App Review Windows Defender vs Ransomware 2024 (TPSC)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
The PC Security Channel

monkeylove

Level 12
Verified
Top Poster
Well-known
Mar 9, 2014
597
Windows provides choice and control for users to configure their PCs to meet their specific needs, including the ability to turn Windows features like Memory Integrity and VMP on and off. Gamers who want to prioritize performance have the option to turn off these features while gaming and turn them back on when finished playing. However, if turned off, the device may be vulnerable to threats.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
It does not protect well against zero hour malware,

I am afraid that there are no such tests for any AV. In known Real-World tests, there are some 0-day samples (but not zero-hour). The rest are 1-day or even a few days old malware. If I correctly recall, about 2/3 of samples in the wild can be 0-day malware. But when tested in the lab, the ratio can rapidly drop with any hour (many 0-day samples became dead or 1-day samples). If the test is done one time a day, the ratio can drop probably to one 0-day sample per 10 samples.

and fails utterly against banking trojans

That is true, but only if the banking trojan is run in the already infected environment. Such a scenario is probable in Enterprises via lateral movement. At home, the banking trojans are delivered by other malware types that are well-detected. So, the chances of banking trojan infection are very small (combined chances of initial_malware_infection * chances of banking_trojan_infection).

Anything beyond normal attacks and it is more probable that Microsoft Defender will fail to protect a system. This is confirmed by testing by MRG Effitas and AVLab.

That is more or less true for a free version (similarly to other free AVs), but I would not say that it is confirmed by MRG Effitas and AVLab.

MRG Effitas (360° Protection) does test only the business versions. It can confirm that Defender Antivirus Enterprise is an average protection layer against malware simulation on the already infected system (not good in the Banking Simulator Test) and as good as the top solutions in other banking tests (Real Botnet Test and Financial Malware Test). The overall protection against banking malware is better than Trend Micro Security and Avira Antivirus Pro.

The AVLab testing procedure is somewhat flawed for Microsoft Defender, because the "Block at first sight" feature does not work properly. It is rather a custom protection level (different from the real protection) used as a reference for other tested AVs.
Anyway, the results of the last test in January 2024 (2 missed samples) would be probably the same as with a fully functional "Block at first sight. The missed samples are legal PUAs (XMRIG, ReksFN) and Defender was tested with disabled PUA protection. Those PUAs were probably used as payloads and abused by initial malware. It is not clear if AVLab tested also the initial malware, if so then they were detected and Defender might score with 100% protection in the wild.

I can confirm from my experience, that Defender can miss some legal adware and PUAs even when PUA protection is enabled.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
Most users are not going to employ a utility to tweak Microsoft Defender so the rationale, at least for Windows Home, is to test Defender at 100% defaults.

"Block at first sight" is a default setting of Microsoft Defender free. It does not work properly in AVLab tests because of a specific testing procedure. This topic was discussed a few times on MT.

Is MD a decent baseline when considering security from a general perspective? Sure it is. Is it good enough? That depends to a large extent upon the person using the system.
I think so. (y)
 

likeastar20

Level 9
Verified
Mar 24, 2016
419
I know Kaspersky use their own hypervisor which is required for some specific malware detection functions, but not aware of other security programs using something like this. Just as I was writing this I remembered, Avast uses hardware assisted virtualization (default but optional) for CyberCapture but that is a very different thing from Kaspersky's hypervisor. Personally, I think if you have a PC with very high config, then you should enable it, especially if you're not using Kaspersky.
@Trident Any knowledge on this? Or is it used only for safe browsing?
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,861
@Trident Any knowledge on this? Or is it used only for safe browsing?
Not for/not just for safe browsing.
Before moving on we should note a different approach taken by Kaspersky to hook the kernel it made use of its own hypervisor.
This comes with several downsides as it requires virtualization support
I found this info in this endpoint test. At that time, I even saw their interview on YouTube after the test was released. A University professor and his student if I remember correctly:


Also, there is this demo and probably others too using Kaspersky's hypervisor to hook system calls:
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Kaspersky hypervisor to my knowledge is not used in malware detection because kaspersky does not have a sandbox. The hardware assisted virtualisation in Avast is used for the sandbox and on the foundation of the sandbox steps DeepScreen that runs the app sandboxed for certain period of time, which is part of the Cyber Capture routine.
It prevents sandboxed apps from accessing non-sandboxed regions or simply said “escaping the sandbox”.

Kaspersky does use dynamic emulator but this emulator, like all other vendors, lives in the memory space, in user mode, which means it will not require hypervisor. Furthermore, most of the vendors’ dynamic emulators are ephemeral and go away when there is nothing more to emulate.

The Kaspersky hypervisor is used mainly to isolate the browser from the rest of the system and to protect it from injection, from what Kaspersky explains in documentation. It is possible to find other uses for the code (it allows kernel access after all) but Kaspersky does not seem to be using it for malware detection.
 

zidong

Level 2
Jul 15, 2024
57
Gives less fps on lower hardware, but really not issues with high end rigs, its dependant on the setup you have
In CPU intensive games Memory Integrity affects performance a lot. I guess that Kaspersky Hardware Virtualization affect performance too, but AV-Comparatives and others independent organization wouldn't mention that.
 

Attachments

  • Screenshot (4).png
    Screenshot (4).png
    748.3 KB · Views: 39
  • Screenshot (5).png
    Screenshot (5).png
    829.3 KB · Views: 36
  • Screenshot (6).png
    Screenshot (6).png
    3.4 MB · Views: 27
  • Screenshot (7).png
    Screenshot (7).png
    3.2 MB · Views: 26
  • Screenshot (8).png
    Screenshot (8).png
    3.3 MB · Views: 25
  • Screenshot (9).png
    Screenshot (9).png
    4.4 MB · Views: 29
  • Screenshot (10).png
    Screenshot (10).png
    4 MB · Views: 26
  • Screenshot (11).png
    Screenshot (11).png
    3.8 MB · Views: 34

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top