I called MS Support and used one of my free Windows Defender support requests
to report this issue. The result was an embarrassing display of Microsoft's
support policies. After explaining the situation to the technical support
representative, the following is what was deduced by their department:
1. There are no knowledge base articles on the subject. I knew this of
course because I already checked.
2. There are no messages in the forums about the subject except my own. I
knew this also. Yet, they still suggested I try to resolve the issue through
the forums because they didn't have anything in their database on the subject.
3. They went so far as to confirm the issue as a bug, but they don't have an
"escalation policy in place" to notify the product development team. I was
given an e-mail address that was supposed to eventually get routed to one of
the teams, but all messages to that address bounce. After reconfirming the
address with support, it was deduced that it is no longer active. Support
declined to follow up to obtain the new address.
4. It was suggested that I sign up for Live OneCare because that support
group might be able to do more. So basically, I should pay Microsoft $50 for
the chance that I *might* be able to escalate through that channel. No thank
you.
The representative I spoke with was very polite and professional, so that
was appreciated. However, ultimately she and her management chose to hide
behind policy and perceived job roles rather than making an effort to bring
this defect to the attention of the appropriate parties. I find this very
disappointing and embarrassing for Microsoft, particularly when the issue
deals with reporting a defect in one of their security products.
So in the end I was told, yes it's a defect in the software, but we don't
have a policy in place to notify the development teams of defects other than
the forums. That's why I'm back here, trying to raise awareness now of a
defect in Windows Defender, Windows Firewall, and apparently, the support
policies for those products.
I will summarize once again the issues below in the hopes that a member of
one of the product development teams sees this one day.
Windows Defender
---------------------
Issue #1: Partitions mounted as NTFS junctions only (no drive letters
assigned) do not show up in the custom scan list in the final release. They
did in Beta 2, and when I put it back on it works, so this is a defect
introduced in the final release.
Issue #2: When custom scanning any drive in Windows Defender, including C:, I
get an error message "0x80508019: The file or drive you are trying to scan
does not exist on this computer. Choose another file or drive, and then scan
your computer again." I am fairly certain this is actually related to a bug
that I reported during Beta 1 that was resolved for Beta 2. Windows Defender
uses an alternate means of scanning registry hives. My registry hive is on a
partition that I've mounted as an NTFS junction to C:\Documents and Settings.
This allows me to keep the standard path while still having the files
physically located on a separate partition (for backup and other purposes).
Having my profile and registry hive on the separate partition is what seems
to cause this issue. Windows Defender is actually failing because it is
unable to scan the registry hive of my profile. Again, I had a similar issue
in Beta 1, it was fixed for Beta 2, and now it's back in the final release.
Windows Firewall
--------------------
Issue #1: Windows Firewall will not let you add programs to the exclusion
list unless they are on a partition with a drive letter assigned. I have
mounted a partition to C:\Program Files. This allows me to keep the standard
C:\Program Files path while still having all of my applications physically
located on a separate partition. Unless I also assign a drive letter to the
partition, Windows Firewall will not let me select an application for
exclusion under the NTFS junction.
Microsoft Support
--------------------
Issue #1: There is no escalation policy for application defects.
Issue #2: There is no standard online means for reporting application
defects. Some products benefit from Microsoft Connect, which is a step in the
right direction, but the product coverage on that site is still very small.
Issue #3: Staff is not able to identify shortcomings in policies and work
through a problem in spite of standard procedures not being in place. It is
very much a case of the mentality, "That's not my job, that's not what we do."
In conclusion, I realize that none of the application issues are so critical
as to represent a security risk other than perhaps the fact that the Windows
Defender issue is a blocking one. This means no anti-spyware from Microsoft
for me, even under Vista. The firewall issue I can work around, and there are
also third-party alternatives for that as well. I think the support issues,
however, will probably plague a larger number of users than just myself. And,
I know if I were a member of one of the development teams for those products,
I'd be very upset to learn defects weren't being escalated. If job roles are
the issue here, then I'd like to point out, it's typically development that
decides defect priority, not technical support.