Difference between the GPEDIT options "Turn on behavior monitoring" and "Monitor file and program activity on your computer"? And do I need them both?

Hi!

So, after the input received in my other thread about whether I really need real-time protection, I decided to activate it again.
In GPEDIT (where I had deactivated everything, because otherwise Windows Security keeps reactivating the real-time protection even if the anti-tampering option is disabled) I find two similar options, which I wrote in the title.
When I DuckDuckGo for the latter, I find results for the former.
The latter also sounds a bit like DEP, although I guess it's not DEP.

Anyway, can you explain what the difference between the two is, and whether I really need them both running?
Ah, btw, what's your take on having DEP set to "for all programs"?

Thanks
 

My Computer

System One

  • OS
    Win11 64 Pro
    Computer type
    Laptop
    Manufacturer/Model
    LG Gram 17 (2022)
Data Execution Protection (DEP) is one of several Windows tricks to defend against buffer overflow attacks. By carefully designating which memory pages are assigned to code vs. stack (dynamic memory), exploits can't take advantage of buffer overflows to overwrite a code page. The cost of running DEP all the time is negligible for a modern CPU.

Should you run it all the time? Yes, it helps prevent some basic security attacks.
Why does Windows allow me to disable it? On really old CPUs, it was known to cause stability issues.

Windows security is based on in-depth layers, because a single security feature isn't enough to protect you from all forms of attack.
 

My Computer

System One

  • OS
    Windows 7
Data Execution Protection (DEP) is one of several Windows tricks to defend against buffer overflow attacks. By carefully designating which memory pages are assigned to code vs. stack (dynamic memory), exploits can't take advantage of buffer overflows to overwrite a code page. The cost of running DEP all the time is negligible for a modern CPU.

Should you run it all the time? Yes, it helps prevent some basic security attacks.
Why does Windows allow me to disable it? On really old CPUs, it was known to cause stability issues.

Windows security is based on in-depth layers, because a single security feature isn't enough to protect you from all forms of attack.
Well, disabling it completely is only possible with special tools and I didn't feel the need. The question was whether to leave it at the default "only for Windows files" or set it to "for all programs".

And what about those two Defender GPEDIT settings, any idea what the latter does?
 

if I really need real time protection, I decided to activate it again.
You're the one who decided to strip your OS. Did you not keep a record of what you did so you would know how to undo it?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 2600.1742
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 nvme+256gb SKHynix m.2 nvme /External +512gb Samsung m.2 sata+1tb Kingston m2.nvme
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
You're the one who decided to strip your OS. Did you not keep a record of what you did so you would know how to undo it?

That is a must. Also, is the OP keeping a regular full system backup using Macrium, AOMEI or similar while they're carrying out all this tinkering? :unsure:
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 2002
    Memory
    Corsair Dominator 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External Fiio K5 Pro ESS DAC - Headphone Amplifier
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Logitech K860
    Mouse
    Logitech MX Ergo Trackball
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    Logitech Brio 4K Webcam
    Orico 10-port powered USB 3.0 hub
is the OP keeping a regular full system backup
That was strongly advised but this OP has not indicated in his other thread whether he took the advice or not.
 

What are you two even talking about?
I've stripped nothing.
This is just an option that can be deactivated and reactivated at all times.
And I'm simply asking what these two options are for, so I can better decide whether I want to keep them both active or only the behavior monitoring.
Easy.
You can save all this sarcasm for when you need to digest things that need more acidity. It's really not needed.
 

Well, disabling it completely is only possible with special tools and I didn't feel the need. The question was whether to leave it at the default "only for Windows files" or set it to "for all programs".

And what about those two Defender GPEDIT settings, any idea what the latter does?
There are no "special tools"; it's always been in the legacy Control Panel under System Properties or the newer W11 Settings control panel.
How to Enable or Disable Data Execution Prevention

The two Defender policies in a nutshell:
Behavior monitoring in Microsoft Defender Antivirus
Enable and configure Microsoft Defender Antivirus always-on protection

Sometimes these policies cause false positives, which is why you're allowed to disable them. All these settings (including DEP) can be enabled or disabled on the fly.
 

"Monitor file and program activity" is the setting for on-access protection. This is for the "automatic" anti-malware protection that kicks in whenever something is accessed, as opposed to on-demand action where you tell Defender to scan something specifically.

Behavior monitoring is, well, monitoring the behavior of processes and killing things that act suspicious. This is different from, say, the anti-malware engine having a set of known signatures and blocking files it knows are bad, based on history. Behavior monitoring acts on things based on what they do, whether they're known processes or not.

 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical Keyboard with Cherry MX Clears
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical Keyboard - Cherry MX Clear
There are no "special tools", it's always been in the legacy Control Panel for System Properties or the newer W11 Settings control panel.
How to Enable or Disable Data Execution Prevention
Hmmm, but would that completely disable it also for Windows files?
Or would that only disable it "for all programs" but leave it for Windows files?
Considering that the advanced system settings (which until now was the only place where I was aware this could be changed) don't give the possibility to completely disable it, I took it for granted that it cannot be.
I even saw that there's an entry about it in the Exploit Protection section of Defender; I saw it many times, but I always believed that it wouldn't completely disable it :)

In the second link (which I knew, but thanks :geek: ) I don't find anything about "Monitor file and program activity on your computer".
It just says that the always-on protection is a holy trinity made of Real Time Protection, Behavior Monitoring, and Heuristics.
Now, apart from the fact that I never really understood what the difference is between Heuristics and Behavior Monitoring, as both are ways to detect bad stuff without using signatures, in this case I can only think that you imply that Heuristics is the same as "Monitor file and program activity on your computer", otherwise I don't get the connection that you're making :unsure:
 

"Monitor file and program activity" is the setting for on-access protection. This is for the "automatic" anti-malware protection that kicks in whenever something is accessed, as opposed to on-demand action where you tell Defender to scan something specifically.
But wouldn't that be the same as "real-time protection"?
I mean, real-time protection means that everything that happens is monitored in real time "on access", or am I inventing stuff (which could be, because my knowledge is completely DIY)?

What confuses me is that there's an option for real-time protection already.
There are 4 similar options: real-time protection, heuristics, behavior monitoring, and monitor file and program activity.
Ah, and DEP.
And I am unsure as to how they differ.
RTP and MFAPA seem completely the same to me.
And BM and H also seem the same.
DEP, I understand that it's a different thing, but for example I don't understand whether by disabling RTP and/or MFAPA DEP would also be disabled, because DEP implies that things are monitored in real time.
In the same way I wonder whether by disabling RTP and/or MFAPA BM and H would also stop...
So, it's all a bit confusing.
 

What are you two even talking about?
I've stripped nothing.
Is this not your thread? So, I got obsessed with achieving the perfect clean install and it took me a week and many many attempts. Feel free to comment what can be improved.

strip = debloat, remove, alter, disable... anything that stops normal Windows functions. You said yourself you were obsessed in your quest against "MS from 'interfering' with your Windows." I mean no disrespect. Is that not what was discussed in your other thread?

All I'm saying is if you set out to make major changes, you should keep detailed notes on what you do so that, as in this case, you can undo it.
 

But wouldn't that be the same as "real-time protection"?
No. You already said it yourself, but MSFT clarifies that "Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities."
 

Is this not your thread?
Yeah, but I meant that in THIS case I stripped nothing.
It's two completely unrelated things.
I do keep track of what I do.
But in this case I didn't need to understand these two processes in detail when I wanted to disable things, so I didn't bother looking for detailed info; I just disabled everything that implied some form of background activity.
Now that I've decided that it's indeed not safe to be completely without real-time protection, I am trying to understand what the difference is between these processes, so that I can on one hand satisfy my need to know what's what, and on the other hand decide what I need and what I don't.

Your comment seemed a generic discrediting of my entire attitude towards Windows, which you have every right to believe, and I have no problem with you saying it (although it would be nice if you could do it without sarcasm, as if you're right and I am wrong, which is different from "I prefer this way"). But it didn't seem to contribute to what this thread is for.
 

No. You already said it yourself, but MSFT clarifies that "Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities."
Sorry, I don't get it.
There is the holy trinity, and there is MFAPA.
What's the relationship between them?
 

"MFAPA" is not a thing. That's the friendly human-readable description for a setting. The actual registry entry created when you change that setting is "DisableOnAccessProtection."
 

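To make the mapping above concrete (the on-access vs. behavior-monitoring explanation earlier in the thread, and the DisableOnAccessProtection registry value just mentioned), here is an added read-only PowerShell audit. It is not code from the thread or from Microsoft; it assumes the standard Windows Defender Group Policy key path and the Get-MpComputerStatus and Win32_OperatingSystem property names named in its comments.

```powershell
# Added example, not from the thread: read-only audit of the Defender always-on
# layers discussed above and of the DEP policy. Run in an elevated PowerShell.
# Assumes the Defender module (Get-MpComputerStatus) is available and that GPEDIT
# writes the Real-Time Protection policies to the key below (standard on Win10/11).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

# GPEDIT setting -> registry value it writes -> effective-state property reported
# by Get-MpComputerStatus. Heuristics is not listed because Get-MpComputerStatus
# exposes no separate heuristics flag.
$Layers = @(
    @{ Setting  = 'Turn off real-time protection'
       RegValue = 'DisableRealtimeMonitoring'; Status = 'RealTimeProtectionEnabled' },
    @{ Setting  = 'Turn on behavior monitoring'
       RegValue = 'DisableBehaviorMonitoring'; Status = 'BehaviorMonitorEnabled' },
    @{ Setting  = 'Monitor file and program activity on your computer'
       RegValue = 'DisableOnAccessProtection'; Status = 'OnAccessProtectionEnabled' }
)

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy codes.
$DepNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn  (Windows programs and services only, the default)'
    3 = 'OptOut (all programs except those on the exception list)'
}

function Get-DefenderLayerReport {
    $status = Get-MpComputerStatus
    foreach ($layer in $Layers) {
        # Policy value 1 forces the layer OFF, 0 forces it ON; a missing value
        # means "Not configured", so the local Windows Security setting wins.
        $policy = Get-ItemProperty -Path $PolicyKey -Name $layer.RegValue -ErrorAction SilentlyContinue
        $policyState = if ($null -eq $policy) { 'not configured' }
                       elseif ($policy.($layer.RegValue) -eq 1) { 'forced OFF' }
                       else { 'forced ON' }
        $effective = if ($status.($layer.Status)) { 'ON' } else { 'OFF' }
        [pscustomobject]@{
            Setting   = $layer.Setting
            Effective = $effective
            GPOPolicy = $policyState
        }
    }
}

function Get-DepPolicy {
    $code = [int](Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    '{0} ({1})' -f $code, $DepNames[$code]
}

$s = Get-MpComputerStatus
Get-DefenderLayerReport | Format-Table -AutoSize | Out-Host
'Tamper protection    : {0}' -f $s.IsTamperProtected
'Signature age (days) : {0}, last updated {1}' -f $s.AntivirusSignatureAge, $s.AntivirusSignatureLastUpdated
'DEP policy           : {0}' -f (Get-DepPolicy)
```

A layer showing Effective = OFF with GPOPolicy = "not configured" was switched off locally rather than by GPEDIT, which is the case the thread's first post describes.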
Not related to the question in this thread either, but in case you're interested, just as an FYI: I believe you have Windows Update off. Defender AV depends on Windows Update to download a new definitions update every day, sometimes more often for zero-day fixes.
 
