New Update How the hell WD works on Windows Home & Pro?

[notabot]

They seem to work well together.
Windows does not detect Comodo firewall, and does not turn it off automatically, which can be seen if you check in Windows Control Panel. But if you install Comodo Internet Security, which has an AV component, then Windows firewall will turn off.

Thanks, and reference for CS settings is



?

 

[Andy Ful]

Is there any advantage of BAFS on Windows Home and Pro?

Yes, it is, and this is a very important WD feature. BAFS is enabled by default in all Windows editions for all Windows 10 versions supported by Microsoft.
By design, it works only for files with MOTW. Furthermore, only PE executables (EXE, DLL, etc.) and some script types (JS, VBS, VBA macros, etc.) can be protected.
Usually, BAFS is automatically triggered when the file has been downloaded from the Internet via Edge or Chrome.

Enable block at first sight to detect malware in seconds - Microsoft Defender for Endpoint

Turn on the block at first sight feature to detect and block malware within seconds.

docs.microsoft.com

What is the advantage of BAFS protection?

Without BAFS, the downloaded files are checked only against local signatures, which in the case of WD are optimized to minimize false positives. These signatures are only average for fighting new threats.
BAFS was introduced to cover new threats by applying additional protection:

1. It forces scanning the file against fast signatures in the WD Cloud. Fast signatures are created when malicious files have been executed on any computer connected to the cloud. This also includes any computer which uses Windows E3 or E5. So, fast signatures can take advantage of advanced WD features like: "Advanced machine learning and AI based protection for apex level viruses and malware threats", and "Advanced cloud protection that includes deep inspection and detonation". All fast signatures ale available for any computer which uses the BAFS feature (also with installed Windows Home or Pro).
2. If the file is not known, then it is automatically blocked just as in the case of executing it. This prevents the user from running files after the download, until they are checked by behavior-based cloud features. The behavior-based features are activated just like in the case of file execution and the user can see the usual WD behavior block warning:
   
   
   

So, for the unknown malware, BASF on Windows E5 is still stronger than on Windows Home and Pro.

In the Real world malware tests, the samples have MOTW attached, so BASF is triggered and the WD scoring is high.
In the video tests, BASF is usually inactive due to the test procedure. The tester unpacks the password-protected archive with malware samples by using 3rd party unpackers (like 7-ZIP). Most unpackers do not transfer the MOTW from archive to extracted samples. The malware samples do not have MOTW, so they are ignored by BASF.
The MOTW can be transferred from the archive downloaded from the Internet to extracted malware samples when using Bandizip.

Edit.
The conclusion that fast signatures are not used when the malware file without MOTW is executed, follows from some tests made on Malware Hub in this year. I do not understand the purpose of such counterintuitive behavior, except when it is for updating fast signatures. It should be confirmed by other tests, because Microsoft can allow fast signatures with any update also for files without MOTW.

 

[oldschool]

In the Real world malware tests, the samples have MOTW attached, so BASF is triggered and the WD scoring is high.
In the video tests, BASF is usually inactive due to the test procedure. The tester unpacks the password-protected archive with malware samples by using 3rd party unpackers (like 7-ZIP). Most unpackers do not transfer the MOTW from archive to extracted samples. The malware samples do not have MOTW, so they are ignored by BASF.

Yes, I think this is what we see in YouTube tests like TPSC, etc. when testing WD and thus the poor results. Leo @TPSC apparently doesn't understand how WD features work so he can continually advertise its "horrible" protection.

 

[Moonhorse]

Yes, I think this is what we see in YouTube tests like TPSC, etc. when testing WD and thus the poor results. Leo @TPSC apparently doesn't understand how WD features work so he can continually advertise its "horrible" protection.

guy works for emsisoft, few last hub results;
emsisoft on default settings = infected
Windows defender + configurefender = Protected

Make video about above, and the odds change , cheeky

 

[shmu26]

The YouTube testers do reflect a certain segment of the population, and that is the pirates who download their stuff in rar files and then unpack them. Their unpacked stuff doesn't have MOTW. But that's irrelevant, because even if every AV in the world would detect it as malware, they would turn off their AV anyways, so they can run their crack. People who do that have forfeited their right to complain.

 

[blackice]

The YouTube testers do reflect a certain segment of the population, and that is the pirates who download their stuff in rar files and then unpack them. Their unpacked stuff doesn't have MOTW. But that's irrelevant, because even if every AV in the world would detect it as malware, they would turn off their AV anyways, so they can run their crack. People who do that have forfeited their right to complain.

Amen to that! I don’t think people who work around their AV when it’s inconvenient count as security conscious people.

 

[Andy Ful]

Some precautions can be made to maximize protection for files shared via USB sources and files extracted from archives:

1. The ASR rule "Block untrusted and unsigned processes that run from USB" should be activated. This rule works also for files which were blocked when executed from the USB source and next copied to hard disk. The protection is removed after renaming the file on the hard disk.
2. The user should install Bandizip if he/she needs something more that is available via Windows built-in ZIP unpacker.

 

[amico81]

I found this graphic...is it current?
should we upgrade to win 10 pro?

 

[Venustus]

I found this graphic...is it current?
should we upgrade to Windows 10 pro?


View attachment 225821

You don't need to for home use.

 

[Andy Ful]

I found this graphic...is it current?
should we upgrade to Windows 10 pro?


View attachment 225821

This is a document mentioned by me in the first post. If you want to use the features which are not available on Windows Home (but are present in Pro ed.) then you can upgrade to Windows Pro.

 

[93803123]

I found this graphic...is it current?
should we upgrade to Windows 10 pro?


View attachment 225821

This table is accurate, but what they do not explain in it is that the ASR features for E3 and E5 are not simply settings in the GUI, GPO or AppLocker. All those additional items shown for E3 and E5 have to be manually configured individually on a policy which resides on an Enterprise master configuration system. Then that policy needs to be pushed and installed to the other systems that comprise the group or domain. How the policy gets configured and then pushed (e.g. via subscription Insight service or one's own policy server) is flexible and up to a company to configure.

In other words, @Andy Ful just cannot decide that he wants to enable ASR HIPS rules and then make them work on Home or Pro via Hard Configurator.

To be honest, not even I am sure how it all works because getting access to a fully functioning setup is difficult and expensive. I've had to do just like most people - which is to piece together little tidbits of infos that are available here and there.

 

[Andy Ful]

...
In other words, @Andy Ful just cannot decide that he wants to enable ASR HIPS rules and then make them work on Home or Pro via Hard Configurator.
...

That is right. The situation is rather complicated and dimmed by Microsoft. In fact, first I discovered that some advanced rules work, because they blocked a few of my scripts. Next, I found this document, which shows that really some advanced features should work on Windows Home and Pro.

 

[93803123]

That is right. The situation is rather complicated and dimmed by Microsoft. In fact, first I discovered that some advanced rules work, because they blocked a few of my scripts. Next, I found this document, which shows that really some advanced features should work on Windows Home and Pro.

To complicate matters further there is also the problem of Microsoft changing (tweaking) ASR rules as they go along. The Windows security division is actually small. It's not as if there are literally thousands of people sitting there just waiting for reports to come in from the field and then they pound-out fixes. It's just a guess, but I'm thinking the main players in the Microsoft Windows security division totals 50 or less. What I do know is that whatever the actual number is, it is a very small number relative to the entire organization.

So what. We just deal with it. As if we have any real choice in the matter except to switch to another operating system - and we all know that isn't a practical solution for many people.

 

[Andy Ful]

Does WD use behavior blocking?

It is funny, but many people think that WD cannot use behavior blocking. Yet, this is the most evident and sometimes annoying WD feature. If WD uses it, then the file execution is temporarily blocked and WD usually shows the alert:

View attachment 225230

The time required for scanning is set by default to 10s and can be changed up to 60s. After finishing the scan WD takes the below actions:

1. The file is allowed to run.
2. The file is not allowed to run. WD removes or quarantines it.
3. The file is allowed to run, but analysis in the cloud is continued. If the malware is recognized as malicious then WD tries to stop the malware. In some cases, the reboot is required to remove or quarantine the malware.

How does it work on Windows Home and Pro?
WD uses the local signatures and local Machine Learning (ML) models to find out if the file behavior can be malicious or suspicious. If it is suspicious, then the file metadata is sent to WD cloud for quick detection or analysis. This can take several milliseconds. If ML models in the cloud still cannot classify the sample, then it is uploaded to the cloud and analyzed by more comprehensive ML models - this can take several seconds.
Each suspicious action is scored and an overall score is computed for each process. High scoring will trigger the detection of the process as malicious. The threshold when the detection is triggered depends on WD setting (CloudBlockLevel).

On Windows E5 some more advanced features are available, which can take several minutes:

• Advanced machine learning and AI based protection for apex level viruses and malware threats
• Advanced cloud protection that includes deep inspection and detonation
• Emergency outbreak protection from the Intelligent Security Graph
• Monitoring, analytics and reporting for Next Generation Protection capabilities

Here are some examples of ML behavior-based detections on Windows Pro (default, high or max ConfigureDefender settings):

https://malwaretips.com/threads/mixed-threats-17-01-07-2019.93492/#lg=thread-93492&slide=39

https://malwaretips.com/threads/malware-samples-24.93439/#lg=thread-93439&slide=7

https://malwaretips.com/threads/malware-samples-17-9-08-2019.94252/#lg=thread-94252&slide=74

https://malwaretips.com/threads/malware-samples-19-8-07-2019.93625/#lg=thread-93625&slide=3

https://malwaretips.com/threads/malware-samples-15-4-07-2019.93559/#lg=thread-93559&slide=3

https://malwaretips.com/threads/malware-samples-15-4-07-2019.93559/#lg=thread-93559&slide=4

https://malwaretips.com/threads/malware-samples-15-4-07-2019.93559/#lg=thread-93559&slide=6

https://malwaretips.com/threads/malware-samples-15-4-07-2019.93559/#lg=thread-93559&slide=9

https://malwaretips.com/threads/malware-samples-15-4-07-2019.93559/#lg=thread-93559&slide=10

https://malwaretips.com/threads/predator-stealer-21-09-2019.95137/post-835681

The update about behavior blocking:
"Components of behavioral blocking and containment

• On-client, policy-driven attack surface reduction rules Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center https://securitycenter.windows.com as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
• Client behavioral blocking Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
• Feedback-loop blocking (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
• Endpoint detection and response (EDR) in block mode Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)"

From the tests on Malware Hub it follows that the first two components work on any Windows edition (also Windows Home and Pro). The last component seems to work only on Windows E5 (also Microsoft 365 E3 with the Identity & Threat Protection offering subscription). I am not sure about feedback-loop blocking, but this component should work (at least) via "Block At First Sight" feature.

Behavioral blocking and containment - Microsoft Defender for Endpoint

Learn about behavioral blocking and containment capabilities at Microsoft Defender for Endpoint

docs.microsoft.com

Client behavioral blocking - Microsoft Defender for Endpoint

Client behavioral blocking is part of behavioral blocking and containment capabilities at Microsoft Defender for Endpoint

docs.microsoft.com

Feedback-loop blocking - Microsoft Defender for Endpoint

Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint

docs.microsoft.com

The behavior-based detections related to Client behavior blocking (Behavior:Win32/Persistence.*!ml , Behavior:Win32/Generic.*!ml, ... ) can be seen in the tests made by @SeriousHoax. Also, the behavior blocks related to the ASR rules can be easily recognized in these tests.
In addition to ASR rules, the below techniques should be detected on Windows 10 Home and Pro:

Tactic	Detection threat name
Initial Access	Behavior:Win32/InitialAccess.*!ml
Execution	Behavior:Win32/Execution.*!ml
Persistence	Behavior:Win32/Persistence.*!ml
Privilege Escalation	Behavior:Win32/PrivilegeEscalation.*!ml
Defense Evasion	Behavior:Win32/DefenseEvasion.*!ml
Credential Access	Behavior:Win32/CredentialAccess.*!ml
Discovery	Behavior:Win32/Discovery.*!ml
Lateral Movement	Behavior:Win32/LateralMovement.*!ml
Collection	Behavior:Win32/Collection.*!ml
Command and Control	Behavior:Win32/CommandAndControl.*!ml
Exfiltration	Behavior:Win32/Exfiltration.*!ml
Impact	Behavior:Win32/Impact.*!ml
Uncategorized	Behavior:Win32/Generic.*!ml

 

[mazskolnieces]

The update about behavior blocking:
"Components of behavioral blocking and containment

• On-client, policy-driven attack surface reduction rules Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center https://securitycenter.windows.com as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
• Client behavioral blocking Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
• Feedback-loop blocking (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
• Endpoint detection and response (EDR) in block mode Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)"

From the tests on Malware Hub it follows that the first two components work on any Windows edition (also Windows Home and Pro). The last component seems to work only on Windows E5 (also Microsoft 365 E3 with the Identity & Threat Protection offering subscription). I am not sure about feedback-loop blocking, but this component should work (at least) via "Block At First Sight" feature.

Behavioral blocking and containment - Microsoft Defender for Endpoint

Learn about behavioral blocking and containment capabilities at Microsoft Defender for Endpoint

docs.microsoft.com

Client behavioral blocking - Microsoft Defender for Endpoint

Client behavioral blocking is part of behavioral blocking and containment capabilities at Microsoft Defender for Endpoint

docs.microsoft.com

Feedback-loop blocking - Microsoft Defender for Endpoint

Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint

docs.microsoft.com

The behavior-based detections related to Client behavior blocking (Behavior:Win32/Persistence.*!ml , Behavior:Win32/Generic.*!ml, ... ) can be seen in the tests made by @SeriousHoax. Also, the behavior blocks related to the ASR rules can be easily recognized in these tests.
In addition to ASR rules, the below techniques should be detected on Windows 10 Home and Pro:

Tactic	Detection threat name
Initial Access	Behavior:Win32/InitialAccess.*!ml
Execution	Behavior:Win32/Execution.*!ml
Persistence	Behavior:Win32/Persistence.*!ml
Privilege Escalation	Behavior:Win32/PrivilegeEscalation.*!ml
Defense Evasion	Behavior:Win32/DefenseEvasion.*!ml
Credential Access	Behavior:Win32/CredentialAccess.*!ml
Discovery	Behavior:Win32/Discovery.*!ml
Lateral Movement	Behavior:Win32/LateralMovement.*!ml
Collection	Behavior:Win32/Collection.*!ml
Command and Control	Behavior:Win32/CommandAndControl.*!ml
Exfiltration	Behavior:Win32/Exfiltration.*!ml
Impact	Behavior:Win32/Impact.*!ml
Uncategorized	Behavior:Win32/Generic.*!ml

MS is using MITRE ATTACK IQ matrix Tactic names.

 

[Andy Ful]

There are also other partners:

Extending Microsoft Defender ATP network of partners

A typical enterprise depends on multiple security solutions to operate and to combat advanced cyber adversaries. At Microsoft, we believe that when these..

techcommunity.microsoft.com

The integration with MITRE ATTACK IQ can be visible via Microsoft Defender Security Center with the paid ATP subscription.

 

[Andy Ful]

There is an interesting podcast on the web: Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions.

"In each episode, hosts Nic Fillingham and Natalia Godyla take a closer look at the latest in threat intelligence, security research, and data science. Our expert guests share insights into how modern security technologies are being built, how threats are evolving, and how machine learning and artificial intelligence are being used to secure the world.
Each episode will also feature an interview with one of the many experts working in Microsoft Security. Guests will share their unique path to Microsoft and the infosec field, what they love about their calling and their predictions about the future of ML and AI.
New episodes of Security Unlocked will be released twice a month with the first three episodes available today on all major podcast platforms. We will talk about specific topics in future blogs and provide links to podcasts to get more in-depth."

Security Unlocked

The Microsoft Security Podcast

securityunlockedpodcast.com

Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions | Microsoft Security Blog

It’s hard to keep pace with all the changes happening in the world of cybersecurity. Security experts and leaders must continue learning (and unlearning) to stay ahead of the ever-evolving threat landscape. In fact, many of us are in this field because of our desire to continuously challenge...

www.microsoft.com

The experts are people that actually work on Microsoft Defender (AI/ML , AMSI, etc.).

 

[Andy Ful]

WD in Windows Home includes some ATP features, e.g. part of Attack surface reduction and Next Generation protection. The available features on Windows Home are in green & bold.

Attack surface reduction
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.

• Hardware based isolation (partially available on Windows Home, fully available on Windows Pro)
• Application control (partially available on Windows Home, fully available on Windows Pro)
• Device control (partially available on Windows Home, fully available on Windows Pro)
• Exploit protection
• Network protection, web protection
• Controlled folder access
• Network firewall
• Attack surface reduction rules

Not included in Windows Home and Pro:

• HIPS rules
• Enterprise management of Application Guard (Edge browser)
• Allow/deny lists (IP/URL, files, certificates)
• Device based conditional access

Next-generation protection
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.

• Behavior monitoring (not sure about rapid protection, e.g. Feedback-loop blocking)
• Cloud-based protection
• Machine learning
• URL Protection
• Automated sandbox service

Not included in Windows Home and Pro:

• Advanced ML/AI based protection for apex level viruses and malware threats.
• Advanced cloud protection (deep inspection and detonation in the sandbox).
• Emergency outbreak protection.
• Monitoring, analytics, and reporting.

 

[Andy Ful]

Windows Defender Ransomware Protection on Windows Home and Pro.

WD can prevent/fight ransomware by using several features:

1. Deep Learning and heuristic-based behavior detections. This is a common way of detecting ransomware by modern AVs. Unsupervised Deep Learning is used to detect totally unknown ransomware families.
2. ASR rule "Use advanced protection against ransomware". This works as a behavior blocker.
3. Other ASR rules prevent popular scripting attacks and other attacks used to finally execute the ransomware payload.
4. "Ransomware Protection" feature available via Security Center. It enables Controlled Folder Access, which is smart-default-deny for applications/processes that want to access the protected folders and system protected disk areas.

The article about Deep Learning:

Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection | Microsoft Security Blog

Learn how we're using deep learning to build a powerful, high-precision classification model for long sequences of wide-ranging signals occurring at different times.

www.microsoft.com

The articles about ASR rules:

Microsoft Defender for Endpoint Blog

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Microsoft Privacy Statement

techcommunity.microsoft.com

Używanie reguł zmniejszania obszaru ataków w celu zapobiegania infekcji złośliwym oprogramowaniem - Microsoft Defender for Endpoint

Reguły zmniejszania obszaru podatnego na ataki mogą pomóc w zapobieganiu używaniu aplikacji i skryptów do infekowania urządzeń złośliwym oprogramowaniem.

docs.microsoft.com

The articles about Controlled Folder Access:

Protect important folders from ransomware from encrypting your files with controlled folder access - Microsoft Defender for Endpoint

Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.

docs.microsoft.com

Customize controlled folder access - Microsoft Defender for Endpoint

Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.

docs.microsoft.com

When using Controlled Folder Access (CFA) the user should bear in mind some inconvenience. The 3rd party applications like: system optimizers, backup software, disk management software, media management applications, document editors, etc. will be usually blocked from accessing the protected folders and system protected disk areas. So, the user has to have some skills to identify access issues and exclude the right executables in CFA.

One can use Windows Event Log or use ConfigureDefender to create the Log of events related to Windows Defender. The events related to CFA starts with:

• Event ID: 1123
  (Blocked by Controlled Folder Access)
• Event ID: 1127
  (Blocked by Controlled Folder Access - sector write block event)

The first event is a typical block when the application is blocked from accessing a file in the protected folder.
The second event is not related to protected folders, but to blocked processes when they try to access system protected disk areas.

 

[Andy Ful]

How strong is WD (default settings) in the Home environment?

WD was is tested for a long time by professional AV testing labs (home or consumer reports):
AV-Comparatives (Real-world, Malware Protection): Test Results - AV-Comparatives (av-comparatives.org)
AV-Test: Home users (av-test.org)
Se Labs: SE Labs

One should not be excited or disappointed by the results of the particular test because any such test has a strong random factor. This is noted for example in the AV-Comparatives test methodology:
"Our tests use much more test cases (samples) per product and month than any similar test performed by other testing labs. Because of the higher statistical significance this achieves, we consider all the products in each results cluster to be equally effective, assuming that they have a false-positives rate below the industry average."
Real-World Protection Test Methodology - AV-Comparatives (av-comparatives.org)
As can be seen from the reports, the best AVs are usually in the first cluster (10 Avs or more), so they can be equally effective on malware in-the-wild (despite the differences in the particular test).

So, the best method is to gather the results of 4 types of tests (AV-Comparatives Real-World, AV-Comparatives Malware Protection, AV-Test, and SE Labs) for a long period. I did it for the period April 2018-June (October) 2020. Here are the results (1-9 places) for AVs that participated in all these tests (with exception of Bitdefender):

AV-Comparatives Real-World (July 2018 - October 2020)
1. TrendMicro, 2. F-Secure, 3. Norton, 4. Avira Pro, 5. Bitdefender, 6. Kaspersky, 7. Microsoft, 8. Avast, 9. McAfee

AV-Comparatives Malware Protection (September 2018 - September 2020)
1. Avast, 2. Norton, 3. Bitdefender, 4. Avira Pro, 5. Microsoft, 6. Kaspersky, 7. F-Secure, 8. McAfee, 9. Trend Micro

AV-Test (June 2018 - June 2020)
1. Norton, 2. Kaspersky, 2. Trend Micro, 4. Bitdefender, 4. F-Secure, 6. Avira Pro, 7. Avast, 7. Microsoft, 9. McAfee,

SE Labs (April 2018 - June 2020)
1. Norton, 2. Kaspersky, 3. Trend Micro, 3. F-Secure, 5. Microsoft, 6. Avira Free, 7. *Bitdefender, 8. McAfee, 9. Avast
Bitdefender participated only in one SE Labs test and missed 5 samples. The first 5 AVs never missed more than 3 samples in any SE Lab test.

(1) AV-Comparatives - Consumer Real-World Protection Test July-October 2020 | MalwareTips Community
(1) AVLab.pl - Microsoft Defender - pros and cons (November 2020) | MalwareTips Community
(1) AVLab.pl - Microsoft Defender - pros and cons (November 2020) | MalwareTips Community

It is hard to do the proper statistics, so let's make the simplest one (average place):

April 2018-June (October) 2020 Final List of 4 types of tests (rounded +- 0.25).
Norton ................... (3+2+1+1)/4 ~ 2
Trend Micro ...........(1+9+2+3)/4 ~ 4
F-Secure .................(2+7+4+3)/4 = 4
Kaspersky ..............(6+6+2+2)/4 = 4
* Bitdefender ............(5+3+4+7)/4 ~ 5
Avira .......................(4+4+6+6)/4 = 5
Microsoft ...............(7+5+7+5)/4 = 6
Avast ......................(8+1+7+9)/4 ~ 6
McAfee ..................(9+8+8+8)/4 ~ 8

It seems that even when considering 2 year testing period and 4 types of tests, we have very little differences between the most popular AVs (most are grouped around the 5th place). Furthermore, the second-best AV on the final scoring (Trend Micro) was the last (and far away) in the AV-Comparatives Malware Protection tests and there is no AV that could be consistently better in all 4 types of tests than Avast (second-last on the final list).
My personal opinion is that these tests cannot measure the real differences between malware protection (home environment) of the most popular AVs (marked in green on the list), because the differences are too small. Probably, only Norton and McAfee can be distinguished from the other due to very consistent high (Norton) and low (McAfee) scorings.

So, the answer for Microsoft is that WD anti-malware protection for the home users is as good as the protection of most AVs (free or Home versions). It does not mean that WD (on default settings) is as strong as for example Kaspersky (KIS participated in all tests). The advantage of some solutions (like KIS) can be seen in the business environment.

Edit1.
If we include the false positives rate which is consistently biggest for Norton and Trend Micro in AV-Comparatives False Alarm tests, then the differences will be even smaller.
For example in AV-Comparatives False Alarm tests September 2018 - September 2020 (6 tests):

-----------------------The number of false positives -------
Kaspersky.........5 + 3 + 0 + 10 + 3 = 21
Bitdefender.......9 + 6 + 7 + 7 + 6 = 35
Avira..................2 + 4 + 1 + 24 + 8 = 39
Avast.................5 + 15 + 7 + 15 +10 = 52
F-Secure..........15 + 17 + 4 + 24 + 9 = 69
McAfee............35 + 9 + 2 + 25 + 10 = 81
Microsoft.........32 + 8 + 13 + 9 + 21 = 83
Norton..............47 + 19 + 7 + 25 + 41 = 139
Trend Micro.....40 + 81 + 14 + 1 + 5 = 141
False Alarm Tests Archive - AV-Comparatives (av-comparatives.org)

It easy to see that Norton and Trend Micro which have the best anti-malware scoring, also have the worst false positives rate.
It is also interesting that Trend Micro scored very very poorly in the AV-Comparatives Malware Protection test in the year 2020, just when the false positives rate was the best (1+5 false positives). On the contrary, when Trend Micro had stellar protection results, the false positives rate was very very high.

Edit2.
The phenomenon of consistently high results of Norton worried me because it cannot probably be understood as the statistical (random) effect.

But, when looking at consistently high false positives rate and user-dependent choices in the tests, it is clear that Norton uses aggressive file reputation check (something similar to SmartScreen and PUA protection in Edge). So, one could use Windows Defender + Edge web browser (SmartScreen + PUA enabled) to get similar strong protection.
Respond to incorrect Norton alerts about unsafe downloaded files

Edit3
Corrected the error in the AV-Test Kaspersky scoring and added the scorings of AV-Comparatives Real-World test from September 2018 to be closer to the testing period of other tests.