Defender alerts at Amazon.com???!!!

Guest

Here's the scenario:

I'm browsing Amazon.com, and find a CD track for which I want to hear a
sample. I click the sample button to play it using Media Player (9).

Defender promptly goes nuts. Bombards me with a heap of information, none of
which I understand, about changes made to my firewall [the new configuration
being 1245:UDP:*Enabled: WindowsMedia Format SDK (wmplayer.exe)], and demands
to be told whether to allow or block this action.

In the dialogue box that appears there seem to be two almost identical
events listed (the only difference is the stated port number), one of which
has been already allowed by Defender, it seems. I decide to block the other
one.

Defender goes nuts again and grinds to a halt with the error message
0x80501001.

I start up Defender again, which tells me there's a problem and I must do a
scan. I do one. It tells me everything is OK.

I go back to Amazon.com, and try to play a sample again. And the whole damn
rigmarole begins again. I give the whole thing up as a bad job and check
Defender's history log. Here, I find Defender preening itself for having made
four different successful (!!!!) interventions, two 'allow's (about which I
wasn't consulted) and two 'block's (which had both actually failed with an
error message, though this was not recorded in the log).

Conclusions:
1. I don't believe Amazon.com was doing anything malign to my system, even
though Defender thought it was.
2. Defender's intervention was totally useless to me. I understood almost
nothing of what it was telling me. I was completely incapable of making any
decision on the basis of what Defender told me. Even if I had been the victim
of something malignant, Defender's response was of no use to me.
3. When I actually told Defender to block, it failed to do so and reported
an error instead, but still smugly recorded the action as successful in the
history log. This beggars belief. Has anyone tested Defender with a lie
detector?

Can anyone tell me, please, in plain English, what this unnecessary Defender
fuss was really all about?
 
Bill Sanderson MVP

Hmm--well, I can tell you that when I try the same operation on Vista with
Media Player 11, I don't get a peep out of Defender, but that may not be
helpful--will keep testing, but I've lost contact with an office where I
have a wider range of versions to test with, for the moment.
 
Steve Dodson [MSFT]

Please send me a comment through my blog with the exact spynet settings,
defender, definition, and engine version, and the URL from amazon.com you
are using so I can attempt a repro.

-steve

Steve Dodson [MSFT]
Windows Defender Beta Lead
MCSE, CISSP
http://blogs.technet.com/stevedod





This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.




Guest

Steve Dodson said:
Please send me a comment through my blog with the exact spynet settings,
defender, definition, and engine version, and the URL from amazon.com you
are using so I can attempt a repro.

Thanks Steve - I've done that.
Alan
 
Guest

Just following on... trying to understand this morning what WD was trying to
tell me last night when it said this:
changes made to my firewall
1245:UDP:*Enabled: WindowsMedia Format SDK (wmplayer.exe)]

Was wmplayer.exe telling Windows firewall to open port 1245? Is that what
this message means? During the mayhem, ports 1224, 1245, 1245 and 1246 were
all involved, two being allowed by WD automatically, and two blocked by me.

(I went to the Shields-Up! website this morning and got it to test those 4
ports, and they all gained a stealth rating. But is that irrelevant, after
the event?)
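
A small parser for the alert text asked about above, as an added example that is not part of the original thread. It assumes the Windows XP SP2 firewall open-port entry layout `port:protocol:scope:status:label`; the function names and the two extra sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed entry layout (Windows XP SP2 firewall open-port list):
#   port:protocol:scope:status:label      scope "*" = any source address
# The alert as quoted in the thread has no colon after "*", so it is optional.
ENTRY = re.compile(
    r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<scope>[^:]+?):?"
    r"(?P<status>Enabled|Disabled):\s*(?P<label>.*)$", re.IGNORECASE)

def parse_entry(text):
    """Split one open-port entry into its fields; raise ValueError if malformed."""
    m = ENTRY.match(text.strip().strip("[]"))
    if not m:
        raise ValueError(f"not an open-port entry: {text!r}")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {"port": port, "proto": m["proto"].upper(), "scope": m["scope"],
            "enabled": m["status"].lower() == "enabled",
            "label": m["label"].strip()}

def explain(e):
    """Render a parsed entry as one plain-English sentence."""
    who = "any address" if e["scope"] == "*" else f"addresses in {e['scope']}"
    state = "active" if e["enabled"] else "present but switched off"
    return (f"Inbound {e['proto']} port {e['port']} is opened to {who} "
            f"({state}); the rule is labelled '{e['label']}'.")

def ports_by_label(lines):
    """Group enabled ports under each rule label so repeated alerts collapse."""
    grouped = defaultdict(set)
    for line in lines:
        e = parse_entry(line)
        if e["enabled"]:
            grouped[e["label"]].add((e["proto"], e["port"]))
    return {label: sorted(ports) for label, ports in grouped.items()}

# First line is the alert text quoted in the thread; the other two are
# constructed from the port numbers the poster mentions.
SAMPLE = [
    "1245:UDP:*Enabled: WindowsMedia Format SDK (wmplayer.exe)]",
    "1224:UDP:*:Enabled:WindowsMedia Format SDK (wmplayer.exe)",
    "1246:UDP:*:Disabled:WindowsMedia Format SDK (wmplayer.exe)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(explain(parse_entry(line)))
```
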
 
plun

Was wmplayer.exe telling Windows firewall to open port 1245? Is that what
this message means? During the mayhem, ports 1224, 1245, 1245 and 1246 were
all involved, two being allowed by WD automatically, and two blocked by me.

(I went to the Shields-Up! website this morning and got it to test those 4
ports, and they all gained a stealth rating. But is that irrelevant, after
the event?)

Hi

I believe this is "bad logic" with WD because of streaming mechanisms
and UDP.

You can easily watch what happens with TCPView during a streaming
session.

http://www.sysinternals.com/Utilities/TcpView.html

More facts:
http://en.wikipedia.org/wiki/Streaming_media

(download everything from Sysinternals, MS bought this company and
all great tools are probably gone soon)
http://www.sysinternals.com/Utilities.html


regards
plun
 
Guest

plun said:
I believe this is "bad logic" with WD because of streaming mechanisms
and UDP.
You can easily watch what happens with TCPView during a streaming
session.
http://www.sysinternals.com/Utilities/TcpView.html

Thanks Plun, but I don't think I have the basic knowledge necessary to
understand any of this. And really, that is the most worrying aspect of this
whole episode. I think my limited knowledge and understanding is typical of
millions of users - perhaps a bit better than average. The false alert in
itself doesn't bother me much. What is dismaying is the sheer
incomprehensibility of the alert that Defender gave me in this situation.

Now my understanding of the Defender philosophy is that, like the Windows
firewall, it is aimed at the non-specialist, bog-standard user. Great. That's
a noble aim. I want that. But if a sympathetic, interested, and
partly-informed non-specialist like myself is left bewildered by the
screenful of incomprehensible computerspeak that constitutes a defender alert
(to the extent of being unable to make a decision that Defender requires me
to make), then I'd say that Defender is still a long way wide of the mark
it's trying to hit. I'm not talking here about the adequacy of its coding. I
can't assess that. But I CAN assess the adequacy of its communication skills
when it tries to tell me something in a crisis; and in their present form
they are worse than useless.

Please note, Microsoft. This is a very, very serious failing.
 
robin

Hia Alan
I just tried to reproduce what you said here by going to amazon.com on one
of my computers running xp pro sp2 and using windows media player 10- not 9.
Windows Defender did nothing- no bubbles, no popups- nada.
My other two computers are in the middle of backups but tomorrow I will try
it on them and see what happens.

robin
 
Robin

ok i just tried it again (my other computer just finished its backup) and no
problems when trying to listen to a specific song on amazon.com. WD did not
popup screaming anything.
robin

Guest

Robin said:
ok i just tried it again (my other computer just finished its backup) and no
problems when trying to listen to a specific song on amazon.com. WD did not
popup screaming anything.

Thanks for trying this Robin. Two thoughts occur to me:
1) I'm using the Windows firewall, so maybe there's some particular
interaction between it and Defender that generated the problem?
2) Maybe I should upgrade to Media Player 10 and see if it still happens.
(There was no problem if I opted to use Real Player instead.)
 
Guest

Hi there. I've "the same" difficulties with WD when using Mediaplayer 10
while watching videoclips on the Microsoft site!! Not always, but somewhat
more than sometimes. If the videoclip DOES start, I BLOCK the changes in WD
since the clip is playing! Sometimes an ERROR occurs in WD stating that the
blocking has gone wrong, maybe a bug?, but it then advises to do a quick
scan. After the quick scan has run, the blocking result has been performed.
When the videoclip does NOT start, I BLOCK the event in WD, since I do not
know what WD means with the Windows Firewall ports. I can live with this
bug(?) in WD, it happens too little to make a fuss about it and the clips are
also available on Quicktime and other sites. BUT, MS has to do some more
programming in WD! I have a firewall on my Alcatel Speedtouch ADSL
router/modem, XP firewall is on, NIS2005 is on, popupblockers from SP2 &
Google and NIS2005 (NOT the ADVERT blocker!) are on. I have a Dutch XP PC
completely up-to-date with updates, no problems at all. WD has always run
great, with very very little and small errors, but the errors while playing
or downloading music/videos are somewhat familiar to me. Let's wait on the
explanation from an expert concerning the WD firewall changes when playing or
downloading clips/music!

Jan vd Eeden - The Netherlands -
 
