Does Defender's History work??

  • Thread starter: fox

fox

Hi
I have had one notification (down right on the screen) from Defender saying
something about allowed changes - but when I went into Defender's History to see
what that was about, the History was empty.
 
History only includes actions taken as a result of a scan, I believe, but
I'm not sure about what happens with known spyware spotted by real-time
protection.

Check the System event log, though:

Start, run, eventvwr.msc <enter>

Click on System, then in View, Filter, and hit the dropdown box for
"source." Set source to "windefend."

That will let you scroll up and down through all Windows Defender related
events--look for yellow-triangles.
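Bill's eventvwr steps, as an added PowerShell example that is not from the thread: it filters the System log on source WinDefend and keeps only Warning and Error records (the yellow triangles). The Operational channel fallback and the Get-MpThreatDetection call are assumptions about newer Windows builds, where the beta-era "History" tab no longer exists.

```powershell
# Added example, not from the thread. Same query as View > Filter > source
# "windefend" in eventvwr.msc, limited to the last $Days days.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

function Get-DefenderEvents {
    param([datetime]$StartTime)
    $filters = @(
        # The source the thread names: System log, provider WinDefend.
        @{ LogName = 'System'; ProviderName = 'WinDefend'; StartTime = $StartTime },
        # Assumption: current Windows builds log to a dedicated channel instead.
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; StartTime = $StartTime }
    )
    foreach ($f in $filters) {
        # A missing log or provider is not an error here; just try the next one.
        $found = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
        if ($found) { return $found }
    }
    return @()
}

$events = Get-DefenderEvents -StartTime $since
if (-not $events) {
    Write-Host "No Windows Defender events in the last $Days day(s)."
} else {
    # Level 1 = Critical, 2 = Error, 3 = Warning (yellow triangle), 4 = Information.
    $events |
        Where-Object { $_.Level -in 1, 2, 3 } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}

# Assumption: on builds that ship the Defender PowerShell module, the detection
# history the "History" tab used to show is available as objects instead.
if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
        Format-Table -AutoSize -Wrap
}
```

Run from an elevated prompt; the Operational channel and the Mp* cmdlets are not readable by a standard user on every build.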
 
All the real time alerts that come in the balloon in the system tray AND that
require an action by the user do show up in Defender's History. For example:
hosts file changes, unclassified programs running (e.g. McAfee stuff), new
driver changes, etc. They are all there in my History, if I have acted to
allow or block.
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


Bill Sanderson said:
History only includes actions taken as a result of a scan, I believe, but
I'm not sure about what happens with known spyware spotted by real-time
protection.

Check the System event log, though:

Start, run, eventvwr.msc <enter>

Click on System, then in View, Filter, and hit the dropdown box for
"source." Set source to "windefend."

That will let you scroll up and down through all Windows Defender related
events--look for yellow-triangles.

--
 
Thanks--I've got that wrong then--sorry about that. I guess this system is
just a little too sheltered--I don't get those alerts, and thus didn't have
any of that in the History.

--

Old Rebel said:
All the real time alerts that come in the balloon in the system tray AND that
require an action by the user do show up in Defender's History. For example:
hosts file changes, unclassified programs running (e.g. McAfee stuff), new
driver changes, etc. They are all there in my History, if I have acted to
allow or block.
 
I have a similar problem in that Defender scan has never found malware on my
PC and I don't know how it will function when it does find something. I also
don't know how well it identifies what it finds or where I can access
Knowledge Base info about the detected item using Defender's terminology for
it. I'm sure it's not missing anything because none of my other security does
either. (I'm like a country boy with a gun cabinet full of guns he seldom
gets to use.)
 
I work with about 4 dozen machines in 3 small offices, and some individuals.
Of all those machines, there are two, in a sub-tenant of one of those
offices, that see regular and substantial spyware issues. Windows Defender
has done a great job in that office, but isn't perfect yet--one of the
machines is pronounced clean, but clearly has something still in place; I
suspect the SpyAxe family.

--
 
Have you tried the revised SpyAxe/SpyFalcon removal procedures suggested by
bleepingcomputer? Apparently, it requires some special tools to deal with
the new SpyFalcon discovered on March 8th, although there's probably even a
newer one out there already.

http://www.bleepingcomputer.com/forums/topic43659.html

Of course there's also the old smitfraud procedures:
http://www.bleepingcomputer.com/forums/topic17258.html

I know you've probably seen these and you have the knowledge to use other
tools also. I'm hoping someone will make note of the links for their own use
before they need it. I've got so many bookmarks to things like this - I need
to delete some old ones to make room for the new ones!!!
http://wiki.castlecops.com/Malware_Removal:_SpyAxe_Removal
 
When Defender finds malware, does Defender provide any links to knowledge
base articles about that specific malware? If not, wouldn't it be good if it
did?
 
Hi Old Rebel

More bookmarks/favorites ;)

This one is new and really ugly with a rootkit.

http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure

Winfixer and Errorsafe are detected with WD's RTP protection.
Errorsafe I have tested myself. WD missed SpyFalcon but probably
catches it now.

But this new Winfixer variant is something special........... ;(

This URL is also good to see all of these pests:

http://www.malwarecomplaints.info/viewforum.php?f=4&sid=ca744ecc6457610812b5bd72e48f3c8b


regards
plun
 
Thanks plun. I knew about the site, but I did not know they provided links to
removal. I guess I need to study further.
 
I can't tell what their intentions are about this. I saw your post about
this, but I don't have a good answer, so I left it alone. I believe that in
some cases--trojans, for example, I have seen links to Microsoft's virus
info database, as referenced by OneCare--and sometimes those links have
excellent information. However, I may be confusing OneCare with Windows
Defender.

--
 
Hi

We are deep in a thread now so I also post this one:
http://amaena.com/security/?aid=fromhome&lid=redir

Really ugly. Close with "X" if it starts anything!

I sincerely hope that WD also catches these...........

This is difficult.... I know the address but MS wants
malware files within a report. Should I infest my own PC ;) or
try to report this address?

regards
plun
 
No thanks, plun. I can see that following you around would be like going
hunting with Dick Cheney. Come to the Palmetto State sometime and I will take
you snipe hunting. LOL
 
Windows Defender Live (Beta), help needed from Microsoft.
Except for the new download Signature Version 1.14.1314.1, all previous
versions have fallen into a loop to High Priority Definition Update
1.14.1314.1 for Beta Windows Defender (KB915597). The users of the Windows
OneCare Live (Beta) have downloaded automatically the file in excess of 54
times, as per the Update History, with no positive results. Previous results
of the Windows Defender (Beta) Definition Updates that worked are:
1.13.1276.3, 1.13.1272.4, 1.13.1276.16, 1.13.1282.6 and 1.13.1386.1 with KB
892519, 892519, 892519, 915597 and 915597 respectively. The loop failure
started when trying to update to 1.13.1288.5 and 1.13.1314.1 both with
KB915597, from older Signature Versions. Worst of all, no removal of the
Defender beta is possible, nor installation of the newer 1314 version on top of
the other.
Microsoft, please read also the many complaints in the Discussion Groups Home.
 
Hi Plun,

I installed the antivirus program of that site! ;)
WD and Trend alert on and block some items.

The program gives a lot of false positives, you understand! ;)
Did an uninstall, removed the dir by hand, did a regclean and then did a
full scan with WD and Trend AS.
WD found nothing, Trend AS found:

Started Scanning
Programs in Memory
Finished Scanning
IE Plugins: Found '{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}' in
'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Windows Shell Settings: Found 'ShellExtension' in
'SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ShellExtension'
Program Startup Areas: Found 'WinAntiVirusPro2006' in
'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'fat.exe' in
'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Started Backup
Finished Backup
Started Cleaning
UnregisterDll - Using Regsvr32.exe.
Cmd='C:\WINDOWS2\system32\regsvr32.exe /u /s "C:\Program
Files\WinAntiVirus Pro 2006\winpgi.dll"'
IE Plugins: Cleaned '{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}' in
'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Windows Shell Settings: Cleaned 'ShellExtension' in
'SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ShellExtension'
Program Startup Areas: Cleaned 'WinAntiVirusPro2006' in
'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Cleaned 'fat.exe' in
'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Finished Cleaning
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in
'CLSID\{27395F85-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Found '' in
'SOFTWARE\Classes\CLSID\{27395F85-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Found '' in
'CLSID\{F1F6A820-2355-11CF-9D53-00AA003C9CB6}'
Windows Registry: Found '' in
'Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Found '' in
'Interface\{4D6CC9B0-DF77-11CF-8E74-00A0C90F26F8}'
Windows Registry: Found '' in
'TypeLib\{27395F88-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Found '' in
'SOFTWARE\Classes\CLSID\{F1F6A820-2355-11CF-9D53-00AA003C9CB6}'
Windows Registry: Found '' in
'SOFTWARE\Classes\Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Found '' in
'SOFTWARE\Classes\Interface\{4D6CC9B0-DF77-11CF-8E74-00A0C90F26F8}'
Windows Registry: Found '' in
'SOFTWARE\Classes\TypeLib\{27395F88-0C0C-101B-A3C9-08002B2F49FB}'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Windows Registry: Cleaned '' in
'CLSID\{27395F85-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Cleaned '' in
'SOFTWARE\Classes\CLSID\{27395F85-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Cleaned '' in
'CLSID\{F1F6A820-2355-11CF-9D53-00AA003C9CB6}'
Windows Registry: Cleaned '' in
'Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Cleaned '' in
'Interface\{4D6CC9B0-DF77-11CF-8E74-00A0C90F26F8}'
Windows Registry: Cleaned '' in
'TypeLib\{27395F88-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Cleaned '' in
'SOFTWARE\Classes\CLSID\{F1F6A820-2355-11CF-9D53-00AA003C9CB6}'
Windows Registry: Cleaned '' in
'SOFTWARE\Classes\Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}'
Windows Registry: Cleaned '' in
'SOFTWARE\Classes\Interface\{4D6CC9B0-DF77-11CF-8E74-00A0C90F26F8}'
Windows Registry: Cleaned '' in
'SOFTWARE\Classes\TypeLib\{27395F88-0C0C-101B-A3C9-08002B2F49FB}'
Finished Cleaning
So WD did not find a thing and Trend AS found a lot.

Regards >*< TOM *<

plun wrote:
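As an added example (not from the thread, and not Trend's or Microsoft's tooling), this read-only PowerShell audit enumerates the autostart and Explorer hook locations the scan log above lists, so a machine a scanner reports as clean can be checked by hand. The registry paths come from the log; the Resolve-Clsid helper and the HKCU Run keys are my additions.

```powershell
# Added example, not from the thread. Read-only: it lists, it never deletes.
# Locations taken from the Trend AS log: Run, RunOnce, Browser Helper Objects
# and the Drive context-menu handlers. HKCU Run keys added as an assumption.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own note properties
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Map a CLSID to the DLL Explorer/IE would load for it (hypothetical helper).
function Resolve-Clsid([string]$Clsid) {
    $k = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path $k) { (Get-ItemProperty -Path $k).'(default)' } else { '<no InprocServer32>' }
}

function Get-ShellHooks {
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $cmh = 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers'
    if (Test-Path $bho) {
        # BHO subkeys are named by CLSID, exactly like the one found in the log.
        Get-ChildItem -Path $bho | ForEach-Object {
            [pscustomobject]@{ Kind = 'BHO'; Name = $_.PSChildName; Dll = Resolve-Clsid $_.PSChildName }
        }
    }
    if (Test-Path $cmh) {
        # Handler subkeys carry the CLSID as default value, or are themselves the CLSID.
        Get-ChildItem -Path $cmh | ForEach-Object {
            $clsid = (Get-ItemProperty -Path $_.PSPath).'(default)'
            if (-not $clsid) { $clsid = $_.PSChildName }
            [pscustomobject]@{ Kind = 'DriveContextMenu'; Name = $_.PSChildName; Dll = Resolve-Clsid $clsid }
        }
    }
}

Get-RunEntries | Format-Table -AutoSize -Wrap
Get-ShellHooks | Format-Table -AutoSize -Wrap
```

Anything whose Command or Dll points into a vendor directory you did not install (the log's example is "WinAntiVirus Pro 2006\winpgi.dll") is what to submit to the vendor rather than remove blind.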
 
Hi Tom

Well....... ;)

Check this also, Blacklight rootkit check and maybe a Vundofix.
http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure

I haven't tested if it comes with WinAntivirus or if the bad guys are
using a trojan for Rootkit/Vundo infests.

Nevertheless these apps must be detected and MS must sue the people
behind it because they are using MS signs and defrauding users.

But we have the classic problem again that this page is spread from
prOn, gambling, p2p, warez sites, so maybe this is a punishment......

Internet is a nice place...;)

regards
plun
 
Plun - I assume you saw my post about new submission addresses to send "bad
stuff" to Microsoft, in .announcements? They're interested in URLs like
this, for sure.

One question some folks ask is about whether Microsoft shares the stuff it
gets via this route. The answer is that they do--they have several
established industry-sharing mechanisms--primarily for antivirus issues, but
increasingly for spyware as well--and samples do get shared if they are new.

--
 
Hi Bill

MS must probably change it....... all major vendors
now have problems because all of them are using "dead ends" for reports.

It was probably much easier with old-fashioned viruses to have some
traps out on the Internet.....

If MS malware people don't know about amaena.com
they must be totally isolated from the real world ;)

But amaena.com punishes users who visit p2p, crackz, warez and porn
and therefore it maybe isn't in MS's interest to detect......

http://www.malwarecomplaints.info/index.php?sid=24726a59730978934769fcc0f458cbfb

MS go and get them..............

Spyfalcon for example is not detected within latest defs..... ;(

My TrendMicro PC-cillin detects more than WD just now.....

regards
plun
 