Is there any advantage of BAFS on Windows Home and Pro?
Yes, there is, and it is a very important WD feature. BAFS is enabled by default in all Windows editions, for every Windows 10 version supported by Microsoft.
By design, it works only for files with MOTW (Mark of the Web, the Zone.Identifier alternate data stream). Furthermore, only PE executables (EXE, DLL, etc.) and some script types (JS, VBS, VBA macros, etc.) can be protected.
Usually, BAFS is triggered automatically when the file has been downloaded from the Internet via Edge or Chrome, because both browsers attach MOTW to the downloaded file.
See: "Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly" (docs.microsoft.com).
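The Microsoft article linked above recommends validating that BAFS is configured correctly. As an added example (not part of the original post, and not Microsoft's own script), here is a PowerShell check of the Defender preferences that BAFS depends on: cloud-delivered protection (MAPS) on, sample submission allowed, and the BAFS kill switch not set. The property names are those returned by the built-in Get-MpPreference and Get-MpComputerStatus cmdlets; the numeric meanings in the comments follow the Defender documentation.

```powershell
# Added example: verify the settings Block at First Sight needs, on Windows Home/Pro/Enterprise.
# Run in a PowerShell prompt on the machine being checked (reading preferences does not need admin).
function Test-BafsPrerequisites {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
    # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
    # CloudBlockLevel: 0 = Default, 2 = High, 4 = HighPlus, 6 = ZeroTolerance
    # CloudExtendedTimeout: extra seconds (0-50) on top of the default 10 s cloud check
    $checks = [ordered]@{
        'Real-time protection enabled'       = [bool]$status.RealTimeProtectionEnabled
        'Cloud protection (MAPS) enabled'    = $pref.MAPSReporting -ne 0
        'Sample submission allowed'          = $pref.SubmitSamplesConsent -in 1, 3
        'Block at First Sight not disabled'  = -not $pref.DisableBlockAtFirstSeen
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Check  = $name
            Passed = $checks[$name]
        }
    }

    # Informational values that tune how aggressive/long the cloud check is.
    [pscustomobject]@{ Check = "CloudBlockLevel = $($pref.CloudBlockLevel)";           Passed = $null }
    [pscustomobject]@{ Check = "CloudExtendedTimeout = $($pref.CloudExtendedTimeout)s"; Passed = $null }
}

# Usage:
Test-BafsPrerequisites | Format-Table -AutoSize
```

If any row shows Passed = False, BAFS cannot do its cloud lookup and the download falls back to the local signatures discussed in the next section. The settings can be corrected with Set-MpPreference (for example Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -DisableBlockAtFirstSeen $false), which requires an elevated prompt and may be overridden by Group Policy on managed machines.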
What is the advantage of BAFS protection?
Without BAFS, the downloaded files are checked only against local signatures, which in the case of WD are tuned to minimize false positives. These signatures are only average at catching new threats.
BAFS was introduced to cover new threats by applying additional protection:
- It forces scanning of the file against fast signatures in the WD Cloud. Fast signatures are created when malicious files have been executed on any computer connected to the cloud. This also includes any computer which uses Windows E3 or E5. So, fast signatures can take advantage of advanced WD features like "Advanced machine learning and AI based protection for apex level viruses and malware threats" and "Advanced cloud protection that includes deep inspection and detonation". All fast signatures are available to any computer which uses the BAFS feature (including computers with Windows Home or Pro installed).
- If the file is not known to the cloud, it is automatically blocked, just as it would be on execution. This prevents the user from running the file after the download until it has been checked by the behavior-based cloud features. Those features are activated exactly as in the case of file execution, and the user sees the usual WD behavior block warning.
- So, for unknown malware, BAFS on Windows E5 is still stronger than on Windows Home and Pro.
In the Real-World malware tests, the samples have MOTW attached, so BAFS is triggered and WD scores highly.
In the video tests, BAFS is usually inactive due to the test procedure. The tester unpacks the password-protected archive with malware samples using a 3rd-party unpacker (like 7-Zip). Most unpackers do not transfer the MOTW from the archive to the extracted samples. The malware samples then have no MOTW, so they are ignored by BAFS.
The MOTW can be transferred from an archive downloaded from the Internet to the extracted malware samples when using Bandizip.
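To see for yourself whether an unpacker preserved the MOTW, you can read the Zone.Identifier stream directly. As an added example (not part of the original post), the PowerShell below reports the MOTW on any file and, for unpackers that drop it, copies the archive's own Zone.Identifier onto every extracted file so that BAFS is triggered again on those samples. The paths in the usage lines are constructed placeholders for a lab folder; ZoneId=3 is the "Internet" zone that Edge and Chrome write.

```powershell
# Added example: inspect and propagate the Mark of the Web (NTFS Zone.Identifier stream).

# Report whether a file carries MOTW and which zone it came from.
function Get-Motw {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Content -Stream reads the alternate data stream; missing stream -> $null.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
    $zone = $null
    if ($ads -and $ads -match 'ZoneId=(\d+)') { $zone = [int]$Matches[1] }

    [pscustomobject]@{
        Path    = $Path
        HasMotw = [bool]$ads
        ZoneId  = $zone      # 3 = Internet, 4 = Restricted; $null when no MOTW
    }
}

# Copy the archive's Zone.Identifier stream onto every file under the extraction folder.
# This reproduces what Bandizip does on extraction, for unpackers that do not.
function Copy-Motw {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractDir
    )

    $ads = Get-Content -LiteralPath $ArchivePath -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
    if (-not $ads) {
        throw "$ArchivePath carries no Zone.Identifier stream; nothing to propagate."
    }

    Get-ChildItem -LiteralPath $ExtractDir -File -Recurse | ForEach-Object {
        # Writing the stream attaches MOTW; Defender treats the file as downloaded again.
        Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value $ads -NoNewline
        Get-Motw -Path $_.FullName
    }
}

# Usage (constructed lab paths; adjust to your test folder):
# Get-Motw -Path 'C:\Lab\samples\sample.exe'
# Copy-Motw -ArchivePath 'C:\Lab\samples.zip' -ExtractDir 'C:\Lab\samples' | Format-Table -AutoSize
```

Running Get-Motw on the extracted samples before a video test shows immediately whether the test is exercising BAFS at all (HasMotw = True) or only local signatures (HasMotw = False). Unblock-File is the reverse operation: it deletes the Zone.Identifier stream, which is why a sample that has been "unblocked" is no longer held for the cloud check.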
Edit.
The conclusion that fast signatures are not used when a malware file without MOTW is executed follows from some tests made on Malware Hub this year. I do not understand the purpose of such counterintuitive behavior, except when it is for updating fast signatures. It should be confirmed by other tests, because Microsoft can allow fast signatures, with any update, also for files without MOTW.