Defender Beta2 Feedback from a multiple network admin

Rob Sitze

Some early feedback for the MS Spyware team from my initial testing today.

1) Bring back the tray icon as an option. It should include a context menu with the option exposed for Administrators only to disable/enable all real time protection. This toggle should not be visible to non-admins. Defender interferes with some legitimate third party app installations. (QuickBooks Enterprise 2006 for example.) Admins should be able to disable, then re-enable without having to stop the "MsMpEng.exe" service from the management console.

2) Fix the Allow Always option for Users in the Administrators Group that are not the original system Administrator. Right now the only options shown are Allow or Block. Applications that have no known status get alerted on every reboot.

3) Allow admins to add startup applications to the Allowed list manually. The only way now to add anything to your white list is to wait for the process of starting an application or adding an app to the registry RUN or Startup areas to be enabled and then responding to the following alert. See #2, even that is currently not working.

4) Are there plans to add remote management in some form? I would like to see a module for the (Local) General or (Network) Domain Policy Editors so we can pre-define white and black-listed apps for our networks, as well as settings for scheduled updates/scanning and Real Time modules that can be active or not.

~~~~~~
Rob Sitze
networkdefend dot com
 
Rob Sitze

I found the method to disarm real time protection, but it is highly non-intuitive.

Simply closing Defender leaves the service active. You need to run Windows Defender from the Start.Programs menu, then select the little down arrow to the right of the "?" Help button, and select "Exit Windows Defender," then click "Yes" to the popup dialog warning you that all protection will cease.


 
Guest

I agree with Rob, the sys tray icon is comforting, without it you need to go
look for the required services. A spyware app could potentially kill the
Defender service... and how would you ever know you weren't protected? Seems
like a grave misjudgement to me.

"Understanding real-time spyware protection options" is hard to understand.
Where have the options to choose which protection methods to enable and
disable gone? I want to turn off user shell folder protection!!
 
Ravi [MSFT]

Thanks for the feedback Rob. Some responses...

> 1) Bring back the tray icon as an option.

We already have a work item to bring it back, but only if the admin
explicitly chooses. The default will be what you see today.

> It should include a context menu with the option exposed for Administrators
> only to disable/enable all real time protection.

The option is there. Tools -> General Settings -> Real-time protection
options -> Uncheck "Turn on real-time protection".

> Allow admins to add startup applications to the Allowed list manually.

You could accomplish this in a different way using Tools -> General
Settings -> Advanced Options. "Add" any items into the do not scan the
following files or paths list.

> 4) Are there plans to add remote management in some form? I would like to
> see a module for the (Local) General or (Network) Domain Policy Editors so
> we can pre-define white and black-listed apps for our networks, as well as
> settings for scheduled updates/scanning and Real Time modules that can be
> active or not.

Windows Defender is a consumer version and is not intended for remote admin
scenarios. I guess you will see these features in Microsoft Client
Protection Suite...

> 2) Fix the Allow Always option for Users in the Administrators Group that
> are not the original system Administrator. Right now the only options
> shown are Allow or Block. Applications that have no known status get
> alerted on every reboot

Not sure I understand your scenario. Can you please break it down into
pieces/step-by-step?

Ravi Sathanur [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


 
