Serious Discussion How good is Microsoft Defender's protection now in 2024?

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Microsoft Defender - even highly hardened with maximum settings - is routinely defeated by malware and other attack types. The list of attacks and bypasses submitted to Microsoft by various nations' Defense Ministries is constantly full and long. Then there are the financial sector industry cybersecurity groups that routinely inform Microsoft of its Defender failures. Do you have access to either of those? Both are Controlled Unclassified Information (CUI) so I know that you do not. I do.

This is probably true for all security solutions:

1729421224021.png

1729421284730.png


The Third Annual Study on the State of Endpoint Security Risk - Ponemon Institute LLC (Publication Date: January 2020).

Shortly: The effective solutions are hardly usable and the standard solutions are ineffective.:devilish:
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,581
This is probably true for all security solutions:

View attachment 285862
View attachment 285863

The Third Annual Study on the State of Endpoint Security Risk - Ponemon Institute LLC (Publication Date: January 2020).

Shortly: The effective solutions are hardly usable and the standard solutions are ineffective.:devilish:
Unfortunately that's true best way would be from the ground up to create permission management like iOS , android then trying to play catch an mouse to stop skid malware via filters wich both have too many false positives and let a lot in

Well technically you can do that by setting windows into window s and then you will have to worry just about state actor exploits , social engineering and not about skid malware
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
I suspect that @bazang could have in mind that Microsoft Defender on default settings does not protect against banking trojans which already infected the system. Such protection usually includes a dedicated web browser and Network Protection to prevent anti-keyloggers, anti-screenloggers, connections to C2 servers, etc.
This kind of protection is necessary for Enterprises because of the high probability of breaches and lateral movement. The banking protection tests are usually performed for the business versions of AVs, for example:

(MRG Effitas 360° Assessment & Certification Programme Q2 2024):

1729459035434.png

(MRG Effitas 360° Assessment & Certification Programme Q3 2023):
1729459591544.png
 
Last edited:

bazang

Level 8
Jul 3, 2024
359
He's a fanboy of a particular antivirus :)
Really? Which one?

I'll do a few tests later today as an answer, I think that'll be enough :)
No. It will not be enough. I am not talking about grabbing some malware samples and Microsoft Defender detects them by either via signature or reputation. I am talking about when it does not detect by signature or by reputation.

What really matters is what the security solution does - or more importantly what it does not do - in a case where it is bypassed.

This is probably true for all security solutions:
It is true to some extent to all of them. Some more than others. Microsoft Defender is only a top signature detection solution. To provide truly effective security, Windows must be hardened. Microsoft Defender is not nearly enough. It is decent for "I download a file now-and-then" types of users.

People here fail to grasp the reality. The reality is that Windows - and Microsoft Defender - are the most targeted systems in userland. Daily, tens of thousands of threat actors are able to defeat Microsoft Defender. Even hardened systems get borked if they are not configured properly.

I suspect that @bazang could have in mind that Microsoft Defender on default settings does not protect against banking trojans which already infected the system. Such protection usually includes a dedicated web browser and Network Protection to prevent anti-keyloggers, anti-screenloggers, connections to C2 servers, etc.
AVLab.pl has consistently shown that Microsoft Defender is not very good against banking trojans that get past the signatures. The evidence is irrefutable.

AVLab.pl has shown it to be true of both consumer and enterprise versions of Microsoft Defender. Same has been done by MRG Effitas and others.

Making a distinction between home and enterprise users is not helpful. It is a distraction from the fact that when it comes to banking trojans, Microsoft Defender is not as good as other solutions. That is because Microsoft never intended - by design - for Microsoft Defender to ever effectively deal with such malware. Defender is a limited-scope solution that is meant to be supplemented by fully integrating it into the full suite of Microsoft's other security. At the consumer\home user level, Microsoft makes Microsoft Defender the bare minimum baseline. It does not even want home users to tinker with it.

If the user is paranoid about doing financial transactions on their Windows system - as it appears the OP is, then Microsoft Defender is not sufficient. Period. It has been proven. Now whether or not the user will ever download and execute a banking trojan - nobody can say and therefore it is irrelevant. If it is possible, no matter how small the probability, then it matters to someone who has a heightened concern about "What could potentially happen?"

I work in regulated industries such as the financial and defense sectors. Nobody that I know of has ever used Bitdefender SafePay or Kaspersky SafeMoney. Not even enterprise versions. Those kinds of solutions cannot even satisfy the security requirements of the applicable regulations.

@bazang , I look forward to your comment :)
Yeah. So what? Detection by signature. Microsoft Defender is known to provide decent signature detection. That is not what I was ever talking about. I was talking about when it does not detect.

You do realize that thousands of malware get past Microsoft Defender every single day out in the real world, right? Do you know how to simulate such a real world scenario without disabling any protections?

Learn how to code your own banking trojan, then test it. You will see what I am talking about.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
AVLab.pl has consistently shown that Microsoft Defender is not very good against banking trojans that get past the signatures. The evidence is irrefutable.

This test was done in the year 2019 so the results are outdated. Anyway, it shows several techniques used by banking trojans on already infected systems. Defender free has insufficient features to protect against such techniques.

AVLab.pl has shown it to be true of both consumer and enterprise versions of Microsoft Defender. Same has been done by MRG Effitas and others.

AVLab did not test the Defender Enterprise version. The results in MRG Effitas tests are average (not best and not bad).


Making a distinction between home and enterprise users is not helpful. It is a distraction from the fact that when it comes to banking trojans, Microsoft Defender is not as good as other solutions.

It would be welcome if you could distinguish between Microsoft free on default settings and Microsoft Defender Enterprise. The banking protection of both products against banking trojans is very different. Also, making a distinction between home and enterprise users is important. As you can see most professional tests are done separately for home and enterprise users.

That is because Microsoft never intended - by design - for Microsoft Defender to ever effectively deal with such malware.

True for Microsoft Defender free version when fighting the actions of banking malware that already infected the system. Many banking trojans are detected by Microsoft Defender free or SmartScreen just like other malware.
In some way, all known by me banking tests can be questionable. I mean that the test results can be better than in reality. Nowadays, many malware are executed filelessly by Loaders, and this is not the way of execution used in tests.

If the user is paranoid about doing financial transactions on their Windows system - as it appears the OP is, then Microsoft Defender is not sufficient.
Let's agree on it. I can also add that any AV for home users cannot be sufficient, too.

I work in regulated industries such as the financial and defense sectors. Nobody that I know of has ever used Bitdefender SafePay or Kaspersky SafeMoney. Not even enterprise versions. Those kinds of solutions cannot even satisfy the security requirements of the applicable regulations.

Now I understand your point about Microsoft Defender. :)

Yeah. So what? Detection by signature. Microsoft Defender is known to provide decent signature detection.

I am afraid that the opposite is true, for example (the first two colums):

1729508155950.png


Microsoft has decent behavior-based detections (due to advanced Machine learning) via the cloud backend. It has also very good post-infection detection due to extensive telemetry and behavior monitoring.
It has also one of the best protection against scripting and macros (based on AMSI). This can be seen in professional tests (SE Labs) and @Shadowra can probably confirm this from practice.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top