Virus Scanning?

Could someone explain which program is actually used for virus scanning please? I don’t have a third party scanner installed, so I’m curious whether GW has one built in, or whether it checks databases from elsewhere etc.

1 Like

@codeknight

We use a Windows API. The documentation is a bit confusing, but if you have no antivirus installed I think it should use Windows Defender, and if you use another antivirus I believe it’s supposed to use your other antivirus (depending on how that antivirus is set up with the OS).

If you use an antivirus that doesn’t work to take over the antivirus scanning from Windows Defender then I believe our scanner will continue to use Windows Defender.

1 Like

Suggestion:

Can you make it optional for GlassWire to use VirusTotal?

Better to have 50+ engines scanning something than 1.

I see now this was already a suggestion in 2015:

Ken said this will be in GlassWire V2.0:
https://forum.glasswire.com/t/virustotal/4999?u=glasshole

I can confirm that the default Windows Defender (MsMpEng.exe) is being used on Windows 10 when I have no third-party Anti-Virus (AV) installed.

Here’s an example where MsMpEng.exe runs when the Virus Scan button is clicked in GlassWire for the file Firefox.exe:

This issue was discussed last year. I’m still not sure how I would confirm that the file is actually being scanned when using a third-party AV. At least, I haven’t yet managed to record an actual file scan using a third-party AV. I just tried again with BitDefender Free - I may try some others:

2 Likes

So… GlassWire can still scan with Windows Defender even if it’s disabled by group policy?

@Toad_004

It should not be able to.

I’ve even gone as far as to use NTLite to uninstall Windows Defender entirely. There are no programs on my PC that have the ability to scan (I prefer VirusTotal, sandboxing programs, and of course GlassWire). Yet GlassWire is still able to scan files, or at least claim it can scan files.

Most likely, it simply wasn’t programmed to throw an error if you don’t have anything installed that it can scan with. I actually tried to get GlassWire to scan EICAR (a testing file that will show as a virus on most scans, including Windows Defender) but realized that GlassWire doesn’t have a way to scan a file that has never tried to connect to the network.

1 Like

I think that you’re probably right. Evidence for this is that Microsoft explicitly state that failure to find a virus scanner doesn’t always throw an error message. See Introduction to the Antivirus API Reference for Office | Microsoft Learn

Be aware that Microsoft Office does not warn the user that a virus scanner is not found.

@Toad_004

Thanks for your report. We’ll see if we can give the user an error. We use a Windows API for the scanning, so perhaps it cannot tell you have disabled Windows Defender.

1 Like

If it can’t tell if you’ve got it disabled, shouldn’t it display a message saying that the virus scan failed, rather than just going green and saying it scanned and no virus was found?

1 Like

Yes, but GlassWire won’t be able to tell if the Microsoft API doesn’t return a relevant error code.

In the case of Microsoft Office, I can see why they wouldn’t want an error message to appear for users viewing or editing a document. But GlassWire is a security product, so it should ensure that scans are actually completed, which probably means GlassWire should use another method to scan files if we’re correct about the issue with the Microsoft API.

2 Likes

Agreed, oversight or not, showing a green confirmation when not valid is lying, no two ways about it.
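
The fail-closed behaviour the posts above ask for, as an added example that is not GlassWire's code and not from any poster: a scan wrapper that reports "NotScanned" instead of "Clean" whenever no engine actually ran. It assumes Microsoft Defender is the only engine consulted and that MpCmdRun.exe sits at its default path; `Get-ScanVerdict` and `New-Verdict` are hypothetical names.

```powershell
# Added example: three-state verdict (Clean / Threat / NotScanned) for one file.
function Get-ScanVerdict {
    param([Parameter(Mandatory)][string]$Path)

    # Hypothetical helper: every outcome carries an explicit verdict and a reason.
    function New-Verdict([string]$Verdict, [string]$Reason) {
        [pscustomobject]@{ Path = $Path; Verdict = $Verdict; Reason = $Reason }
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return New-Verdict 'NotScanned' 'File not found'
    }

    # 1. Confirm an engine exists before scanning. The cmdlet is absent or throws
    #    when Defender has been removed or its service is not running.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        return New-Verdict 'NotScanned' 'Defender is not available on this system'
    }
    if (-not $mp.AntivirusEnabled) {
        # Also the case when policy or a third-party AV has turned Defender off.
        return New-Verdict 'NotScanned' 'Defender antivirus is disabled'
    }

    # 2. Run a custom scan of the single file without remediation.
    $exe = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        return New-Verdict 'NotScanned' 'MpCmdRun.exe not found at the default path'
    }
    & $exe -Scan -ScanType 3 -File $Path -DisableRemediation | Out-Null

    # 3. Only the documented "no malware found" code maps to Clean.
    #    Anything unexpected is treated as "not scanned", never as green.
    switch ($LASTEXITCODE) {
        0       { New-Verdict 'Clean'      'Scan completed, no threat found' }
        2       { New-Verdict 'Threat'     'Scan completed, threat detected' }
        default { New-Verdict 'NotScanned' "Unexpected exit code $LASTEXITCODE" }
    }
}

Get-ScanVerdict -Path "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
```

On a machine where Defender has been uninstalled or disabled by policy, this returns `NotScanned` with the reason rather than a clean result.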