Defender: Why can't I permanently permit an action?

Bert Hyman

I use a text editor (Vedit, http://www.vedit.com/) that makes a change
to the registry's "Run Once" key the first time it's run after a boot;
Defender always pops up a warning and I always permit it.

Why is there no way for me to permanently allow this operation?

Windows XP SP3
Windows Defender Version: 1.1.1593.0
Engine Version: 1.1.5005.0
Definition Version: 1.65.146.0
 
VanguardLH

Bert said:
I use a text editor (Vedit, http://www.vedit.com/) that makes a change
to the registry's "Run Once" key the first time it's run after a boot;
Defender always pops up a warning and I always permit it.

Why is there no way for me to permanently allow this operation?

Windows XP SP3
Windows Defender Version: 1.1.1593.0
Engine Version: 1.1.5005.0
Definition Version: 1.65.146.0

There is no "remember" option. When you get the prompt, you don't see a
"remember my selection" option. Defender won't remember. This severely
handicaps the HIPS function of Defender. Guess saving encrypted hashes
of files (encrypted to prevent tampering, hashes to recognize when a
file changes) is too much work or expertise for Microsoft to include in
Defender. Since they merely rolled in Defender, I doubt MSE is any
better.

In Defender you may want to disable the following options:

Choose if Windows Defender should notify you about:
|_| Software that has not yet been classified for risks
|_| Changes made to your computer by software that is permitted to run.

It takes a long time, if ever, for many non-malware programs to get on
Defender's whitelist. Until then, the unknown programs will continue
issuing alerts by Defender.

The 2nd option means you are permitting supposedly good programs to make
changes to your host. If they weren't good programs (with behaviors
that you allow), they shouldn't be on your host.

Defender is not a good HIPS security program. It's merely sufficient
for most users that don't want to understand security or bother having
to maintain it. If you want stronger HIPS (host intrusion protection
system) then you need something stronger than Defender. However, the
more security is on your host then the more impact you get on its
responsiveness and reduced stability through conflicts with other good
software or interference with its use.
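
The remembered-decision store VanguardLH describes (file hashes to recognize a changed file, protected against tampering), as an added Python example that is not part of the thread and not Defender's own code. It uses an HMAC tag over the store rather than encryption to detect tampering; the function names, path, key and file contents are constructed for illustration, and the key is assumed to be kept where monitored programs cannot read it.

```python
import hashlib
import hmac
import json


def file_digest(data: bytes) -> str:
    """SHA-256 of the program image; changes whenever the file changes."""
    return hashlib.sha256(data).hexdigest()


def _tag(key: bytes, entries: dict) -> str:
    # Canonical JSON so the same entries always produce the same tag.
    blob = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def remember(key: bytes, store: dict, path: str, data: bytes, action: str) -> dict:
    """Return a new store with 'path may perform action' recorded and re-tagged."""
    entries = dict(store.get("entries", {}))
    entries[f"{path}|{action}"] = file_digest(data)
    return {"entries": entries, "tag": _tag(key, entries)}


def decide(key: bytes, store: dict, path: str, data: bytes, action: str) -> str:
    """'allow' only for an untampered store and an unchanged file, else 'prompt'."""
    entries = store.get("entries", {})
    if not hmac.compare_digest(store.get("tag", ""), _tag(key, entries)):
        return "prompt"  # store was edited without the key
    known = entries.get(f"{path}|{action}")
    if known is None or not hmac.compare_digest(known, file_digest(data)):
        return "prompt"  # never remembered, or the file changed
    return "allow"


# Constructed sample values (not real paths, keys or file contents).
KEY = b"constructed-demo-key"
EDITOR_V1 = b"constructed editor image v1"
EDITOR_V2 = b"constructed editor image v2"
STORE = remember(KEY, {}, r"C:\example\editor.exe", EDITOR_V1, "write RunOnce")
```
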
 
Bert Hyman

VanguardLH said:
There is no "remember" option. When you get the prompt, you don't see
a "remember my selection" option. Defender won't remember. ...

Strangely, according to the help file, there should be:

Under "How to use Windows Defender->Add or remove items from the Windows
Defender allowed list" is this:

To add an item to the allowed list

The next time Windows Defender alerts you about the software, on
the Action menu in the Alert dialog box, click Always Allow.

It's just that there's actually no "Always Allow" selection.
 
Bill Sanderson

If Windows Defender actively targets a program as bad, there will be an
always allow button.

If you want to demonstrate this for your own satisfaction, install a VNC
variant--I think any version should work. VNC is a useful network
administration tool which, in many versions, can also be installed in such a
way that the user is not aware that it is active. This creates a privacy
issue that Windows Defender rightly calls out. However, if you've knowingly
installed VNC and want to keep it, you can choose to allow it.

The way this works has been a source of confusion forever, I think. You can
choose to allow something that Windows Defender actively alerts as bad. You
can't choose to allow something which is not alerted as bad, or which is
simply not yet classified. And getting classified one way or another
requires many responses via Spynet over time, I suspect. Spynet DOES work,
but slowly, and in some cases--beta or outdated versions of things--it isn't
going to ever classify those.
 
Bert Hyman

Bill Sanderson said:
If Windows Defender actively targets a program as bad, there will be
an always allow button.

But there's no "Always Allow" selection as the help file says.

And, it's not targeting it as "bad", merely suggesting that it's
something I need to look at.

My instance of RealVNC shows up in the "Allowed Items" list, but there
doesn't seem to be any way for me to add other items to that list.

As to the SpyNet reports, looking at the entries in the History list for
the Vedit editor, the "Name" and "Alert level" always show up as
"Unknown", so I don't see how that can be of any help to the "community"
in classifying this action.
 
