Like other antivirus programs, Microsoft Defender will upload suspicious files to Microsoft to determine if they are malicious. However, some consider this a privacy risk and would rather have their files stay on their computer than have them uploaded to a third party.
When Microsoft Defender scans your device, by default, it will use the 'Automatic sample submission' feature to upload files to Microsoft's servers when a file is suspected to be malicious.
Microsoft's cloud-based protection will analyze the file, and if it is determined to be malicious, cause Microsoft Defender to quarantine the file on the device.
When submitting files, Microsoft Defender will automatically upload executables and scripts, but it will prompt the user before uploading a file that may contain personal information, such as a document.
"If Windows Defender Antivirus is turned on, it monitors the security status of your device. It automatically prepares reports to send to Microsoft about suspected malware and other unwanted software. Sometimes, the report includes files that may contain malware."
"Files that aren’t likely to contain user data are sent automatically. However, you’ll be prompted for permission if Windows Defender Antivirus wants to send a document, spreadsheet, or other type of file that is likely to contain your personal content," Microsoft explains in a Windows 10 privacy webpage.
Possible privacy risk?
While I consider uploading suspected files for analysis to be a beneficial feature, some antivirus users consider this a privacy risk and may want to disable it.
"Perhaps most importantly, privacy. These are my files, on my computer, and read by a human or not, I don't want them being sent off, certainly without my permission," explained a Windows 10 user who wanted to disable the feature.
Automatic sample submission has also been cited as a possible cause of the fallout between the US government and Russian antivirus firm Kaspersky.
In 2015, Kaspersky disclosed that they had detected a suite of NSA surveillance and hacking tools associated with the mysterious "Equation Group."
The tools were reportedly later uploaded from the home PC of an NSA contractor who had taken them home and stored them on a computer running Kaspersky antivirus. When the software flagged them as suspicious, the antivirus program uploaded them to Kaspersky's servers, which at that time were in Russia.
How to disable Microsoft Defender's automatic file uploads
While we still suggest that users allow automatic sample submissions to increase the security of their computer, if you wish to disable the feature in Microsoft Defender, you can use the following steps:
- Click on the Start Menu, search for 'Windows Security', and open it when it appears in the search results.
- When the Windows Security screen opens, click on 'Virus & threat protection.'
- When the Virus & threat protection screen opens, click on 'Manage Settings' under the Virus & threat protection settings category.
- When the Virus & threat protection settings screen opens, scroll down and disable 'Automatic sample submission,' as shown in the image below.
- After disabling the setting, you will be shown a User Account Control (UAC) prompt, where you should click on the Yes button.
Automatic sample submissions are now disabled and can be enabled again by reversing these steps.
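The same setting can be read and changed from an elevated PowerShell prompt, which is useful when you want to script the change or confirm what the GUI toggle actually did. The following is an added example and is not code from the article: it uses the built-in Defender cmdlets Get-MpPreference and Set-MpPreference, and it also checks the registry path that Group Policy writes for this setting, because a policy-enforced value greys out the GUI toggle and overrides the local preference.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt;
# Set-MpPreference needs administrator rights, Get-MpPreference does not.

# SubmitSamplesConsent values as documented for Set-MpPreference:
#   0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
$consentNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }

function Get-SampleSubmissionState {
    $pref = Get-MpPreference
    [pscustomobject]@{
        SubmitSamplesConsent = $consentNames[[int]$pref.SubmitSamplesConsent]
        # MAPSReporting is the cloud-delivered protection toggle:
        #   0 = Disabled, 1 = Basic, 2 = Advanced
        MAPSReporting        = $pref.MAPSReporting
    }
}

Write-Host 'Before:'
Get-SampleSubmissionState

# The GUI toggle described in the article corresponds to NeverSend.
# AlwaysPrompt is the middle ground: Defender asks before every upload,
# including executables and scripts, instead of uploading nothing.
Set-MpPreference -SubmitSamplesConsent NeverSend

Write-Host 'After:'
Get-SampleSubmissionState

# If Group Policy (or an MDM policy) pins this setting, Set-MpPreference and the
# GUI toggle are overridden. Group Policy writes the value under this key:
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
$policy = Get-ItemProperty -Path $policyPath -Name SubmitSamplesConsent -ErrorAction SilentlyContinue
if ($policy) {
    "Policy override present: SubmitSamplesConsent = $($consentNames[[int]$policy.SubmitSamplesConsent])"
} else {
    'No policy override; the local preference shown above applies.'
}
```

To re-enable uploads, run `Set-MpPreference -SubmitSamplesConsent SendSafeSamples`, which is the default the article describes (executables and scripts sent automatically, documents only after a prompt).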
Comments
Hammerfest - 2 years ago
This is NOT a complete solution or article.
Sometimes the very next day (and after any Defender update) Windows will alert you (notifications) and Windows Defender will have an "!" over the Defender icon about it being disabled, and you have to go in and click Dismiss, then Yes for UAC, each time.
It gives the illusion that you are not protected just because this feature is turned off. It's important to note that, or to disable submissions in some other way so that it won't continue to throw the SCARE TACTICS at the user.
EmanuelJacobsson - 2 years ago
If you click Dismiss it won't bother you again.
Hammerfest - 2 years ago
You must not read much; it comes right back up on the next restart or the next update of the Windows Defender engine, as I CLEARLY stated in my comment.
Starkman - 2 years ago
Never comes back up on my system.
bestantivirus - 2 years ago
The article is incomplete not only about Windows Defender (it forgets to mention the aggressive way the user is encouraged to use automatic sample submission), but also about Kaspersky. Suspicious sample sending is not enabled by default in Kaspersky commercial products. The user can accept or decline it at product installation, as well as turn it on or off at any time. The fact that an NSA contractor (a cyber security professional) working with malware used Kaspersky Internet Security with sample sending turned on raises many questions, but it is a different topic. Currently, Kaspersky Security Network, where the suspicious samples are sent, is located in data centers in Switzerland, but the product code together with the said system is available for review by government regulators, etc.
Amigo-A - 2 years ago
"""Kaspersky's servers in Russia"""
Amendment:
kaspersky.com
kaspersky-labs.com
These main Kaspersky servers are located in the United States.
EmanuelJacobsson - 2 years ago
And the rest are in Switzerland.
Lawrence Abrams - 2 years ago
But they were located in Russia at the time of the NSA contractor story.
https://www.kaspersky.com/about/press-releases/2020_kaspersky-completes-its-data-processing-relocation-to-switzerland-and-opens-new-transparency-center-in-north-america
Lawrence Abrams - 2 years ago
Clarified in the article that the servers were in Russia at the time of that event.
Peter___Adam - 2 years ago
From the article: "Possible privacy risk?"
No, it is a security risk. It tried to upload a Firebird 1.5 (*.fdb) database full of personal data like names, social security numbers, addresses, etc., because someone at the Outsourced Company thought a file with the fdb extension may contain some harmful code ...
the_moss_666 - 2 years ago
"From the article: "Possible privacy risk?"
No, it is a security risk. It tried to upload a Firebird 1.5 (*.fdb) database full of personal data like names, social security numbers, addresses, etc., because someone at the Outsourced Company thought a file with the fdb extension may contain some harmful code ..."
Even executable files can contain sensitive information:
https://www.bleepingcomputer.com/news/security/most-loved-programming-language-rust-sparks-privacy-concerns/
jblo - 2 years ago
I was walking through the execution of a malware sample recently. It executed the following command, which seems aimed at doing what this article references:
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
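A defender reading the comment above will want to know whether that command has run on a machine they manage. The following is an added example, not code from the commenter or from the article: Defender records every configuration change as Event ID 5007 in its Operational log, and the event text carries the old and new registry values, so the change from the default to NeverSend is visible there regardless of whether it was made through Windows Security, Set-MpPreference, or malware. The exact wording of the 5007 message (the "Old value:" / "New value:" lines) and the availability of PowerShell script-block logging (Event ID 4104) are assumptions about the target system; adjust the regular expressions if your build formats the message differently.

```powershell
# Added example (not from the comment or the article). Assumes the 5007 message
# contains "Old value: <path> = 0x<n>" and "New value: <path> = 0x<n>" lines,
# and that PowerShell script-block logging (4104) is enabled where it is queried.

function Get-DefenderSubmissionChanges {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007                       # "antimalware platform configuration changed"
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # Only the two values behind the cloud-submission toggles are interesting here.
        Where-Object { $_.Message -match 'SubmitSamplesConsent|SpynetReporting' } |
        ForEach-Object {
            $old = if ($_.Message -match 'Old value:\s*(.+?)\r?\n')     { $Matches[1].Trim() } else { '' }
            $new = if ($_.Message -match 'New value:\s*(.+?)(\r?\n|$)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                Time = $_.TimeCreated
                Old  = $old
                # A New value ending in "SubmitSamplesConsent = 0x2" is NeverSend;
                # "SpynetReporting = 0x0" means cloud-delivered protection was turned off.
                New  = $new
            }
        }
}

function Get-SetMpPreferenceInvocations {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                       # script-block logging
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Set-MpPreference' } |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Message } }
}

# Correlate the two: a 5007 change to NeverSend with no administrator action,
# followed closely by a 4104 entry containing Set-MpPreference, matches the
# behaviour in the comment above.
Get-DefenderSubmissionChanges -Days 30 | Sort-Object Time | Format-Table -AutoSize
Get-SetMpPreferenceInvocations -Days 30 | Format-List
```

If the command was launched as `powershell -Command ...` from another process, as in the comment, it will also appear in process-creation auditing (Security log Event ID 4688 with command-line logging enabled, or Sysmon Event ID 1), with the parent process identifying what spawned it.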
Lawrence Abrams - 2 years ago
Love to see that malware sample if you don't mind sharing.
jblo - 2 years ago
Reached out to you via another channel.