Q&A Is the improved performance of Microsoft Defender a myth? Should we necessarily be using a 3rd party AV?

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,163
Yes, I am aware. The SRP was also tested with Recommended Settings + Forced SmartScreen. From the point of view of the user, these setups are similar. The Forced SmartScreen in the SRP test did a similar thing as VirusTotal (and AI lookup) in the VS test. If VS was tested in "Always ON" mode and SRP with All_ON setup, then one could probably test them over a year without any misses.



It is nice that we can agree on something.
But, it seems that we understand modern threats differently. I understand them as in the Microsoft documentation, and that means lateral movement, especially using .NET DLLs, and kernel-based malware (Bad USB, kernel exploits, etc.). For fighting such threats you need the "Modern SRP", which is Microsoft Defender Application Control (a mix of the classic SRP idea with Application Guard).
The VS test was performed mainly with signed and verified malware, at my request. SmartScreen on its own will not fare nearly as well if only signed and verified malware is used in the test. The reason I know this is because SS is implemented into WLC / VoodooAi as a feature. We should test in the MH using the same malware to be sure ;).

You cannot equate user-mode SRP with kernel-mode mechanisms. As much as you and a few other people wish for this to be the case, it simply will never be.
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,163
None of the ConfigureDefender profiles (DEFAULT, HIGH, INTERACTIVE, and MAX) need to disable Tamper Protection.
In the interest of clarity, can ConfigureDefender toggle Behavior Monitoring, Scan all downloaded files and attachments or Script scanning when Tamper Protection is enabled, yes or no?
 

Andy Ful

Level 79
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,814
You cannot equate user-mode SRP with kernel-mode mechanisms. As much as you and a few other people wish for this to be the case, it simply will never be.
The kernel-mode mechanism has nothing to do with these tests. It seems that you have a problem with understanding my clear statements about (classic) SRP's inability to fight kernel-based threats (I mentioned this inability in several posts on this thread). Should I repeat this in every one of my posts, or can you finally remember it? :unsure:
 

ForgottenSeer 92963

@danb and @ScandinavianFish I worded that wrong. Yes Dan, I have 2 questions.

DUI asked the user to disable MD Tamper Protection the last time I tried it (which was also the reason for uninstalling it again).

1. Can I use DUI PRO advanced features (like the really great context-aware anti-exploit protection) with MD Tamper Protection enabled when I don't "toggle Behavior Monitoring, Scan all downloaded files and attachments or Script scanning", and disable MD through Security Center on the rare and unusual occasion that this would be needed (so not using the features Dan mentioned as the reason why the user had to disable Tamper Protection)?

2. I have MD running in a sandbox, is DUI PRO able to protect and restart MD also in that use case?
 

ForgottenSeer 92963

The kernel-mode mechanism has nothing to do with these tests. It seems that you have a problem with understanding my clear statements about (classic) SRP's inability to fight kernel-based threats (I mentioned this inability in several posts on this thread).
Agreed. I also mentioned that SRP lives in the wrong ring (see my earlier post), but that does not make it useless. (y)

Anti-virus companies like to refer to real virus infections for comparison, but a vaccine passes medical certification when it protects for 50% or more (not 100%). Yesterday I got my Covid booster; it probably protects only 30% to 50% against the latest Omicron variant (and 50% to 80% against hospitalization), so it is not bulletproof, but still useful IMO.
 

Local Host

Level 25
Verified
Top poster
Well-known
Sep 26, 2017
1,430
So why not use ConfigureDefender or Group Policy Editor to harden it so you don't have to worry about your family running it?
'Cause as stated, Windows Defender fails to protect them even with those settings, not to mention the usability that is lost; I would get constant calls to solve issues caused by Windows Defender.

Last time I had an uncle arguing he didn't want to install anything, I used ConfigureDefender on it, and I had constant calls due to Windows Defender bugs and false positives, not to mention restrictive measures, so I set the settings to High instead and he got his browser hijacked in less than a week.

He stopped arguing since I installed Kaspersky, and hasn't called me once in months about having issues with his PC.
 
Dec 12, 2021
133
'Cause as stated, Windows Defender fails to protect them even with those settings, not to mention the usability that is lost; I would get constant calls to solve issues caused by Windows Defender.

Last time I had an uncle arguing he didn't want to install anything, I used ConfigureDefender on it, and I had constant calls due to Windows Defender bugs and false positives, not to mention restrictive measures, so I set the settings to High instead and he got his browser hijacked in less than a week.

He stopped arguing since I installed Kaspersky, and hasn't called me once in months about having issues with his PC.
Sounds a lot like overreaction on his part. I have used Windows Defender for 3 years now, while going back and forth with different AVs; most of the time I've just run it alone and I have not encountered a single false positive on the High protection level using ConfigureDefender, and while yes, it has some visual bugs, it's never anything serious.

Expecting an antivirus to do all the dirty work is fooling yourself into a false sense of security. If your uncle can't avoid malware and PUPs then that's on his part, not the security software, and there are many things AVs can't really protect you against, like scams involving tech support, snake oil, etc.
 

wat0114

Level 6
Verified
Well-known
Apr 5, 2021
264
(y) Agreed. I also mentioned that SRP lives in the wrong ring, ...
Assuming you are talking about ring 0, this should not matter if SRP prevents the malware gaining a foothold at this low level in the first place. If the initial and first one or two links in the infection chain are prevented at, let's say ring 3, then ring 0 becomes a moot point anyway. The goal, I believe, is to stop the infection process in the very early stages so as not to allow a malicious process to proceed to the ring 0 attack stage level.
 

Digmor Crusher

Level 13
Verified
Top poster
Well-known
Jan 27, 2018
640
'Cause as stated, Windows Defender fails to protect them even with those settings, not to mention the usability that is lost; I would get constant calls to solve issues caused by Windows Defender.

Last time I had an uncle arguing he didn't want to install anything, I used ConfigureDefender on it, and I had constant calls due to Windows Defender bugs and false positives, not to mention restrictive measures, so I set the settings to High instead and he got his browser hijacked in less than a week.

He stopped arguing since I installed Kaspersky, and hasn't called me once in months about having issues with his PC.
I've been using ConfigureDefender for over a year and Defender is so quiet it's becoming boring, so methinks the problem is not WD.
 

Deletedmessiah

Level 25
Verified
Top poster
Content Creator
Well-known
Jan 16, 2017
1,448
This thread right now

[animated GIF]
 

monkeylove

Level 7
Verified
Well-known
Mar 9, 2014
303
In such a situation, the preferred Windows built-in setup would be Defender with ConfigureDefender HIGH settings + Simple Windows Hardening. This config is very silent. You probably used ConfigureDefender MAX settings that apply some noisy ASR rules and can block non-prevalent applications/updates.



It is also a good setup for adults. You can try Simple Windows Hardening to strengthen the protection against scripting/fileless attacks. Nowadays, applications use scripting methods extremely rarely, so this setup should also be silent. On the contrary, cybercriminals like scripting malware very much.

Thanks! I'll give it another shot.
 

ForgottenSeer 92963

Assuming you are talking about ring 0, this should not matter if SRP prevents the malware gaining a foothold at this low level in the first place. If the initial and first one or two links in the infection chain are prevented at, let's say ring 3, then ring 0 becomes a moot point anyway. The goal, I believe, is to stop the infection process in the very early stages so as not to allow a malicious process to proceed to the ring 0 attack stage level.
That is my point also :) but nearly everything you download from the internet or mail lands in user land. User land processes are allowed to modify other user land processes (called a side-by-side infection*). Therefore it is better for a security program to have higher rights, because lower-rights objects can't modify higher-rights objects.

After XPoff (forgot his exact nickname) made the behavioral protection program Cyberhawk blind (decades ago in a PoC) by unhooking its userland controls, the general consensus is that security should be enforced at kernel level (DanB has a point with his criticism). It is not the fact that it is "game over" when intrusions reach system level, but lower-rights objects cannot touch higher-level objects and, more importantly, can't disable them (with a side-by-side attack in user land).

* This is why Microsoft and Google started to render webpages in untrusted processes (pushing them to lower-rights processes and preventing them from infecting processes running with medium rights). The same applies to opening PDFs in the browser and running the Windows Mail app in a lower-rights sandbox.
 

ticklemefeet

Level 26
Well-known
Jan 31, 2018
1,521
That is my point also :) but nearly everything you download from the internet or mail lands in user land. User land processes are allowed to modify other user land processes (called a side-by-side infection*). Therefore it is better for a security program to have higher rights, because lower-rights objects can't modify higher-rights objects.

After XPoff (forgot his exact nickname) made the behavioral protection program Cyberhawk blind (decades ago in a PoC) by unhooking its userland controls, the general consensus is that security should be enforced at kernel level (DanB has a point with his criticism). It is not the fact that it is "game over" when intrusions reach system level, but lower-rights objects cannot touch higher-level objects and, more importantly, can't disable them (with a side-by-side attack in user land).

* This is why Microsoft and Google started to render webpages in untrusted processes (pushing them to lower-rights processes and preventing them from infecting processes running with medium rights). The same applies to opening PDFs in the browser and running the Windows Mail app in a lower-rights sandbox.
If I remember correctly, XP_Xoff went to work for Microsoft. That sure brings back old memories, Kees. The days of Rootkit.com, Holyfather (RIP), wave, 29a, Russ R's Rootkit Revealer from Sysinternals, now also with Microsoft. Thanks for the trip down memory lane, Kees.
 

Andy Ful

Level 79
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,814
That is my point also :) but nearly everything you download from the internet or mail lands in user land. User land processes are allowed to modify other user land processes (called a side-by-side infection*). Therefore it is better for a security program to have higher rights, because lower-rights objects can't modify higher-rights objects.
...

It does not really matter for home users. When SRP is not running in Ring 0, then the malware running with Admin privileges must bypass fewer obstacles to dismantle the SRP protection, compared to the security running in Ring 0.
But this also assumes that:
  1. Malware knows that the home user applied SRP (hardly possible).
  2. Malware has to infect/exploit the system (hardly possible with SRP on Windows 10).
  3. Malware has to elevate (hardly possible with SRP on Windows 10, especially with Defender).
All of this can matter only with highly targeted attacks that can happen in Enterprises via lateral movement. Diplomats and dissidents can also consider this danger.
It is worth knowing that running a security program in Ring 0 does not mean that it can protect against kernel-based malware (like for example WannaCry worm). Also, running the security program in Ring 0 can be rather easily bypassed in highly targeted attacks. Furthermore, most security programs do not run fully in Ring 0, so they can be exploited/bypassed by processes from the userland.

The true security boundary has to be run in Ring -1 (Virtualisation-based Security). Such security was already adopted by some AV vendors. The Windows built-in Microsoft Defender Application Guard ("Modern SRP" model) uses it too.
 
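The two checks this exchange turns on, whether Tamper Protection is locking the Defender toggles named earlier in the thread (Behavior Monitoring, Scan all downloaded files and attachments, Script scanning) and whether virtualization-based security (the "Ring -1" boundary) is actually running, can be read out locally. The following read-only audit is an added example, not code from the thread or from ConfigureDefender; it assumes Windows 10/11 with the Defender PowerShell module and the Win32_DeviceGuard WMI class available.

```powershell
# Added example: read-only posture audit for the settings discussed in the thread.
# Assumes Get-MpComputerStatus / Get-MpPreference (Defender module) and the
# root\Microsoft\Windows\DeviceGuard namespace exist on this machine.
function Get-DefenderPostureReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # When Tamper Protection is on, local changes to the core toggles below are refused.
    $tamper = [bool]$status.IsTamperProtected

    # Defender stores these as Disable* flags, so invert them to report "enabled".
    $toggles = [ordered]@{
        'Real-time protection'                     = -not $pref.DisableRealtimeMonitoring
        'Behavior Monitoring'                      = -not $pref.DisableBehaviorMonitoring
        'Scan all downloaded files and attachments' = -not $pref.DisableIOAVProtection
        'Script scanning'                          = -not $pref.DisableScriptScanning
    }

    # Virtualization-based security status (the "Ring -1" boundary referred to above).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active
    $hvci = ($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]@{
        TamperProtection = $tamper
        Settings         = $toggles
        VbsRunning       = $vbsRunning
        HvciRunning      = $hvci
    }
}

$report = Get-DefenderPostureReport
"Tamper Protection enabled : $($report.TamperProtection)"
foreach ($name in $report.Settings.Keys) {
    "{0,-42}: {1}" -f $name, $report.Settings[$name]
}
"VBS running               : $($report.VbsRunning)"
"HVCI (memory integrity)   : $($report.HvciRunning)"
if (-not $report.TamperProtection) {
    # This is the condition the thread warns about: any process with admin rights
    # can then flip the toggles above through the same Set-MpPreference interface.
    "Note: Tamper Protection is off, so the settings above are not locked against local admin changes."
}
```

Run it in an elevated PowerShell session; a third-party product that requires Tamper Protection to be off will show up here as TamperProtection = False, which is the trade-off the questions above are asking about.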

ForgottenSeer 92963

It is worth knowing that running a security program in Ring 0 does not mean that it can protect against kernel-based malware
That is what I tried to explain.
myself :-) said:
"it is "game over" when intrusions reach system level"
This argument often clouds the discussion about system-level vs user-land protection (to your irritation, as I noticed from your responses to DanB :) ).
 

Andy Ful

Level 79
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,814
This argument often clouds the discussion about system-level vs user-land protection (to your irritation, as I noticed from your responses to DanB :) ).

I am irritated when people try to incorrectly interpret my posts. So, if I state something clearly several times and next I see a post that clearly suggests that I stated the opposite, I am irritated. :)
Of course, I would like it if the (classic) SRP could run in Ring 0, but this would not improve its protection for home users much. Simply, the attackers do not even try to dismantle it, because it is so rarely used at home. I did not see any anti-SRP modules in any exploit kit. Furthermore, I did not see any malware in the wild (in the last few years) which would try to dismantle SRP.
So, I will worry only when half of the home users start using SRP (which will never happen). :)(y)
 