Advice Request Does Windows Defender Antivirus cause Slowdown?


Ink

If @mickel1 said "I use Comodo Internet Security", I would understand, since it has an Antivirus that replaces WDA and VirusScope is pro-active protection on top.
I can't see a strict use for signatures when you have automatic sandbox for unknown files + Comodo Viruscope
VirusScope is not an actual Antivirus. It's behaviour-based technology that cannot determine a definite threat, or based off a suspicion. It monitors certain criteria of the processes, but only after it's already running in an isolated environment. A known threat would have been picked up by the resident AV - if one was installed.
Viruscope is a behavior analysis technology built into Comodo [..] that monitors the activities of sandboxed processes and installers and alerts you if they take actions that could threaten your security.
[..]
Viruscope is another key layer of security [..] Our real-time virus monitor protects you against known threats, while auto-sandboxing protects you against unknown threats. With Viruscope on top, you also get proactive warnings about brand new malware.

Source: Viruscope – Feature Spotlight, Computer Protection, Comodo Cloud Antivirus | COMODO


VirusScope+A/C is only useful for undetected threats, it cannot perform scans like a traditional malware scanner.
 

shmu26

I can't see a strict use for signatures when you have automatic sandbox for unknown files + Comodo Viruscope
Just adding to what others already said:

1 Comodo is known to mistakenly whitelist malware, and also be painfully slow to correct the mistake

2 A number of users have complained that Autocontainment suddenly stops working, without notice, so it's good to have a safety net in the form of a traditional AV

3 The most likely cause of infection is user mistake. For instance, you forget to turn Autocontainment back on after an install, or you mistakenly decide that a blocked file is safe. Here again, a safety net saves you.

4 A layered approach is usually safest because no software is perfect.
 

Penguin

There is a possibility that signatures know something you don't, although less likely.

Practical example: you want to update your favorite program which had been compromised by malicious code, for which Comodo doesn't have signatures yet, but it allows it to run because it is signed + other non-signature criteria.

Complementing protection components with one another, and layered setup will always beat signature or signatureless setup.
Thank you for your explanation. Given the case my favorite program is compromised on its legit installer, I doubt anything, signature or signatureless will catch it. Maybe an HIPS would block certain actions that infected installer wants to do, but highlight it as malware? Please confirm, I really don't know.

If @mickel1 said "I use Comodo Internet Security", I would understand, since it has an Antivirus that replaces WDA and VirusScope is pro-active protection on top.
VirusScope is not an actual Antivirus. It's behaviour-based technology that cannot determine a definite threat, or based off a suspicion. It monitors certain criteria of the processes, but only after it's already running in an isolated environment. A known threat would have been picked up by the resident AV - if one was installed.
VirusScope+A/C is only useful for undetected threats, it cannot perform scans like a traditional malware scanner.
Thank you too for the explanation and for taking the time of sharing the definition for this module. I know it's not an antivirus, I just meant that the given module + automatic sandbox would leave very few covered areas for signatures. Of course there are other areas CFW wouldn't protect. Anyways, if such case occurs and somebody needs signatures, he either installs a lot of programs (for which CFW wouldn't be suitable) or just got unlucky and got hit by some malware like CCleaner case, for which no signature could have helped.

Stated this, I still must say I'm not against signatures, I just wouldn't use them paired with CFW if configured with automatic sandbox. I do use them at Defender with VS and WFC.

Just adding to what others already said:

1 Comodo is known to mistakenly whitelist malware, and also be painfully slow to correct the mistake

2 A number of users have complained that Autocontainment suddenly stops working, without notice, so it's good to have a safety net in the form of a traditional AV

3 The most likely cause of infection is user mistake. For instance, you forget to turn Autocontainment back on after an install, or you mistakenly decide that a blocked file is safe. Here again, a safety net saves you.

4 A layered approach is usually safest because no software is perfect.
Thank you for sharing this advice!
 

BoraMurdar

A layered approach is usually safest because no software is perfect.
Probability that a user (who doesn't purposely seek a malware sample, or download random cracks, patches and similar), protected by a known Antivirus, will encounter a threat is really small these days.
Percentage that AV will not catch it is even smaller.
Percentage that AV missed the threat and your second protection layer doesn't catch it either is negligible.

I don't have correct info, but I think that 99,9% of total infections on world level are human factor mistakes.
Given the case my favorite program is compromised on its legit installer, I doubt anything, signature or signatureless will catch it. Maybe an HIPS would block certain actions that infected installer wants to do, but highlight it as malware? Please confirm, I really don't know.
There are still good companies that catch zero-days in the wild: Kaspersky, Avast, Microsoft, ESET... Signatures are usually released before the press (and media) knows it.
Comodo HIPS may catch it, but only if you know what you're allowing or denying.

We, at MalwareTips, go sometimes too deep into security and reality is something else. Nevertheless, it's our job.

And we are going off topic too much.
 

Moonhorse

Just adding to what others already said:

1 Comodo is known to mistakenly whitelist malware, and also be painfully slow to correct the mistake

2 A number of users have complained that Autocontainment suddenly stops working, without notice, so it's good to have a safety net in the form of a traditional AV

3 The most likely cause of infection is user mistake. For instance, you forget to turn Autocontainment back on after an install, or you mistakenly decide that a blocked file is safe. Here again, a safety net saves you.

4 A layered approach is usually safest because no software is perfect.
And the 5th... when you compare WD to CF (should not) or any Comodo product... after every Windows update WD is less prone to have bugs than Comodo Firewall, since there are still people that are using Comodo 10 and the current release is sitting at 12... makes you wonder whether their products are that stable.
 

ForgottenSeer 72227

The PC Security Channel has two videos about that topic here:





These tests should be taken with a grain of salt. Not just for defender, but for all security products. A couple of points to his tests on performance.

First, these products are being tested in a VM, so already the system is running slower than if it was run on the actual hardware. VMs are important for malware testing, but aren't needed for performance testing, as you aren't running any malware samples IMO.

Second, performing benchmarks using a benchmarking tool is irrelevant IMO. In this day and age we can use tools like these to measure things so fine, that to us humans we really won't be able to notice any difference whatsoever. I honestly don't think someone would be able to accurately tell the difference in a score of 750 vs 720 for example, if a person was asked to see if they notice a difference between 2 systems right in front of them with no scores to show the difference.

When it comes to performance testing there are way too many variables IMO to accurately get a straight answer. The way I look at it is, if you have to run a benchmarking tool to see/measure any differences, then there isn't a performance difference, as you cannot see one without having to run a testing tool. ;)
 

AtlBo

When it comes to performance testing there are way too many variables IMO to accurately get a straight answer. The way I look at it is, if you have to run a benchmarking tool to see/measure any differences, then there isn't a performance difference, as you cannot see one without having to run a testing tool. ;)

OK, but isn't this a little bit like saying that having to use an MRI to analyze a patient's discomfort means the patient's pain wasn't real and that there wasn't any need for the surgery that you discovered will be required? Just saying that I feel this kind of testing (especially since the test was run multiple times) is 100% valid and relevant. OK, a second opinion on the surgery could be a good idea for sure, but the only issue about the test in my view is whether some security is being sacrificed if Bitdefender is turning off some of the elements native to Windows. As for running the test in a VM, I get the point that PCs don't run that slow. That could be valid. However, you wouldn't take the 7%? I would and no matter what too, long as the security was adequate.

With W10 security, my feeling is that it has become bloated and cluttered. Still running Windows 7, I wouldn't want that much security to be present on a system, when I would only use some of the elements. I feel strongly about this and that it's good that there are options for W10 users.

Actually, I would be kind of interested to see how you guys would feel if you ran W7 for awhile, responsibly as you do, and then moved over to W10. Not to tempt anyone, just conjecture on my part that you might sense some things that could be improved about W10. I'm not interested in the slightest at this point I have to say. It's all the things MS that I can't stand but to a through the roof scale once all the "features" are added to the list. Just not for me...

One last thing about the test I will concede as a final consideration. I'm not sure how turning off Defender affects, for example, the operability of the Windows firewall or maybe UAC also. Maybe there are some slight considerations there? If Bitdefender turns off smart screen, surely that would be a consideration too in deciding between the two. However, it is VERY interesting to me that Bitdefender actually sped up the system. I think that's cool in a way and something to think through...
 

oldschool

OK, but isn't this a little bit like saying that having to use an MRI to analyze a patient's discomfort means the patient's pain wasn't real and that there wasn't any need for the surgery that you discovered will be required? Just saying that I feel this kind of testing (especially since the test was run multiple times) is 100% valid and relevant.

As someone who has had multiple back surgeries, MRIs, medical opinions, etc. and who has become quite well versed on the subjects of pain, testing and physical examinations - I can say with an extremely high degree of confidence that your example actually supports @Raiden's view. You can test 1000 people with MRI, CAT scan, etc. and 99.5 - 99.9% of them will have abnormalities of the spine and no specific reported complaints. The rest who do report pain will then be faced with a variety of "professional" opinions about the cause of the pain and only very rarely is there a clear indication that surgery is necessary. And even then, results of surgery are highly variable and the pain may or may not be resolved.

You may have valid reasons why bench testing is reliable, but this example is certainly not one of them. :)
 

blackice

As someone who has had multiple back surgeries, MRIs, medical opinions, etc. and who has become quite well versed on the subjects of pain, testing and physical examinations - I can say with an extremely high degree of confidence that your example actually supports @Raiden's view. You can test 1000 people with MRI, CAT scan, etc. and 99.5 - 99.9% of them will have abnormalities of the spine and no specific reported complaints. The rest who do report pain will then be faced with a variety of "professional" opinions about the cause of the pain and only very rarely is there a clear indication that surgery is necessary. And even then, results of surgery are highly variable and the pain may or may not be resolved.

You may have valid reasons why bench testing is reliable, but this example is certainly not one of them. :)

A little off topic, but my case proves that point. I had an MRI due to back pain. Solved by PT for muscle imbalance issues. However, the MRI found abnormalities that cause me no issues a year later. My point being the results of the MRI didn’t show the cause, and what it did find causes no issues.
 

AtlBo

You can test 1000 people with MRI, CAT scan, etc. and 99.5 - 99.9% of them will have abnormalities of the spine and no specific reported complaints.

Well, I intended to convey that the patient was experiencing pain as I mentioned. That most certainly changes this equation. Well, the pain in the case of Defender could be slowdowns. Not experienced with W10 to be able to say on that. However, the benchmark is very interesting to me and I think worthy of note. Bitdefender is either very confident and bold with their security offering or a reckless and possibly dangerous product. However, the improved system speed is interesting to me. Just following the discussion.

A little off topic, but my case proves that point. I had an MRI due to back pain. Solved by PT for muscle imbalance issues. However, the MRI found abnormalities that cause me no issues a year later. My point being the results of the MRI didn’t show the cause, and what it did find causes no issues.

Again, the intention was to convey that the MRI found a problem for which an action would be required. This is not a commentary on the doctors or the procedure. Just a meager comparison.
 

blackice

Again, the intention was to convey that the MRI found a problem for which an action would be required. This is not a commentary on the doctors or the procedure. Just a meager comparison.

Fair enough. I guess my point was the scan didn’t find the actual source of the pain. As benchmarks vary I have actually found little difference with third party AVs and WD for the benchmarks concerning how I use Windows. I do value benchmarks, and enjoy when the numbers go up as much as anyone. I also enjoy TPSC and find his tests to be informative to some degree.
 

ForgottenSeer 72227

OK, but isn't this a little bit like saying that having to use an MRI to analyze a patient's discomfort means the patient's pain wasn't real and that there wasn't any need for the surgery that you discovered will be required? Just saying that I feel this kind of testing (especially since the test was run multiple times) is 100% valid and relevant. OK, a second opinion on the surgery could be a good idea for sure, but the only issue about the test in my view is whether some security is being sacrificed if Bitdefender is turning off some of the elements native to Windows. As for running the test in a VM, I get the point that PCs don't run that slow. That could be valid. However, you wouldn't take the 7%? I would and no matter what too, long as the security was adequate.

I hear what you're saying.

As someone who works in healthcare and deals with this on a daily basis I agree 100% with @oldschool. Everyone's pain tolerance is different. Running tests like CT, MRIs can help diagnose an issue, but they don't always correspond to the amount of pain a person is experiencing. A lot of times someone can be in a significant amount of pain, but the tests show nothing, or nothing really noticeable. That doesn't mean the person is lying, but the tests weren't able to give a definite reason for it. Other times a test can show something, but the individual is none the wiser as it's not bothering them in any way. For all the advancements in medicine it's still not an exact science, as things still get missed and there are still things that no one can really explain.

Again I'm not saying that WD or other products don't have a performance impact, but my main point was to ensure that people take any test, performance, or otherwise with a grain of salt. There are flaws in the testing, just as medicine isn't an exact science at times. Can they be helpful? Yes, but again what you can measure and what your experience is are two different things. :);)

As someone who has had multiple back surgeries, MRIs, medical opinions, etc. and who has become quite well versed on the subjects of pain, testing and physical examinations - I can say with an extremely high degree of confidence that your example actually supports @Raiden's view. You can test 1000 people with MRI, CAT scan, etc. and 99.5 - 99.9% of them will have abnormalities of the spine and no specific reported complaints. The rest who do report pain will then be faced with a variety of "professional" opinions about the cause of the pain and only very rarely is there a clear indication that surgery is necessary. And even then, results of surgery are highly variable and the pain may or may not be resolved.

You may have valid reasons why bench testing is reliable, but this example is certainly not one of them. :)

+1 (y)
 

AtlBo

As someone who works in healthcare and deals with this on a daily basis I agree 100% with @oldschool. Everyone's pain tolerance is different. Running tests like CT, MRIs can help diagnose an issue, but they don't always correspond to the amount of pain a person is experiencing. A lot of times someone can be in a significant amount of pain, but the tests show nothing, or nothing really noticeable. That doesn't mean the person is lying, but the tests weren't able to give a definite reason for it. Other times a test can show something, but the individual is none the wiser as it's not bothering them in any way. For all the advancements in medicine it's still not an exact science, as things still get missed and there are still things that no one can really explain.

Again, it was my intention to convey in the example that the MRI had discovered something that absolutely required surgery. YES, as I mentioned in the first post, a second opinion about painful and costly surgery might be in order. In this case, I think it's CRUCIAL to note that this is ONE short series of repeated tests. You are 100% correct here. This is a minuscule sample size which o/c renders the test to almost no statistical significance and renders the results statistically meaningless. YET:rolleyes:, why was my first desire to test all the a-vs against a W10 system running Bitdefender and then each of the other security products available? Meaningful solutions are many times at least discovered in a single instance of a situation where improvements or gains can be engineered.

Benchmarking is kind of a brutal thing. So many little things affect performance and hence affect results. That the tester went so far as to test and retest is worthy of note. Even then, Bitdefender could slow the system at other times without the slowdown being noted during the test, etc. Tons of considerations in all of that, where only extreme testing in a lab could possibly bring any sort of firm answer. On a final note, though, if enough people ran benchmarks to test this, maybe something would come to light that MS could improve...just interesting.
 

ForgottenSeer 72227

Again, it was my intention to convey in the example that the MRI had discovered something that absolutely required surgery. YES, as I mentioned in the first post, a second opinion about painful and costly surgery might be in order. In this case, I think it's CRUCIAL to note that this is ONE short series of repeated tests. You are 100% correct here. This is a minuscule sample size which o/c renders the test to almost no statistical significance and renders the results statistically meaningless. YET:rolleyes:, why was my first desire to test all the a-vs against a W10 system running Bitdefender and then each of the other security products available? Meaningful solutions are many times at least discovered in a single instance of a situation where improvements or gains can be engineered.

Benchmarking is kind of a brutal thing. So many little things affect performance and hence affect results. That the tester went so far as to test and retest is worthy of note. Even then, Bitdefender could slow the system at other times without the slowdown being noted during the test, etc. Tons of considerations in all of that, where only extreme testing in a lab could possibly bring any sort of firm answer. On a final note, though, if enough people ran benchmarks to test this, maybe something would come to light that MS could improve...just interesting.

I understand where you're coming from now. Often things get misinterpreted when reading vs talking with someone face to face. ;)

Just to clarify, I'm in no way against tests, or trying to say that we should disregard them completely. I am just trying to say that we should look at everything objectively. They may not always represent what's really happening, or rather explain all instances. Again, tests can provide valuable and interesting information like you said, but they may not be able to tell us everything. ;)

Just looking at WD we can see that there are varying experiences, some find it light, some find it heavy, but what I have noticed as of late is that there seems to be an increased trend with more and more people saying it's lighter than before, so I take it as a positive sign. (y) :)
 

Local Host

The same old topic, that has spammed this community with a new discussion about it at least once a week, if people used the search feature would spare us of the frustration to say the same thing over and over.

Fact is Windows Defender performance has improved with each Windows 10 build, but it still lags behind third party solutions.

Comparing Windows Defender to Kaspersky Free on laptops and desktops over the course of months now, and it's easily noticeable.

But it all goes down to the usage you're going to make of the PC, in some cases Windows Defender will be barely noticeable (but never superior to third parties in any way, I say equal at max).

However if you're using the computer for games, work, etc. You'll notice the performance hit from Windows Defender with ease.

Adding to this the fact Windows Defender still has exclusion bugs (which fail to comply with exclusion rules, and keeps nagging you over false positives on top of deleting your files), that's another problem with Windows Defender false positives (this constant frustration where I constantly had to send my code for review to Microsoft so they could whitelist the files, else I wouldn't be able to implement and use them across companies).

Any unknown unsigned file will trigger Windows Defender, for someone like me who writes software, scripts, etc for work and even personal usage, it gets in the way a lot (compared to Kaspersky Free which never nagged me once on any machine).

As a bonus, when compiling code with Visual Studio, Windows Defender adds a delay of minutes compared to Kaspersky Free seconds on the same machine.

I'll be looking forward to what the new Windows 10 Build has to offer, however I don't expect miracles.
 

oldschool

Totally agree with you @Local Host, especially this:

The same old topic, that has spammed this community with a new discussion about it at least once a week, if people used the search feature would spare us of the frustration to say the same thing over and over.
(y)

In fact, I need to make a note to myself to abstain from replying to threads like this! This thread is not the only example, by any means.
 

plat

Well, this isn't supposed to be amusing, but threads like this one are a convenient way to either stick it to Microsoft or praise Microsoft, under the pretense of discussing its antivirus product in a reasonable and at times, mannerly fashion. lol.

Every one/computer varies so to say a product performs the same across a spectrum of machines/software is a little far-fetched. Others more experienced have pointed to Defender's poor optimization viz cache--scanning the same folders over and over again. This should be a task with priority, Microsoft. You listening?
 

ForgottenSeer 72227

The same old topic, that has spammed this community with a new discussion about it at least once a week, if people used the search feature would spare us of the frustration to say the same thing over and over.

Fact is Windows Defender performance has improved with each Windows 10 build, but it still lags behind third party solutions.

Comparing Windows Defender to Kaspersky Free on laptops and desktops over the course of months now, and it's easily noticeable.

But it all goes down to the usage you're going to make of the PC, in some cases Windows Defender will be barely noticeable (but never superior to third parties in any way, I say equal at max).

However if you're using the computer for games, work, etc. You'll notice the performance hit from Windows Defender with ease.

Adding to this the fact Windows Defender still has exclusion bugs (which fail to comply with exclusion rules, and keeps nagging you over false positives on top of deleting your files), that's another problem with Windows Defender false positives (this constant frustration where I constantly had to send my code to review for Microsoft to whitelist the files, else I wouldn't be able to implement and use it across companies).

Any unknown unsigned file will trigger Windows Defender, for someone like me who writes software, scripts, etc for work and even personal usage, it gets in the way a lot (compared to Kaspersky Free which never nagged me once on any machine).

As a bonus, when compiling code with Visual Studio, Windows Defender adds a delay of minutes compared to Kaspersky Free seconds on the same machine.

I'll be looking forward to what the new Windows 10 Build has to offer, however I don't expect miracles.

Very good post and I agree 100%.

I do have to admit it does get a little tiring in what seems like we go around in this endless circle every time this topic comes up. I think this topic has been discussed very thoroughly on this forum and the end result is pretty much always the same. WD has made significant improvements on both the protection front, as well as its overall performance. Does that mean it's perfect? No, it definitely still has its issues, but then again no product is perfect. My advice will always be to try the program(s) for yourself and decide if it meets your needs or not. There is way more to a program than how it scores on a test. Everyone has different computer specs (both hardware and software), as well as differing usage, hence why it's always important to try the program for yourself. ;)

Totally agree with you @Local Host, especially this:

(y)

In fact, I need to make a note to myself to abstain from replying to threads like this! This thread is not the only example, by any means.

I have to agree and like you, I will try to be more mindful when these threads come up. :)
 