Malware Research Group 360 Assessment & Certification – Q1

Discussion in 'other anti-virus software' started by itman, May 25, 2019.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This is an endpoint software test. The big surprise in this test was WD came in second on the performance testing; higher than Eset.o_O:doubt:
    https://www.mrg-effitas.com/wp-content/uploads/2019/05/MRG_Effitas_2019Q1_360.pdf
     
  2. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    conventional av industry is dying out, that's for sure & good.
     
  3. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Windows Defender can be extremely light or heavy on system performance, it depends on the hardware and what software is actually running (it is true for every security solution, but more pronounced with WD).

    WD is good enough and will only become better with time (machine learning/cloud + huge telemetry); nowadays it is hard to justify the purchase of a third party security solution when the native security solution of Windows 10 is free and in most cases better.

    Personally I think Windows is in a great position security-wise, out of the bubble of security paranoia with fileless malware and APT, the average user never has been safer than today and it is something great.
     
    Last edited: May 25, 2019
  4. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Don't know what version of Windows is tested but there are massive improvements in the latest update 1903.
    Opening folders with a lot of exes is now much, much faster than before with Windows Defender.
    Generally speaking everything is faster and more responsive on my laptop with 1903.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Windows Defender scored poorly on the Exploit and Fileless Malware test; i.e. 87.5%. As such, it's certainly not adequate for endpoint protection. Possibly with implementation of ASR rules and the like, this score could be improved. This however is outside the scope of AV Lab testing since ASR and like mitigations are not directly configurable from WD itself.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I wonder what M$ has to say about this? Because I can imagine that especially in a business environment, you really need to be able to detect these more advanced attacks.
     
  7. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    It's not a big deal ...

    https://docs.microsoft.com/en-us/wi...-guard/attack-surface-reduction-exploit-guard


    Anyway, against real advanced persistent threats I doubt that the other products tested would fare much better; you need mitigation and security policy to deal effectively with those kinds of malware.

    Windows Defender ATP is actually very good at investigation and remediation, so I don't see why it isn't a good solution for a business environment (price aside).

    [attached image: atp-incident-details.png]

    https://docs.microsoft.com/en-us/wi.../microsoft-defender-atp/investigate-incidents
     
    Last edited: May 25, 2019
  8. guest

    guest Guest

    Wait... Endpoint tests on Win10 home... Looool.

    The test obviously "forgot" to test Windows ATP
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This test wasn't about EDR systems, it was about AV's. They should be able to stop malware from running in the first place. Win Def ATP only alerts about ongoing attacks. So there is nothing wrong with this test.
     
  10. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Good catch :thumb:

    Without a Windows 10 Enterprise license with a Windows E5 license, Windows Defender is just a domestic antivirus solution, so there isn't Windows ATP.

    I would love to see Windows Defender ATP properly configured tested, I guess it would make almost all solutions look really really bad.
     
  11. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Fair point, but Windows Defender actually did good (just a free, domestic solution) in this test and WD ATP with ASR rules (the way it should be run in an enterprise/business environment) would do much better.

    PS: You are wrong there, WD ATP isn't only about ongoing attacks.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I thought I had just explained that this test was about AV's. None of the other solutions made use of EDR. So no need to test Win Def ATP, it's not relevant in this particular test.
     
  13. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I wrote my reply for guest before your post.

    So what is this?

    [attached image: Capturar.JPG]

    And again, Windows ATP isn't only about alerts:

    https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I don't believe that all businesses will choose to make use of EDR solutions. Some may choose to simply use AV (business edition) only. And WD ATP is mostly about alerting about suspicious behavior triggered by malware. It's Win Def that should block it from running at all.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm not sure, but I believe that Falcon Protect is the AV part, but they also offer other tools for complete network monitoring. But anyway, AV's should be able to stop malware from running, that's what this test is about. You guys need to realize that Win Def and Win Def ATP are two different products with different purposes.
     
  16. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Defender ATP is the business edition, without the enterprise license with a Windows E5 license it is just the same product that is used by the average home user.

    There are more differences in protection than just the EDR module, you can see all the details here:

    https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv


    The fact is that this test simply doesn't give the full picture of the protection offered by the business solution of Microsoft, although I understand your point.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Sorry, I removed my post that you quoted by accident. So I guess M$ expects that you always combine Win Def with Win Def ATP, when running in a business environment? BTW, I can't open the link that you posted, but I've found another article that perhaps explains my confusion:

    https://practical365.com/security/windows-defender-atp-intro/

    It clearly states that malware prevention is not the role of Win Def ATP. It's a highly advanced EDR solution, not to be compared with a business edition AV that runs on local machines. So no wonder they didn't test it. The question is if it's fair to compare Win Def AV to the other solutions that were tested. I wonder if the home user versions of the other AV's that were tested would have scored the same.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    SE Labs tested it in the Oct. - Dec., 2018 Small Business Endpoint test here: https://selabs.uk/en/reports/small_business . It tied for first place with a score of 100%. On the other hand, Eset was right behind it with a score of 99%. Add to that, Eset Endpoint will run on Win 7 - 10 with any OS version installed.
     
    Last edited: May 25, 2019
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I think this might give us a clue. They call it "Win Def ATP's Antivirus", so it might as well be the exact same version as the home user edition. In the link I posted you can clearly see that it's Win Def AV's job to block malware, if it fails to do so, then Win Def ATP will step in and monitor and block the ongoing attack.
     
  20. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I see, thanks for the link, the problem with Microsoft Defender ATP is the ridiculous final price, but the performance is superb.
     
  21. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Not exactly, for example the ATP version has the full exploit guard (it would make the difference in the test posted here) and pay attention to the requirements to use it:

    https://docs.microsoft.com/en-us/wi...ace-reduction-exploit-guard?ocid=cx-blog-mmpc
    https://www.microsoft.com/security/...tack-surface-against-next-generation-malware/


    SE Labs did the right thing, but we cant say the same for MRG.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Let's highlight what the article states:
    -EDIT- Most AV labs allow for a 24 hour detection and mitigation period. Note that this is not scored as high as an immediate detection depending on the test and the lab performing it.
     
    Last edited: May 25, 2019
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I see what you mean, so basically you can only get extra protection like Exploit Guard and Attack Surface Reduction when you buy Win Def ATP? I believe that M$ has made it a bit too confusing. Also, I can't say for sure what type of malware was tested by SE Labs, perhaps they didn't even test file-less malware.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No. Those features are available to every Win 10 installation using WD as their real-time AV solution (ASR mitigations). Exploit protection is configured using Windows Security Center -> App & Browser Control. ASR mitigations are deployed via GP or PowerShell usage.
     
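    Added example (mine, not from any post in this thread, and not Microsoft's or MRG's own material): the PowerShell route itman refers to above, on a stock Windows 10 machine with Windows Defender as the active real-time AV. It stages the ASR rules in audit mode, provides a function to switch them to block, reads back what is actually in force, sets the system-wide Exploit Protection mitigations that the "App & browser control" page exposes, and pulls ASR hits from the Defender operational log. The rule GUIDs and their names are the ones Microsoft documents for each ASR rule, and event IDs 1121/1122 are Defender's documented block/audit ASR events; the function names and the choice of rules are my own.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell on
# Windows 10 1709 or later with Windows Defender as the active real-time AV
# (ASR rules are silently ignored when a third-party AV has taken over).
#Requires -RunAsAdministrator

# Rule GUIDs and descriptions as documented by Microsoft. The selection is an
# assumption for this example; pick the set that fits your estate.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-5D37-4EA9-8F0A-1BC0ACA6B4C4' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# Step 1: stage the rules in audit mode. Audit writes event 1122 for anything
# that *would* have been blocked, so line-of-business apps keep working while
# you collect data. Add-MpPreference updates an existing rule's action in place.
function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $Ids,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')] [string] $Mode = 'AuditMode'
    )
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
}

# Step 2: read back what is actually in force. Action codes returned by
# Get-MpPreference: 0 = Disabled, 1 = Block (Enabled), 2 = Audit.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            Name   = $AsrRules[$id]   # PowerShell hashtable keys are case-insensitive
        }
    }
}

# Step 3: pull ASR hits from the Defender operational log.
# 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
function Get-AsrEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Message = $_.Message
        }
    }
}

# Step 4: Exploit Protection. These are the system-wide defaults behind
# "App & browser control"; per-process overrides use -Name <exe>.
# Get-ProcessMitigation -System shows the effective settings afterwards.
Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, CFG, SEHOP

# Run: audit first, inspect, then flip to Enabled once the 1122 events look clean.
Set-AsrRuleMode -Ids @($AsrRules.Keys) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents    | Format-Table -AutoSize
# Later, after reviewing the audit log:
# Set-AsrRuleMode -Ids @($AsrRules.Keys) -Mode Enabled
```

    Two caveats a tester would want: ASR rules only take effect while Defender is the active real-time engine, which is why a lab testing several AV products on the same image would see them switched off for everyone else, and an ASR block in a test shows up as a 1121 event rather than as a classic detection, so a lab that only counts Defender detections can miss it.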
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, so the issue is then not about Win Def ATP. I'm guessing that in order to test the other non-M$ solutions they had to disable this stuff. But they probably didn't enable them when testing Win Def AV. So perhaps these features should be integrated within Win Def AV itself.
     