB article at
      https://support.microsoft.com/en-us/help/4052623
      is also slightly behind: it is still referring to the previous engine (4.18.2005.5, made available at the Catalog on June 3rd, 2020).

      Regarding Redmond’s decision to begin flagging some customized HOSTS files as “malicious”, one may work around the “issue” by manually defining an explicit exclusion rule:
      WindowsDefender-hosts_exclusionRule
      (it may also be viable to do that for multiple endpoints, through a script that ‘reg add’s the rule, although it is a bit tricky as it involves dealing with ownership and permissions, etc.)

      Note however that, because this rule would also allow malware to silently add malicious entries as well, the HOSTS file should always be closely monitored for any unexpected changes.
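One way to make the monitoring this reply calls for concrete (an added example, not code from the thread or from Microsoft): a PowerShell script that stores a baseline of the HOSTS file and reports added, removed or non-local entries; the baseline path is an assumption, and the exclusion is shown via Defender's own Add-MpPreference cmdlet rather than the registry edit mentioned above.

```powershell
# Added example: baseline the HOSTS file and report unexpected changes, so that
# a Defender exclusion for it does not leave silent edits unnoticed. Run elevated.
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BaselinePath = Join-Path $env:ProgramData 'hosts-baseline.json'   # assumed location

# The exclusion the reply describes, via the Defender cmdlet instead of 'reg add':
#   Add-MpPreference -ExclusionPath $HostsPath

function Get-HostsEntries {
    param([string]$Path)
    # Normalise: strip comments/blank lines, emit one "ip<TAB>name" line per mapping
    Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { ($_ -split '#')[0].Trim() } |
        Where-Object { $_ } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            foreach ($name in ($parts | Select-Object -Skip 1)) {
                "$($parts[0])`t$($name.ToLower())"
            }
        } | Sort-Object -Unique
}

function Save-HostsBaseline {
    # Record hash and normalised entries; run once after verifying the file by hand
    [pscustomobject]@{
        Sha256  = (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
        Entries = @(Get-HostsEntries -Path $HostsPath)
        Saved   = (Get-Date).ToString('o')
    } | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Compare-HostsToBaseline {
    # Cheap check first: identical hash means nothing to report
    $base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    if ((Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash -eq $base.Sha256) {
        Write-Output 'HOSTS unchanged since baseline'; return
    }
    $current = @(Get-HostsEntries -Path $HostsPath)
    foreach ($d in Compare-Object -ReferenceObject @($base.Entries) -DifferenceObject $current) {
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output "$tag $($d.InputObject)"
    }
    # Mappings to anything other than loopback/blackhole addresses deserve a close look
    $current | Where-Object { ($_ -split "`t")[0] -notin '0.0.0.0', '127.0.0.1', '::1' } |
        ForEach-Object { Write-Warning "Non-local mapping present: $_" }
}

# Save-HostsBaseline            # once, after reviewing the file
# Compare-HostsToBaseline       # then on a schedule (e.g. a scheduled task)
```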
