Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.
One word: Exclusions
Totally agree bro. It surprises me so much when people who haven't tested other AVs claim that Windows Defender is "free" and "light", because they don't know what the real definition of light is or how their system would perform with another security solution. I love the fact that Windows Defender has come a long way since its inception in terms of security; now if only they could fix this performance issue, they would strike gold and people wouldn't even need to buy another AV. Heck, if you think about it, since Windows Defender is from Microsoft themselves, one would think they would nail the performance issues easily and make it the lightest AV on the planet.
One shouldn't have to rely on exclusions for an AV to perform normally.
Vipre is not released officially in Europe. I have the same system specs and don't like WD. What can you recommend too?
See for me, even though I have a fast laptop, I still want the lightest AV to enjoy the max performance and thus I have tried almost every AV under the sun.
ESET NOD32 = very light, but its HTTP scanner slows down my internet browsing and, more importantly, my VPN's performance suffers a lot. I can disable its HTTP scanning feature, but then the NOD32 icon turns orange and that messes with my OCD that something is not functioning right.
Norton Antivirus Basic = very light, its HTTP scanner doesn't mess with my browsing or VPN performance; my only gripe with it is that sometimes it nags me to install the toolbars and whatnot. Not a big deal breaker, it's great and I recommend it.
A couple of days back, I thought of looking at AV-Comparatives' latest Performance Test and couldn't help but notice that VIPRE is listed as one of the lightest ones, so I gave it a spin and was very impressed: no bloatware, very, very light, it's like you have no AV installed, and its real-world detection is great according to the latest AV-Comparatives Real World Test results.
If VIPRE is not offered in your country, either find a way to buy it say from Amazon or maybe contact them otherwise give Norton Antivirus Basic a spin.
Avast Antivirus Pro is also very light, but I do a custom install to remove all the bloatware, as it has a LOT if one doesn't take care. Ultra Male's recommended method to install Avast Antivirus
Finally, Panda Antivirus Free is also very light and I recommend it for a free solution
I have a similar experience when managing customers' computers (copying files, installing software...). I usually temporarily disable WD and re-enable it when I'm done. IMO there's still a lot of room for improvement with WD.
EDIT: here is an example that shows how speed improves when WD is disabled:
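The exclusions suggested earlier in the thread and the temporary disabling of WD described above are both things worth auditing afterwards. As an added example that is not part of the thread, this PowerShell script uses the built-in Defender module cmdlets (run elevated) to list the current exclusions, flag over-broad ones against a constructed set of patterns, and show whether real-time protection is currently off; the build-folder path in the comments is hypothetical.

```powershell
# Added example (not from the thread): audit Windows Defender exclusions and flag over-broad ones.
# Assumes the built-in Defender PowerShell module (Get-MpPreference etc.); run from an elevated prompt.
$prefs = Get-MpPreference

# Constructed patterns a narrowly scoped exclusion should never match:
# whole drives, all user profiles, temp/download folders, the Windows directory.
$broadPatterns = @(
    '^[A-Za-z]:\\?$',              # an entire drive, e.g. C:\
    '^[A-Za-z]:\\Users\\?$',       # every user profile at once
    '\\(Temp|Downloads)\\?$',      # where downloaded and dropped files usually land
    '^[A-Za-z]:\\Windows\\?$'      # the whole Windows directory
)

function Test-BroadExclusion {
    param([string]$Path)
    foreach ($p in $broadPatterns) { if ($Path -match $p) { return $true } }
    return $false
}

# Did someone forget to re-enable real-time protection after a maintenance session?
$rtp = (Get-MpComputerStatus).RealTimeProtectionEnabled
Write-Host "Real-time protection enabled: $rtp"
if (-not $rtp) { Write-Host "  <-- real-time protection is OFF; re-enable with Set-MpPreference -DisableRealtimeMonitoring `$false" }

Write-Host "`nPath exclusions:"
$prefs.ExclusionPath | Where-Object { $_ } | ForEach-Object {
    $flag = if (Test-BroadExclusion $_) { '  <-- over-broad, narrow it' } else { '' }
    Write-Host "  $_$flag"
}

Write-Host "`nProcess exclusions (files touched by these processes are not scanned):"
$prefs.ExclusionProcess | Where-Object { $_ } | ForEach-Object { Write-Host "  $_" }

Write-Host "`nExtension exclusions:"
$prefs.ExclusionExtension | Where-Object { $_ } | ForEach-Object { Write-Host "  $_" }

# A narrowly scoped exclusion for a build output folder (hypothetical path), and its removal
# once it is no longer needed:
#   Add-MpPreference    -ExclusionPath 'C:\Dev\myproject\bin'
#   Remove-MpPreference -ExclusionPath 'C:\Dev\myproject\bin'
```

Path exclusions skip everything under the folder, including files written there later, so keeping them to specific build or data directories limits what an attacker gains from a forgotten exclusion.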
Like that ... though to be fair the need is more likely due to the user.
Thanks for that example, that speed is horrible
People think Defender is light because they think Windows itself is slow. This is probably why the Defender UI shows nothing as far as what it is doing. If they would resolve the performance issues it would greatly improve my opinion of it. I do have to give them points for the fact that at least for me the false positives have been less than they were in the past. Many tests still identify it as an issue but they appear to be improving.
My daily experience matches the results from AV-Test.org.
Nothing to complain.
Some of you may be interested in following Windows Defender testing done in the Hub @Malwaretips by member @SeriousHoax. Some of you may not.
How true is that? It seems so machine-specific. My Windows drive is only 10% in use, hardly anything for Defender to rummage around in. I don't have a lot of .exe-loaded folders either. Can't complain about Defender either, and augmenting it with something like SysHardener or gpedit.msc doesn't affect performance while strengthening Defender considerably. (Can't bring myself to call this "Microsoft Defender." Just can't do it.)
I find WD somewhat "heavy" on a 2016 i3 laptop with a small 4 GB of RAM, but at least it doesn't hang when opening folders of EXEs on this machine like MSE did on my 2010-vintage T4400 W7 laptop. I tolerate WD's heaviness because it's free, it doesn't nag for upgrades, and it doesn't mess up the operating system. (MSE slowed my W7 laptop to a crawl, which is why I eventually put Webroot on it.)
Each to their own, but I never have and never will tolerate heaviness from any security software. If an antivirus isn't extremely light, I won't use it.
The thing is, it seems like you were contradicting yourself. First you said that you only care about malware not being able to run. But then you said that you do use multiple layers, so apparently you DO care what happens if malware is somehow able to run. So I would sure like to know more about this Win Def AV bypass that I posted about.
It's not exactly what I meant. I'm talking about post-execution behavioral monitoring. Win Def AV does not do this. So once malware is allowed to run, it will be able to perform lots of stuff. I guess after all these years, AV companies still haven't figured out a way to offer this without causing many false positives. So what I'm saying is, I would like to see more features from Win Def ATP integrated into AV's.
WD ATP does have it, as noted in this Microsoft article: https://docs.microsoft.com/en-us/wi...on/microsoft-defender-atp/respond-file-alerts . And it requires a combination of configuration and manual intervention. In other words, it is no different than existing third party EDR solutions. Its major plus factor is that, given Microsoft's huge Azure cloud server network, response to detailed cloud analysis is quite fast.
I never said my setup guarantees that malware can't run in the first place. I have measures in place that make it difficult for malware to get a foothold, and if it somehow does, it will have to bypass other measures (hurdles) in place for it to properly accelerate its ability to fully compromise. Obviously it would be foolish to run only a firewall or only Windows Security, or only browser hardening and expect to be fully safeguarded against malware.
I will also add that post-execution detection is far from "bullet-proof" regardless of what security solution is employed. That is because system modification activities could have occurred prior to detection. On a stand-alone device, something like Kaspersky's system snapshotting or similar system snapshot software can roll back to pre-execution status. However, on a network with multiple devices such is not possible. Hence these EDR solutions, via their logging features, will at least allow a forensic analysis to be performed to assess the extent of network modification activity that has taken place.
But that's what the misunderstanding was about. You made it seem that you didn't really care about Win Def AV being bypassed, since malware won't ever run on your system. But then why use any AV at all?
Yes, that's what I meant. I don't know of any AV that terminates malware based on certain behavior after it has already been running in memory. That's what EDR does: it lets malware run, but as soon as it sees certain uncommon behavior like process hollowing, it blocks it.
Well I'm not sure how you reach that conclusion. The last sentence in my post #2535:
Also I explained earlier why I use a layered approach in my device's security.
Most of the major AV vendors employ some form of AMS protection. This does allow the product to terminate the process. The "rub" with AMS scanners is that most use API monitoring and assume a selective sub-set, since there are over 10,000 APIs. If the product has a HIPS or behavior monitor that hooks processes like HMP-A, those will also contain preset internal rules that monitor for known malware system modification areas such as reg. keys, startup locations, etc.
There are many AVs that do; Kaspersky with System Watcher, Norton with SONAR, Bitdefender with ATC, Emsisoft with its behavior blocker (MAMUTU) and so on.
Some of those can even rollback malware traces and damage.
There is one thing I would like to see Microsoft implement that would improve Win 10 security overall. That is to run WD block-at-first-sight scanning concurrently with any currently supported third party AV solution; i.e. one that uses a properly Microsoft-signed ELAM driver.
Reviewing the WD security architecture a while back, I believe that this would be easy to implement on Microsoft's part. The BAFS is an independent front-end interface to WD just like the AMSI interface is. When the cloud scanning verdict is rendered, it would be passed to a provided third party AV interface versus being forwarded to WD's real-time scan engine.
Time Microsoft got together with the third party AVs and worked out the financial end of such an option. Appears to me a small percentage of per-seat license revenue might be the way to go.
Another way: Microsoft could offer a stand-alone block-at-first-sight option that would take the AV vendors out of the picture.
Offer it in the Win 10 Pro versions. I would gladly pay the $100 to upgrade to it. Believe this could be accomplished through the existing native SmartScreen Win Store check interface. This appears to intercept process execution startup prior to existing real-time solution processing. Although it would be preferable to use another method to do so.
BAFS would return the confidence factor in regards to malicious status. Provided options would be to block or execute. Execute would whitelist the process from further BAFS scanning and release it for third party AV scanning. Block would place the process in a quarantine-like directory. An option would be provided to remove the process from the directory and whitelist it. Options could also be provided to auto-whitelist processes based on the returned confidence percentage. Also assumed is that whatever existing BAFS scan exclusions for system processes and the like would still apply to this feature.
Assumed also is that some type of reputation scanning is involved here for unknown and "safe" process status. Assumed that is existing native SmartScreen processing.
-EDIT- An additional desired enhancement would be to also perform a signature check as part of the BAFS processing. Now we have a full-featured supplemental cloud-based real-time scanner. Microsoft could market this as a low-cost AV supplemental scanner. Price it at something affordable for the masses; like $1 monthly or $10 annually. Or offer a bulk pricing deal with the third party AV vendors. Most, I suspect, will jump at the opportunity since none want to come close to spending the money to try to duplicate what currently exists with the Azure server network. Also the BAFS Microsoft option gets them "off the hook" as far as the FP issue, which is one reason most don't have a similar feature.