WD heuristic detection

[Anonymous Bob]

I just told someone that the highest level of heuristic detection was only
available if you join SpyNet at the advanced level. I got that impression
from the write up under Click Tools | SpyNet.

Is there no heuristic detection unless you join SpyNet at the advanced
level?

Bob Vanderveen

 

[Bill Sanderson MVP]

I don't think this is correct, based on my reading, but let me find an
actual Windows Defender install to quote properly:

" You are alerted so that you can take action when Windows Defender detects
software or changes made by software that has not yet been analyzed for
risks."

I think that's the operable part of the "advanced" paragraph.

So--how does this related to Tools Options, Choose if Windows Defender
should notify you about:

Software that has not yet been classified for risks (hmm--classified
vx analyzed)
Changes made to your computer by software that is permitted to run.

I can recall folks suggesting that there was some interlock between Advanced
Spynet membership and these Options settings--but that sure isn't mentioned
in either the help for the product or the Spynet writeups--so I am inclined
not to believe it.

Here's my understanding: Joining Spynet involves sending data to
Microsoft--the kinds of data are laid out clearly in the privacy statement
found here:

http://www.microsoft.com/athome/security/spyware/software/privacypolicy.mspx

This has a lot of technical content in addition to statements about where
data is stored and legalities--its worth reading.

The distinction between basic Spynet membership and Advanced relates solely
to the amount and type of information sent. Advanced membership may
occasionally send personally identifying information, which Microsoft
contractually agrees not to use and to hold confidential.

If you join Spynet, you may receive information when looking at the screen
Windows Defender displays when asking you to choose an action with regard to
a piece of software which has not yet been classified (or analyzed, or
something...) I really can't recall having seen such feedback--but I have
no doubt whatsoever that feeding the information to Microsoft is of benefit
to all of us--and you can read some of the results of that in the annual
security reports that provide statistics partly based on that information.

I don't see the word heuristic used anywhere in the Microsoft help or
descriptive information.

I think that Windows Defender provides the same level of protection to all
users. If you choose Spynet membership you add value for all of us in the
data you provide. And, you may receive information in return--relating to
the collective judgements made by other spynet members about something you
are seeing that has not yet been classified.

So--I think not. If your thought were correct, Microsoft would be
witholding a level of protection and granting it only if the user agrees to
give up possible pii. That just isn't a stance they would take, in my
opinion.




--

 

[Robinb]

that is why i feel the help files need a rewrite for the "average" user
because it is confusing and frustrating and only someone who is an IT person
can figure it out or us who have beta tested it and from posting in here we
all figured it out together.
robin

 

[Joe Faulhaber[MSFT]]

Hi all,

Heuristic detections are NOT a function of SpyNet membership - these
detections are governed by their own checkbox in Tools->Options only.
Detections by heuristics are displayed as threats, not unknowns. I can see
your point, it gets confusing as to what's going on with the language used,
however.

There is a single interlock between SpyNet membership and functionality -
the notification for software not classified for risks is turned on when you
join Advanced SpyNet, but you can turn this checkbox off and remain in
Advanced SpyNet.

Advanced SpyNet membership is pretty much just like Bill says - there's a
bunch of legal text in there, but some of the highlights of the additional
information sent to SpyNet for Advanced users is data on what IP
addresses/ports a process connects to, which modules an exe loads or which
exes load a DLL, and data on potential rootkits. SpyNet focuses on
exectuable files and applications, not on you or your data.

Hope this helps,
Joe

 

[Anonymous Bob]

Hi all,

Heuristic detections are NOT a function of SpyNet membership - these
detections are governed by their own checkbox in Tools->Options only.
Detections by heuristics are displayed as threats, not unknowns. I can see
your point, it gets confusing as to what's going on with the language used,
however.

There is a single interlock between SpyNet membership and functionality -
the notification for software not classified for risks is turned on when you
join Advanced SpyNet, but you can turn this checkbox off and remain in
Advanced SpyNet.

Advanced SpyNet membership is pretty much just like Bill says - there's a
bunch of legal text in there, but some of the highlights of the additional
information sent to SpyNet for Advanced users is data on what IP
addresses/ports a process connects to, which modules an exe loads or which
exes load a DLL, and data on potential rootkits. SpyNet focuses on
exectuable files and applications, not on you or your data.

Hope this helps,
Joe

Much appreciated, Joe.
Thank you.

Bob Vanderveen

 

[Bill Sanderson MVP]

Thanks!