
Explicit support for Windows Dev Drives and WSL MDE plugin best practices

Open byjrack opened this issue 2 years ago • 0 comments

Tell us about your request

Microsoft Defender continues to be a heavy tax on Docker Desktop because of its attempt to introspect all the activity in the WSL2 space. We do our best to use exclusions, but they never seem to hold out.

Which service(s) is this request for?

Docker Desktop

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

Managing AV and related security rules can feel like a game of whack-a-mole as signatures change and all of a sudden something that seemed OK is now deemed a threat. This can significantly impact build and other inner loop activities on the machine that we would like to reduce.

Microsoft has introduced new features to W11 around developers though.

Dev Drives are basically a mount point that Defender treats differently. So hypothetically docker builds and runs that trigger IO on that mount point instead of %LOCALAPPDATA% might have a lower tax on the tooling.

They are also releasing a plugin for WSL2 that should allow for better insight into what is going on in the distributions.

So work around making DD smart enough to use these features to help reduce the overhead on the endpoint would be valuable. And if those features cause issues with DD, the Moby WSL2 env, or other things, well, that would be great to know as well.

Are you currently working around the issue?

Lots of work on analyzing logs and adding targeted rules that never seem to fix things for long.

byjrack, Jan 10 '24 21:01