User Feedback Microsoft Defender 6/12/2020 Review

Software
Microsoft Defender
Installation
5.00 star(s)
Installation Feedback
Installation rating N/A
Interface (UI)
2.00 star(s)
Interface Feedback
See below
Usability
3.00 star(s)
Usability Feedback
See below
Performance and System Impact
4.00 star(s)
Performance and System Impact Feedback
See below
Protection
5.00 star(s)
Protection Feedback
See below
Real-time file system protection
5.00 star(s)
Proactive Intrusion protection
2.00 star(s)
Pros
  1. It's a free software
  2. No setup required
  3. Ransomware protection
  4. Excellent scores in independent tests
  5. Effective malware removal
Cons
  1. Clumsy or awkward interface (UI)
  2. Noticeable system impact
  3. Can be resource-hungry
  4. Scans can be rather slow
Software installed on computer
Less than 30 days
Computer specs
See configuration for details
Recommended for
  1. All types of users
Overall Rating
4.00 star(s)
Disclaimer
  1. Any views or opinions expressed are that of the member giving the information and may be subjective.
    This software may behave differently on your device.

    We encourage you to compare these opinions with others and take informed decisions on what security products to use.
    Before buying a product you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

McMcbrad

Level 23
Oct 16, 2020
1,252
Time has now come to review Windows/Microsoft Defender, as I stated earlier in a profile post.

As per usual, the test and review will be divided into a few categories:

1. Protection in Theory
This chapter of the review will scratch the surface of how Microsoft Defender works and will provide a brief explanation of the recipe of the product.

2. Protection Tested
This chapter will include my observations on how effective the product is and will be divided into 2 parts:
2.1. Out-of-the-Box Protection - default settings, no third-party tools
2.2. Protection achieved by using third-party tools, namely @Andy Ful's "Configure_Defender" set to "Recommended Level"

3. Additional Tools
This chapter will provide an overview and test of additional in-product tools that I have found useful, namely Controlled Folders Access.

4. Performance and impact
This chapter will provide an overview of how responsive the machine feels with Microsoft Defender as the primary AV in several different situations:
4.1 On Idle
4.2 On Browsing
4.3 In the event of a threat discovered
4.4 On software Installation and launch

5. User Interface and User Experience


Microsoft relies on every approach that is known today:
Machine Learning/AI, behavioural blocking, reputation enhancements, cloud detection and detonation.
This is no different from any other vendor, and by using Microsoft Defender you are not missing out on any of the current security trends.

How is protection tested?
The methodology was already discussed and is copied from my AVG review:

To conclude how good protection is, I test a product continuously for 14 days.
To perform the test I use samples and links collected from several sources, such as any.run, Hybrid Analysis, MalwareBazaar and others. I have several emails that have been breached and registered on not-so-trustworthy websites, so these receive a vast amount of phishing emails. I analyse relations on VirusTotal and discover more and more malware and links.

Every day the test includes:
  • 5 Phishing Links
  • 5 Malicious Links
  • 5 Malware Executables (*.exe files)
  • 5 Malicious Word/Excel Documents
  • 5 Scripts that abuse Windows processes
  • 5 Loaders that rely on PowerShell. I do not download these, but rather copy and paste the code into PowerShell.
  • Few Java malware files (*.jar)

I do not handpick links, but I specifically choose samples that are more difficult to detect (evasive, compressed, packed etc.). It's not necessary for these samples to be 0-days, but they should be prevalent.
The test has 2 outcomes - success (everything blocked) or failure (something has been missed).
A product must block everything to be successful.
It's not necessary for the malware sample to be deleted - for example, blocking a loader from downloading any additional files is good enough.
At the end I use Hitman Pro, Norton Power Eraser and RogueKiller, as well as various utilities such as Process Explorer, to establish whether everything has been blocked (when the behavioural blocker has been involved).
In case of ransomware, products that support Secure Folders should keep the selected folders unencrypted.
I discard PUPs from the test, due to the fact that different vendors have different understanding of what's PUP. I consider misleading applications a form of malware.

As a last stage of the test I usually register a service, a scheduled task and auto-run pointing to a malware sample and containing malicious PowerShell code. I perform a scan and then check whether everything has been removed.

From time to time I can come up with other tests. These will be discussed in separate threads.

Windows Defender did not let my system get compromised in many of the test cases (except with 3 samples). Even if threats were not discovered instantly, they were eradicated minutes later and fully remediated. This happened only 3 times, but it's important to note that once a credentials stealer has sent your data, or ransomware has encrypted your files, effective threat remediation is not helpful.
The product has one of the best removal engines I have seen (I've not tested Kaspersky extensively) and removes all threat artefacts effectively.
The only sample that was missed and compromised my system (not detected at all) was the Pegasus Ransomware, which looks more like a PoC, not like a real malware. Nevertheless, my system was encrypted and that can be seen here:

My usual tests with my own malicious PowerShell droppers and loaders were run and these were all blocked by Microsoft Defender behavioural blocking both Out-of-the-Box and with Configure_Defender.

I ran additional tests with PUPs and it is recommended that you use Configure_Defender, as detection and removal of these is not really great.
I also ran additional tests with a pack of cracks and these were all deleted with or without Configure_Defender.

All in all, Defender provides solid protection which can compete with, if not outperform many vendors out there, such as McAfee (in their home products).
I observed very quick reaction times to undetected malware, which is a very important factor to consider. It takes <10 minutes for Microsoft to react.
I have deliberately bypassed all SmartScreen warnings and all threats were still detected. Under normal circumstances, I believe SmartScreen warnings should be followed.

I tried the product's alleged IPS with various tools and I found it to be very ineffective.

False positives weren't an issue (if you don't count cracks), but I have tested it with a small number of programs frequently found on every computer.
Microsoft Defender is a no-bells and no-whistles package that doesn't include anything unnecessary - after all, the package is part of Windows Security. Defender is just the antivirus component of the whole ecosystem. Exploit Prevention, Core Isolation, Firewall and Parental Controls are included within Windows Security and can be combined with other products, if needed. This type of modular design allows for countless possible configurations with third-party tools.

The only tool that I saw is the ransomware protection - it can back up files to OneDrive - it might be a great idea to purchase space and use this feature.
Controlled Folders Access is also part of this module, but its over-sensitivity caused me to disable it quickly. Every software installation, as well as every file change triggers a warning.
It might be a good idea to collect all sensitive data in one folder and protect it.

Java ransomware was able to bypass CFA, which can be seen in this thread again:

Microsoft Defender's impact is almost unnoticeable during idle:


On browsing it doesn't even reach 1%.

During software launch (Adobe Photoshop, Visual Studio 2019, Microsoft Office Apps, Google Chrome) it barely reaches 5-6%.
During software installation, archiving/unarchiving it goes up to 15-20%, which has been improved from before.

This makes Microsoft Defender almost invisible to many users.

However, once a threat has been detected, things change. This has caused me to end the Microsoft Defender test prematurely.
Every time a threat has been detected (especially if it's ransomware) a very lengthy removal procedure is started. This is a behaviour I have observed in Norton too.
There is a CPU activity of 20-30% going on for quite some time (half an hour approximately) and it goes up to 90%. Resmon check revealed that the product is performing a full scan, but there is no communication/notification over what it is doing.



In this case I downloaded 3 threats which were all discovered by Microsoft Defender. The ongoing activity was again, full system scan and kept going on for 30-40 minutes.

Under normal circumstances everything feels snappy and responsive.
User Interface/Experience and usability are not an area of excellence in Microsoft Defender.
The product issued prompts for all threats that it detected and I had to click "Apply Actions" for them to be removed. This triggered the high CPU activity already discussed above, but sometimes led to awkward notifications:

It says feel free to keep working whilst we take actions, which is very reassuring.


A few minutes later this appears:


It says "Threats found, see recommended actions", but there are no recommendations anywhere.
This remained for quite some time and then I was prompted to remove the same threats again.
When I opened the UI, there were no threats on the list at all.
I had to reboot my system and the same behaviour re-occurred. After the second reboot, Defender managed to remove them.
They were not even active infections, they were files that I just downloaded and didn't even execute.

There is a weird scanning behaviour as well - scans only go on until you close the window. As soon as you close it, they stop, this can be mitigated by simply minimizing the window.

Microsoft Defender alerts are still infrequent and free of complicated tech terms. It also doesn't display any nags/ads.
Using custom malware, I was able to completely disable Windows Defender. This is something that should be fixed ASAP. I will contact Microsoft with more details, as malware authors may abuse the same tactic. I also observed other tactics used in-the-wild.

Final Verdict:
Microsoft Defender offers solid protection that can compete with all main leaders, without installation or payment.
Performance and usability glitches can be faced frequently in synthetic situations, but in a real world where users won't come across malware so frequently, they probably won't matter.
Users looking for a free protection package don't need to look any further.
However, paranoid ransomware protection (which causes it to be turned off, which = nonexistent) and lack of Web Protection/System-Wide Web Blocking might be a reason to look elsewhere, if more premium protection is needed.

The next product to be tested and reviewed will be Kaspersky Internet Security.
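The review's last stage (a service, a scheduled task and an autorun pointing at a sample, then a scan and a check that everything was removed) can be verified from the defender's side with a script. The PowerShell below is an added example written for this thread, not code from the review or from Microsoft; it takes a placeholder sample path and reports any Run/RunOnce value, scheduled task action, service image path or leftover file that still references it after the scan, and separately flags autoruns that launch an encoded PowerShell command, since the review's loaders are PowerShell-based.

```powershell
# Added example (not from the review): after Defender reports a sample removed, look for
# persistence entries that still point at it. $SamplePath is a placeholder standing in for
# wherever the test sample was placed.
function Find-RemediationLeftovers {
    param([Parameter(Mandatory)][string]$SamplePath)

    $leftovers = New-Object System.Collections.Generic.List[object]
    $pattern   = [regex]::Escape($SamplePath)          # literal match, even if the path has regex characters
    $encodedPs = 'powershell.*\s-(e|ec|enc|encodedcommand)\s'   # heuristic for encoded PowerShell launchers
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Autorun entries: Run and RunOnce keys for the current user and the machine
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }    # provider metadata, not an autorun value
            $value = "$($p.Value)"
            if ($value -match $pattern) {
                $leftovers.Add([pscustomobject]@{ Type = 'Autorun'; Name = "$key\$($p.Name)"; Command = $value })
            } elseif ($value -match $encodedPs) {
                $leftovers.Add([pscustomobject]@{ Type = 'Autorun (encoded PowerShell)'; Name = "$key\$($p.Name)"; Command = $value })
            }
        }
    }

    # 2. Scheduled tasks whose action launches or references the sample
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match $pattern) {
                $leftovers.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd })
            } elseif ($cmd -match $encodedPs) {
                $leftovers.Add([pscustomobject]@{ Type = 'ScheduledTask (encoded PowerShell)'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd })
            }
        }
    }

    # 3. Services whose image path references the sample
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ("$($svc.PathName)" -match $pattern) {
            $leftovers.Add([pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Command = $svc.PathName })
        }
    }

    # 4. The sample file itself
    if (Test-Path -LiteralPath $SamplePath) {
        $leftovers.Add([pscustomobject]@{ Type = 'File'; Name = $SamplePath; Command = 'still present on disk' })
    }

    return $leftovers
}

# Placeholder sample path chosen for the example
$found = Find-RemediationLeftovers -SamplePath "$env:USERPROFILE\Downloads\test_sample_placeholder.exe"
if ($found.Count -eq 0) {
    'Remediation complete: no autorun, task, service or file still references the sample.'
} else {
    'Remediation incomplete:'
    $found | Format-Table -AutoSize
}
```

Run it from an elevated session so that HKLM and every task folder are readable; an empty result means Defender removed the persistence entries as well as the file, which is what the review's last stage is checking. The encoded-PowerShell heuristic is there for the case the review mentions where the autorun carries the malicious code itself instead of a path.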
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
2. Protection Tested
...
2.2. Protection achieved by using third-party tools, namely @Andy Ful's "Configure_Defender" set to "Recommended Level"
This was probably HIGH Protection Level (and it is recommended by me).:)
However, paranoid ransomware protection (which causes it to be turned off, which = nonexistent) and lack of Web Protection/System-Wide Web Blocking might be a reason to look elsewhere, if more premium protection is needed.
Yes, without advanced settings WD is not for users who seek advanced protection.
One can get excellent Web Protection by using the Edge web browser (SmartScreen + PUA protection).
The System-Wide Web Blocking can be enabled by using ConfigureDefender HIGH Protection Level (the option "Network Protection"). (y)

In the home environment:
Edge + WD + ConfigureDefender HIGH ~ any AV Home version (free or paid).

If one does not care about Password Manager, VPN, and Banking module in the home environment then:
Edge + WD + ConfigureDefender MAX ~ any AV Business version with ATP (not tweaked).

The advantage of some third-party AVs can be visible while tweaking the ATP features like Application Control in KIS or HIPS in Eset. But this advantage can hardly be seen in the home environment.
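The settings Andy Ful refers to (Network Protection as the system-wide web block) and the Controlled Folder Access the review found over-sensitive can be inspected and adjusted directly with the built-in Defender cmdlets, without ConfigureDefender. The block below is an added example for this thread, not ConfigureDefender's code and nothing from the review; the folder and application paths are placeholders, and the rule GUID is the one Microsoft documents for the "Block credential stealing from LSASS" ASR rule that comes up later in the thread.

```powershell
# Added example (not from the thread): inspect and configure the Defender features
# discussed above with the built-in cmdlets. Run from an elevated PowerShell session.
$protectedFolder = "$env:USERPROFILE\Documents\Sensitive"       # placeholder folder
$trustedApp      = 'C:\Program Files\ExampleEditor\editor.exe'  # placeholder application

function Show-DefenderHardening {
    # Enumeration values for the Enable* settings: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    $pref = Get-MpPreference
    "Network Protection       : $($pref.EnableNetworkProtection)"
    "Controlled Folder Access : $($pref.EnableControlledFolderAccess)"
    "Protected folders        : $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
    "Allowed applications     : $($pref.ControlledFolderAccessAllowedApplications -join ', ')"
    # ASR rule ids and actions are parallel arrays, paired by position
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        "ASR rule {0}  action={1}" -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

'--- before ---'
Show-DefenderHardening

# Network Protection in block mode applies to every process, not only the browser
Set-MpPreference -EnableNetworkProtection Enabled

# Controlled Folder Access: start in audit mode so that event ID 1124 shows which programs
# would have been blocked; allow-list them, then switch to Enabled. This avoids the flood
# of blocks the review ran into when every installer touched a protected folder.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp

# "Block credential stealing from the Windows local security authority subsystem (lsass.exe)";
# GUID taken from Microsoft's ASR rule reference
$lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule -AttackSurfaceReductionRules_Actions Enabled

'--- after ---'
Show-DefenderHardening
```

Once the audit period shows no legitimate program hitting the protected folder, `Set-MpPreference -EnableControlledFolderAccess Enabled` turns blocking on; keeping the protected set to one folder of sensitive data, as the review suggests, keeps the allow-list short.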
 

FireHammer

Level 9
Aug 27, 2020
427
Hi, @McMcbrad, I have read your full report; there is so much I could learn about AVs in general, not just Microsoft Windows Defender. It is a wonderful Forum, and I am so happy to be a part of it. There are often words or phrases I do not understand, but the more I read articles like yours, or short messages given in a rush, then suddenly the pieces fit together! I love every day that I am a member of this outstanding Forum, and communicate with its very capable members. Thanks, Everyone!:love:
I apologize for the incorrect grammar.:unsure:
Kind Regards @FireHammer.:)
 

McMcbrad

Level 23
Oct 16, 2020
1,252
Can you clarify how your default and ConfigureDefender results differed
Java as an infection vector was hit and miss in any case, and a Java Discord RAT that I was again the first to discover was fully missed.
I believe there is Simple Windows Hardener that can close this loophole. Excuse me if I didn't get the name right.

Other vectors such as maldocs (malicious documents) were 100% blocked with Configure_Defender, whilst there were minor misses, followed by remediation on default setup.
I couldn't run some of my custom malware at all, namely the PowerShell loaders and droppers that I do with Configure Defender, which means this "portal" if we can call it that way is fully closed, rather than being open and attempting to secure it.
I tried to write malware to test one of the rules, "Block Credentials from LSASS", but it was taking me too much time to research that, so I left it untested.

From the above, the conclusion is that Configure_Defender closes some "doors" completely, before Microsoft is able to identify the bad guys trying to sneak in through them.

Hi, @McMcbrad, I have read your full report; there is so much I could learn about AVs in general, not just Microsoft Windows Defender. It is a wonderful Forum, and I am so happy to be a part of it. There are often words or phrases I do not understand, but the more I read articles like yours, or short messages given in a rush, then suddenly the pieces fit together! I love every day that I am a member of this outstanding Forum, and communicate with its very capable members. Thanks, Everyone!:love:
I apologize for the incorrect grammar.:unsure:
Kind Regards @FireHammer.:)
When reading your messages I always thought your English was great, but I am glad you feel this way :)
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
I pressed High, as this is the middle ground and the network protection option got turned on, but I didn't see it blocking anything. Is that a bug?
  1. Did you restart the computer?
  2. In many cases, Network Protection does not block the malicious domain or subdomain, but only the malicious file (if it is loaded when rendering the web page). So, you have to try downloading the malware from the website to see the block (use scripting to avoid SmartScreen in Edge).
 

McMcbrad

Level 23
Oct 16, 2020
1,252
  1. Did you restart the computer?
  2. In many cases, Network Protection does not block the malicious domain or subdomain, but only the malicious file (if it is loaded when rendering the web page). So, you have to try downloading the malware from the website to see the block (use scripting to avoid SmartScreen in Edge).
Is that supposed to work on a system-wide level or only in Edge?
 

McMcbrad

Level 23
Oct 16, 2020
1,252
You can test the Network Protection by using the below command-line in PowerShell console:
Code:
Import-Module bitstransfer;Start-BitsTransfer 'https://smartscreentestratings2.net/sumo_lite.exe' $home\Downloads\sumo_lite.exe;
An alert appeared, saying that administrator doesn't allow me to access content from this page... maybe it's just the links that I get are not blacklisted :D
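Whether that "administrator doesn't allow access" alert came from Network Protection rather than from SmartScreen in the browser, and whether it was a block or only an audit, can be confirmed from the Defender operational event log, which records Network Protection events for any process on the system (which is also the answer to the system-wide vs Edge-only question above). The PowerShell below is an added example, not part of the thread; event IDs 1125 (audited) and 1126 (blocked) are the ones Microsoft documents for Network Protection.

```powershell
# Added example (not from the thread): list recent Network Protection events from the
# Defender operational log to confirm a block such as the Start-BitsTransfer test above.
# Event IDs per Microsoft's Defender event reference: 1125 = audited, 1126 = blocked.
function Get-NetworkProtectionEvents {
    param([int]$MaxEvents = 20)
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Windows Defender/Operational'
            Id      = 1125, 1126
        } -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result
        @()
    }
}

$events = Get-NetworkProtectionEvents
if ($events.Count -eq 0) {
    'No Network Protection events recorded. Check that EnableNetworkProtection is 1 (Get-MpPreference) and that the test fetched a URL Defender actually lists.'
} else {
    foreach ($e in $events) {
        $mode = if ($e.Id -eq 1126) { 'BLOCK' } else { 'AUDIT' }
        # The message records the process and destination Defender evaluated
        '{0}  {1}  {2}' -f $e.TimeCreated, $mode, ($e.Message -replace '\s+', ' ')
    }
}
```

A 1126 entry whose process is not the browser (for the BITS test above it would be the PowerShell host or the BITS service) is the evidence that the block is system-wide; a 1125 entry means Network Protection is in audit mode and only logged the request.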
 

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,383
Great review 👌 Thanks.
The less than 10 mins reaction time after first infection is a really crucial point and in home environments not every product is reactive like this.
maybe it's just the links that I get are not blacklisted :D
That's probably the case. SmartScreen's web protection isn't as good as the likes of Bitdefender, ESET, McAfee, Kaspersky, etc. You can verify this by opening malicious links in Edge first. If it gets blocked in Edge by SmartScreen then try it in other browsers or using other methods outside of browsers. I checked this two days ago and it was working.
 

oldschool

Level 59
Verified
Mar 29, 2018
4,833
Performance and usability glitches can be faced frequently in synthetic situations, but in a real world where users won't come across malware so frequently, they probably won't matter.
This line in particular is one really great aspect of your review. You don't sugarcoat anything in your analysis and then lay it all out in plain language. Most excellent! (y)(y):D
 