App Review TPSC - Windows Defender vs Avast: Do you need Free Antivirus?


Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
That's another problem I always had as well, a huge rate of false positives from Microsoft Defender (something that doesn't happen with Kaspersky); I got tired of sending samples to Microsoft.
I think that this could be a problem one year ago, but now Defender's false positive rate is very low.
In my case, the issue is probably related to using Autoit which creates the .tmp binaries in the user Temp folder.
I think that such blocks are welcome from the security viewpoint.
 

kC77

Level 5
Verified
Well-known
Aug 16, 2021
230
No. During the compilation, the .tmp files are created and this is blocked in the user Temp folder. Defender does not like when Autoit creates .tmp binaries.
Ah, understood... although I would have thought this is the idea of a "process exclusion".
If AutoIt was added as a process exclusion, then in theory anything that process does should be ignored? (but I'm guessing not in your case, and that Defender is just being fussy!)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Ah, understood... although I would have thought this is the idea of a "process exclusion".
If AutoIt was added as a process exclusion, then in theory anything that process does should be ignored? (but I'm guessing not in your case, and that Defender is just being fussy!)
Defender's exclusion allows running the excluded file. I think that one cannot safely exclude in Defender the files/processes that do not yet exist and never were executed.
Microsoft could probably whitelist the creation of files by the AutoIt compiler, but this could be easily abused by malc0ders.

Post edited.
There is a limited way to exclude files/processes that do not yet exist and never were executed (see my next post).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Defender's exclusions for processes and file types allow some wildcards. So in theory I could exclude the temporary files made during the compilation by using a pattern with wildcards. Yet, this could decrease the Defender protection. Some AVs can use the option to trust unknown files created by the trusted installers, but I am not aware of a similar feature in Microsoft Defender.
It is interesting that my blocked files are automatically checked not only by local signatures but also by the cloud backend. I am not sure why, but this increases the Defender protection.
 
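An added example, written for this thread and not code from the forum, Microsoft, or the Hard_Configurator project: a PowerShell audit of Defender's exclusion lists (read with Get-MpPreference) that flags wildcard patterns like the Temp-folder one discussed above. The breadth heuristics and the sample patterns are the example's own assumptions.

```powershell
# Added example, not from the thread: audit the exclusion lists Microsoft
# Defender reports via Get-MpPreference and flag wildcard patterns that give
# up protection for a whole folder or extension. The "broad" rules below are
# this example's own heuristics, not Defender's.

function Test-BroadExclusion {
    param([Parameter(Mandatory)][string]$Pattern)
    $reasons = @()
    # Trailing "\*" or "\*.*" excludes every file in that directory
    if ($Pattern -match '\\\*(\.\*)?$')          { $reasons += 'every file in the directory' }
    # A bare extension (e.g. ".tmp") is excluded on every drive and folder
    if ($Pattern -match '^\*?\.[A-Za-z0-9]+$')    { $reasons += 'extension-wide, all folders' }
    # Patterns inside user-writable staging folders are where unknown binaries land
    if ($Pattern -match '\\(Temp|Downloads)\\')   { $reasons += 'user-writable staging folder' }
    # Wildcards at the drive or UNC root cover the entire volume
    if ($Pattern -match '^(\*:|\\\\\*)\\')        { $reasons += 'wildcard drive or UNC root' }
    return ,$reasons   # leading comma keeps an empty result as an array
}

function New-ExclusionFinding {
    param([string]$Kind, [string]$Value)
    $why = Test-BroadExclusion -Pattern $Value
    [pscustomobject]@{
        Kind  = $Kind
        Value = $Value
        Broad = ($why.Count -gt 0)
        Why   = ($why -join '; ')
    }
}

function Get-DefenderExclusionReport {
    # Reads the live configuration; needs an elevated prompt on most systems.
    $pref = Get-MpPreference
    foreach ($p in $pref.ExclusionPath)      { New-ExclusionFinding 'Path'      $p }
    foreach ($p in $pref.ExclusionProcess)   { New-ExclusionFinding 'Process'   $p }
    foreach ($e in $pref.ExclusionExtension) { New-ExclusionFinding 'Extension' ".$($e.TrimStart('.'))" }
}

# Constructed sample patterns (no Defender needed), modelled on the thread:
$samples = @(
    '%USERPROFILE%\AppData\Local\Temp\*.tmp',              # wildcard over the user Temp folder
    '.tmp',                                                # extension exclusion, every folder
    'C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe',  # one specific binary (narrow)
    'C:\Build\proj\*'                                      # an entire build directory
)
$samples | ForEach-Object { New-ExclusionFinding -Kind 'Sample' -Value $_ } | Format-Table -AutoSize
```

Run Get-DefenderExclusionReport on a machine with Defender to see which of its real exclusions trip the same rules.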
