How to turn off 3-day-alert?

Guest

My Defender always warns me to scan my system, because "U haven't scanned
system for three days". Defender is a liar. I:)
I've scheduled it to a daily, quick scan - which has been and is performed
regularly and in order.
Despite this, a yellow exclamation mark can be seen on the tray icon.
How to turn this disturbing alert off?
Thanx for Your answer!
 
Bill Sanderson MVP

What is the version of Windows Defender?

Please go to Help, about, and post the topmost of the three version numbers
there.

In general, if you are on the latest version (1347 at this writing)--I would
recommend running an update install--start, control panel, add or remove
programs, Windows Defender, change, update.
 
Guest

Bill Sanderson MVP said:
What is the version of Windows Defender?

Please go to Help, about, and post the topmost of the three version numbers
there.

In general, if you are on the latest version (1347 at this writing)--I would
recommend running an update install--start, control panel, add or remove
programs, Windows Defender, change, update.

--




Hi Bill, good to c U again!

Mine is as fresh as it could be, like:

Windows Defender Version: 1.1.1347.0
Engine Version: 1.1.1508.0
Definition Version: 1.14.1532.14
Is it a minor bug, or sg? Also it always notifies me: there's a change in a
known application, MpCmdRun.exe...Is it some kind of commandline part?
 
Bill Sanderson MVP

I'd do the repair--something is wrong--the scheduled scan completions aren't
getting back to the program apparently.

The mpcmdrun message relates to the re-scheduling of the scheduled scan,
which is done by the command-line app mpcmdrun. You'll see this message if
the non-default setting to "notify me of changes made to the system by
applications that are allowed to run" is checked off in options.

A number of folks have commented about this particular message. It seems to
me that somehow exempting Windows Defender changes from a choice which is
meant to warn you about changes to applications on your machine lessens
security, rather than increases it. I'm quite satisfied with knowing the
reason behind this message, myself.


--
 
Guest

Bill,
Are you saying that the "latest greatest" should not be giving the three day
warning any more? I had not heard this. If this is the case, I am happy
about it.

?:)
Tim
 
Bill Sanderson MVP

Here's what I was thinking. There was a bug in some previous beta2 version
such that even if the scheduled scan was set to weekly, you'd get a 3-day
nag. That was fixed in a later UI version--probably long before the current
version.

So--that was probably muddled thinking on my part.

If you are on daily scheduled scans, I believe the 3 day nag is still there.
If you are on a weekly or longer schedule, I thought this was not there.

What's your experience?
--
 
Guest

Bill Sanderson MVP said:
Here's what I was thinking. There was a bug in some previous beta2 version
such that even if the scheduled scan was set to weekly, you'd get a 3-day
nag. That was fixed in a later UI version--probably long before the current
version.

So--that was probably muddled thinking on my part.

If you are on daily scheduled scans, I believe the 3 day nag is still there.
If you are on a weekly or longer schedule, I thought this was not there.

What's your experience?
--




Bill, Thanx for Your time and contribution.
I've done the update-procedure as recommended - apparently time's 2 short
to get the consequences. In the meantime, I'll reschedule my settings to
weekly full system scan. We'll see how it works...
On the other hand, checking this "changes made....which is allowed to
run" really works. WDef now generally produces 1 SR-point (still called
Windows Defender Checkpoint).
As for the registry hack I've got some real bad experiences. MsMpEng.exe
kept running (even when WindowsDefender was shut down), eating 40-80 % CPU,
ventilation at maximum capacity on my laptop...MpCmdRun was also in heavy
action...
So I cleared that very Dword registry entry, and symptoms ceased at once.
U want me to update U on WD nagging or not nagging 3-day scan-alerts?
 
Bill Sanderson MVP

--

..
U want me to update U on WD nagging or not nagging 3-day scan-alerts?

Sure--if it is still 3-day nagging when the scan is weekly, that's a bug, I
think.
 
Guest

Hi Bill,
My experience is I don't have auto scanning enabled at all. I run a manual
scan once every three days just to stop that annoying reminder from popping
up.

I use Defender for its RTP/resident properties. I use Ad-AwareSE, SpyBot
S&D, and Yahoo AntiSpy for On Demand Scans. As the Beta2 is much more flaky
than the Beta1 I really am not sure how much I want to trust it to do Full
Scans as these are covered by the more established and stable products. I
practice very safe browsing so I feel this works for me. Three reactive
Programs, which are stable, and one proactive program, Defender, to try to
catch "it" at the front door.

What is your opinion of using SpyBot S&Ds Teatimer and BHO functions in
conjunction with Defender. I thought you were only supposed to use one RTP
at a time. I asked this in a recent post but the response was not very
helpful, just a bunch of links I already knew about that did not address the
question of "WINDOWS DEFENDER" and Tea Timer and/or the BHO. Do YOU use them
in conjunction with Defender? WOULD YOU recommend it as a safe/stable
combination? I would really like your opinion.

Oh, back to the original train of thought. So if I don't have an Auto Scan
set will I get bugged after three days? I'm going on vacation soon and would
like it if the other user of the machine did not have to be annoyed.

Thanks in advance,
?:)
Tim
Geek w/o Portfolio
 
Guest

Bill Sanderson MVP said:
A number of folks have commented about this particular message. It seems to
me that somehow exempting Windows Defender changes from a choice which is
meant to warn you about changes to applications on your machine lessens
security, rather than increases it. I'm quite satisfied with knowing the
reason behind this message, myself.

Well, look at it a different way, Bill. I get that message every startup and
I ignore it. But suppose I acquired a malware infection that really DID make
a change to Defender. I'd simply ignore it. If Defender goes on crying 'wolf'
when there isn't a wolf around, day after day ... how are we to know when
there really is one?
 
Bill Sanderson MVP

--

Well, look at it a different way, Bill. I get that message every startup and
I ignore it. But suppose I acquired a malware infection that really DID make
a change to Defender. I'd simply ignore it. If Defender goes on crying 'wolf'
when there isn't a wolf around, day after day ... how are we to know when
there really is one?

Thanks - that's certainly a fair way to think about it as well. One way to
remove the prompt is to uncheck the option, but I'm with you in feeling that
this is a useful option at times, as long as the user is reasonably
knowledgeable and remembers that the option is on--i.e. recalls why they are
seeing those messages.

There are actually a number of settings changes which Windows Defender logs
to the event log but doesn't directly alert about--and those logs can be
reviewed to check whether those changes are expected.

Clearly there's a balance here. Thanks for the discussion--and I'll leave
it to the Microsoft folks reading to make a determination about whether
they've reached the right point on that balance or not.
 
Bill Sanderson MVP

I don't know the answer about whether/when the user will get reminded, if no
scheduled scan is enabled.

My guess/hope is that it might be some reasonably long time--like a couple
of weeks--but I don't have any machines with that configuration, and I
haven't intentionally tried to test it. Sorry I can't say anything more
useful.

I don't have direct experience about the mix of real-time protection
products you mention. I removed Spybot Search & Destroy from my system some
time back because it identified the definition update mechanism of my
then-current antivirus product as spyware, and suggested that I remove it
(it was a proprietary implementation of Backweb.) I didn't think this was a
good idea, but the Spybot support folks weren't very sympathetic at the
time.

I believe that tea-timer has sometimes caused some issues that have been
perplexing to deal with here because it hasn't been clear that it was
involved--i.e. the post didn't mention it.

The release notes for Windows Defender don't mention conflicts with other
antispyware apps--the only note I recall is the suggestion to turn off
real-time protection from antivirus apps during the installation process.

So--I wouldn't worry about this--but if issues arise, you should remember to
post that tea-timer is involved, and perhaps test by turning that off to see
whether things change.

--
 
Guest

Bill and Alan,

Though there are good arguments for both viewpoints here, I think we're
overlooking one thing, the fact that Alan only enabled the display of
"changes made ... for software that is allowed to run" in order to suppress
the associated System Restore Points, which were a greater concern for him.

I believe the setting is perfectly appropriate and any change that isn't
consistent, such as arbitrarily suppressing one or two items because they are
frequent, will simply lead to more confusion in the long run.

In this case it's the excessive Restore Points which is the issue and either
needs to be 'fixed' or given an additional choice within the Options.

Bitman
 
Bill Sanderson MVP

I'd definitely overlooked that. I'm not sure I've been completely
consistent, but the supported way to remove the excessive restore points is
the registry edit process.

Unfortunately, the KB article detailing this process is not yet publicly
available, so the only source for the procedure is posts in these groups,
and it isn't a simple process--not something for the novice to attempt.

We've heard from Joe Faulhaber that this issue is being addressed. I expect
to see new code with that fix at some point, but I can't predict when.
--
 
Larry

Last Monday morning I changed my WD by checking the "Changes made to your
computer by software that is allowed to run". I expected to get a lot of
alerts about minor changes. In the subsequent week, I have received no
alerts for system changes, BUT my typical eight to twelve daily WD system
restore checkpoints have completely stopped. Boy, that's the best of both
worlds.
Larry
 
Guest

Tim,

As a member of the Spybot Search & Destroy forums Advisor group, I've seen
many with Spybot S&D and Defender co-existing, including myself. Though there
are no direct conflicts to my knowledge, the advice that only one program
providing real-time protection should be enabled is becoming common.

The reason is less related to direct programming conflicts, though they
could occur, than to the confusion created when more than one program alerts
for the same detection simultaneously. For example, if a registry entry
change is detected by both, if you answer to Deny or Block in one
application, you should answer with Accept or Allow in the other. This seems
counter-intuitive, since the gut level response would be to block with both.
However, if you attempt to Deny/Block with both, the second application will
usually fail, since the first application has already performed the deletion
of the registry entry, so it's no longer there to delete. How gracefully the
application deals with this is related to its own design, but it's confusing
to most people.

Though the above related to Teatimer functions, the protection provided by
the SDHelper 'Bad Download Blocker' Browser Helper Object DLL has even more
inter-relationships. Since it extends Internet Explorer to watch for known
bad downloads of ActiveX and block them before they can be saved to disk,
it's performing the same function as portions of the 'Internet Explorer File
Download Prompt' included in Win XP SP2. With Internet Explorer 7, the
ActiveX abilities are being enhanced with 'ActiveX Opt-In', which reduces a
computer’s attack surface by turning off access to most ActiveX controls by
default. Defender includes a real-time agent for Internet Explorer Downloads,
which monitors files and programs that are designed to work with Internet
Explorer, such as ActiveX controls and software installation programs.

As you can see, there is already equivalent protection with IE 6 and
Defender, more with IE 7 and SDHelper.dll appears to be a direct overlapping
protection to what Defender provides. Such overlap may not be truly additive,
however, since it depends how the two applications interact (who wins) when
something is detected, good or bad.

As you can see from this brief (yea, right!) explanation, the potential for
interaction is obvious, but the possible results aren't since only a true
understanding of both programs' design can insure they co-exist properly.

Both Patrick Kolla, Spybot S&D's developer, and Microsoft have independently
stated that their programs should co-exist and they will work to insure that
they continue this way. However, I personally don't feel that it's reasonable
to expect that there will never be problems, nor do I wish to spend my time
debugging this relationship. So I have chosen to follow the now popular
advice to operate the real-time protection of only one anti-spyware, along
with one antivirus which is a long-standing recommendation.

As someone who uses both programs and tries to post an even handed response
to questions relating to both programs, I hope my analysis and experiences
are some help to your decision.

Bitman
 
Larry

FWIW, I've been using Spybot Search and Destroy, with both SD Helper and
TeaTimer, and have never observed any conflicts or problems with WD (unless
that's the reason I was getting approximately 10 system restore points
created daily by WD). :)
Larry
 
Guest

Bitman said:
I believe the setting is perfectly appropriate and any change that isn't
consistent, such as arbitrarily suppressing one or two items because they are
frequent, will simply lead to more confusion in the long run.

In this case it's the excessive Restore Points which is the issue and either
needs to be 'fixed' or given an additional choice within the Options.

Not quite, Bitman! Not quite!

Forget the checkpoint issue for a moment. Let's suppose I was curious to see
what events I'd be notified about, and therefore ticked the boxes to find
out. What would I find? The following:

1. Notifications about changes that Defender regularly makes to its own
configuration as a matter of course. This seems less than helpful. And my
'crying wolf' comment still holds. If Defender reports its own changes as
alerts, how are we to know when an actual malware change is made?

2. Why does Larry (see his post in this thread) NOT get these spurious
alerts at startup, even though he's ticked the box as I have?

3. Why are these alerts not logged in history just because I've chosen to be
notified about them in actual time? This is an inconsistency - not perhaps a
very important one - but one that ought to be resolved.

There are issues here over and beyond the checkpoint issue. And I think the
'crying wolf' spurious alerts constitute a really BIG issue. They would
almost certainly cause me to ignore an identical alert that was warning me of
a real infection.
 
Guest

Alan D said:
Not quite, Bitman! Not quite!

Forget the checkpoint issue for a moment. Let's suppose I was curious to see
what events I'd be notified about, and therefore ticked the boxes to find
out. What would I find? The following:

1. Notifications about changes that Defender regularly makes to its own
configuration as a matter of course. This seems less than helpful. And my
'crying wolf' comment still holds. If Defender reports its own changes as
alerts, how are we to know when an actual malware change is made?

2. Why does Larry (see his post in this thread) NOT get these spurious
alerts at startup, even though he's ticked the box as I have?

3. Why are these alerts not logged in history just because I've chosen to be
notified about them in actual time? This is an inconsistency - not perhaps a
very important one - but one that ought to be resolved.

There are issues here over and beyond the checkpoint issue. And I think the
'crying wolf' spurious alerts constitute a really BIG issue. They would
almost certainly cause me to ignore an identical alert that was warning me of
a real infection.

Alan,

1. Doesn't really matter if you don't think they're helpful, that's why the
ability to suppress them exists and is even done by default, because this is
the type of thing that the average user doesn't need to see. Changing this is
simply falsifying the results, it's designed specifically to suppress the
repetitive messages that would result from allowed programs, including
Defender itself, that would otherwise result in unnecessary messages being
displayed. It's doing exactly what it states and should continue to do.

2. No idea, maybe he leaves his PC on for days at a time. The message only
displays when you restart the PC.

3. Separate issue from what we were discussing here, but yes, another
question related to the triad of relationships we saw when you were testing
what affected the System Restore Points issue. Since we don't know what was
really intended, we don't know what needs fixing and what is simply there for
debugging or troubleshooting purposes during the beta. Things are often added
to beta code with the intention of removing them later before the actual
release occurs.

BTW, though the 'crying wolf' scenario is a major reason such a suppression
ability exists, if something manages to replace such a core portion of the
Defender application you're in much more trouble than whether it displays a
warning message, since it's already crippled a key component of the scanning
automation.

Bitman
 
Guest

Bitman said:
BTW, though the 'crying wolf' scenario is a major reason such a suppression
ability exists, if something manages to replace such a core portion of the
Defender application you're in much more trouble than whether it displays a
warning message, since it's already crippled a key component of the scanning
automation.

Yes... but that's exactly the point I'm making. Accustomed to the regular
pop-up of Defender saying 'I've done it again!', I'd just ignore it when a
real alert comes along - while in truth, as you say, I'm in serious trouble.
Except now I'm in even more serious trouble, because I continue to think I'm
OK when I'm not.

These nuances in response may be of use to the expert, but they're of no use
to people like me. (They may be interesting, but that's a different matter.)
The millions of folks who just want to install and go really don't need to be
notified about changes that Defender makes every day to ITS OWN
configuration. They don't even need to have the option of being notified
about such inconsequential activities. All it does is muddy the water - and
by golly the water is muddy enough already.
 
