jaclaz Posted October 7, 2015

Seemingly a new kid on the block: http://www.prnewswire.com/news-releases/microsofts-windows-10-privacy-nightmare-addressed-with-free-total-defense-privacy-shield-utility-300155431.html

I wonder whether these kinds of apps/tools are actually the "real thing" or they are just automating otherwise easily accessible "privacy settings", i.e. basically providing a "false" sense of security to less technically advanced (I guess representing the majority) Windows 10 users who actually care about the data the good MS guys collect.

jaclaz

JorgeA Posted October 7, 2015 (edited)

> Seemingly a new kid on the block: http://www.prnewswire.com/news-releases/microsofts-windows-10-privacy-nightmare-addressed-with-free-total-defense-privacy-shield-utility-300155431.html
>
> I wonder whether these kinds of apps/tools are actually the "real thing" or they are just automating otherwise easily accessible "privacy settings", i.e. basically providing a "false" sense of security to less technically advanced (I guess representing the majority) Windows 10 users who actually care about the data the good MS guys collect.
>
> jaclaz

In principle, it shouldn't be difficult to determine that. Might be little more than a matter of comparing the software's features with the various Win10 privacy settings, to see if the software offers things you can't easily access via the settings.

--JorgeA

Edited October 7, 2015 by JorgeA

JorgeA Posted October 18, 2015

Anybody here who's familiar with this product? For those who know how to use such tools, might it be useful in determining what sorts of connections Windows 10 is making, or not really?

--JorgeA

jaclaz Posted October 18, 2015

> Anybody here who's familiar with this product? For those who know how to use such tools, might it be useful in determining what sorts of connections Windows 10 is making, or not really?
>
> --JorgeA

Not really. (I can state that, though this does not in any way imply that I know how to use such tools.)

That would be only HTTP/HTTPS connections. The protocols used by "the abomination" may well be not HTTP/HTTPS.

jaclaz

JorgeA Posted October 18, 2015

Thanks, jaclaz. I suspected that it might not be suitable for our needs, but wanted to make sure.

--JorgeA

Tripredacus Posted October 23, 2015

dragosr on Twitter shared this PowerShell script.

Debloat-Windows10.ps1 (Windows 10 Enterprise N LTSB)
http://pastebin.com/Uk9BRrRJ

NoelC Posted October 24, 2015

Does anyone know why, on an otherwise completely quieted down Windows 10 system that's got the Windows Update Service disabled, the "Malicious Software Removal Tool" makes an encrypted https: (port 443) connection to spynetalt.microsoft.com (191.238.241.80)?

It's tempting to think this is just an attempt to update a local database with updated malware data, to make the tool more likely to succeed, but... Why encrypt such a communication?

This address resolves as a Microsoft Azure server outside Wichita, Kansas (CDN?).

This is the last unexplained communication I have come across from Windows 10.

-Noel

jaclaz Posted October 24, 2015

> It's tempting to think this is just an attempt to update a local database with updated malware data, to make the tool more likely to succeed, but... Why encrypt such a communication?

It makes perfect sense to me. (Not that I "like it", only saying that it makes sense.)

If it was plain http or plain text, anyone could probably find a way to (say) spoof the server and fill the database with every kind of crap; imagine that someone manages to insert in the database as "malware" a few tens of MS's own .exe's.

jaclaz

NoelC Posted October 24, 2015

Yes, that's sensible, though one thing still bothers me... This "Malicious Software Removal Tool" is clearly running on a schedule attempting these connections, yet note this wording:

-Noel

jaclaz Posted October 24, 2015 (edited)

Sure, you didn't notice the fingers crossed behind the back when they wrote that.

Just in case, a reminder for the good MS guys:

To be picky, that would be more like an omission, you know like: After the download the tool runs one time to check your computer for infections by specific .......... and several other times whenever we feel like it should run to do whatever we see it fit doing ....

jaclaz

Edited October 24, 2015 by jaclaz

NoelC Posted October 24, 2015 (edited)

Looking through the registry, it appears mrt.exe can be run as a fallback if Windows Defender fails in some way. For example, mrt.exe is listed in the "FailureCommand" value in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend].

For me MsMpEng.exe may be considering itself to fail (and thus causing mrt.exe to run) because it is unable to use (the disabled) Windows Update to load the latest virus definitions - even though it falls back to direct access and succeeds.

One possible answer may be to just disable Windows Defender. It's not like it has EVER blocked anything for me.

-Noel

Edited October 24, 2015 by NoelC

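An added example, not part of the original post or of any Microsoft tooling: the Service Control Manager runs a service's FailureCommand only when one of the actions in the neighbouring FailureActions value is of the "run command" type, so this sketch decodes that REG_BINARY value and checks for it. The sample blobs are constructed, and `read_service` is a hypothetical helper that works only on Windows.

```python
import struct

# SC_ACTION types as stored in the FailureActions REG_BINARY value.
ACTION_NAMES = {0: "none", 1: "restart", 2: "reboot", 3: "run_command"}

def parse_failure_actions(blob):
    """Decode FailureActions: a 20-byte header, then 8 bytes per action."""
    if len(blob) < 20:
        raise ValueError("FailureActions blob shorter than its 20-byte header")
    reset_period, _reboot_msg, _command, count, _offset = struct.unpack_from("<5I", blob, 0)
    if len(blob) < 20 + 8 * count:
        raise ValueError("FailureActions blob truncated: header promises %d actions" % count)
    actions = []
    for i in range(count):
        kind, delay_ms = struct.unpack_from("<2I", blob, 20 + 8 * i)
        actions.append((ACTION_NAMES.get(kind, "unknown(%d)" % kind), delay_ms))
    return {"reset_period_s": reset_period, "actions": actions}

def failure_command_is_armed(failure_command, blob):
    """True only if a command is set AND some failure action is 'run_command'."""
    if not failure_command or not blob:
        return False
    return any(name == "run_command" for name, _ in parse_failure_actions(blob)["actions"])

def read_service(name):
    """Windows only: return (FailureCommand, FailureActions); None where a value is absent."""
    import winreg
    path = r"SYSTEM\CurrentControlSet\Services" + "\\" + name
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        out = []
        for value in ("FailureCommand", "FailureActions"):
            try:
                out.append(winreg.QueryValueEx(key, value)[0])
            except FileNotFoundError:
                out.append(None)
        return tuple(out)

# Constructed sample blobs (not taken from a real machine).
# Header: reset period 86400 s, two unused DWORDs, action count, offset 0x14.
SAMPLE_RUNS_COMMAND = struct.pack("<5I", 86400, 0, 0, 2, 0x14) + struct.pack("<4I", 1, 60000, 3, 0)
SAMPLE_RESTART_ONLY = struct.pack("<5I", 86400, 0, 0, 1, 0x14) + struct.pack("<2I", 1, 60000)

if __name__ == "__main__":
    for label, blob in (("runs command", SAMPLE_RUNS_COMMAND), ("restart only", SAMPLE_RESTART_ONLY)):
        # "mrt.exe" stands in for whatever command string the FailureCommand value holds.
        print(label, parse_failure_actions(blob), failure_command_is_armed("mrt.exe", blob))
```

On a Windows machine, `failure_command_is_armed(*read_service("WinDefend"))` applies the same check to the key named in the post.
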
GrofLuigi Posted October 25, 2015 (edited)

> It's tempting to think this is just an attempt to update a local database with updated malware data, to make the tool more likely to succeed, but... Why encrypt such a communication?

No, it's an attempt to update Microsoft's database. At least that's what it looks like to me (SpyNet Alternative?). And "improved" by including MRT.

Edited October 25, 2015 by GrofLuigi

NoelC Posted October 25, 2015 (edited)

> > It's tempting to think this is just an attempt to update a local database with updated malware data, to make the tool more likely to succeed, but... Why encrypt such a communication?
>
> No, it's an attempt to update Microsoft's database.

Participation in that is all turned off here. I suppose the software could be attempting the connection anyway.

Nothing seems to break when the firewall blocks these connections to spynet2.microsoft.com and spynetalt.microsoft.com, though I always prefer to set things up so the system doesn't even try unwanted communications.

Could just be sloppy programming on Microsoft's part (OMG, is that even possible?)...

FYI, this seems to apply equally to Win 7, 8.1, and 10.

-Noel

Edited October 25, 2015 by NoelC

GrofLuigi Posted October 26, 2015

> Could just be sloppy programming on Microsoft's part (OMG, is that even possible?)...

Or could it be just disrespect of user's preferences by Microsoft? OMG is that even possible?...