> The part of the system that manages all this mess is called Windows Security Center - WSC for short.
* https://apastyle.apa.org/style-grammar-guidelines/abbreviati...
* https://www.stylemanual.gov.au/grammar-punctuation-and-conve...
* https://learn.microsoft.com/en-us/style-guide/acronyms
I do a lot of copy editing for clarity and non-native speakers so I have keep these things in mind. ¯\_(ツ)_/¯
In this post I will briefly describe the journey I went through while implementing defendnot, a tool that disables Windows Defender by using the Windows Security Center (WSC) service API directly.
Simple rule I learned on my Electronic Engineering degree (where we're guilty of many, many acronyms): When you write an acronym/initialism in a paper (or anywhere for others to read reall), assume the reader doesn't know what it stands for and include the expansion in brackets immediately after the first use.
EDIT: As my sibling comment also suggests, writing it in full the first time, and using the acronym/initialism in brackets is also acceptable.
https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/pics/p...
[Edit - could be Capture The Flag?]
How do you update that afterwards?
Both Chrome and Windows are now in that position.
Basically, unless you are of interest to state level attackers, in 2025 even unpatched Chrome/Windows wont get drive by exploited.
Like leaving your door unlocked, because you live in such a sketchy neighbourhood that everyone else always locks their doors.
I'd really, really like to think most of us don't follow this terrible security practice based on a bad premise.
I installed Windows 10 2016 ltsc on a VM at the end of last year out of curiosity to test that. Disabled wupdate and defender before letting it access the internet so that it was basically 8 years behind on any updates. I tried browsing all kinds of sketchy sites with Firefox and chrome, clicking ads etc. but wasn't able to get the system infected.
I would guess that keeping your browser updated is more important.
Browser-zero days are why I factored out a way to distribute "web RPA agent creation" on any device, with no download - into its own product layer for browser-isolation. It's a legitimate defense layer but main barriers to adoption are operating friction, even tho it makes the task of hackers who want to compromise your network with browser 0-days much harder.
Because of that the RBI aspect is not as popular as ways its being used where you need a really locked down browser, with policies for preventing upload/download, even copy and paste, etc - for DLP (data loss prevention), for regulated enterprises.
Even so I think the potential applications of this tech layer are just starting.
It’s much less likely than it was 20 years ago. A lot of attack vectors have already been fixed. But hypothetically a bug in the network stack could still leave an internet connected machine vulnerable.
But this isn't about the binaries. It's where definitions and configuration are stored. It's C:\ProgramData, not C:\Program Files.
The system also can't object too severely. Third party endpoint protection exists.
With Linux, there's often a good clean way to do a thing, and then there are weird hacks.
On Windows, it often starts with weird hacks, as Microsoft is further enclosing its ecosystem.
(I use Windows mostly for gaming and VR, and still have to constantly fiddle with the system to keep it working on a basic level, sad face emoji. Who would've thunk that merely playing a 8K European documentary in VR would require configuring DirectShow filters found on GitHub.)
You should be able to make a normal mode to run full security and a gaming mode just run a semi large game,and yes, this does expose a vulnerability,but it can be easily brought back up.
Evildoers don't need to bother with this: If they have access at this point you've got other problems.
Microsoft may extend WD to detect/block this vector since it is using undocumented interfaces; Microsoft would absolutely prefer you buy more cores, and if you're not going to do that, collect some additional licensing revenue through some other way.
I found one such switch: Install Linux
I miss Seoul.
<3
I understand and mostly support the idea of mandatory AV for the people who can barely handle the concept of a file system.
There is also a class of user forged in the fires of the primordial internet who would never in a trillion years be tricked into clicking a fake explorer.exe window in their browser.
Giving users choice is the best option. Certainly, make it very hard to disable the AV. But, don't make me go dig through DMCA'd repos and dark corners of the internet (!) to find a way to properly disable this bullshit.
i do not care for anyone baby sitting me telling me that netcat.exe is a no no
Simple as that.
Perhaps your hardware, when connected to a network, has real effects on the rest of that network. What if your system joined a botnet and began DDOS activities for payment? What if your system was part of a residential proxy network, and could be rented in the grey market for any kind of use or abuse of others' systems? What if your system became a host for CSAM or copyright-violating materials, unbeknownst to you, until the authorities confiscated it?
And what if your hardware had a special privileged location on a corporate network, or you operated a VPC with some valuable assets, and that was compromised and commandeered by a state-level threat actor? Is it still "your hardware, your choice"? Or do your bad choices affect other people as well?
https://github.com/es3n1n/defendnot/blob/master/defendnot-lo...
If you're curious what's actually going on there:
https://github.com/es3n1n/defendnot/blob/master/cxx-shared/s...
I think the only bit I don't like personally is the syntax. I normally implement defer as a macro to keep things clean. If done correctly it can look like a keyword: `defer []{ something(); };`.
Or you could even make a non-macro version (but then you need to think of variable names for each defer):
auto defer_uninitialise = do_defer([](){CoUninitialize();}); defer->void { CoUninitialize(); };
auto _defer_instance_1234 = Defer{} % [&]()->void { CoUninitialize(); };
* auto means infer the type of this local variable from the expression after the =.
* Defer{} means default construct a Defer instance. Defer is an empty type, but it allows the % following it to call a specific function because...
* Defer has an overloaded operator%. It's a template function, which takes a callable object (type is the template parameter Callable) and returns a DeferHolder<Callable> instance.
* [&]()->void { /*code here*/ }; is C++ syntax for a lambda function that captures any variables it uses by address (that's the [&] bit), takes no parameters (that's the () bit) and returns nothing (that's the ->void bit). The code goes in braces.
* DeferHolder calls the function it holds when it is destroyed.
It's subjective but some (including me!) would say it's cursed because it's using a macro to make something that almost looks like C++ syntax but isn't quite. I'm pretty confident with C++ but I had no idea what was going on at first (except, "surely this is using macros somehow ... right?"). [Edit: After some thought, I think the most confusing aspect is that defer->void looks like a method call through an object pointer rather than a trailing return type.]
I'd say it would be better to just be honest about its macroness, and also just do the extra typing of the [&] each time so the syntax of the lambda is all together. (You could then also simplify the implementation.) You end up with something like this:
DEFER([&]()->void { CoUninitialize(); });
DEFER({ CoUninitialize(); });But from my understanding (or lack thereof), the `auto _defer_instance_1234 =` is never referenced post construction. Why doesn't the compiler immediately detect that this object is unused and thus optimize away the object as soon as possible? Is it always guaranteed that the destructor gets called only after the current scope exits?
Yes, exactly. The destructor is allowed to have some visible side effect such as closing a file handle or unlocking a mutex that could violate the assumption of the code in that block. (Even just freeing some memory could be an issue for code in the block.) It is guaranteed that the destructor is closed at the end of the block, and that all the destructors called in that way happen in reverse order to the order of their corresponding constructors.
Is there any reason to use operator% instead of a normal method call? Except possibly looking cool, which doesn't seem useful given that the call is hidden away in a macro anyway.
If you don't mind that, I said that you can "simplify the implementation" - what I meant was, as you say, you don't need the overloaded Defer::operator% (or indeed the Defer class at all). Instead you could do:
template <typename Callable>
DeferHolder<Callable> _get_defer_holder(Callable&& cb) {
return DeferHolder<Callable>{std::forward<Callable>(cb)};
}
#define DEFER(my_lambda) auto COMMON_CAT(_defer_instance_, __LINE__) = _get_defer_holder(my_lambda)
So you can abuse this mechanic to 'register' things to be executed at the end of the current scope, almost no matter how you exit the current scope.
I personally don't find it that cursed, but for many old C++ heads this may be an overwhelming smell - adding a class to implement what should be a language feature may tweak some folks' ideology a bit too far.
D (for example) has the concept of statements that trigger at end of scope built into the language.
WSC stands for Windows Security Center.
I had to look it up as well
It’s in the article
Or, to avoid making that choice at all, just don't use Windows.
Keeping this saved in case I return to a crappy windows env.
What about UTM? Also Parallels recently added initial support for Intel VMs as well.
AtomicByte•7h ago