I guess I just have trauma from the old WIndows XP days...
1.
www.av-comparatives.org
Also if the file was transfered via Bluetooth?
99.9999999% you don't have malware and from your habits only way to even get malware is via a state sponsored targeted attack and I'm pretty sure they won't waste an exploit chain to attack you
Well the 63.1% is via local signatures and default settings but you can extend it's behavior monitoring with tools on this site add software restriction polices too etc and anyway it's not easy for malware to get to systems nowadays the browsers are sandboxed and hardened and you rarely see sandbox escape (browser is the main way most malware goes through ) so as long as you have good habits and don't execute executables that sites download well you should be Malware free1.
Just to be sure, that we are talking about the same.
When I mean "offline scanner", I mean when MS Defender scans a file, and there is no internet connection.
Are you meaning the same?
2.
"the offline (signatures)"
How can local MS Defender on my laptop, contain signatures / bits of code, for all possible kinds of malware?
This I have never quite understood...
It makes sense to use and compare to an online cloud, since it has unlimited space / data.
3.
In regard of this test:
MS Defender has an online detection rate of 97.5% and offline detection rate of 63.1%.Malware Protection Test March 2024
The Malware Protection Test March 2024 assesses program’s ability to protect a system against malicious files before, during or after execution.
3.
If the offline scanner clears a file / says the file is clean, and the online scanner don't scan it - then how come the detection rate of the online scanner is way higher / almost 100%?
4.
To me that is a problem, that the offline scanner that is worse / not good - can clear / say a file is clean, and let the file come into the system. Because with a detection rate of 63.1%, it is letting a lot of bad stuff get through. Or am I misunderstanding something?
Thank you again for all your great replies!
Yes exactly, this is the offline scanner which rely on signatures.
The signatures are file containing hashes of known malware, it is just a kind of text files, and that makes their size very small on your laptop, so space is not a problem here, MS Defender signatures size around 160 MB, this can contain millions of signatures to deal with malware.
Yes this is because in tests they use new malware not old one, but in real world you will not face only new malware, if you are a target to the attacker mostly what you will find on the internet or in a USB stick and old malware, and old here not mean old for years, after 3 days of new malware it becomes old and most vendors will catch it.3.
In regard of this test:
MS Defender has an online detection rate of 97.5% and offline detection rate of 63.1%.Malware Protection Test March 2024
The Malware Protection Test March 2024 assesses program’s ability to protect a system against malicious files before, during or after execution.
Again this is about 0-day malware, so the offline scanner here didn't say these samples clear, it can't quarantine them because it doesn't have signatures about them, while the online scanner will test them in an isolated environment and get the result by testing.
Don't think about it as someone better than the other, look at them as each one of them compliment the other, in the end they are a security layers to close impossible gaps in security not to challenge each other, and this is the best to keep the performance lighter on the system and the procedure faster.
1.
2.
When it first discovers by any vendor consider it will be known for others too, so yes between 2 and 3 days.
No, the offline scanner scans it first, if it didn't recognize it, the online scanner scans it in the cloud, if it is malware then it will be quarantined for you and report it to be included in the next signatures update to be added to the offline scanner so it can deal with it in the future.
Didn't recognize it?
3.
Imagine the following scenario:
I don't have answer about this, but you can manage the period through 3rd-party apps like DefenderUI
I don't have answer about this too, but if you are suspicious about certain file that you can update the signatures before doing a scan, then you will mostly not need the online scanner.
No, the online scan have better results than the offline scan, no error.
Why should the offline scanner not be able to do it / determine the file?
Regarding your earlier post, it answers it aswell:
Because the definitions update in offline scanner didn't happen every second, it may happen daily or twice a day "you can configure if you want it to be shorter", while the online scanner is up-to-date all the time, so if the file is new it will not be determined in offline scanner "which is rarely".
You asked about the time needed for the online scanner to recheck a file after connecting to the internet, but my answer was about my experience while I was connected already to the internet and I don't really know exactly which component of MS Defender that blocked the file.
Edit: I think there are misunderstood between your question and my answer, I thought you asked about the time needed for MS Defender online scanner to check file after it connects again to the internet, but what I did with the CCleaner portable is that I disabled MS Defender completely, so when I enabled it back it catch the sample again, but as I mentioned I don't know which component that blocked the file.
