OK - this is definitely thorny--I've thought about it before.
Let me try to "see" what the flow would be for two or three hypothetical
situations.
1) My "backup of Aunt Mary's old Win95 machine" that has the only PDF
copy of her last will and testament, with newdotnet in there for spice.
This is a zip, or maybe qic or .bkf file.
So--I install Windows Defender, and, being anal, I set scheduled scans to
do a full scan, since I can't tell what might be lying around that none
of my previous dozen or two antispyware apps have missed. Fortunately,
Aunt Mary had only a 4 gig drive, and didn't have much data, so her file
is 48 megs.
I've left settings at their default, so Windows Defender is set to take
the default action on a scheduled scan.
Scan is set for 11, and I'm still up, but by midnight the scan has hit
999,999 objects (I have a lot of .ISO files)--and I go off to bed.
Next morning--let's see if I can get this right--I should see an alert
from Windows Defender's icon in the system tray, and when I click and
open that, am I recalling it will take me to the history page--to show me
the scan results, essentially? This sounds perfect--it shows me that
"Aunt Marys backup.zip" was quarantined for newdotnet, and I say "oops--I
really need that--better get it back from quarantine." Retrieval from
quarantine works, and I'm in good shape.
Hmm --what additional actions do I take--I don't want to "always allow"
newdotnet. I could exclude the zip file from scanning (?) Am I back to
digging through System Events to find the path and file within the zip,
and removing that from the zip, to keep this from repeating?
Suppose I say--OK--that's fine, Aunt Mary's backup really isn't something
I plan on looking at soon, and it will be safe in quarantine, why don't I
just leave it there? Is it obvious in the quarantine UI that items age
out? This isn't something I'd heard before.
So--for that scenario, I'm doing a lot of nitpicking, but I think I like
this just fine.
Scenario 2 - pure malware--there's a .exe package lying around somewhere
that is an executable zip of some spyware--probably came attached to an
email message, and I saved it to try out the new game or whatever, and
then forgot about it.
Again--it only gets caught on a full scan, but it does, and I see it in
the history, and say--yeah--I never used that "rogerrabbit.exe" anyway,
and now I know it was a baddy--lesson learned, thank you Windows
Defender, and maybe I'll visit quarantine and delete it just to keep from
being tempted.
I like that just fine too.
Scenario 3--I've just installed Windows Defender, it updated, and is
running a quickscan. At the end of the quickscan it has detected some
spyware on my system--including something in an exe like the previous
scenario. I think in 99% of cases, the archive detections are only
happening on full scans, but it is probably possible for something that
is "live" to have a zip archive as part of its backstop mechanisms to
reinstall, or for such a zip to be in a location which a quick scan would
hit. I'm shocked at the long list of stuff detected and removed, and
when I go to quarantine, igfqwlx.exe from the Temporary Internet Files is
nothing I know I need, so I go on about my business, grateful to Windows
Defender for having saved my butt, and the file ages out of quarantine
and goes away and I never have to think about it again.
OK - final nits: Really - the only thing I see here is the need to be
sure the users know that quarantine ages out--I've never seen this in
another antivirus quarantine. I'm assuming that if the archive is too
big, we'll get an error message of some sort?
I'm sure there are some good corner cases I've missed here, so I hope all
the other lurkers here have thought this through from scratch without
being biased by my thinking, and will chime in!
I like it!
Joe Faulhaber said:
The 1372 engine will quarantine archives (under 50MB) when a threat
detection containing them is removed. So it will look like the threat
was deleted completely, but the history will say the action was
quarantine, and the quarantine package will be in the quarantine view in
the UI.
After 30 days, quarantined items age out.
I think this is a great solution to a thorny problem - but your feedback
would be appreciated, as usual.
Regards,
Joe
This should be exciting--I'm tempted to go out and grab some malware to
test, but I'm short of time--I'm trying to complete some budget work
for my church (our initial attempt is $30,000 out of balance!) and I
need to travel to a family funeral this weekend about 300 miles away.
So--I won't get much chance to look into this stuff 'til sometime next
week. Of the 50 or so machines I work with regularly, only two have ever
seen any significant spyware--and I've got them clean at this point, so
I need some new customers.
--
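The first scenario above ends with a practical chore: the flagged member has to be located inside the backup zip and removed so the same detection does not fire on every scheduled scan, and the rebuilt archive has to stay under the 50 MB size the engine will quarantine. The following Python script is an added example written for this thread; it is not Windows Defender code and not something either poster supplied. It builds a small constructed stand-in for "Aunt Marys backup.zip" (the member names are invented), splits an "archive->member" path (that notation is an assumption about how the event log reports members inside archives; adjust the separator if yours differs), rewrites the archive without the flagged member, and checks the result against the size threshold quoted in the thread.

```python
import io
import zipfile

# Threshold quoted in the thread: the 1372 engine quarantines archives under 50 MB.
QUARANTINE_ARCHIVE_LIMIT = 50 * 1024 * 1024

# Constructed content for the stand-in backup; not real documents.
WILL_PDF_BYTES = b"%PDF-1.4\n% placeholder will\n"
FLAGGED_MEMBER = "Program Files/NewDotNet/newdotnet_install.exe"  # hypothetical path


def build_sample_backup() -> bytes:
    """Constructed stand-in for 'Aunt Marys backup.zip': two harmless files plus
    one member at a path a scanner might flag. The payload is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Documents/last_will.pdf", WILL_PDF_BYTES)
        zf.writestr("Documents/recipes.txt", b"apple pie\n")
        zf.writestr(FLAGGED_MEMBER, b"MZ placeholder, not an executable")
    return buf.getvalue()


def split_archive_path(log_path: str):
    """Split an 'archive->member' string (assumed log notation) into its parts."""
    archive, sep, member = log_path.partition("->")
    if not sep:
        raise ValueError("path does not name a member inside an archive: %r" % log_path)
    return archive, member


def _normalize(name: str) -> str:
    # Event logs may use backslashes while zip entries use forward slashes.
    return name.replace("\\", "/").lower()


def list_members(zip_bytes: bytes):
    """Member names in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()]


def strip_members(zip_bytes: bytes, flagged_paths):
    """Rebuild the archive without the flagged members.

    Returns (new_archive_bytes, list_of_removed_member_names). Untouched
    members keep their metadata because the original ZipInfo is reused."""
    flagged = {_normalize(p) for p in flagged_paths}
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if _normalize(info.filename) in flagged:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


def fits_quarantine_limit(size_bytes: int, limit: int = QUARANTINE_ARCHIVE_LIMIT) -> bool:
    """True if an archive of this size is under the quarantine threshold."""
    return size_bytes < limit


if __name__ == "__main__":
    backup = build_sample_backup()
    # Constructed log line in the assumed 'archive->member' notation.
    logged = "C:\\Backups\\Aunt Marys backup.zip->Program Files\\NewDotNet\\newdotnet_install.exe"
    archive, member = split_archive_path(logged)
    cleaned, removed = strip_members(backup, [member])
    print("archive:", archive)
    print("removed:", removed)
    print("remaining members:", list_members(cleaned))
    print("under 50 MB limit:", fits_quarantine_limit(len(cleaned)))
```

Run it as-is to see the constructed archive cleaned; on a real backup, replace `build_sample_backup()` with the bytes of the zip from disk and feed it the member path taken from the scan history. The rebuilt archive is what you would keep, so the original (still containing the flagged member) can be left in quarantine to age out as the thread describes.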
Joe,
Care to elaborate on exactly what "archive cleaning" means within the
WD context? I know Mike Treit referred to "planning some changes to
improve the experience" when malicious files are discovered inside an
archive, but this is the first I've seen anyone refer to archive
cleaning using the 1.1.1372.0 Engine.
--
Regards, Dave
Joe Faulhaber[MSFT] wrote:
Donald's on the right track here...
We had to rev our setup a few times, but the underlying product binaries
stayed the same. The revs were almost all due to our efforts to provide
localized versions of WD, which we're still working on. The localized
versions of the beta for those of you running German or Japanese Windows
will have setup version > .6.
Back to the original question - 1347.0 is the correct WD version, the 1372
engine is current (with archive cleaning, very exciting!).
Regards,
Joe