Why I HATE Windows Defender

Website Article: christitus.com/bad-windows-defender/
It should also be noted that I bought my code signing certificate from comodo and it was fulfilled by Sectigo. Which is strange because comodo's pricing is considerably cheaper.

As a dev, my least favorite part of Defender is the "real time protection" crap. It hooks every time a program closes a file to scan it for anything suspicious. The Defender process seems to be single threaded. When compiling code, it saturates a single core and prevents the rest from actually doing work. Turning it off on my old 4 core 7700K machine speeds up compile times by ~20%, and even more on my newer 8 core AMD machine. Annoyingly it helpfully turns it back on the next day. You're supposed to be able to exclude folders, but it simply doesn't work. Oh, and this is on top of the 2-3x slowdown in compile times compared to Linux running the same tools on the same machine. Augh! Pretty happy that I can usually just get away with cross-compiling from Linux. >_>

LMAO the thumbnail

Since moving to Linux, this hasn't really been a thing I've thought about. I figured people using my FLOSS apps on Windows could just audit the code if they were concerned. But I suppose my ignorance is allowing MS to grow their AV monopoly.

I just zip up my executables, it bypasses the smartscreen because the unzipped executable technically originated from the computer, not the internet.

Apple does worse with gatekeeper, where they require you to send them your executables each release to sign them. Granted, it's cheaper
At least with Microsoft you can choose your key provider and don't have to upload your code to their site.
Yes it costs money, but it's an easy and cheap solution to a complex problem: developers pay 300$ per year and in exchange windows gets rid of most spammy viruses
If you mess with your key or distribute malware with it it will be blacklisted and you'll have to pay again. It makes gaming the system unaffordable for hackers (generic malware etc). Also, that 300$ goes into somebody validating the company is legit before issuing the cert, so even if a hacker had the economic power to print certs they wouldn't be able to order them en mass
Perhaps Microsoft may get to keep a cut. But it's peanuts compared to having all computer users having to pay 50$ per year to keep their computer secure.

Awesome video man. I gotta stop giving microsoft credit when they don't deserve it. I legit believed MS just wanted windows to be a secure platform and offered free AV protection for people. Silly me.

That makes the $99 Gatekeeper certificate from Apple look really cheap in comparison.
Where Microsoft makes their money is that the certification authorities have to pay Microsoft (and Google, and Apple, and Mozilla) to be approved as certification authorities.

This is an interesting heads up and update on a couple of things: ...
_ If I recall correctly, your first self-written Debloat/ Utility script back in July 2020, disabled Windows defender, and the next version enabled it. Your first GUI version in December 2020 gave the option to disable or enable it., I think.
Since then it was not discussed much on the script so good to get an update on your thoughts on it
_ I heard a few rumours or background comments on what Microsoft were doing with some Validation stuff more recently. It sounded a bit suspicious, but as a Layman I don't really understand these things. So it’s helpful when you catch these things and pass on some actual info on them for us.
Alan

Extended Validation Certificates is a way of proving that you really are a certain company
in order to obtain an EV cert you have to prove you are who you say you are, not just that you own a domain like with DV certificates.

I've looked at the price of the certificates in general and it's all about how much insurance they are insured for if they are ever breached at the provider's end. That's why some cost more. Some may only insure them for $10,000, while others it is $250,000, and that is what you're paying more for.

If the fee contributes to making sure the code a developer distributes is malicious free, I'm all for it. If, on the other hand, nobody makes sure the code is malicious free, then yes, it is like the mafia.

EV requires a lot of eyes on the subject, at least when doing a certificate for a website. So I suspect that carries over to signing of code as well. The EV usually comes with better assurances as well.

For extended validation they're *supposed* to make sure you are who you say you are, verify the information provided is accurate, check business records for the company specified, etc before providing the cert. Whereas for the normal one they'll mostly just revoke it if you give BS info and they later notice.

For noobs and ordinary users (99 % of windows desktop), some antivírus is necessary, unfortunately. Anyone with a bit more knoledge wont need any, as If Vírus total is there to check when we download stuff ... What is indeed nice is a firewall running with inbound and outbound blocked except for the services and processes that we manually set. Try Malware Bytes Firewall Control freeware

So what happens if you don't sign your software? Isn't it just a one time popup warning the user that the software is unsigned?

Thank you for this video, Chris. I was unaware of this but as you say it’s definitely mafia-esque territory!

The certificate is for proving that the software is indeed from the vendor it is telling. So, if the software tells me it is from Chris Titus Tech and it is not signed by a trusted authority, then what is the prove that it is coming from this vendor?
It is all build on trust and the certificate authorities cannot make mistakes, because they are out of business when they do as they cannot be trusted anymore. So yeah… there are some checks involved to see if they are doing it correctly.
You can still ship your software without a certificate. Smart Screen will only yell at you for the first x downloads because that is what the warning is for: hey, this file is not very much downloaded. When you thing this should be the case, pay attention.
This has nothing to do with the maffia or more money for microsoft. You can try to set up a trustworthy free service for this kind of certificates, like Let’s Encrypt.

"This industry has always been a little corrupt". Every industry is corrupt.

This is a VERY interesting subject, and not to be seen discussed very much. Thank you for the enlightenment. I didn't knew the rabbit hole was more deep that I thought about this.

What a great and informative video! Thanks so much for your candor and honest opinions on this topic. Keep up the great work!

👍👍👍Thanks for sharing. Learnt something new today.
Hmmm.... hv upgraded from Xp to Linux and away from the "yearly headache" of jumping from 1 AV to another. Yes, every year I sat down and re-evaluate AV before buying a 1yr subscription for myself - that is living with winboxes.
Now I simply use ClamAV for my Nixboxes.
Software houses shifted this cost to consumers...
Wonder how win freeware & open source s/w developers handle this issue.

I used to use AVG many many years ago but ever since one of my family members had a really hard time with it and I had to come to the rescue and reset everything I had a hard time recommending it after that. ever since then I used Avast but since I actually haven't been using Windows for at least 10 years and anytime I get on my wife's computer i see that Avast is always trying to sell her things I started getting tired of them as well. when Windows defender came prepackaged with Windows 10, I figured taking the easy route was not the worst option, but I am glad that you are getting the word out. I've always heard really good things about Kaspersky, but since you have had a hit or miss time with it, I will try out bitdefender. I should have known better than to go with the Microsoft default.. bitdefender is not one that I've used myself in the past, but I will give it a try..

Never knew how Microsoft could be this dirty with there windows defender. It’s built into windows and they are doing this type of stuff behind the users back this is straight up shady af.

As a Layman, I had just a gut feel that Microsoft were like a Protection Racket, especially since windows 10, - they protect you from the other bad people, as long as you pay up and do what they want.
It’s great that you, as a professional, share your ideas on these things.

Hi Chris. Thank you for the video.
Question: Why do you not recommend Webroot anymore? I remember reading that was your preferred AV.

Please, please, look more in depth into EV certification and you’ll see that your main point here is invalid. It’s NOT the same thing as a regular certificate.
Not to say that MS defender doesn’t have its fair share of flaws, but between it and any other AV, even paid ones, I’d rather use Defender.

hi Chris, you may be right there used to be over three hundred breweries in the U.S. Now you see only a few national brands but that has changed. Now you see a new mix of microbreweries all over the country in every state and this could be a new beginning for small software developers in creating new antivirus software or software content that you and many other developers aren't trying to break the mold of software creation independent thinking and ideas to revitalize a revolution.

Thank you for bringing this issue to light. I'm not a dev but appreciate this information. As far as Windows Defender I disabled it years ago.
I use Comodo's fire wall only, not their antivirus as you can only get the firewall as part of their Internet Security Suite now, and then disable the whitelist entries, the firewall, for any program that I have installed, including any Microsoft entries, so the firewall catches any outgoing internet requests.
This works very well for putting a check on any app that wants to randomly call home. The firewall asks if its ok for the app to access the internet. Not running an anti-virus at this time. Was using AVG but Avast has been slowly disabling features on AVG in an attempt to move AVG users to Avasts anti-virus. One valuable feature AVG had that is now gone is their free emegency boot CD to run AVG off the CD oe USB to check for virus's. It's now an Avast feature.

Unless there's barriers to entry as a code signing certificate provider, which I suspect there are, overtime the market should drive this down to a price equals marginal cost level.

Is this applicable to end-user apps (say, office suites or note-taking apps) as well, or is it required simply for apps that dwindle in Windows' guts (say, anti-viruses, PowerShell scripts, Anti-Cheat software)?
And if the former is true, can it be avoided by publishing the app on Microsoft Store?

Every Windows 10 installation I have, I've used all the workarounds I can to disable Defender and all components related to it. I understand tge internet well enough that I don't normally have any issues with not having antivirus.

I think it's a fresh and strong step from Microsoft towards Linux evolution

hey Christitustech hope you are doing well I just dual boot pop is with Windows and it has been great with pop os. All my games work with Linux and am doing everything on pop os
thank you for teaching Linux and have a great day.

hello, so basically i had a virus on Windows 11 called Trojan or something like that, and i removed it but after that my Windows Updates arent working and i cant downloand anything from the Microsoft Store, is there any way to fix it without to Factory reset my pc?

Hey Chris will you do a Video on Umbrel , it's a self host everything dashboard and one click installer for self host alternatives for most of the free Cloud services

Have you seen that Britec09 have shown your 'Ultimate Tool for Windows' in his latest vid?

I have been using ESET for a few years now as I also found it the lightest, but if you want to recommend something free, I'd go Panda Dome over BitDefender. On my PCs it was lighter, it had 0 popups or ads (you untick those 2 from within settings), there are more false positives especially after you enable PUA option, but not by that much in everyday use - other than that it's the lightest you can get for free* IMO. ; )
*-the only 2 that were lighter on my machines were K7 and eset, both paid. BTW, K7 is hella cheap these days, like 8 dollars for a year and around 15 for 3 years if I remember well, really good deal, if they keep that price I'll think about switching to it when my current eset licence expires. : )

what do you mean "required"? i run unsigned stuff on my PC and my mac all the time. just do the "run anyway" thing. its literally not an issue unless i guess you have a locked down work PC that is trying to run the program. i "run" defender. i set exclusions for all my mounted drives. smart screen pops up when it should. nothing is limited... i'm confused.

I recently gave Avira the flick on my windows machines and just starting using Defender again, as I was fed up with all of Avira's add on crap and slowing my system down. I think you're on the money here if that's what's happening behind the scenes. Think I might put Bitdefender on instead

so how to completely uninstall it? please

Unfortunately this is the level of in depth look that 99,9999% of Windows users will never do 🙏

One clarification, this is the personal, home user version. The enterprise version (MDE) is actually quite good.

Im making a new set of programming tools, mostly languages. Im making it for both windows and linux, with linux prefferred now. Granted, i do install from zip file so far, but why have i never had to worry about this, or being flagged as virus falsely? Is my language too similar to java? I know it shares some concepts, but it has a lot of differences too. Its not designed for it, but im sure its capable of being used for a virus so far, even though im doing everything i can to prevent that.

do we really need an antivirus or defender if we are using strong adblockers, maybe a pi hole server, and avoid pirated stuff? where do you guys think the point that we should start worrying about viruses? i mean what is the minimum use case that requires us to use defender and kind of av?

I knew there was something wrong when it declared an exe I downloaded was ransomware, but when I ran it anyway, nothing happened. I'll remember to do that every time!

Ya, it is like secure boot signatures. And btw I just use Kaspersky Internet Security. Really really good AV.

I dont like how i cant really control Defender. Theres no obvious way to shut it off until i want to turn it on again, it always turns on itself after a period of time. I switched to the free Comodo versionrecently and I dont have any problems so far.

first thing i do with windows 10 (was not necessary in other versions) is deactivate windows antimalware software, if you don't know how to deactivate it permanently then there is a small program that can do it for you (dcontrol)

Wait, so any unsigned executable can't run on Windows box anymore? I'm confused!? AFAIK Code Signing is a pretty universal thing, no? It works on any platform as a way of validating the authenticity of a code. Your argument seems to point to a disadvantage for the app developer side rather than the consumer side. Also I'm not clear on why recommending another AV accomplish? Is it just to disable smartscreen and or to avoid supporting their "bad practice" to validate a piece of software? 🙃
PS. MS Defender Smartscreen have a review system where you can submit your file for analysis if you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware.

You forgot the garbage called McAfee which is practically unavoidable if you try to buy a new laptop or pre-built system

I can not help wondering why developers keep taking that crap. We need a developer revolution. More and more people are making the Jump to Linux based operating systems. And since Flatpack has come into the world, distributing to all linux users has become a lot simpler. I am sure that many people use Windows purely out of habit. They feel secure that all programs will have a Windows version. Maybe if developers bypassed windows. The users would migrate to Mac or Linux, and see the advantages.

I always though that Windows was so insanely vulnerable that they had to create somthing to keep it from getting infected, to save them from all the bad press. Also when you get a cert, doenst that mean that the program wont harm windows or let in the bad guys?

I have never seen it that way and hearing about it shocks me.
What freaks me out the most is even if we switch to linux, these businesses will find a way to creep in there as well and ruin it ...

Again, thank you for another excellent content vid!

What's your thoughts on tronscript would want to know your insight on it, if possible

Thanks for the information it helped me to keep choosing Windows Defender over the rest of AV

Well, I did not expect that high prices for nothing...
Thanks for the video!

If you use windows you don't have privacy
That is so accurate

Totally unrelated, but I'm diggin' the Gil Grissom look rather than Mr Babyface. Makes you look more "seasoned" and knowledgeable. 😉👍

Thanks for the video!

Sounds like we need a lets encrypt like service in this space. We used to see the same bullshit for SSL certs on sites too.

Unfortunately, you sound spot on. Fortunately, I ditched Windows as my daily driver some time ago.

I use Bitdefender paid version. I buy it every 2 years when it goes on sale. 2 year key, 7 devices for $14 on ebay.

Hey Chris, love your work. I just got a new budget gaming laptop. Ryzen 7 5800H, RTX 3060, 16bg ram, 1 TB NVMe But it came with Win 11. I really want to use Win 10 still yet. Would I be best served by creating a bootable USB drive with win 10? I have a Win 10 Pro key. I don't even want to waste my time for a sec on win 11. This won't effect the machine? To just install 10 even though it never ran win 10 on it?

The only time I've seen Windows Defender detect anything is during tests of it in videos I see here. PC Security channel videos, mostly. "In the real world", the ONLY time I've seen Windows Defender 'detect' anything was in a scam web page designed to trick the user into thinking Defender found child pr0n on the user's computer. In all of the computers I've worked on where Windows Defender was running, I've noticed two things: 1) Defender hasn't detected or blocked anything and the system was free of viruses or malware; 2) Defender didn't detect or block anything and the system had malware running which I had to deal with. How is it that I NEVER see anything Defender has blocked or put in quarantine across a handful of Windows systems (handful = 10-15) I've dealt with over the past decade? Is it a personal thing with me? lol Great video! Interesting points about "Smartscreen". Recently, I've been dealing with frustrations using "Controlled Folder Access". Anyway, thanks for posting!

I would never use windows if my fingerprint works as a touch/tap to unlock fingerprint instead of swipe to unlock fingerprint in Linux. Please help me sir Chris

In Microsoft's "perfect world", we - the end users - would not be able to install any software on our computers that didn't come from the Microsoft store. Of course MS knows that's not going to fly, so you're right - they will put up obstacles as much as they can, like smartscreen. Personally I'm shocked how much privacy invasion MS has been able to get away with, but Win11 adoption seems to show people in general don't care about it enough to switch OS usage at scale.
I'll continue to stick with Linux and a highly customized, ameliorated++ version of Win10 for gaming & the rare program that just won't work on anything else. Have been dual booting for ~15 years now, really just part of SOP.
Started using Windows with v.3.1. On top of DOS. Moved on to 95, 98, NT, XP, 7 (still the best overall windows experience in my opinion), then 10. Entirely skipped Vista, 8, & 8.1. End of the windows line for me, not going to use 11 or what follows based on Microsoft's business practices & trajectory, even with new hardware.

Thanks for sharing!

Chris, how do we remove Windows Defender completely from windows 11?

What about ClamAV for windows ?

I have been using Kaspersky TS for years and have never got a single malware even tho I have downloaded a f ton of stuff.

The thumbnail is perfect!

Don't you need EV for Kernel Mode Driver Signing?

That was one of the reasons I've been using Fedora Linux for a long time. Actually, if you don't need it, for work or something else, apps that only work in Win# moving to Linux is the healthiest thing to do. Greetings Chris!

Malwarebytes Antimalware for me

Thanks for info

I don't use AV software, i disabled Defender and i disabled UAC...

I haven’t used Windows for years. Thought I’d watch this video to see what’s going on in Windows world. Good grief! I’m all Linux now. Glad I switched.

Yup, the whole code signing scheme is totally a mafia system. The cheapest issuer I could find was certum, who has special open source certificates but still not 100% smartscreen-proof like the EV ones. Another solution would be to ditribute your self-signed key along with the software but that makes more sense for an enterprise internal tool of some kind. There's sigstore for containers and linux apps but doesn't help with smartscreen (you can pracically sign anything with sigstore, it just ain't trusted by MS or Apple). Apple only trusts its own certificates btw and they sign your app themselves upon auditing (on every update/version), which can take months if you have the slightest mistake in your app manifest...

Sounds like the same sort of experience as when making iOS apps. You pay Apple 99 dólares a year for the privilege of being able to upload your apps to the app store, which they can revoke at any time if breaching the agreement (but Sir, of course, you might think), and then having to maintain signing certificates for signing the apps and so on.
That's for being able to distribute to end consumers. There's a different one price and certificate type for if you want to distribute your app as an in-house app etc.

Thanks again Dude for telling it like it is. Another reason why I switched to Linux for sure.

Also, it's curious that you're claiming that even removing telemetry is not any better for your privacy in Windows, and it's still invading privacy? How so?

Doesn't the other OS Apple do something similar (if you don't pay your not getting in)

I am already laughing at 2 minutes. MS shady weirdness? Who would have thunk?
Edit: Well, it sucks, but most people seem happy to be ripped off for billions of dollars by what amounts to a monopoly of a product that needs to be fixed to work well -- or at all.

Believe it Chris, remember back in the day nobody could prove a thing with the internet explorer thing. And what did we find out eventualy.....!!?

0:52 MS has never once been 'good guy', or 'awesome', in its entire history. Not once. These people would charge you for every breath of air you breathe, if they could.
First thing to die in a Windows installation of mine, is "Windows Defender", and "SmartScreen". I rip them both out of my install ISO entirely.

looks like even ur average dev needs to pay for mafia protection

you know there are people in here like "tHiS iS wHy i uSe a mAc"
*snrk

Your payment for getting "Validation' or 'Extended Validation' was a waste of money Chris. I've had to manually turn off Windows Defender. And I do have your '.exe' file version of your program. Windows "Smart Screen" is just too stupidly intrusive. Incidentally, having a signed version of your program ALSO DOES NOT MATTER with either Malwarebytes AntiMalware or Trend Micro. They BOTH declare it a virus. Malwarebytes is particularly aggressive & persistent in doing so, even after following their instructions to Allow it, and Never show it as a virus. This includes, most recently, declaring the UNPACKED file a virus. Incidentally, I have several computers, before anyone accuses me of using multiple anti virus programs on one computer & getting conflicts as a result. Several days later, Trend Micro has been removed permanently, from one machine, and Malwarebytes removed & reloaded on another. No further problem. Sorry Chris.

Imagine having to pay to publish software so that it isn't considered malicious instead of having an AV that actually detects real malicious software

you came in a good time, yesterday I decided to kill anti malware executable service! cause it uses a lot of ram.

Good video and yes sad but true. As a developer I have seen the same kind of fuckery and as a tech I recommend Avira AV 100%.

Bit defender sucks for sys admins as you have to boot up in safe mode to uninstall certain programs. PITA. My Wholesalers sell Bitdefender 3 Licence for equivalent of $8 and $12 for 5 User. Most of my work is remote and booting up in safe mode is a PITA with BD.

Choosing an antivirus besides Defender then my go choice is Sophos.

Let's not forget that Windows Defender is a resource hog, making your PC really slow. I have it disabled from gpedit and regedit on every install.

I have duel booted Linux and win 11
No third party antivirus installed
Whenever I boot into windows the fan just ramps up just after startup on idle
Why??
I opened the task manager and it's antimalware service executable (AKA Windows Defender) consuming 30% of my CPU and 50% of ram ( 4 core and 8 gigs )
😡😤
Then i boot into Linux
It's a breath of fresh air
and my laptop stays quite and cool
😇😌

"You have to pay us for protection". Doesn't sound like a mafia at all lol

Update on Lenovo Chromebook please

the irony.
So many programs you'd download that have paid the extortion can be backdoors to your system. And don't get me started on Cortana...