Looking for clarification on concerns that were raised.

[pingu-the-penguin]

Hello, I saw these concerns in a channel I was in and wanted to ask to what extent these concerns could be valid and what advantages the specific approach that was being criticised has.

[HotCakeX]

Hi,
Anyone can create issues in this repository and I'll address them as I've always have.

I see lots of speculations in those screenshots, but what i don't see is proof of concept. If what they claim is true then where is a PoC that will reproduce the Defender behavior that they claim? so me and others can test it and then i'll adjust the policies if needed. Something like that could potentially be bug bounty worthy.

Also, each security measure can be independently applied/verified/removed. That's what the community asked for and that's how i built the new Harden System Security app. One doesn't need to apply everything in a category.

Note

Modern antivirus programs like Windows Defender can identify zip bombs and other malicious files.
https://www.microsoft.com/en-us/windows/learning-center/what-is-a-zip-bomb?msockid=18d718e511c46b0f35f90ed510436a6a

"Slowing down Defender" isn't a valid point imo. The goal is to have it scan any and all files. You don't want threat actors bypass your protection by making the malware a bit too large for you to handle or put them in nested archives that your protection just gives up on.

[pingu-the-penguin]

Hello, this was a long time ago and I just randomly remembered it now so thought I should ask. From the link you posted, will Windows Defender not detect zip-bombs unless SmartScreen is turned on?

"Slowing down Defender" isn't a valid point imo. The goal is to have it scan any and all files. You don't want threat actors bypass your protection by making the malware a bit too large for you to handle or put them in nested archives that your protection just gives up on.

This makes sense.

[HotCakeX]

Oh i see,
I think so yes, SmartScreen should be necessary. Microsoft Defender comprises several features that all work together as part of the same puzzle, creating layered defense.

About quarantined files, there is never "no chance" they could run. No one can 100% guarantee that. That's why I added that policy to make sure of it. If they don't exist on the system then there is "no chance" they can run.

the 1 day period allows for restoration of files that were accidentally marked to be quarantined.

[HotCakeX]

I'm thinking I should make the period configurable on the UI so users can enter the number of days desired for them. That's besides the fact that the policy itself is optional, just like everything else.

[pingu-the-penguin]

Oh i see, I think so yes, SmartScreen should be necessary. Microsoft Defender comprises several features that all work together as part of the same puzzle, creating layered defense.

Ah I see.

About quarantined files, there is never "no chance" they could run. No one can 100% guarantee that. That's why I added that policy to make sure of it. If they don't exist on the system then there is "no chance" they can run.

Fair enough. Wouldn't removing quarantined files put the user at risk of re-infection though?

the 1 day period allows for restoration of files that were accidentally marked to be quarantined.

Seems reasonable.

I'm thinking I should make the period configurable on the UI so users can enter the number of days desired for them. That's besides the fact that the policy itself is optional, just like everything else.

This sounds like a good idea.

[HotCakeX]

Fair enough. Wouldn't removing quarantined files put the user at risk of re-infection though?

No because the information about the quarantined file (aka metadata) should be automatically uploaded to the Defender's cloud server so other users can stay protected too (That's how the Harden System Security app configures Defender). The quarantined file itself isn't the only source of information.