The truth about Windows Defender on Windows 10 (Home & Pro).

[Andy Ful]

I noticed on many MT threads, that one post about Windows Defender (WD) can start the long discussion about its cons and pros. The discussion is usually off topic and simply bloats the particular thread. So, I thought that it might be more fruitful to open the separate thread for such discussions.

In this post, I will try to address some problems as objective as I can. It is probably not fully possible, because I usually tweak & use WD in the way that many people will never do. So please, do not blame me too much if I fail.

The comparison of Windows 10 editions is available in the below Microsoft document: https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf

Is WD good only for the advanced users?
The advanced users can take advantage of any AV - some of them can choose WD by chance or for compatibility reasons. So, maybe the question should be addressed to someone else?

Can WD be recommended to average users?

• The answer is Yes, for people who use the computer in a way similar to activities chosen in AV-Comparatives real-world tests, where WD scores very well. It can be recommended also to advanced users, who install AVs and take care of computers of those people, because there will be fewer problems with broken updates and other compatibility issues.
• The answer is No, for people who are the happy-clickers, engage in high-risk behaviors or use cracks, pirated software, frequently transfer data through their external drives/flash drives, etc. In those cases, Windows Defender would require some tweaks and system hardening, or additional real-time protection. Such advanced setup is possible with the occasional help from an experienced user, but many people will simply choose a good 3rd party AV. This probably will not prevent the infection, but some AVs are better for mitigating the malicious actions and healing the system.
  WD should not be also recommended to people who are happy with 3rd party AV. Happiness is a great thing and can be easily spoiled by changes.

Can WD be recommended to average MT member?
Yes, like any AV. MT members are the seekers who like security experiments. They should try some possibilities to learn and find whatever suits best their needs.

Is WD resource hog?
Any statement about bad WD performance is true ... for some computers. On many computers, the performance is average and the users do not complain. Generally, there can be some performance issues related to WD updating and computer management (installing/uninstalling applications, copying/opening folders with many executables, making the full scan, etc.). Those issues can be especially irritating on computers with low resources and slow disks. WD usually behaves like most AVs in the common tasks like: web browsing, downloading files, playing the media and games, running applications, running the quick scan, etc.

Is WD usable?
It is, but not especially convenient. Some GUI features can be seen as they were invented in the XX century by a child (joke). Many users complain about the quarantine and exclusion management issues.

Why WD (not tweaked) scores not great on Malware Hub?
Malware Hub testers use samples with the high rate of the 'never seen malware'. The test results can reflect the very limited WD features available by default on Windows 10 Home or Pro editions.

Why WD tweaked can score well on Malware Hub?
WD on Windows 10 Home and Pro, has some built-in ATP features which can be tweaked when using PowerShell cmdlets or Windows policies. This additional protection and SmartScreen set to Block, can significantly improve WD detection for 'never seen malware' samples. Enabling those features can increase the rate of false positives.
Yet, the protection against 'never seen threats' in Windows 10 and Pro is not as good as in the Enterprise editions (especially in E5 edition) or some 3rd party AVs (tweaked), which have access to advanced ATP modules.

Why WD scores very well in some Real-world tests?
Those tests often use the web-based samples with a much lower rate of the 'never seen malware'. Most samples are 'a few-day malware' which are not new to WD, and many were already detected by advanced WD ATP features. So, even when the tests are done on Windows 10 Home or Pro, the scores also reflect the advanced ATP features available in Windows Enterprise editions. That is possible because all Windows 10 editions share the "Block at first sight" feature that is enabled by default.

Why WD can generate many false positives even without SmartScreen?
"Block at first sight" feature is related to AI detection based on machine learning. It is very fast but not as good as the manual analysis of malware samples.
If the user is going to turn off this feature, the detection will depend on WD signatures, which are known to have a very low rate of false positives.

 

[RoboMan]

Excellent share my friend, thank you very much!

 

[ForgottenSeer 72227]

Good job and very good summary. Hopfully this will help clear up some of back and forth that goes on when discussing WD.

 

[Evjl's Rain]

excellent post
1 point I want to add: WD without any tweak has to be used with more caution for people who frequently transfer data through their external drives/flash drives because Smartscreen and BAFS are intentionally bypassed

this is very common in Asian countries and it's a major source of infection where WD is the main AV

 

[509322]

Hopfully this will help clear up some of back and forth that goes on when discussing WD.

It's not going to stop any ongoing debate because it has been proven over time - across decades - that people are better off with 3rd party security over Windows security. That was true 20 years ago and it is certainly true today despite all the "improvements" to Windows security.

I have no vested interest whatsoever in what people use as an AV. I have always maintained that people should use what they like. But there is a central issue here... and that is Microsoft. My complaint is centered around Microsoft making Windows and its security for the IT Pro at the E5 level and passing it down to Home versions as a mere afterthought. Now, if anyone is paying attention, Microsoft's screw-ups are just absolutely fantastic for 3rd party business. My stance is pro-user and not pro-3rd party. The more that Microsoft keeps failing, the more money that the 3rd-party AV industry stands to make. Instead, I am promoting what is the best for home users that have no inclination to install, let alone buy, a 3rd-party security soft. So I find it curious that people on this forum continually bash my pro-user stance. The fact of the matter is that 3rd party vendors just do a better job. Plain and simple. Not to mention that Microsoft does a lot of underhanded stuff, whether they mean to do it by intent or not doesn't matter.

Ever wondered why Microsoft has not fixed the 5+ year WD GUI, exclusion and other bugs ? It's not as if they cannot do it... and they are certainly aware of it as it has been a resounding complaint for years. It's a fascinating woven tale that people should research but the bottom line is that Microsoft is no one's friend.

Everybody has the right to use whatever they wish and to get themselves infected. I can tell you this... smashing fully tweaked Windows Defender is trivial.

 

[Andy Ful]

excellent post
1 point I want to add: WD without any tweak has to be used with more caution for people who frequently transfer data through their external drives/flash ...

Thanks. Added to the No answer under the "Can WD be recommended to average users?":emoji_ok_hand:

 

[Moonhorse]

Whats your opinion for the ransomware protection( wich is disabled by default) ; protect important folders with controlled folder access? and does it improve so so called protection or would you recommend to use it in any case?

 

[noob guy]

I noticed on many MT threads, that one post about Windows Defender (WD) can start the long discussion about its cons and pros. The discussion is usually off topic and simply bloats the particular thread. So, I thought that it might be more fruitful to open the separate thread for such discussions.

In this post, I will try to address some problems as objective as I can. It is probably not fully possible, because I usually tweak & use WD in the way that many people will never do. So please, do not blame me too much if I fail.

The comparison of Windows 10 editions is available in the below Microsoft document: https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf

Is WD good only for the advanced users?
The advanced users can take advantage of any AV - some of them can choose WD by chance or for compatibility reasons. So, maybe the question should be addressed to someone else?

Can WD be recommended to average users?

• The answer is Yes, for people who use the computer in a way similar to activities chosen in AV-Comparatives real-world tests, where WD scores very well. It can be recommended also to advanced users, who install AVs and take care of computers of those people, because there will be fewer problems with broken updates and other compatibility issues.
• The answer is No, for people who are the happy-clickers, engage in high-risk behaviors or use cracks, pirated software, frequently transfer data through their external drives/flash drives, etc. In those cases, Windows Defender would require some tweaks and system hardening, or additional real-time protection. Such advanced setup is possible with the occasional help from an experienced user, but many people will simply choose a good 3rd party AV. This probably will not prevent the infection, but some AVs are better for mitigating the malicious actions and healing the system.
  WD should not be also recommended to people who are happy with 3rd party AV. Happiness is a great thing and can be easily spoiled by changes.

Can WD be recommended to average MT member?
Yes, like any AV. MT members are the seekers who like security experiments. They should try some possibilities to learn and find whatever suits best their needs.

Is WD resource hog?
Any statement about bad WD performance is true ... for some computers. On many computers, the performance is average and the users do not complain. Generally, there can be some performance issues related to WD updating and computer management (installing/uninstalling applications, copying/opening folders with many executables, making the full scan, etc.). Those issues can be especially irritating on computers with low resources and slow disks. WD usually behaves like most AVs in the common tasks like: web browsing, downloading files, playing the media and games, running applications, running the quick scan, etc.

Is WD usable?
It is, but not especially convenient. Some GUI features can be seen as they were invented in the XX century by a child (joke). Many users complain about the quarantine and exclusion management issues.

Why WD (not tweaked) scores not great on Malware Hub?
Malware Hub testers use samples with the high rate of the 'never seen malware'. The test results can reflect the very limited WD features available by default on Windows 10 Home or Pro editions.

Why WD tweaked can score well on Malware Hub?
WD on Windows 10 Home and Pro, has some built-in ATP features which can be tweaked when using PowerShell cmdlets or Windows policies. This additional protection and SmartScreen set to Block, can significantly improve WD detection for 'never seen malware' samples. Enabling those features can increase the rate of false positives.
Yet, the protection against 'never seen threats' in Windows 10 and Pro is not as good as in the Enterprise editions (especially in E5 edition) or some 3rd party AVs (tweaked), which have access to advanced ATP modules.

Why WD scores very well in some Real-world tests?
Those tests often use the web-based samples with a much lower rate of the 'never seen malware'. Most samples are 'a few-day malware' which are not new to WD, and many were already detected by advanced WD ATP features. So, even when the tests are done on Windows 10 Home or Pro, the scores also reflect the advanced ATP features available in Windows Enterprise editions. That is possible because all Windows 10 editions share the "Block at first sight" feature that is enabled by default.

Why WD can generate many false positives even without SmartScreen?
"Block at first sight" feature is related to AI detection based on machine learning. It is very fast but not as good as the manual analysis of malware samples.
If the user is going to turn off this feature, the detection will depend on WD signatures, which are known to have a very low rate of false positives.

Thanks Andy, you're the man! I believe as both WD and Andy's H_C continue to develop, there'll come a time we don't need any 3rd party AV anymore (though we probably will always use the layered approach).

 

[oldschool]

A balanced and reasoned overview. Another excellent @Andy Ful post. This thread should be pinned!

 

[ForgottenSeer 72227]

Now, if anyone is paying attention, Microsoft's screw-ups are just absolutely fantastic for 3rd party business. My stance is pro-user and not pro-3rd party. The more that Microsoft keeps failing, the more money that the 3rd-party AV industry stands to make.

Just playing devils advocate here, but do 3rd parties really have the best interest for users in mind? Like you said they are making money off it, so it's a business, and we all know that businesses do not always have the best interests of their customers in mind (this includes Microsoft). My point being, do you honestly think that if Microsoft fixed all these issues that 3rd parties won't cry and complain about it, saying it's a monopoly? They cried when Microsoft was adding kernel protection to vista, saying Microsoft is trying to block them out of doing their thing. They cried when they added WD saying Microsoft is going to have a monopoly, etc...

Point is, despite the fact that they claim to "protect users" and are champions of security, they cannot applaud Microsoft for at least trying to make things more secure. There's always backlash and it has nothing to do with them trying to improve things, its always about companies saying Microsoft is trying to put them out of business. So the question is, is it really due to Microsoft being lazy, or is it that no matter what they do some how they are being labelled as trying to have a monopoly and putting people out of business, or a combination of both?

 

[Andy Ful]

Whats your opinion for the ransomware protection( wich is disabled by default) ; protect important folders with controlled folder access? and does it improve so so called protection or would you recommend to use it in any case?

I can recommend to turn it on and try for a week or two. If you can live with it, then it is OK. If not, then turn it off. Controlled Folder Access will protect also your Desktop. So, when installing applications you will often see the blocking alert, when the application tries to make a shortcut there. For running the new installed applications, you have to use the shortcuts from the Start Menu or drag the shortcut from the Start Menu to the Desktop.

Controlled Folder Access can stop many basic ransomware and some malware droppers (to Desktop), but not advanced ransomware. Yet, most advanced ransomware are 'never seen' only for Enterprises, which are attacked first. For the home users those advanced ransomware will be at least 'a few-days' type, so can be detected via "Block at first sight".

Anyway, nothing can replace the safe habit of making backups.

 

[Andy Ful]

...
Everybody has the right to use whatever they wish and to get themselves infected. I can tell you this... smashing fully tweaked Windows Defender is trivial.

That is right, unfortunately. It is as easy, as killing the man. :emoji_disappointed:
The one thing, that saves our lives is that we are not the targets for the true killers.

Most malware samples in the wild are like 'petty criminals', and the dangerous ones are interested in attacking Enterprises. For similar reasons we use locked doors to protect our homes, and Enterprises have to hire the guard. Our computers are probably safer, because there is no analogy for "Block at first sight" in the real world.
Of course, that does not mean that we cannot be killed or cannot be infected.:emoji_pray:

 

[Andy Ful]

Guys, let's do not continue the general discussion about Microsoft, please. We will soon sink in the sea of speculations, beliefs and the history of Microsoft sins. It would be better for the readers to keep this thread close to Windows Defender.:emoji_pray:

 

[Local Host]

Whats your opinion for the ransomware protection( wich is disabled by default) ; protect important folders with controlled folder access? and does it improve so so called protection or would you recommend to use it in any case?

Bad, is easily bypassed by malware, you'll find a good chunk of videos on MT where malware simply disables WD and it's modules.
The only way people managed to remain protected from randomware using WD is by using default-deny.

 

[Weebarra]

Thank you @Andy Ful, as always your posts are level headed, objective and easy to understand without bringing anyone down whether it be a company or individual and i appreciate you and your posts for that.

Unfortunately you will always get the odd one (or two) who will go off topic but some people just get too emotional (emotionally attached or detached whatever the case may be)

 

[plat]

Bad, is easily bypassed by malware, you'll find a good chunk of videos on MT where malware simply disables WD and it's modules.

Was Defender tested within its sandbox? My beef with Windows Defender is that's it's cloaked in mysterious and imcomprehensible terms to the laypeople, all the good stuff is tucked away like sunken treasure and why a unified interface with text we can actually comprehend is so needed--whether it's ConfigureDefender or Group Policy, something. Defender can be very robust for those who are willing to invest time and energy into it. It's just not a user-friendly product, period.

 

[Local Host]

Was Defender tested within its sandbox? My beef with Windows Defender is that's it's cloaked in mysterious and imcomprehensible terms to the laypeople, all the good stuff is tucked away like sunken treasure and why a unified interface with text we can actually comprehend is so needed--whether it's ConfigureDefender or Group Policy, something. Defender can be very robust for those who are willing to invest time and energy into it. It's just not a user-friendly product, period.

It was recently tested with the sandbox feature as well, the result was the same, Video - (Sandboxed) Windows Defender vs Zero Day Malware

 

[Andy Ful]

Thank you @Andy Ful, as always your posts are level headed, objective and easy to understand without bringing anyone down whether it be a company or individual and i appreciate you and your posts for that.

Unfortunately you will always get the odd one (or two) who will go off topic but some people just get too emotional (emotionally attached or detached whatever the case may be)

I am used to it.
I think that some emotional or off topic posts are OK, if they are not continued endlessly. Let's keep it that way.

 

[ForgottenSeer 72227]

It was recently tested with the sandbox feature as well, the result was the same, Video - (Sandboxed) Windows Defender vs Zero Day Malware

Since the release of the sandboxing feature there has been some confusion as to its purpose. It was never designed to improve its detection capabilities, its only there to protect the OS from vulnerableabities within WD that have not yet been found/fixed.

 

[Local Host]

Since the release of the sandboxing feature there has been some confusion as to its purpose. It was never designed to improve its detection capabilities, its only there to protect the OS from vulnerableabities within WD that have not yet been found/fixed.

Bad, is easily bypassed by malware, you'll find a good chunk of videos on MT where malware simply disables WD and it's modules.
The only way people managed to remain protected from randomware using WD is by using default-deny.