
maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
I started doing more research on antivirus and how well Defender does. My company (which is extremely security minded) relies on Defender and anyone using VPN is required to have at least defender.

I came across this video and was shocked at how poorly it did against ransomware. Looking a little deeper it seems that Defender doesn't do a good job at either identifying an attack and/or blocking it. Obviously new ransomware may not be identified, but the software should block any attempt to encrypt your drive.

Defender vs. Ransomware

I'm trying out Malwarebytes and this seems to do a bit better, and this YT video by the same author shows what I think is a more robust level of protection. This test isn't strictly ransomware, but there are ransomware tests in his suite and they're actively identified and/or blocked.
 
  • Sad
Reactions: kazmac
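The first post says a security product "should block any attempt to encrypt your drive". Defender's control for exactly that, Controlled Folder Access, is off by default, so a "Defender failed against ransomware" result depends heavily on how the test machine was configured. The snippet below is an added example, not from the thread or the linked videos; it uses the built-in Defender PowerShell module to audit the settings that matter and to turn Controlled Folder Access on in audit mode first. The folder path is a placeholder, and the whole thing needs an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not from the thread): audit Microsoft Defender's ransomware-relevant
# settings and enable Controlled Folder Access in audit mode. Run as Administrator.

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Summarise the state a defender would check before trusting a ransomware test result.
[pscustomobject]@{
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    BehaviorMonitoring     = $status.BehaviorMonitorEnabled
    SignatureAgeDays       = $status.AntivirusSignatureAge
    LastQuickScan          = $status.QuickScanEndTime
    # 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only)
    ControlledFolderAccess = $prefs.EnableControlledFolderAccess
    ProtectedFolders       = ($prefs.ControlledFolderAccessProtectedFolders -join '; ')
    # 0 = off, 1 = basic, 2 = advanced cloud-delivered protection
    CloudProtection        = $prefs.MAPSReporting
} | Format-List

# Controlled Folder Access blocks untrusted processes from writing to protected
# folders. Start in AuditMode so legitimate apps that would be blocked show up
# in the event log before you switch to Enabled.
if ($prefs.EnableControlledFolderAccess -ne 1) {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

# Placeholder path: replace with the folder(s) that hold your own data.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Documents'

# Review what Controlled Folder Access blocked (event 1123) or would have
# blocked in audit mode (event 1124) from the Defender operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the audit log shows only your own backup or sync tools being flagged, add them with `Add-MpPreference -ControlledFolderAccessAllowedApplications` and then move the setting to `Enabled`; an encryption attempt by an unknown process against a protected folder is then blocked rather than merely logged.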

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
Windows defender is included in windows, correct?
or is that called windows security?
Yes, Windows Defender is the included antivirus and I'm sure it's fine for most people. My browsing habits are incredibly tame, news sites, sports, YT and here, nonetheless I just wanted to add a higher level of peace of mind.

I know Defender has improved over the years but the point remains there appears to be better options
 
  • Like
Reactions: kazmac

MBAir2010

macrumors 604
May 30, 2018
6,975
6,354
there
Yes, Windows Defender is the included antivirus and I'm sure it's fine for most people. My browsing habits are incredibly tame, news sites, sports, YT and here, nonetheless I just wanted to add a higher level of peace of mind.

I know Defender has improved over the years but the point remains there appears to be better options
Thanks again, I have the same web browsing patterns but stay off YouTube and nothing Google.
What I like about Microsoft Edge is that it will let me visit a safe site Safari deems unsafe.
 

iluvmacs99

macrumors 6502a
Apr 9, 2019
920
673
I started doing more research on antivirus and how well Defender does. My company (which is extremely security minded) relies on Defender and anyone using VPN is required to have at least defender.

I came across this video and was shocked at how poorly it did against ransomware. Looking a little deeper it seems that Defender doesn't do a good job at either identifying an attack and/or blocking it. Obviously new ransomware may not be identified, but the software should block any attempt to encrypt your drive.

Defender vs. Ransomware

I'm trying out Malwarebytes and this seems to do a bit better, and this YT video by the same author shows what I think is a more robust level of protection. This test isn't strictly ransomware, but there are ransomware tests in his suite and they're actively identified and/or blocked.
On both my Windows 10 and 8.1 machines, I always paired it with Malwarebytes as it works seamlessly with Defender, and I also have a security router running TrendMicro security which sniffs packets for possible ransomware sites and blocks malicious sites and files. I found that Defender is sufficient if you surf trusted sites and links and avoid programs downloaded from untrusted sites. I found that sometimes Defender didn't detect malware that Malwarebytes did, as well as virustotal.com.
 

velocityg4

macrumors 604
Dec 19, 2004
7,330
4,724
Georgia
I'd just note: which anti-virus is best changes every few months. For a while Defender was one of the best. Now it's dropped down some. I go to AV-comparatives.org for testing. It seems Covid lockdowns must have slowed down their testing cycle.

I'd consider Panda, Trend Micro and F-Secure as the best at the moment, as the most recent tests show a full lockdown. Three months from now it could be some other AV. I'm a bit curious as to how they'd perform against this test. They do have a downside of too many false alarms. I'd rather have false alarms than an infection though.

I know there is AV-test.org too. I'm a bit dubious about their results, as AV-comparatives seems to find flaws when av-test does not. I'm not sure if this is a result of differences in methodology or not.

I've always treated Malwarebytes as a removal tool not a blocking tool. It's great for removing malware from an infected system. I wouldn't mind using them as an anti-virus. But I'd like to see it in tests from an independent lab which is testing other products during the same time period. Plus frequently retesting.
 
  • Like
Reactions: AndyMacAndMic

sracer

macrumors G4
Apr 9, 2010
10,402
13,283
where hip is spoken
Yes, Windows Defender is the included antivirus and I'm sure it's fine for most people. My browsing habits are incredibly tame, news sites, sports, YT and here, nonetheless I just wanted to add a higher level of peace of mind.

I know Defender has improved over the years but the point remains there appears to be better options

I'm interested in seeing what impact "common sense computing practices" have on a system that has no security, basic security (like Windows Defender), and a higher level security (of the type that is being discussed in this thread).

I think the reverse scenario would be informative also... take those systems and not employ common sense practices.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
what impact "common sense computing practices" have on a system that has no security, basic security
The first line of defense is certainly your brain, but I think even with common sense there is a risk. Whether it's due to someone else getting infected and you're on the same network, i.e., propagating through the network, or just receiving an email with an attachment - even if you're expecting that attachment, it certainly could be infected.

We don't live in a vacuum, and as such it's my belief that safe computing practices can only take you so far, and you still need some level of protection. Just look at how many of these products prohibit your data from being encrypted. I'd rather not rely solely on common sense when in a flash your data could be gone.

Just look at some of the recent issues. I forget the app, but if memory serves me there was one situation where, if you downloaded a known app from the developer's site, it was infected. Also a similar problem on the macOS side - macOS has its share of malware and their use of various developer certificates, so again you think you're doing the right things and boom, you're infected or worse, your data is encrypted.

It's just my personal opinion, but living without any security is not worth the risk. While Defender failed in much of the ransomware tests, that's still better than no antivirus app.
 

LiE_

macrumors 68000
Mar 23, 2013
1,716
5,566
UK
Malwarebytes is really good and something I always run. I probably don't need it really as I don't visit dodgy websites or download apps from suspect websites.
 

kamikazeeMC

macrumors 6502
Aug 18, 2017
476
524
Perth, Western Australia
Since windows 7 I’ve been running just defender + malwarebytes/adwcleaner. I like to keep background tasks to a minimum, though with computer specs these days, I guess it doesn’t really matter.

I do torrent and time to time (rarely), pick up something dodgy. If defender misses it, malwarebytes gets it.

I remember when I got dial up and then ADSL, weekly/monthly formats were a common occurrence for me. Apart from torrenting, that time has taught me safe browsing practices haha.
 

I7guy

macrumors Nehalem
Nov 30, 2013
35,142
25,212
Gotta be in it to win it
I've been experimenting with ways of reducing the number of cycles dedicated to scanning and antivirus.

I created a windows 10 virtual machine that I use for 100% of my downloading and browsing. I'm thinking of putting a good anti-virus in the virtual machine. As I posted above (or elsewhere) with this type of setup, was considering disabling windows defender, but I haven't yet convinced myself.
 

velocityg4

macrumors 604
Dec 19, 2004
7,330
4,724
Georgia
I've been experimenting with ways of reducing the number of cycles dedicated to scanning and antivirus.

I created a windows 10 virtual machine that I use for 100% of my downloading and browsing. I'm thinking of putting a good anti-virus in the virtual machine. As I posted above (or elsewhere) with this type of setup, was considering disabling windows defender, but I haven't yet convinced myself.

Seems like a lot of extra steps and time you have to do, to launch a VM whenever you want to browse. Plus the VM will eat a lot more resources if left running than just an AV alone. Then you have to move files back and forth too.

On a good, fast computer the impact of an AV isn't much. Maybe just disable it when gaming or doing whatever task you want more resources in. Many AV also have a temporary disable option.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
I've been experimenting with ways of reducing the number of cycles dedicated to scanning and antivirus.
Have you done any quantitative analyses where you can say that running Defender or another AV program slows your computer down x percent?

I have no hard numbers, just my subjective look and feel, and for me, I've not noticed any impact whether using Defender or, right now, Malwarebytes. It's my opinion that, given how fast CPUs are, background tasks such as an AV have no perceptible or noticeable degradation to overall usage. Again, I have no numbers to back that up, just my overall experience in using the system.

Truth be told, setting up and running a VM as a sandbox will certainly protect your system further, and of course you'd need to run an AV in that environment, but as @velocityg4 stated, that's a lot of work just to do browsing and downloading. I also would think having a VM up and running would slow your host machine more than an AV running.
 

iluvmacs99

macrumors 6502a
Apr 9, 2019
920
673
Another less well known appeal of running VMs is that advanced malware and viruses won't infect VM systems precisely because they know running in a VM means that they are not infecting the host machine. Many of the advanced malware and viruses intentionally disable themselves when running in a VM and then reactivate themselves once out of the VM, so people can't easily study the behaviour of the malware and viruses while running in a VM, nor effectively scan for them when running a server program in a VM either. Which is why it's also important to see how people actually evaluate Defender, either under a VM or on an actual host machine, because results can differ. Malwarebytes is really good at detecting malware signatures in many different machine environments, while Defender assumes you are running on an actual host machine and may not be able to detect sneaky advanced malware that may lie dormant and harmless when running in a VM, which Malwarebytes can pick up while Defender won't.

I run an Android emulator (Bluestacks) on my PC and allow somewhat seamless file sharing between the host and the VM Android machine, and so far so good. It doesn't slow down my i5 machine all that much, other than I need more RAM for my PC to run more VMs.
 
Last edited:

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
precisely because they know running in a VM
I don't think that's the case. The YTer I linked to runs his tests in a VM and I don't recall him having any problems with the high number of malware he tests with.
 

iluvmacs99

macrumors 6502a
Apr 9, 2019
920
673
I don't think that's the case. The YTer I linked to runs his tests in a VM and I don't recall him having any problems with the high number of malware he tests with.
I think that part of the difficulty of testing ransomware is that those programmers are smart and are using a new but old technique called the "Living Off The Land" attack vector, because they know people are using VM sandboxed machines to test malware attacks. Malware hackers always think "out of the box" and testing malware in a VM is really not thinking out of the box. It's just for the convenience of the reviewer, because then the YTer can wipe the VM clean and do these tests quicker, while ignoring that newer malware is smarter and so covert that it can hide and not deliver a payload in a VM machine, or when it's not seeing what is possibly a host machine, so it requires more behavioural analytics on the part of the AV software to detect them, and is not necessarily the incompetence of MS Defender. Because testing in a VM is not really a real life scenario that can trick the malware into deploying the payload or appearing to deploy the payload.

What Are Fileless Malware Attacks and “Living Off the Land”? Unit 42 Explains - Palo Alto Networks

Ragnar Locker ransomware deploys virtual machine to dodge security – Sophos News
 
Last edited:

I7guy

macrumors Nehalem
Nov 30, 2013
35,142
25,212
Gotta be in it to win it
Seems like a lot of extra steps and time you have to do, to launch a VM whenever you want to browse. Plus the VM will eat a lot more resources if left running than just an AV alone. Then you have to move files back and forth too.

On a good, fast computer the impact of an AV isn't much. Maybe just disable it when gaming or doing whatever task you want more resources in. Many AV also have a temporary disable option.

Have you done any quantitative analyses where you can say that running Defender or another AV program slows your computer down x percent?

I have no hard numbers, just my subjective look and feel, and for me, I've not noticed any impact whether using Defender or, right now, Malwarebytes. It's my opinion that, given how fast CPUs are, background tasks such as an AV have no perceptible or noticeable degradation to overall usage. Again, I have no numbers to back that up, just my overall experience in using the system.

Truth be told, setting up and running a VM as a sandbox will certainly protect your system further, and of course you'd need to run an AV in that environment, but as @velocityg4 stated, that's a lot of work just to do browsing and downloading. I also would think having a VM up and running would slow your host machine more than an AV running.
A couple of thoughts on this:
- The virtual machine takes less than 1/2 hour to create using the media creation tool. I install the bare minimum of stuff. The VM itself is given two cores and 4 GB. And it's a throwaway, which can be recreated in 1/2 hour or less.
- I usually just keep the VM running and other than normal telemetry and scanning there is nothing else going on in that VM. If I want, I can pause it. If I want to test something I can set a snapshot and then back it out.
- My main disk doesn't get polluted with all of the remnants of what is needed to support browsing.
- I do have to move files between the VM and the main desktop, but that doesn't seem to be a big operational headache.

Anyway this is more of an experiment to see how I like this type of environment.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
I usually just keep the VM running and other than normal telemetry and scanning there is nothing else going on in that VM. If I want, I can pause it. If I want to test something I can set a snapshot and then back it out.
I'm still not understanding your reasoning or the justification of using a VM for antivirus scanning/protection and not your host machine. Running a VM will be more impactful to your overall performance than having an antivirus app running.

If it were me and I decided to run a VM to download and verify files and browse the web, I'd probably start off with the grandest intentions, but I would easily start using Chrome and downloading stuff and not use the VM.

Plus, as I play games, maybe I want to search out a tip or walkthrough - if I have the VM suspended while playing, well, that defeats the purpose.

It's your machine, your choice and I'm not trying to belittle you, but we as humans tend to go the path of least resistance and this seems like more work, and more impact on the system for no benefit. Just my $.02.
 

I7guy

macrumors Nehalem
Nov 30, 2013
35,142
25,212
Gotta be in it to win it
I'm still not understanding your reasoning or the justification of using a VM for antivirus scanning/protection and not your host machine. Running a VM will be more impactful to your overall performance than having an antivirus app running.

If it were me and I decided to run a VM to download and verify files and browse the web, I'd probably start off with the grandest intentions, but I would easily start using Chrome and downloading stuff and not use the VM.

Plus, as I play games, maybe I want to search out a tip or walkthrough - if I have the VM suspended while playing, well, that defeats the purpose.

It's your machine, your choice and I'm not trying to belittle you, but we as humans tend to go the path of least resistance and this seems like more work, and more impact on the system for no benefit. Just my $.02.
If I can't explain/justify this to a bunch of tech people, I must be really off the wall. This started out as an experiment to see what I could do to speed up the boot time of my newish laptop. On the laptop I only have one product that uses a service, and that is VMware Workstation, so I was thinking the boot time slowness was with respect to Defender.
I was thinking of turning off Defender on the laptop and creating a VM with a good anti-virus just for browsing. So I took the concept of creating a VM just for browsing to my new desktop, which if you recall has a 10th gen Intel CPU.
The desktop still has Defender running, but I'm liking the concept of a VM for browsing after using it for a few weeks. Here's what I see as the pros and cons.

Pros
- Isolated browsing environment
- Footprint of browsers is contained to VM
- Scope of the anti-virus scans is limited
- Being a virtual machine, you can set cores, memory and priority, as well as take snapshots and make configuration changes.
- Can leave the virtual window open on another monitor and can pause vm if needed
- Environment can be treated as temporary

Cons
- Takes 1/2 hour to create if needed
- Need to set up browsers with add-ons etc.
- Takes cycles when not paused (how much is up for debate)
- Is okay for YouTube videos up to HD spec
- Requires VMware Workstation, or the free VirtualBox or VMware Player
- Browsing might be slightly slower due to the overhead of the VM
- Downloads are a two-step process (albeit a fast two-step process)
- Requires "maintenance" such as Windows Update
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
If I can’t explain/justify this to a bunch of tech people
A more likely explanation is that I'm not the sharpest knife in the drawer :p

so I was thinking the boot time slowness was with respect to Defender.
How many times do you reboot your machine? I rarely restart my PC, and so long or short reboot times are really a non-issue. I don't mean to sound so critical or harsh, but the solution does sound worse than the problem. I mentioned the path of least resistance: why bother embracing a workflow that requires more steps? For instance (just using made up numbers), why bother with a workflow that requires 10 steps when you can do the same sort of work with 2 or 4 steps? Similarly, trying to run some things in a VM just to ensure it's being scanned by an antivirus requires more steps than if you just run an antivirus on your host machine.

May I also interject that you're putting your machine at a higher risk. There are other ways to get infected, not just from downloading a file. By only having Defender running in a VM for one reason, you're still leaving your host machine unprotected and vulnerable.

Again, I'm not trying to sound critical of you, and ultimately, it's your computer and your choice. Regardless of my opinion, if that's how you want to roll, more power to you.
 

IowaLynn

macrumors 68020
Feb 22, 2015
2,145
589
This article got me shopping for a security package. I do have Malwarebytes on all devices, Windows, Mac, Android (but not iOS)


And a review from Windows Central gave But defender high marks, one I've never even tried.

 

velocityg4

macrumors 604
Dec 19, 2004
7,330
4,724
Georgia
This article got me shopping for a security package. I do have Malwarebytes on all devices, Windows, Mac, Android (but not iOS)


And a review from Windows Central gave But defender high marks, one I've never even tried.


Bitdefender's a pretty big name. Looking through the tests at the leading AV testing labs, Bitdefender's about as good as it gets. I'm considering them as my Avira subscription is up. Unfortunately they don't offer any deals on a five computer anti-virus package. They require their Security Suite for a deal on more than three computers.

I absolutely hate security suites as they add a bunch of bloat. Worse yet, they mess with the firewall, causing a mess for file sharing and accessing network devices on a local network.

Although butt defender would have been a much funnier name.
 

I7guy

macrumors Nehalem
Nov 30, 2013
35,142
25,212
Gotta be in it to win it
[...]
May I also interject that you're putting your machine at a higher risk.[...]
Yep. I thought about this and it's not worth disabling Defender, which will leave my devices open to potential threats. Here is what I'm doing for now. (This entire thought process started due to the boot up time on my laptop, which I really have to analyze to find out why it takes 3 or 4 minutes before the disk settles down.)

On my desktop:
- I created a small VM, 2 cores and 4 GB, for web browsing. It's on an SSD so it's fast. I don't use my desktop for general web browsing. If anything happens I have a zip backup of the VM files from right after installation that I can restore and be up and running in a minute or two.
- I checked Settings. The last Defender scan took about 1 minute 30 seconds to scan about 35,000 files. That's fast enough for me.
- My main desktop is somewhat protected, unless a virus can leak through the VM firewall into my desktop. But the browsing VM also has Defender running.
 