Default Actions


ralph

In Windows Defender, Tools > Options there is a section labeled "default
actions". They apparently relate to items which are classified by WD as low,
medium or high alert items (but not unclassified or severe). If I don't
configure them, they all state: Default action (definition based). I don't
understand what happens if I don't configure them. Need a short tutorial.
thanks.....ralph
 

Guest

A rose is a rose is a rose. Low is Low. Medium is Medium and High is High.
Don't start throwing in Severe. As a rule of thumb, Low means Ignore.
Medium is ignore or remove, and High is remove. Did you catch the lack of
quarantine? If you let WD take default actions, it is going to remove your
malware without quarantine! I don't trust any anti-malware program that
much. That is why I leave the check box empty - apply default actions after
a scan. I like to apply my own personal actions. Make your own choice!
 

Alan D

If you let WD take default actions, it is going to remove your
malware without quarantine! I don't trust any anti-malware program that
much. That is why I leave the check box empty - apply default actions
after a scan.

I didn't think it was quite so black and white, Mr Cat. For example, one
could tick the 'default actions' box, and then set each of the 'low',
'medium' and 'high' options to 'quarantine'. That way, Defender would
presumably automatically quarantine anything it found - wouldn't it?

(Assuming, of course, which I now have some reason to doubt after the events
described in my nearby thread, that it ever does actually detect anything!)
 

Guest

My experience is mostly from the Beta days, but it is basically what I have
said. Yes you could modify the defaults to quarantine for unattended
operation. But again, I don't use WD to fix malware problems.
 

ralph

I am still uncertain about the meaning of default actions in WD.
1: Am I correct in thinking that if I uncheck in Options "Apply default
actions to items detected during a scan", WD will ask me what action I wish
it to take when it detects any malware during either a manual or real time
scan?
2: However if I do check the box, WD will take the action I have specified
in the Default actions (ignore, remove or quarantine), at least for high,
medium and low alert items, without first asking permission.
3: What does WD do for "not yet classified" and "severe" alert items if I
have checked the "Apply default actions to items detected during a scan"
box?
4: Finally, what does WD do if I have checked the "Apply default actions to
items detected during a scan" box, but have left the Default actions as
"Default action (definition based)"?
thanks....ralph
 

Guest

Hi Ralph. I wasn't trying to be flippant with my first reply. The WD
options can be confusing and I was emphasizing not to read any hidden
meanings in the options. To simplify things break WD down into a scanner
component and a real-time component. The help link which also talks about
Severe and not yet classified just adds to the confusion, so just think of
Severe as High and not yet classified as belonging to the real-time
component. I already covered Low, Medium and High. The apply default
actions box is only appropriate when you are initiating an automatic
(scheduled) scan. The important thing to understand is that when you check
the box to apply default actions, potential malware could be deleted with no
quarantine. That is a key point. Kazaa users who have had their entire
download libraries removed by WD know what I am talking about. I'll now try
to address your questions:

(1) Yes, if you leave the box unchecked WD will ask you what actions to take
even for example if the scan completed hours earlier. The real-time
component is not involved in the automatic or manual scan.

(2) Yes, for an automatic scan. For a manual scan the option doesn't apply;
WD will ask you what to do after the scan completes.

(3) Treat Severe as High with Remove. Not yet classified pertains to
real-time protection. Software Explorer also displays not yet classified
components.

(4) As indicated in my first reply, the general rule of thumb is Ignore for
Low, Ignore or Remove for Medium, and Remove for High. Again, no quarantine
will occur if you use the defaults.

Allowed items and items excluded from scanning will override the above
rules. Items can only be added to Allowed Items as a result of a scan, i.e.
real-time protection can not be used to put items in Allowed Items.

WD real-time alerts offer fewer options, e.g., Permit or Deny, Allow or
Remove All. These alerts are triggered by "not yet classified" programs in
Run Keys, shortcuts to malware in the Startup folder, port usage, changes to
the Hosts file, changes to the system registry, attempts to load/run malware,
etc. An important consideration is that WD still does not know about many
commonly used programs and will consider them to be "not yet classified".
This is a major shortcoming of the product, but it is improving with time.

Please feel free to ask any additional questions. Just hope I adequately
answered yours. If I did make some technical errors, I'm sure others in this
newsgroup will correct me.
 
