AV-Comparatives Real-World Protection report (September '17)

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
That's true, but I don't see Defender for the average user. In our Malware Hub, Defender rocks... impressive... but with tweaks!!!!
My grandmother cannot tweak Defender for best protection. Microsoft should work on the controls.
Aha. Whether with tweaks or not, you need to understand that Defender and SmartScreen are doing most of the work. SmartScreen is the greatest cloud AV I've ever seen.
 

Lord Ami

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 14, 2014
1,026
I never had FP problems with DeepGuard :D Sometimes it will block some uncommon tools that don't have a valid digital signature or something like that, but it will never block legitimate and famous software like a media player?! So there are no FPs for me.
This is the way Deepguard works:

DeepGuard’s behavioral analysis is activated by two events. When a program is launched for the first time, DeepGuard analyses it to determine if it is safe to run. Subsequently, DeepGuard continues to monitor the program while running.
1. Pre-launch analysis When a program is first executed, regardless of how it is launched (the user clicks the file icon, an e-mail attachment or program initiates it, etc.), DeepGuard temporarily delays it from executing in order to perform the following checks:
1.1 File reputation check If an Internet connection is available, DeepGuard sends a query to the Security Cloud (below) to check for the latest information on the program’s reputation in the clean file database, which contains the latest security evaluations for a vast catalog of commonly used applications. This database is maintained and constantly updated by F-Secure Labs analysts. Programs that have been rated as clean in the database are allowed to bypass additional checks and launch immediately, whereas known malicious files are blocked at once.

Read more here:
https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
DeepGuard needs an internet connection, so without an internet connection it may block legitimate software :D
I've been running F-Secure for quite some months now and it has only once or twice blocked something that I've used (via DeepGuard).
But the good thing is that it actually does not delete the file, only blocks it from executing. Because of this and the ease of use, the user can quickly allow this file to run.

When talking about F-Secure's FPs, it's 99% "DeepGuard - Rare application" ones where F-Secure's cloud is not populated with program X to allow it to run (read: cloud has little statistics about one particular file). However, I'm yet to see file FP like "Gen.Heuristics.Trojan" or similar. For me, it has been limited to DeepGuard only (and reputational blocking).
I'm not defending F-Secure in any way, I'm just saying what I think causes this high false positive rate. In day-to-day use I see quite aggressive website blocking (which I actually like). There are one or a few FPs regarding this as well, but nothing serious in my opinion. Most website blocking takes place in the form of blocking 3rd party sites/links on a particular site, not the site itself.
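The whitepaper excerpt above describes a pre-launch flow: delay the first execution, query the cloud for the file's reputation, let known-clean files run at once, block known-malicious ones, and keep monitoring everything else. The block below is an added illustration of that flow, not F-Secure code: the hashes, the verdict tables and the `cloud_lookup` stand-in are constructed for the demo, and the offline branch (prompting rather than blocking, with the verdict left uncached so it is retried later) is a design choice of this model, chosen to show the connectivity caveat raised in the post rather than how DeepGuard itself behaves.

```python
"""Added example (not F-Secure's code): a simplified model of a pre-launch
file-reputation check with an explicit offline path.  All hashes, tables
and the 'cloud' below are constructed for the demo."""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"      # known clean: skips further checks, runs immediately
    BLOCK = "block"      # known malicious: blocked at once
    MONITOR = "monitor"  # unknown: allowed to run under behavioural monitoring
    PROMPT = "prompt"    # unknown and cloud unreachable: ask the user (model's choice)


# Constructed clean/malicious tables keyed by SHA-256 of the file content.
_CLEAN = {hashlib.sha256(b"MZ...vlc.exe (constructed)").hexdigest()}
_MALICIOUS = {hashlib.sha256(b"MZ...dropper (constructed)").hexdigest()}

# Verdicts already reached for a file; models "analysed on first launch".
_verdict_cache = {}


def cloud_lookup(sha256, online):
    """Stand-in for the reputation cloud.  Returns 'clean', 'malicious',
    'unknown', or None when there is no connectivity at all."""
    if not online:
        return None
    if sha256 in _CLEAN:
        return "clean"
    if sha256 in _MALICIOUS:
        return "malicious"
    return "unknown"


def pre_launch_decision(file_bytes, online):
    """Decide what to do with a program that is about to start."""
    sha = hashlib.sha256(file_bytes).hexdigest()
    if sha in _verdict_cache:
        # Already analysed at an earlier launch: no cloud round-trip needed,
        # so a previously cleared file still runs when the machine is offline.
        return _verdict_cache[sha]
    rep = cloud_lookup(sha, online)
    if rep is None:
        # No reputation data available.  Blocking here is what makes legitimate
        # software fail without a connection; this model prompts instead and
        # does not cache, so the lookup is retried once connectivity returns.
        return Verdict.PROMPT
    verdict = {"clean": Verdict.ALLOW, "malicious": Verdict.BLOCK}.get(rep, Verdict.MONITOR)
    _verdict_cache[sha] = verdict
    return verdict


if __name__ == "__main__":
    sample = b"MZ...vlc.exe (constructed)"
    print("offline, never seen :", pre_launch_decision(sample, online=False))
    print("online, known clean :", pre_launch_decision(sample, online=True))
    print("offline, now cached :", pre_launch_decision(sample, online=False))
    print("online, unknown tool:", pre_launch_decision(b"new tool", online=True))
```

The cache is what separates "first launch" from later launches: a file cleared once keeps running offline, while a file that has never been looked up gets no reputation at all without connectivity, which is exactly the situation in which a legitimate program can end up blocked or prompted.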
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
Microsoft have been improving with signatures lately, but regardless of this test, Emsisoft is superior in terms of the potential for protection when compared to Windows Defender, due to factors such as their Surf Protection and Behavior Blocker modules. I would suspect they are also much more reactive in terms of adding new signature detections. :)

Edit:
Sorry, I forgot this was a dynamic test and didn't include signatures. Regardless though, in reality the Emsisoft Behavior Blocker has the potential to protect the user a lot more than Windows Defender IMO. It is nice to see Microsoft improving a lot and taking things more seriously though.
Superior in what? Windows offers surf protection and BB
 

Deleted member 65228

Superior in what? Windows offers surf protection and BB
Personally I stick to User Account Control, SmartScreen, ad-blocker and I occasionally enable Windows Defender for signature/cloud scanning; you could say this is really bad security practice but it works for me and I am comfortable with it, and require nothing more.

You may be wondering, "Why am I telling you this?". The answer to that is because I believe from personal testing (not with just individual samples found from various sources, but manually testing specific attack techniques through custom samples which would obviously have never been seen before to cloud engines) that the Emsisoft Behavior Blocker has the potential to protect the user much more compared to the current dynamic implementations from Microsoft. Does this mean I think that the behavioural monitoring now being provided by Microsoft is not very good? Of course not. I may not utilise such features, but I do use Windows Defender from time-to-time and it works well for me, so I know that either solution can protect you if you make good decisions as well.

Microsoft are bound to improve and they tend to focus more on business protection regarding security than specifically Home users (not even at an equal level actually), and I believe only recently a while ago they started cracking down on mitigating injection techniques such as dynamic forking (process hollowing - replacing a process' PE image with another for concealment of operations) and atom bombing (known technique since 2016 and documented via open-source code available over on GitHub), and chances are these sorts of mitigation implementations were only aimed at business users. I am pretty sure Emsisoft could have stopped dynamic forking even back in Mamutu days, and they will block Atom Bombing for sure (no way they would have let that slip).

Maybe I am wrong or am just talking rubbish, so to resolve the situation I will re-phrase what I said appropriately so there is not a misunderstanding between you and I:
I personally believe that if Emsisoft Anti-Malware is used to its full potential regarding their protection components, it would provide enhanced protection compared to using Windows Defender to its full potential (with the tweaks performed for features such as Behavior Blocking).

Regarding web protection, I would trust Emsisoft a lot more overall for both privacy and security. I would never have a doubt in my mind about collection of search history and/or selling of it for quick cash due to their impressive ethics (compared to other famous vendors), and I would suspect that they are quicker at adding malicious hosts to their blacklist databases and have better web-based heuristics (should they have such a feature internally implemented - I am not sure).

At the end of the day, even though Microsoft do have a team of highly qualified and skilled engineers who focus on Windows Defender, I would trust an independent security company to protect me if I required the full protection capabilities provided in most traditional security solution suites, compared to a company that focuses on a wide variety of things, even if they have dedicated teams for each individual area. Speaking of Emsisoft, it appears they pretty much focus entirely on bloat-free protection, therefore putting all of their resources into both Home and Business protection, and not on several other things. I suspect that their team engineers do not change too frequently, compared to a large corporation like Microsoft that must have people coming and going on a regular basis for whichever reason.

This is opinion and not fact just to be clear. Everything expressed in this post is my personal view. Nevertheless, I am a fan of Windows Defender and have been for a long time when they heavily improved their situation with Windows 8, Windows 8.1 and Windows 10. I might seem like a fan-boy, however I haven't used Emsisoft as a main solution for myself in years from now, and I probably won't in the coming future either (simply because Windows Defender combined with built-in Windows security mechanisms and an ad-blocker is good enough for my liking).

Hopefully that runs smoother with you. :)
 

Local Host

It's always puzzled me why Panda nearly always gets excellent scores in these sorts of tests but isn't liked very much by our own MT Malware 'Hubsters'. Can anyone explain this difference of opinion?
Cause test labs rarely use 0-days, which is where it counts; that's the reason why everyone scored so high on this test...

Windows Defender is still below average for the common user; for most people here, myself included, it is more than enough though. I only don't use Windows Defender cause it has an awful impact on my system performance.

Even Kaspersky is running extremely light for me, I feel no impact whatsoever.
 

ForgottenSeer 58943

Fortinet looks horrific here. Until you realize it missed 5 samples..

The chart is designed to accentuate and glamorize the differences that when all things are considered, are very slight between products and not reflective of the reality of the threat landscape.
 

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,540
I don't think anyone who is a regular in this forum takes these tests seriously... At least I know I'm not considering changing Kaspersky for Bitdefender because of any tests, but because I believe it will offer me comparable protection and I can get it for a fraction of Kaspersky's price in my country...
 

Deleted Member 3a5v73x

It's always puzzled me why Panda nearly always gets excellent scores in these sorts of tests but isn't liked very much by MT testers. Can anyone explain this difference of opinion?
Maybe they pay the most to AV-Comparatives for their product to be tested? :D

A while back, Panda was quite bad in Malware Hub.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,154
The Microsoft team should learn more about Defender usability from other AV companies. Windows Defender is now more complex, but I am not a fan of its GUI and configuration. Anyway, in my opinion, it is the 'less headache' solution in Windows 10 for home users. The most problems may arise with fresh malware, like:
  1. obfuscated scripts (also embedded in documents), because of poor AMSI detection;
  2. malware in compressed archives (*.zip, *.7z, *.arj, ...), because after decompression they are ignored by SmartScreen Application Reputation.
If the tests have many such samples, then Defender will not get a good mark compared to other AVs.
 

509322

I don't think anyone who is a regular in this forum takes these tests seriously... At least I know I'm not considering changing Kaspersky for Bitdefender because of any tests, but because I believe it will offer me comparable protection and I can get it for a fraction of Kaspersky's price in my country...

Not taken seriously - really? These monthly AV-Comparatives threads get people banned from the forum on a regular basis.
 

VeeekTor

Level 5
Verified
May 16, 2017
197
I think you should take the results seriously.... WHY?

Because.... Let's say you don't think AVComparatives tested with enough samples, since they tested with only samples X, Y, and Z.

Thus you feel the test wasn't stringent enough, that it was too easy... and yet your favorite software failed.

So whether it was tough enough or not doesn't matter: if a security software fails, an easy test or a hard test, some are shown to have done better than others, and this fact alone still gives you an idea of how they each perform.

If your software failed an easy test, it stands to reason it will fail a hard test also.
 