App Review Microsoft Defender Antivirus with Andy Ful WHHLight

[ErzCrz]

Running H_C and Xcitium or CF together will take some whitelisting to allow Xcitium / Containment to work. CF runs fine with the likes of Cyberlock/VoodooShield but it's a different kettle of fish with system hardening. I'm sure it might be possible, just not a combination I've toyed with.

 

[oldschool]

Running H_C and Xcitium or CF together

I don't get it. Total overkill.

 

[Kongo]

I don't get it. Total overkill.

+1

 

[ErzCrz]

I don't get it. Total overkill.

I was actually trying to make that point. While theoretically possible, there wouldn't be much point having both and cause more issue than it's worth. Pick a default deny setup and go with the one.

I chose to go with CL/VS this year hence I don't use H_C. True I have been trying out CF in combination with it but more because I favour CF over WFC but I've been there with full CIS and everything on paranoid level. It wasn't worth it and as @cruelsister has so fantastically demonstrated several times, CF with her setup is 100 times simpler and just as bulletproof.

Anyways, this setup tested by @Shadowra shows how amazing built-in protection is, particularlly when using @Andy Ful 's tools can be just as effective as CF or CL.

 

[Andy Ful]

Xcitium + H_C can be an overkill for many users. Of course, an advanced user can probably tweak both applications to get some advantage.
The @cruelsister settings are very efficient but also very restrictive, and not applicable in many business environments.
I think that it is possible to tweak Xcitium without H_C, but I am not sure how much work would be required.

Edit.
I am not sure if we should talk too much about other AVs. The thread is about Microsoft Defender.

 

[franz]

Final opinion:

Microsoft Defender really surprised me.
Microsoft has done a lot of work on the detection side, and it can compete with the big names in free and even paid antivirus!

If you had to choose between Microsoft Defender without WHHLight, and Free Avast, which would you recommend?

 

[Shadowra]

If you had to choose between Microsoft Defender without WHHLight, and Free Avast, which would you recommend?

Microsoft Defender

 

[Vitali Ortzi]

Hard Configurator + Xcitium. You saved me thousands on Microsoft Defender for Endpoint man! The Xcitium installer I have works on unlimited endpoints. I've got windows, mac (containment now stable) and Linux agents

How much did it cost ?

 

[simmerskool]

finally got around to creating a new win10_VM with only WHHL + MS Defender. Very nice, install was easy and VM is running very light & fast.
my only comment or wishlist... I'd like to see some sort of systray icon telling me WWHL is installed and operational, perhaps with a right-click showing all features optimized, etc, something lke that, but perhaps that is not feasible?? or even contra indicated... The desktop does have WHH_Tools folder... perhaps that is enough? or should it then be easy to add systray running icon (DARFC)
now I'll read the docs and see what I done wrong...

 

[Andy Ful]

my only comment or wishlist... I'd like to see some sort of systray icon telling me WWHL is installed and operational, perhaps with a right-click showing all features optimized, etc, something lke that, but perhaps that is not feasible??

WHHLight is a configurator and not a real-time application. When you close it, all WHHLight processes are closed, too.
The systray icon is a feature of real-time applications.
The idea of configurators is widely implemented in Windows. Most Windows settings are modified by using Windows built-in configurations (display settings, privacy settings, personalization settings, time & language settings, etc.).

The desktop does have WHH_Tools folder... perhaps that is enough?

Yes, to see the current state of protection, you must run WHHLight.
More precisely, there is no WHH_Tools folder on the Desktop (it is not a folder). If you delete it, the WHHLight folder is not deleted.
WHH_Tools is a shortcut to the WHH_Tools folder. The shortcut file is on the Desktop, and the target folder is in %ProgramData%.

 

[simmerskool]

@Andy Ful, yeah I know that which is why I "hedged" my comment somewhat, although I don't know what can and cannot be done with systray. So appreciate your detailed explanation. I asked because I have been known to open a VM and could not remember if H_C or SWH had been run. I do take and keep notes, but __it happens. eg, forgetting and installing something not exactly compatible on top of it. Will not let that happen with WHHL. Enjoying it.

 

[likeastar20]

Windows Defender doesn’t have a proper behavior blocker ala System Watcher right? IIRC only the Endpoint version has one? @Shadowra @Andy Ful

 

[ForgottenSeer 107474]

Microsoft Defender

Thanks, but this raises my curiosity why you prefer Defender with WHHL over Avast free with WHHL

 

[Shadowra]

Thanks, but this raises my curiosity why you prefer Defender with WHHL over Avast free with WHHL

I prefer MS Defender because I find it much more reactive than Avast! in terms of virus base (I often see detections with Defender than Avast on 0days).

Windows Defender doesn’t have a proper behavior blocker ala System Watcher right? IIRC only the Endpoint version has one? @Shadowra @Andy Ful

Yep, but there are Behavior detections

 

[likeastar20]

I prefer MS Defender because I find it much more reactive than Avast! in terms of virus base (I often see detections with Defender than Avast on 0days).

Yep, but there are Behavior detections

What’s the difference really ? @Trident maybe you know?

Behavior monitoring in Microsoft Defender Antivirus - Microsoft Defender for Endpoint

Learn about Behavior monitoring in Microsoft Defender Antivirus and Defender for Endpoint.

learn.microsoft.com

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender for Business
• Microsoft Defender for Individuals
• Microsoft Defender Antivirus

Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on signature-based detection (which identifies known malware patterns), behavior monitoring focuses on observing how software behaves in real-time. Here’s what it entails:

1. Real-Time Threat Detection:

• Continuously observe processes, file system activities, and interactions within the system.
• Defender Antivirus can identify patterns associated with malware or other threats. For example, it looks for processes making unusual changes to existing files, modifying or creating automatic startup registry (ASEP) keys, and other alterations to the file system or structure.

1. Dynamic Approach:

• Unlike static, signature-based detection, behavior monitoring adapts to new and evolving threats.
• Microsoft Defender Antivirus uses predefined patterns, and observes how software behaves during execution. For malware that doesn’t fit any predefined pattern, Microsoft Defender Antivirus uses anomaly detection.
• If a program shows suspicious behavior (for example, attempting to modify critical system files), Microsoft Defender Antivirus can take action to prevent further harm, and revert some previous malware actions.

Behavior monitoring enhances Defender Antivirus’s ability to proactively detect emerging threats by focusing on real-time actions and behaviors rather than relying solely on known signatures.

The following features depend on behavior monitoring.

Anti-malware

• Indicators, File hash, allow/block

Network Protection

• Indicators, IP address/URL, allow/block
• Web Content Filtering, allow/block

 

[Gangelo]

Anyone know of an good software updaters. Because I'm going to switch from Kaspersky to this config I could do with a software updater because Kaspersky usually does all that for me. I'm very happy with Kaspersky. This is just a lighter config. And I Love the fact that it's all Windows based.

Late reply because I just noticed your post.
The one I have been using for ages is PatchMyPC Home Updater.

Home Updater: Overview and Download | Patch My PC

Our home updater is a free, easy-to-use program that keeps over 300 apps updated on your PC. A key component of staying safe online is keeping your apps patched.

patchmypc.com

They also have a paid option for automated updates and patching via WSUS and ConfigMgr if you are interested.

 

[ddave]

It's abouth 4 month I'm using Defender+WHHLight+Comodo FW and I found this combo really good and light

 

[Trident]

@likeastar20 what exactly is the question?

 

[ForgottenSeer 107474]

AI have been running WHHL as Admin for two months and now one month as standard user with Defender on MAX, no issues on 3 year old laptop

 

[likeastar20]

@likeastar20 what exactly is the question?

Basically, I was asking about Defender's (home version) Behavior Blocker. How does it work? I don't think I've ever seen behavior detection in Defender.