Andy Ful

Level 44
Verified
Trusted
Content Creator
...
All the settings you are all so desperate to use and activate with custom configurators are already in Windows Defender ATP with a proper UI and logs.
What do you mean by WD ATP? The MS software (not available on Windows Home) or Windows built-in features (some available on Windows Home)?
The second can be conveniently configured (without any desperation) with a few mouse clicks via the custom configurator: https://malwaretips.com/threads/why-are-we-even-messing-with-anything-other-than-wd-these-days.93326/post-821405

By the way, what custom configurators (except ConfigureDefender) do you have in mind?:emoji_thinking:
The user could also use reg tweaks or PowerShell, but this would not be an acceptable way for most home users.(y)

...
The way I look at it, if there are people who like to download cracks and stuff and one feels like they won't change their habits you really only have 2 options IMO.

1. If they aren't reliant on Windows, switch them to a Chromebook or a Linux distro.

2. If they need Windows, lock it down. No product will keep them infection free forever if they continue to practice poor habits.
...
And how they could install/run pirated software?:giggle:
That is why they use Windows (unrestricted) in the first place.(y)
 
Last edited:

Local Host

Level 17
Verified
There's only one designation for ATP and it is Advanced Threat Protection; it also doesn't address in-built features (outside the new tools to manage them), as customers pay a premium for the extra features and tools.

The updates are also way faster with no delays, compared to the normal channels (and that includes the cloud; believing everyone is kept up to date 24/7 is insane, it is made in waves and Enterprise takes priority).

Claiming otherwise is wrong.
 
Last edited:
  • Like
Reactions: oldschool

SumTingWong

Level 22
Verified
Actually, much of the protection comes from the cloud, which is why by default it does not update signatures often. Its other default settings are what make it seem weak, e.g. 10 sec timeout period for cloud check vs. 60 sec. And Smartscreen is quite powerful, especially when implemented across the entire OS (forced Smartscreen). Testing in the Hub gives only the snapshot view under extreme conditions vs. everyday usage for the average user.
I see 3rd party AV zero day defense mechanisms kick in more than Windows's Smartscreen at default.
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
There's only one designation for ATP and it is Advanced Threat Protection; it also doesn't address in-built features (outside the new tools to manage them), as customers pay a premium for the extra features and tools.
That is not true for 'Windows Defender Advanced Threat Protection'. Just look at the name of the first table in: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv .
Microsoft clearly shows in this document that some WD ATP features are available in Windows Home. At the same time, you can look at what MS writes about licensing:

Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
  • Windows 10 Enterprise E5
  • Windows 10 Education E5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5

So, it is clear that the term "Windows Defender Advanced Threat Protection" is used by MS with two different meanings. The first (in the comparison document) includes Windows Home, Pro, and E3. The second (Licensing requirements) does not. Furthermore, there are also Azure ATP and Office 365 ATP.
But those details are not important for the home users. The important fact is that some valuable features (like behavior monitoring or ASR rules) are already present and can be configured in Windows Home, despite the common belief that it is not possible.

The updates are also way faster with no delays, compared to the normal channels (and that includes the cloud; believing everyone is kept up to date 24/7 is insane, it is made in waves and Enterprise takes priority).

Claiming otherwise is wrong.
We did not talk about WD updates in Enterprises as compared to home users, so there is no need to defend that.
Still, I do not understand what cloud you have in mind. Do you mean that Enterprises have some preference in accessing the WD cloud (which is not the same as updating the cloud)?
I do not know if this can be true (maybe it is, who knows) or how this difference could diminish home user protection.
 

Evjl's Rain

Level 41
Verified
Trusted
Content Creator
Malware Hunter
I performed a re-test of yesterday's sample (1.exe), tests 2 & 3
the results were identical
- Extracted with 7-zip: WD didn't scan the file with cloud (no new connection) -> executed -> infected and after a while, blocked
- Extracted with File explorer/bandizip: immediately blocked by cloud during extraction

I was surprised that WD's signature was ~1-day old although I clicked "check for update" 6 times
so there has been no change since my last test
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
I performed a re-test of yesterday's sample (1.exe), tests 2 & 3
the results were identical
- Extracted with 7-zip: WD didn't scan the file with cloud (no new connection) -> executed -> infected and after a while, blocked
- Extracted with File explorer/bandizip: immediately blocked by cloud during extraction

I was surprised that WD's signature was ~1-day old although I clicked "check for update" 6 times
so there has been no change since my last test
The test is still inconclusive (but this result surprised me). You should repeat the test, extracting the file both with Bandizip and 7-ZIP, without executing anything.(y):giggle:
After that, you can execute the file extracted via 7-ZIP.
 

Evjl's Rain

Level 41
Verified
Trusted
Content Creator
Malware Hunter
The test is still inconclusive (but this result surprised me). You should repeat the test, extracting the file both with Bandizip and 7-ZIP, without executing anything.(y):giggle:
I have done this type of test 4 times in total. Still get the same result
extracting with 7zip doesn't spawn any connection while with file explorer or bandizip, there is clearly a new connection
I left the file executed by 7z for 2 minutes, nothing happened, CPU usage was low, like it didn't do anything

I even tested with high settings (reboot) and extracted with 7zip
- 1st time: blocked shortly after executed, no encryption
- 2nd time: files were encrypted, blocked late
=> inconsistent

offline + high settings
Very high CPU during analysis (~70%), encrypted, no action from WD

I guess WD strictly depends on the cloud. There is no blocking component that works offline except signatures
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
The results are strange.
What exactly is the result of the extraction by 7-ZIP and Bandizip without executing anything? I mean the test on a system which did not see those executables before extracting.
Is the file extracted by Bandizip quarantined?
 
  • Like
Reactions: oldschool

Andy Ful

Level 44
Verified
Trusted
Content Creator
Threads are like a comedian strip.

One person wants to promote Windows Defender, another person wants to say it is weak.

What do people gain from these absurd threads, except for the ones posting over and over and aggressively promoting their point of view?

Most people just spectate and shake their heads.



Not an exaggeration. Script scanning is pattern matching. So sure, it's detection via "signature" of script or pattern, same with behavioral tracking. This is in the documentation. Test before you post. Write known malicious scripts and watch how Windows Defender detects them. It's by signature or pattern matching via AMSI.

Lots of nonsense as usual on the 1000th Windows Defender thread.



Microsoft's fault. It releases these articles with only IT pros in consideration, with complete disregard for the home user. I think MS is very deliberate in its confusing marketing materials and purposefully does not release working notes.

All of these debates of "I am right and you are wrong" are wasted effort, because most people on forums are like me - they don't care who is right and who is wrong. We users are going to use what we're going to use, and long argument threads like this result in nothing for us.
No comment. :giggle:
 

Evjl's Rain

Level 41
Verified
Trusted
Content Creator
Malware Hunter
The results are strange.
What exactly is the result of the extraction by 7-ZIP and Bandizip without executing anything? I mean the test on a system which did not see those executables before extracting.
Is the file extracted by Bandizip quarantined?
Extracting the file with Bandizip, WD blocks it immediately, before it finishes extracting. No file is left for execution. Then WD caches it; from this point on, the file will be deleted when extracted using anything.

7z: removes MOTW, so WD only uses signatures for scanning this file before execution. The file is untouched
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
Extracting the file with Bandizip, WD blocks it immediately, before it finishes extracting. No file is left for execution. Then WD caches it; from this point on, the file will be deleted when extracted using anything.

7z: removes MOTW, so WD only uses signatures for scanning this file before execution. The file is untouched
Thanks. That (and the previous tests) proves that files with MOTW are better detected by WD on execution than files without MOTW. So, using BAFS and software that does not bypass it (like Bandizip) is recommended for better protection. :giggle: (y)
 
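The two posts above turn on whether the extracted file still carries the Mark-of-the-Web (MOTW), which on NTFS is the `Zone.Identifier` alternate data stream that BAFS and SmartScreen key on. The PowerShell below is an added example, not code from the thread or from any product mentioned in it: it reports which files in a folder still have the stream and which ZoneId it holds, and can re-stamp an Internet-zone MOTW on files that lost it during extraction, so Defender treats them like fresh downloads again. The function names and the demo files are this example's own.

```powershell
# Added example, not from the thread: check and restore the Mark-of-the-Web
# (the NTFS "Zone.Identifier" alternate data stream) on extracted files.
# Requires Windows PowerShell / PowerShell on Windows and an NTFS volume.

function Get-MotwState {
    # For every file under $Path, report whether a Zone.Identifier stream exists
    # and which ZoneId it carries (3 = Internet, 4 = Restricted Sites).
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $zoneId = $null
        try {
            $ads = (Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop) -join "`n"
            if ($ads -match 'ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        } catch {
            # No Zone.Identifier stream on this file: no MOTW.
        }
        [pscustomobject]@{
            File    = $_.FullName
            HasMotw = ($null -ne $zoneId)
            ZoneId  = $zoneId
        }
    }
}

function Set-MotwInternet {
    # Re-applies an Internet-zone MOTW, which is what a browser writes on download.
    param([Parameter(Mandatory)][string[]]$File)
    foreach ($f in $File) {
        Set-Content -LiteralPath $f -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    }
}

# --- Constructed demo (hypothetical files): one stamped like a download, one not ---
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'downloaded.txt') -Value 'constructed sample'
Set-Content -LiteralPath (Join-Path $demo 'extracted.txt')  -Value 'constructed sample'
Set-Content -LiteralPath (Join-Path $demo 'downloaded.txt') -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Before: only downloaded.txt should report HasMotw = True.
Get-MotwState -Path $demo | Format-Table -AutoSize

# Restore MOTW on whatever lacks it, then re-check.
Get-MotwState -Path $demo | Where-Object { -not $_.HasMotw } | ForEach-Object { Set-MotwInternet -File $_.File }
Get-MotwState -Path $demo | Format-Table -AutoSize
```

Point `Get-MotwState` at the same archive extracted once with 7-Zip and once with Bandizip or File Explorer to see directly which tool drops the stream; `Unblock-File` is the built-in cmdlet that removes it, which is the opposite of what you want for unknown executables. Re-stamping gives Defender its cloud/BAFS check back on the next execution, but it does not retroactively scan files that have already run.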

Raiden

Level 12
Verified
Content Creator
All of these debates of "I am right and you are wrong" are wasted effort, because most people on forums are like me - they don't care who is right and who is wrong. We users are going to use what we're going to use, and long argument threads like this result in nothing for us.
Well, to be fair this happens all the time, not just with WD. You're absolutely right that overall the vast majority of people who use computers in general don't really care for this type of thing and they will use whatever they want. This back and forth (especially for WD) has been going on for a while now. People sometimes get passionate about certain products one way or another, so it definitely seems like we are beating a dead horse, over and over.

When it comes to WD, I think part of the problem is that while it has improved significantly on many fronts over the years and continues to do so, there are those who don't feel comfortable yet (which is understandable), those who no matter what one says will still ignore the facts, and those who haven't tried it since Windows 8. Naturally, those who have been using it for a while and keep using it have a lot of experience with it and have seen the improvements, so it's understandable that one may get frustrated and post their side in hopes to dispel some of the misinformation. Like I said, however, this will apply to all products and you can find threads with these exact arguments for products other than WD.

Like it has already been said, MS has done a poor job of explaining how the different versions compare to one another and what each version is capable of. Naturally this has led to a lot of confusion and misunderstanding on how it works, which is very evident in this thread.

In keeping with the purpose of this thread, my feeling is that yes, WD is more than capable of replacing 3rd parties for the reasons I mentioned previously. It's not perfect, no product is, but it's more than enough. Like I said, the chances of a home user running into a true zero-day piece of malware are pretty much zero. Unfortunately and naturally, the fear and paranoia in security forums kick in and all that people focus on is zero-days, rather than education on how to prevent malware infections in the first place. Doesn't mean it can't happen, but as the saying goes, an ounce of prevention is worth a pound of cure.

At the end of the day security products can't always protect users from themselves, it's why I always preach good security habits. After it's all said and done, there are tons of great options out there, pick one that works best for you, practice safe habits and chances are you will remain infection free, no matter which product one uses.(y);)
 
Last edited:

blackice

Level 7
For performance, these videos may be considered:



Versus malware:

To be fair his methods are skewed a bit to certain types of use and he definitely favors certain products. I like his videos and find his opinions insightful. But the system impact of WD on one computer doesn’t give the whole picture. Also certain tasks that a lot of people don’t do are more impacted than others. So the way a user is interacting with the system can cause the impact of using WD to vary for them.
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
This thread is in some parts redundant because many topics were discussed several times on similar threads. I tried to make a summary about Windows Defender on the thread:
But still, it seems that many people have little knowledge about how WD works on Windows 10 and what its real capabilities are on Windows Home.
Here are some myths (related to WD on Windows 10):
  1. WD is a stellar AV which can compete with any Enterprise solution.
    That can be true on the Windows E5 edition with additional Microsoft services (not cheap) like Azure ATP, but not true on Windows Home. Furthermore, there are no native convenient tools which could allow configuring WD on Windows Home. One has to use PowerShell cmdlets, reg tweaks, or rely on a 3rd party configurator.
  2. WD has poor performance.
    Partially true for tasks related to computer management (installing/uninstalling applications, copying many executables, performing a full scan, etc.). Not true for the common daily tasks (web browsing, opening usual applications, starting the system, watching films, reading/editing documents, etc.).
  3. WD on Windows Home is poor protection for the home users.
    Not true. WD is a good free AV. Furthermore, it has better anti-script protection than most AVs (AMSI active by default, ASR rules can be activated). It also has special protection for executables from the Internet Zone (BAFS activated by default).
  4. Users on Windows Home cannot activate any ATP features.
    Not true. They can activate some ATP features (like the cloud block timeout period, ASR rules, Network Protection, etc.) by using PowerShell, tweaking the Registry, or using ConfigureDefender.
  5. The Block At First Sight (BAFS) feature works the same in all Windows 10 editions.
    Not true. It can depend on some cloud features which are available only on Windows E3 or E5 (for example detonation in the sandbox).
  6. WD on Windows Home does not use heuristics and behavior monitoring.
    Not true. Both are activated by default.
  7. WD on Windows Home cannot benefit from machine learning algorithms.
    Not true. It can use ML both locally and in the cloud, although Windows E3 and E5 have access to more advanced ML algorithms.
  8. Users on Windows Home do not benefit from detections made by advanced WD protection on Windows E3 and E5.
    Not true. The detections from Enterprises are shared with home users via BAFS.
That is all I could recall for this moment.:giggle:
 
Last edited:
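Myth 4 above says the cloud block timeout, ASR rules and Network Protection can be switched on from PowerShell on Windows Home. The script below is an added example (not code from the thread, ConfigureDefender, or Microsoft) that does exactly that with the built-in Defender module: it snapshots the current preferences, tightens cloud protection and Network Protection, registers a handful of ASR rules in audit mode first, and reads back the ASR events so you can see what would have been blocked before switching the rules to Enabled. The function names are this example's own; the ASR GUIDs are the ones published in Microsoft's ASR rules reference, and the event IDs 1121/1122 are Defender's own ASR block/audit events. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: inspect and tighten Defender settings on
# Windows Home with the built-in Defender PowerShell module (elevated prompt).

function Get-DefenderBaseline {
    # Snapshot of the settings worth reviewing before changing anything.
    # Enumerated values come back as numbers from Get-MpPreference.
    $p = Get-MpPreference
    [pscustomobject]@{
        MAPSReporting             = $p.MAPSReporting
        SubmitSamplesConsent      = $p.SubmitSamplesConsent
        CloudBlockLevel           = $p.CloudBlockLevel
        CloudExtendedTimeout      = $p.CloudExtendedTimeout      # extra seconds beyond the 10 s default
        DisableBehaviorMonitoring = $p.DisableBehaviorMonitoring
        EnableNetworkProtection   = $p.EnableNetworkProtection
        AsrRuleIds                = $p.AttackSurfaceReductionRules_Ids
        AsrRuleActions            = $p.AttackSurfaceReductionRules_Actions
    }
}

# ASR rule GUIDs as published in Microsoft's ASR rules reference; verify against the
# current list before deploying. Each is paired with its documented description.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
}

function Set-DefenderHardened {
    # Start ASR rules in AuditMode, review Get-AsrEvents, then re-run with -AsrAction Enabled.
    param([ValidateSet('AuditMode', 'Enabled')][string]$AsrAction = 'AuditMode')

    # Cloud protection: full MAPS reporting and sample submission, a higher cloud block
    # level, and up to 50 extra seconds for the cloud verdict (10 s default + 50 s = 60 s).
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    Set-MpPreference -CloudBlockLevel High
    Set-MpPreference -CloudExtendedTimeout 50

    # Network Protection: reputation-based blocking of outbound connections for all processes.
    Set-MpPreference -EnableNetworkProtection Enabled

    # ASR rules: Add-MpPreference appends to the existing rule list instead of replacing it.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $AsrAction
    }
}

function Get-AsrEvents {
    # ASR hits land in the Defender operational log: 1121 = blocked, 1122 = audited.
    param([int]$Max = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-DefenderBaseline
Set-DefenderHardened -AsrAction AuditMode
Get-AsrEvents
```

Leave the rules in audit mode for a few days of normal use; if `Get-AsrEvents` shows only noise you can live with, re-run `Set-DefenderHardened -AsrAction Enabled`. Anything set here shows up again in `Get-DefenderBaseline`, which is the same data ConfigureDefender reads, so the two can be used to cross-check each other.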

blackice

Level 7
This thread is in some parts redundant because many topics were discussed several times on similar threads. I tried to make a summary about Windows Defender on the thread:
But still, it seems that many people have little knowledge about how WD works on Windows 10 and what its real capabilities are on Windows Home.
Here are some myths (related to WD on Windows 10):
  1. WD is a stellar AV which can compete with any Enterprise solution.
    That can be true on the Windows E5 edition with additional Microsoft services (not cheap) like Azure ATP, but not true on Windows Home. Furthermore, there are no native convenient tools which could allow configuring WD on Windows Home. One has to use PowerShell cmdlets, reg tweaks, or rely on a 3rd party configurator.
  2. WD has poor performance.
    Partially true for tasks related to computer management (installing/uninstalling applications, copying many executables, performing a full scan, etc.). Not true for the common daily tasks (web browsing, opening usual applications, starting the system, watching films, reading/editing documents, etc.).
  3. WD on Windows Home is poor protection for the home users.
    Not true. WD is a good free AV. Furthermore, it has better anti-script protection than most AVs (AMSI active by default, ASR rules can be activated). It also has special protection for executables from the Internet Zone (BAFS activated by default).
  4. Users on Windows Home cannot activate any ATP features.
    Not true. They can activate some ATP features (like the cloud block timeout period, ASR rules, etc.) by using PowerShell, tweaking the Registry, or using ConfigureDefender.
  5. The Block At First Sight (BAFS) feature works the same in all Windows 10 editions.
    Not true. It can depend on some cloud features which are available only on Windows E3 or E5 (for example detonation in the sandbox).
  6. WD on Windows Home does not use heuristics and behavior monitoring.
    Not true. Both are activated by default.
  7. WD on Windows Home cannot benefit from machine learning algorithms.
    Not true. It can use ML both locally and in the cloud, although Windows E3 and E5 have access to more advanced ML algorithms.
  8. Users on Windows Home do not benefit from detections made by advanced WD protection on Windows E3 and E5.
    Not true. The detections from Enterprises are shared with home users via BAFS.
That is all I could recall for this moment.:giggle:
Although redundant, sometimes getting "into the weeds" about the details of how WD works can expose people to new knowledge. You have to rehash a little or a lot to get everyone on the same page, but we definitely gain insight when the discussion gets deep about the inner workings. Especially when they make changes.
 

Raiden

Level 12
Verified
Content Creator
To be fair his methods are skewed a bit to certain types of use and he definitely favors certain products. I like his videos and find his opinions insightful. But the system impact of WD on one computer doesn’t give the whole picture. Also certain tasks that a lot of people don’t do are more impacted than others. So the way a user is interacting with the system can cause the impact of using WD to vary for them.
I agree 100%

Performance testing isn't as easy as it's made out to be. Running a benchmark test (especially in a VM) doesn't really tell you the whole story. There are too many variables (software/hardware configurations) to say with 100% certainty how it will work out for everyone. Everyone will have different experiences with various products, and that's why it's important to test the program(s) for yourself on your system. That's the only true test of how it will perform on your system.

For me, I can tell you with 100% certainty that on my systems I don't even notice WD. It's faster than Eset on my systems. Nothing against Eset, it's a fantastic program with very good performance, but even with Eset I notice a lag when opening programs. I don't notice this with WD, and actually I haven't used a 3rd party product that hasn't slowed something down that I find faster with WD. This is just my experience and I know that everyone's will be different.(y)
 

LDogg

Level 29
Verified
On the topics of resource slow down, reliance on signatures, low detection rates & other reasons, I think this is why people are very reluctant to use WD, let alone considering WD as a choice.

~LDogg
 
  • Like
Reactions: oldschool