App Review Kaspersky vs Windows Defender

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
PC Security Channel

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Is it bulletproof? No! But it's a lot better than just going with stock WF rules.
I am afraid that the setup with WFC without the AV is not usable for most people and not safer than the standard setup. Of course, the properly configured WFC + AV is another story (but still the usability is not great).:(
It is hard to find out something as usable and efficient as the popular AV on default settings. This probably does not mean that the standard solution is the best idea, but follows from the support of the AV vendors. Applying any other solution is against the current.
 
Last edited:

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
869
Yes, you're absolutely right. AV at default settings has a high level of usability but a properly configured AV or *insert any* security software is what you want.

The reason I support using WFC is if you use WD then it's a good alternative to WF. And it has good logging ability where you can check allow/block.

*edit* Cleaned up post.
 

goodjohnjr

Level 5
Verified
Jul 11, 2018
231
Yes, that in my opinion is correct, NPE being a trifle bit better than Emsisoft Emergency Kit.
Thank you very much, Cruelsister, I really respect your opinions on security programs et cetera; and I like to try to keep updated on the current best free security programs et cetera overall & the best free layered security strategies to recommend to the average person.

I am not sure if you have this here or somewhere else or not, but it would be nice if you had a place we could look at to see your current recommendations for free security programs et cetera at any given time.

When it comes to web browser protection beyond the built-in web browser security / privacy options, are there any security web browser extensions (Malwarebytes Browser Guard, Norton Safe Web, Bitdefender TrafficLight, et cetera) that you recommend using along an ad blocker like uBlock Origin or Adguard (which of these two ad blockers do you prefer, and which lists?)?
 
  • +Reputation
Reactions: Divine_Barakah

Malleable

Level 1
Mar 2, 2021
45
Thanks.

I know that you are a fan of Kaspersky Virus Removal Tool and I assume of Kaspersky Rescue Disk, but I need the closest non-Kaspersky alternatives for a variety of reasons (Kaspersky is not recommended and / or banned in some uses et cetera by some governments / companies / organizations / users, Kaspersky is still being investigated, and various other reasons).

So I assume that both of those two Norton products that I mentioned are the closest (not better than, but closer) products in each of those two categories to both of those Kaspersky products, in your opinion?
That's what torments me about Kaspersky. I always want to use the best out there. Kaspersky was banned by our Government, for those who may not be aware and if my memory serves me correctly, because an NSA(?) employee had some novel malware the Government was developing on his home computer which also had Kaspersky installed. Kaspersky detected it and forwarded it to the Russian government. Now that I'm free to use it I just can't bring myself to. When I did try it I believe it left a file on my computer after each scan that CFW/CS always detects. Probably meaningless but since I just don't use it I haven't looked into that more deeply.
 
Last edited:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,788
That's what torments me about Kaspersky. I always want to use the best out there. Kaspersky was banned by our Government, for those who may not be aware and if my memory serves me correctly, because an NSA(?) employee had some novel malware the Government was developing on his home computer which also had Kaspersky installed. Kaspersky detected it and forwarded it to the Russian government. Now that I'm free to use it I just can't bring myself to. When I did try it I believe it left a file on my computer after each scan that CFW/CS always detects. Probably meaningless but since I just don't use it I haven't looked into that more deeply.
I just installed Kaspersky Standard a few days ago, see if you can ID the file that its scan is leaving behind that is detected by CFW and I'll check my win10. maybe it's some sort of harmless temp file??
 
  • Sad
Reactions: ForgottenSeer 69673

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
leaving behind that is detected by CFW and I'll check my win10. maybe it's some sort of harmless temp file??
It's a cleanup script (CF has Script analysis, so can be touchy about such) that runs when KVRT is closed. Specifically:

REM Retry up to 1000 times until the KVRT temp directory is gone
FOR /L %%i IN (1, 1, 1000) DO (
rmdir /s /q "C:\Users\cruel\AppData\Local\Temp\{eab07697-2c36-470a-8719-e9633933a737}"
if not exist "C:\Users\cruel\AppData\Local\Temp\{eab07697-2c36-470a-8719-e9633933a737}" goto RemoveOK
REM one-second pause between attempts, the usual batch sleep idiom
ping 127.0.0.1 -n 1 > Nul
)
REM Give up if the directory could not be removed
exit
:RemoveOK
REM Remove the KVRT kernel driver files and the service entries that load them
cd /D C:\Windows\System32\Drivers
FOR %%i IN ("klupd_7498628aa*.sys") DO (
REG DELETE "HKLM\System\CurrentControlSet\services\%%~ni" /f
DEL /F /Q "%%i"
)
REM Drop the RunOnce entry that launched this cleanup, then delete the script's own folder
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v b7c11351-129f-4362-b4ec-9bb0280a14c5 /f
@echo "Cleanup completed."
rmdir /s /q "%~dp0"
 
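Script-analysis HIPS such as the CF component mentioned above flag scripts by the actions they take, not by who wrote them, which is why a legitimate uninstaller can trip them. The following Python is an added example (not code from the thread, from Kaspersky or from Comodo) that performs a simple static triage of the cleanup script quoted above: it tags each line with the security-relevant action it performs and reports which combination a behaviour heuristic would react to. The script text embedded in it is a constructed copy of the posted one with the user name, GUIDs and driver id replaced by placeholders; the rule set and the heuristic are this example's own assumptions, not Comodo's actual logic.

```python
"""Static triage of a batch cleanup script, in the spirit of the script analysis
the thread says Comodo Firewall applies. Added example, not code from the
thread or from any vendor; the rules and the heuristic are assumptions."""
import re
from collections import Counter

# Placeholder-ised copy of the quoted KVRT cleanup script (constructed input).
CLEANUP_SCRIPT = r'''FOR /L %%i IN (1, 1, 1000) DO (
rmdir /s /q "C:\Users\<user>\AppData\Local\Temp\{<guid>}"
if not exist "C:\Users\<user>\AppData\Local\Temp\{<guid>}" goto RemoveOK
ping 127.0.0.1 -n 1 > Nul
)
exit
:RemoveOK
cd /D C:\Windows\System32\Drivers
FOR %%i IN ("klupd_<id>*.sys") DO (
REG DELETE "HKLM\System\CurrentControlSet\services\%%~ni" /f
DEL /F /Q "%%i"
)
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v <guid> /f
@echo "Cleanup completed."
rmdir /s /q "%~dp0"
'''

# (tag, regex, why a behaviour heuristic cares). Case-insensitive, as cmd.exe is.
RULES = [
    ("registry_delete", r"^\s*reg\s+delete\b",
     "removes registry keys or values"),
    ("service_removal", r"reg\s+delete\s+\"?HKLM\\System\\CurrentControlSet\\services\\",
     "removes a driver/service definition"),
    ("autorun_key", r"\\CurrentVersion\\RunOnce\b",
     "touches an autostart location"),
    ("driver_dir", r"System32\\Drivers\b",
     "operates inside the kernel driver directory"),
    ("driver_glob", r"\.sys\b",
     "enumerates .sys driver files"),
    ("forced_file_delete", r"^\s*del\s+/f\s+/q\b",
     "deletes files with no prompt, read-only attribute ignored"),
    ("recursive_delete", r"^\s*rmdir\s+/s\s+/q\b",
     "recursive, unprompted directory removal"),
    ("self_delete", r"rmdir\s+/s\s+/q\s+\"%~dp0\"",
     "deletes the directory holding the script itself"),
    ("sleep_via_ping", r"ping\s+127\.0\.0\.1\s+-n\s+\d+",
     "batch sleep idiom, typical of retry loops around file deletion"),
]
COMPILED = [(tag, re.compile(rx, re.I), why) for tag, rx, why in RULES]

# Actions that together make a behaviour engine treat a script as the cleanup
# stage of a loader rather than as an uninstaller. This is the heuristic, not a
# verdict on intent: the posted script is a legitimate KVRT uninstaller that
# simply happens to do all three. (Assumed heuristic, not any vendor's.)
HEURISTIC_TRIGGERS = {"self_delete", "service_removal", "autorun_key"}


def tag_line(line):
    """Tags that fire on one script line."""
    return [tag for tag, rx, _ in COMPILED if rx.search(line)]


def triage(script_text):
    """Walk the script, collect tagged lines and per-tag counts, and decide
    whether the combination of actions would trip the heuristic above."""
    findings, counts = [], Counter()
    for lineno, line in enumerate(script_text.splitlines(), 1):
        tags = tag_line(line)
        if tags:
            findings.append((lineno, line.strip(), tags))
            counts.update(tags)
    trips = HEURISTIC_TRIGGERS <= set(counts)
    return {"counts": dict(counts), "findings": findings,
            "verdict": "would_trip_script_heuristic" if trips else "quiet"}


def explain(result):
    """Analyst-facing report: which line did what, and why it matters."""
    why = {tag: w for tag, _, w in RULES}
    lines = [f"verdict: {result['verdict']}"]
    for lineno, text, tags in result["findings"]:
        lines.append(f"  line {lineno}: {text}")
        for t in tags:
            lines.append(f"      - {t}: {why[t]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(triage(CLEANUP_SCRIPT)))
```

The point of the report is the last step: self-deletion plus service-key removal plus an autorun edit is exactly the shape a heuristic is tuned for, so the alert is expected and the analyst's job is to confirm the script's origin (here, the KVRT uninstall) rather than to treat the detection as proof of anything.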

goodjohnjr

Level 5
Verified
Jul 11, 2018
231
That's what torments me about Kaspersky. I always want to use the best out there. Kaspersky was banned by our Government, for those who may not be aware and if my memory serves me correctly, because an NSA(?) employee had some novel malware the Government was developing on his home computer which also had Kaspersky installed. Kaspersky detected it and forwarded it to the Russian government. Now that I'm free to use it I just can't bring myself to. When I did try it I believe it left a file on my computer after each scan that CFW/CS always detects. Probably meaningless but since I just don't use it I haven't looked into that more deeply.
Yeah, it is a little more complicated than that.

That situation probably went a little differently than that, but that situation is probably what started most of the current investigations / bans / recommendations to not use it / et cetera.

The Kaspersky saga goes deeper than that, with various investigations / allegations / et cetera still ongoing, with a lot of the information not being publicly released by various governments / intelligence agencies / law enforcement agencies / companies / et cetera.

So us, the public, still have not seen some / most of the alleged evidence et cetera in most of the investigations / allegations / et cetera.

Besides that, there are the ethical / moral issues et cetera with the war et cetera, and depending on whether your government et cetera is an ally or enemy of Russia et cetera.

So I am still taking the cautious approach and following the recommendations of various local / international authorities.

Especially because I work in IT for a public organization (public library), and my country is not an ally of Russia (it is probably not the best idea to use online connected software et cetera from / connected with a country / company / et cetera that your country is at war with and / or may be at war with in the future et cetera).

It is unfortunate, it is what it is, et c'est la vie!

It is up to each person to decide for themselves whether to use Kaspersky products or not.

Hopefully one day the investigations et cetera will be complete, so we can learn the details et cetera.
 

ForgottenSeer 69673

It's a cleanup script (CF has Script analysis, so can be touchy about such) that runs when KVRT is closed. Specifically:

FOR /L %%i IN (1, 1, 1000) DO (
rmdir /s /q "C:\Users\cruel\AppData\Local\Temp\{eab07697-2c36-470a-8719-e9633933a737}"
if not exist "C:\Users\cruel\AppData\Local\Temp\{eab07697-2c36-470a-8719-e9633933a737}" goto RemoveOK
ping 127.0.0.1 -n 1 > Nul
)
exit
:RemoveOK
cd /D C:\Windows\System32\Drivers
FOR %%i IN ("klupd_7498628aa*.sys") DO (
REG DELETE "HKLM\System\CurrentControlSet\services\%%~ni" /f
DEL /F /Q "%%i"
)
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v b7c11351-129f-4362-b4ec-9bb0280a14c5 /f
@echo "Cleanup completed."
rmdir /s /q "%~dp0"
you sure like the appdata folder my kitten
 

monkeylove

Level 13
Verified
Top Poster
Well-known
Mar 9, 2014
617
Most critique is not related to the tests, but to the misinterpretation of test results. Simply, many YouTubers do not understand what they get after doing the test. They are victims of wrong statistics. Here is a known joke about wrong statistics:

Many people do not know that they use a deadly substance every day (ReTaw). Here are some facts about it that follow from the statistical correlations:
  • It is very addictive for anyone.
  • The withdrawal symptoms are very strong and most people can die in a few days.
  • Long-term usage can significantly impair sight and hearing.
  • It finally kills 100% of people who use it.
  • Scientists proved that the human body tries to get rid of it in one hour through the skin or with urine.
  • It is also strongly correlated with vomiting.
  • Close contact with it (for example on the beach) can cause death, especially for children.
  • It can be easily found in sewage.
  • There is a close correlation with mood irregularities. It was detected in every case of dissolving into tears.
  • It had been the main cause of death in the Atlantis population.
  • It is mentioned even in the Bible.
  • etc.
:)
And what is the correct interpretation of the results described in the test discussed in this thread?
 

monkeylove

Level 13
Verified
Top Poster
Well-known
Mar 9, 2014
617
That's what torments me about Kaspersky. I always want to use the best out there. Kaspersky was banned by our Government, for those who may not be aware and if my memory serves me correctly, because an NSA(?) employee had some novel malware the Government was developing on his home computer which also had Kaspersky installed. Kaspersky detected it and forwarded it to the Russian government. Now that I'm free to use it I just can't bring myself to. When I did try it I believe it left a file on my computer after each scan that CFW/CS always detects. Probably meaningless but since I just don't use it I haven't looked into that more deeply.
Most don't know this, but some AVs also operate through "eyes" countries. In addition, by default all AVs are intrusive for obvious reasons.
 

devjit2020

Level 2
Apr 7, 2022
91
Thanks.

I know that you are a fan of Kaspersky Virus Removal Tool and I assume of Kaspersky Rescue Disk, but I need the closest non-Kaspersky alternatives for a variety of reasons (Kaspersky is not recommended and / or banned in some uses et cetera by some governments / companies / organizations / users, Kaspersky is still being investigated, and various other reasons).

So I assume that both of those two Norton products that I mentioned are the closest (not better than, but closer) products in each of those two categories to both of those Kaspersky products, in your opinion?
ESET Online scanner and Malwarebytes. Although Malwarebytes can mostly detect exe files yet I have found it to be one of the only ones that does a thorough scan of your system registry and removes infected registry keys. None of the other free scanners do that as far as I'm aware (except KVRT).
 

goodjohnjr

Level 5
Verified
Jul 11, 2018
231
ESET Online scanner and Malwarebytes. Although Malwarebytes can mostly detect exe files yet I have found it to be one of the only ones that does a thorough scan of your system registry and removes infected registry keys. None of the other free scanners do that as far as I'm aware (except KVRT).
Thank you, Devjit2020, for sharing that.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
And what is the correct interpretation of the results described in the test discussed in this thread?
I did not post about possible correct interpretations of videos (there can be probably many), but about incorrect interpretations presented by some YouTubers and people who watched the videos.
If you are interested in the possibly correct interpretation of the video in this thread, then it is a presentation of AV abilities in the business network. The presentation showed that:
  • Defender had some problems from the user side - for example, the Protection History crashed a few times.
  • The result of the first part of the video is consistent with known professional tests (Malware Protection tests). But, one cannot say anything interesting about the differences in AV protection due to the small number of samples. One can only say that the difference should not be very big.
  • In the second part (ransomware) the samples were executed from the local network with high privileges. This scenario has nothing to do with attacks on home users. It could be useful in business networks to test the protection against lateral movement.
  • The result of the second part is inconclusive because of the small number of samples. The samples were old and only one file type was used, so they cannot reflect the in-the-wild scenario. The author did not check if Defender failed on one sample or more. Also, he did not check in any way if the system with Kaspersky was compromised. He simply assumed that when he cannot see obvious signs of infection then the system is probably OK.
  • The author mentioned that the detection of Defender was probably impaired because of running many samples one by one. So the cloud backend could be overloaded and it did not respond on time.
  • The video is well done as a presentation. One cannot demand more from it. To avoid misunderstanding, I would not call it a test.
The author did not interpret the results of the video. So one cannot blame him for the wrong interpretations made by people who watched the video. The video cannot show a real comparison test of AV protection in the wild and I do not think that it was the author's intention.
I agree with the author's opinion (from his other tests) that Microsoft Defender (free version on default settings) is not a good choice for businesses. This presentation cannot prove it, but anyway, the presentations are not made to prove anything but to visualize the author's opinions.
 
Last edited:
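The "small number of samples" objection in the post above can be made concrete. The Python below is an added example, not part of the post or of any published test, that computes Wilson score intervals for two constructed detection counts (18/20 versus 20/20, numbers made up for illustration since the video reports none) and checks whether the intervals overlap; it then finds how many samples the same observed rates would need before they stop overlapping. It goes slightly beyond the post by giving the general rule rather than one instance.

```python
"""Why a handful of samples cannot separate two AVs: Wilson score intervals on
constructed detection counts. Added example, not from the thread; 18/20 and
20/20 are made-up numbers standing in for counts the video does not report."""
import math


def wilson_interval(hits, n, z=1.96):
    """Wilson score interval (95% for z=1.96) for a proportion hits/n.
    Unlike the naive p +/- z*sqrt(p(1-p)/n) it does not collapse to zero
    width when every sample was detected (p = 1)."""
    if n <= 0:
        raise ValueError("need at least one sample")
    p = hits / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def intervals_overlap(a, b):
    """True when the two (low, high) intervals share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]


def compare_detection(hits_a, hits_b, n):
    """Compare two products that detected hits_a and hits_b of the same n
    samples. 'conclusive' means the 95% intervals do not overlap, i.e. the
    run is large enough to call one better than the other on this evidence."""
    ia, ib = wilson_interval(hits_a, n), wilson_interval(hits_b, n)
    return {"a": ia, "b": ib, "conclusive": not intervals_overlap(ia, ib)}


def samples_needed_to_separate(rate_a, rate_b, step=10, limit=100000):
    """Smallest n (in multiples of step) at which the two observed rates,
    held fixed, would yield non-overlapping intervals. None if never."""
    n = step
    while n <= limit:
        if compare_detection(round(rate_a * n), round(rate_b * n), n)["conclusive"]:
            return n
        n += step
    return None


if __name__ == "__main__":
    small = compare_detection(18, 20, 20)       # constructed: 18/20 vs 20/20
    large = compare_detection(900, 1000, 1000)  # same rates, 50x the samples
    print("20 samples :", small)
    print("1000 samples:", large)
    print("samples needed for 90% vs 100% to separate:",
          samples_needed_to_separate(0.9, 1.0))
```

With 20 samples the 90% product's interval reaches up to about 0.97 and the 100% product's reaches down to about 0.84, so they overlap and nothing can be said about which is better; the same observed rates only separate somewhere around 80 samples, and at 1000 the gap is unambiguous.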

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
And what is the correct interpretation of the results described in the test discussed in this thread?
My last 2 videos should be viewed together. Part 1: "Defender vs a Novel Stealer Variant" shows how malware currently in the Wild can exploit Defender by the addition of an exclusion and be stealthy/persistent by where the payload is dropped and by Scheduling a Task.

Part 2: "Microsoft Defender- A Possible Future" showed how the malware used in Part 1 accomplished the Stealth, Persistence, and exclusion (essentially a "How To" primer for those with the eyes to see). It also demonstrated that ANY payload will work (ie be excluded) with this technique.

The main point was that Microsoft should prevent applications from being prone to these mechanisms.

 
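On the exclusion part of the technique described above, the defender-side check is to watch Defender's own audit trail: Microsoft Defender logs event ID 5007 to the Microsoft-Windows-Windows Defender/Operational log whenever its configuration changes, and an added exclusion shows up there as a new value under the Exclusions registry path. The Python below is an added example (not code from the videos or from Microsoft) that scans exported event records for exclusion additions and rates them by where the excluded path lives. The records are constructed and shaped like the 5007 message text; the severity rules and the list of user-writable locations are this example's own assumptions.

```python
"""Flag Microsoft Defender exclusion additions from exported event records.
Added example, not from the thread or from Microsoft. Records are constructed
to resemble event ID 5007 text so the code runs offline; the severity rules
are assumptions for illustration."""
import re

# Constructed sample records, as an export of the Operational log might hold them.
SAMPLE_EVENTS = [
    {"id": 1001, "time": "2023-05-01T09:00:00",
     "message": "Microsoft Defender Antivirus scan has started."},
    {"id": 5007, "time": "2023-05-01T09:12:31",
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "If this is an unexpected event you should review the settings "
                 "as this may be the result of malware.\n\tOld value: \n\tNew value: "
                 "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                 "C:\\Users\\Public\\Libraries = 0x0")},
    {"id": 5007, "time": "2023-05-01T09:40:02",
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "\n\tOld value: \n\tNew value: "
                 "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                 "C:\\Program Files\\LineOfBusinessApp = 0x0")},
    {"id": 5007, "time": "2023-05-01T10:05:44",
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "\n\tOld value: \n\tNew value: "
                 "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
                 "DisableRealtimeMonitoring = 0x1")},
]

# The 'New value:' line of a 5007 event names the registry value that changed;
# exclusions live under Exclusions\Paths, Exclusions\Extensions or
# Exclusions\Processes, and a freshly added exclusion has data 0x0.
EXCLUSION_RX = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0"
)

# Locations a standard user can write to (assumed list). An exclusion there
# shields whatever a low-privilege process drops, which is the pattern above.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\public\\",
                       "\\downloads\\", "\\programdata\\")


def parse_exclusion(message):
    """(kind, value) if the message records a new exclusion, else None."""
    m = EXCLUSION_RX.search(message)
    return (m.group(1), m.group(2)) if m else None


def severity(kind, value):
    """Assumed triage rule: type- and process-wide exclusions and exclusions in
    user-writable paths are high; a fixed path under Program Files is medium."""
    if kind in ("Extensions", "Processes"):
        return "high"
    if any(hint in value.lower() for hint in USER_WRITABLE_HINTS):
        return "high"
    return "medium"


def find_exclusion_alerts(events):
    """Return one alert per 5007 record that added an exclusion."""
    alerts = []
    for ev in events:
        if ev["id"] != 5007:
            continue
        parsed = parse_exclusion(ev["message"])
        if parsed is None:
            continue  # other configuration change (e.g. real-time protection toggled)
        kind, value = parsed
        alerts.append({"time": ev["time"], "kind": kind, "value": value,
                       "severity": severity(kind, value)})
    return alerts


if __name__ == "__main__":
    for alert in find_exclusion_alerts(SAMPLE_EVENTS):
        print(f"{alert['time']} [{alert['severity']}] {alert['kind']} exclusion: {alert['value']}")
```

The third sample record, a real-time protection toggle, is deliberately not an exclusion and falls through the filter; a production rule set would alert on it separately. On a live host the same records come from Get-WinEvent against the Operational log with Id 5007, and the current exclusion list from Get-MpPreference, so the parser above is the offline half of that check.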

monkeylove

Level 13
Verified
Top Poster
Well-known
Mar 9, 2014
617
I did not post about possible correct interpretations of videos (there can be probably many), but about incorrect interpretations presented by some YouTubers and people who watched the videos.
If you are interested in the possibly correct interpretation of the video in this thread, then it is a presentation of AV abilities in the business network. The presentation showed that:
  • Defender had some problems from the user side - for example, the Protection History crashed a few times.
  • The result of the first part of the video is consistent with known professional tests (Malware Protection tests). But, one cannot say anything interesting about the differences in AV protection due to the small number of samples. One can only say that the difference should not be very big.
  • In the second part (ransomware) the samples were executed from the local network with high privileges. This scenario has nothing to do with attacks on home users. It could be useful in business networks to test the protection against lateral movement.
  • The result of the second part is inconclusive because of the small number of samples. The samples were old and only one file type was used, so they cannot reflect the in-the-wild scenario. The author did not check if Defender failed on one sample or more. Also, he did not check in any way if the system with Kaspersky was compromised. He simply assumed that when he cannot see obvious signs of infection then the system is probably OK.
  • The author mentioned that the detection of Defender was probably impaired because of running many samples one by one. So the cloud backend could be overloaded and it did not respond on time.
  • The video is well done as a presentation. One cannot demand more from it. To avoid misunderstanding, I would not call it a test.
The author did not interpret the results of the video. So one cannot blame him for the wrong interpretations made by people who watched the video. The video cannot show a real comparison test of AV protection in the wild and I do not think that it was the author's intention.
I agree with the author's opinion (from his other tests) that Microsoft Defender (free version on default settings) is not a good choice for businesses. This presentation cannot prove it, but anyway, the presentations are not made to prove anything but to visualize the author's opinions.

It can't and shouldn't do "a real comparison test of AV protection in the wild" as users will have different experiences, use different types of hardware, etc. Given that, the presentation is logical.
 
