« BackMicrosoft didn't sandbox Windows Defender, so I did (2017)blog.trailofbits.comSubmitted by LorenDB 4 hours ago
  • Animats 13 minutes ago

    So did Microsoft ever fix this?

    Hostile code scanners need to look at a lot, but they don't need permission to write much. If sandboxed that way, attacks aimed at the code scanner don't do much.

    • seanw444 8 minutes ago

      I just sandbox Windows itself. My only complaint is that I can't play some online games.

      • dang 36 minutes ago

        Discussed at the time:

        Microsoft didn’t sandbox Windows Defender, so I did - https://news.ycombinator.com/item?id=14909759 - Aug 2017 (43 comments)

        • Eisenstein an hour ago

          Now please tell me how to remove Defender.

          • xeeeeeeeeeeenu an hour ago

            You can reliably disable it with Group Policy Editor. At least on Win10, not sure about Win11.

            • andrewxdiamond an hour ago

              I have to ask what motivates that. Defender has been extremely unproblematic and pretty good as far as MS software goes, for my experience at least.

              • maccard 12 minutes ago

                I see about a 100x slowdown on some applications[0] and IO heavy operations with defender in win11. It's unbelieveable how slow it is. I was a huge proponent of it in Win10, but I'm finding it hard to do so now.

                [0] The software I'm using does a scan over a few hundred thousand files to read file headers. Without windows defender it takes about 30 seconds, but with defender it takes about 300.

                • tredre3 23 minutes ago

                  Defender slows down build times significantly.

                  You can set exclusions of course, but it does get tedious because every time you have a new project you need to add exclusions for its folder and the toolchain. Then every time a toolchain is updated (eg .../gcc/11.5 changes to gcc/11.5.2 you have to enter the 20 new exe exclusions and of course windows won't let you mass delete the old ones so it's click->confirm->click->confirm x50).

                  I might not do it myself but I can see why someone would just say "enough is enough".

                • Eisenstein 14 minutes ago

                  It adds a non trivial amount of time for each file access.

                • nyanpasu64 an hour ago

                  I've gotten it to work on Windows 10 by booting into live Linux and renaming the Windows Defender folder in Program Files. No clue if it would work on 11.

                  • 0cf8612b2e1e 12 minutes ago

                    I am surprised that ever worked. I was confident Win10 did verification that system files were in place and matched a hash or some other integrity mechanism.

                  • IntelMiner an hour ago

                    Removing core parts of Windows is not a good idea

                    • MengerSponge an hour ago

                      "Erase disk and install Ubuntu"

                      https://ubuntu.com/tutorials/install-ubuntu-desktop#6-type-o...

                      • CoastalCoder 37 minutes ago

                        And then Clippy sneaks up behind you, and whispers menacingly in your ear, "It looks like you're installing an operating system."