HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

Upcoming Windows change: MDAV performance mode is bad for your security and needed only in very specific cases (developers) #43

Closed rafalfitt closed 1 year ago

rafalfitt commented 1 year ago

"The goal of performance mode is to improve functional performance for developers who use Windows 11 devices."

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-antivirus-performance-mode

rafalfitt commented 1 year ago

"Performance mode is enabled by default when a new Dev Drive is created."

HotCakeX commented 1 year ago

Hi, it's currently in Windows insider Dev channel builds https://learn.microsoft.com/en-us/windows/dev-drive/#prerequisites

There isn't a Group Policy in stable builds to control it. The commands to query or assign trust to it also don't work on stable builds when I run them (tested them on Windows insider beta build too that I use for day-to-day usage) https://learn.microsoft.com/en-us/windows/dev-drive/#how-do-i-configure-additional-security-filters-on-dev-drive

So if someone is using insider Dev builds and they use Dev drive, they can change the Microsoft Defender's behavior with those commands.

That's my idea, let me know what you think :)

rafalfitt commented 1 year ago

"Performance mode is enabled by default when a new Dev Drive is created." so this Powershell command is not needed and can be safely removed.

HotCakeX commented 1 year ago

> "Performance mode is enabled by default when a new Dev Drive is created." so this Powershell command is not needed and can be safely removed.

Which PowerShell command?

rafalfitt commented 1 year ago

(please ignore my previous comment, my mistake)

HotCakeX commented 1 year ago

This was just added to the beta channel https://blogs.windows.com/windows-insider/2023/08/02/announcing-windows-11-insider-preview-build-22621-2129-and-22631-2129/

I've been testing it, couldn't find a group policy for it yet but we can mark a Dev drive as untrusted and restore its protection using fsutil

```
fsutil devdrv untrust <Drive Letter>:
```

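An added example, not code from this issue thread or from the Harden-Windows-Security project, showing how the `fsutil devdrv untrust` step above can be applied to every Dev Drive on a machine rather than to one hand-typed drive letter. It assumes (these details are not stated on the page) that `fsutil devdrv query <drive>:` prints a line containing "trusted developer volume" or "untrusted developer volume" on builds that ship Dev Drive, and that on builds without Dev Drive support `fsutil` rejects the `devdrv` verb with a non-zero exit code, which matches the "commands don't work on stable builds" observation earlier in the thread. The function names `Get-DevDriveTrust` and `Set-DevDriveUntrusted` are made up for this example.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the issue thread or the Harden-Windows-Security project).
  Finds Dev Drive volumes (Dev Drive is always ReFS, so ReFS volumes with a drive
  letter are the only candidates) and marks any that are still "trusted" as
  untrusted with 'fsutil devdrv untrust', which takes Microsoft Defender out of
  performance mode for that volume.
  Assumptions, not stated on the page: 'fsutil devdrv query <drive>:' prints
  "... trusted developer volume" / "... untrusted developer volume" on builds that
  support Dev Drive, and exits non-zero on builds that do not.
#>

function Get-DevDriveTrust {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DriveLetter)

    $root   = "$($DriveLetter.TrimEnd(':')):"
    $output = (& fsutil.exe devdrv query $root 2>&1 | Out-String).Trim()

    # Stable builds without Dev Drive support reject the 'devdrv' verb entirely.
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{
            Drive = $root; Supported = $false; IsDevDrive = $false; Trusted = $null; Detail = $output
        }
    }

    # Assumed output wording: "This is a trusted developer volume." or
    # "This is an untrusted developer volume."; anything else is not a Dev Drive.
    $isDevDrive = $output -match '(?i)\b(un)?trusted developer volume'
    $trusted    = $isDevDrive -and ($output -notmatch '(?i)\buntrusted developer volume')

    [pscustomobject]@{
        Drive = $root; Supported = $true; IsDevDrive = $isDevDrive; Trusted = $trusted; Detail = $output
    }
}

function Set-DevDriveUntrusted {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DriveLetter)

    $root = "$($DriveLetter.TrimEnd(':')):"
    if ($PSCmdlet.ShouldProcess($root, 'fsutil devdrv untrust')) {
        & fsutil.exe devdrv untrust $root
        if ($LASTEXITCODE -ne 0) {
            throw "fsutil devdrv untrust $root failed with exit code $LASTEXITCODE"
        }
    }
}

# Only ReFS volumes that actually have a drive letter can be queried by letter.
$candidates = Get-Volume |
    Where-Object { $_.FileSystemType -eq 'ReFS' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' }

foreach ($vol in $candidates) {
    $status = Get-DevDriveTrust -DriveLetter $vol.DriveLetter

    if (-not $status.Supported) {
        Write-Warning "$($status.Drive) this build does not support Dev Drive: $($status.Detail)"
    }
    elseif (-not $status.IsDevDrive) {
        Write-Verbose "$($status.Drive) is ReFS but not a Dev Drive, nothing to do"
    }
    elseif (-not $status.Trusted) {
        Write-Host "$($status.Drive) Dev Drive is already untrusted; Defender scans it normally"
    }
    else {
        Write-Host "$($status.Drive) trusted Dev Drive, revoking trust"
        Set-DevDriveUntrusted -DriveLetter $vol.DriveLetter
        # Re-query so the reported state is what fsutil recorded, not what was requested.
        $after = Get-DevDriveTrust -DriveLetter $vol.DriveLetter
        Write-Host "$($after.Drive) trusted after change: $($after.Trusted)"
    }
}
```

Run it elevated; `fsutil devdrv` requires administrator rights. Because `Set-DevDriveUntrusted` supports `ShouldProcess`, dot-sourcing the script and calling it with `-WhatIf` shows which volumes would be changed without touching them. On a stable build that predates Dev Drive, every ReFS volume lands in the "not supported" branch and nothing is modified, which is the behaviour the thread describes for those builds.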
HotCakeX commented 1 year ago

Added the feature to disable the performance mode in Microsoft Defender for Dev drives

https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.20