- Jul 22, 2014
- 63
- Content source
- https://youtu.be/ulm0lZIqYp0
Microsoft Defender vs Top 100 Malware Sites (TPSC)
- Thread starter Lymphocyte
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Jul 27, 2015
- 5,459
It's named Microsoft Defender since 2019 and today it's 2023. C'mon Leo, wake up and try to at least read the popup messages!
- May 26, 2014
- 1,058
I almost cannot believe it, Leo saying something good about Microsoft Defender,lol
- Apr 2, 2018
- 1,721
Not bad for a built-in protection. This is way much better than Microsoft Security Essential failure on Windows 7.
Seems legit! Im sure everyone slams their system with 100 malicious links at once via a python script when they do get infected, you know, the go big or go home effect, the whole operating system was screaming for mercy, that little squeaking noise i heard in my speakers.
On a serious note, if you are going to test something like this, wouldnt it be better to test one sample at a time, using analysis tools watching in real time anything that made it past the defenses, where it did, how it did, ect. One could learn more from that than this 1 in a million chances of happening kind of infection.
Edit: I guess i should specify. When a sample drops onto the system or is executed on the system, using more than just one tool to see a process was started is helpful. Autoruns for example, did the malicious item create a start up entry, tcpview after dropping or executing on the system did it call out and drop other items onto the system. Where in user space did it drop and anchor itself, how did the tested product handle these individual aspects/stages, you know, useful information.
This type of testing method above is really no different than the old right click context scan method, it is pointless.
On a serious note, if you are going to test something like this, wouldnt it be better to test one sample at a time, using analysis tools watching in real time anything that made it past the defenses, where it did, how it did, ect. One could learn more from that than this 1 in a million chances of happening kind of infection.
Edit: I guess i should specify. When a sample drops onto the system or is executed on the system, using more than just one tool to see a process was started is helpful. Autoruns for example, did the malicious item create a start up entry, tcpview after dropping or executing on the system did it call out and drop other items onto the system. Where in user space did it drop and anchor itself, how did the tested product handle these individual aspects/stages, you know, useful information.
This type of testing method above is really no different than the old right click context scan method, it is pointless.
Last edited by a moderator:
- Sep 2, 2021
- 2,311
Many people know what I'm thinking, especially when it comes to tests with Python script execution and "gang-band" effects on protection.
For once, Leo says good things about Microsoft Defender, but I'm still not convinced of his methods.
Xeno1234
Level 14
- Jun 12, 2023
- 699
Defender does poorly in tests, because it gets overloaded extremely easily. In terms of results, it provided a clean sheet, it just took a while. For built in protection, thats pretty good.
So Microsoft Defender is not as bad as some people make it out to be. You just have to configure it correctly and that makes me wonder why it isn't like that by default?
My recommendation: GitHub - simeononsecurity/Windows-Defender-Hardening: Take advantage of some more advanced Windows Defender settings.
My recommendation: GitHub - simeononsecurity/Windows-Defender-Hardening: Take advantage of some more advanced Windows Defender settings.
- Mar 29, 2018
- 7,117
Absolutely priceless, especially the last bit "... the whole operating system was screaming for mercy, that little squeaking noise i heard in my speakers."
- Jul 22, 2014
- 63
I think the reason is to avoid falses positives, for example ransomware proteciton is disabled by default and it generates many false posotives if you enable it.
But that depends on what you do, I didn't have any problems with the settings, but I only use official and well-known stuff like:
UiPath, Office, Mysql, DBeaver, Visual Studio Code, Cmake, Git etc. and only a single game (World of Warcraft). Just as an example.
For intrusion detection, Telemetry and SIEM I can understand that a security products generates warnings.When a system makes automated decisions, you might as well suppress these warnings also. Ransomware Protection generates some confusing messages for the average home user. It is simply bad UX-practices to throw a warning which the user can ignore.
Almost all security software "i say almost as im sure there is an exception out there somewhere" are set with balanced settings of protection and usability for average users. Windows is no exception it can be tweaked for stronger protections even the firewall can be set with custom rules to harden. If one has the Pro version you can extend upon this with Windows built in tools via gpedit. This last part though im going to keep mentioning, as eventually it will be understood at some level, is for instance the attack avenue Leo used above with his scripts, the urls. You have to ask yourself a very simple but profound question, how do i access a URL on the internet. Wouldn't that be the first line of defense i should be concerned with. From finding extensions such as ublock with its online malicious block list ect, to understanding how to look at URL addresses and question them if they are legit, to checking such URLs on sites like VIrustotal before proceeding to them if unsure. Back to the basics of looking before clicking.
Absolutely priceless, especially the last bit "... the whole operating system was screaming for mercy, that little squeaking noise i heard in my speakers."
In my best Elvis voice "why thank you, thank you very much" and he bows
SimeonOnSecurity
New Member
- Oct 26, 2023
- 6
That is actually my script. Thanks for sharing!
Yeah I found it odd as well. Many of those configuration options do cause some annoyances. But we took strides in minimizing those.
Some features actually are enabled by default on Enterprise versions of windows. Others are only available on Pro and Enterprise, but aren't enabled by default.
Things like credential guard, ASLR, sub process protections, etc are recommended for most people. But they can cause issues. For instance if you're a developer, a debugger can trip aslr and memory protections. This is why we have a recommended reading section and warnings plastered across our repos.
We will say, however, out of all of our repos and various scripts, we've yet to have anyone report issues with this repo. If you find anything, we'll do our best to fix it or help you fix it on your system. Most scripts online you shouldn't just be randomly running. Always verify. And when in doubt, ask questions. You did things correctly by discussing things here and we applaud you.
- May 3, 2015
- 1,540
That's basically the standard test method from most Youtube testers... I watch this kind of video for entertainment but do no take the results seriously. I actually think the lack of knowledge of some Youtubers hilarious, some even struggle to turn off real time protection to unzip the small army of supposed malware.
Most don't even check if the leftovers are malicious or were just harmless stuff that whatever product being tested was right in not detecting.
I remember one that complained the product being tested kept killing and blocking the python script itself as malicious
Most don't even check if the leftovers are malicious or were just harmless stuff that whatever product being tested was right in not detecting.
I remember one that complained the product being tested kept killing and blocking the python script itself as malicious
- Mar 9, 2014
- 545
Reviewers can't rely on users to do what they want the latter to do. At the same time, malware can now show up in what reviewers argue are safe sites and software (especially those with newly discovered vulnerabilities). In several cases, they can even run without user interaction, or stay hidden for a long time, go straight for embedded software, and so on.
Given that, "not as bad," "it's the user's fault," "just practice common sense," "use legit software," etc., no longer cut it.
Meanwhile, more careful analysis is preferred, and that means more expensive testing, which most can't afford to pay for.
Add more protection features, and there may be a performance hit. Let the user decide what to block or allow, and he may end up doing more harm than good. Harden the system and some features may malfunction, with the user trying to figure out what he tweaked and how to undo it. (At that point, the user realizes why the hardening wasn't enabled by default in the first place.)
Given that, "not as bad," "it's the user's fault," "just practice common sense," "use legit software," etc., no longer cut it.
Meanwhile, more careful analysis is preferred, and that means more expensive testing, which most can't afford to pay for.
Add more protection features, and there may be a performance hit. Let the user decide what to block or allow, and he may end up doing more harm than good. Harden the system and some features may malfunction, with the user trying to figure out what he tweaked and how to undo it. (At that point, the user realizes why the hardening wasn't enabled by default in the first place.)
