Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,339
    Location:
    Adelaide
    The trouble with YouTube reviews is they in no way replicate real-world conditions; Eugene Kaspersky had an interesting article back in 2011 about this.
     
  2. Oldie1950

    Oldie1950 Registered Member

    Joined:
    Feb 24, 2022
    Posts:
    83
    Location:
    Deutschland
    Still using CatchPulse? You have been very negative about this program in the past. Has it gotten better now?
    https://www.wilderssecurity.com/threads/catchpulse-thread-formerly-secureaplus.444946/page-3
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    That is an interesting article, thanks! What he said back then probably still holds true to this day.
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Because the free solutions are more likely to give false positives and cause performance issues.
     
  5. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Cruelsister's tests are very different from the standard YouTube tests you may find online.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To clarify, the point that I'm trying to make is that just because you never got infected, doesn't mean that your AV did a great job, unless it has actually protected you a couple of times per year. But it's likely that if you practice safe computing you won't encounter malware anyway. But I personally wouldn't want to use an AV that is easy to bypass.

    But you can barely blame AV's for this bypass method. This is more about how Windows is designed, it gives malware writers all kinds of tricks they can use like code injection and unhooking. I wonder if AV's can protect themselves against this stuff. But AV's should at least be able to block malicious access to their exclusions.
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    A user over on Malwaretips reported that

    So this certainly seems like something Microsoft needs to fix
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I honestly don't see the problem with malware testing. I mean, you just need to simulate how malware would end up on the PC. Which is most of the time a user that will download malware from the web to the Downloads folder. And will then execute this app and of course give it admin privileges, so UAC won't help either. If it's an unknown app, MS SmartScreen may pop up, which will most likely be ignored.

    What do you mean with this, do you execute all apps that you download inside a sandbox controlled by Sandboxie? And you then monitor those apps for suspicious behavior?
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Right, because the AV was never tasked with a job to do, because it never encountered malware in the first place.

    How much malware is out there that can easily bypass it, and what is the likelihood you encounter this kind of malware in the first place? In my case at least, and probably yours too, I reckon practically never, so it doesn't concern me at all that I use a second rate freebie in Defender, especially with my other security measures in place to augment it.

    You can probably tell that I really don't care about the mediocre performance, or wherever Defender stands, against its ability or lack thereof to stop all threats.

    Speculation only, but probably because of Patchguard, but I'm not about to make excuses for AV developers.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Exactly, so this doesn't tell anything about how effective WD truly is.

    Exactly, that's why I'm using extra protection too. But this doesn't make this WD bypassing method any less embarrassing, that's the point that I'm trying to make. Certain people make it sound like it's not a big deal, while it might be a big deal to many companies around the world. Not all of those companies can afford advanced behavioral monitoring, so they likely rely just on WD.

    Yes, it's because AV's can't use kernel hooking anymore. So this means that PatchGuard should perhaps get an update, it should perhaps allow certain security software access to the kernel, in order to better protect against bypasses that use user-mode unhooking. And Windows itself should of course protect against BYOVD attacks, see link.

    https://arstechnica.com/information...ed-millions-of-pcs-to-potent-malware-attacks/

    It wouldn't surprise me, it's probably why so many companies get hacked successfully, there are way too many ways to bypass AV's. I'm a bit disappointed by the state of the computer security industry, I feel like hackers are often winning the war.
     
    Last edited: Jan 7, 2023
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Nor the effectiveness of other AV's ;)

    That's probably a poor IT-related business decision if they are depending on Free WD to protect their company assets. For a typical security-conscious home user the free WD is probably fine, but not for a company, even a small business, unless they are incorporating other security tools to augment it.

    Haven't they always been ahead of the game?

    EDIT

    btw, the Loki ransomware victim at MT was using Acronis True Image, so I don't understand why she/he didn't just restore back to normal, unless there's more to the problem than meets the eye.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Correct, but this topic is about WD of course. And I often see people bring up this argument, that they never got infected before, so their AV must be doing a great job, even if it rarely actually catches something.

    I was talking about smaller companies, of course I assume that companies in let's say the S&P 500 and Russell 2000 all make use of so called EDR systems which combines AV with behavioral monitoring on endpoints and network traffic. But this stuff is quite expensive.
     
  13. Oldie1950

    Oldie1950 Registered Member

    Joined:
    Feb 24, 2022
    Posts:
    83
    Location:
    Deutschland
    Emsisoft Business Security has EDR and is affordable even for a smaller company. 3 computers 1 year = 59.97 euros
    https://www.emsisoft.com/en/pricing/?product=EBS
     
  14. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    They fixed several issues, including the issue where it would cause MSD to glitch. I don't know about their other users, but they seem to listen to me over email whenever I tell them about something that's wrong.

    Dan of voodooshield is also pretty quick to respond to issues I discover.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Some people might claim this, but I and others rarely get infected because we don't allow malware onto our systems in the first place, not because Defender is doing a great job, so even an apparently middling AV such as Defender is good enough for us.

    I knew that.
     
    Last edited: Jan 7, 2023
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    I understood that and agreed. I was just making the point that I have never been unintentionally infected.
     
  17. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    I disagree with this...somewhat.

    You can get a pretty accurate idea of how well an antivirus program performs by looking at many videos where the antivirus is being tested. Not just tested, but tested honestly. MSD on ConfigureDefender MAX and DefenderUI Aggressive is very good from every test I've seen of it being tested like that...but cruelsister has brought some of its weaknesses to light.

    Norton, McAfee, Panda and several others fail at protecting the system as soon as an unknown malware is dropped on the system.

    Unknown malware is what most users will encounter. Because most malware is delivered through means that don't require the user to be tricked into clicking on something. So any time you see an antivirus product consistently fail against malware that's unknown to it, you can get a good idea that the antivirus product being tested with the same result by so many different people is a bad product.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, it was more meant as a reply to Wat0114. To me it's not important that I almost don't encounter any malware, I still want an AV that isn't bypassed by some easy trick. So no, it's not good enough for me. And WD's unhandy and too simple GUI is also getting on my nerves a bit.

    BTW, Trickbot also targeted WD, but I assume WD's Tamper Protection blocks most of these methods. And I have done a search on Google and I couldn't find any specific articles about third party AV's being bypassed via exclusions. But I wouldn't doubt that other AV's might be vulnerable too, see third link.

    https://www.bleepingcomputer.com/ne...rsion-focuses-on-microsofts-windows-defender/
    https://www.bleepingcomputer.com/ne...s-a-windows-10-uac-bypass-to-evade-detection/
    https://www.theregister.com/2016/12...g_av_exclusion_lists_as_malware_safe_harbour/
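    The posts above raise two concerns: malware reading or editing Defender's exclusion list, and whether Tamper Protection is on to stop that. The script below is an added example for auditing those settings on your own machine; it is not code from this thread or from Microsoft. It uses the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference; the "too broad" path patterns, the risky-extension list and the Get-DefenderExclusionAudit function name are this example's own assumptions, and the script is meant to be run from an elevated PowerShell prompt.

    ```powershell
    # Added example (not from the thread): audit Microsoft Defender's exclusion
    # list and tamper-protection state using the built-in Defender module.
    # Run from an elevated PowerShell prompt so exclusions are visible.
    function Get-DefenderExclusionAudit {
        [CmdletBinding()]
        param()

        $status = Get-MpComputerStatus   # real cmdlet; IsTamperProtected, RealTimeProtectionEnabled
        $pref   = Get-MpPreference       # real cmdlet; ExclusionPath, ExclusionExtension, ExclusionProcess

        # Locations that should rarely be excluded outright. Assumption: an
        # illustrative list chosen for this example, not Microsoft guidance.
        $broadPatterns = @(
            '^[A-Za-z]:\\?$'                  # a whole drive
            '\\Users\\[^\\]+\\Downloads'      # a user's Downloads folder
            '\\AppData\\Local\\Temp'          # per-user temp directory
            '^[A-Za-z]:\\Windows\\Temp'       # machine-wide temp directory
            '^[A-Za-z]:\\Users\\Public'       # shared, writable folder
            '^[A-Za-z]:\\ProgramData\\?$'     # all of ProgramData
        )
        # File types commonly used to deliver or run malicious code (assumption).
        $riskyExtensions = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr', 'hta')

        $findings = New-Object System.Collections.Generic.List[string]

        if (-not $status.IsTamperProtected) {
            $findings.Add('Tamper Protection is OFF: Defender settings, including exclusions, can be changed by local code.')
        }
        if (-not $status.RealTimeProtectionEnabled) {
            $findings.Add('Real-time protection is disabled.')
        }

        foreach ($p in @($pref.ExclusionPath)) {
            if (-not $p) { continue }        # no exclusions yields a single $null
            foreach ($pattern in $broadPatterns) {
                if ($p -match $pattern) {
                    $findings.Add("Broad path exclusion: $p")
                    break
                }
            }
        }

        foreach ($e in @($pref.ExclusionExtension)) {
            if (-not $e) { continue }
            $ext = $e.TrimStart('.').ToLower()
            if ($riskyExtensions -contains $ext) {
                $findings.Add("Executable or script extension excluded: .$ext")
            }
        }

        foreach ($proc in @($pref.ExclusionProcess)) {
            if (-not $proc) { continue }
            # A process exclusion given by bare name applies to any file with that name,
            # wherever it is on disk, so it is weaker than a full-path exclusion.
            if ($proc -notmatch '^[A-Za-z]:\\') {
                $findings.Add("Process exclusion by bare name: $proc")
            }
        }

        [PSCustomObject]@{
            TamperProtected     = [bool]$status.IsTamperProtected
            RealTimeProtection  = [bool]$status.RealTimeProtectionEnabled
            PathExclusions      = @($pref.ExclusionPath      | Where-Object { $_ })
            ExtensionExclusions = @($pref.ExclusionExtension | Where-Object { $_ })
            ProcessExclusions   = @($pref.ExclusionProcess   | Where-Object { $_ })
            Findings            = $findings.ToArray()
        }
    }

    # Usage: print the audit and a one-line summary.
    $audit = Get-DefenderExclusionAudit
    $audit | Format-List
    if ($audit.Findings.Count -eq 0) {
        'No findings: Tamper Protection is on and no broad exclusions were found.'
    }
    ```

    The check is deliberately read-only: it reports state and leaves remediation (turning Tamper Protection on in Windows Security, removing an exclusion with Remove-MpPreference) to the administrator. Note that on recent builds Defender can hide exclusions from non-elevated users, so an empty list from a standard prompt does not mean there are none.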
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Of course WD also has got some advantages, it doesn't slow down the system, most of the time. And in most AV tests it does pretty well. So I'm not saying it's crap. But this "exclusion bypass" trick is the final straw for me. Unless it has been improved on Win 11, then I might stick with it.

    This doesn't look too bad. Of course the question is just how advanced Emsisoft's EDR exactly is, compared to others.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Don't your additional security tools address this bypass?
     
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Not Rasheed here. But I want to say even if additional security tools may protect some users from this bypass, it doesn't protect the average user or those that expect Windows Defender to be enough.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    True, but in the right hands such as Rasheed's, then they should defeat the malware techniques that defeat Defender alone.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, hopefully. But many people rely solely on WD or other AV. Like I said, if you practice safe computing, the risk of encountering malware is quite low, so I'm not extremely worried. However, I am extremely disappointed, I mean this should have been fixed 8 years ago. So this hasn't got anything to do with WD bashing or being extremely paranoid.

    Yes exactly, the reason why I have been a WSF member for so long is not because I live in fear of malware, but to me the technical part is interesting. So how does malware work and how can we protect against them. We must not forget, not all people and companies are as tech savvy as most of us. So when they do make mistakes, we should be able to count on AV's and behavior blockers to mitigate these attacks.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    That was beautifully written!
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Please let me know when the day arrives, if ever it does, that you place such implicit trust in your AV or Behavior Blocker - including the paid products - to mitigate all attacks that you no longer use additional security tools to augment them.
     