Andy Ful

Level 44
Verified
Trusted
Content Creator
Someone made the exaggerated claim that Windows Defender at default settings has only definition checking. This is a mistake. At default settings it has behavior monitoring and script scanning and more. These functions may not be as robust as in certain other AVs, but they do exist. Those who want more aggressive protection from Windows Defender can use ConfigureDefender to enable additional mitigations and higher levels of protection. While ConfigureDefender may not be appropriate for those who think that their computer is a toaster, it is quite appropriate for anyone participating in this discussion.
Using ConfigureDefender is simpler and safer than using a toaster.
Run, click HIGH, click REFRESH, click Close. :giggle:
 
wd was too heavy for my old i3 computer, it slowed it down to a crawl. on my atom computer, it was virtually unusable. some other solutions are simply lighter (and actually score better in the labs). don't get me wrong, i like wd, i'm just saying, there are good reasons some people don't use it.
 

oldschool

Level 30
Verified
wd was too heavy for my old i3 computer, it slowed it down to a crawl. on my atom computer, it was virtually unusable. some other solutions are simply lighter (and actually score better in the labs). don't get me wrong, i like wd, i'm just saying, there are good reasons some people don't use it.
I'm curious how long ago you tried it, and what OS version were you on?
 

Cortex

Level 9
it's true. people with some knowledge use their PCs entirely different from average users
average users usually bloated with millions of unorganized icons on desktop and a long list of enabled startup items
How do you know how my partner has her desktop? I thought she was meeting someone in secret. If you are meeting her help me out & sort her desktop out when you meet her, it's too much for me, though I try endlessly ;) ;) ;)
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
Evjl's Rain ,

I repeated my old test with WD BAFS samples.
  1. Apply WD default settings.
  2. Turn on Shadow Defender to prevent local AI learning.
  3. Use Edge browser and WD Demo page to generate fresh samples detected as malicious by WD BAFS.
  4. Recover the samples from quarantine, copy to the c:\zzz folder and commit the folder in Shadow Defender. It is not easy, because many samples will be deleted by WD (not quarantined).
  5. Reboot the computer and open the c:\zzz folder (nothing happens, samples are ignored by signatures, local AI, and cloud-delivered protection).
  6. Turn off the Internet connection, and use RunBySmartScreen to add MOTW to each sample (do not run samples).
  7. Turn on the Internet connection and open the c:\zzz folder (nothing happens, samples are already cached).
  8. Reboot the computer and open the c:\zzz folder. WOW, the samples are now checked on access by cloud-delivered protection and removed as malware.
I think that this test proves that cloud-delivered protection can work on access, assuming that files are recognized by WD as downloaded from the Internet.
It also shows that already cached files are not checked against the cloud AI until the cache is cleared.
 
Last edited:
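Step 6 of the test above relies on the Mark-of-the-Web, which on NTFS is simply a `Zone.Identifier` alternate data stream on the file. The PowerShell below is an added example (not from the post, and not RunBySmartScreen's code): it inspects that stream on every file in `C:\zzz` (the folder used in the post), attaches `ZoneId=3` where it is missing, and afterwards lists what Defender's detection history reports for that folder. The function names are my own; the cmdlets and the stream format are the standard Windows ones.

```powershell
# Added example (not from the thread): inspect and attach the Mark-of-the-Web
# (the Zone.Identifier alternate data stream) on files in a test folder, then
# list what Defender reports for that folder. C:\zzz is the folder used in the
# post; the helper names are my own. Assumes Windows 10+ / PowerShell 5.1+.

function Get-MotwZone {
    # Returns the ZoneId from the Zone.Identifier stream, or $null when the
    # file carries no MOTW (Windows then treats it as a local file).
    param([Parameter(Mandatory)][string]$Path)
    try {
        $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-MotwInternetZone {
    # Writes a Zone.Identifier stream with ZoneId=3 (URLZONE_INTERNET), the
    # same marker a browser attaches to a download. Defender and SmartScreen
    # use it to decide that the file came from the Internet.
    param([Parameter(Mandatory)][string]$Path)
    $motw = "[ZoneTransfer]`r`nZoneId=3`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $motw -NoNewline
}

$folder = 'C:\zzz'

# Mark every file that is not marked yet and show the before/after zone.
Get-ChildItem -LiteralPath $folder -File | ForEach-Object {
    $before = Get-MotwZone -Path $_.FullName
    if ($null -eq $before) { Set-MotwInternetZone -Path $_.FullName }
    [pscustomobject]@{
        File       = $_.Name
        ZoneBefore = $before
        ZoneAfter  = Get-MotwZone -Path $_.FullName
    }
} | Format-Table -AutoSize

# Once the Internet connection is back and the folder has been opened again
# (step 8), Defender's own history shows what the on-access scan decided.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$folder*" } |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Format-Table -AutoSize
```

Reading the stream with `Get-Content -Stream` rather than trusting a file's appearance is also a quick way to verify the precondition of the post's conclusion: a file with no `Zone.Identifier` stream is exactly the case in which WD does not treat it as downloaded from the Internet.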

Andy Ful

Level 44
Verified
Trusted
Content Creator
While all you argue about security things and beat the same topics to death over and over here, people like me are having fun and a really good time with much more important things
I am glad that such a kind and wise person as you have got some fun while reading posts here.
You can PM your preferences about posting, and I will try to post something especially for you. :oops:

Edit.
Did you notice that your post was off topic? (oops, my post, too.) :emoji_thinking:
 
Last edited:

Andy Ful

Level 44
Verified
Trusted
Content Creator
Evjl's Rain thanks for a very interesting malware test:
The important factor can be the fact that the test with malware execution, which infected the system, was performed before the BAFS test.
As usual with WD, there can be two or more interpretations of the results:
  1. BAFS has a better detection (on access, file with MOTW) than WD detection on execution (when the file does not have MOTW).
  2. Both have the same detection, but the result can be better for the second. Why?
    The user has already executed the malware which infected the computer and the WD telemetry alarmed the cloud. AI in the cloud finished the analysis and recognized the malware before starting the BAFS test, but was not fast enough to stop the infection in the previous test.
Here is the video on the second possibility (thanks Sunshine-boy):

Anyway, the test shows how quickly WD AI can recognize the never-seen malware.
 
Last edited:

Evjl's Rain

Level 41
Verified
Trusted
Content Creator
Malware Hunter
Evjl's Rain thanks for an interesting malware test:

As usual with WD, there can be two or more interpretations of the results:
  1. BAFS has a better detection (on access, file with MOTW) than WD detection on execution (when the file does not have MOTW).
  2. Both have the same detection, but the result can be better for the second. Why?
    The user has already executed the malware which infected the computer and the WD telemetry alarmed the cloud. AI in the cloud finished the analysis and recognized the malware before starting the BAFS test, but was not fast enough to stop the infection in the previous test.
Here is the video on the second possibility (thanks Sunshine-boy):

Anyway, the test shows how quickly WD AI can recognize the never-seen malware.
the problem is I saw Microsoft detection on VT hours before the test => they already recognized this malware
in this test, I found out WD's latest signatures are slightly outdated compared to VT. This is interesting (clicked check for update 3 times)
also the MS engine on VT has a different detection name from WD cloud

I wish to test a sample completely unseen by MS to see how WD reacts to it

do you know anything about behavior monitoring in default settings? I've never seen it working, perhaps it only works in high settings
=> I will try to test WD in high settings, offline mode to check out behavioral monitoring, unless it depends on the cloud
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
...
do you know anything about behavior monitoring in default settings? I've never seen it working, perhaps it only works in high settings
=> I will try to test WD in high settings, offline mode to check out behavioral monitoring, unless it depends on the cloud
WD uses local behavior monitoring which is probably connected with the local machine learning module. The same is true, in the extended form, for AI in the cloud.
When the AV uses AI, then the traditional meaning of heuristics, Behavior Blocker, etc. is not precise, because the machine learning uses them all as a basis for calculating how malicious the sample is.
 

Evjl's Rain

Level 41
Verified
Trusted
Content Creator
Malware Hunter
WD uses local behavior monitoring which is probably connected with the local machine learning module. The same is true, in the extended form, for AI in the cloud.
When the AV uses AI, then the traditional meaning of heuristics, Behavior Blocker, etc. is not precise, because the machine learning uses them all as a basis for calculating how malicious the sample is.
according to what I read from MS and MS' supporters, Behavior monitoring is like a telemetry tool for the cloud
so WD may not have a true local BB (like avast)
 

Raiden

Level 12
Verified
Content Creator
Lots of good points on either end. You'll always get mixed reactions, especially when it comes to WD.

IMHO WD has improved significantly both on the protection side and the performance side. I have had zero issues with WD, no FP issues and on both my systems I don't even notice it. Everyone will have different experiences and the same can be said for any product. TBH I've had more issues/annoyances with 3rd party AVs compared to WD. Furthermore, 3rd parties are getting more and more in the news for causing issues/conflicts compared to WD.

Tools like ConfigureDefender make it super easy to tweak it if you so choose. If one wants to, there are other programs such as SysHardener, Hard_Configurator, VS, OSA, etc... to further lock down the system and cover any gaps that WD doesn't cover.

Does that mean WD is perfect, no, it definitely has room for improvement, but it's far better now compared to when it first came out. For the record, every product has room to improve.

I also agree with @Andy Ful, some 3rd parties may do a slightly better job than WD for those who like to download cracks and stuff, but as we all know, this habit will still get them into trouble, as every product will miss things. It's why I'm not a fan of using a product as a substitute to educating users. One should never assume that if they use x product that they will never get infected, it will never be true unfortunately.

At the end of the day, choose whichever product works best for you, there are many great choices out there, but like it or not WD has improved enough that it is more than capable of replacing 3rd parties IMO.
 
Last edited:

Andy Ful

Level 44
Verified
Trusted
Content Creator
according to what I read from MS and MS' supporters, Behavior monitoring is like a telemetry tool for the cloud
so WD may not have a true local BB (like avast)
I do not think so.
From the above article, it is clear that WD has a local behavior monitoring module. It is shown in the picture (Figure 2. Layered machine learning defenses in Windows Defender AV) as Client ML (Local ML models, behavior-based detection algorithms, generics and heuristics). (y)
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
Here is a nice summary of WD local and cloud features:
[Attachment 215521: image summarizing WD local and cloud features]

It is worth remembering that some of these features are available only in Windows E3 or E5 editions (for example Detonation-based ML, Reputation ML, Smart rules).
 
Last edited:

Local Host

Level 17
Verified
Here is a nice summary of WD local and cloud features:
[Attachment 215521: image summarizing WD local and cloud features]

It is worth remembering that some of these features are available only in Windows E3 or E5 editions (for example Detonation-based ML, Reputation ML, Smart rules).
That is extremely misleading, cause that is for Windows Defender ATP, which is a Professional Suite and is far more advanced and secure than the Home Version of WD.

The Home Version Behaviour Blocker is non-existent, Microsoft never mentioned a Behaviour Blocker in the Home Version either, every time they talk about it they are addressing Windows Defender ATP (and how it detected the latest malware, etc).

All the settings you are all so desperate to use and activate with custom configurators are all in Windows Defender ATP with a proper UI and logs.
 
Last edited:

Raiden

Level 12
Verified
Content Creator
The Home Version Behaviour Blocker is non-existent, Microsoft never mentioned a Behaviour Blocker in the Home Version either, every time they talk about it they are addressing Windows Defender ATP (and how it detected the latest malware, etc).
I may be wrong, maybe @Andy Ful can clarify, but from my understanding the home and enterprise versions are interlinked when it comes to cloud based protection, so if the home version finds something the business version is automatically protected and vice versa. I could be wrong though.
 

Local Host

Level 17
Verified
I may be wrong, maybe @Andy Ful can clarify, but from my understanding the home and enterprise versions are interlinked when it comes to cloud based protection, so if the home version finds something the business version is automatically protected and vice versa. I could be wrong though.
The cloud is connected, but the feature set and protection are entirely different, he's trying to sell Windows Defender with a Windows Defender ATP article (which is far superior, and something I would recommend to companies, contrary to what I would do in Home Environments).

All this keeping in mind even the Cloud on WD in Home Environments is slow to update, the majority of you are probably on outdated samples right now (which makes sense, considering Professional Environments face 0-days, not Home Environments).
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
That is extremely misleading, cause that is for Windows Defender ATP, which is a Professional Suite and is far more advanced and secure than the Home Version of WD.
Yes, the article is generally misleading, but not in the context of comparing Client ML with Cloud ML.
The Home Version Behaviour Blocker is non-existent, Microsoft never mentioned a Behaviour Blocker in the Home Version either, every time they talk about it they are addressing Windows Defender ATP (and how it detected the latest malware, etc).
...
You are wrong. But it is probably not your fault, but Microsoft's. MS uses "Windows Defender ATP" with two different meanings.
  1. As Windows built-in features.
  2. As the software that can be installed on Windows Pro, E3, E5, etc. (but not on Windows Home) to manage 1.
Furthermore, the MS articles are usually related to the Enterprise editions and MS software (paid & not cheap) used in Enterprises.
In fact, Microsoft does not use the terminology 'Behaviour Blocker' but rather behavior monitoring.

Please read carefully the comparison table published by MS, and mentioned several times on MT forum:
especially the entry 'Runtime behavior monitoring' in the second table (Next Generation Protection). (y)
 
Last edited:

Andy Ful

Level 44
Verified
Trusted
Content Creator
The cloud is connected, but the feature set and protection are entirely different, he's trying to sell Windows Defender with a Windows Defender ATP article (which is far superior, and something I would recommend to companies, contrary to what I would do in Home Environments).
That is true. Most MS articles do not mention that many advanced features are not available in Windows Home (as I already noted).
All this keeping in mind even the Cloud on WD in Home Environments is slow to update, the majority of you are probably on outdated samples right now (which makes sense, considering Professional Environments face 0-days, not Home Environments).
WD Cloud is updated on MS servers and any computer with WD and Internet connection can use it. What other clouds do you have in mind?
 
Last edited:

Raiden

Level 12
Verified
Content Creator
All this keeping in mind even the Cloud on WD in Home Environments is slow to update, the majority of you are probably on outdated samples right now (which makes sense, considering Professional Environments face 0-days, not Home Environments).
I guess the next question would be, does changing the cloud block level and cloud lookup time make a difference in terms of speed? Furthermore, I think you can change the default signature update interval to 1 hour via PowerShell if you wanted to.

I agree with @Andy Ful, MS doesn't always explain themselves very well, hence all the confusion as to how WD really works and the technology it has. Despite all the confusion, WD for home does share some of its capabilities. It's just not the full feature set, but some of its underlying technology is there in the home version, if I'm not mistaken.

Further on your last point. You are 100% correct about zero day malware. The chances of a home user running into a true zero day piece of malware is pretty much close to zero, no pun intended. Now if you are a business/enterprise, your chances are far higher, as the hackers leave their zero days for them, not home users.

The way I look at it, if there are people who like to download cracks and stuff and one feels like they won't change their habits you really only have 2 options IMO.

1. If they aren't reliant on Windows, switch them to a Chromebook, or a Linux distro.

2. If they need Windows, lock it down. No product will keep them infection free forever if they continue to practice poor habits.

Everyone blames the software for their troubles, but it's often what the person was doing that got them infected. ;) Even most major security breaches are the result of someone opening an email/attachment, or falling for a phishing scam, meanwhile the AV is sitting idly by not aware of anything going on.
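The cloud block level, cloud lookup timeout and signature update interval that the post above asks about are all ordinary Defender preferences, and the default state of behavior monitoring that the thread argues over is visible the same way. The PowerShell below is an added example, not code from the thread or from ConfigureDefender: it prints a summary of those settings, then raises the cloud-related ones to values that approximate what this thread calls a "HIGH" profile (my choice of values, not ConfigureDefender's actual profile). The function names are my own; the `Get-MpPreference`, `Get-MpComputerStatus` and `Set-MpPreference` cmdlets and their parameters are the real ones. Run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): read the Defender settings discussed
# above and, optionally, raise the cloud-protection knobs. Requires an
# elevated PowerShell; the helper names are my own, the Set-MpPreference
# parameters and enum values are the documented ones.

function Get-DefenderProtectionSummary {
    # Collects the settings the thread argues about into one object.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        BehaviorMonitoring   = -not $pref.DisableBehaviorMonitoring   # on by default
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        CloudProtection      = $pref.MAPSReporting         # 0 Off, 1 Basic, 2 Advanced
        SampleSubmission     = $pref.SubmitSamplesConsent  # 0 Prompt, 1 Safe, 2 Never, 3 All
        CloudBlockLevel      = $pref.CloudBlockLevel       # 0 Default, 2 High, 4 HighPlus, 6 ZeroTolerance
        CloudExtraTimeoutSec = $pref.CloudExtendedTimeout  # seconds added to the 10 s default lookup
        SigUpdateEveryHours  = $pref.SignatureUpdateInterval  # 0 = leave the scheduled default
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureAge         = (Get-Date) - $status.AntivirusSignatureLastUpdated
    }
}

function Set-DefenderCloudHigh {
    # My approximation of a "HIGH" cloud profile: advanced MAPS reporting,
    # send all samples, high cloud block level, the maximum 50 s extra wait
    # for a cloud verdict, and hourly signature checks. Each line is
    # reversible by calling Set-MpPreference with the default value again.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    Set-MpPreference -CloudBlockLevel High
    Set-MpPreference -CloudExtendedTimeout 50
    Set-MpPreference -SignatureUpdateInterval 1
}

'Before:'; Get-DefenderProtectionSummary | Format-List
Set-DefenderCloudHigh
'After:';  Get-DefenderProtectionSummary | Format-List
```

The `SignatureAge` field answers the "outdated samples" question for a given machine directly: if it is regularly larger than the update interval you set, the box is not reaching the update servers, which is a different problem from the cloud being slow. Note that a longer `CloudExtendedTimeout` only matters for the first on-access lookup of a file; as the BAFS test earlier in the thread showed, a verdict that is already cached is reused without a new cloud query.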