Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  2. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    493
    Location:
    VPN city
    Question: how do I make Windows Defender quarantine threats automatically again? In recent builds of it, any time it catches something in one of my tests, it makes me open the UI to tell it what to do with the threat, and THEN, to salt the wound, sometimes it won't remove the threat and shows an error. This has been happening since a little bit before updating the VM to 1903.
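    A configuration-side illustration of the question above, added here as an example that is not part of the original thread or any poster's words. It assumes an elevated PowerShell session on Windows 10 with the built-in Defender cmdlets (Get-MpPreference / Set-MpPreference / Get-MpThreatDetection) and shows how to make quarantine the automatic default action at each threat severity, then how to check whether a given remediation actually succeeded instead of ending in an error. These are per-machine preferences; a domain Group Policy that sets the same values takes precedence over them.

```powershell
# Added example, not from any post in this thread. Assumes an elevated PowerShell
# session on Windows 10 with the built-in Defender cmdlet module.

# 1. Inspect the current default remediation action per threat severity.
Get-MpPreference |
    Select-Object LowThreatDefaultAction, ModerateThreatDefaultAction,
                  HighThreatDefaultAction, SevereThreatDefaultAction,
                  UnknownThreatDefaultAction

# 2. Make quarantine the automatic action at every severity, so a detection is
#    remediated without waiting for the user to pick an action in the UI.
Set-MpPreference -LowThreatDefaultAction      Quarantine `
                 -ModerateThreatDefaultAction Quarantine `
                 -HighThreatDefaultAction     Quarantine `
                 -SevereThreatDefaultAction   Quarantine `
                 -UnknownThreatDefaultAction  Quarantine

# 3. When a detection reports an error instead of being removed, the per-detection
#    record shows whether remediation succeeded and carries the status/error code
#    to look up, plus the resource (file path) that was involved.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID, ActionSuccess,
                  ThreatStatusID, ThreatStatusErrorCode, Resources

# 4. Confirm what is currently sitting in quarantine via the command-line scanner.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

    Run step 1 again after step 2 to confirm the new values took effect; if they revert, a policy (Group Policy or an MDM profile) is managing the setting and must be changed there instead.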
     
  3. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    519
    Location:
    Bulgaria
    A few fresh tests:

    https://www.youtube.com/watch?v=SKhq6LTKOok
    https://www.youtube.com/watch?v=iCx0dc4B-R0
     
    Last edited by a moderator: Aug 21, 2019
  4. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    493
    Location:
    VPN city
    I don't like that tester; they never turn off the web filters in their browser, and they count a catch by the browser's filters as a fail on the security product's part.

    When that person tested Comodo I.S. they gave it an F, but they gave VoodooShield an A+.

    The problem there is they're not applying the same standards to every test. If C.S. tested VoodooShield the way they tested Comodo, then VoodooShield would've gotten an F, and if they tested Comodo the way they tested VoodooShield then Comodo would've gotten an A+.

    As you can see by my signature, I use a combo that includes voodoo AND comodo, so you can't call me biased in favor of one or the other. I like them both and I've only seen one test of comodo where you could make an argument that it sort of failed to protect the system. In that case I speak of, comodo kept catching the same payload over and over and snuffing it out with virusscope in the sandbox. Probably loaded from an exploit.

    In my own antivirus/security product tests I count a fail on the security product's part as any malware that was allowed to make meaningful changes to the system. So if CIS/CFW/CAV catches something in the sandbox, and the sandbox isn't bypassed in any way, I count that as a successful catch.

    And if I'm able to download malware with a system protected by voodooshield, but voodoo doesn't allow the malware to do anything or even run at all for that matter, then I also count that as a catch.

    C.S. counted the fact that they were able to download the malware in the first place as a fail for comodo and in that test, they never tried to run any of the malware that got past comodo's web filter.

    And even in the test on Windows 10 that C.S. did, for the malware part of the test, they counted Edge's web filter's catches as a fail on Windows Defender's part.
     
    Last edited: Aug 24, 2019
  5. kopija

    kopija Registered Member

    Joined:
    Aug 30, 2016
    Posts:
    4
    Location:
    tattvamasi
    Can any of the gurus here comment on this test? https://www.youtube.com/watch?v=sE-xdb9hTqY&t=1s
    I would not be surprised at the results if it were published a few years ago, but with recent accolades WD got from the heavyweights, it seems to me somebody is doing it wrong.
     
    Last edited by a moderator: Aug 24, 2019
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,562
  7. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    493
    Location:
    VPN city
    That's actually one of the better testers, he applies the exact same standards to every test and every time I've seen him test WD, WD fails. It has the same weakness that all of the top sellers have, as soon as it encounters something unknown, it can't protect you from it.

    Emsisoft, BitDefender's paid version, Kaspersky's paid version, Sophos' paid version and all Comodo security products, free and paid, have backup plans for when/if something gets through that first layer of the realtime scanning. WD is just a realtime scanner that may or may not have heuristics too. (I'd be surprised if it didn't have heuristics.)

    I don't understand why there are so many people that think a computer is safe with just the default windows defender stuff. It's been shown many times over the years going all the way back to when MSE/windows defender was first released on XP, vista and 7 that it's not enough.

    The same people who praise windows defender will say that comodo is worthless. Those people think that just because CIS/CAV/CFW don't detect very many things with their signatures that they're worthless, but almost everyone I've spoken to who thinks comodo is worthless never vocalizes a single syllable about all of the other stuff comodo I.S. does for you besides the realtime scanning.

    There's nothing wrong with using Windows Defender, but I would highly recommend running some kind of supplementary protection alongside it. WD/Microsoft has a good malware database, but if there's malware unknown to Microsoft trying to run on a system protected by WD it's most likely not going to get detected.

    The malware that took over the system in that test was unknown to microsoft's malware database.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    IMO a computer is as safe as the person using it. Antimalware software should be the last line of defense and not the first. So if you practice safe computing any AM will do OK. If you're running and clicking on everything, none of them will probably save you all the time. I also doubt that there are many users that would expose their system to all the malware used in these tests.
    I agree with you that there are better AM solutions than MD but IMO it's not that important for most people if they practice safe computing.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,257
    Location:
    Among the gum trees
    Right! I have Windows Defender active on one machine along with WFC, OSA, HMP.A, MB, SysHardener, 0Patch, & VoodooShield (because I can) and I never get alerts from any of those programs.
     
  10. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    493
    Location:
    VPN city
    But not all threats are obvious and plain to see, and almost all threats loaded from redirect attacks are zero day if not zero hour. The whole point of the tests is to see how the product will perform against known and unknown threats.

    Is a completely useless anti malware solution like IObit good enough? No, not at all. The only time it was good is when they were stealing signatures from MBAM back in the day.
    Is McAfee good enough? No, and it never has been.
    Is Norton good enough? It depends on whether or not the threat is in its database. If not then no.
    Is Comodo good enough for all users? No, you need to set it up right or at least know what to do with the alerts it will give you with the default settings and the vast majority of non-advanced users don't know how to do that.
    Is the free version of Sophos good enough? Again, same weakness as Norton and Windows defender. If the threat isn't in its database, it will go undetected.

    Even if you're an advanced user, what about a threat like the BadRabbit ransomware? Perfectly disguised as an update for Adobe Flash Player, complete with a fake publisher signature from Symantec and a copyright label. If the threat is unknown to Windows Defender or Norton and your system is protected by one of those products and you happen to have gotten redirected to the landing page of Bad Rabbit: BOOM! Infected.
    "Oh, but it looked like the real adobe flash player!"
     
  11. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    https://www.microsoft.com/security/...ivirus-and-layered-machine-learning-defenses/
     
  12. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    493
    Location:
    VPN city
    From that article you linked: "Windows Defender Antivirus uses a layered approach to protection..." What else does it have besides realtime scanning? Are they counting the cloud connection as another layer? And if they count the SmartScreen blocking as another layer then they should count the UAC too. I never turn off SmartScreen blocking in my tests on a VM and it never catches anything. And the UAC gives the exact same alert to every request with no information related to malware activity.

    Next thing in the article: "...While Windows Defender AV detects a vast majority of new malware files at first sight." "...However, we catch the vast majority of malware at the first (fastest) protection layers and only need to move on to a more sophisticated (but slower) level of inspection for rarer/more advanced threats."
    Again, I've seen it miss lots of stuff that's sometimes a few days old.

    And all of that babble about "next gen": AVG was saying that back in 2007 and it was one of the worst antivirus products back then. Yes, WD might have M.L.A.I. now, but there was a test just recently linked in this thread where the new sandbox feature was enabled, and even though it got a good detection rate overall, the threats that it did miss destroyed the VM on screen. That tester even showed that the WD process was running in the app container in Process Explorer.

    Okay, now I'm at the part of the article that shows the blue triangle chart. The extra layers they spoke of aren't part of the protection on the computer; it's data sample analysis sent off to their servers long after the malware could've done its damage to a system. It's totally reactive. "Yes, user number 1! We have identified the threat! But not in time to protect YOUR computer! SORRY!"

    Comodo actually analyses the unknown malware there on the system inside the sandbox; the behavioral analysis it does for things running in the sandbox almost always catches unknown malware within seconds, minutes at most. And with the firewall and HIPS set to auto-block all requests and the container set to automatically run privilege escalation requests inside the container, the malware can't do much of anything in the meantime.

    Again, WD has a good database, and with a consistent connection to the cloud its database is even better. But like I keep trying to say, it has the same weakness every other conventional AV has: it can't protect you from the unknown. That doesn't make it useless, it just means that if you're going to use it, you need to have some supplementary protection alongside it too.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    I agree - some security solutions are better at detecting new malware than others. Also, those scenarios are possible but in my opinion very unlikely to happen to users that practice safe computing. So in the end I still think that for such users a 100%, 99% or even 90% detection rate on some test does not make much difference.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,257
    Location:
    Among the gum trees
    This is not completely true. Norton has more levels to offer protection than just definitions.
     
  15. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    493
    Location:
    VPN city
    There was a hacked version of CCleaner that was distributed from CCleaner's website. This was AFTER Avast had bought it and taken over development of it. For months they were distributing malware unawares. The only kinds of security products that can stop that kind of attack are behavioral AV, and things like HMP.Alert probably would've been able to at least hinder it.

    Even if you're super safe with your computer usage, there's stuff that even an experienced user won't be able to catch; you need a proper security setup with layers to it. WD would've caught that hacked version of CCleaner after hours, Comodo would've caught it after a few seconds of it running on the system.

    Comodo probably wouldn't have sandboxed it though. I have to be honest about that, but if you set virusscope to monitor things happening across the whole system instead of just the sandbox, I'm confident that it would be able to detect a hacked version of legit software.
     
  16. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    493
    Location:
    VPN city
    Yeah, Symantec has a database of safe software, but if something unknown runs on the system, Norton will notify the user, but Norton won't do anything about it.

    Granted, it may have changed since I last fiddled with it, but it consistently gets the lowest detection rates out of all the top sellers.
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,257
    Location:
    Among the gum trees
    No, they use heuristics and monitor behaviour too.
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Yes, I remember the CCleaner fiasco, but as I remember none of the AM solutions detected that backdoor. At that moment the payload was not sinister, so sending some data to servers was not detected as suspicious by security solutions. So we could argue that they all failed. Luckily the backdoor was detected before something more dangerous was released, so we don't know how WD, Comodo or any other solution would fare if stage 2 of the attack happened. We can only assume from past experience how effective they would be.
     
    Last edited: Aug 26, 2019
  19. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    No you don't. While that would be ideal, I'm quite happy only using an antivirus for protection, as I know that the chance of my system ever getting infected is extremely minimal.
     
    Last edited: Aug 26, 2019
  20. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,619
    Location:
    Milan and Seoul
    I agree, where is the malware? I know as a private user I'm not worth the attention of the dark guys, big companies are the real targets particularly with ransomware.

    My security has never caught anything in the last 7-8 years; I had problems of configuration at times with Windows forcing me to restore a system image. Lately I had problems that I couldn't solve even with my reliable backup program, and in the end it turned out my HDD was in its death throes... I still use Sandboxie and Avira Pro because I paid for a license, but honestly the only program that matters at the end of the day is the one that backs up your OS reliably day in, day out...
     
  21. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    I stopped using CCleaner years ago, partly because there was never a test that showed cleaning your temp files, registry, etc. results in any meaningful performance difference.
     
  22. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    519
    Location:
    Bulgaria
    Maybe you should check the topics in the Malware Removal Forums. There are plenty of new topics every few hours...
    While I didn't encounter real malware on my personal PC, I dealt with a large number of threats in the past 14+ years and some of them were really stubborn.
     
  23. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    493
    Location:
    VPN city
    I guess I just have a different mindset about it. I have a lot of files on my system that I can't replace. I have backups of them, but still. I'm not a professional, just an advanced user, I'm fairly poor too, so if something happened to my system that I can't fix myself, I'd be without a computer for quite awhile.

    My security hasn't caught much either, that's why I don't bother with realtime scanning, as long as I have good application whitelisting, good HIPS and anti-exploit protection with some on-demand scanners I'm good.
     
  24. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    A new Transparency report is now available: Examining industry test results, August 2019.

    The report can be downloaded here (PDF) :
    Code:
    https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl
    Details on recent tests from :
    • AV-TEST.
    • SE Labs.
    • AV-Comparatives.
    :thumb::thumb:
     
  25. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,025