Using Defender as your first line of defense

Andy Ful

Level 80
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,970
...
What VS will add? nothing much, so basically wasting resources and offering surface attacks.
That is right. Using both H_C and VS can hardly be recommended, for many reasons.
Anyway, many users will choose VS (over SRP/H_C) because it seems more user-friendly. Windows built-in SRP blocks some processes silently, so the user who is not trained/accustomed to security Logs can have a problem to see if something was blocked and what concretely was blocked.
It is much easier with H_C because it uses NirSoft FullEventLogView (with custom config) to see the blocked entries, but it is still easier with VS because the info about the blocked process can be seen in the VS alert.
On the other side, some users will prefer SRP, if they do not like too much prompting about things they already know.
 

RoboMan

Level 34
Thread author
Verified
Top poster
Content Creator
Well-known
Jun 24, 2016
2,344
It is a simple real-time scanner with some cloud capabilities, what did you expect?
Take all the 3rd party vendors AVs, remove every components except the real-time scanner, i bet maybe only ESET or Kaspersky would do well.
WD was made to offer basic, decent, free protection to ALL Windows' users without any hassle or setup to do.
This. Just imagine Defender offering Application Control or SRP capabilities directly from the antivirus GUI. That would lead to thousands of novices breaking their systems or worse, Defender breaking everything in an attemp to protect retar** users.
 

Andy Ful

Level 80
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,970
This. Just imagine Defender offering Application Control or SRP capabilities directly from the antivirus GUI. That would lead to thousands of novices breaking their systems or worse, Defender breaking everything in an attemp to protect retar** users.
That is true for SRP/AppLocker/ApplicationControl in their current form. But, Microsoft could easily introduce something similar to H_C profiles, which can safely apply/remove the complex security settings via one mouse click.
 

blackice

Level 36
Verified
Top poster
Well-known
Apr 1, 2019
2,557
That is true for SRP/AppLocker/ApplicationControl in their current form. But, Microsoft could easily introduce something similar to H_C profiles, which can safely apply/remove the complex security settings via one mouse click.
What a beautiful world that would be. I would appreciate it, but I don’t expect it to happen.
 

blackice

Level 36
Verified
Top poster
Well-known
Apr 1, 2019
2,557
The irony .:rolleyes:

As-is with no install or set-up, Defender is the easiest to use.

For maximum effectiveness and efficiency, Defender is the most complicated and obscure. By far.
The other funny thing. For most users, with decent online hygiene, default is probably all they need, maybe increased time for cloud lookup. It’s the happy clickers who need the advanced settings, and they’re the most likely to be on default.
 

Andy Ful

Level 80
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,970
The other funny thing. For most users, with decent online hygiene, default is probably all they need, maybe increased time for cloud lookup. It’s the happy clickers who need the advanced settings, and they’re the most likely to be on default.
Most average users even do not know that they are happy clickers.:)
 

Andy Ful

Level 80
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,970
Yes in some cases, and No in some cases. This will be true for most AVs. The AV has a chance to stop it when executed from disk, like in malware tests. But not necessarily, if it will be loaded into memory by another malware/exploit on the already infected system, which probably will be the case in the wild. Many Phoenix samples do not try to obtain persistence and can detect a virtual machine environment. So, Phoenix will be hard to detect by the AV.
The better chances have security solutions based on NIDS, that can monitor network traffic.
Such malware cannot magically appear on your computer. It has to be delivered, usually via phishing + exploits. The best method to avoid it, will be updating Windows and installed software.

"Delivery Method

By default, Illusion supplies the Phoenix keylogger to their buyers as a stub. The buyer must use their own methods to deliver the stub to the target machine. The majority of Phoenix infections we observe originate from phishing attempts that leverage a weaponized rich text file (RTF) or Microsoft Office document. These deliveries do not use the more popular malicious macro technique, but instead use known exploits. Most commonly, they exploit the Equation Editor vulnerability"
.

 

South Park

Level 8
Verified
Jun 23, 2018
398
In my experience, a content blocker like uBO or Nano blocker is even more important than an antivirus. I've had a few warnings and blocked pages from content blockers when seemingly trustworthy sites tried to redirect me to suspicious places. That said, I feel confident using Defender and the built-in Exploit Guard in Windows 10 (plus a NVT product on the side).

In the 15 years that I've used Windows Defender, its forerunner MSE, and Avast free on various computers, I've never had an infection as determined by a second-opinion scanner. The only time I got infected was while using Norton in 2003, and I once picked up an inert Java RE virus when using the now-defunct CA antivirus.
 

Users who are viewing this thread