App Review Microsoft Defender Antivirus Tested 7.3.21

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Computer Solutions
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Microsoft Defender is weird. In my testing, I have seen its right-click scanner not detecting samples even for which it did have local signatures. Then I turned off the internet and entered into the folder containing malware and it started detecting most of them.
I don't know if their scanner is broken or it's like this by design. It's very much dependent on the Real-time protection module. With an internet connection, the real-time scanner will detect most samples anyway so users will remain protected.
 
  • Like
Reactions: KonradPL, roger_m, Venustus and 8 others
CyberTech

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,250
SeriousHoax said:
Microsoft Defender is weird. In my testing, I have seen its right-click scanner not detecting samples even for which it did have local signatures. Then I turned off the internet and entered into the folder containing malware and it started detecting most of them.
I don't know if their scanner is broken or it's like this by design. It's very much dependent on the Real-time protection module. With an internet connection, the real-time scanner will detect most samples anyway so users will remain protected.
Click to expand...
Maybe thats because of Windows 11? it's beta..
 
  • Like
Reactions: KonradPL, Dave Russo, Venustus and 5 others
Marko :)

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,263
SeriousHoax said:
Microsoft Defender is weird. In my testing, I have seen its right-click scanner not detecting samples even for which it did have local signatures. Then I turned off the internet and entered into the folder containing malware and it started detecting most of them.
I don't know if their scanner is broken or it's like this by design. It's very much dependent on the Real-time protection module. With an internet connection, the real-time scanner will detect most samples anyway so users will remain protected.
Click to expand...
Microsoft should really fix the Defender. It's the most buggiest antivirus software I've seen. So, I tested it few times before with the simple EICAR test file. Detection was fine, but for some strange reason, it couldn't quarantine or delete the file. Then I've tried to delete it manually, but couldn't because Defender was using the file and it was "locked". It kept nagging me how threats were found and the only way for me to get rid of it was to add an exclusion in Defender, delete it and then remove exclusion.
Not to mention it takes ages to quarantine/delete the file while competitors do it in the matter of seconds.

They should make new Defender from scratch. SmartScreen too as there are more private ways to do it instead sending full URLs of visited websites.
CyberTech said:
Maybe thats because of Windows 11? it's beta..
Click to expand...
It's just the way how Defender works. It's the same in 10.
 
Last edited:
  • Like
  • Applause
Reactions: KonradPL, Dave Russo, Venustus and 6 others
M

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
SeriousHoax said:
Microsoft Defender is weird. In my testing, I have seen its right-click scanner not detecting samples even for which it did have local signatures. Then I turned off the internet and entered into the folder containing malware and it started detecting most of them.
I don't know if their scanner is broken or it's like this by design. It's very much dependent on the Real-time protection module. With an internet connection, the real-time scanner will detect most samples anyway so users will remain protected.
Click to expand...
I’ve noticed the same! Funnily enough I swear it always reliably deletes the KMS activators and watermark removers from my VMs’ desktops the moment my primary AV reloads due to an update but there are times where the on demand scanner just doesn’t want to detect anything at all.

I get that MD’s primary purpose is real-time protection of the everyday user (and secondarily competing with enterprise endpoint features) but it’s a bit of a shame because with a bit more work it can genuinely replace so many use cases of paid AVs, it’s just that doesn’t seem to be their priority.
 
  • Like
Reactions: KonradPL, roger_m, Dave Russo and 6 others
Dave Russo

Dave Russo

Level 22
Verified
Top Poster
Well-known
May 26, 2014
1,130
SeriousHoax said:
Microsoft Defender is weird. In my testing, I have seen its right-click scanner not detecting samples even for which it did have local signatures. Then I turned off the internet and entered into the folder containing malware and it started detecting most of them.
I don't know if their scanner is broken or it's like this by design. It's very much dependent on the Real-time protection module. With an internet connection, the real-time scanner will detect most samples anyway so users will remain protected.
Click to expand...
Just when I decided to just use Microsoft Defender(I'm doubting again)
 
  • Sad
  • Like
Reactions: KonradPL, cryogent, Venustus and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
It seems that the author wrongly recognized the number of detected threats in signature (offline) tests.
In the File Detection test - New malware samples (300) the result was 75 threats found, but most of the detected samples were not removed by Defender from the folder with malware samples (removal can last several minutes).

1625758994776.png


The correct number of detected samples could be counted by inspecting Windows Event Log.

Normally such a test would be worthless because of the small number of samples and several methodology flaws. But in this case, the signature detection of Defender differs significantly from other products, so it can show something real. Detecting even all 75 threats (from 300) is still a poor signature detection result. This is a well known fact for Defender local signatures. One can compare it with the professional tests made by AV-Comparatives that show the same.

On the contrary to signature tests, other tests in this video showed very good results. But, this means nothing, because of the small number of samples and flawed methodology. Testing other AVs in this way cannot show statistically meaningful differences between popular AVs.
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: KonradPL, Szellem, roger_m and 12 others
Marko :)

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,263
Just tried the cloud protection using the file downloaded from Microsoft Defender Testground. I could normally run the file that was supposed to be detected by the Defender. Even right-click scan isn't finding anything suspicious.

Is this some kind of joke?

Screenshot_1.png Screenshot_2.png Screenshot_3.png Screenshot_4.png
 
  • Wow
  • Like
Reactions: KonradPL, Dave Russo, Venustus and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Marko :) said:
Just tried the cloud protection using the file downloaded from Microsoft Defender Testground. I could normally run the file that was supposed to be detected by the Defender. Even right-click scan isn't finding anything suspicious.

Is this some kind of joke?

View attachment 259568 View attachment 259569 View attachment 259570 View attachment 259571
Click to expand...
It is not. These files are for testing the efficiency of Cloud Protection Level. They are fully detected only with Cloud Protection Level set to Highest. With default settings, most samples created in the test will not be detected.
 
  • Like
  • Wow
Reactions: KonradPL, roger_m, Venustus and 2 others
M

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Microsoft never announced that Windows 11’s MD would be different from Windows 10’s. We shouldn’t be surprised here.

This doesn’t really affect the user in the real world, it’s more just something to keep in mind for people with special use cases or who rely on right-click scanning to protect others.
 
  • Like
Reactions: KonradPL, roger_m, Dave Russo and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
MacDefender said:
...
This doesn’t really affect the user in the real world, it’s more just something to keep in mind for people with special use cases or who rely on right-click scanning to protect others.
Click to expand...
Yes, in such cases, Defender alone is not a good solution.
Anyway, it is easy to support it by HitmanPro or simply upload the samples to OneDrive (online storage) and download them to disk. The downloaded files will get the MOTW and they will be automatically checked in the Defender Cloud via "Block at First Sight" feature.
 
  • Like
  • Thanks
Reactions: roger_m, Dave Russo, CyberTech and 3 others
marcopaone

marcopaone

Level 7
Verified
Well-known
Jul 15, 2016
321
  • Like
Reactions: Dave Russo and Venustus
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
marcopaone said:
Same here... I'm in high protection.
Click to expand...
Your irony is understandable. :)

But when using Defender + Edge, you have a similarly "high protection" as with any Home AV on default settings.
When Defender uses Cloud, the signatures are needed only to remove leftovers that were dropped to disk and were not executed.
 
Last edited:
  • Like
  • Applause
Reactions: KonradPL, Lenny_Fox, Yanick and 6 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
CyberTech said:
Maybe thats because of Windows 11? it's beta..
Click to expand...
The experience that I shared is based on Windows 10's Microsoft Defender. Windows 11's Defender is the same but it's possible that there are a few bugs here and there but don't think that would change the on-demand scanner result shown in the video.
Marko :) said:
Detection was fine, but for some strange reason, it couldn't quarantine or delete the file. Then I've tried to delete it manually, but couldn't because Defender was using the file and it was "locked". It kept nagging me how threats were found and the only way for me to get rid of it was to add an exclusion in Defender, delete it and then remove exclusion.
Click to expand...
I haven't face the latter part but the first part happens a lot when I decide to test it against multiple samples (not all at once like Leo does, I do one by one and wait for it to finish its removal process). A couple of weeks ago it detected malware after execution with its cloud protection and asked for a system restart for full removal. I checked task manager and Defender wasn't using any CPU so I decided to restart the system but after restarting, the files were still there and Defender UI kept showing active threats even after I told it to delete them. I was able to delete those files after disabling Defender's real-time protection and running a scan of Norton Power Eraser (Manual deleting was also possible).
MacDefender said:
I get that MD’s primary purpose is real-time protection of the everyday user (and secondarily competing with enterprise endpoint features) but it’s a bit of a shame because with a bit more work it can genuinely replace so many use cases of paid AVs, it’s just that doesn’t seem to be their priority.
Click to expand...
I fully agree. I still think Defender is good enough for average consumers but some of the flaws it has are simply terrible. I have not seen other home AVs with these types of issues. I don't understand why Microsoft doesn't bother with these basic flaws.
 
  • Like
  • +Reputation
  • Wow
Reactions: ErzCrz, Yanick, Marko :) and 9 others
peterfat11

peterfat11

Level 11
Verified
Top Poster
Well-known
Mar 25, 2021
515
SeriousHoax said:
Microsoft Defender is weird. In my testing, I have seen its right-click scanner not detecting samples even for which it did have local signatures. Then I turned off the internet and entered into the folder containing malware and it started detecting most of them.
I don't know if their scanner is broken or it's like this by design. It's very much dependent on the Real-time protection module. With an internet connection, the real-time scanner will detect most samples anyway so users will remain protected.
Click to expand...
same with norton, when I scan with right lick it tell it is safe if I open the folder it removes it.
 
  • Wow
  • Like
Reactions: Venustus, CyberTech, roger_m and 3 others

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,309
Video Reviews - Security and Privacy
tofargone
tofargone
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus (Default Settings + DefenderUI Recommanded Settings)
Replies
34
Views
3,257
Video Reviews - Security and Privacy
lokamoka820
lokamoka820
NB InfoTech
    • Like
App Review Is it worth to use G Data Antivirus? | G Data Antivirus Review | G Data Antivirus Test | 2024
Replies
4
Views
479
Video Reviews - Security and Privacy
mlnevese
mlnevese

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top