Is Defender ready for prime time?

[David Sherman]

Is Defender ready for prime time?

My answer is no.

On Wednesday night, I got hit with 3 viruses at same time via java
script. The script immediately shut down and rebooted by machine.
Machine is Windows XP fully patched. I am running Symantec Anti-virus
fully updated.
The virus were:
Backdoor.Trojan
Trojan.ByteVerify
W32.conyscpa.g @ mm or Krepper

Several files were dropped in c:\windows\system32 folder. These files
were "allowed" to run by defender. The files include sqcobub.exe and
lffafmon.exe. Even the Description of these items stated " This
program has potentially unwanted behavior." If the behavior is
"potential unwanted", why does defender "allow" this program to run?


There is no way to change the behavior from allowed to "not allowed"
status.

Since I was running the default settings when Defender was installed,
I was never"notified" of the problems.

If you look at Software Explorer, there is "no way" to change the "not
classified" status to an "enable status". Why?

Thanks

 

[Bill Sanderson MVP]

What version(s) of Java are installed? (best advice is that unless you know
a particular version is required for some app you depend on, uninstall all
old versions and keep only the very latest from java.com.

I'm startled that Symantec let this stuff through--any thoughts about why
that happened?

Windows Defender is not an antivirus--you need an up to date antivirus
running in addition.

Windows Defender won't stop or alarm for something which is not yet voted
"bad" via Spynet, or already in the definitions. We've seen lots of
examples of "unknowns" which are normal drivers and utilities. In your
case, they are definitely bad--but perhaps in the virus category, rather
than spyware--I'm not perfectly clear how this distinction is made, myself

The language used to describe something that is seen by the agents, but is
not yet classified--is uniform--it always describes it as potentially
bad--this is a little like police profiling--if the code is attaching itself
in a risky place, it gets id'd as risky--Windows Defender has no way to
analyze on the fly what it is really going to do.

 

[David Sherman]

Java 1.50_06-b05
version of defender 1.14.1361.6

If Defender makes an item as potential bad, why does it allow that
object to run?

Why can't I copy that information that defender shows me to this
message?

If a startup item is marked "not yet classified", how do I get it
classified?

If the default settings don't alert me of the danger, what good is
defender?

The viruses can through a Java script, which isn't really defended
against. Maybe Microsoft should do this also.

 

[Richard Urban]

Seems like Symantec Anti-virus isn't ready for prime time yet either, and
they do not consider themselves a "beta" !!!

--
Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

 

[David Sherman]

I am running the Corporate version. I had 2003, 2004, 2005 on this
machine. It was crashing weekly. I guess I will try Avast again.