> The part of the system that manages all this mess is called Windows Security Center - WSC for short.
* https://apastyle.apa.org/style-grammar-guidelines/abbreviati...
* https://www.stylemanual.gov.au/grammar-punctuation-and-conve...
* https://learn.microsoft.com/en-us/style-guide/acronyms
I do a lot of copy editing for clarity and non-native speakers so I have to keep these things in mind. ¯\_(ツ)_/¯
In this post I will briefly describe the journey I went through while implementing defendnot, a tool that disables Windows Defender by using the Windows Security Center (WSC) service API directly.
Now I see why. Thanks for incorporating the feedback! It had a positive impact for me coming later to this article.
Simple rule I learned in my Electronic Engineering degree (where we're guilty of many, many acronyms): When you write an acronym/initialism in a paper (or anywhere for others to read really), assume the reader doesn't know what it stands for and include the expansion in brackets immediately after the first use.
EDIT: As my sibling comment also suggests, writing it in full the first time, and using the acronym/initialism in brackets is also acceptable.
https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/pics/p...
https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...
[Edit - could be Capture The Flag?]
How do you update that afterwards?
Both Chrome and Windows are now in that position.
Basically, unless you are of interest to state level attackers, in 2025 even unpatched Chrome/Windows won't get drive-by exploited.
Like leaving your door unlocked, because you live in such a sketchy neighbourhood that everyone else always locks their doors.
I'd really, really like to think most of us don't follow this terrible security practice based on a bad premise.
For anyone saying these aren't targets, no they are probably already hacked. These are the things that keep the national security folks up at night knowing an adversary has them already backdoored and set up for take down. Moreover if they execute on that they would go for maximum damage first to either create chaos, or prevent the system from being repaired easily.
Your thought process is not correct.
I installed Windows 10 2016 ltsc on a VM at the end of last year out of curiosity to test that. Disabled wupdate and defender before letting it access the internet so that it was basically 8 years behind on any updates. I tried browsing all kinds of sketchy sites with Firefox and chrome, clicking ads etc. but wasn't able to get the system infected.
I would guess that keeping your browser updated is more important.
Browser zero-days are why I factored out a way to distribute "web RPA agent creation" on any device, with no download, into its own product layer for browser isolation. It's a legitimate defense layer, but the main barriers to adoption are operating friction, even though it makes the task of hackers who want to compromise your network with browser 0-days much harder.
Because of that the RBI aspect is not as popular as the ways it's being used where you need a really locked down browser, with policies for preventing upload/download, even copy and paste, etc., for DLP (data loss prevention), for regulated enterprises.
Even so I think the potential applications of this tech layer are just starting.
Then it hit me: the only thing keeping a rogue website from sweeping your entire life is a browser's permissions popup.
But all of that growth and integration comes with these vulnerabilities, and so the cyber and DLP control aspect of web browsers is a very important one.
If this resonates with you, I invite you to check out my company’s project BrowserBox on GitHub
It’s much less likely than it was 20 years ago. A lot of attack vectors have already been fixed. But hypothetically a bug in the network stack could still leave an internet connected machine vulnerable.
How did you install those - downloaded via another system? Because with that old system, you are missing ssl certificates (Firefox and Chrome bring their own).
…either that or the machine cheated and updated root CAs in the background (which isn’t Windows Update-controlled anymore).
But this isn't about the binaries. It's where definitions and configuration are stored. It's C:\ProgramData, not C:\Program Files.
The system also can't object too severely. Third party endpoint protection exists.
much to everyone's dismay. :/
With Linux, there's often a good clean way to do a thing, and then there are weird hacks.
On Windows, it often starts with weird hacks, as Microsoft is further enclosing its ecosystem.
(I use Windows mostly for gaming and VR, and still have to constantly fiddle with the system to keep it working on a basic level, sad face emoji. Who would've thunk that merely playing an 8K European documentary in VR would require configuring DirectShow filters found on GitHub.)
My God, get mpv, enable gpu-hq
Honestly I've never thought about that before.
Linux distro devs, working for free, pushing excellent product can't compare with these clowns in high-paying jobs at Microsoft, pretending they're working.
I start with Tiny11 first though these days, then run that to get rid of the last few bits.
any control you think you have over windows is imaginary.
(I think you need to disable Tamper Protection first, otherwise you later get a threat detected of “WinDefendDisable”, but if you allow/unquarantine it doesn’t auto-enable again)
You should be able to make a normal mode to run full security and a gaming mode to just run a semi-large game, and yes, this does expose a vulnerability, but it can be easily brought back up.
Evildoers don't need to bother with this: If they have access at this point you've got other problems.
Microsoft may extend WD to detect/block this vector since it is using undocumented interfaces; Microsoft would absolutely prefer you buy more cores, and if you're not going to do that, collect some additional licensing revenue through some other way.
Somehow when I hear 'Windows' I only think of desktop use, not servers.
I found one such switch: Install Linux
I miss Seoul.
<3
I understand and mostly support the idea of mandatory AV for the people who can barely handle the concept of a file system.
There is also a class of user forged in the fires of the primordial internet who would never in a trillion years be tricked into clicking a fake explorer.exe window in their browser.
Giving users choice is the best option. Certainly, make it very hard to disable the AV. But, don't make me go dig through DMCA'd repos and dark corners of the internet (!) to find a way to properly disable this bullshit.
Until they've had a couple drinks. Might still need a more sophisticated fake than that, but they exist. I'm with you on the disabling part though: I think Apple gets it right with SIP, it takes a reboot in recovery mode to disable it temporarily and a single command while in recovery mode to make it permanent.
I've been using computers for 40 years, have never installed and have always disabled malware scanners, and never had a virus. Maybe I'm special. But I'm not that special. There are 3 billion Android users in the world, almost all of them don't have malware scanners, and almost all of them have never been infected by malware. Ditto iPhone users.
To be fair, I haven't used Windows for the latter 1/2 of that 40 years. So maybe it's only Windows users who need to go around x-raying all data storages.
All Google Play Protect does is compare the installed apps on your device to a list of known bad ones, and uninstalls any Google doesn't like. For the most part all it's doing is looking for apps you've installed that Google later deemed bad and removed from the app store. That's a slight exaggeration, but not a big one. The performance impact is what you would expect from that description - almost none.
A windows virus scanner tries to get itself involved in most mouse clicks. Open an email - it's reading it over your shoulder. View a web page - it's looking at it too. Copy a file from USB - it's inspecting every byte. Every time you write a file, it's sniffing over the new contents. The performance impact is what you would expect from that description, ranging from noticeable to crippling in the worst cases. When it does find a virus it can't "just uninstall it". It may well have replaced parts of Windows itself.
Google Play Protect is all you need when you design an OS with security in mind. The situation on Windows is where you end up when you focus on delivered features, security be damned.
It’s not a very high bar: I have not seen it find anything in a long time, neither on my machines, nor on the ones I inspected after they had been owned.
- Antivirus software is malware
- We have to disable Windows Updates because I didn’t like them 30 years ago
- Windows Defender hogs resources, laptop reviews showing Windows systems getting 10 hours of web browsing battery life are lying, Windows Defender actually ruins the performance of your computer
- It’s better to complain constantly about Windows and spend hours disabling functionality rather than switch to Linux
I’m just waiting for “Windows sucks I’m thinking about switching to Linux but never end up doing it” and I’ll have a bingo!
Without adding an exception to Windows defender, that software is unusably slow. Once the exception is added (or defender is turned off) the software is nice and fast again.
It also sounds like you wrote bad software that didn’t consider the architecture of the parent OS.
If Windows won't allow use of the filesystem as a database or cannot heuristically detect when a folder is being used as a store of data, Windows is wrong, not the developer.
Amusingly Microsoft ships exclusions for their own software, and states "Opting out of automatic exclusions might adversely impact performance, or result in data corruption. Automatic server role exclusions are optimized for Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025."
https://learn.microsoft.com/en-us/defender-endpoint/configur...
I guess Nintendo is wrong for not giving you a file system at all on the Game Boy. The analogy may be extreme but that’s part of the point here: who are we to dictate Microsoft’s design goals and choice of compromises?
It’s really not Microsoft’s fault if their product doesn’t meet the specific needs of someone’s specific software use case.
I do agree that my first suggestion is the more sensible one, but my second one was more of a philosophical point. Windows has been the same old Windows for a long time and developers that don’t understand its limitations and requirements for deploying applications are more in the wrong than Microsoft in this scenario.
If Microsoft felt like the best design decision was to remove windows defender and that there was no negative impact to doing so they would have done it by now.
The Nintendo/Game Boy analogy doesn’t hold water. Nintendo doesn’t give you a filesystem on the Game Boy, but it certainly doesn’t stop you from implementing one yourself. Nintendo doesn’t include a filesystem because that’s not part of the Game Boy’s platform model; it’s a console with fundamentally different goals and constraints. If you require a virtual filesystem to load assets for your game, Nintendo _will not_ slow your cartridge ROM down.
Windows, on the other hand, has always shipped with a general-purpose filesystem and encourages developers to use it for data persistence, caching, configuration, and more. In fact, the Win32 API is deeply file-centric. Even the OS has its own hidden virtual filesystem.
Windows is a Unix-inspired CP/M derivative, and both lineages are strongly file-based. In fact, when Windows tried to replace the filesystem with a database in Longhorn, they failed spectacularly, and only a few pieces of that design are left today. What still exists, however, is a filesystem optimized for storing files.
Suggesting that developers are "in the wrong" for relying on the filesystem on an OS that has always promoted it is like blaming drivers for expecting roads to be usable. We’ve been building software on Windows that reads and writes files for decades, with Microsoft’s full blessing.
If Defender or related tooling starts punishing valid, decades-old patterns like using a folder as a key-value store, that’s not a failure of developers to "understand Windows". It’s a regression in the OS, or at least a poor balance of heuristics.
We absolutely should question Microsoft’s design goals if they break longstanding, legitimate use cases without offering workable alternatives. Being dominant doesn’t make them immune to critique, especially when their changes have real-world consequences for maintainable, cross-platform software using well-established techniques.
I assume you either don’t really know what you’re talking about, or are arguing in bad faith.
Oh, and people develop software for a living and sometimes that involves making sure the software works on Windows. Not everyone complaining is using Windows by choice.
Exceptions are valid when scoped to a container where you reasonably expect to be the sole user of the data therein and it contains no executable code.
There are definitely times when I wish I could disable it outright. Often someone will want my help reviving an old computer or laptop and it'll have to sit for a day in a loop of windows update fighting windows defender for resources with neither of them making much headway before one or the other will finish enough to let the other run for a bit.
In what universe is windows defender “resource-crippling?” There are windows laptops that will sip battery for an entire workday plus extra hours while running defender the entire time. So clearly it’s not “resource-crippling” if it can run on a laptop with a single digit wattage power draw.
And then we’ve got the “I need to control my system I’m too smart for antivirus” folks all over this thread.
Well, if you’re so smart why are you using a consumer OS designed for idiots?
(I like OP’s tongue-in-cheek work and post a whole lot better than the neckbeard army describing how Windows is broken and totally doesn’t work and how we have to disable updates and antivirus because we are power users I guess so we just do that for no reason)
This one? Not all of us want to throw perfectly usable hardware in the e-waste pile. Windows 10 was perfectly fine on my old Haswell miniPC, save for Defender wasting CPU cycles and IO doing..."checks".
We are in the “Windows users complain endlessly and refuse to switch to Linux” bingo card right now. Windows has been this way since before you bought that mini PC.
Exactly. It's the same legacy scan every fucking thing you open AV architecture.
Back in the day of spinning disks it probably wouldn't have been too noticeable for the AV to marshal scanning to its usermode service and the filesystem to pull the data from cache for the original request afterwards. However now that we have 10GB/s+ capable SSDs the factor of slowdown is exponentially larger.
I can run ripgrep on a massive directory, make myself a cup of tea and return to it still searching for matches versus being done in < 10 seconds with defender disabled.
For 98% of systems, there is probably no reason to scan every file on opening it. If people have enabled that setting, or left that default on, then that's their problem; it's not Windows Defender's fault.
My current AV dashboards are screaming at me that I'm only 35% protected. That's because I've exercised a lot of prudence in enabling paranoid settings, based on my rather limited and simplistic threat modeling. Installing AV software comes with the understanding that it can steal resources, but they nearly always have plenty of settings that can be disabled and win back your system responsiveness.
I am beginning to believe that commenters giving bingo-card winnings are not the brightest bulbs in the Windows MCSE pool, honestly. I can relate: Linux and Unix admin in general is far more intuitive and comfortable for me, so I have generally stayed on that side of things, but knowing how to properly set up Windows is an indispensable life skill for anyone.
There is no such setting for Defender. The file scanning is either on or defender is completely off. To even access some of the better stuff like ASR rules (that are disabled by default) you need third-party software or pay for their enterprise offering.
Consumer Defender literally has like 4 toggles in total. It's a dumbed down and extremely permissive AV because it runs on every Windows machine.
In any universe where you do a lot of small file IO. I'm not saying that other AV isn't far worse, but on access/write/delete AV massively kills performance when you do anything that creates/deletes tons of small files.
I do not care for anyone babysitting me telling me that netcat.exe is a no-no
Simple as that.
Perhaps your hardware, when connected to a network, has real effects on the rest of that network. What if your system joined a botnet and began DDOS activities for payment? What if your system was part of a residential proxy network, and could be rented in the grey market for any kind of use or abuse of others' systems? What if your system became a host for CSAM or copyright-violating materials, unbeknownst to you, until the authorities confiscated it?
And what if your hardware had a special privileged location on a corporate network, or you operated a VPC with some valuable assets, and that was compromised and commandeered by a state-level threat actor? Is it still "your hardware, your choice"? Or do your bad choices affect other people as well?
>Perhaps your hardware, when connected to a network, has real effects on the rest of that network. What if your system joined a botnet and began DDOS activities for payment? What if your system was part of a residential proxy network, and could be rented in the grey market for any kind of use or abuse of others' systems?
This at least is "you, affecting others". But the obvious immediate response is that such things done via the network can be mitigated or blocked at the network layer, and indeed must be anyway since attackers are doing such things from across the world 24/7 regardless. I'd fully support ISPs having to throttle or even potentially block-until-fixed any customers who participate in active network attacks, and other parts of the internet throttling or black listing ISPs that refused to cooperate. But making someone deal with the consequences of their choices is no reason to deny them the choices in the first place, given that most of those making such choices are not, in fact, actually going to end up doing any of what you listed.
>What if your system became a host for CSAM or copyright-violating materials, unbeknownst to you, until the authorities confiscated it?
Here (and seriously ZOMG THINK OF THE CHILDREN, lol really? on HN, in 2025?) you veer off into personal consequences to the person making the choice, as opposed to them being part of an attack on others. This is just saying "there could be risks to you if you mess it up!" which is a complete non-statement.
>And what if your hardware had a special privileged location on a corporate network, or you operated a VPC with some valuable assets, and that was compromised and commandeered by a state-level threat actor? Is it still "your hardware, your choice"? Or do your bad choices affect other people as well?
Um. Hello? Why is corporate IT allowing you to BYOD to a special privileged location on the corporate network without even so much as any sort of management agreement or contractual responsibilities? At this point you've veered off the road of reality. Because in actual reality you don't own hardware in special privileged locations or at least don't have full choice over it by your own agreement. And if that's not the case hooboy is there a kind of a lot of other fundamental issues there. That's not an argument for a blanket universal policy.
Oh, you chose to buy new shoes even though they were too tight which distracted you for 1 sec in your car on the way home, due to the discomfort, so you hit someone and they died.
Clearly people can not be trusted to buy their own shoes!
If you are an EDR vendor, this is an obfuscated API call that EDR vendors can use to suppress or disable the Windows Firewall. CrowdStrike for example, can do either I believe, use Windows Firewall or use their implementation.
https://github.com/es3n1n/defendnot/blob/master/defendnot-lo...
If you're curious what's actually going on there:
https://github.com/es3n1n/defendnot/blob/master/cxx-shared/s...
I think the only bit I don't like personally is the syntax. I normally implement defer as a macro to keep things clean. If done correctly it can look like a keyword: `defer []{ something(); };`.
Or you could even make a non-macro version (but then you need to think of variable names for each defer):
auto defer_uninitialise = do_defer([](){CoUninitialize();});
#define defer(body) DeferHolder COMMON_CAT(_defer_instance, __LINE__) {([&]()->void body)};
and call it as defer({
function body here;
});
Which looks much nicer. The preprocessor treats balanced curlies as one single token regardless of how many lines it spans, precisely to enable this usage. scope_exit{[&]{ ... } };
defer->void { CoUninitialize(); };
Using the macros in the second linked file, this expands to: auto _defer_instance_1234 = Defer{} % [&]()->void { CoUninitialize(); };
* The 1234 is whatever the line number is, which makes the variable name unique.
* auto means infer the type of this local variable from the expression after the =.
* Defer{} means default construct a Defer instance. Defer is an empty type, but it allows the % following it to call a specific function because...
* Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.
* [&]()->void { /*code here*/ }; is C++ syntax for a lambda function that captures any variables it uses by address (that's the [&] bit), takes no parameters (that's the () bit) and returns nothing (that's the ->void bit). The code goes in braces.
* DeferHolder calls the function it holds when it is destroyed.
It's subjective but some (including me!) would say it's cursed because it's using a macro to make something that almost looks like C++ syntax but isn't quite. I'm pretty confident with C++ but I had no idea what was going on at first (except, "surely this is using macros somehow ... right?"). [Edit: After some thought, I think the most confusing aspect is that defer->void looks like a method call through an object pointer rather than a trailing return type.]
I'd say it would be better to just be honest about its macroness, and also just do the extra typing of the [&] each time so the syntax of the lambda is all together. (You could then also simplify the implementation.) You end up with something like this:
DEFER([&]()->void { CoUninitialize(); });
Or if you go all in with no args lambda, you could shorten it to: DEFER({ CoUninitialize(); });
But from my understanding (or lack thereof), the `auto _defer_instance_1234 =` is never referenced post construction. Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?
Yes, exactly. The destructor is allowed to have some visible side effect such as closing a file handle or unlocking a mutex that could violate the assumption of the code in that block. (Even just freeing some memory could be an issue for code in the block.) It is guaranteed that the destructor is called at the end of the block, and that all the destructors called in that way happen in reverse order to the order of their corresponding constructors.
Is there any reason to use operator% instead of a normal method call? Except possibly looking cool, which doesn't seem useful given that the call is hidden away in a macro anyway.
If you don't mind that, I said that you can "simplify the implementation" - what I meant was, as you say, you don't need the overloaded Defer::operator% (or indeed the Defer class at all). Instead you could do:
template <typename Callable>
DeferHolder<Callable> _get_defer_holder(Callable&& cb) {
return DeferHolder<Callable>{std::forward<Callable>(cb)};
}
#define DEFER(my_lambda) auto COMMON_CAT(_defer_instance_, __LINE__) = _get_defer_holder(my_lambda)
Disclaimer: I haven't tried it and I don't normally write macros so this could have glaring issues.
Would it have looked any less cursed if it just read `defer { CoUninitialize(); };`?
Agreed that the simplest "fix" would be to just rename the macro to be all-caps.
Yes, agreed.
> Would it have looked any less cursed if it just read `defer { CoUninitialize(); };`?
It's subjective but personally I still hate it.
> Agreed that the simplest "fix" would be to just rename the macro to be all-caps.
Actually I think the bigger part of my suggestion is switching from an object-like macro to a function-like macro [1], which makes it all a bit less magical.
[1] https://stackoverflow.com/questions/36126687/function-like-m...
I think the "best" approach here would be to make it a function-like macro, and also change the name to all caps.
(Also, I tend to agree that `defer { ... };` is still cursed -- it requires the trailing semicolon, which further breaks the illusion of a keyword that takes a block scope.)
So you can abuse this mechanic to 'register' things to be executed at the end of the current scope, almost no matter how you exit the current scope.
I personally don't find it that cursed, but for many old C++ heads this may be an overwhelming smell - adding a class to implement what should be a language feature may tweak some folks' ideology a bit too far.
D (for example) has the concept of statements that trigger at end of scope built into the language.
TL;DR, not AI
The code defers a function call until the point in time that an object goes out of scope. The implementation uses C macros to create a more succinct syntax that omits parts of the necessary C lambda/unnamed function definition and to create a unique variable name for managing the deferred function call. However, the resulting syntax eschews the common convention of using UPPER CASE to denote C macros, and instead appears similar at first glance to a function call from an object pointer.
This can cause confusion if one is not familiar with this pattern and expects macros to be communicated differently. Some commenters say this is common enough, or useful enough to them, to be considered almost idiomatic in some contexts.
For technical explanation, https://news.ycombinator.com/item?id=43959403#43960905 provides a useful breakdown of how the macro works.
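To make the mechanics discussed above concrete, here is an added, self-contained example of the scope-exit pattern: an RAII holder that runs its callable in the destructor, wrapped in a function-like, upper-case DEFER macro that builds the unique variable name from __LINE__. This is illustrative code written for this thread, not defendnot's own implementation, and the Win32 calls are stand-ins: instead of calling CoInitialize/CoUninitialize it appends event names to a log so the ordering on normal exit and on exception can be checked.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Added example, not the project's code: holds a callable and invokes it when the
// holder is destroyed, i.e. when the enclosing scope is left by any path.
template <typename Callable>
class DeferHolder {
public:
    explicit DeferHolder(Callable cb) : cb_(std::move(cb)), active_(true) {}
    // Move transfers ownership so a moved-from holder does not run the callable twice.
    DeferHolder(DeferHolder&& other) noexcept
        : cb_(std::move(other.cb_)), active_(other.active_) { other.active_ = false; }
    DeferHolder(const DeferHolder&) = delete;
    DeferHolder& operator=(const DeferHolder&) = delete;
    DeferHolder& operator=(DeferHolder&&) = delete;
    ~DeferHolder() { if (active_) cb_(); }
private:
    Callable cb_;
    bool active_;
};

// Plain factory instead of an overloaded operator%: deduces the lambda type.
template <typename Callable>
DeferHolder<Callable> make_defer(Callable&& cb) {
    return DeferHolder<Callable>{std::forward<Callable>(cb)};
}

// Function-like macro; the two-level CAT is needed so __LINE__ expands first.
// Caveat: the preprocessor only treats parentheses, not braces, as grouping, so
// a comma inside `body` must itself be wrapped in parentheses. One DEFER per line.
#define DEFER_CAT_(a, b) a##b
#define DEFER_CAT(a, b) DEFER_CAT_(a, b)
#define DEFER(body) auto DEFER_CAT(defer_instance_, __LINE__) = make_defer([&]() -> void body)

// Simulated acquire/release pairs. The log is passed by reference rather than
// returned from this function, because deferred pushes happen after the return
// value would have been constructed.
void run_with_defers(std::vector<std::string>& log, bool throw_midway) {
    log.push_back("CoInitialize");
    DEFER({ log.push_back("CoUninitialize"); });
    log.push_back("OpenHandle");
    DEFER({ log.push_back("CloseHandle"); });
    if (throw_midway) {
        throw std::runtime_error("simulated failure");  // both defers still run
    }
    log.push_back("work");
}

// Returns the ordered event trace for one run; "caught" marks the exception path.
std::vector<std::string> trace(bool throw_midway) {
    std::vector<std::string> log;
    try {
        run_with_defers(log, throw_midway);
    } catch (const std::runtime_error&) {
        log.push_back("caught");
    }
    return log;
}

// Same trace joined with commas, convenient for comparing and printing.
std::string trace_joined(bool throw_midway) {
    std::string out;
    for (const auto& e : trace(throw_midway)) {
        if (!out.empty()) out += ",";
        out += e;
    }
    return out;
}

int main() {
    std::cout << "normal:    " << trace_joined(false) << "\n";
    std::cout << "exception: " << trace_joined(true) << "\n";
    return 0;
}
```

Releases run in reverse order of the DEFER statements (CloseHandle before CoUninitialize), on both the normal path and the unwinding path; that reverse-order guarantee is exactly the destructor ordering rule mentioned earlier in the thread.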
Seems like they don't want to bother with emulation when many of the challenges are not compatible with their main computer.
WSC stands for Windows Security Center.
I had to look it up as well
It’s in the article
Or, to avoid making that choice at all, just don't use Windows.
Keeping this saved in case I return to a crappy windows env.
What about UTM? Also Parallels recently added initial support for Intel VMs as well.
Maybe command line Linux would be acceptably slow, but anything with a GUI isn't.
You can run arm64 Windows pretty well, but that's not x86 Windows and won't help with reverse engineering an x86 system component.
I set up a Windows ARM inside a UTM VM as a test, then installed Visual Studio (not Code!) which is an x86 application and it was pretty much usable.
The codebase i was working on was complaining about missing some OpenGL parts so I stopped and haven't investigated further (I have x86 boxes for working on it). But depending on your requirements the above setup may be just fine(tm).
I'm not sure if performance characteristics are part of what the OP considers "sane", but if it is, I get the position.
Learned a lot of interesting things, namely there is an undocumented messaging layer underlying the RPC in Windows: https://csandker.io/2022/05/24/Offensive-Windows-IPC-3-ALPC....
I got really, really confused after that statement, because I don't understand what "the antivirus I was using" means and why they would have a reason to send the author a DMCA.
I think it means the author reverse-engineered another antivirus and put parts of it in their open-source project. But it could also mean other things. Skimming I see a heading with "Impersonating WinDefend".
So is the gist that the author somehow broke some kind of copyright law?
From the paragraph directly before the one you quoted:
The way my project worked is that it was using third-party code from some already existing antivirus and forced that AV to register the antivirus in WSC.