Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  2. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,118
    Location:
    U.S.A.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  4. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,118
    Location:
    U.S.A.
    It's Microsoft, business as usual. :shifty:
     
  5. Oldie1950

    Oldie1950 Registered Member

    Joined:
    Feb 24, 2022
    Posts:
    85
    Location:
    Deutschland
    A promotional measure for the Edge browser.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  7. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    After more recent updates to Windows 11, MS Defender has become very, very CPU hungry. Every time it's scanning, it slows down my entire system, using all 24 of my cores.

    What exactly is it doing that uses 99.99999% of my CPU? Other solutions don't do that.
     
  8. SeriousHoax

    SeriousHoax Registered Member

    Joined:
    Mar 27, 2019
    Posts:
    101
    Location:
    Bangladesh
    Microsoft Defender is one of the very few products along with Bitdefender that can make use of all available cores and threads to speed up manually performed scans. But of course, if it slows down the system then that's not ideal. But what are you scanning with MD? It's not a very good scanner as it's dependent on the cloud a lot and it's mainly good at the pre-infection detection. Block At First Sight is their main defense which checks every single file with their local + cloud-based AI/ML models. But the file has to be downloaded from the internet to trigger BAFS. Otherwise, files are sent to cloud for analysis only if the local ML models deem something suspicious. I would use some other second opinion scanner if I had to scan something regularly. Kaspersky Virus Removal Tool, Emsisoft Emergency Kit, Norton Power Eraser, ESET Online Scanner are some of the great options.
     
  9. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    What's weird is despite it using all cores as you mention, it is the slowest scanner and takes ages to complete.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    That sounds like it assumes this was a manual scan. One of my primary gripes about Defender is that it scans all of the time on its own, the same files over and over.
     
  11. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    Yes, in this day and age, I would've hoped that the creators of the OS are smart enough to implement a whitelisting feature so it won't rescan the same files if the hashes didn't change. That would be a game changer in terms of performance.
     
  12. SeriousHoax

    SeriousHoax Registered Member

    Joined:
    Mar 27, 2019
    Posts:
    101
    Location:
    Bangladesh
    I agree, it's quite slow. It's down to their engine probably and it's not easy to suddenly make it fast. They probably didn't put much effort to make it fast. They invested/invest most of their time and money into their cloud protection part, I think.
    Yeah, I automatically assume that it's a manual scan because otherwise it won't use all the processor cores.
    It has cache and they are kept until a system reboot. Users who don't turn off fast startup benefit more from this. I disable fast startup, so caches are usually gone after a system reboot. On my PC, I would say it's fast for anything typical a normal user does like launching a couple of popular signed apps, browse the web, watch a movie on a media player, do some work on office apps, etc. basic things. I guess they don't like to keep cache for long because of its very high reliance on the cloud. They want everything to be checked by the cloud. It's the cloud that causes most of the slowness in many situations. Turn off internet and MD is as fast as ESET and Norton at almost everything (I tested this) :p
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    I hope they'll agree with the rest of us at some point that it is not necessary to check the cloud more than once for the same file.
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,940
    "cloud" for defender means - check unknown samples online if there is no result for previous scan options.
    ESET ever had "cloud" as I can think of, but they call(ed) it different.
    Ofc it is possible to turn off this feature, I did (GPO).
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    Sounds good but I have had it scan and re-scan files that I have downloaded from Microsoft. They don't even trust their own files. I have a Windows 11 VM on the canary channel... not much installed in it. Firefox, LibreOffice, Acrobat Reader, that's about it. Defender sits and uses about 100% disk for a half hour after booting (mechanical disk). There are no new files or updates since the last time I booted it. Just the sound of the disk chugging away. For anyone that is fine with that, no problem. For those that aren't, this is one of the biggest longstanding complaints going that they could address and have not.
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,940
    never had such issues, maybe it depends giving an example.
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    I'm sure it does depend to some degree. I have had it scan Windows ISO files downloaded from Microsoft for extended periods of time and multiple times. At one point I gave up and deleted them from my local drive to stop it.
     
  18. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    Here it goes again, using up 73% of the hard drive, otherwise idle, same VM, no good reason for it to be going again...
    [Attached image: defender.jpg]
    I don't complain of these things for the sake of doing so, I want them to stop doing it.
     
  19. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    657
    Location:
    Milan, Italia
    Never experienced anything like this. Maybe for ~ a minute or so, but that's it.
     
  20. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    737
    Location:
    South Park, CO
    I find WD very slow when opening certain programs like VLC Player (digitally signed), even on a speedy SSD, but very fast with other, similar programs like MPC-BE. I use paranoid cloud settings, so I expect a small performance hit, but the difference between starting VLC (30 sec. to open) and MPC (1 sec. to open) is striking.
     
  21. SeriousHoax

    SeriousHoax Registered Member

    Joined:
    Mar 27, 2019
    Posts:
    101
    Location:
    Bangladesh
    Yeah, not for known files. There should be certain files that should be trusted unless changed, even if they are unsigned. I think they have such a thing, but for very few apps. No one manages cache better than Kaspersky and Norton. Then maybe ESET. MS should learn some things from them.
    The issue with Defender is that its local signature is very weak compared to most products. Most of the signatures are on the cloud, so without the cloud it becomes almost useless in many situations. Often they even miss weeks-old threats without cloud protection. So people should not disable it unless they know exactly what they are doing.
    I have a Windows 10 VM on a mechanical HDD and I have no such issue. MD is quite fast in the VM. Your issue could be a bug, maybe something to do with the fact that you're running the Canary build of Windows 11. In insider editions, MD is also set to test builds, which are sometimes buggy.
     
  22. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    The reason many security programs make rescanning files already passed
    previously an option is because a pass (non-detection) can occur with
    newly encountered threats - until further analysis has been done.

    Choosing to never scan a file again once it has been scanned once without
    any detection - unless it has been altered - means that the file will
    *never* be flagged as a threat during scans even when it could be
    recognized as a threat subsequent to the initial scan.

    I have seen this happen with numerous new malware samples in the
    past when using Bitdefender Internet Security 2015. The help for
    that product described the option to not rescan files as a means
    of improving the speed of scans. But it also noted that there would
    be a (slight?) loss of security as a result.

    Another top-tier security product I also used at that time used a
    more nuanced approach. If the option was set, then it would not
    rescan a file if (a) it has not been changed, and (b) no new
    signatures, etc. have been added since the file was scanned
    which could potentially yield a different verdict.

    In sum, choosing to NEVER rescan a file once it has been passed
    can - and in some cases definitely will - result in a threat not
    being detected even when the product used now is fully capable of
    recognizing and flagging the threat.

    Note that failure to *detect* a threat during scans does not
    necessarily mean that the product being used will not *protect*
    against that threat. But it may give a false sense of security.
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    Not the way that works with products that scan once. They tag it as scanned and keep the checksum. Should that file be detected as actually malicious later it would match it by the checksum rather than scanning the entire drive over and over and over. The paid vendors seem to know how to do this. Microsoft should be able to figure it out.
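
The caching policies described in posts 22 and 23, as an added example that is not part of any post in this thread and is not Microsoft Defender's or any vendor's code. The class, policy names and sample bytes are constructed; it compares "never rescan" with "rescan only if the file or the signature set changed", plus a checksum-only lookup over the cache.

```python
import hashlib

class CachedScanner:
    """Toy scanner (constructed for illustration, not any vendor's design)."""
    def __init__(self, policy):
        self.policy = policy      # "never_rescan" or "rescan_on_new_signatures"
        self.patterns = []        # byte-pattern signatures: need file content
        self.bad_hashes = set()   # SHA-256 verdicts: need only the checksum
        self.sig_version = 0      # bumped on every signature update
        self.cache = {}           # path -> (sha256, sig_version when it passed)
        self.content_scans = 0    # number of expensive content scans performed

    def update(self, patterns=(), bad_hashes=()):
        self.patterns += list(patterns)
        self.bad_hashes |= set(bad_hashes)
        self.sig_version += 1

    def retro_hits(self):
        """Match new hash verdicts against cached checksums; reads no files."""
        return sorted(p for p, (h, _) in self.cache.items() if h in self.bad_hashes)

    def scan(self, path, data):
        # Assumption: the hash stands in for whatever change detection a real
        # product uses (timestamps, file IDs, journal records).
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.bad_hashes:
            return "detected"
        cached = self.cache.get(path)
        if cached and cached[0] == digest:                 # (a) file unchanged
            if self.policy == "never_rescan" or cached[1] == self.sig_version:
                return "skipped"                           # (b) no new signatures
        self.content_scans += 1
        if any(p in data for p in self.patterns):
            self.cache.pop(path, None)
            return "detected"
        self.cache[path] = (digest, self.sig_version)
        return "clean"

def demo(policy):
    # Constructed sample files; neither matches anything at first scan.
    files = {"setup.exe": b"MZ constructed-sample-A", "tool.exe": b"MZ constructed-sample-B"}
    s = CachedScanner(policy)
    first = [s.scan(p, d) for p, d in files.items()]
    second = [s.scan(p, d) for p, d in files.items()]      # nothing changed
    # Later update: a pattern signature for sample A, a hash verdict for sample B.
    s.update([b"sample-A"], [hashlib.sha256(files["tool.exe"]).hexdigest()])
    retro = s.retro_hits()
    third = [s.scan(p, d) for p, d in files.items()]
    return first, second, retro, third, s.content_scans
```

With `never_rescan`, the file covered only by the new pattern signature is still "skipped" after the update, while the version-gated policy detects it at the cost of one extra content scan. The checksum lookup finds a cached file only when a hash verdict for that exact file exists.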
     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,940
    Defender is more than signatures. It includes exploit and some more. Please cycle through its settings.
    And ofc any program reduced to signatures may be weak.
    I remember a notice from Malwarebytes that MBAM used from external media is reduced to signatures because the other features can't be applied to the scanned system, which is different from the host (on media).
     
  25. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Isn’t the Exploit Protection independent from Windows Defender though?
     