Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    To be fair, every AV has that problem with zipped files. Waste of time scanning them because they're not an executable, just a container for holding one.

    Smartscreen only kicks in when an executable is run.
     
    Last edited: May 14, 2017
  2. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    OK, here: first picture, it's the 7z file (downloaded with Chromium). Second picture, it's the exe (after extracting it to my desktop)
    1.jpg

    2.jpg
     
  3. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Maybe it is something related to 7-Zip File Manager.

    Anyway, I'm almost sure that SmartScreen will kick in if you run the compressed file.
     
  4. guest

    guest Guest

    @imuade you can verify it via the ADS (Alternate Data Stream) of the file.
     
  5. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Yes, that's my two cents too.
     
  6. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    VooDooShield had the same problem a few releases ago. Comodo, for example, can sandbox files running from an archive.
     
  7. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Verify what?
     
  8. guest

    guest Guest

    @imuade verify if the file has the Mark of the Web.
     
  9. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    How can I verify that by ADS?
     
  10. guest

    guest Guest

    Also, some zippers (it was/is the case for 7-Zip) don't propagate the MoTW to files extracted by them if you didn't read them inside the container first.
     
  11. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Thanks guest, I am almost sure that it is the case.
     
  12. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    So, are you using the zip manager integrated in Windows? Maybe that's why
     
  13. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,010
    Last edited: May 14, 2017
  14. guest

    guest Guest

    You have some tools like NVT Stream Detector,

    but I often use cmd: go to the directory of the file and type: dir /r

    You will see something like the screenshot. Zone.Identifier is the MoTW.
     

    Attached file: ADS.jpg
    Last edited by a moderator: May 14, 2017
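The check described in this post, written out as an added example (not code from the thread or from any of the tools it names): a PowerShell function that lists a file's alternate data streams the way dir /r does and parses the Zone.Identifier stream into its ZoneId. The function name, the file names and the Zone.Identifier contents in the demo are my own constructions; the demo writes that stream onto a placeholder file to stand in for a browser download and compares it with a file that has no stream, as a 7-Zip extraction would.

```powershell
# Added example, not from the thread. Inspects the Zone.Identifier alternate data
# stream (the Mark of the Web) that SmartScreen checks before prompting.
# Zone numbers follow the Windows URL security zone scheme.
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Equivalent of "dir /r": enumerate every stream on the file and drop the default one.
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
               Where-Object Stream -ne ':$DATA'
    if ($streams.Stream -notcontains 'Zone.Identifier') {
        return [pscustomobject]@{ Path = $Path; HasMotW = $false; ZoneId = $null; Zone = 'none'; ReferrerUrl = $null; HostUrl = $null }
    }
    # The stream is a small INI-style blob: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
    $kv = @{}
    Get-Content -LiteralPath $Path -Stream Zone.Identifier | ForEach-Object {
        if ($_ -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2] }
    }
    $zoneId   = if ($kv.ContainsKey('ZoneId')) { [int]$kv['ZoneId'] } else { $null }
    $zoneName = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'unknown' }
    [pscustomobject]@{
        Path        = $Path
        HasMotW     = $true
        ZoneId      = $zoneId
        Zone        = $zoneName
        ReferrerUrl = $kv['ReferrerUrl']
        HostUrl     = $kv['HostUrl']
    }
}

# Demo on constructed files under %TEMP% (alternate data streams need NTFS).
$dir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$downloaded = Join-Path $dir 'geek.exe'      # stands in for the browser download
$extracted  = Join-Path $dir 'geek-7z.exe'   # stands in for a 7-Zip extraction (no stream)
Set-Content -LiteralPath $downloaded -Value 'placeholder text, not a real executable'
Set-Content -LiteralPath $extracted  -Value 'placeholder text, not a real executable'
# Write the same kind of stream a browser writes for an Internet-zone download (constructed URLs).
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'ReferrerUrl=https://example.invalid/', 'HostUrl=https://example.invalid/geek.zip')

Get-MarkOfTheWeb $downloaded | Format-List   # file that still carries the Mark of the Web
Get-MarkOfTheWeb $extracted  | Format-List   # file that lost it, so SmartScreen has nothing to act on
```

Running the function over the archive and over the extracted copy side by side reproduces the comparison made later in the thread without needing a screenshot.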
  15. guest

    guest Guest

    The Windows built-in zipper propagates the MoTW to extracted files.
     
  16. guest

    guest Guest

    Yeah, I can see that both files (the downloaded .zip file and the extracted file) have the MOTW (geek.zip + geek.exe).
    And after extracting it with 7-Zip, the MOTW is gone (but launching it within the .zip archive is fine = alert from SmartScreen).
    Edit: tiny fix
     
    Last edited by a moderator: May 14, 2017
  17. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Perfect, thanks for the link, so it is really a bug with 7-Zip.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    So because Win Defender is a "basic AV" it shouldn't be tested at all? And who says that newbies couldn't be affected by the malware samples that WD missed? Sounds a bit ridiculous, doesn't it? This and other tests prove that it's a good idea to rather go for a third-party AV like Avira or Avast for the best security. No one should be using a basic AV.

    No I do understand, but fact of the matter is that Win Defender didn't do a good job in this test under this particular testing scenario. Again, this test wasn't about Win SS. If people want to know how effective Win SmartScreen is, someone should do a separate test. So execute 500 pieces of malware and 500 legitimate apps, and let's see how many are auto-blocked by Win SS.
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    And make sure "block" is ticked and not "ask".
     
  20. guest

    guest Guest

    For home users Windows doesn't care about the best security, it cares more about "decent security for everybody without hassle", which no AV can ever achieve. They are all buggy or faulty in some points. Did you ever see "WD bricked my system"? I don't remember one.
    WD shouldn't be tested because it relies on other components that labs don't want enabled. WD doesn't protect the system alone, but "Windows Defender Security Center" does.
    However, MSE (on Win7) can be tested, because it is a real standalone AV.

    Honestly I don't care about the score, as I said many times, but things have to be done properly and fairly. There is no Windows 10 without UAC and SS disabled by default, so disabling them already makes the test irrelevant. They said they use the AVs with default settings, so why not do the same with the OS? Or maybe because most of the samples may be blocked by SS?
    So if labs want to disable them (to satisfy 3rd-party vendors, as indirectly stated by @Sveta MRG) they can't call it a "real world test" but a "fictional test". That is simple.
    The labs should use SS and UAC, and tell the effect of them on the test, for example:

    - number of samples used: 200
    - number of samples blocked by Win10 built-in security: 100
    - number of missed samples blocked by product "x": 90

    That should be the baseline methodology and closer to the real world; labs know it, they won't do it because it would increase the "positive" effect of Windows security, and vendors need Windows to be weak to sell their AVs...

    People must see the "Big Picture" then all becomes clearer.
     
    Last edited by a moderator: May 14, 2017
  21. ReverseGear

    ReverseGear Guest

    WD doesn't need to do that. Microsoft does that quite well by themselves with Windows Update.
     
  22. guest

    guest Guest

    That is another topic, even if true for some, but we are talking about WD, not WU...
     
  23. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    That's why I find Microsoft's rolling versions of Windows - Home and Pro - come out with new features just for the sake of having them.

    I value stability over new software enhancements. My view in regards to WD, is what works, works. Good enough for every day needs.
     
  24. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    Tested some files from malc0de. Without the PowerShell hack, Windows Defender is not detecting adware which other AV vendors detect. MS should provide an option within Defender to enable PUA detection, since the PowerShell hack might not work in future releases and users who are not technically savvy are not aware of this.
     
  25. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    SS, as well as UAC and others, are components of Windows itself that work together with Windows Defender for the security of the OS. You just CAN'T disable any of these components to simulate a "test" whose only purpose we all know in advance.
     