Defender B2 - Not respecting "DISABLE" for startup program

[Guest]

Loaded and began using B2 today. I decided to check to see if a BUG in MSAS
(B1) had been resolved. To my dismay I find that not only has it not been
resolved (it was a known issue), it's been made worse!

Specifically, in Beta 1, if a program attempts to add itself to the startup
(RUN) registry, MSAS would prompt to allow or not. You could check the box
to prevent it, but it would allow it anyway.

In B2 (Defender) it now allows it automatically (though it will notify you)
and then going into Explorer and selecting DISABLE has no effect.
Specifically, the application change will be allowed again.

To test this behavior: Open the RUN key and remove the QuickTime Boot Task
from the startup registry. Go to www.apple.com and visit the quicktime tab.
Quicktime will automatically be added back to your startup registry (you will
be notified depending on your settings). Now, open defender, use the
Tools/Explorer option to browse the startup programs. Select the Apple
Quicktime startup task. Select DISABLE. Notice that "Allow" is still listed
as the classification. Next, select REMOVE. This will remove it from the
registry. Now go back to the apple website, select Quicktime and notice that
Quicktime will be allowed back into the registry.

What's the purpose of the DISABLE button?? Am I totally missing something?

 

[Ravi [MSFT]]

We know that Quicktime adds itself back into the run keys everytime its run.
This version of defender will not be able to recognize that a new run key
entry is something that you already disabled/removed and take that action
automatically everytime that entry tries to get back in. Sorry.

--
Ravi Sathanur [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

 

[Cal]

Wow, isn't that a bad thing? Please tell me that in the next
version (since this version apparently can't do anything about
it) this issue will be overcome.

--


-callahan

We know that Quicktime adds itself back into the run keys everytime its run.
This version of defender will not be able to recognize that a new run key
entry is something that you already disabled/removed and take that action
automatically everytime that entry tries to get back in. Sorry.

--
Ravi Sathanur [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Loaded and began using B2 today. I decided to check to see if a BUG in
MSAS
(B1) had been resolved. To my dismay I find that not only has it not been
resolved (it was a known issue), it's been made worse!

Specifically, in Beta 1, if a program attempts to add itself to the
startup
(RUN) registry, MSAS would prompt to allow or not. You could check the
box
to prevent it, but it would allow it anyway.

In B2 (Defender) it now allows it automatically (though it will notify
you)
and then going into Explorer and selecting DISABLE has no effect.
Specifically, the application change will be allowed again.

To test this behavior: Open the RUN key and remove the QuickTime Boot
Task
from the startup registry. Go to www.apple.com and visit the quicktime
tab.
Quicktime will automatically be added back to your startup registry (you
will
be notified depending on your settings). Now, open defender, use the
Tools/Explorer option to browse the startup programs. Select the Apple
Quicktime startup task. Select DISABLE. Notice that "Allow" is still
listed
as the classification. Next, select REMOVE. This will remove it from
the
registry. Now go back to the apple website, select Quicktime and notice
that
Quicktime will be allowed back into the registry.

What's the purpose of the DISABLE button?? Am I totally missing
something?