Slashdot Mirror
Microsoft Admits Disabling Anti-Virus Software For Windows 10 Users (bbc.com)
An anonymous reader quotes a report from the BBC: Microsoft has admitted that it does temporarily disable anti-virus software on Windows PCs, following an competition complaint to the European Commission by a security company. In early June, Kaspersky Lab filed the complaint against Microsoft. The security company claims the software giant is abusing its market dominance by steering users to its own anti-virus software. Microsoft says it implemented defenses to keep Windows 10 users secure. In an extensive blog post that does not directly address Kaspersky or its claims, Microsoft says it bundles the Windows Defender Antivirus with Windows 10 to ensure that every single device is protected from viruses and malware. To combat the 300,000 new malware samples being created and spread every day, Microsoft says that it works together with external anti-virus partners. The technology giant estimates that about 95% of Windows 10 PCs were using anti-virus software that was already compatible with the latest Windows 10 Creators Update. For the applications that were not compatible, Microsoft built a feature that lets users update their PCs and then reinstall a new version of the anti-virus software. "To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating," writes Rob Lefferts, a partner director of the Windows and Devices group in enterprise and security at Microsoft.
So, apparently Microsoft is the only one who has actually figured out how to disable McAfee. They should patent that.
Breaking down yearly stats it looks like 1 million per day are actually created.
But AV only finds about 300,000 a day. And that's all of them collectively.
Not only is AV useless but also damaging as it creates never ending bloat in AV products.
soooo you claim these apps are mission critical yet they are written pre XP days and you haven't bothered to test or build new versions of them and it is MICROSOFT's fault for not supporting your 15+ year old shit.
Just how necessary is a anti-virus of any description? If Windows could make their OS as hardened as OSX or just about any flavor of Linux none of these anti-virus companies would survive anyways. What are they going to moan about then? "Your product is too secure, we are losing business?!"
I have a fifteen year old refrigerator that still works, as well as a twenty year old oven, a nine year old smart phone, an eleven year old TV, lamps that are more than thirty years old, a lawnmower that is going on twenty years old, and lots of other "shit" that is fifteen years or older that still works. Why should anyone discard functional things just because of Microsoft's say so?
Time is what keeps everything from happening all at once.
MS certainly does care about compatibility, it's why the x86 version of Windows is still produced. (You can still run 36-year-old programs just by double-clicking them on 32-bit Windows - and, of course, it still runs legacy 16-bit Windows programs too).
Your mistake was doing an in-place upgrade to Windows 10. You should have done a fresh install, then reinstalled your 31 mission critical programs thereafter.
(Disclaimer: I work in a school and have had to get all sorts of legacy stuff working under Windows 10. The only thing that wouldn't work whatsoever was an old ID badge printer which used an obscure way of interacting with its Windows 2000-era driver. The rest of the stuff, including such delights as old laser cutters connected by serial ports, works just fine. Yes, you may have to fiddle with settings and even the registry in some cases, but the vast majority of stuff out there can be made to work with little or no effort.)
Or for a non-inflammatory title: Microsoft Disables Faulty AV Software so Win10 Uses Can Safely Update To Latest OS
AV software is some of the worst crap to get foisted on Windows installations. I wish MS would just disallow it outright. But as the Kaspersky suit shows, AV vendors aren't going to let go of that teet if they find any way to avoid being forced to do so.
Microsoft does extensive testing of apps and provides shims to make sure as many legacy apps as possible work on the new OS. If your apps were developed in-house and never distributed of course Microsoft is unable to guarantee compatibility with future OS versions as they have no way of knowing what your app is like or how it was coded. It's entirely your company's responsibility.
More accurate: Microsoft admits disabling outdated incompatible AV software that was not updated in a timely manner by their vendors to support the newest version of Windows before their users upgraded. Microsoft also ensured these users would remain protected by enabling the built-in AV protection since the users were not guaranteed to have any other compatible AV software installed.
Surely even anyone here who is incapable of switching out a plug is at least capable of using an adapter?
Time is what keeps everything from happening all at once.
Because computers progress more than fireplaces?
In my recent experience all the viruses/malware that have bitten us (and have gone undetected by AV) have leveraged 1) Powershell (by running a Base-64 encoded payload) and 2) Office Macros (which end users stupidly allow)
If our admins had universal "only ever run pre-approved Powershell scripts" and "never run Office Macros" configured on our Windows machines, security incidents would probably drop by 80-90%.
I certainly wouldn't expect to use my fridge between US and Europe
Actually you'll find with a lot of modern stuff it is dual voltage. You may have to flip a switch but it'll work. Most laptop chargers, USB chargers etc don't even need that, "they just work" whether you plug them into 110V or 240V or anywhere inbetween. That's the joy of modern switch mode power supplies over legacy linear ones.
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
I have a fifteen year old refrigerator that still works, as well as a twenty year old oven, a nine year old smart phone, an eleven year old TV, lamps that are more than thirty years old, a lawnmower that is going on twenty years old, and lots of other "shit" that is fifteen years or older that still works. Why should anyone discard functional things just because of Microsoft's say so?
Why are you comparing a stationary appliance without external interface to a computer program? If that's your comparison then it's worth pointing out that Windows XP still works. It didn't magically vapourise with the release of Windows Vista, 7, 8, or 10.
Now if on the other hand you have a security issue with the fact that your Windows XP machine is network based, or you have a major obsolescence issue that could take out the machine at any time, can you really say it still "just works"? If the camera on your 9 year old smartphone breaks does it still just work? What if that camera was actually "mission critical"? Do you wait until the day that it breaks to find out if you have an alternative?
Microsoft hasn't told anyone to discard anything. That is left up to people themselves. Speaking of I *had* a 15 year old fridge. I threw it away fully working for a new one that has more space and uses less than 1/4 of the electricity. Just because something still works is in itself not a reason to keep it.
So your immune system is useless because it doesn't detect all diseases? And it causes all these problems from allergies to other autoimmune diseases right up to transplant rejections. Get rid of it and tell us how much better off you're now.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"only run whitelisted programs from whitelisted directories" (combined with "no office macros") solves nearly 100%.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's the same complaints that the EU had with Internet explorer. Microsoft installs something per default. That's what bothers the courts.
Last time I checked, not a single version of Windows that I have has any Office software.
If Office macros are a particularly common infection vector, then the fault lies with the developer of Office (Microsoft), not the developer of Windows (Microsoft).
The common theme here is obvious, but what is uncommon is also important. Office macros are powerful by design. That is VBA inside, and while VBA was always easily ridiculed for performance reason and for the fact that its a BASIC, the criticism was never to my knowledge its capability. Hell VBA code can load a DLL and call its functions. Full stop.
Powershell is also designed to be powerful. Just another variation on the command-shell theme.
I really dont want the OS locking down file associations, nor do I want to be prevented in any way from installing "unapproved" software, therefore the OS isnt at fault here. Its the developer of Office for somehow making it too easy for untrusted VBA code to be executed.
"His name was James Damore."
For the 7 - 10 upgrade, it actively uninstalls programs if it's unsure about compatibility. In my case it was quite a long list including games, text editors, and other software.
It does give you a list of them afterwards though, so I guess that's nice.
Rational thought is the only true freedom
The solution is to disable macros in documents from the internet or that aren't in trusted locations, scanning macros, using protected view and a few other trust settings. Finding that perfect balance between security and functionality.
Simplify :
Windows 10 (S) is bad
Simplify again:
Windows 10 is bad
Simplify one more time:
Windows is bad. - There we are.
aaaaaaa
We could get into the much bigger flaw of your entire line of reasoning by observing that a virus scanner cannot equate to your immune system. Your immune system is composed of both offensive and defensive capabilities, proactive and reactive, layer upon layer. Your skin is part of your immune system. The closest software analogy to this is the Operating System, certainly not the lowly Virus Scanner.
Yes, your entire body is built to resist invaders just like the entire Operating System should be built to resist invaders but that's generally not what people are talking about when they say immune system. A good analogy for a virus scanner might be your white blood cells. As the OP said, get rid of your white blood cells and see how well you fare. They do cause problems in some people and are not 100% effective but generally not having them is a lot worse for most people.
and 2) Office Macros (which end users stupidly allow)
The blame is only partially on the end user. The blame is really on Microsoft for not properly sandboxing the macros. 99% of macros should only affect the spreadsheet that they are written for and never leave the program. If a macro does need to do something like save to the harddrive then Microsoft should have a really big warning and make them manually enable that functionality but affected stuff outside of the spreadsheet program should be completely disabled by default.
In order to understand why Microsoft may have logically chosen to do that for their CUSTOMERS, you would have to understand drivers. All pro-active virus scanning software sits in the driver stack. They intercept operating system calls to try to determine whether you're about to run i_h4x0r3d_j00.exe and prevent that from happening. Microsoft drivers also happen to sit in the same driver stack along with everyone else's. They all sit at a particular "altitude" in that driver stack. Some versions of software that are signed drivers that sit in this stack interfere with other drivers in that stack. Microsoft most likely proactively decided that instead of being like "I can't update X because of your crappy third party software that doesn't work right" to temporarily disable it, so they could apply the updates and then re-enable it or their product afterwards.
Now I realize that doesn't make for as sensational news story as something that implies Microsoft purposefully disabling other competitors software but it's more likely that something like what I said is the case. I hate to disappoint you. Cheers!
We'll make great pets
Times change, technology advances. And some times a manufacturer has to cut off older technology.
What we did was keep a few computers non-updated so that critical software that wouldn't work on newer OS could be run on them.
Its not always possible to have new software written. Some times the company is out of business, Some times they just won't.
As an example, I had two machines, a Mac and a Windows machine, that I kept un-updated and isolated because of video codec issues. The Mac was kept on OS9 because they wouldn't support it in anything later, and the Windows updates killed the codec. All of this was because of hissyfits between the developer and Apple/Microsoft.
Since a lot of people had used that codec, I had to find a solution. I remade our videos, but can't do that with visitors videos.
So as much as some of us like to make fun of the troglodytes that lose something because they didn't foresee that their software would become obsolete. All we have to do is remember that but for the grace of the Flying Spaghetti Monster, there go we.
Ever have to go into a meeting with the CEO or Director and tell him that you need a million to rewrite software that will allow you to continue doing something you've been doing every day for years? No gain, just do the same old thing. It's easy to sit back and make fun of folks this has happened to. Not so easy to be in their shoes.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
In an enterprise you can
Digitally sign the macro
Add the certificate to the trusted publishers
Set the machine to only run trusted content in Office.
I've helped a customer with this in the past.
As I look at my fridge compressor, oh, look, 85V-247V, 50-60Hz. That covers from Brazil to every EU country.
Is it truly unreasonable to ask your macro developers to sign code before they distribute it in your enterprise? You aren't asking them to make a pilgrimage to the oracle, you are asking them to open the document and go to Developer >> Code >> Visual Basic >> Tools >> Digital Signature >> and pick a certificate.
"It's hard" is why enterprises have huge numbers of unsigned Java apps and ActiveX controls that IT has to manually whitelist. Spend the half-hour it takes to learn to do it right and then "It's hard" isn't an excuse anymore.