Hot Take: A Reason to use 3rd-party AV other than Windows Defender: ClickFix

In my case, hard configurator might have blocked it,

Yes, this attack is blocked in H_C by one of the following restrictions:
  • PowerShell set to Constrained Language Mode (default setting in H_C),
  • FirewallHardening (default configuration),
  • Blocking PowerShell (custom configuration),
  • ConfigureDefender ASR prevalence rule (custom configuration).

Generally, ClickFix attacks are effectively prevented by blocking outbound connections to popular LOLBins (such as PowerShell).
 
The malicious URL is currently dead and blocked by good browser protection extensions such as APIVoid and Symantec.
For people who use Microsoft Defender, it is recommended to use a good browser protection extension or DNS filtering.
However, this can still allow about 5-15% of attacks even for AVs with web protection (such as Eset).
For ClickFix attacks, the most effective (and still useful) countermeasure is blocking outbound connections to popular LOLBins.
I do, but I also think of a more "average" user, and what I could have done for them, that is not as complicated as my own set up.

In my case, hard configurator might have blocked it, although I've been experimenting with using one cloud client with split tunneling recently. More privacy, but less malware protection, because I have to use 1.1.1.1's malware DNS filtering.
I was going for the general idea that, for an average user (not people who beef up their stacks on MT) who may easily fall for social engineering, a default comprehensive protection (browser, network/download protection, file write, file read, etc.) might be better. One such solution (ESET) saved the OP; MB Premium probably would have too. I’m not really rating ESET as better than Kaspersky.

For paid solutions, I’d go for Kaspersky if the user is mostly online. But if the user is offline for some extended time, ESET might be better.

For free solutions, I’d go with Avast Free, or beefed up MD if I could IT their computers. For myself, I'd just use my mangled MD stacks, but it's a hobby.
When setting up protection for people inexperienced in the security field, you can't just install an AV and a browser extension and call the job done. Neither solution will protect them completely.
For these cases, you have to think like an IT admin in an enterprise environment would. That means setting up a standard account, and setting up the AV software and browser protection more rigorously. There isn't much you can do with DNS, but you can choose one with a higher detection rate according to the various tests. Also, disabling Macros in Office products, disabling Windows Script Host and PowerShell is very important.

I guarantee you, this will prevent pretty much all threats. The days when malware spread exclusively through .exe files were over a long time ago. New threats come in various forms of scriptlets, which is why Macros, WSH and PowerShell are the main targets and should be disabled if not used.
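As an added example that is not part of this thread, H_C or WHHLight, the following PowerShell script (run from an elevated session) applies the two countermeasures the posts above describe: outbound firewall block rules for common LOLBins and disabling Windows Script Host machine-wide, then reports the session's PowerShell language mode. The list of LOLBin paths is my assumption for illustration.

```powershell
# Added example, not code from the thread or from H_C/WHHLight.
# Requires an elevated (administrator) PowerShell session.
# The LOLBin list is an assumption for illustration; adjust it to what your users need.
$lolbins = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\mshta.exe"
)

# 1. Block outbound network connections per LOLBin (the "FirewallHardening" idea):
#    a ClickFix one-liner that tries to download its payload from the pasted command
#    is stopped at the network layer, whatever the URL or the AV signature status.
foreach ($exe in $lolbins) {
    if (-not (Test-Path $exe)) { continue }
    $name = "Block outbound: $exe"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# 2. Disable Windows Script Host machine-wide: wscript.exe/cscript.exe then refuse
#    to run .js/.vbs scripts, which closes one of the scriptlet paths mentioned above.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name Enabled -Value 0 -Type DWord

# 3. Report this session's language mode. "ConstrainedLanguage" is what H_C sets by
#    default; it restricts .NET method calls and Add-Type, which script droppers lean on.
"PowerShell LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# 4. List the resulting rules so the change can be verified (and audited later).
Get-NetFirewallRule -DisplayName 'Block outbound: *' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Users who legitimately need PowerShell to reach the network (update scripts, admin tooling) will see those tasks fail, so test the rules on one machine before rolling them out.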
Exactly. Defender does have protection from all kinds of threats and is very capable. The only issue here is that most of them aren't really shown in the UI, probably for a good reason. When set up correctly, it can provide better protection than 3rd-party antivirus software suites.

This is where your tools come in and allow the average user to set it up correctly without messing something up. I just realized you have two different tools; they should really be integrated into one. With a nicer UI as well.
 
The integrated application is H_C.
The integrated package is WHHLight.
Unfortunately, the programming language (AutoIt) does not allow a "nicer" GUI.
Anyway, the current GUIs become nicer with each day of use.
 
Any reason in particular you chose an outdated programming language instead of a more popular and modern one?

I chose AutoIt in 2015 to create a simple hardening application.
  1. It did not require the installation of an all-in-one digital workshop such as Visual Studio.
  2. The compiled executable is independent of external components such as different versions of the .NET Framework or Microsoft Visual C++ components.
  3. The executable works on very old and new versions of Windows without the necessity to install additional components.
I thought that a decent GUI could be sacrificed for the above.
 
Exactly. Defender does have protection from all kinds of threats and is very capable. The only issue here is that most of them aren't really shown in the UI, probably for a good reason. When set up correctly, it can provide better protection than 3rd-party antivirus software suites.

I disagree. MD is not better than a third-party AV.