App Review Kaspersky vs Windows Defender

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by PC Security Channel

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
8,510
But sometimes they do. A video was published on Dec 26 (Defender excluding ransomware), and on the following day:

Infected by Loki ransomware

I can guess you have in mind the "Defender exclusions" issue. But in this case, the Defender exclusions were not the cause of the infection, but happened after the infection. We can expect that the infected computer with added exclusions can be "more compromised" compared to the infection without exclusions. But this is not necessarily true, because there are tens of similarly (or more) dangerous techniques (the computer was infected with high privileges). We can also expect that by using exclusions, the attacker did not use another dangerous technique that could be used in the case of another AV. There is no evidence that "exclusions" are more efficient or used more frequently than other possible techniques. Finally, the user did not post that exclusions caused another infection. So, there is no evidence that this example is more than another "Ebola case".
As we know, Loki ransomware can infect computers protected by any popular AV on default settings.

Edit.
Of course, popular AVs on default settings cannot protect against many fresh malware samples (Loki ransomware is only an example).
 
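A check that follows from the point above about exclusions being added by malware that already runs with high privileges, written here as an added illustration and not taken from any post in the thread: list the Defender exclusions currently in force, flag the ones that cover user-writable or whole-drive locations, and pull the configuration-change events (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) that record when an exclusion was added. The "suspicious location" patterns are assumptions chosen for the example, not a Microsoft list.

```powershell
# Added example (not from the thread): audit Microsoft Defender exclusions and the
# recent configuration-change events that record when they were added.
# Run in an elevated PowerShell session on Windows 10/11. The "suspicious location"
# patterns are assumptions for illustration, not a Microsoft list.

$suspiciousPathPatterns = @(
    '\\Users\\[^\\]+\\AppData\\',   # per-user, user-writable
    '\\Users\\Public\\',
    '\\ProgramData\\',
    '\\Windows\\Temp\\',
    '^[A-Za-z]:\\?$'                # a whole drive excluded
)

function Get-DefenderExclusionReport {
    # Every current exclusion, with path exclusions flagged when they cover
    # user-writable or whole-drive locations.
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess', 'ExclusionIpAddress') {
        foreach ($value in @($pref.$kind)) {
            if ([string]::IsNullOrEmpty($value)) { continue }
            $flag = $false
            if ($kind -eq 'ExclusionPath') {
                foreach ($pattern in $suspiciousPathPatterns) {
                    if ($value -match $pattern) { $flag = $true; break }
                }
            }
            [pscustomobject]@{ Kind = $kind; Value = $value; Suspicious = $flag }
        }
    }
}

function Get-DefenderExclusionChanges {
    param([int]$Days = 30)
    # Event ID 5007 ("antimalware platform configuration changed") is logged for each
    # setting change; exclusion additions name the Exclusions registry key in "New value".
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Exclusions\\' } |
        ForEach-Object {
            $newValue = ($_.Message -split '\r?\n' | Where-Object { $_ -match 'New value' }) -join ' '
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Change = $newValue.Trim() }
        }
}

$exclusions = @(Get-DefenderExclusionReport)
$exclusions | Format-Table -AutoSize
if ($exclusions | Where-Object Suspicious) {
    Write-Warning 'Some exclusions cover user-writable or whole-drive locations; confirm each was set deliberately.'
}
Get-DefenderExclusionChanges -Days 30 | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, the same data lives under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions, and an intruder with administrator or SYSTEM rights who can write there can also clear the Operational log, so an empty result is evidence of nothing; Tamper Protection raises the bar for that but does not remove it. Second, recent Defender builds can hide exclusions from non-administrators, so run the check elevated or the first function may return nothing even when exclusions exist.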

Zero Knowledge

Level 20
Dec 2, 2016
849
Of course, popular AVs on default settings cannot protect against many fresh malware samples
You summed up the major problem with cyber security: at default you cannot protect users/networks, so people will get infected, but you will have fewer user support requests and more availability of systems. On the other hand, if you tweak the software/hardware to secure users/networks in 99.9% of cases, you will have lots of support requests, less availability and less uptime, and you will have to train and employ people who understand the systems, architecture and networks and can implement/run the software, at a huge cost.
 

simmerskool

Level 37
Apr 16, 2017
2,607
You summed up the major problem with cyber security, at default you cannot protect users/networks
agree, but... how prevalent are weak default settings? My current experience is limited to ESET, Kaspersky Standard & FS SAFE. My recollection of ESET is that all or almost all of its setup features were "ON", and I just installed K Standard the other day and was surprised how comprehensive and locked-down that Win10 was on defaults. And SAFE seems strong right out of the box with nothing or little to tweak. So is this more of an MS Defender issue, and why we have ConfigureDefender and DefenderUI?? Perhaps Panda has this issue too (recent reading here).
 

Zero Knowledge

Level 20
Dec 2, 2016
849
You're coming at the problem from an experienced security person who is able to manage settings on security software; most people can't be bothered or don't have the skills or patience to manage security software at anything but default settings. 3rd party AV is dying, most home users use WD on default settings, hence the problem. People won't pay when you can get something for free, and most people either use the AV that was installed by default on their laptop, or they use WD on default settings as I mentioned before.

Enterprise is a different beast altogether because there you have people employed to manage software and troubleshoot user problems. But even at enterprise level they usually just ship AV at default levels and spend most of the time troubleshooting user problems/issues. The more complex/configurable security software like EDR/NDR is usually the domain of businesses that have regulation that forces them to have high levels of protection/logging/defenses (think financial/health/government).
 

simmerskool

Level 37
Apr 16, 2017
2,607
You're coming at the problem from an experienced security person who is able to manage settings on security software; most people can't be bothered or don't have the skills or patience to manage security software at anything but default settings. 3rd party AV is dying, most home users use WD on default settings, hence the problem. People won't pay when you can get something for free, and most people either use the AV that was installed by default on their laptop, or they use WD on default settings as I mentioned before.

Enterprise is a different beast altogether because there you have people employed to manage software and troubleshoot user problems. But even at enterprise level they usually just ship AV at default levels and spend most of the time troubleshooting user problems/issues. The more complex/configurable security software like EDR/NDR is usually the domain of businesses that have regulation that forces them to have high levels of protection/logging/defenses (think financial/health/government).
you are correct!! or I agree ;) (made 1 minor edit)
 

simmerskool

Level 37
Apr 16, 2017
2,607
yes fwiw, I have Kaspersky Standard running in a VMware Guest Win10 22H2, and F-Secure SAFE running in another identical Guest (I do not run both VMs at the same time). I gleaned that Kaspersky "locks down" more aspects of the system, but is obviously heavier, while SAFE is relatively light. Both Guests have 16 GB RAM. CPU is aging some...
EDIT: now I recall Kaspersky blocked Bitwarden from auto-loading pw; it said to do that manually. (maybe there's a way to turn off that "feature" in K?) (I'm running the VM with SAFE at the moment)
EDIT updated correction: I was mistaken about both Guest VMs being identical. Both Guests were identical but the VM workstations were not, which led me to think Kaspersky was somewhat heavy, BUT I tweaked the VM settings, they are now the same, and I'm happy to report that Kaspersky Standard is now (or feels) very fast as well as being very comprehensive.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
8,510
@cruelsister,

The post mentioned by you gives us too little information about the attack scenario. I realized that many people use the name of the final payload to describe a more complex attack. So indeed, we cannot definitely exclude the possibility that the victim of the Loki ransomware was infected in a more complex scenario (not simple ransomware), like "trojan + ransomware" or "loader + ransomware" (like in your video).

The "loader + malware" combination is pretty popular nowadays, so it is possible that there are already some samples in the wild mixed with Defender exclusions ("loader + exclusions ---> new malware"). It would be interesting to confirm how popular such a mixed scenario can be against home users. If it becomes popular, then we will see it in some reports soon. So, let's wait ... :)
 

monkeylove

Level 12
Mar 9, 2014
598
IMO, most computer users are not familiar with basic Windows operations, which means they don't know or can't remember what various system tray icons do, etc. Given that, they will have difficulty learning how and what to exclude, what not to allow, and so on.

Meanwhile, there are some who criticize those who show tests through Youtube, and then criticize company tests, preferring Youtube testers instead. If the tests do too much, they argue that these are unrealistic because most users won't be affected by various malware, anyway, but in case they're wrong, provide tweaks that can create more problems, e.g., users complaining that something no longer runs. From there, they're criticized for not learning how to use computers.

Then there's advice that only common sense is needed, that backups can reverse stolen data, that any slowdown is simply imaginary, etc., just to push one type of AV or another, or that one has to get better hardware, etc.

Given that, I think one is better off just looking at the test results from companies, as they generally tie up with tests from Youtubers; look at not just performance but also usability and performance impact, and for free versions, what's missing and if there are any annoying things like popups for upgrades (and whether or not they can be disabled). From there, use the one that does best across the three criteria and is basically set-and-forget. Do the same for backup software, etc.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
8,510
Meanwhile, there are some who criticize those who show tests through Youtube, ...
Most critique is not related to the tests, but to the misinterpretation of test results. Simply, many YouTubers do not understand what they get after doing the test. They are victims of wrong statistics. Here is a known joke about wrong statistics:

Many people do not know that they use a deadly substance every day (ReTaw). Here are some facts about it that follow from the statistical correlations:
  • It is very addictive for anyone.
  • The withdrawal symptoms are very strong and most people can die in a few days.
  • Long-term usage can significantly impair sight and hearing.
  • It finally kills 100% of people who use it.
  • Scientists proved that the human body tries to get rid of it in one hour through the skin or with urine.
  • It is also strongly correlated with vomiting.
  • Close contact with it (for example on the beach) can cause death, especially for children.
  • It can be easily found in sewage.
  • There is a close correlation with mood irregularities. It was detected in every case of dissolving into tears.
  • It had been the main cause of death in the Atlantis population.
  • It is mentioned even in the Bible.
  • etc.
:)
 

RoboMan

Level 35
Jun 24, 2016
2,485
You summed up the major problem with cyber security: at default you cannot protect users/networks, so people will get infected, but you will have fewer user support requests and more availability of systems. On the other hand, if you tweak the software/hardware to secure users/networks in 99.9% of cases, you will have lots of support requests, less availability and less uptime, and you will have to train and employ people who understand the systems, architecture and networks and can implement/run the software, at a huge cost.
I think it's time to agree you can't have strong protection without compromising usability. The only way to not compromise usability is relying on static detection or behaviour blocker to do all the work, and this never gives a 100% accurate result. I believe that only with SRP, anti-exe, Application Control modules you can get strong protection, and this ALWAYS compromises usability.
 

cruelsister

Level 43
Apr 13, 2013
3,224
Not suggesting it, but for those concerned about usability, how about a system that will only use: 1. Imaging software that uses daily Incremental backups. 2. An Outbound alerting firewall without predefined Whitelist (but with the ability to add currently installed applications if one desires). 3. Weekly on-demand scans with KVRT.
 

goodjohnjr

Level 5
Jul 11, 2018
227
Not suggesting it, but for those concerned about usability, how about a system that will only use: 1. Imaging software that uses daily Incremental backups. 2. An Outbound alerting firewall without predefined Whitelist (but with the ability to add currently installed applications if one desires). 3. Weekly on-demand scans with KVRT.
Hello Cruelsister,

1. Which free imaging programs would you recommend?

3. Which free non-Kaspersky on-demand (Norton Power Eraser et cetera) and / or bootable (Norton Bootable Recovery Tool et cetera) antimalware scanners would you recommend?

- Thanks
 

cruelsister

Level 43
Apr 13, 2013
3,224
For Imaging, Macrium (and not the freebie, as one would need the images to be protected from ransomware); for the on-demand scanner only KVRT will do, as none of the others (including NPE, which although better than junk like MB or HMP still will ignore things like nastier worms) that I've ever tried is as inclusive.
 

Divine_Barakah

Level 33
May 10, 2019
2,289
For Imaging, Macrium (and not the freebie, as one would need the images to be protected from ransomware); for the on-demand scanner only KVRT will do, as none of the others (including NPE, which although better than junk like MB or HMP still will ignore things like nastier worms) that I've ever tried is as inclusive.
I do not see the need to get the paid version of Macrium. As long as backup images are stored on an external HDD that is not always connected to your device, nothing is gonna happen to the backups. It is a good practice to keep multiple copies of your backups on other external devices, though.
 

goodjohnjr

Level 5
Jul 11, 2018
227
For Imaging, Macrium (and not the freebie, as one would need the images to be protected from ransomware); for the on-demand scanner only KVRT will do, as none of the others (including NPE, which although better than junk like MB or HMP still will ignore things like nastier worms) that I've ever tried is as inclusive.
Thanks.

I know that you are a fan of Kaspersky Virus Removal Tool and I assume of Kaspersky Rescue Disk, but I need the closest non-Kaspersky alternatives for a variety of reasons (Kaspersky is not recommended and / or banned in some uses et cetera by some governments / companies / organizations / users, Kaspersky is still being investigated, and various other reasons).

So I assume that both of those two Norton products that I mentioned are the closest (not better than, but closer) products in each of those two categories to both of those Kaspersky products, in your opinion?
 

RansomwareRemediation

Level 4
Jun 22, 2020
189
Thanks.

I know that you are a fan of Kaspersky Virus Removal Tool and I assume of Kaspersky Rescue Disk, but I need the closest non-Kaspersky alternatives for a variety of reasons (Kaspersky is not recommended and / or banned in some uses et cetera by some governments / companies / organizations / users, Kaspersky is still being investigated, and various other reasons).

So I assume that both of those two Norton products that I mentioned are the closest (not better than, but closer) products in each of those two categories to both of those Kaspersky products, in your opinion?
and Bitdefender ?
Bitdefender is at the same level and in some tests even higher.
Greetings
 

goodjohnjr

Level 5
Jul 11, 2018
227
and Bitdefender ?
Bitdefender is at the same level and in some tests even higher.
Greetings
They do not have a free on-demand scanner anymore, unfortunately, and I do not think that they have their free bootable scanner either (I could be wrong); otherwise that would be one of my choices. (I do use their free scanner on Android, and their free antivirus on Windows is my second choice for a free antivirus on Windows; if they remove the account requirement, then I would probably recommend it to others over Windows Security set to Recommended Settings by DefenderUI.)
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
8,510
Not suggesting it, but for those concerned about usability, how about a system that will only use: 1. Imaging software that uses daily Incremental backups. 2. An Outbound alerting firewall without predefined Whitelist (but with the ability to add currently installed applications if one desires). 3. Weekly on-demand scans with KVRT.
One has to whitelist the web browser, svchost.exe, explorer.exe, and probably a few others. After whitelisting the web browser and svchost, such a setup will not be safer than the standard setup. It could probably be a good solution if there was a firewall with a cloud & local whitelist of trusted IP addresses, similar to the cloud & local software whitelist of Comodo Firewall. For usability, the firewall should have some learning abilities. I am not sure how usable this setup could be in practice, but I like the general idea.

Edit.
I would also add the security feature of turning on strict execution restrictions triggered by connections with malicious addresses.
 

Zero Knowledge

Level 20
Dec 2, 2016
849
2. An Outbound alerting firewall without predefined Whitelist (but with the ability to add currently installed applications if one desires).
WFC is perfect for this task and it's free. The key here is that it will alert you to any unknown outbound connections in medium mode. Password-protect WFC after you add all exclusions/block rules and enable secure rules, and you're good to go. It can be time-consuming adding rules, but you can export the config anyway; the only problem is if Microsoft changes the path or directory of the file with an update, but I don't think it happens much.

Is it bulletproof? No! But it's a lot better than just going with stock WF rules.
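The firewall setup discussed in this thread, built with the tooling Windows already ships: the outbound-alerting, no-predefined-whitelist idea in cruelsister's post, Andy Ful's objection that the browser, svchost.exe and explorer.exe have to be allowed anyway, and the WFC suggestion just above. This is an added example, not code from the thread and not how WFC works internally. It sets the built-in firewall to block outbound by default, adds explicit per-program allow rules, turns on Windows Filtering Platform failure auditing so each dropped outbound connection is logged as Security event 5157 with the process that attempted it (the nearest built-in substitute for an alert), and lists the resulting allow rules so the real width of the whitelist is visible. The rule names and the browser path are assumptions; change them to match the installed software.

```powershell
# Added example (not from the thread): approximate an "outbound alerting firewall
# without a predefined whitelist" with the built-in Windows Defender Firewall.
# Run elevated. Program paths below are assumptions; set them to what is installed.
# WARNING: once DefaultOutboundAction is Block, anything without an explicit Allow
# rule loses network access, including Windows Update unless svchost.exe is allowed.

$allowPrograms = @{
    'Allow Out - Browser'  = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"   # assumption
    'Allow Out - svchost'  = "$env:SystemRoot\System32\svchost.exe"             # DNS, Windows Update, time
    'Allow Out - Defender' = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"  # signature updates
}

function Set-OutboundDefaultBlock {
    # Block outbound by default on all profiles (inbound is already Block by default),
    # and audit dropped connections so each one is logged with the process path.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
    auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
}

function Add-OutboundAllowRules {
    foreach ($name in $allowPrograms.Keys) {
        $path = $allowPrograms[$name]
        if (-not (Test-Path $path)) { Write-Warning "Skipping '$name': $path not found"; continue }
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $path -Profile Any -Enabled True | Out-Null
    }
}

function Get-OutboundAllowSummary {
    # Every enabled outbound Allow rule with its program filter. Rules whose Program is
    # 'Any', or that allow svchost.exe or the browser, are where the whitelist gets wide.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Profile = $_.Profile }
    }
}

function Get-RecentOutboundBlocks {
    param([int]$Last = 20)
    # Security event 5157 is written for each dropped connection once the audit
    # subcategory above is enabled; unlike pfirewall.log it names the process.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Direction:\s+Outbound' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = [regex]::Match($_.Message, 'Application Name:\s*(\S+)').Groups[1].Value
                Destination = [regex]::Match($_.Message, 'Destination Address:\s*(\S+)').Groups[1].Value
                Port        = [regex]::Match($_.Message, 'Destination Port:\s*(\d+)').Groups[1].Value
            }
        } | Select-Object -First $Last
}

Set-OutboundDefaultBlock
Add-OutboundAllowRules
Get-OutboundAllowSummary | Format-Table -AutoSize
Get-RecentOutboundBlocks | Format-Table -AutoSize
```

The built-in firewall has no per-connection prompt; WFC layers that prompt over these same rules and block events, which is why it is the usual recommendation for this setup. The summary table makes Andy Ful's point concrete: the svchost.exe rule alone admits every service hosted in svchost, and the browser rule admits anything that runs inside or drives the browser, so the effective whitelist is far wider than three lines suggest.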
 
