App Review Microsoft Defender Antivirus with Andy Ful WHHLight

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra
Running H_C and Xcitium or CF together will take some whitelisting to allow Xcitium / Containment to work. CF runs fine with the likes of Cyberlock/VoodooShield but it's a different kettle of fish with system hardening. I'm sure it might be possible, just not a combination I've toyed with.
 
  • Like
Reactions: vtqhtr413, ZeroDay, [correlate] and 3 others
oldschool said:
I don't get it. Total overkill.o_O
Click to expand...
I was actually trying to make that point. While theoretically possible, there wouldn't be much point having both and cause more issue than it's worth. Pick a default deny setup and go with the one.

I chose to go with CL/VS this year hence I don't use H_C. True I have been trying out CF in combination with it but more because I favour CF over WFC but I've been there with full CIS and everything on paranoid level. It wasn't worth it and as @cruelsister has so fantastically demonstrated several times, CF with her setup is 100 times simpler and just as bulletproof.

Anyways, this setup tested by @Shadowra shows how amazing built-in protection is, particularlly when using @Andy Ful 's tools can be just as effective as CF or CL.
 
  • Like
  • Applause
  • +Reputation
Reactions: kylprq, wat0114, vtqhtr413 and 7 others
Xcitium + H_C can be an overkill for many users. Of course, an advanced user can probably tweak both applications to get some advantage.
The @cruelsister settings are very efficient but also very restrictive, and not applicable in many business environments.
I think that it is possible to tweak Xcitium without H_C, but I am not sure how much work would be required.

Edit.
I am not sure if we should talk too much about other AVs. The thread is about Microsoft Defender. :)
 
Last edited:
  • Like
  • +Reputation
Reactions: vtqhtr413, Digmor Crusher, oldschool and 7 others
finally got around to creating a new win10_VM with only WHHL + MS Defender. Very nice, install was easy and VM is running very light & fast.
my only comment or wishlist... I'd like to see some sort of systray icon telling me WWHL is installed and operational, perhaps with a right-click showing all features optimized, etc, something lke that, but perhaps that is not feasible?? or even contra indicated... :unsure: The desktop does have WHH_Tools folder... perhaps that is enough? or should it then be easy to add systray running icon :unsure: (DARFC)
now I'll read the docs and see what I done wrong... :D
 
  • Like
Reactions: vtqhtr413, Andy Ful, Gandalf_The_Grey and 2 others
simmerskool said:
my only comment or wishlist... I'd like to see some sort of systray icon telling me WWHL is installed and operational, perhaps with a right-click showing all features optimized, etc, something lke that, but perhaps that is not feasible??
Click to expand...
WHHLight is a configurator and not a real-time application. When you close it, all WHHLight processes are closed, too.
The systray icon is a feature of real-time applications.
The idea of configurators is widely implemented in Windows. Most Windows settings are modified by using Windows built-in configurations (display settings, privacy settings, personalization settings, time & language settings, etc.).

simmerskool said:
The desktop does have WHH_Tools folder... perhaps that is enough?
Click to expand...

Yes, to see the current state of protection, you must run WHHLight.
More precisely, there is no WHH_Tools folder on the Desktop (it is not a folder). If you delete it, the WHHLight folder is not deleted.
WHH_Tools is a shortcut to the WHH_Tools folder. The shortcut file is on the Desktop, and the target folder is in %ProgramData%.

1707131285233.png
 
Last edited:
  • Like
  • Thanks
  • +Reputation
Reactions: anirbandutta01, Jonny Quest, roger_m and 4 others
@Andy Ful, yeah I know that which is why I "hedged" my comment somewhat, although I don't know what can and cannot be done with systray. So appreciate your detailed explanation. I asked because I have been known to open a VM and could not remember if H_C or SWH had been run. I do take and keep notes, but __it happens. :D eg, forgetting and installing something not exactly compatible on top of it. :oops: Will not let that happen with WHHL. Enjoying it.
 
  • Like
  • Hundred Points
Reactions: vtqhtr413 and Andy Ful
LennyFox said:
Thanks, but this raises my curiosity why you prefer Defender with WHHL over Avast free with WHHL
Click to expand...

I prefer MS Defender because I find it much more reactive than Avast! in terms of virus base (I often see detections with Defender than Avast on 0days).
likeastar20 said:
Windows Defender doesn’t have a proper behavior blocker ala System Watcher right? IIRC only the Endpoint version has one? @Shadowra @Andy Ful
Click to expand...
Yep, but there are Behavior detections
 
  • Like
  • +Reputation
  • Thanks
Reactions: anirbandutta01, Parkinsond, Jonny Quest and 7 others
Shadowra said:
I prefer MS Defender because I find it much more reactive than Avast! in terms of virus base (I often see detections with Defender than Avast on 0days).

Yep, but there are Behavior detections
Click to expand...
What’s the difference really ? @Trident maybe you know?

learn.microsoft.com

Behavior monitoring in Microsoft Defender Antivirus - Microsoft Defender for Endpoint

Learn about Behavior monitoring in Microsoft Defender Antivirus and Defender for Endpoint.
learn.microsoft.com

Applies to:

Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on signature-based detection (which identifies known malware patterns), behavior monitoring focuses on observing how software behaves in real-time. Here’s what it entails:

  1. Real-Time Threat Detection:
  • Continuously observe processes, file system activities, and interactions within the system.
  • Defender Antivirus can identify patterns associated with malware or other threats. For example, it looks for processes making unusual changes to existing files, modifying or creating automatic startup registry (ASEP) keys, and other alterations to the file system or structure.
  1. Dynamic Approach:
  • Unlike static, signature-based detection, behavior monitoring adapts to new and evolving threats.
  • Microsoft Defender Antivirus uses predefined patterns, and observes how software behaves during execution. For malware that doesn’t fit any predefined pattern, Microsoft Defender Antivirus uses anomaly detection.
  • If a program shows suspicious behavior (for example, attempting to modify critical system files), Microsoft Defender Antivirus can take action to prevent further harm, and revert some previous malware actions.
Behavior monitoring enhances Defender Antivirus’s ability to proactively detect emerging threats by focusing on real-time actions and behaviors rather than relying solely on known signatures.

The following features depend on behavior monitoring.

Anti-malware

  • Indicators, File hash, allow/block
Network Protection

  • Indicators, IP address/URL, allow/block
  • Web Content Filtering, allow/block
 
Last edited:
  • Like
  • Applause
  • +Reputation
Reactions: Jonny Quest, Idanox, simmerskool and 5 others
ZeroDay said:
Anyone know of an good software updaters. Because I'm going to switch from Kaspersky to this config I could do with a software updater because Kaspersky usually does all that for me. I'm very happy with Kaspersky. This is just a lighter config. And I Love the fact that it's all Windows based.
Click to expand...
Late reply because I just noticed your post.
The one I have been using for ages is PatchMyPC Home Updater.

patchmypc.com

Home Updater

Did you know your home device/computer needs regular updates to stay secure? Automate your patching for over 500+ applications free of charge.
patchmypc.com patchmypc.com

They also have a paid option for automated updates and patching via WSUS and ConfigMgr if you are interested.
 
  • Like
Reactions: Jonny Quest and Shadowra

You may also like...