App Review TPSC - Windows Defender vs Avast: Do you need Free Antivirus?

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
That's another problem I always had as well: a huge rate of false positives from Microsoft Defender (something that doesn't happen with Kaspersky). I got tired of sending samples to Microsoft.
I think that this could be a problem one year ago, but now Defender's false positive rate is very low.
In my case, the issue is probably related to using Autoit which creates the .tmp binaries in the user Temp folder.
I think that such blocks are welcome from the security viewpoint.
 
No. During the compilation, the .tmp files are created and this is blocked in the user Temp folder. Defender does not like when Autoit creates .tmp binaries.
Ah, understood... although I would have thought this is the idea of a "process exclusion".
If AutoIt was added as a process exclusion, then in theory anything that process does should be ignored? (But I'm guessing not in your case, and that Defender is just being fussy!)
 
Defender's exclusion allows running the excluded file. I think that one cannot safely exclude in Defender the files/processes that do not yet exist and never were executed.
Microsoft could probably whitelist the creation of files by the AutoIt compiler, but this could be easily abused by malc0ders.

Post edited.
There is a limited way to exclude files/processes that do not yet exist and never were executed (see my next post).
 
Defender's exclusions for processes and file types allow some wildcards. So in theory I could exclude the temporary files made during the compilation by using a pattern with wildcards. Yet, this could decrease the Defender protection. Some AVs can use the option to trust unknown files created by the trusted installers, but I am not aware of a similar feature in Microsoft Defender.
It is interesting that my blocked files are automatically checked not only by local signatures but also by the cloud backend. I am not sure why, but this increases the Defender protection.
 
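The wildcard exclusions and the cloud-backend checks discussed in the last two posts can be reviewed from PowerShell. The script below is an added example, not code from anyone in the thread: it lists the current Defender exclusions, flags the broad patterns (wildcards, user-writable Temp folders) that the post warns weaken protection, shows the MAPS/cloud settings, and pulls the event-log entries that record exclusion changes. The two example path patterns are assumptions chosen for illustration, and the script applies neither of them.

```powershell
# Added example, not from the thread. Needs Windows with the Defender module
# (Get-MpPreference) and an elevated prompt to read the Defender event log.

# The kind of wildcard exclusion described in the post (assumed pattern; NOT applied here).
# It would exclude every .tmp file in every user's Temp folder.
$BroadPattern  = 'C:\Users\*\AppData\Local\Temp\*.tmp'
# A narrower alternative that only covers one build output folder (also assumed; not applied).
$NarrowPattern = 'C:\Build\AutoIt\out\*.tmp'
# To apply one of them you would run, in an elevated shell:
#   Add-MpPreference -ExclusionPath $NarrowPattern

$pref = Get-MpPreference

function Test-RiskyExclusion {
    param([string]$Path)
    # Simple heuristics for exclusions that widen the attack surface
    $reasons = @()
    if ($Path -match '[\*\?]')                   { $reasons += 'contains wildcard' }
    if ($Path -match '(?i)\\Temp\\|\\AppData\\') { $reasons += 'user-writable location' }
    return ,$reasons
}

'== Path exclusions =='
foreach ($p in $pref.ExclusionPath) {
    $r = Test-RiskyExclusion $p
    if (@($r).Count -gt 0) { "RISKY  $p  ($($r -join ', '))" } else { "ok     $p" }
}

'== Process exclusions (cover files the listed process opens, not the binary itself) =='
foreach ($proc in $pref.ExclusionProcess) { "       $proc" }

'== Extension exclusions (always broad: every file with that extension) =='
foreach ($ext in $pref.ExclusionExtension) { "RISKY  .$ext  (extension-wide)" }

# Cloud backend settings: MAPS membership (0 = off, 1 = basic, 2 = advanced) and sample submission
"MAPSReporting        : $($pref.MAPSReporting)"
"SubmitSamplesConsent : $($pref.SubmitSamplesConsent)"

# Defender logs configuration changes, including exclusion edits, as event ID 5007.
# Listing them lets you spot exclusions added outside your own change process.
'== Recent exclusion changes (event 5007) =='
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, @{ n = 'Change'; e = { ($_.Message -split "`n")[0] } }
```

Run it from an elevated PowerShell before and after adding an exclusion: the path list shows what is excluded, the RISKY markers show which entries match the broad shape the post cautions against, and the 5007 events give you an audit trail for the change.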