Battle Bitdefender Total Security or Microsoft Defender — Who Wins for Everyday PC Users?

Which antivirus do you trust on your home PC in 2025?

  • 🛡️ Bitdefender Total Security (paid AV + extras)

  • 🆓 Microsoft Defender (built‑in, free)

  • ⚖️ Use Defender + selective third‑party tools (e.g. Suricata, browser extensions)

  • 🤔 Combination of Defender + Bitdefender: defense-in-depth


Bitdefender Total Security vs. Microsoft Defender
Platform(s): Microsoft Windows
I don't have time to delve into this. That's your hobby on this forum :)

The point is that BD doesn't need signatures like oxygen, as ESET does, for example. So if you don't update BD every hour, nothing major will happen to you, or at least it shouldn't. It would be worse if you didn't update at all.
So, you can deal with a large batch of BD signature data (protecting the drive) by setting less frequent updates. And the biggest "flaw" of BD opponents is becoming a myth ;)

Best regards
 
Not really, because some have switched to an NGAV-type architecture. Anyway.
 
Nowadays, many AVs use pre-execution behavior-based detections. Usually, there is more than one file involved in the attack. The initial malware can download/drop/execute intermediate payloads before executing the final payload. The pre-execution of the final payload can include the execution of the initial malware and intermediate payloads, which can produce many behavioral signals. All those signals are evaluated in real-time together with pre-execution analysis of the final payload.
Some AVs (like Microsoft Defender) use the above to create dynamic signatures in the cloud. Such signatures are delivered to endpoints in real-time, so the final payload can often be detected on the Endpoint by a signature, even though the malware was detected behaviorally in the cloud.
 
That’s a very optimistic outlook of Microsoft Defender’s behaviour (and many others that are based on the same principle).
This will block quite a lot of script kiddies that haven’t got anything better to do and are trying to get money for a new moped.

But an advanced adversary with experience and motivation will employ a bunch of tactics (like bloating/pumping the file).

The automatically-created signature will probably only be useful on this variant and not on the variant that will be released 2 hours later.

If everything was as easy as “upload, emulate and block”, there wouldn’t be Defender (or a need for it) and there wouldn’t be attackers.
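The two posts above describe a pipeline (behavioural signals from every stage of a dropper chain are scored together in the cloud, a dynamic signature for the final payload is pushed to endpoints) and an objection to it (a pumped or re-released variant no longer matches the signature). The following is an added example, not code from the thread or from Microsoft or Bitdefender: a toy version of that pipeline in Python. The event names, weights, payload bytes, the n-gram similarity profile and the 0.8 threshold are all constructed for the demo. It shows that an exact-hash signature misses a pumped copy of the same payload, that a containment-based n-gram profile still catches the pumped copy, and that a re-encoded variant evades both.

```python
"""Added example (not from the thread or any vendor): toy multi-stage cloud
scoring -> dynamic signature -> endpoint lookup, plus pumped and re-encoded
variants of the final payload. Everything here is constructed for the demo."""
import hashlib
import random

NGRAM = 4            # byte n-gram size for the similarity profile (assumption)
SIM_THRESHOLD = 0.8  # share of signature n-grams that must reappear (assumption)

# Constructed telemetry: weights are illustrative, not any vendor's scoring.
SUSPICIOUS_WEIGHTS = {
    "download": 1, "drop_file": 1, "exec_dropped": 2,
    "disable_defender": 3, "inject_remote_thread": 3,
}
CHAIN_EVENTS = [                               # constructed dropper -> loader chain
    {"stage": "dropper", "action": "download"},
    {"stage": "dropper", "action": "drop_file"},
    {"stage": "dropper", "action": "exec_dropped"},
    {"stage": "loader", "action": "disable_defender"},
    {"stage": "loader", "action": "inject_remote_thread"},
]
BENIGN_EVENTS = [{"stage": "updater", "action": "download"}]   # constructed


def ngrams(data: bytes, n: int = NGRAM) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def containment(sig_grams: set, sample: bytes) -> float:
    """Fraction of the signature's n-grams that reappear in the sample.
    Containment rather than Jaccard, so appended junk cannot dilute the score."""
    return len(sig_grams & ngrams(sample)) / len(sig_grams) if sig_grams else 0.0


def cloud_evaluate(chain_events, final_payload: bytes, threshold: int = 6):
    """Score all stages' signals together; on a malicious verdict emit a dynamic
    signature for the final payload: exact hash plus an n-gram profile."""
    score = sum(SUSPICIOUS_WEIGHTS.get(e["action"], 0) for e in chain_events)
    if score < threshold:
        return None
    return {"sha256": hashlib.sha256(final_payload).hexdigest(),
            "grams": ngrams(final_payload), "score": score}


def endpoint_check(sample: bytes, sigdb: list, fuzzy: bool = True) -> str:
    """Endpoint-side lookup against signatures delivered from the cloud."""
    digest = hashlib.sha256(sample).hexdigest()
    if any(sig["sha256"] == digest for sig in sigdb):
        return "blocked:exact"
    if fuzzy and any(containment(sig["grams"], sample) >= SIM_THRESHOLD for sig in sigdb):
        return "blocked:similar"
    return "allowed"


def build_samples():
    """Constructed payloads: v1, a pumped copy of v1, and a re-encoded variant."""
    rng = random.Random(7)
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    payload_v1 = b"MZ" + body
    junk = bytes(rng.getrandbits(8) for _ in range(200_000))
    pumped = payload_v1 + junk                          # file pumping: same code, junk appended
    variant_v2 = b"MZ" + bytes(b ^ 0x5A for b in body)  # "two hours later": re-encoded body
    return payload_v1, pumped, variant_v2


if __name__ == "__main__":
    v1, pumped, v2 = build_samples()
    db = [cloud_evaluate(CHAIN_EVENTS, v1)]
    print("benign chain ->", cloud_evaluate(BENIGN_EVENTS, v1))
    print("v1           ->", endpoint_check(v1, db))
    print("pumped/exact ->", endpoint_check(pumped, db, fuzzy=False))
    print("pumped/fuzzy ->", endpoint_check(pumped, db))
    print("variant v2   ->", endpoint_check(v2, db))
```

The exact hash is what a cloud-generated signature most cheaply delivers, and it is precisely what pumping breaks; the n-gram profile survives appended junk because it asks how much of the known payload is present, not how similar the whole file is. A re-encoded variant shares no byte n-grams with v1, which is the "variant released 2 hours later" case: neither signature form helps there, and only the behavioural path would.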
 
I usually use the reference to a particular post to help readers understand the discussion flow among the posts of other MT members.

The readers could misunderstand your post in the discussion on behavior-based detection, because pre-execution detection of something can also include behavior-based detection. I am not sure how this is in the case of Bitdefender. You probably know more about it and can clarify the topic.

We should also remember that most detections of all AVs are pre-execution detections. The differences in overall detection in the wild due to behavior-based features are only a small part of the total detections.
 
That’s a very optimistic outlook of Microsoft Defender’s behaviour

That is how Microsoft Defender works. There is no guarantee that it will be very efficient against evasive threats.
The above is true for any security layer. The attackers evolve to bypass any security layers.
 
It is how it works and if I remember correctly, Microsoft implemented several parsers, looking at the page, email body, archive name and metadata for a password. It’s difficult to track the Defender patents because they fall into an ocean of Microsoft patents and it requires insane digging around to discover what’s related to Defender (though I can ask Gemini to pull them).

But how well these parsers work, I’ve not tested.
I don’t expect much.
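The post above mentions parsers that look at the page, e-mail body and archive name for the password of a protected archive. The following is an added example and not Microsoft's implementation (which is not public): it extracts candidate passwords from a constructed e-mail body and archive file name with a few regexes of this example's own design, orders them, and shows the standard-library call a scanner would then use to try them against the archive. The e-mail text, the archive name and the naming habit `invoice_pw-7731.zip` are all assumptions for the demo.

```python
"""Added example (not from the thread and not Microsoft's parsers): candidate
password extraction from e-mail body and archive name, then trying the
candidates against a zip with the standard library. Inputs are constructed."""
import io
import re
import zipfile

LABEL = r"(?:password|passcode|pass|pwd|pw)"
BODY_PATTERNS = [
    # "Password is: Inv0ice2025", "pw = abc", "pass - xyz"
    re.compile(LABEL + r"(?:\s*(?:is|:|=|-))+\s*([^\s\"'“”<>]{3,32})", re.I),
    # 'PW "Backup#99"'
    re.compile(LABEL + r"\s*[\"“]([^\s\"”]{3,32})[\"”]", re.I),
]
# e.g. invoice_pw-7731.zip (assumed naming habit, not a documented convention)
NAME_PATTERN = re.compile(LABEL + r"[-_]?([A-Za-z0-9]{3,32})", re.I)

# Constructed phishing text and attachment name for the demo.
EMAIL_BODY = (
    "Dear customer,\n"
    "your invoice is in the attached archive. Password is: Inv0ice2025\n"
    "If that fails, use the PW \"Backup#99\".\n"
    "Regards"
)
ARCHIVE_NAME = "invoice_pw-7731.zip"


def password_candidates(body: str, archive_name: str) -> list:
    """Ordered, de-duplicated candidates: body matches first, then name matches."""
    found = []
    for pat in BODY_PATTERNS:
        found.extend(pat.findall(body))
    found.extend(NAME_PATTERN.findall(archive_name))
    seen, ordered = set(), []
    for pw in found:
        pw = pw.rstrip(".,;!")        # sentence punctuation glued to the value
        if pw not in seen:
            seen.add(pw)
            ordered.append(pw)
    return ordered


def try_open(zip_bytes: bytes, candidates: list):
    """Return (password_that_worked, first_member_bytes). Unencrypted entries
    need no password (None). The stdlib handles traditional ZipCrypto only;
    AES-encrypted (WinZip style) entries raise NotImplementedError."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    info = zf.infolist()[0]
    if not info.flag_bits & 0x1:          # general-purpose bit 0 = entry is encrypted
        return None, zf.read(info)
    for pw in candidates:
        try:
            return pw, zf.read(info, pwd=pw.encode())
        except (RuntimeError, zipfile.BadZipFile):   # wrong password
            continue
    raise ValueError("no candidate password opened the archive")


def build_plain_zip() -> bytes:
    """Constructed, unencrypted archive so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ-constructed-not-a-real-pe")
    return buf.getvalue()


if __name__ == "__main__":
    cands = password_candidates(EMAIL_BODY, ARCHIVE_NAME)
    print("candidates:", cands)
    print("open result:", try_open(build_plain_zip(), cands))
```

The order matters in practice: a scanner gets a bounded number of attempts per attachment, so labelled values in the body go before guesses pulled out of the file name. The standard library cannot write ZipCrypto archives, which is why the runnable part of the demo opens an unencrypted zip; against a real protected attachment the same `zf.read(info, pwd=...)` loop is what does the work.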
 
Does it require enabled virtualization in BIOS?
Pre-execution detections are usually not linked to virtualisation. Several AVs, like Kaspersky, use virtualisation for other components, and Avast uses it for DeepScreen (which is usually inefficient: it reports the file as safe, only to block it later).

Typically, wherever local pre-execution emulation is used (that's probably all AVs, including some like Protegent), the AV creates an ephemeral and secluded environment in memory. This is one of the reasons the memory usage of AVs usually fluctuates.

Once the AV is done analysing the results from the virtual environment, the emulator "goes away", i.e. it is destroyed and the memory usage goes down.

This is a highly efficient way of detecting malware, but not without its caveats. The local emulator is limited in terms of time and number of instructions. The solution generally has a few milliseconds to emulate.
Attackers know this and it’s possible to pack the file with garbage instructions and loops that will prevent the emulator from reaching the true behaviour.

The AVs take care to avoid such evasions, but like everything else, it’s a cat and mouse game.

What @Andy Ful was referring to here is the Defender cloud emulation/detonation which is in no way linked to your PC or UEFI settings. That one is a bit more sophisticated than the local emulator.
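The post above explains the local emulator's budget and the pumping trick that keeps the real behaviour out of reach. As an added example, not code from the thread or from any AV product, here is a toy pre-execution emulator in Python: a tiny register VM with an instruction budget, a constructed sample padded with a cycle-burning loop so its injection-style API calls sit millions of instructions away, and one of the standard counter-measures, fast-forwarding a loop whose body has no side effect other than decrementing its counter. The instruction set, the API names and the rule that the WriteProcessMemory/CreateRemoteThread pair equals a malicious verdict are all assumptions of the demo.

```python
"""Added example (not from the thread or any AV vendor): toy pre-execution
emulator with an instruction budget, a 'pumped' program, and loop skipping.
The VM, its opcodes, the sample programs and the verdict rule are invented."""

INJECTION_PATTERN = {"WriteProcessMemory", "CreateRemoteThread"}  # assumed verdict rule


def is_counting_loop(program, start, end, reg):
    """True if program[start:end] only decrements `reg` by positive constants
    (plus nops), i.e. the loop burns instructions and changes nothing else."""
    body = program[start:end]
    subs = [op for op in body if op[0] == "sub" and op[1] == reg and op[2] > 0]
    return bool(subs) and all(op[0] == "nop" or op in subs for op in body)


def emulate(program, budget, skip_loops=False):
    """Run until halt or until the instruction budget is spent."""
    regs, pc, executed, calls = {}, 0, 0, []
    while executed < budget:
        op = program[pc]
        executed += 1
        kind = op[0]
        if kind == "set":
            regs[op[1]] = op[2] & 0xFFFFFFFF
            pc += 1
        elif kind == "sub":
            regs[op[1]] = (regs.get(op[1], 0) - op[2]) & 0xFFFFFFFF
            pc += 1
        elif kind == "nop":
            pc += 1
        elif kind == "call":
            calls.append(op[1])
            pc += 1
        elif kind == "jnz":
            reg, target = op[1], op[2]
            if skip_loops and target < pc and is_counting_loop(program, target, pc, reg):
                step = sum(o[2] for o in program[target:pc] if o[0] == "sub")
                if regs.get(reg, 0) % step == 0:
                    # Counter will hit exactly zero: fast-forward instead of iterating.
                    # (Not divisible means it wraps at 2^32; leave that to the budget.)
                    regs[reg] = 0
            pc = target if regs.get(reg, 0) != 0 else pc + 1
        elif kind == "halt":
            verdict = "malicious" if INJECTION_PATTERN <= set(calls) else "clean"
            return {"verdict": verdict, "executed": executed, "calls": calls}
        else:
            raise ValueError(f"unknown op {op!r}")
    return {"verdict": "inconclusive", "executed": executed, "calls": calls}


PUMPED_PROGRAM = [                 # constructed sample
    ("set", "r0", 5_000_000),      # 0: loop counter
    ("sub", "r0", 1),              # 1: burn one decrement ...
    ("nop",),                      # 2: ... and one garbage instruction
    ("jnz", "r0", 1),              # 3: repeat until r0 == 0 (15M instructions)
    ("call", "OpenProcess"),       # 4: the real behaviour starts here
    ("call", "WriteProcessMemory"),
    ("call", "CreateRemoteThread"),
    ("halt",),
]
CLEAN_PROGRAM = [("call", "CreateFileW"), ("call", "WriteFile"), ("halt",)]  # constructed

if __name__ == "__main__":
    print("pumped, budget 100k       :", emulate(PUMPED_PROGRAM, 100_000))
    print("pumped, budget 100k + skip:", emulate(PUMPED_PROGRAM, 100_000, skip_loops=True))
    print("clean                     :", emulate(CLEAN_PROGRAM, 100_000))
```

With a 100,000-instruction budget the pumped sample is "inconclusive", which most engines treat as "no verdict" rather than "clean", and the verdict then depends on other layers. Loop skipping only fires when the loop body provably has no other side effect; the moment the attacker folds a memory write or an API call into the body the shortcut is no longer safe, which is the cat-and-mouse game the post describes.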
 
Yes, that is true. However, in the case of Microsoft Defender, it is considered much more sophisticated and effective than the local proactive features (which are often an introduction to cloud analysis).
 
It would not be wise to expect too much from any kind of behavioral protection.:)
Behavioural protections can be very sophisticated; it depends on what the solution in question (Microsoft Defender, Avast, ESET) or the business leaders (Check Point, Palo Alto, CrowdStrike), which rely mainly on cloud emulation, do. Some adopt a more aggressive approach where the solution is not trained on the unpredictable malicious behaviour but on the behaviour of safe files; any other behaviour becomes anomalous. Such solutions are usually backed up by third-party engines and feeds, YARA rules, channels for obtaining safe files and so on.

Some of them are highly efficient, others not so much, and a third group is plagued by false positives.

The challenge there is that not everything can be uploaded and whatever can be uploaded could be password protected. There are additional challenges that come through the usage of virtual environments, which more or less are sorted but still have a way around.

The challenge with the local behavioural blocking is the inevitable asynchronous mode, where the process acts first; the solution then classifies. By the time it reacts it can be too late. Another challenge is short vs long sequences of actions, where short sequences are more efficient in picking up malware, longer sequences less so.
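The post above names a model trained only on safe behaviour, the asynchronous problem (the process acts first, the verdict comes after) and the short-versus-long sequence question. As an added example, not code from the thread or from any product, the Python below builds a benign-only n-gram model over process event sequences and measures both costs on constructed traces: how many file writes have already completed when the first alert fires, and whether a benign program the model has never seen triggers an alert. All event names and traces are invented for the demo; the 2-gram and 4-gram models are the same code with a different window.

```python
"""Added example (not from the thread or any vendor): benign-only sequence
model over process events, comparing window lengths on constructed traces.
Shows actions completed before the alert and false positives on unseen benign."""


def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


class BenignSequenceModel:
    """Learns only what benign programs do; any unseen n-gram is an anomaly."""

    def __init__(self, n: int):
        self.n = n
        self.known = set()

    def fit(self, traces):
        for trace in traces:
            self.known.update(ngrams(trace, self.n))
        return self

    def first_alert_index(self, trace):
        """Stream events in order; return the index of the event that completes
        the first unseen n-gram, or None. Everything before that index has
        already executed by the time the verdict exists."""
        for i in range(self.n - 1, len(trace)):
            if tuple(trace[i - self.n + 1:i + 1]) not in self.known:
                return i
        return None


def writes_before(trace, index):
    """File writes already done before the alert (index None = never alerted)."""
    end = len(trace) if index is None else index
    return sum(1 for e in trace[:end] if e == "write_file")


# Constructed benign training traces (event names are invented).
BENIGN_TRACES = [
    ["open_doc", "read_file", "write_file", "close_file"],                    # editor
    ["net_connect", "net_recv", "create_file", "write_file", "close_file"],   # browser download
    ["open_doc", "read_file", "close_file", "reg_set_run_key"],               # settings app
    ["enum_dir", "read_file", "create_file", "write_file", "close_file",
     "read_file", "create_file", "write_file", "close_file"],                 # backup tool
]
# Unseen benign program: every bigram is known, one 4-gram is not.
UPDATER = ["net_connect", "net_recv", "create_file", "write_file", "close_file", "reg_set_run_key"]
# Constructed ransomware-like trace: benign-looking rewrite loop, then shadow copy deletion.
RANSOMWARE = ["enum_dir", "read_file", "write_file", "close_file",
              "read_file", "write_file", "close_file",
              "read_file", "write_file", "close_file", "delete_shadow_copies"]


def evaluate(n: int) -> dict:
    model = BenignSequenceModel(n).fit(BENIGN_TRACES)
    mal_idx = model.first_alert_index(RANSOMWARE)
    return {"n": n,
            "benign_false_positive": model.first_alert_index(UPDATER) is not None,
            "ransomware_alert_index": mal_idx,
            "files_lost_before_alert": writes_before(RANSOMWARE, mal_idx)}


if __name__ == "__main__":
    for n in (2, 4):
        print(evaluate(n))
```

The 2-gram model stays quiet on the unseen updater but only reacts at the shadow-copy deletion, after three files have been rewritten; the 4-gram model reacts on the first rewrite cycle, with one file already gone, and flags the updater as anomalous. Even the faster model is behind the process by at least one action, which is the asynchronous cost the post describes; the only way to get that to zero is to block synchronously before the action, with the performance and false-positive price that carries.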
 
This explains the high false positive detections.
This is the inevitable problem when protections are more efficient. It is the same with everything else.

I was working on heuristic auto-tagging of freeform text. You can either go more generic and have more picked up (but false positives start to occur) or you can go more precise, but then not everything is picked up. You then start playing whack-a-mole. There is no other way.

I prefer oldschool, signature-based detection for that reason.
But these are easy to evade. They just create performance overhead (updates and so on) to pick up 2-3 variants (if the developer is lucky).

There is no full happiness.
 
I prefer oldschool, signature-based detection for that reason.
There is a problem with the efficiency of signature-based detection in the wild. Many signature-based detections (especially in the AV tests) are only proofs of prior infections. Many malware samples are intentionally used in attacks only for a short time (seconds, minutes, a few hours) and are not reused by the attackers except in AV tests. Some vendors (like Bitdefender) care to add post-factum signatures for such threats. Other vendors (like Trend Micro) do not care much. In the end, we can have big differences in the AV detection tests for AVs that have similar detection in the wild:

AV-Comparatives Malware Protection Test March 2025 (results chart; image not reproduced)

AV-Comparatives Malware Protection Test September 2024 (results chart; image not reproduced)

AV-Comparatives Malware Protection Test March 2024 (results chart; image not reproduced)
 
Some other vendors (like Trend Micro) do not care much
Yeah, the Trend Micro signatures are very small. The local file is 50 MB and Trend Micro prefers to add mainly heuristics and very generic detections. In 24h they usually generate 4-5 of these. Trend Micro also likes to clean up these signatures.

Trend Micro then uses the additional server-side pattern, which is a bunch of TLSHs (along with some metadata like certificates and so on). That one is cleaned up as soon as it is about to exceed 300 MB: they start to remove thousands of detections until it is down to around 240-250 MB.

Trend Micro relies more on the local emulator (which ages ago was called SoftMice and ScriptTrap), as well as IntelliTrap which heuristically detects packers. And of course, their behavioural blocking.

For files that are low-prevalence, they use their Advanced Threat Scan Engine, which is static analysis on executables, modules, scripts and office files. For processes with low prevalence, they use Contextual Intelligence engine, which passes the behaviour to Contextual Intelligence Query Handler and the Predictive Machine Learning performs the classification. For trusted processes, they rely on the standard policy enforcement. They as of recently use proper memory scan as well.

They also use a very aggressive heuristic scan, called correlational scan. This one is executed by the Damage Cleanup Engine (the heuristics themselves are enclosed in the Damage Cleanup Template) and detects malware components once the initial infection has been detected. These detections would not have occurred if the file had just been scanned.

Anyway, that’s slightly off-topic but could be interesting to some people. Trend Micro is best described as NGAV, the signatures are there just to close the gaps in between retraining the ML models.
 
It is funny that the AV-Comparatives Malware tests on relatively old samples can include more realistic information about AV detection in the wild compared to Real-World tests.:)
Due to skipping many post-factum signatures, the results of Trend Micro may roughly reflect the probable detection rate in the wild of most AVs, which is about 97%.
A similar detection rate was roughly calculated in my posts about Kaspersky:
https://malwaretips.com/threads/mac...re-detection-kasperskylab.134597/post-1116041
https://malwaretips.com/threads/mac...re-detection-kasperskylab.134597/post-1116058

The true detection rate may be even lower.
 
I was going to say that Trend Micro's performance on this test closely reflects what users will get on their machines (and this is not 99.98%), whilst the rest is realistically slightly inflated. The signatures help nail the test, but in a real-world scenario there won't be "a signature". Anyway, some of the solutions have other cards up their sleeves. Others don't.
 
I think it's important here, so there is no misunderstanding, that when a user or reviewer bypasses the typical "true route of infection", like a malicious link or a phishing email, and simply drops a malware file onto the desktop, they are performing a test that is fundamentally misleading.

Modern antivirus software isn't just a simple scanner; it's a multi-layered security suite. Its primary defenses are designed to stop a threat at the earliest possible stage, often before it even reaches the user's computer. This means that features like web filtering, URL blockers, and cloud-based reputation services are the first and most critical line of defense. By isolating and testing only the on-access scanner after the malware is already on the system, the user is ignoring the very protections that would have prevented the infection in the first place. By bypassing the typical infection vectors, the test also fails to activate the very triggers that would prompt the security product's behavioral analysis to spring into action. This can make an otherwise highly effective product appear to fail, creating a false and unfair representation of its overall security capabilities.

The methodology used by professional labs like AV-Comparatives, AV-TEST, and others is designed to avoid these pitfalls.

They use:
* Real-World Scenarios: Their "Real-World Protection Test" starts with the malicious URL, allowing the product's entire security suite to be evaluated.

* A "Last Line of Defense" Test: Their "Malware Protection Test" is clearly defined as a test of the on-access and behavioral components after a file has landed on the disk. This test is valuable, but it is not meant to be a standalone measure of a product's overall effectiveness.

* Transparency: They publish detailed methodologies so users can understand exactly what is being tested and why.
 