restore points by defender

[Guest]

the restore point made by defender , 2 a day minimum , 1 a starting up and 1
after scanning , are they made by design to do so or is it a new bug ?

 

[Guest]

I would like to know the answer to that also. I just checked my restore
points and it made 6 yesterday and 2 already today. I don't know if that is a
good thing or not, but is it supposed to do it that often? And if so, why? At
least it automatically updated without a problem this tjme. Hurrrah for that!!

 

[Guest]

I think that a restore point because new definitions are installed is already
too much ... imagine a restore point at every run of WD!

 

[Guest]

a solution to this issue is to turn off the real-time protection off defender
, then there are no restore points created by defender anymore.

 

[Guest]

I want the real-time protection on, in the meantime I can live with these too
many restore points.

 

[Joe Faulhaber[MSFT]]

Sorry for our slow response on this issue.

We're working on a KB on how to turn this off, but here's the quick
rundown...

Build 1347 creates a restore point for every cleaning operation. We believe
this is a good thing, however, the implementation makes taking "Allow"
actions on unknown detections a cleaning operation. We clearly need to
change this behavior in the future.. This "feature" is probably what you're
seeing if you have many restore points created by WD. So if you have
notifications on for "Software that has not yet been classified for risks",
you're likely to get a bunch of restore points that aren't particularly
useful.

By unselecting this option, or by just not taking action on unknowns, you
can work around the spurious restore points and keep the RTP protection
active until we document how to turn these restore points off.

Thanks for your reports, and for trying Windows Defender,
Joe

"Gianni1962 Piacenza Italy"

 

[Guest]

Keep the RTP of WD on.

When you do a maintence (each day , weekly, or whenever) run:
My computer, right click, Properties, Disk-Maintenance, run,
other options, check delete old restore points (one recent checkpoint
remªins).

I hope this post is helpful, let us know how it works ºut.
Еиçеl

 

[Guest]

thats not working for me , because the interaction with the symantec resource
protection , wich youre team is also investigating (bill sanderson knows it )
,
because off that interaction ,defender can not allow norton 2006 and so i
think ther only option is turning off real-time defender or symantec resource
protection
but wich ?
i think defenders protection...

 

[John Allen]

I have "Software that has not yet been classified for risks" switched
off but stll get Defender restore points. It produces one "Windows
Defender checkpoint" the first time the computer starts for the day.

No checkpoints prior to 14 April
I upgraded to current version on 14th April - 2 checkpoints
15th - 1 checkpoint
16th - ""
17th - ""
18th - ""
19th - 7 checkpoints (sigs were updated to current this day - 4
checkpoints prior to sig update, 3 following sig update)
20th - 3 checkpoints

Events for 19th were as follows - seems that a checkpoint was produced
for each one.

8:01:50 AM
Windows Defender Real-Time Protection agent has detected spyware or
other potentially unwanted software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {CE7E1AE3-75B1-42AA-A0B5-BBBCF82E4706}
User: JOHN-NAD648S2RH\John
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found:
driverxHelp20;file:C:\WINDOWS\system32\Drivers\PxHelp20.sys
Alert Type: Unknown
Detection Type:


8:02:07 AM
Windows Defender Real-Time Protection agent has taken action to
protect this machine from spyware or other potentially unwanted
software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {CE7E1AE3-75B1-42AA-A0B5-BBBCF82E4706}
User: JOHN-NAD648S2RH\John
Name: Unknown
ID:
Severity ID:
Category ID:
Alert Type: Unknown
Action: Ignore

2:58:45 PM
Windows Defender Configuration has changed. If this is an unexpected
event you should review the settings as this may be the result of
malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\ASSignatureVersion = 1.14.1396.12
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\ASSignatureVersion = 1.14.1402.2

2:58:45 PM
Windows Defender Configuration has changed. If this is an unexpected
event you should review the settings as this may be the result of
malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\EngineVersion = 1.1.1303.0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\EngineVersion = 1.1.1372.0

2:58:45 PM
Windows Defender Configuration has changed. If this is an unexpected
event you should review the settings as this may be the result of
malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\SignatureLocation = C:\Documents and Settings\All
Users\Application Data\Microsoft\Windows Defender\Definition
Updates\{85F4B4A3-C330-450E-88DC-0A04249CA8FB}
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\SignatureLocation = C:\Documents and Settings\All
Users\Application Data\Microsoft\Windows Defender\Definition
Updates\{3A52D1BF-D596-423B-B333-DB312E6427BA}


2:58:45 PM
Windows Defender engine version has been updated.
Current Engine Version: 1.1.1372.0
Previous Engine Version: 1.1.1303.0
Update Source: Scheduled
User: NT AUTHORITY\SYSTEM

2:58:45 PM
Windows Defender signature version has been updated.
Current Signature Version: 1.14.1402.2
Previous Signature Version: 1.14.1396.12
Update Source: Scheduled
Signature Type: AntiSpyware
Update Type: Full
User: NT AUTHORITY\SYSTEM
Current Engine Version: 1.1.1372.0
Previous Engine Version: 1.1.1303.0


John Allen

 

[Guest]

We are relying on Symantec for AntiVirus protection, and are using
ewido antimalware as an on demand scanner in order to get a
second opinion. We are (were?) hoping to use the WD for
RTP. In what might be called a self-defeating attempt, several
colleauges has already turned of the RTP on WD, and some have
been asking to have WD removed from their machines.

It appears as if that MS does not only subscribe to the Mushroom
Protocol but it also appears if that MS thinks that the superious restore
points created by WD are not a bug, and that they are a feature.

After the latest signature update some of the superious restore
points are gone. Neverthless, a restore point is created every time
WD is started which usually happens when a machine is started.
It can also happen if a user exits WD for some reason and it is
started again.

How about a decent fix of the bug. Instead of a lame attempt to
get rid of this annoying bug (feature?).

 

[Guest]

That's NOT a fix for a crappy bug!

Users want Restore Points kept for useful checkpoints and at frequent
intervals, but not every couple of hours as WD is doing.