AVLab.pl May 2021 - Advanced In The Wild Malware Test

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Andy Ful


If you look at test scores from testing organisations, they indicate that typically any of the big name antiviruses will provide similar levels of protection. However, if you look at the tests here in the Malware Hub, where often more recent malware is tested, you will see much more of a difference between antiviruses. To provide one example, Panda often does very well when tested by testing organisations, but as you can see from the tests here, often fails terribly at detecting zero-day malware.

The differences between Consumer AVs are also visible in the tests of AV testing Labs, as I have shown in my previous post. You could for example say that McAfee (on default settings) is 7 times worse than Norton, because it missed 7 times more samples. But of course, 7 * "something very small" is still very small (compared to total tested samples), that is why you still can say that most popular AVs can give similarly good protection. A similar impact on your protection (as choosing the AV) could have your mood, quarrel with your wife, or pain in the neck. I am sure that simply reading the MT forum can have a stronger impact on your protection than changing the AV.:)

You should also take into account that testing 0-days is not the best representative of the protection of Home users. I think that tests from Malware Hub are probably closer to testing the Enterprise environment. They include more 0-days and more malware used in targeted attacks. Some malware samples are tested "out of the infection chain" as payloads (the initial chains are skipped). This is also natural in Enterprises, where one has to assume a fair chance that the environment is already compromised. :unsure:
 

plat1098

I keep all Internet-facing software (Windows, browsers, apps, drivers) rigorously updated. That's my first line of defense. If there's a vulnerability in the wild, the watchdogs generally find it way before it would snake its way to my lowly machine. :cool:

I use Microsoft, not because it's fabulous, but I'd rather not deal with added 3rd party bulk to the hard drive. The rest is up to me (and H_C/OSArmor).
 

Lenny_Fox

I am currently using:
- Next DNS (with Google's safe browsing)
- Bitdefender extension with Edge
- Smartscreen MOTW with explorer
- Kaspersky Free (without HTTPS scanning) assisted by
a) H_C blocking: scripts, enhanced blocking of sponsors and blocking elevation of unsigned binaries
b) WD Exploit protection only allowing M$ signed DLL's in Microsoft programs (explorer, edge, office)
c) Set deny write/execute on user land startup folders/registry keys

I am not aware of any infections, so it does as well as my 2020 setup with H_C and Microsoft Defender. I only switched to Kaspersky Free, because the husband of a (girl)friend of my girlfriend is an IT-er and he convinced my girlfriend to switch to KCF. If that had not happened, I would still be using H_C and MD. Reason explained by @roger_m (because it is already preinstalled and with H_C and Configure Defender it offers even more protection).
 

Andy Ful

I think that also the AVLab tests can support the view that users should keep the popular AV that they like most. If one likes most the compatibility with Windows, then Defender + Edge is a natural choice. If the most important thing is strong security and a very low rate of false positives, then Kaspersky (and a few others) can be recommended. If one requires an exceptionally strong solution for a happy clicker, then there are also many choices among tweaked AVs and security applications.
The prices of commercial AVs (family pack) in many countries are not high. So the argument that one spent money for nothing is not convincing for many users. People can spend much more when smoking, drinking, buying unnecessary things, etc. Furthermore, the people who buy AVs also support diversity and concurrency, which are important for improving protection.
 

Digmor Crusher

Exactly, many balk at spending $50 for an AV but will spend twice that per week eating out because they are too lazy to cook.
 

Lenny_Fox

@simalinga

Come on man, loosen up. AV industry is a billion dollar industry. There must be millions of consumers buying 3rd party AV. Even when there are more people just using what comes with OS, 3rd party security is still a substantial market. Avast for instance has multi billion turn over only in the home user market.

So no black and white or good and wrong, just different perceptions on what is the best choice for an individual. As you may have noted when you signed on, this is what we discuss at this security forum.

So take it easy when someone disagrees and respect other opinions.
 

peterfat111

Even Microsoft Defender gets 100%. That means paying for third party AV for security is a waste of money.
but also consider the performance impact of windows defender, it is huge.
WD vs Norton at idle
WD just got to 28% cpu and 200 mb of ram, so I just turned it off.
As I said other avs still have their use, WD is good but there are still a lot of place to improve such as this.
 

ForgottenSeer 85179

My idle is:
"sehr niedrig" means very low.
 

blackice

Mine is still like this after leaving on for hours and constantly popping cpu to 10, and that is only its passive protection, I wonder what will the real time look on my pc.
There have been many cpu usage bugs with WD. One of the downsides. As everything with every software, there are bugs. Microsoft is good at manifesting bugs.
 

Jan Willy

Even Microsoft Defender gets 100%. That means paying for third party AV for security is a waste of money.

Yet for the vast majority of people, paying for 3rd party security software is a waste of money.

Those that have money to burn on 3rd party security software certainly do have the right to waste their money. Nobody is saying otherwise. Nobody is trying to stop them from wasting their money.

All the rest is a waste of money though for most users.

So like my original premise, buying 3rd party AV is a waste of money for most people
My impression is that you've made your point.
 

roger_m

Most consumers do not pay for the AV after the trial expires, if they activate the trial in the first place. So the argument that consumers only use MD because it is already pre-installed is false. What is really happening is that they are choosing MD over other AV - even the ones that come with a free trial! And in this day and age, just about everybody younger than age 60 knows about 3rd party security software. They know what it is and that they can buy it. They just don't buy it because they already get what they need from MD.
They don't buy third party antiviruses because MD is included with Windows and is free, as a result many couldn't be bothered switching antiviruses. There's nothing wrong with that, as it is a decent antivirus. However, there's also nothing wrong with a good third party antivirus, which provides comparable or better protection. If MD was not included with Windows, then far fewer people would use it.
Nowhere did I say MD users never get infected. You are making up your own interpretation of my posts. I said most MD users do not get infected.
Actually, I misread what you posted. You wrote "many never have a serious infection," which I misread as never getting infected.
People in 1st world nations do not run their AV on obsolete, slow HDD; they are running it on SSD and there are few cases where MD slows systems down on SSD. I have tested against folders as large as 1 GB containing literally tens of thousands of files. I create a real-time and scan exclusion in MD and there is no problem. File hoarders that run their OSS on obsolete HDD are the primary complainers about Defender. As Microsoft has said in the past, it has moved on from HDD technology and MD is optimized for SSD.
MD causes slowdowns for people with SSDs as well as those with hard drives. The slow-downs I've seen from MD, have been caused by CPU use, not disk use, so the type of storage used is irrelevant, and I have witnessed one of my own systems, which has a SSD, running much slower with MD than with a third party antivirus.
 

Andy Ful

Mine is still like this after leaving on for hours and constantly popping cpu to 10, and that is only its passive protection, I wonder what will the real time look on my pc.
This is an indication that some process is working on files in the background. Defender monitors files when they are moved, copied, archived, downloaded, etc. This can happen when you use backup software, advanced disk cleaners, etc. Normally, the Defender on idle consumes 0% resources.
 

roger_m

@simalinga I don't know why you keep pushing the point that third party antiviruses are not needed. Microsoft Defender and big name third party antiviruses provide excellent protection. As a result, it really does not matter what you use, as you'll be well protected regardless.

As already mentioned, for me, MD causes noticeable slowdowns. Since I don't want my computer to be running slowly, I would need to upgrade to a faster computer if I was to use MD. So it would actually cost me more to be using Microsoft's free antivirus, than a cheap third party one.

The links you posted prove absolutely nothing, as it's just the authors' opinions. You could just as easily have found articles saying that third party antivirus is better. Here's one I found which does just that.

Is Microsoft Defender good enough for your PC?

The short answer is, yes... to an extent. Microsoft Defender is good enough to defend your PC from malware on a general level, and has been improving a lot in terms of its antivirus engine in recent times.

That said, there are still free antivirus apps out there which offer better levels of protection, or more features (with improved levels of depth); or indeed all of the above. Given how simple a task it is for the majority of users to go through the process of installing a different third-party antivirus, it’s worthwhile doing that to avail yourself of these benefits.
 

Andy Ful

The discussion has somewhat positioned Defender against 3rd party AVs, and people who use Defender against those who use 3rd party AVs.:(
Such a division is artificial and unnecessary on MT. Most of the people who use Defender also used 3rd party AVs and liked them. Many will probably use 3rd party AVs in the future (for fun or good reason). Many of us use the AV we like and there is no good reason to stop doing this if it works well. Most of 3rd party commercial AVs are worth their price even when there are free good AVs available.
Should everybody use 3rd party AV? Probably no.
Should everybody use free AV? I do not think so.(y)

There is a difference between Defender and 3rd party AVs. Some people have the right to think that this difference is not worth paying and some others have the right to think otherwise. There is no universal truth when we take into account personal preferences and personal experience.:)
 

Andy Ful

I would like to note that @simalinga is the exact opposite of many people (also on MT) who still insist that people should not use Defender because there is a big difference in security technology and protection as compared to most of 3rd party AVs (even free ones). In such cases, I defended Defender (sometimes being irritated and harsh) because such a viewpoint contradicts the known facts. Many MT members use Defender and do not share extreme viewpoints about Defender vs. 3rd party AVs.
 

Adrian Ścibor

From AVLab.pl
I'd like to say something from myself, if I may.

When we're looking at AV-Comparatives' benchmarks for performance over the past few years, MD is always the last. Moreover, if someone checks the resource usage of Microsoft Defender or other apps, I recommend using the perfmon tool (CTRL+R and go to "perfmon" command). Then please set the average CPU and RAM usage for all the AV's processes and run the task for several hours in the background (for example if you work).

Then we can get better results, instead of momentary ones. Otherwise, we can always wait for 0-2% usage and take a screenshot.

Some tutorial how it works: Using PerfMon to track process performance - National Instruments
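
The long-run averaging described in the post above can also be scripted with the same performance counters that perfmon reads. This is an added example, not part of the original post. It assumes English counter names (they are localized on non-English Windows) and uses MsMpEng, Microsoft Defender's engine process, as the process to watch.

```powershell
# Added example: long-run average of an AV engine's CPU and memory use.
# Assumptions: English counter names and MsMpEng as the watched process.
$ProcessNames = @('MsMpEng')   # add the third-party AV's process names to compare
$IntervalSec  = 5
$MaxSamples   = 720            # 720 samples x 5 s = 1 hour; raise for longer runs
$Cores        = [Environment]::ProcessorCount

$counterPaths = foreach ($name in $ProcessNames) {
    "\Process($name)\% Processor Time"
    "\Process($name)\Working Set - Private"
}

# Collect every sample first; a single reading says little about the average.
$samples = Get-Counter -Counter $counterPaths -SampleInterval $IntervalSec -MaxSamples $MaxSamples |
    ForEach-Object { $_.CounterSamples } |
    ForEach-Object {
        [pscustomobject]@{
            Process = $_.InstanceName
            Counter = ($_.Path -split '\\')[-1]   # last path segment = counter name
            Value   = $_.CookedValue
        }
    }

$samples | Group-Object Process | ForEach-Object {
    $cpu = $_.Group | Where-Object Counter -eq '% processor time' |
        Measure-Object Value -Average -Maximum
    $ram = $_.Group | Where-Object Counter -eq 'working set - private' |
        Measure-Object Value -Average -Maximum
    [pscustomobject]@{
        Process   = $_.Name
        Samples   = $cpu.Count
        # "% Processor Time" is relative to one logical core, so divide by the
        # core count to get the whole-machine percentage Task Manager shows.
        CpuAvgPct = [math]::Round($cpu.Average / $Cores, 2)
        CpuMaxPct = [math]::Round($cpu.Maximum / $Cores, 2)
        RamAvgMB  = [math]::Round($ram.Average / 1MB, 1)
        RamMaxMB  = [math]::Round($ram.Maximum / 1MB, 1)
    }
} | Format-Table -AutoSize
```

Run it while doing normal work, so the average reflects the actual workload and not an idle desktop.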
 

SeriousHoax

Even this test could be misleading I think. For example: after setting this, if the main thing you do is web browsing then you'll see that some third-party AVs, especially those that have HTTPS scanning like Kaspersky, will use a higher CPU compared to Microsoft Defender.
If you're a developer and compiling apps then you'll see Microsoft Defender is consuming a higher CPU.
Sometimes things like system impact can't be and shouldn't be measured in CPU and RAM usage. The time it takes to perform a task is more important.
In the first example, Kaspersky will not only use more CPU but also have slower browsing speed compared to Defender. By only measuring this scenario one may say Kaspersky is worse than Microsoft Defender, is slow, and has a higher performance impact.
In the second case, Microsoft will have a high CPU usage as well as it will take more time to complete the task compared to Kaspersky. Now one may say, Microsoft Defender is worse.
Then there is a third scenario about launching common day-to-day apps like browsers, office apps, games, game launchers, where the main factor is the speed and where both of these AVs perform similarly in terms of speed even though there is some more or less CPU usage difference. Here AV A using 5% and AV B using 8% CPU while launching an app doesn't matter in a real-world scenario.
Microsoft Defender is both fast and slow. It depends on what the user does on the PC. If web browsing, office apps, playing games are the number 1 priority then nothing or almost nothing is faster than Microsoft Defender, if you do other CPU-heavy tasks then Microsoft Defender is noticeably slower than most.
So just looking at Microsoft Defender's position in the AV-Comparative results is 100% wrong. One has to analyze such reports properly and see if that matches his/her own experience.
 