The truth about Windows Defender on Windows 10 (Home & Pro).

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
It was recently tested with the sandbox feature as well; the result was the same: Video - (Sandboxed) Windows Defender vs Zero Day Malware
One correction. In this case the malware did not disable WD. The initial document was detected (malicious content), but WD allowed the payload to be downloaded/run. The final payload was not detected and remained persistent after reboot.

Anyway, that can be a good example to show that WD on default settings (even in sandbox) is not the best solution for people who use MS Office and allow macros for documents downloaded from the Internet. That behavior is like crossing the street with eyes closed.

Edit.
@RoboMan, thanks for the interesting video.:giggle:
 
Last edited:

Eddie Morra

About the above comments...

1. Windows was designed for administrators to make changes and, as such, overrule things like security configurations. This means that administrators can enable and disable Windows Defender/Firewall, or modify the configuration. Therefore, malware running with administrative rights has always been and always will be able to overrule Windows Defender, the same way it has more opportunity to attack third-party AVs on the machine.

2. The sandbox container which was implemented into Windows Defender was never supposed to do anything in regards to preventing Windows Defender from being disabled by software running with administrative rights on the environment. It was implemented to help restrict malicious code being executed under the context of Windows Defender processes which are under the sandbox container post-exploitation to prevent the attackers from being able to do as much as they could before whilst masking the operations as being from Windows Defender's compromised process/es. Furthermore, I imagine it also uses exploit mitigation techniques more aggressively/effectively to make old exploits fail until updated and new future vulnerabilities possibly harder to exploit.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Well, is it worth running Windows Defender sandboxed, then? A little worth it? A lot? I went to the horse's mouth, and the 4th paragraph under "Why sandbox? Why now?" basically says what goes in the box stays in the box. Sounds great; however, I now see that testing here suggests this system is neither fail-safe nor 100% foolproof. Is anyone currently running WD sandboxed? I chose "no"--I have an anti-exe, plus I run vulnerable programs like Media Player in Sandboxie. Plus, like I harped on before, this feature currently isn't enabled by default; you have to look for it. Eeww!
 

Eddie Morra

The Windows Defender sandbox container is never going to be 100% foolproof; no sandbox container ever will be. Anyway, I would say that it is not recommended to enable it at this point in time because it is still early days and it is only available as an opt-in experimental feature (as far as I am aware).

Until extensive testing has been done, and the feature has definitely been released as "officially released" with proper documentation to the changes it makes and how it works, along with strong testing by people experienced in vulnerability research and exploitation (e.g. Google Project Zero), it is probably best to just avoid it for your own sake.
 

ForgottenSeer 72227

About the above comments...
2. The sandbox container which was implemented into Windows Defender was never supposed to do anything in regards to preventing Windows Defender from being disabled by software running with administrative rights on the environment. It was implemented to help restrict malicious code being executed under the context of Windows Defender processes which are under the sandbox container post-exploitation to prevent the attackers from being able to do as much as they could before whilst masking the operations as being from Windows Defender's compromised process/es. Furthermore, I imagine it also uses exploit mitigation techniques more aggressively/effectively to make old exploits fail until updated and new future vulnerabilities possibly harder to exploit.

Thanks for the clarification, this was my understanding as well!

The Windows Defender sandbox container is never going to be 100% foolproof; no sandbox container ever will be. Anyway, I would say that it is not recommended to enable it at this point in time because it is still early days and it is only available as an opt-in experimental feature (as far as I am aware).

Until extensive testing has been done, and the feature has definitely been released as "officially released" with proper documentation to the changes it makes and how it works, along with strong testing by people experienced in vulnerability research and exploitation (e.g. Google Project Zero), it is probably best to just avoid it for your own sake.

I agree(y)

I gave it a try just to see what it was all about. It didn't slow down my system any more than what WD does, which is great. I think it is a good feature to have in order to help keep the OS more secure from malicious code trying to take advantage of an exploit via WD.

However, like you said, it's still very experimental at this point and I think Microsoft still has some things to iron out before it's ready for prime time. I have since disabled it, as I found out (while doing very basic tests via AMTSO and the WD Testing grounds) that some of WD's detection capabilities stopped working (on some tests) when the sandbox was enabled. Even though the sandbox should not have any impact whatsoever on WD's detection capabilities, currently it seems to be conflicting with some of them (at least for me on 1809). Since disabling the sandbox, WD was able to pass those tests without issue, compared to when it was enabled. Personally, I think people should wait until it's all ironed out and officially rolled out before using it, just in case it is (unintentionally) affecting WD's protection capabilities negatively.
 
Last edited by a moderator:
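For anyone who, like plat and ForgottenSeer above, wants to know whether the sandbox is actually active on their own machine before or after toggling it, here is an added PowerShell check. It is not code from the thread; it assumes the opt-in mechanism is the machine-wide environment variable MP_FORCE_USE_SANDBOX and that the sandboxed content process is MsMpEngCP.exe, both as described in Microsoft's announcement of the feature.

```powershell
# Added example, not from the thread. Assumptions: the sandbox opt-in is the
# machine-wide environment variable MP_FORCE_USE_SANDBOX (Microsoft's announcement)
# and the sandboxed engine content process is named MsMpEngCP.exe.

function Get-DefenderSandboxStatus {
    # Opt-in flag as seen by services started after the last reboot.
    $optIn   = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    # Main AV engine process and, when sandboxing is active, its content process.
    $engine  = Get-Process -Name MsMpEng   -ErrorAction SilentlyContinue
    $content = Get-Process -Name MsMpEngCP -ErrorAction SilentlyContinue
    # Real-time protection state, so a toggle can be checked against the
    # detection regressions ForgottenSeer describes above.
    $status  = Get-MpComputerStatus

    [pscustomobject]@{
        OptInVariable         = if ($null -ne $optIn) { $optIn } else { '(not set)' }
        EngineRunning         = [bool]$engine
        SandboxedProcessSeen  = [bool]$content
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        AntivirusSignatureAge = $status.AntivirusSignatureAge
    }
}

# Opt in (elevated prompt, then reboot for the engine to pick it up):
#   setx /M MP_FORCE_USE_SANDBOX 1
# Opt out again, e.g. if your own detection tests regress:
#   setx /M MP_FORCE_USE_SANDBOX 0
Get-DefenderSandboxStatus
```

Run it once before changing the variable and once after the reboot; if SandboxedProcessSeen stays False after opting in, the engine has not actually moved into the container regardless of what the variable says.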

Andy Ful

... it has been proven over time - across decades - that people are better off with 3rd party security over Windows security. That was true 20 years ago and it is certainly true today despite all the "improvements" to Windows security.
...
That would certainly be true, if Windows 10 did not hate 3rd party security.
I like the fact of WD improvements, because it can now compete with 3rd party AVs. The competitive pressure and diversity are usually advantageous for the customers.
So, I wish WD to improve and make 3rd party security better. If I have to buy 3rd party, real-time security, I would rather choose AppGuard alongside Defender. (y)
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I have found things on my computer in the Recycle bin and AppData that Windows Defender never detected. Thank mother nature for Emsisoft Emergency Kit.
For me the main issue is that I have had issues with the definition updates. They would corrupt and there is no way to troubleshoot and reset Windows Defender. I cannot rely on an AV that cannot even update its signatures. My heart was racing. What kind of trash was on my computer. So I disabled WD in Group Policy for eternity and have always used 3rd party AVs since Windows 10 1607 (Anniversary Update).
 

toto

Level 4
Verified
Well-known
Oct 15, 2014
164
Great post with useful information.
Just to add something,
I believe that even if Microsoft is nobody's friend, business-wise they will want to make their operating system more secure. With the increase in popularity of Linux (mainly because of security reasons) and macOS, Microsoft knows they have competition, even if it's relatively small. The users will want a more secure system, because the average user, the professional, or better yet 99.9% of people that use Windows will not enjoy removing malware from their system or getting files encrypted, and Microsoft knows that if they don't offer a secure system then they will lose more and more users in the long run.

"It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest" (Adam Smith)
 

Andy Ful

I have found things on my computer in the Recycle bin and AppData that Windows Defender never detected. Thank mother nature for Emsisoft Emergency Kit.
For me the main issue is that I have had issues with the definition updates. They would corrupt and there is no way to troubleshoot and reset Windows Defender. I cannot rely on an AV that cannot even update its signatures. My heart was racing. What kind of trash was on my computer. So I disabled WD in Group Policy for eternity and have always used 3rd party AVs since Windows 10 1607 (Anniversary Update).
Your experiment with highly restricted system + WD was not especially successful. I used highly restricted system too, and I know that it can cause some problems. Now, I prefer only some well tested restrictions like SRP (administrators excluded).
Did you try the system refresh? I am curious if it could repair Defender. It would not be good if it could not.
You will have similar problems with most advanced AVs, because they are not prepared to run on highly restricted systems. The system can work well for several months and after some Windows or AV updates it can have a problem anyway. But you probably like solving problems, so I wish you to find the balance between restrictions and compatibility/stability.
Be safe.(y)
 

509322

That would certainly be true, if Windows 10 did not hate 3rd party security.
I like the fact of WD improvements, because it can now compete with 3rd party AVs. The competitive pressure and diversity are usually advantageous for the customers.
So, I wish WD to improve and make 3rd party security better. If I have to buy 3rd party, real-time security, I would rather choose AppGuard alongside Defender. (y)

In my testing, just about every 3rd party security soft out-performs Windows security. In short, people are better off using a 3rd party security solution. For one, even though they can be complex, they are not the hassle that Windows security is. Computer illiterates just cannot wrap their heads around Windows security. However, they can buy an internet security suite, install it, and run with the defaults. And those defaults offer significantly better protection than Windows security.

The way that Microsoft does things causes quite a lot of problems for consumers. This is like, what, a 30-year fact?

Competition is good, but Microsoft uses its position to make it difficult and problematic for 3rd parties. In short, 3rd parties are at a distinct competitive disadvantage. It's the reason that Kaspersky and others are suing Microsoft.
 

509322

Just playing devil's advocate here, but do 3rd parties really have the best interest of users in mind? Like you said, they are making money off it, so it's a business, and we all know that businesses do not always have the best interests of their customers in mind (this includes Microsoft). My point being, do you honestly think that if Microsoft fixed all these issues, 3rd parties won't cry and complain about it, saying it's a monopoly? They cried when Microsoft was adding kernel protection to Vista, saying Microsoft is trying to block them out of doing their thing. They cried when they added WD, saying Microsoft is going to have a monopoly, etc...

Point is, despite the fact that they claim to "protect users" and are champions of security, they cannot applaud Microsoft for at least trying to make things more secure. There's always backlash, and it has nothing to do with them trying to improve things; it's always about companies saying Microsoft is trying to put them out of business. So the question is, is it really due to Microsoft being lazy, or is it that no matter what they do, somehow they are being labelled as trying to have a monopoly and putting people out of business, or a combination of both?

People started to complain about Microsoft security way before there was ever an antivirus product for consumers to purchase.

3rd parties provide better protection than Microsoft. That's all that matters.

And yes, Microsoft does things unilaterally and uses its position to make things much more difficult and problematic for 3rd party publishers... way more difficult than they need to be. That stifles competition and/or causes inordinately difficult problems.

Microsoft would like nothing more than to make the entire world a 100 % Microsoft product-only world. If you don't believe that is true, then I don't know what to tell you. Because that is exactly what it is trying to do. And it will do whatever it can to accomplish that.

Anyway you cut it, Microsoft is a monopoly. It has a grip (some would say stranglehold) on most things IT like no other.
 

Andy Ful

In my testing, just about every 3rd party security soft out-performs Windows security. In short, people are better off using a 3rd party security solution...
I could say:
From my experience, Windows Defender out-performs every 3rd party real-time security (on system stability & compatibility). In short, people are better off when avoiding 3rd party real-time security solution.
But this would not be a sound reasoning. Simply, the first sentence may be true, but not the second. I think that your second sentence is also not true.

My personal view is slightly more complicated:
  1. For many people who prefer stability & compatibility over usability, WD will be a reasonable solution. Many of them will be also interested in system hardening.
  2. For people who prefer usability over stability & compatibility, some 3rd party software will be better.
  3. Other people will often choose 3rd party security, because there is one WD and many 3rd party security applications.
I am glad that we do not agree on something. The world would be boring if people would agree on everything.:giggle:(y)
 

509322

I could say:
From my experience, Windows Defender out-performs every 3rd party real-time security (on system stability & compatibility). In short, people are better off when avoiding 3rd party real-time security solution.
But this would not be a sound reasoning. Simply, the first sentence may be true, but not the second. I think that your second sentence is also not true.

My personal view is slightly more complicated:
  1. For many people who prefer stability & compatibility over usability, WD will be a reasonable solution. Many of them will be also interested in system hardening.
  2. For people who prefer usability over stability & compatibility, some 3rd party software will be better.
  3. Other people will often choose 3rd party security, because there is one WD and many 3rd party security applications.
I am glad that we do not agree on something. The world would be boring if people would agree on everything.:giggle:(y)

A typical home user does not visit security soft forums or research how to tweak Windows Defender. So they are better off using a 3rd party security solution. Protection-wise, Windows security has, by design, holes in it. Plus, consumers will get better support from a 3rd party solution. There is no support for Windows Defender... not unless the user is willing to pay the $100 support fee.

From my field observations, it is Microsoft that causes the most number of problems - and not 3rd party software. If Microsoft wouldn't constantly change things, then users wouldn't find themselves in the predicament of Windows breaking stuff all the time. 3rd parties do a good job, but it is Microsoft that ruins it for everyone.

All one need do is keep track of the number of people using W10 security in malware removal assistant threads across the web, and the picture is clear. Windows Defender just isn't what it is hyped up to be. The two leading AVs found in malware removal assistance threads are default Windows Defender and Malwarebytes. One cannot argue with this kind of data.
 
