by Fiahil 1788 days ago
I'm so happy to see a thread on Windows Defender, because my org recently switched antivirus software and I can't wait to tell you how bad it is!

There's a hidden feature in Defender that will delight any user: it can turn your 15" MacBook Pro into a full breakfast machine. Want pancakes? Start a Zoom call.

While you wait for your favorite video conference app to start, don't hope to finish your docker pull/save/build in less than 30 times its usual time. Your laptop I/O will be so crippled that you might get better bandwidth with a floppy disk drive (I'm exaggerating a bit, but that's how it feels to go from 120MB/s to 4MB/s on an SSD).

Our Mac IT is completely powerless. I never thought I would ever regret getting rid of Symantec. I was wrong.


We are using Defender at work, too. There is a group policy that lets Defender do a full system scan once a week.

To not interfere with the user there allegedly is a group policy setting to limit the CPU usage and it is set to 15%. The thing is, it simply does not work. Every week my fans spin up to max, Defender hogs all my CPU cores, 25% of my GPU according to the Task Manager. Even typing becomes laggy.

The only way to stop it is to open Task Scheduler and end the scheduled task from there.

Wait...you are local Admin on your machine?
Outside of highly regulated environments, technical staff usually have local admin rights. Is it a risk? Yes, although one that can be minimized. Letting people do what they need to do with minimal interference is an important part of keeping employees happy.
Even if they're not supposed to, most people do, or at least they know an admin login. All it takes is one frustrated person who knows someone higher up and the login is on a sticky note in a drawer. Technical security measures are not and will never be a substitute for proper training.
> Technical security measures are not and will never be a substitute for proper training.

What would proper training achieve to solve GGP's problem of his machine becoming unusable every week?

And proper training is never achievable in a non-IT enterprise...because no one cares; what's left are technical restrictions.
Everyone at the company I work for has local admin on their machines. It is not the big deal people make it out to be.

1) Malware doesn't care. It is happy to eat the user's personal data or anything they have access to on the network.

2) The OS is easily replicable if it gets damaged or destroyed thanks to imaging.

3) Whitelisting applications is a bitch to implement properly and causes a lot of friction for users.

4) There is one PC per user, so there's absolutely no reason to protect the PC from its user.

I'd quit my job if work didn't let me be root on my work machine.
That's exactly the one single reason why no one should give a developer a Windows machine in an enterprise environment ;)
Well that and the shitty dev tools on Windows in general ;)
Care to elaborate? I'm using Windows as a primary dev machine for years and I've encountered no problems aside from the infuriating update-related restarts.

What am I missing? This is an actual, emotionless, genuine question? Always looking to find new ways to procrastinate by trying out new tools ;)

I'm a relative beginner to development and have found no issues with WSL2 so far. Any pitfalls to be aware of?
And anywhere with a good IT department would say "bye". From my experience, people with reasonable technical skills are the most likely people to defy IT policies, even without admin rights.
Then hold me responsible if I do.
Often by the time the violation is noticed, the damage is done. And when you're cleaning up a million dollars worth of ransomware damage, you rethink whoever thought anyone should ever be operating with admin rights to their machine.
>people with reasonable technical skills are the most likely people to defy IT policies

Absolutely true...aka "I know computers since the C64, nothing bad will ever come from my machine...bumm ransomware...but my Antivirus never said anything"

Less to do with that and more to do with it being infuriating that you can't install or do tiny things you need. It can be less frustrating to hop jobs.
Our company just switched from Symantec to Windows Defender and so far I'm very pleased. On my Windows laptop the fans were running more or less all the time when we had Symantec. With Defender the computer is nearly dead silent.

When looking in Task Manager before, it seemed that Symantec used more CPU than even Visual Studio and related processes.

We had Symantec too, also switched to Windows Defender. Symantec was an awful piece of software for something that should be invisible until needed.
My very good solution on dealing with corporate antivirus: noise cancelling headphones.
I remember a few students using Windows that took a very very long time to compile anything; even smallish single-file examples. Is it possible that this slowness is caused by Windows checking the binaries that were just compiled?
Not just the binaries. The source code too.

A common practice is to exclude both the whole repo and the compiler from Defender.
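As an added example that was not posted in the thread, this is the PowerShell an admin would use to check the scheduled-scan CPU ceiling mentioned earlier (the 15% group policy value) and to add the repo and compiler exclusions described above; the repo and compiler paths are assumptions, and the cmdlets are the stock Defender module that ships with Windows 10/11.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# The Get-/Set-/Add-MpPreference cmdlets ship with Windows 10/11 Defender.

$RepoPath    = 'C:\src\myrepo'                          # assumed repo path
$CompilerExe = 'C:\Program Files\LLVM\bin\clang.exe'    # assumed compiler path

# 1. Inspect the current state: scan CPU ceiling and existing exclusions
$pref = Get-MpPreference
"Scheduled-scan CPU load factor (percent): $($pref.ScanAvgCPULoadFactor)"
"Existing path exclusions:";    $pref.ExclusionPath    | ForEach-Object { "  $_" }
"Existing process exclusions:"; $pref.ExclusionProcess | ForEach-Object { "  $_" }

# The weekly full scan is an ordinary scheduled task; this lists it and its state
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' |
    Select-Object TaskName, State

# 2. Lower the CPU ceiling for scheduled scans. Note this only governs
#    scheduled scans; real-time protection is not throttled by it, which is
#    why a build can still feel slow even with a low value here.
Set-MpPreference -ScanAvgCPULoadFactor 15

# 3. Exclude the repo tree and the compiler process from real-time scanning.
#    A process exclusion means files opened by clang.exe are not scanned;
#    binaries it writes are still scanned when another process runs them.
Add-MpPreference -ExclusionPath $RepoPath
Add-MpPreference -ExclusionProcess $CompilerExe

# 4. Re-read the preferences and confirm both exclusions took effect
$after = Get-MpPreference
"Repo excluded:     $($after.ExclusionPath -contains $RepoPath)"
"Compiler excluded: $($after.ExclusionProcess -contains $CompilerExe)"
```

Both exclusion lists are also visible in the Windows Security app, so they are easy to audit later; an exclusion on a source tree means anything dropped into that tree is not scanned either.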

Oh man....a mac with antivirus software...is your IT's mindset from the 90s?
People apparently disagree, but I'm with you. The idea that antivirus software is actually a worthwhile mitigation tool is a relic from the 90s. Malware defeats antivirus all the time, and sometimes even exploits it directly. Meanwhile, aggressive antivirus software is eating a percentage of every single task you do on your computer, actively impeding your work every second of your day.

The tradeoff is not worth it, in my professional opinion.

While I wholeheartedly agree with you, I think that putting the horrible piece of shit antivirus software on enterprise boxes is a cover-your-ass tactic. It's required from IT depts to be able to say they followed industry standard practices and did their due diligence to prevent threats, regardless of whether those have any useful, practical effects at all.

My wife has a brand new corp issued Carbon X1 and I can hear it routinely spin fans 100% because of Norton FuckYourCPUandIO (tm) software doing nothing of use besides inducing anger.

Of course it's not worth it, but in many orgs it's required for compliance. It may change in the future as most people realize it's not that useful, just like NIST changed the rule about password updates.

On the other hand, it might seem useless because malware creators know it's there. Basically all functional pieces of malware have to go through VirusTotal otherwise they won't be effective. But if all orgs dump antivirus software it would be a bit like giving up MMR vaccination in children.

Compliance for the sake of Compliance is just to protect one's ass and has nothing to do with security (aka no one gets fired for buying IBM)
Most companies have to have Antivirus anyway, for compliance reasons.
Depends on what the "anti-virus" does, isn't it?
My company recently signed a deal with a healthcare company to do some work on their systems. I got a laptop from this company, MBP 16" so not bad. But lord oh lord are there so many things on this laptop.

Two worst offenders are:

- Antivirus: Just hogs memory, the scan runs "throughout the day" and I've had to resort to using scripts to shut the thing down just so my code will compile.

- Other annoying features: Let's make you stare at a dayglo green wallpaper and give you no way to change it to something that doesn't offend your eyes, let's place a bunch of icons on your dock and desktop that you can't get rid of, just bookmarks to common apps. Let's also make a popup show up on your laptop every day to remind you that you need to upgrade to OneDrive but forget to give me the permission to actually upgrade so this message repeats itself and fails every time.

end rant.

"There's something wrong with your iCloud ID, please log in to fix it" popup. But hey we disabled iCloud integration so they'll never be able to actually login! (cue evil laughter)
My work-issued iPhone wants me to verify my Apple ID password for whatever reason.

By device management policy I am locked out from entering my Apple ID information again. Great success.

You'd be surprised about how many high profile silicon valley companies use similar software such as crowdstrike or carbon black.

It's a scourge.

Unfortunately many big customers insist on it as part of security questionnaires and depending on who audits your compliance with certain security standards, they may insist it's required too.
My work mac has both Carbon Black and FireEye. It takes 30% longer to do a large build of an open source project than my personal laptop, despite having 2 more cores and twice the RAM.
We even have McAfee on our Linux machines... And yes, doing a build is impacted by this...
Holy caracho!! I understand if you have it on a file-server (bad rep if you send a MS-Word-Macrovirus to a Customer) but on a linux build server?? That's just madness!
Depending on the use, the server could be immune to malware and still transmit it to their clients.
Then check the binary before installation/tests if you have to, but not on the linux build server itself...that's ridiculous. A HIDS would be the answer, so you can be ~sure that your tools are not altered to inject code into your compiled product.
I'm guessing they're covering the case where a feature or a vulnerability allows uploading Windows malware and exposing it with other users.
A Mac with AntiVirus software written by Microsoft.
Google, Amazon and Facebook do that as well (at least if you include Santa as antivirus).
No, Santa is the right way to do it (whitelisting binaries); that's the opposite of an antivirus.
Lol, we have to have it on our *nix servers as well. Despite the fact that it's almost completely useless.