Okay, okay. The headlines floating around don’t say that, but I think “Defender to block malware” accurately describes Microsoft’s promised next step
[See the full post at: Windows Defender will start blocking and removing malware]
Windows Defender will start blocking and removing malware
- This topic has 63 replies, 26 voices, and was last updated 7 years, 2 months ago.
radosuaf
AskWoody Lounger
January 31, 2018 at 5:59 am #163403
It means Win 8.1 & Win 10, right?
Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider
3 users thanked author for this post.
-
wdburt1
AskWoody Plus -
Noel Carboni
AskWoody_MVP
January 31, 2018 at 6:46 am #163413
Sounds nice at first blush, but…
What if Microsoft were to use these “new rules” to classify legitimate trialware as malware?
Could something like the following be considered to be a “coercive message”?
Warning, your trial period is almost up. In order to continue using this software, please purchase a license.
I’m not accusing Microsoft of anything here, because I don’t know at all what’s up with this particular initiative other than what I’ve read here just now, but when I consider Microsoft’s motives with a skeptical mind I always wonder what they’re really trying to accomplish…
-Noel
-
geekdom
AskWoody_MVP
January 31, 2018 at 7:01 am #163417
What happens when Defender “eats” virus checker? (There is only one true virus checker syndrome.)
What happens to ancient in-computer-years unsigned and valid software?
Will offending software be blocked from running or removed from the computer?
On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
-
PKCano
Manager
January 31, 2018 at 6:56 am #163416
This sounds good. How many times I’ve cleaned those types of programs from “Joe User’s” computer because he doesn’t know not to pay/install them! It would certainly be to the average User’s advantage to have them blocked or automatically removed.
But I have to take this behavior with a bit of caution too.
Microsoft has already overstepped its bounds with the SmartScreen Filter on the desktop which tries to prevent you from installing legitimate programs it doesn’t recognize/like. (example, the MeetControl software I use for scoring diving meets and running the Daktronics scoreboard). How long before it starts removing any program it hasn’t “approved?”
-
Noel Carboni
AskWoody_MVP
January 31, 2018 at 12:12 pm #163480
-
Bill C.
AskWoody Plus
January 31, 2018 at 5:03 pm #163591
My exact thoughts.
I wonder if during the infamous GWX incident, the GWX Control Panel and Never 10 would have been approved by the MS Overlords. In fact I wonder if the GWX applet itself would run afoul of the new ‘rules’.
Inquiring minds want to know…
-
Microfix
AskWoody MVP
b
AskWoody_MVP
February 3, 2018 at 12:29 pm #164366
Microsoft has already overstepped its bounds with the SmartScreen Filter on the desktop which tries to prevent you from installing legitimate programs it doesn’t recognize/like.
SmartScreen never totally blocks downloading or running an unknown file. There’s always a bypass method, without disabling SmartScreen, if you know how (unless disabled by an Administrator):
How to bypass SmartScreen filter and download files in IE or Edge
Windows SmartScreen filter warning messages explained
Prevent bypassing of SmartScreen filter warnings in IE or Edge browser
-
PKCano
Manager
February 3, 2018 at 12:37 pm #164367
Microsoft has already overstepped its bounds with the SmartScreen Filter on the desktop which tries to prevent you from installing legitimate programs it doesn’t recognize/like.
What does IE or Edge have to do with installing desktop programs?
-
b
AskWoody_MVP
February 4, 2018 at 2:26 pm #164645
Microsoft has already overstepped its bounds with the SmartScreen Filter on the desktop which tries to prevent you from installing legitimate programs it doesn’t recognize/like.
What does IE or Edge have to do with installing desktop programs?
Elsewhere in this thread you said that you had turned off SmartScreen Filter long ago in Win7. And Win7 only has SmartScreen in IE. If you’re only talking about Windows SmartScreen (in an OS you don’t use?) then it’s even easier; just click More Info then Run Anyway. It’s been that way for more than five years: Windows SmartScreen
-
PKCano
Manager
-
-
WildBill
AskWoody Plus
January 31, 2018 at 8:29 am #163434
Credit to Lawrence Abrams & Martin Brinkmann for reporting about this Defender change, as well as Woody for passing it on. Credit also to MVP’s for showing skepticism, as Microsoft rarely does things out of the goodness of their corporate ‘heart’.
Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...
4 users thanked author for this post.
anonymous
Guest
January 31, 2018 at 9:10 am #163437
Symantec did something similar to me, some years ago when I was a professional developer doing work for one particular client: Norton suddenly took a dislike to my compiled/linked executables (old-style desktop applications) for a reason which they described as “embedded keylogger”. I disputed that. They pointed out that I (and my customer, who did trust me) could mark the installation directory as “approved”. But I could only get the product into the installation directory if Norton hadn’t already deleted the test version from its place in the development tree. GRRR. Alternatively I could submit my product to Norton for whitelisting — but my product might go through several versions in a short space of time (because the user requirement changed so frequently), and I might anticipate that Norton’s procedures wouldn’t keep up with my customer’s requirements. GRRR. Solution: a different AV on my machine, and the customer’s installation directory flagged “approved” in Norton terms. But several more hoops for me and my customer to jump through.
HMcF.
Cybertooth
AskWoody Plus
January 31, 2018 at 10:47 am #163458
Quoted from Microsoft by Martin Brinkmann (boldfacing added):
Software that coerces users may display the following characteristics, among others:
Reports errors in an exaggerated or alarming manner about the user’s system and requires the user to pay for fixing the errors or issues monetarily or by performing other actions such as taking a survey, downloading a file, signing up for a newsletter, etc.
Hmmm…
The other day I had to set a friend’s Windows 10 PC to an earlier restore point because it would not boot back up after installing Windows Updates. (The screen never got past the circling dots on the splash screen.) After System Restore at long last got things straightened out (took almost half an hour!), the OS booted up — and Windows Update was warning in red type that he needed to download the same updates in order to keep his PC “secure.”
So, does that count as coercing users?
Geo
AskWoody Plus
ChuckR
AskWoody Lounger
January 31, 2018 at 11:41 am #163471
-
PKCano
Manager -
anonymous
Guest
January 31, 2018 at 1:34 pm #163510
ChuckR said:
I currently have Windows 7 […] Would it be of any benefit to replace Security Essentials with Defender, If I can?
The version of Win Defender on Win 7 is limited in functionality. It only protects against spyware, adware & PUPs — but not viruses, trojans, rootkits & bootkits.
https://support.microsoft.com/en-us/help/14210/security-essentials-download
Windows Defender is also available in Windows 7. However, in Windows 7, Defender only provides protection against spyware. In Windows 8, Windows RT, Windows 8.1, Windows RT 8.1, and Windows 10, Windows Defender provides full malware protection for your PC. Malware consists of viruses, spyware, and other potentially unwanted software.
https://www.microsoft.com/en-us/safety/pc-security/windows7.aspx
Windows 7 also includes Windows Defender, software that helps protect your computer from pop-up ads, slow performance, and security threats caused by spyware and other unwanted software.
anonymous
Guest
January 31, 2018 at 11:47 am #163469
I will give Microsoft the benefit of the doubt for now. They are going after the scam artists and that’s good. When these scumbags get caught, charged and tried, they get a slap on the wrist. This is a way of nuking them on Microsoft’s turf.
Others have already stated that Microsoft may overreach, and I think that is a high probability. I see two things to be concerned about. First, more telemetry to catch the offenders, which we may not be able to turn off. Second, no user white-listing capability.
I am not bashing Microsoft here, but this could be another crack at cranking up the Windows Store. If you want to play in their sand pit, you have to pay to play. In their announcement, they do reference that programs have to be registered with Microsoft to avoid the possibility of Defender removing them.
Improved Security is what will define 2018, so let’s see if it can be achieved without evicting the user or usurping his/her property.
gkarasik
AskWoody Plus
January 31, 2018 at 11:52 am #163475
Okay, okay. The headlines floating around don’t say that, but I think “Defender to block malware” accurately describes Microsoft’s promised next step
[See the full post at: Windows Defender will start blocking and removing malware]
This is terrible news. Third-party anti-virus updates frequently cause system problems, and those third-party vendors (Trend Micro, Norton, McAfee, etc.) have some incentive to do actual quality-control and beta-testing before release and some incentive (like sales and renewals dropping after bad events) to quickly fix them. It’s become quite clear that the current entity that is Microsoft has no such incentives. So to whom would I turn when a newly aggressive Windows Defender suddenly trashed my system or software it decided, deliberately or accidentally, that I didn’t need? Not to mention that I have zero faith in Microsoft’s integrity, which means I couldn’t count on any level of honesty about what telemetry it might be sending back to Microsoft about my system. Sorry Woody, but in my opinion, anyone who thinks this is a good idea is a few pickets shy of a fence.
GaryK
3 users thanked author for this post.
-
Cybertooth
AskWoody Plus
January 31, 2018 at 5:30 pm #163604
So to whom would I turn when a newly aggressive Windows Defender suddenly trashed my system or software it decided, deliberately or accidentally, that I didn’t need.
OscarCP
Member
January 31, 2018 at 12:18 pm #163482
How would this work? Is there a way to detect automatically coercive software, or does the user decide which software is coercive and then employs some feature of, for example, Windows Defender by ticking off a box or clicking on a screen button, for the executable to be removed? Or would WD regularly access a data base of known offenders, much like anti malware software does?
That last approach would worry me, because of WD errors, or sneaky measures against competitors, may cause the detection and consequent removal of something of value to the user.
I do not have Win 10, or WD installed, but if the idea of a coercive software remover proved to be somewhat popular, particularly one that is wrapped into an application already widely used, this might be the beginning of a trend to add such things to other products of MS, or those of other companies.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
anonymous
Guest
-
geekdom
AskWoody_MVP
January 31, 2018 at 2:44 pm #163541
Just so long as Windows Defender obediently shuts up and stays out of the way when there’s a third-party AV on my machine… good.
The problem would be if Windows Defender decides your third-party anti-virus software is malware and deletes or blocks the third-party anti-virus software.
On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
anonymous
Guest
January 31, 2018 at 2:34 pm #163531
The change is going to be implemented in W10 Windows Defender and other Microsoft security products. W7 and W8.1 will see it in MSE. I do not expect it will be in MRST.
The good thing is that they did not introduce a new product baked into the OS itself. If Microsoft oversteps with WD/MSE, they can be uninstalled. There are other security programs that do as good a job or better and without the seek and destroy capability in place, these programs will be safe from annihilation.
Monitoring (real time) to capture this malware and rogue messaging is going to be something to take into account. MSE can hit 50% CPU when it runs, but at least for me it only lasts a few minutes. I will not be happy if I get random spiking throughout the day while it goes hunting. The worst scenario would be if MSE finds a program and uninstalls it, followed by a popup that says a restart is required to complete the changes.
-
OscarCP
Member
January 31, 2018 at 5:47 pm #163609
Please, could you explain those acronyms? You seem to be explaining something that those of us running Win 7 or 8, in particular, may need to know about.
Thanks.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV -
PKCano
Manager -
walker
AskWoody Lounger
February 4, 2018 at 10:48 am #164577
@PKCano: I got rid of the MSE long ago. I still receive the updates for the MSRT and WD, however never use them, so does this equate to the “user” needing to somehow get rid of these last 2 listed, or are we “stuck” in such an untenable position? It’s enough to drive people out of their minds. Thank you for all of the good, reliable, knowledgeable and expert information. 🙂
-
PKCano
Manager -
walker
AskWoody Lounger
February 4, 2018 at 11:16 am #164588
@PKCano: I am not certain that my “Security Program” can turn off Defender as this is not an “Anti-virus” program. It automatically removes anything that attempts to invade the computer. It’s called ESET Smart Security. It’s always stopped anything that even appears to not be legitimate (safe) (also warns against suspicious and unsafe websites).
Thank you for the suggestions. I will now begin to hide the Defender, as well as the MSRT too if possible. That would cause them to be hidden and hopefully not be activated by MS.
My apologies for the redundant messages. You do a brilliant job of helping us all out, and I sincerely appreciate it. 🙂
-
-
-
Ascaris
AskWoody MVP
February 1, 2018 at 7:40 am #163738
anonymous
Guest
January 31, 2018 at 2:57 pm #163540
As a desktop developer for the corporate market that periodically sends updates to customers, I’m afraid that as a non-Microsoft program it will have a great chance to be “mysteriously” blocked. H**l, even MS programs are sometimes killed by their updates.
Edit to remove HTML and content
_Reassigned Account
AskWoody Lounger
ViperJohn
AskWoody Lounger
January 31, 2018 at 3:40 pm #163561
Sounds “just okay” on the surface but remember we are talking Satya Nadella’s vision of Microsoft here where things tend to morph to “The Dark Side” often and rapidly. By MS’s own information about this here:
the first thing that should be deleted is the Edge Browser followed quickly by the W10 install itself if MS followed their own rules.
If the user can opt-out / disable / override (without going thru 10 nested setup pages to find the switch) this “protection feature” it would probably be okay. If no user control is allowed then it’s suspect to say the least, probably worse than the Malware it tries to suppress to say the worst, and a quick slide to Microsoft taking control of what software you are allowed to run on “your computer”. You could wake up to find that Firefox, Chrome, OpenOffice, ClassicShell, Start8 or any other app/program you like, but Microsoft doesn’t (or hasn’t been paid to) suddenly landing on MS’s “Unwanted Programs” list and “poof” it’s gone and blocked without asking.
Viper
8 users thanked author for this post.
-
anonymous
Guest
anonymous
Guest
MikeFromMarkham
AskWoody Lounger
January 31, 2018 at 4:40 pm #163580
With apologies to The Outer Limits…
“There is nothing wrong with your device. Do not attempt to adjust the settings. We are controlling transmission. If we wish to make it louder, we will bring up the volume. If we wish to make it softer, we will tune it to a whisper. If we wish to hear you, we will turn on your microphone. We will control the horizontal. We will control the vertical. We will control the resolution. We can roll the image, make it flutter. We can change the focus to a soft blur or sharpen it to crystal clarity. If we wish to see you, we will turn on your webcam. From now on, sit quietly and we will control and record all that you see and hear. We repeat: there is nothing wrong with your device. You are about to participate in the great Windows-as-a-Service adventure. You are about to experience the awe and mystery and complete confusion which reaches from your inner components to — the Microsoft Cloud.”
anonymous
Guest
Scribe
AskWoody Lounger
February 1, 2018 at 3:30 am #163681
ScotchJohn
AskWoody Lounger
February 1, 2018 at 4:38 am #163694
I hope that MS Windows Defender will be a bit better than Malwarebytes in not flagging false positives. I’m a fan, and long-time user, of MWB, but do get upset from time to time when it flags as malign something that clearly isn’t.
This report says that Defender will not only flag, but will also remove (quarantine?) things that it doesn’t like.
MWB got things back on an even keel after properly spoiling last Saturday, not only for themselves, but also for thousands of vocal users. Will MS be as quick to react? I leave the question hanging.
Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro
-
Bill C.
AskWoody Plus
February 2, 2018 at 12:57 pm #164125
I hope it will give the opportunity for user interaction.
I use an older version of PDFCreator v1.7.3. I have found it very useful as it allows the creation (by a print-type driver) of encrypted PDFs. Some of the download versions of 1.7.3 were tainted by what was considered malware as the installer served up ads during the initial installation.
Unfortunately, later release versions were bloaty, and lacked key functionality.
MSE used to try to remove the installer as malware until I found a clean installer version. It did not however target the actual install.
MSE also tried to remove some of my well known and regarded password recovery tools, until I whitelisted the specific files of both the 32 and X64 versions on the machine and on thumbdrives.
Pepsiboy
AskWoody Lounger
February 1, 2018 at 7:26 am #163726
In my UNINFORMED opinion, I am skeptical of this. My go around with Windows Defender, Windows Firewall, and Microsoft Security Essentials has been anything but good. I used them on a now DEAD Toshiba laptop running Windows XP SP3 x32. They all let a virus through that locked things up to the point that on starting the computer it would never get past the black screen with the cursor blinking in the upper left corner. I took it to my computer guy at the time and he said “The HD is empty. It has been wiped completely clean.” He thought that I had put in a new HD that was clean, until he opened it up and saw that it was the original HD. After that, I made sure that ALL the above mentioned security stuff was turned OFF or REMOVED. Been using VIPRE Internet Security since then with no problems.
I know, this is nothing but anecdotal evidence, but it is what has worked for me.
I have not trusted Microsoft to do the right thing for a LONG time.
Dave
-
Ascaris
AskWoody MVP
February 1, 2018 at 8:15 am #163759
My go around with Windows Defender, Windows Firewall, and Microsoft Security Essentials has been anything but good. I used them on a now DEAD Toshiba laptop running Windows XP SP3 x32. They all let a virus through that locked things up to the point that on starting the computer it would never get past the black screen with the cursor blinking in the upper left corner.
Sorry about your misfortune, but I have a question. If the hard drive being mysteriously wiped was the first sign that something was wrong, how do you know that it was a virus? It’s one possible explanation, but without having any direct evidence, there’s simply no way to establish that for sure.
Windows Firewall and Windows Defender (prior to Win 8) were not designed to stop malware, so they can’t be faulted for that. MSE was available as an optional download for XP prior to version 4.5, so if there was malware activity on the PC, that should hopefully have stopped it, but without knowing what malware it was (if that is, in fact, what it was) and what version of the database was in use at that time, there’s no way to know whether MSE dropped the ball by not detecting something it should or whether that malware was simply unknown to MSE at that time. If it was, the question becomes one of whether MS received the malware sample and didn’t act quickly enough to get it into the database, which would again suggest it was Microsoft’s fault. If no one had the sample yet, no other signature based antimalware would have done any better.
Signature-based antimalware programs are always going to be unable to detect new malware variants. Unfortunately, the tools that make it easy for us to check a file for malware also make it easy for the malware authors to scan their new malware variants and make sure none will detect it. There will be a lead time between the miscreant releasing the malware into the wild and someone discovering it and submitting it to one or more of the antimalware companies (which means they will all have it soon, as they have a sharing agreement with each other).
For protection against those kinds of malware (assuming at this point that the usual methods of not running unknown executables, etc have already failed, and the malware is running on the system), you would need an antimalware program that uses heuristic detection, or else a HIPS program that will alert on any remotely suspicious behavior.
I had the latter running when an unknown malware did a drive-by attack on my vulnerable Java plugin years ago (back when people usually had Java enabled), and the HIPS (Outpost Security Suite Pro) detected the unknown executable running. As I’ve written before, though, the thing had been alerting dozens of times a day for years (I had it on max paranoia mode), and even though I am more savvy about warnings than your average bear, habit took over and I hit allow… but I knew that was the wrong action almost before I clicked it; I was just unable to intervene in the force of habit in time. The HIPS did its thing, though, and I knew there was something bad in my system. I quickly found it using the Outpost logs and zipped it with a password (so it can pass through email gateway scanners) and sent it to several antimalware vendors. One got back to me a couple of days later and said it was a new malware, and that it was now in the database.
Outpost Security Suite had a signature-based antimalware module, but it didn’t alert on this malware, naturally (it was unknown).
The good part about HIPS programs is that they can add an extra layer of security; the bad news is that they slow the system down and can be annoying if they prompt a lot. If you run a lot of new programs, each one has to have every thing it does whitelisted; until then, lots of popups are likely.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
1 user thanked author for this post.
-
Cybertooth
AskWoody Plus
February 1, 2018 at 11:36 am #163801
Other than malware, what sorts of things could wipe a hard drive clean without user input but still allow the computer to “boot” to a blinking cursor on a black screen?
Not a hostile question, I’m genuinely curious.
-
anonymous
Guest
February 1, 2018 at 1:35 pm #163825
Cybertooth said:
Other than malware, what sorts of things could wipe a hard drive clean without user input but still allow the computer to “boot” to a blinking cursor on a black screen?
1) It might be that the disk is not actually wiped clean, but that Win OS “forgot” where the Master Boot Record (MBR) is located. This could be due to user accidentally changing the MBR location.
For instance, the MBR on my Win OS is stored at the C: (system) partition, instead of the hidden System Reserved Partition. There was once when I was trying out something, I accidentally pressed the spacebar (instead of clicking Cancel), & this switched the boot flag to the System Reserved Partition (which does not exist on my disk). The result was that the PC was unable to boot into Win OS, hence a black screen at bootup.
So what I did was to boot (from the optical drive) into a Linux live CD, & use its GParted program to set the boot flag back to the C: (system) partition where the MBR resides. In the Linux environment, my C: partition is listed as “/dev/sda1“. Screenshot of how Gparted looks like.
2) Below is an alternate scenario of a user whose boot-first option in BIOS got switched, resulting in a black screen with blinking cursor upon bootup:
http://www.tomshardware.com/forum/327145-28-black-screen-blinking-cursor-left-help#r16453573
none2015
I had a similar issue and it was due to my boot options. I had it set to boot from disk first, then sata if disk was not inserted. Reversed the setting in bios and it corrected issue
3) Another reason for the system “forgetting” the boot location is malware that overwrites or shifts the MBR:
- Disttrack Malware Overwrites Files, Infects MBR (Trend Micro Security Intelligence Blog – 17 Aug 2012)
4) But if your disk literally got wiped clean all of a sudden, it could be due to infection by disk-wiping malware such as Shamoon & StoneDrill:
- StoneDrill Disk Wiping Malware Found Targeting European Industries (The Hacker News – 06 Mar 2017)
3 users thanked author for this post.
-
Ascaris
AskWoody MVP
February 1, 2018 at 7:52 pm #163909
A hardware failure within the drive, possibly (whether it be in the electronics, lost clusters in the media that happened to be in an important place… if sector 0 of a disk is unreadable, that disk is rendered useless for MBR/BIOS PCs). Or maybe some well-meaning disk utility attempting raw disk writes glitched out at the wrong moment (even the stock disk defragmenter).
As others have noted, it’s probable that the drive was not truly wiped, in the sense of overwriting each sector of the drive and making sure it’s really and truly erased. On a rust spinner, this takes hours. It’s much more likely that a few bytes in the MBR or partition table were changed. This is true even if it was a virus or other malware that caused the problem.
The point is, though, that if you don’t find the malware, it’s a mysterious failure, one whose cause is unknown. You may suspect malware, and that would not be unreasonable, but you don’t know. The best you could say is that the failure was due to unknown causes, with malware suspected.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)1 user thanked author for this post.
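The two replies above describe failures that look alike from the outside (a boot flag moved to a partition slot that does not exist, or a few bytes of the MBR or partition table changed rather than the whole drive erased), and reading sector 0 tells them apart. The following Python is an added example, not part of the thread: it classifies a 512-byte sector 0 image, and the finding names, helper names and sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # boot code occupies bytes 0-445
ENTRY_SIZE = 16               # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def parse_entries(sector):
    """Return the four partition-table slots of an MBR sector as dicts."""
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        status = sector[off]        # 0x80 = active (boot flag), 0x00 = inactive
        ptype = sector[off + 4]     # 0x00 = unused slot
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        entries.append({"slot": slot, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def diagnose(sector):
    """Return a list of finding codes (names are this example's own)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector == bytes(SECTOR_SIZE):
        return ["sector-zeroed"]            # boot code and table both gone
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("bad-signature")
    entries = parse_entries(sector)
    used = [e for e in entries if e["type"] != 0 and e["sectors"] > 0]
    active = [e for e in entries if e["status"] == 0x80]
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        findings.append("invalid-status-byte")
    if not used:
        findings.append("empty-partition-table")
    if any(e["type"] == 0xEE for e in used):
        # GPT disk: the real table lives elsewhere, boot-flag checks do not apply
        findings.append("gpt-protective-mbr")
        return findings
    if used and not active:
        findings.append("no-active-partition")
    if len(active) > 1:
        findings.append("multiple-active-partitions")
    if any(e not in used for e in active):
        findings.append("boot-flag-on-empty-slot")
    return findings or ["ok"]


def build_sector(slots, signature=True):
    """Construct a test sector from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xfa\x33\xc0"   # placeholder bytes standing in for boot code
    for i, (status, ptype, lba, count) in enumerate(slots):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        sector[off] = status
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba, count)
    if signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples, not taken from any real disk.
HEALTHY = build_sector([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)])
FLAG_ON_EMPTY_SLOT = build_sector([(0x00, 0x07, 2048, 1000000), (0x80, 0x00, 0, 0)])
NO_ACTIVE = build_sector([(0x00, 0x07, 2048, 1000000)])
TABLE_CLOBBERED = build_sector([], signature=False)
ZEROED = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, image in [("healthy", HEALTHY), ("flag moved", FLAG_ON_EMPTY_SLOT),
                        ("no flag", NO_ACTIVE), ("table clobbered", TABLE_CLOBBERED),
                        ("zeroed", ZEROED)]:
        print(f"{name:16s} {diagnose(image)}")
```

On a machine that will not boot, the input would be the first 512 bytes of the disk read from a live environment. A result of `boot-flag-on-empty-slot` or `no-active-partition` with the data partition still listed matches the recoverable case in the first reply, while `sector-zeroed` says nothing about whether the rest of the disk was overwritten.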
-
-
OscarCP
Member
February 1, 2018 at 8:39 am #163764
I have Windows 7 Pro, SP1, x64, and hope that any “defender” that might creep into my machine will not be a “coercive remover” or compulsive “warner” of possible bad things that need to be removed, because I need and do write a lot of programs that have never before existed until I create them and are, therefore, not vetted by anyone but me.
If it does, and depending on the severity of the problems it might have been caused by the intrusive interloper, the appropriate response may range from: to search and destroy the trouble-making executables, all the way to an old-fashioned law suit.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
-
anonymous
Guest
MrBrian
AskWoody_MVP
February 1, 2018 at 9:24 am #163778
More news about Windows Defender from Windows Defender, McAfee Antivirus Move Up in Rankings: “Here’s what you probably already know: Bitdefender, Kaspersky Lab and Trend Micro topped the latest AV-Test evaluations for home antivirus programs running on Windows 10. That’s no surprise; they’ve been doing that for years. But what you might not know is that Microsoft Windows Defender has continued to make great strides — and McAfee has absolutely topped the charts after struggling for many years.”
Pepsiboy
AskWoody Lounger
February 1, 2018 at 1:01 pm #163821
Sorry about your misfortune, but I have a question. If the hard drive being mysteriously wiped was the first sign that something was wrong, how do you know that it was a virus? It’s one possible explanation, but without having any direct evidence, there’s simply no way to establish that for sure.
Ascaris,
As I said in my original reply, This is what I was told by my computer guy at the time. I no longer use his services. Exactly what caused the HDD to get wiped, I DON’T KNOW. It became useless, so it got scrapped out. As of the time I started using VIPRE Internet Security, no more problems like that. Anecdotal evidence. We just sucked it up and carried on.
Dave
1 user thanked author for this post.
-
anonymous
Guest
February 1, 2018 at 2:41 pm #163837
Pepsiboy (Dave) said:
Exactly what caused the HDD to get wiped, I DON’T KNOW. It became useless, so it got scrapped out.
Scrapping a wiped HDD sounds drastic. Why can’t the HDD be reformatted for use again ? If the HDD got wiped by malware, formatting the entire disk with zeros at least once should get rid of the infection.
Or perhaps at that time, you were planning to upgrade to a larger/ faster HDD anyway ?
Well, just in case you happen to be unable to boot into Win OS on your HDD again, instead of sending it to IT tech, try using GParted (or similar partition software) on live CD to check if you can still “see” your HDD.
If yes, there is a possibility to restore the boot flag, or recreate the Master Boot Record — if either of these is the cause of failure to boot. Or at the very least, you can attempt to salvage & copy out your non-system data from the affected HDD.
I provided some info about booting with Linux live CD, using GParted, as well as a possible cause of sudden disk wipe in a previous comment:
https://www.askwoody.com/2018/windows-defender-will-start-blocking-and-removing-malware/#post-1638252 users thanked author for this post.
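The boot-flag and Master Boot Record checks suggested in the post above, as an added example that is not part of the original thread: a Python sketch that classifies a 512-byte first sector from an MBR-partitioned disk as wiped, damaged, missing its boot flag, or sound. The function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Classify a 512-byte first sector and list its partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    entries = []
    for i in range(4):  # four 16-byte entries start at offset 446
        raw = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({"slot": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    has_sig = sector[510:512] == b"\x55\xaa"
    if not any(sector):
        verdict = "sector is all zeros: MBR wiped, table must be recreated"
    elif not has_sig:
        verdict = "boot signature 0x55AA missing: MBR damaged"
    elif not entries:
        verdict = "valid signature but empty partition table"
    elif not any(e["active"] for e in entries):
        verdict = "partitions present but none flagged active (boot flag lost)"
    else:
        verdict = "MBR looks structurally sound"
    return {"signature": has_sig, "partitions": entries, "verdict": verdict}

def build_sample(active: bool) -> bytes:
    """Constructed sample: one NTFS (type 0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR)
    entry = bytearray(16)
    entry[0] = 0x80 if active else 0x00  # status byte carries the boot flag
    entry[4] = 0x07
    struct.pack_into("<II", entry, 8, 2048, 20_000_000)
    sector[446:462] = entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    for label, data in [("healthy", build_sample(True)),
                        ("no boot flag", build_sample(False)),
                        ("wiped", bytes(SECTOR))]:
        print(f"{label:13} -> {parse_mbr(data)['verdict']}")
```

On a real disk the input would be the first 512 bytes of the device, read without writing anything, from the live session. GPT disks carry a protective MBR of type 0xEE and do not use the active flag, so the boot-flag verdict applies only to BIOS/MBR layouts.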
Pepsiboy
AskWoody Lounger
February 1, 2018 at 7:39 pm #163906
Pepsiboy (Dave) said: Exactly what caused the HDD to get wiped, I DON’T KNOW. It became useless, so it got scrapped out.
Scrapping a wiped HDD sounds drastic. Why can’t the HDD be reformatted for use again? If the HDD got wiped by malware, formatting the entire disk with zeros at least once should get rid of the infection. Or perhaps at that time, you were planning to upgrade to a larger/faster HDD anyway? Well, just in case you happen to be unable to boot into Win OS on your HDD again, instead of sending it to IT tech, try using GParted (or similar partition software) on live CD to check if you can still “see” your HDD. If yes, there is a possibility to restore the boot flag, or recreate the Master Boot Record — if either of these is the cause of failure to boot. Or at the very least, you can attempt to salvage & copy out your non-system data from the affected HDD. I provided some info about booting with Linux live CD, using GParted, as well as a possible cause of sudden disk wipe in a previous comment: https://www.askwoody.com/2018/windows-defender-will-start-blocking-and-removing-malware/#post-163825
I had no idea (at the time) that it could be salvaged. I had already upgraded to a newer machine, and the blank HDD was only a 10 GB model anyway. It is all history now, and cannot be undone. As of that experience, I no longer use the built-in stuff from MS. I’m VERY happy with the protection I get from VIPRE Internet Security, and will stay with them until they give me trouble. Changing to another brand of protection is WAY OFF the budget (VERY fixed income) and paying for another service just cannot happen at this time. I had only paid for VIPRE for 1 year, and near the end of that year I was given an offer from them for a “Lifetime PC License” that was about the cost of 1 1/2 years of paid service. I jumped on that like a dog on a bone. Got my laptop and our desktop on that deal at the same time. No regrets and not looking back.
Dave
krzemien
AskWoody Lounger
February 3, 2018 at 5:47 am #164301
Is this a taster of things to come?
Yep, I was affected, and wasted 30 mins to resolve it.
Not very happy about it at all.
PKCano
Manager -
krzemien
AskWoody Lounger
February 3, 2018 at 6:45 am #164318
It was IOLO that is buried underneath VAIO Care somewhere. It was obviously fine since 2013 until yesterday evening, when Windows Defender, having updated its virus definition files, suddenly made CPU utilisation jump to 100%, and I was promptly notified that malware was being removed before I even had a chance to see what this was all about.
As this whole process is very flaky, and before I even got a chance to step in, the whole of VAIO Care became corrupt and the restore from quarantine / allow options did not really work – which resulted in numerous subsequent and sequential VAIO Care service crashes – only to add to my frustration and growing anger.
The ultimate remedy was to reinstall VAIO Care – and mark these alleged IOLO malware instances as allowed.
So I’m guessing we will witness more of this in the near future. How about Windows Defender not liking Spybot Anti-Beacon…?
PKCano
Manager
February 3, 2018 at 7:00 am #164320
I turned off the SmartScreen Filter long ago in Win7 for that very reason. I use a third-party AV that turns off Defender.
But the way things are going in Win10 I suspect they will try to exclude other s/w for their built-ins (Edge, Defender, etc.). I hope the EU stops them again. The US certainly seems incapable of doing so.
b
AskWoody_MVP
walker
AskWoody Lounger-
PKCano
Manager -
walker
AskWoody Lounger
February 4, 2018 at 12:15 pm #164597
@PKCano: Please just leave the one in the trash. I tried to delete it unsuccessfully. Apologies for the additional work. As I noted before, your outstanding knowledge, expertise, and assistance are appreciated more than words can say. I don’t know what we would do without you and the other experts who are such a great help to us all. 🙂