App Review Microsoft Defender Antivirus with Andy Ful WHHLight

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,082
Running H_C and Xcitium or CF together will take some whitelisting to allow Xcitium / Containment to work. CF runs fine with the likes of Cyberlock/VoodooShield but it's a different kettle of fish with system hardening. I'm sure it might be possible, just not a combination I've toyed with.
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,082
I don't get it. Total overkill.o_O
I was actually trying to make that point. While theoretically possible, there wouldn't be much point having both and cause more issue than it's worth. Pick a default deny setup and go with the one.

I chose to go with CL/VS this year hence I don't use H_C. True I have been trying out CF in combination with it but more because I favour CF over WFC but I've been there with full CIS and everything on paranoid level. It wasn't worth it and as @cruelsister has so fantastically demonstrated several times, CF with her setup is 100 times simpler and just as bulletproof.

Anyways, this setup tested by @Shadowra shows how amazing built-in protection is, particularlly when using @Andy Ful 's tools can be just as effective as CF or CL.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,259
Xcitium + H_C can be an overkill for many users. Of course, an advanced user can probably tweak both applications to get some advantage.
The @cruelsister settings are very efficient but also very restrictive, and not applicable in many business environments.
I think that it is possible to tweak Xcitium without H_C, but I am not sure how much work would be required.

Edit.
I am not sure if we should talk too much about other AVs. The thread is about Microsoft Defender. :)
 
Last edited:

simmerskool

Level 32
Verified
Top Poster
Well-known
Apr 16, 2017
2,172
finally got around to creating a new win10_VM with only WHHL + MS Defender. Very nice, install was easy and VM is running very light & fast.
my only comment or wishlist... I'd like to see some sort of systray icon telling me WWHL is installed and operational, perhaps with a right-click showing all features optimized, etc, something lke that, but perhaps that is not feasible?? or even contra indicated... :unsure: The desktop does have WHH_Tools folder... perhaps that is enough? or should it then be easy to add systray running icon :unsure: (DARFC)
now I'll read the docs and see what I done wrong... :D
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,259
my only comment or wishlist... I'd like to see some sort of systray icon telling me WWHL is installed and operational, perhaps with a right-click showing all features optimized, etc, something lke that, but perhaps that is not feasible??
WHHLight is a configurator and not a real-time application. When you close it, all WHHLight processes are closed, too.
The systray icon is a feature of real-time applications.
The idea of configurators is widely implemented in Windows. Most Windows settings are modified by using Windows built-in configurations (display settings, privacy settings, personalization settings, time & language settings, etc.).

The desktop does have WHH_Tools folder... perhaps that is enough?

Yes, to see the current state of protection, you must run WHHLight.
More precisely, there is no WHH_Tools folder on the Desktop (it is not a folder). If you delete it, the WHHLight folder is not deleted.
WHH_Tools is a shortcut to the WHH_Tools folder. The shortcut file is on the Desktop, and the target folder is in %ProgramData%.

1707131285233.png
 
Last edited:

simmerskool

Level 32
Verified
Top Poster
Well-known
Apr 16, 2017
2,172
@Andy Ful, yeah I know that which is why I "hedged" my comment somewhat, although I don't know what can and cannot be done with systray. So appreciate your detailed explanation. I asked because I have been known to open a VM and could not remember if H_C or SWH had been run. I do take and keep notes, but __it happens. :D eg, forgetting and installing something not exactly compatible on top of it. :oops: Will not let that happen with WHHL. Enjoying it.
 

Shadowra

Level 34
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,393
Thanks, but this raises my curiosity why you prefer Defender with WHHL over Avast free with WHHL

I prefer MS Defender because I find it much more reactive than Avast! in terms of virus base (I often see detections with Defender than Avast on 0days).
Windows Defender doesn’t have a proper behavior blocker ala System Watcher right? IIRC only the Endpoint version has one? @Shadowra @Andy Ful
Yep, but there are Behavior detections
 

likeastar20

Level 8
Verified
Mar 24, 2016
378
I prefer MS Defender because I find it much more reactive than Avast! in terms of virus base (I often see detections with Defender than Avast on 0days).

Yep, but there are Behavior detections
What’s the difference really ? @Trident maybe you know?


Applies to:

Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on signature-based detection (which identifies known malware patterns), behavior monitoring focuses on observing how software behaves in real-time. Here’s what it entails:

  1. Real-Time Threat Detection:
  • Continuously observe processes, file system activities, and interactions within the system.
  • Defender Antivirus can identify patterns associated with malware or other threats. For example, it looks for processes making unusual changes to existing files, modifying or creating automatic startup registry (ASEP) keys, and other alterations to the file system or structure.
  1. Dynamic Approach:
  • Unlike static, signature-based detection, behavior monitoring adapts to new and evolving threats.
  • Microsoft Defender Antivirus uses predefined patterns, and observes how software behaves during execution. For malware that doesn’t fit any predefined pattern, Microsoft Defender Antivirus uses anomaly detection.
  • If a program shows suspicious behavior (for example, attempting to modify critical system files), Microsoft Defender Antivirus can take action to prevent further harm, and revert some previous malware actions.
Behavior monitoring enhances Defender Antivirus’s ability to proactively detect emerging threats by focusing on real-time actions and behaviors rather than relying solely on known signatures.

The following features depend on behavior monitoring.

Anti-malware

  • Indicators, File hash, allow/block
Network Protection

  • Indicators, IP address/URL, allow/block
  • Web Content Filtering, allow/block
 
Last edited:

Gangelo

Level 6
Verified
Well-known
Jul 29, 2017
285
Anyone know of an good software updaters. Because I'm going to switch from Kaspersky to this config I could do with a software updater because Kaspersky usually does all that for me. I'm very happy with Kaspersky. This is just a lighter config. And I Love the fact that it's all Windows based.
Late reply because I just noticed your post.
The one I have been using for ages is PatchMyPC Home Updater.


They also have a paid option for automated updates and patching via WSUS and ConfigMgr if you are interested.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top