Video Microsoft Defender Antivirus (Windows 11) - Default Settings

Shadowra

Level 26
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
1,510
Hello and welcome to the Microsoft Defender test!
Microsoft Defender (formerly Windows Defender, and Microsoft Security Essentials on Win7) is the antivirus integrated in Windows since Windows 8.
Formerly very criticized for its lack of efficiency and reaction, Microsoft revisits it entirely for Windows 10 by adding AI Machine Learning detection, and various behavioral blocking.

Here, on Windows 11, Defender continues its performance.
It even has the luxury of detecting all the samples in my pack!
On the other hand, its scanning bug is still present. Indeed, Microsoft Defender is unable to remove everything... So I had to test via the interceptor.
Microsoft Defender is still an excellent and free antivirus!

Warning: Due to a bug with my Windows installation, some parts of Microsoft Defender are in French and others in English... I apologize, it is the translation of my virtual machine that has jumped.... This will be fixed with a new installation soon.



RAM Usage : Light
Malware URL test : 9/10 (1 missed, probably a fake Skype)
Fake crack : 1/1 (detected)
Malware Pack : A strange bug. Indeed, Microsoft Defender detects a large number, but can not clean everything. There are 358 threats left in the pack, but the interceptor removes them all.
There is nothing left, no malware is launched.

Resistance to script attacks: Yes

Result :
NPE : 1 (detected by Microsoft Defender)
KVRT : 2

Recommand : Yes
System Clean : Yes, system protected
 

SeriousHoax

Level 44
Verified
Top Poster
Well-known
Mar 16, 2019
3,312
MD did well (y)
Malware Pack : A strange bug. Indeed, Microsoft Defender detects a large number, but can not clean everything. There are 358 threats left in the pack, but the interceptor removes them all.
Yeah, they haven't managed to fix it yet. But to have the best possible chance of avoiding this bug, you can not turn off MD's real time protection before extracting the sample pack. You have to keep it on and extract the malware pack. When I tested a couple of months ago twice with a pack of 100+ exe malware, MD was able to empty the folder completely automatically without leaving anything behind.
IMO, every AV should be tested like this, turning off real time protection is not a proper way of testing but anyway, that's another thing. For MD, it's necessary but even this method doesn't guarantee success all the time, so they should fix it.
 

Shadowra

Level 26
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
1,510
MD did well (y)

Yeah, they haven't managed to fix it yet. But to have the best possible chance of avoiding this bug, you can not turn off MD's real time protection before extracting the sample pack. You have to keep it on and extract the malware pack. When I tested a couple of months ago twice with a pack of 100+ exe malware, MD was able to empty the folder completely automatically without leaving anything behind.
IMO, every AV should be tested like this, turning off real time protection is not a proper way of testing but anyway, that's another thing. For MD, it's necessary but even this method doesn't guarantee success all the time, so they should fix it.

Some antivirus programs block the extraction of the pack (like Eset, Norton and others), that's why I always disable the real time protection when I extract.
Microsoft should fix this bug because it can be a handicap if a machine has a big infection or in case of cleaning on an already infected system :/
 

SeriousHoax

Level 44
Verified
Top Poster
Well-known
Mar 16, 2019
3,312
Some antivirus programs block the extraction of the pack (like Eset, Norton and others), that's why I always disable the real time protection when I extract.
Microsoft should fix this bug because it can be a handicap if a machine has a big infection or in case of cleaning on an already infected system :/
ESET never did that in my tests, and Norton in my experience does things a bit differently. When you extract malware from a zip and Norton has database about it, it will often/most times block the extraction of those known threats before they are able to properly write themselves to the disk. This is some sort of early blocking, which helps them to reduce the time it takes to remove threats from the disk. Norton is probably the slowest at removing malware, so this method helps them to speed things up. Unknown threats are still extracted.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,388
I saw this is a new video ...

Yes. This can be bad news for people who download files when disconnected from the internet. :)

But seriously, this can be an issue for some people who often:
  • use USB or network drives to install files (shared with other people) while disconnected from the Internet,
  • open MS Office documents stored on USB drives or network drives (shared with other people) while disconnected from the Internet,
  • use a very poor Internet connection.
Such situations can happen, especially in businesses. Of course, using Defender free in businesses is not recommended for those and some other reasons.
Please note, that Trend Micro (one of the top AVs) has got much worse offline detection.

Edit.
Good signatures can be also useful when checking the computer offline from a live CD.
 
Last edited:

Guilhermesene

Level 9
Verified
Well-known
Jun 1, 2019
403
Yes. This can be bad news for people who download files when disconnected from the internet. :)

But seriously, this can be an issue for some people who often:
  • use USB or network drives to install files (shared with other people) while disconnected from the Internet,
  • open MS Office documents stored on USB drives or network drives (shared with other people) while disconnected from the Internet,
  • use a very poor Internet connection.
Such situations can happen, especially in businesses. Of course, using Defender free in businesses is not recommended for those and some other reasons.
Please note, that Trend Micro (one of the top AVs) has got much worse offline detection.

Edit.
Good signatures can be also useful when checking the computer offline from a live CD.
For these reasons, I still think AV's that do not rely exclusively or largely on the cloud (network connection) are valid, even though many may not like this approach, but in my opinion it is still valid.

In the end, as everything has its pros and cons, it all comes down to what you need in your environment 🙂
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top