Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I wouldn't if it were not for Microsoft's never ending blog propaganda postings that it does indeed offer such security performance. The danger in that garbage is that there are a lot of naive consumers and system admins to boot that take those statements verbatim.

    The truth of the matter is Windows Defender is security-wise "architecturally" flawed since it employs a "band-aid" collection of existing and accessible Windows mechanisms. As such, it will always be susceptible to exploitation and by-passing. It really doesn't matter what "latest and greatest" security mitigation WD is currently introducing if the product or related protection mechanisms themselves can be easily circumvented.
     
  2. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    Which "flawless" AV do you use? I'd love to try it.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There are no "flawless" AV's; at least when it comes to malware protection. If one existed, it would be the one used and all others would cease to exist.

    As far as existing third party AV solutions, I would encourage one to spend the time to find out internally how they work. This is not always an easy thing to perform. For obvious reasons, AV vendors are fairly tight lipped on their internal design components and self-protection mechanisms. Also these details are usually beyond the average user's technical knowledge and desire to even be interested in such things. These details also really need one to have some security mechanism technical knowledge to be able to ascertain "good" versus "bad" security design. Lastly, these details are definitely not catchy as concepts like advanced machine learning, deep behavior inspection, and like current "buzz" malware detection methods being marketed.

    Overall, the top tired third party AV solutions are integrated. That is they contain individual components that are work together in unison to prevent malware infections. The compounded effect yields a product with greater protection capability than if like multiple components from different sources were used. Likewise, this integration allows for greater self-protection methods. Most important, the security component elements such as rules, settings, etc. are stored internally within the product processes and files utilizing encryption or other internal proprietary formats that make it extremely difficult for an attacker to read, modify, or bypass them.

    As far as the top tired third AV product component features, I will briefly list and comment. I will only list the major components. Many of these solutions have additional features such as Network monitor that will analyze the status of all internal network components, hardened browser safe banking mode, anti-theft protection, client e-mail protection, etc., etc..

    1. Two-way stateful firewall with rule capability to support all network traffic flow modes; inbound plus either all outbound, interactive, or policy. Product alert and logging capability to support these modes.

    2. Intrusion Detection System (IDS) to detect internal network breeches and prevent CVE listed exploit activity. The latter feature allows commercial installations exploit protection when they have chosen not to implement the provided OS patch. Product alert and logging capability to support these modes.

    3. Botnet Protection - this will block all outbound communication to known botnet C&C servers.

    4. Active Web Access protection - this includes SSL/TLS protocol scanning plus active web page content scanning of Javascript, etc. code execution. Product alert and logging capability to support these modes.

    5. HIPS and/or behavior monitoring. In this area is ransomware protection, deep behavior inspection, and advanced memory scanning post-execution protection. Product alert and logging capability to support these modes.

    6. Aggressive real-time scanning and analysis - local heuristic and advanced machine learning scanning using signatures, black/whitelists, reputational methods, probabilistic algorithms, and further cloud analysis. Product alert and logging capability to support these modes.
     
    Last edited: Sep 23, 2019
  4. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    @itman your reply completely missed the ironic meaning of '"flawless" AV'. :D
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    How about this reply. A flawless AV is one that is never installed.
     
  6. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    I restate Post #2550 above

     
    Last edited: Sep 23, 2019
  7. Tyreman

    Tyreman Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    145
    Location:
    Cambridge Ontario,Canada


    I can see the for average users setting up on their own these items/apps programs whatever could be a fairly tall mountain to climb
     
  8. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    It's actually simple. Just install ESET Internet Security or other AV internet suites since those sounds like features they already have.
     
  9. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    That list is actually a description of ESET Internet Security features.
     
  10. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    I'm sure you are correct but why didn't @itman just say it if that's what he uses?
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Agreed, it's some progress for sure and better than nothing. Actually, I find it more disappointing that some of the ASR rules don't seem to work properly fromm the Researcher's pov. I found the same thing when I tested, that some of them don't work as advertised.

    Yet my approach is to utilize what's already built into Windows first, and add 3rd-party only where needed. I've always found less stability with 3rd-party software - at least too much of it - than with built-in Windows mechanisms. For example, I'm using Software Restriction Policy in default-deny, with "tight" Path rules. In the testing I've done with it, I'm completely satisfied it is both secure and stable.
     
    Last edited: Sep 24, 2019
  12. 142395

    142395 Guest

    Nowadays malware are polarized and WD is for protecting common user from the lower-end one. It has been done the job relatively well, but this would be not much due to behavior monitoring but more to cloud ML analysis, tho MS haven't published official stats about protection components like Symantec once did. What Rasheed calls BB is usually called as HIPS. In WD it corresponds to ASR and not WD-ATP, tho both of them have common with being meant for corporate user. But if MS think ASR not having well user communication is okay as it's for corporate, that's wrong - even in corporate, they're not always centrally managed and even when they are, the admin is not always efficient & diligent.

    MS have made significant progresses in some areas such as ML, but that doesn't mean they take security seriously - they're always behind Google. Do you know the meaning that MS limit # of char for Office365 password to 16 (hint: hashing)? Remember when they adopted forward secrecy? Have you ever scanned their websites for security? Examined MTA-STS? Why they still don't support U2F despite user requests? Some much smaller companies do all of them properly. Speaking on Winodows, do you know how many legacies are still present on Win10? Who needs a floppy disk driver? A question is whether criminals are looking at new features or legacies as both of them are treasury of vuln. MS also lack a view of practical security from user stand point, evidently shown in Office365 ATP Safe Link. And on iOS or Android if an app needs a permission to do sth it displays a dialogue. On Windows nothing appears so you have to hunt down the culprit.

    BTW itman is correct about flawless AV 'cause the most secure system is one such a privileged program like AV can't be installed, but ESET betray this by recommending to disable SELinux to install their AV.
     
    Last edited by a moderator: Sep 25, 2019
  13. 142395

    142395 Guest

    If you're 100% sure you won't use floppy disk, you can run these commands as admin:
    Code:
    sc config fdc start= disabled
    sc config flpydisk start= disabled
    sc config sfloppy start= disabled
    There're more legacies w/ few documents tho.
     
  14. james246

    james246 Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    139
    I see in the latest AV TEST (July / August results) Microsoft has again scored top marks in all three categories. These consistently high marks are probably not good for the commercial anti virus industry.
    If the average punter uses free Windows Defender with say free Voodoo Shield, then probably such a combination could not be bettered by any paid solution.
     
  15. polly77

    polly77 Registered Member

    Joined:
    Jan 13, 2014
    Posts:
    70
    I agree james246 ,tried many other av's and alot of them is just garbage ,resource hogs.
     
  16. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    WD itself isn't really that much resource-friendly either. After trying for a while I discovered an issue with WD scan.

    After a full scan is finished WD constantly shows high CPU usage. Decided to use the Resource Monitor to see what WD was scanning but even after making exclusions the issue isn't fix yet.

    For me, while WD has improve in features it still seems unpolished in simple things.

    They need the option to enable on-modified or on-execution scanning. Which in my opinion would be good for Microsoft to implement.
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,624
    Location:
    USA
    Agreed. I'll keep my paid product. It seems counter-intuitive to get the solution from the same place that creates the need for one.
     
  18. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    I tried, many times, I gave it a chance, even with my beast of a system that you see in my signature, I can really feel how heavy Windows Defender is, even browsing folders which contain my setup EXEs, they load in slow motion. That is because Windows Defender keeps scanning the same files over and over and has no whitelisting feature, let alone the fact that it's heavy. That just adds insult to injury.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    You'e using Windows Pro, you do know you can go into Group Policy and modify many Windows Security settings to reduce resource usage on your system?
     
  20. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    Could you elaborate on this please? How to do that?
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Start->Search type in: gpedit.msc and open as Administrator

    then:

    Computer Configuration->Administrative Templates->Windows Components->Windows Defender Antivirus

    There are many options you can modify, especially under:

    -Exclusions
    -Scan
    -Security Intelligence Updates
    -Real Time Protection

    A computer with those specs you list should not show any noticeable signs of laboring under Windows Security (Defender) whatsoever.
     
  22. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    There are about 22 policies under Scan section in Windows Defender Antivirus alone. I have a more modest i7 6700K and the specific policy "Configure low CPU priority for scheduled scans" made not one whit of subjective difference in performance. Maybe for older and weaker i3/i5, it's more worth it to check out.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    I've only got a 7th gen i5 Lenovo laptop and there's no perceptible difference with Real Time scanning on or off.
     
  24. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    Thanks a lot man. I have been tweaking Windows through the Group Policy Editor for years and never thought of looking at that section. It has some interesting settings that I will try on other computers to see if it improves things like lowering the CPU priority during scans.

    As for now, I just purchased and installed VIPRE Antivirus and I'm very happy with it. It's super light.
     
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,624
    Location:
    USA
    That's the problem I find. Most folks don't realize it is constantly doing this. I've had to use Process Explorer to figure out what was happening and found it scanning .iso files that were multiple GB in size (Windows Install disk images). It's just a terrible waste of resources.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.