Real Time Protection - True Purpose?

Guest

The WD Help seems to say that real-time protection functions as an alert
mechanism. Yet when a real-time protection condition is detected, you have
the opportunity to respond allow or block. Since WD doesn't seem to do much
when you say block and doesn't seem to remember allow, I would be inclined to
agree with the WD Help. So why bother with allow or block? You're basically
saying continue - I have been alerted. What is the true purpose of real time
protection? If the intended purpose is to alert only, then bad stuff can
install and run. It doesn't matter whether WD can remove it later because
the bad stuff could have already compromised the system. So really, how is
WD supposed to work (not speculation)?
 
Joe Faulhaber[MSFT]

Hi Mr Cat,

Realtime protection is pretty darn good protection from known threats -
especially those coming in through the browser. These will usually not be
able to run at all unless you OK them by selecting "Ignore". This is fine
protection, which Beta 1 didn't have. And RTP provides layers of protection
for many kinds of threats, if the threat gets by the blocking checkpoints
and starts running. Yes, this is not ideal, but far preferable to not
knowing what's running.

You're not too far off the mark, though, when we're talking about unknown
software (stuff WD doesn't identify as known good or known not good).
Taking action to block unknown software is very scary stuff - it can be
super technical, and though WD tries to give you all the information it can,
lots of software just doesn't document what it is very well. Plus, the
possibility of damaging valid software by blocking unknowns is very real.
So, WD turns alerting on unknowns off by default, though if you're in spynet
it will still collect file information on this unknown software so we can
analyze it.

So the purpose of RTP, as I see it, is to stop known spyware, gather info
for spynet if users opt in, and warn advanced users of what's changing.

Thanks for trying Windows Defender,
Joe
 
Guest

Thank you for the response. However, I think Pandora's box has been opened.
The beta testers have the impression that Allow should put an entry in the
Allow list so that subsequent detections are not flagged, akin to the Always
allow option during online scans. Other testers are using the do not scan
folder as a circumvention. I raised the issue about RTP because the WD Help
discusses why real time protection is important, but doesn't really nail down
what happens when you specify Allow or Block. I also think that the
expectation of RTP is to block the installation of unwanted software. I hope
this is true. Otherwise, RTP may be perceived as a nuisance and turned off.