For $1,000,000 dollars...What is a Signature Default?

Guest

In Windows Defender -> General Settings -> Default Actions -> High, Medium,
Low Alerts. There are three choices for each of these:

1. Signature Default
2. Ignore
3. Remove

I am pretty sure I understand the Ignore and Remove choices, but what does
Signature Default mean? This is not clear, and the help instructions don't
explain this. What happens if that is the choice and an item is found? Can
you have it leave a pop up screen, like AntiSpyWare does now, requesting the
user decide what should be removed or ignored?

Mike asked about this same thing on 2-15-06, and got no replies. I gather
this is a tough question. But it is very important to our users.

Thanks
 
Bill Sanderson

That's why the rest of us "peers" out here are waiting for word from
Microsoft on this one. I could speculate--there are various levels of risk
in the signatures, and my guess is that for each level of risk there is a
potentially different default action. For Kazaa, for example, the default
might be quarantine. For a keylogger, the default would be remove.
However--I'm guessing. If this isn't covered in the help, we're going to
have to wait to see whether any of the Microsoft staff reading these groups
is able to enlighten us.

This is an unsupported beta product. This forum is for peer support.
There's no guarantee of an authoritative answer to any given question--price
no object.
 
Mike Treit [Msft]

First of all, one point of clarification: this setting simply defines the
action that is selected by default in the dropdown in the UI when you are
presented with the dialog asking you what actions you want to take. It does
not specify an action that Windows Defender will take automatically without
asking you first. Windows Defender will always ask you to make an
affirmative decision before applying actions to any threats found.

The "Signature default" option simply means that for a given threat, the
action that is selected by default in the drop-down is defined in the
signature for that threat. Typically this is based on the overall severity
(i.e., the "Alert level") of the threat.

For instance, a high severity threat will normally have a recommended action
of "Remove" and, if you have chosen the "Signature default" option, that is
what will be selected by default for that threat in the drop-down box in the
Scan Results dialog. If you have, for example, changed the default to
"Ignore" for all high severity threats, then that will be displayed instead
of the "Remove" action that is suggested in the signature definition.

Although we have the flexibility to define different recommended actions in
the signature that do not correspond directly to the "Alert level" of the
threat, for Beta 2 the breakdown is generally the following:

Threats that are "High" or "Severe" will have a recommended action of
"Remove" defined in the signature. "Remove" will be selected by default in
the Action dropdown when such a threat is found.

Threats that are "Moderate" will not have a recommended action. The dropdown
will say "Select an action" and no action will be taken until you explicitly
choose one of the possible options "Ignore", "Remove", "Quarantine" or
"Always Allow".

Threats that are "Low" will have a recommended action of "Ignore" defined in
the signature. "Ignore" will be selected by default in the Action dropdown
when such a threat is found.

Typically leaving the setting at "Signature default" is a good choice, but
the setting is there so that you have the flexibility to change this
behavior if you wish.

Note that the set of actions and the behavior of the signatures may be
changed in the future, so don't consider the rules described above to be set
in stone.

Thanks

-Mike
 
plun

Hi Mark

- There is no definition what unwanted software or
ad/spyware is.

ASC is working with that:
http://www.antispywarecoalition.org/

This picture maybe shows what default action can be....... :)

http://www.spywarewarrior.com/pics_pub/spencer_katt-sm.gif

Because of this it's important to use at least 2 antispyware scanners
to see all threats.

Microsoft is also a commercial company with MSN and other allied.

So I recommend to at least also use Lavasoft's Ad-Aware for on demand
scans from time to time.

http://www.download.com/Ad-Aware-SE...045910.html?part=dl-ad-aware&subj=dl&tag=top5

regards
plun
 
Guest

You win!!! But really, thanks to everyone for those answers. It now makes
sense, although for our users we would never want to go with the "Signature
Default" as that might remove some software that we installed (i.e. VNC). As
it is now I have to pre-run Windows Defender on all my VNC-machines to get to
the part where I tell it to Always Allow VNC, and that is somewhat of a
hassle. A Signature Default action would be worse however. Thanks again for
all your help.
 
Bill Sanderson

I think at release time, when management templates are available, this will
all be easier.
