AVLab.pl Microsoft Defender - pros and cons (November 2020)

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Adrian Ścibor

From AVLab.pl
Hello Readers!

This time we prepared some information about the Microsoft Defender antivirus. I'm sorry, but it was published only in Polish, therefore please use a translator for your language.
In summary, as a comment on Microsoft Defender and the ATP version (for companies) in the 2018-2020 tests:

To get the full opinion, please read the whole article.

  • Microsoft Defender for home users in Windows 10 has some problems with protecting against threats and online banking session attacks (based on results from several tests).
  • Moreover, the protection is not very good against banking Trojans, fileless attacks, and detection of network traffic manipulation. Occasionally, ransomware samples continue to cause problems for Microsoft. It means the enabled protection controls the access of malicious files to user folders, but the whole rest of the system files may be encrypted.
  • Ransomware protection is quite good, but only in the area of the user's folder structure, as long as you haven't manually added additional folders or entire drives to protect.
  • In summary, the Microsoft Defender antivirus has performed from moderate to good in tests since 2018. The antivirus cannot get a high level of protection in tests for several months one after the other.
To get the pros and cons of Microsoft Defender, please read the article at: Korzystasz z Microsoft Defender? Czy wiesz co robisz? - AVLab
 

Andy Ful

Hello Readers!

This time we prepared some information about the Microsoft Defender antivirus. I'm sorry, but it was published only in Polish, therefore please use a translator for your language.
In summary, as a comment on Microsoft Defender and the ATP version (for companies) in the 2018-2020 tests:

To get the full opinion, please read the whole article.

  • Microsoft Defender for home users in Windows 10 has some problems with protecting against threats and online banking session attacks (based on results from several tests).
  • Moreover, the protection is not very good against banking Trojans, fileless attacks, and detection of network traffic manipulation. Occasionally, ransomware samples continue to cause problems for Microsoft. It means the enabled protection controls the access of malicious files to user folders, but the whole rest of the system files may be encrypted.
  • Ransomware protection is quite good, but only in the area of the user's folder structure, as long as you haven't manually added additional folders or entire drives to protect.
  • In summary, the Microsoft Defender antivirus has performed from moderate to good in tests since 2018. The antivirus cannot get a high level of protection in tests for several months one after the other.
To get the pros and cons of Microsoft Defender, please read the article at: Korzystasz z Microsoft Defender? Czy wiesz co robisz? - AVLab
That is true for WD/MSD on default settings, as compared to commercial AVs (paid versions). Some conclusions (banking protection, fileless attacks, anti-ransomware protection, detection of network traffic manipulation) are true as compared to AV business versions.
Shortly, WD/MSD on default settings cannot compete with commercial AV business versions. The reason for that is simple. On default settings, WD/MSD lacks some important ATP modules that are included in the AV business versions.

WD/MSD with advanced settings (tweaked by PowerShell, ConfigureDefender, or GPO) can compete with commercial AV business versions, except for banking protection on an already infected computer (this would require a special banking module).
Generally, WD/MSD protection increased from the year 2018, as compared to other AVs. Nowadays it uses similar techniques as top commercial AVs (Deep Learning, post-execution ML modules, etc.).
The maximum WD/MSD protection can give more false positives as compared to top commercial AVs (business versions).

It would be interesting to see the AVLab test which would include WD ATP (paid) among other AV business versions. For now, we could see such tests only in the last four MRG Effitas reports (in older tests WD had default settings).
 

Andy Ful

I suspect that there can be no measurable difference between most of the popular AVs, except for targeted attacks. If one takes a look at AVLab reports, all AVs have the same protection (differences are less than measurement errors). This can follow from the fact that AVLab honeypots catch mostly the large scale attacks (with a little delay). The biggest AV testing labs have a much larger infrastructure and can catch more 0-day malware used in targeted attacks - so we can see more missed samples in the reports.
If so, then the results of most AV tests are not relevant for home users.

I also suspect that the stellar results of Norton can come from corporate honeypots. Simply, Norton catches the malware used in targeted attacks on the Norton protected enterprises before AV testing labs do. So, Norton has an advantage because it has the biggest market share. This is an advantage for the test results, independently of the number of endpoints that were infected in the targeted attacks. Of course, the Norton protection is probably one of the best, even if the test results are slightly distorted.
One can say that WD/MSD has a bigger advantage, but it is not true because the popularity of WD/MSD is not the same as MSD ATP (paid).

Anyway, the above thoughts & speculations are far from something that could be proved. (y)
 

Arequire

Why Microsoft hide advanced settings? Is it still 'beta'? I don't see a point
Because activating those settings can hamper usability and performance, and average users won't know that upping Defender's cloud protection level increases the chance of false positives and impacts system performance, or how to manage ASR rule exclusions when it inevitably ends up blocking their software from installing/executing/updating.
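As an added example (not code from any poster in this thread, nor from ConfigureDefender), this is the PowerShell route to the advanced settings Andy Ful and Arequire refer to: raising the cloud block level, extending controlled folder access beyond the profile folders, and putting ASR rules into audit mode before enforcing them. It assumes an elevated PowerShell on Windows 10 with Defender active; the folder and executable paths are placeholders.

```powershell
# Added example (not from any poster or from ConfigureDefender): the
# PowerShell route to the Defender settings discussed above. Run in an
# elevated PowerShell on Windows 10 with Defender active. Paths are
# placeholders; the rule GUIDs are Microsoft's published ASR rule ids.
#Requires -RunAsAdministrator

# 1. Record the current state so the changes can be reverted later.
$before = Get-MpPreference
$before | Select-Object CloudBlockLevel, CloudExtendedTimeout,
    EnableControlledFolderAccess, EnableNetworkProtection | Format-List

# 2. Cloud protection level. 'High' blocks more unknown files than the
#    default but, as noted above, raises the false-positive rate; the
#    extended timeout gives the cloud up to 50 more seconds to decide.
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50

# 3. Controlled folder access protects only the profile folders by
#    default; add other data locations explicitly (placeholder path).
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Data'

# 4. Network protection blocks connections to known-bad hosts from any
#    process, not only from the browser.
Set-MpPreference -EnableNetworkProtection Enabled

# 5. Attack surface reduction rules: start in AuditMode, review the
#    events, then switch to Enabled once nothing legitimate trips them.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office apps creating child processes'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 6. What audit mode would have blocked (event 1122 = ASR audit,
#    1124 = controlled folder access audit): review before enforcing.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 7. Exclude one legitimate program that a rule keeps tripping on,
#    rather than disabling the whole rule (placeholder path).
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Example\app.exe'

# 8. Verify the resulting configuration.
Get-MpPreference | Select-Object CloudBlockLevel, EnableControlledFolderAccess,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Reverting is a matter of feeding the values saved in `$before` back into `Set-MpPreference`, which is why the snapshot comes first.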
 

Andy Ful

Because activating those settings can hamper usability and performance, and average users won't know that upping Defender's cloud protection level increases the chance of false positives and impacts system performance, or how to manage ASR rule exclusions when it inevitably ends up blocking their software from installing/executing/updating.
I am not sure if this is a true reason. There are several AVs that can do similar issues and have the ability to tweak many settings. I think that its simplicity is related to Windows Home which is also a stripped version of Windows Pro. On Windows Pro, you can buy Defender ATP.
 

LDogg

We also have to think outside of MWT; outside of anyone knowing Andy Ful, no one else will know @Andy Ful's software even exists. So we have to look at the major con, the home user outside MWT. So a major percentage of users who are not on this forum don't know about Andy's software, or even understand the advanced settings of WD, and would essentially use the default settings, making WD effectively useless as detailed in the first post.

This is why major AV companies have a massive advantage over WD, Configure Defender et al. So the average home user would use a free or paid alternative. Plus you have to factor in the bloat WD has compared to other(s), and factor in the time it takes some users to understand configuring the WD advanced settings (not including Andy's software). So the vital note here would be the alternatives would be seemlessly better. Also not good for those users who do a lot of internet banking/online shopping.

I do not use WD personally because of the bloat on memory, scan speeds, scan speeds on the memory and out of the box on default settings you may as well have a piece of cling film covering your laptop. I do not hate WD, I think incorporating the advanced settings w/ Andy's software would match AV competitors.

~LDogg
 

Andy Ful

...making WD effectively useless as detailed in the first post.
It is true that WD/MSD on default settings cannot compete with the commercial AV business versions. Simply, it is not designed for the business environment. But, from the OP it does not follow that WD/MSD is useless. On the contrary, it is easy to see that WD/MSD on default settings can compete with commercial AV Home versions, for example:

FIRST LIST
AV-Test June 2018 - June 2020 (added scorings from August and October 2020)

Product        6       5.5     5       4.5
Norton         13+2    0       0       0
Kaspersky      12+2    1       0       0
Trend Micro    12+2    1       0       0
Bitdefender    11+2    2       0       0
*F-Secure      11+2    0       0       0
Avira          10+1    3+1     0       0
Avast          9+2     4       0       0
Microsoft      9+2     4       0       0
McAfee         7+2     3       3       0
Vipre          4+1     9       0+1     0
K-7            5+1     7       1       1
*Eset          2       6       4


SECOND LIST
AV-Comparatives Malware Protection
(September 2018, March 2019, September 2019, March 2020, September 2020):

Product          Missed samples       Clusters/Awards
Group 1
Avast, AVG       0+1+0+2+0            1,1,1,1,1
Norton           0+(2)+(2)+0+2        1,1,1,1,1
Bitdefender      1+1+5+2+1            1,1,1,1,1
Avira            2+0+4+3+4            1,1,1,1,2

Group 2
Microsoft        1+2+4+12+0           1,1,1,3,1
Panda            3+1+1+4+11           1,1,1,1,3
K7               20+5+5+1+2           3,1,1,1,1  (better clusters than for Vipre)
VIPRE            2+4+10+3+4           1,1,2,1,2
ESET             7+15+12+1+2          1,2,2,1,1
Kaspersky        12(1)+13+9+3+1       2,2,2,1,1
F-Secure         16+14+9+0+1          2,2,2,1,1
Total Defense*   5+19+1+4             1,3,1,2
McAfee           0+11+19+7+0          1,2,3,2,1  (worse clusters than F-Secure)

Hard to classify
Trend Micro      1+0+0+82+175         1,1,1,4,4

When we see that the Microsoft product scored better than McAfee, Kaspersky, Eset, Vipre, and K-7 both in AV-Test (Real-world Protection) and AV-Comparatives (Malware Protection), then we cannot say that it is useless.
In my opinion, these results rather show that such tests cannot say much about the AV protection, but can say two important things:
  1. Most of the popular AVs have probably very similar protection in the home environment.
  2. The test scorings are probably close to random. For example, it is hard to understand how the top AV on the first list (Trend Micro) is the last (and far away) on the second list.:unsure:

Edit
The cumulative data in AV-Test does not include years, so it happened that only the 3 Eset tests were from the year 2020 and the rest were from 2016-2017. That is why I removed Eset from the AV-Test list.

Post updated.
Corrected the error in the Kaspersky scorings in AV-Test.
Added the results for AV-Comparatives Malware Protection test (September 2018) and AV-Test August and October.
 

LDogg

It is true that WD/MSD on default settings cannot compete with the commercial AV business versions. Simply, it is not designed for the business environment. But, from the OP it does not follow that WD/MSD is useless. On the contrary, it is easy to see that WD/MSD on default settings can compete with commercial AV Home versions, for example:

FIRST LIST
AV-Test June 2018 - June 2020

Product        6       5.5     5
Norton         13      0       0
Trend Micro    12      1       0
Bitdefender    11      2       0
*F-Secure      11      0       0
Avast          10      3       0
Avira          10      3       0
Microsoft      9       4       0
McAfee         7       3       3
Kaspersky      6       6       10
*Eset          2       6       4


SECOND LIST
AV-Comparatives Malware Protection
(March 2019, September 2019, March 2020, September 2020):

Product          Missed samples       Clusters/Awards
Group 1
Avast, AVG       1+0+2+0              1,1,1,1
Norton           (2)+(2)+0+2          1,1,1,1
Bitdefender      1+5+2+1              1,1,1,1
K7               5+5+1+2              1,1,1,1
Avira            0+4+3+4              1,1,1,2

Group 2
Panda            1+1+4+11             1,1,1,3
Microsoft        2+4+12+0             1,1,3,1
VIPRE            4+10+3+4             1,2,1,2
F-Secure         14+9+0+1             2,2,1,1
Kaspersky        13+9+3+1             2,2,1,1
ESET             15+12+1+2            2,2,1,1
Total Defense*   5+19+1+4             1,3,1,2

Group 3
McAfee           11+19+7+0            2,3,2,1

Hard to classify
Trend Micro      0+0+82+175           1,1,4,4


When we see that the Microsoft product scored better than McAfee, Kaspersky, and Eset both in AV-Test (Real-world Protection) and AV-Comparatives (Malware Protection), then we cannot say that it is useless.
In my opinion, these results rather show that such tests cannot say much about the AV protection, but can say two important things:
  1. Most of the popular AVs have probably very similar protection in the home environment.
  2. The test scorings are probably close to random. For example, it is hard to understand how the top AV on the first list (Trend Micro) is the last (and far away) on the second list.:unsure:

Edit
The cumulative data in AV-Test does not include years, so it happened that only the 3 Eset tests were from the year 2020 and the rest were from 2016-2017. That is why I removed Eset from the AV-Test list.
The argument for beating two AV companies on AV-Test does have some favour for WD, but I can't see it changing the minds of users outside of MWT. They still didn't beat the other(s) mind. :p

~LDogg
 

Andy Ful

The argument for beating two AV companies on AV-Test does have some favour for WD, but I can't see it changing the minds of users outside of MWT. They still didn't beat the other(s) mind. :p

~LDogg
The argument was not in favor of Microsoft or any AV which scored better than Kaspersky. On the contrary, it suggests that all these results probably do not reflect the real protection of AVs in-the-wild. It also suggests that one cannot say which AV has better protection in-the-wild depending only on these tests. :)

KIS uses similar technology as MSD, but has additional features as compared to WD/MSD free (default settings). So, it is stronger. But, these tests cannot show the difference in the home environment. You could see the difference in the targeted attacks and banking protection like in MRG Effitas tests (2019 Q1, Q2, Q3) when WD was tested without ATP.
 

mazskolnieces

The CTW hackers told the CEO to use software restriction policy (SRP)= AppLocker and other static default deny (Group Policy Object\GPO). Also attack surface reduction (ASR\disable programs).

If these static default deny protections are so obsolete, cause so many breakages, and are so ineffective and problematic, then why is it that even ATP hackers are advising people to use them? Why does the IT security industry as a whole keep telling people to use such protections - most notably Microsoft itself?

:ROFLMAO:
 

monkeylove

I was using KSC but noted a slowdown in several PCs, so I switched back to Defender. I decided to test the performance in one machine using NovaBench, and noted that Defender now has the best performance, followed by free versions of Avast (a close second), Bitdefender, and Kaspersky (now the slowest). I did the same test several months ago, and it was the other way round.

I tried the controlled folders feature, but it caused more problems, especially for average users, and core isolation didn't work. So now I'm back to Avast.

Meanwhile, performance in terms of system impact and protection goes up and down for various AVs every year or so, with changes in Windows or updated versions of AVs leading to that.

That means Defender needs a lot of improvement. Meanwhile, given the price of AVs for several PCs and changes in performance, practical users will have to switch from one free version of a top AV to another.
 

Andy Ful

More info please
You used to be able to get only a Windows Defender ATP trial. Unless it has changed, ATP license requires Volume Licensing agreement first. I don't think individual consumer Windows 10 Pro license holders can purchase ATP.
You can't, it is only sold to the enterprise in volume licenses, so you can't legitimately get a license for it (you need either an E5 or A5 license).

Plus Windows Defender ATP is used to protect an entire network, not one PC; it is a waste of time and money to use it against Home threats.
From the year 2020 there is something like a standalone version of MSD ATP. It seems that it is available for home use (minimum Windows Pro) but it requires creating an Azure AD tenant (needs an Azure subscription). So, this solution will cost much more than other solutions. Windows Pro and MSD ATP are rather for SMBs:

"The minimum requirement for MD ATP is Windows 10 Pro. This is because the machine must be AADJ or Hybrid AADJ to apply the MD ATP license. For server licensing, you’re supposed to have a minimum of 50 client licenses."

"Can this be for home use? I am a security researcher and this would be helpful."

Dan Chemistruck, July 30, 2020 at 1:27 am:
"Sort of, yes. You'd need an Azure AD tenant and you would need to purchase via CSP, but there's nothing to stop you from using this at home."
 

monkeylove

Which Windows build did you use?

Core isolation is enabled for me

Thanks for reminding me. I'm using Win 10 Home, but I had to search online to find out how to enable Hyper-V in Home:

 