App Review Microsoft Defender Antivirus (Default Settings + DefenderUI Recommended Settings)

Content created by
Shadowra

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
Use it for a week or two. Then install Avast/AVG Free Antivirus or Kaspersky Free. You will notice the difference.
I used Kaspersky Standard (IIRC) several months ago, seemed a tad slower here than MS Defender. I am sure Avast is very good, I see its test reports, but for me Avast has always been problematic, and I could never figure out why. Last time, I tried Avast One which lasted a few days and uninstalled. I'll get around trying Avast Free again in the near future. Is Free going to stay available or is One going to be the only version available in foreseeable future, if you know. :unsure:
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
It seems to me that Defender changes the way it scans in aggressive mode, basing itself on infection patterns.
@SeriousHoax could answer better than me :)
Sorry I didn't see the post before. But yeah, changing cloud protection level will have an impact on malware detection. On default cloud protection level, files with 90% malicious certainty by the cloud ML are detected which is enough for most samples. High put it down to 80% so would detect more. High plus/equivalent to Highest in Configure Defender should lower it down further. I haven't found any document/blog where Microsoft shared the exact value of High plus but it's probably 70%.
But Microsoft states that putting it to High plus might affect client performance and I can confirm that it surely does for some apps on my system and also for some downloaded files. It also twice produced false positives with Epic Games a couple of years ago and few more here and there. So, protection and false positives both will increase. Setting cloud protection to Zero tolerance made MD detect more in Shadowra's quick testing compared to my test with the same sample on default settings.
Personally, I just keep it on default as I'm kind of an expert user who knows how to avoid malware even when I need to dazzle into the world of piracy. Currently I'm using everything on default (except cloud timeout is set to 60 seconds instead of default 10), not even ASR rules 😛
But keep in mind that for MD's cloud protection to properly work, files must have Mark of the Web.
file hash computation
This is not related to protection. It's not needed for home users.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
On default cloud protection level, files with 90% malicious certainty by the cloud ML are detected which is enough for most samples. High put it down to 80% so would detect more. High plus/equivalent to Highest in Configure Defender should lower it down further. I haven't found any document/blog where Microsoft shared the exact value of High plus but it's probably 70%.
But Microsoft states that putting it to High plus might affect client performance and I can confirm that it surely does for some apps on my system and also for some downloaded files. It also twice produced false positives with Epic Games a couple of years ago and few more here and there. So, protection and false positives both will increase. Setting cloud protection to Zero tolerance made MD detect more in Shadowra's quick testing compared to my test with the same sample on default settings.
Personally, I just keep it on default as I'm kind of an expert user w
But keep in mind that for MD's cloud protection to properly work, files must have Mark of the Web.
Good info, for clarification (for me) I'm running DefenderUI. I have (had) it set to Recommended Profile and Basic | Cloud Protection is High+ with 20 sec timeout & User = SmartScreen . I just increased timeout to 30s. I do not have noticeable slowdown with MD on my win10_VM, it's all relative. :whistle: (changing the timeout to 30s, now I have a Custom Profile)
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
What is it related to? Threat hunting and remediation? 🤔

@SpyNetGirl enables it with her hardening script. Harden Windows Security | Only with official documented methods | Always up to date
Microsoft Defender Antivirus has the file hash computation feature that computes file hashes for every executable file that is scanned if it wasn't previously computed. This has a performance cost especially when copying large files from a network share.
Yeah, maybe something for threat hunting or maybe for performance but that part doesn't make much sense. For personal users, I only see downsides because this will increase CPU usage as MD will have to compute the hash of every scanned executables. MD also seems to remove cache after a system shutdown (if fast startup is disabled) and reboot, so this will probably make MD compute hash again and again on every reboot.
I think it's different from what I have enabled which logs the hash only for threats that are detected by the real-time protection. Configure Defender has this integration so I can just open the detection log from Configure Defender and check the hash on VirusTotal if needed. You can enable that by entering this in Terminal as admin,
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ThreatFileHashLogging" /t REG_DWORD /d "1" /f
 
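Added example, not from the thread or from any of the tools named in it: a read-only PowerShell audit of the settings discussed in the two posts above (cloud protection level and timeout, file hash computation, and the ThreatFileHashLogging policy value written by the reg add command). The Get-MpPreference property names and the CloudBlockLevel numbering are taken from the Set-MpPreference documentation; the "High+" and "Zero tolerance" labels are assumed to match the Configure Defender/DefenderUI naming used in the thread.

```powershell
# Added example (not from the thread): read-only audit of the Defender settings
# discussed above. Requires Windows with Microsoft Defender Antivirus; run as admin.
# Cloud block level numbers follow the Set-MpPreference -CloudBlockLevel enum:
# 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance.
$levelNames = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'High+'; 6 = 'Zero tolerance' }

$pref = Get-MpPreference

# Policy value set by the 'reg add' command above (absent = not configured).
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$hashLogging = (Get-ItemProperty -Path $policyKey -Name 'ThreatFileHashLogging' `
                -ErrorAction SilentlyContinue).ThreatFileHashLogging

$level  = [int]$pref.CloudBlockLevel
$report = [ordered]@{
    'Cloud block level'         = if ($levelNames.ContainsKey($level)) { "$level ($($levelNames[$level]))" } else { "$level (unknown)" }
    'Cloud timeout (seconds)'   = 10 + [int]$pref.CloudExtendedTimeout   # default 10 s plus the extended value
    'MAPS reporting'            = $pref.MAPSReporting                    # 0 = off; cloud protection needs this on
    'Sample submission consent' = $pref.SubmitSamplesConsent
    'File hash computation'     = $pref.EnableFileHashComputation        # hashes every scanned executable
    'Threat file hash logging'  = if ($null -eq $hashLogging) { 'not configured' } else { $hashLogging }
}

$report.GetEnumerator() | ForEach-Object { '{0,-26}: {1}' -f $_.Key, $_.Value }

# Observations below follow what the thread reports, not a hard rule.
if ($level -ge 4) {
    Write-Host 'Cloud block level is High+ or above: expect more detections, more false positives, and some slowdown.'
}
if ($pref.EnableFileHashComputation) {
    Write-Host 'EnableFileHashComputation is on: every scanned executable is hashed; only useful with a portal that consumes the hashes.'
}
if ($pref.MAPSReporting -eq 0) {
    Write-Host 'MAPS reporting is off: the cloud block level has no effect without cloud-delivered protection.'
}
```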

bazang

Level 8
Jul 3, 2024
359
What is it related to? Threat hunting and remediation? 🤔

@SpyNetGirl enables it with her hardening script. Harden Windows Security | Only with official documented methods | Always up to date
Enabling file hashing has to be paired with Defender Threat Intelligence - which is available to Volume License (Enterprise) subscribers to the commercial\government product line. The hash is used to create an "Indicator" that can be used to create alerts (rule-based upon the various "Indicators" that can be configured).

Windows is a generic operating system that is available as a single image. That means it can be configured to activate the various features during installation based upon a number of factors, such as the license key entered. The key thing to understand is that fundamentally, the different Windows editions are the same as far as the core code.

What this means is that just because it ships with the operating system image does not mean that it makes sense to activate a security feature. Quite a few of the enterprise\government security features do not perform the function intended without the associated web management portal.

File hash computation achieves nothing without simultaneous use of one of the various web-based portals as it is a web-based portal that actually does something with the computed file hashes.
 

bazang

Level 8
Jul 3, 2024
359
Like threat hunting, etc.
Or whatever Microsoft is calling it now. From 2021 to 2023 Microsoft renamed so many of its products, needlessly added names to features to make people think they're getting something new, and re-shuffled the product alignments & licenses to the extent that not even Microsoft personnel can figure out their own employer's products. In fact, only Senior specialists at Microsoft really know how to decipher the Microsoft products & licenses Rosetta Stone. Virtually none of the Microsoft Support personnel have a clue. Microsoft Partners have complained for decades about Microsoft's obnoxious "product re-name" culture.

Threat Intelligence, Threat Hunting, etc - all can be achieved 55.78 different ways on 29.41 Microsoft products & platforms all having different names that will be changed 109.57 times within the next 18 months. All you really do know is that the subscription fees and add-on prices keep going up. With every re-name there is a 10% price increase along with a requirement to purchase an additional 5 different service subscriptions so you can get whatever was re-named to actually function under Microsoft's re-shuffle scheme.

The U.S. Government receives 90% less from Microsoft for 40X the price of its 1995 contracts with Microsoft. A substantial part of that cost increase is driven by the subterfuge of highly confusing marketing.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,697
not even Microsoft personnel can figure out their own employer's products. In fact, only Senior specialists at Microsoft really know how to decipher the Microsoft products & licenses Rosetta Stone. Virtually none of the Microsoft Support personnel have a clue. Microsoft Partners have complained for decades about Microsoft's obnoxious "product re-name" culture.
Trying to find accurate, intelligible and pertinent official documentation is virtually impossible, and at best exceedingly difficult.
 

bazang

Level 8
Jul 3, 2024
359
Trying to find accurate, intelligible and pertinent official documentation is virtually impossible, and at best exceedingly difficult.
Everyone experiences this. It is not unique to Windows Home users. Microsoft Partners\Resellers, every local, state, and federal government institution or agency, Managed Service Providers (MSP), Managed Security Service Providers (MSSP), developers, program managers, contractors, etc.

Navigating Microsoft's products and services is a diabolical labyrinth of information with various sub-basements of confusing hell. It takes a lot of effort even for those that sell the products and services. When you think you know, you quickly learn you do not know because nobody seems to know - not even most of Microsoft itself. Only the chosen few do and nobody can reach them because Microsoft deliberately silos them off from the rest of the world. They're not allowed out much. Not even Satya Nadella can reach them.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
Trying to find accurate, intelligible and pertinent official documentation is virtually impossible, and at best exceedingly difficult.
no kidding! I was looking at MS Defender for Business a few months ago, never installed it, but somehow MS is / has been charging me $3.95/month with no way to contact them, no way to login to whatever MS account is making that charge. At that price I haven't gone to extreme lengths yet to get this fixed, but sorta amazing to me they're charging me for a product they know or should know I'm not using, never used, never fully deployed.
 

bazang

Level 8
Jul 3, 2024
359
Trying to find accurate, intelligible and pertinent official documentation is virtually impossible, and at best exceedingly difficult.
Either you have direct M$ contacts that know and supply the infos or you join a multitude of M$ Communities and post a lot of questions - of which you might get accurate, inaccurate, partial, not relevant, or other superfluous infos. But generally getting accurate infos involves persistence over a very long period of time, asking questions on the various M$ GitHub projects (Discussions), submitting questions to the official Microsoft Document keepers (their contact infos are usually on the webpage or at GitHub), submitting questions directly to the various Microsoft Product teams, and posting questions on:



The Big Ones for security:




I need a full-time assistant whose occupation is to manage all the Microsoft platforms that I need to participate on and collect the info across 5,000 Microsoft web hosted resources. Even if one does get the infos, those infos usually are not anything beyond basic. One has to dig, test, and figure out if it actually applies to whatever they are attempting to do or figure out.

@Andy Ful and @SpyNetGirl know of more or better sources of Windows security infos. Those sources will not necessarily be up-to-date or complete. A lot of it is decentralized and piecemeal. Bread crumbs.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,697
@Andy Ful and @SpyNetGirl know of more or better sources of Windows security infos. Those sources will not necessarily be up-to-date or complete. A lot of it is decentralized and piecemeal. Bread crumbs.
These forums are next to useless for Windows Home and Pro users. Searching on the forums themselves is impossible, so we're mostly relegated to Google or other search engines.
 

bazang

Level 8
Jul 3, 2024
359
These forums are next to useless for Windows Home and Pro users. Searching on the forums themselves is impossible, so we're mostly relegated to Google or other search engines.
Long-time participation on the Tech Communities can lead to online working relationships with some Microsoft employees. I am not sure where @SpyNetGirl gets her infos, but I do know she participates or did participate a lot on the Tech Communities and Windows Insider Program. Probably still does.

As far as Windows Internals, @Andy Ful has scoured the internet for sources. Those sources are all over the place and much of what he figured out he did in his test environments. There's a ton of Windows security behaviors that are not documented.
 
