Advice Request Why are we even messing with anything other than WD these days?


Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
it depends on user type. For example, in my country, the number of people being infected with WD is countless since they frequently look for cracks, patches which are delivered via password-protected zip/rar files
in this case, WD only functions as a signature scanner, no more. Cloud can't save it as I demonstrated in some of my tests
advanced features like block at first sight and smartscreen are intentionally bypassed
forget about tweaking because 99% of WD users don't know about tweaking. If they know, they are unlikely to be infected in the first place

WD is a highly conditional AV, which functions in certain situations but doesn't in others (USB, password-protection archives, or anything not coming from your browser)
There is no security that could save people who frequently use cracks, illegal patches and intentionally bypass AV protection. But anyway, Malware Hub tests support the choice of another AV (to replace WD) for such users. I think that something like Kaspersky free would be a good choice.

Edit.
Such users will not benefit much from Kaspersky, because they simply will use more cracks to get a similar infection rate per month as with WD. :(
 

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
I have WD on 3 desktop PCs and 6 laptops. No problems at all.
I have WD on 28 PCs in company and no problems at all. Over 80 people using PCs and we never got infected, which is really weird since WD is such a garbage as some claim.

I had a BMW M5, a very nice car, I never liked it & now have another car, the M5 could never be described as garbage but I never did like it. We don't have to hate a product to prefer an alternative, even if others love it.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
WD will be a perfect AV if:
- MS adds caching mechanism to WD => no more re-scanning of a file in 1 logon
- Better behavioral blocker in default settings. I found it always sleeping in default settings, very reactive in tweaked settings, thanks to ConfigureDefender
- Faster signature update. I found it slow and resource-consuming when I clicked check for update
- Add an option to include BAFS (or smartscreen) in all conditions regardless of file origin => better hybrid default-deny
- Faster and more stable removal speed. I found it very slow and frequently reverted some of my registry tweaks :unsure:
- More compact UI
- Better exclusion menu: more detail and more specific (like Avast's old settings)
- More stable web filter. Sometimes works, sometimes doesn't
- More options in the main UI
- Better/more usable folder/ransomware protection

(optional) all the latest features for older windows versions: 8.1 and 7. It won't happen, though

There is no security that could save people who frequently use cracks, illegal patches and intentionally bypass AV protection. But anyway, Malware Hub tests support the choice of another AV (to replace WD) for such users. I think that something like Kaspersky free would be a good choice.
I know. That's why I never recommend WD for any people in my country because I know our daily routine and most people are still using HDD with low specs
as soon as I opened task manager, I always saw WD trying to read/write something to HDD, heavily (dark orange color disk %). Average users are unable to notice it since WD is enabled by default and they use it since the beginning

since I switched all of them to highly-tweaked kaspersky security cloud free and avast (performance is no.1 priority), that never happens again
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Yes, there is a lot of space for WD improvements. :giggle:

...
as soon as I opened task manager, I always saw WD trying to read/write something to HDD, heavily (dark orange color disk %).
...
This issue was reported by some other people too (but many do not have such issues at all). When I am looking at my task manager I can mostly see 0% disk usage and 1% CPU usage. So, the issue reported by you depends on the hardware or installed software. It can be also related to the hard disk drivers.:unsure:

Edit.
Similar performance issues were reported for other AVs (also for BitDefender and Kaspersky) and some users feel better with WD.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
This is what I can see only in the posts of some other people (many do not have such issues at all). When I am looking at my task manager I can mostly see 0% disk usage and 1% CPU usage. So, the issue reported by you depends on the hardware or installed software. It can be also related to the hard disk drivers.:unsure:
it's true. people with some knowledge use their PCs entirely different from average users
average users usually bloated with millions of unorganized icons on desktop and a long list of enabled startup items. Some have suspicious processes running in task manager
That's what I observed when repairing windows 10 PCs/laptops. Similar conditions
some PCs took 5 mins to boot into W10 login screen

an AV with caching mechanism will behave better in those PCs, but still slow due to too many background processes running
certainly, WD is a huge burden in these cases. Even repairing them is slow with WD on. I always disable WD to speed up the repairing process and it does make a huge huge difference
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I think that better caching would be an advantage for most users. But personally, I am not sure if I would like it. The problem with caching is that for many hours the cached files are not checked as thoroughly as the new files. That can have an impact on security. :unsure:
 

Local Host

I think that better caching would be an advantage for most users. But personally, I am not sure if I would like it. The problem with caching is that for many hours the cached files are not checked as thoroughly as the new files. That can have an impact on security. :unsure:
I believe it won't affect security, because if the files are changed the cache is ignored and the files are rescanned like new. If you're talking about network security, they tend to be monitored regardless of whether they are cached or not.

Of course it all depends on the implementation. Knowing Microsoft, they would do it poorly and half done for a few years before getting it right, and as I said before, since WD is only updated with Windows 10, features and fixes tend to be implemented extremely slowly (again, a problem that also plagued Microsoft Edge).
 

ncage

Level 3
Thread author
Verified
May 20, 2017
103
as soon as I opened task manager, I always saw WD trying to read/write something to HDD, heavily (dark orange color disk %). Average users are unable to notice it since WD is enabled by default and they use it since the beginning

Usually when I have seen the high CPU / high disk usage it hasn't been WD; instead it has been "Microsoft Compatibility Telemetry". I hate it too, because even if you lower telemetry to the lowest levels I've never been able to lessen its impact.

I think that better caching would be an advantage for most users. But personally, I am not sure if I would like it. The problem with caching is that for many hours the cached files are not checked as thoroughly as the new files. That can have an impact on security. :unsure:

And caching can lead to other problems like memory usage. I mean I would assume we are only caching hashes, but how long would the cache expiration policy be? Also, like you said, when does AV need to rescan a file? As you said, security could be lessened. A file scanned 5 minutes ago could now be identified as malware.

- Better behavioral blocker in default settings. I found it always sleeping in default settings, very reactive in tweaked settings, thanks to ConfigureDefender

When you say BB I assume you mean Block at first sight? If not, I wasn't aware that WD had any local BB functionality.

in this case, WD only functions as a signature scanner, no more. Cloud can't save it as I demonstrated in some of my tests
advanced features like block at first sight and smartscreen are intentionally bypassed
Any way to tweak this? If so which setting?
 

Dave Russo

Level 21
Verified
Top Poster
Well-known
May 26, 2014
1,041
It is the user's choice what security to choose to feel safe. The same is when someone prefers beer over wine. In most cases, the preferences are based on personal experience, which cannot be generalized.
It is OK that there is WD built into Windows, and it is OK that there are other AVs. Diversity of products is welcome.:giggle:
The WD fans should keep their fingers crossed to support 3-rd party AVs, which are probably responsible for improving WD (and vice versa). :emoji_pray:
Well written, no doubt competition brings out the best, 3rd party software fighting against a beast {monopoly in the making}. I admit, it's just fun trying different products. One day, I think as soon as the new Edge Browser is stable, I will go with Windows Defender and tweaks and be content.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
Most people around me want Windows to work as a toaster. They have absolutely no interest in tweaks or to pay for extra security. They want a very dependable toaster. Nothing to read or watch to make it run. Like an

This is the bottom-line truth.

The WD fans should keep their fingers crossed to support 3-rd party AVs, which are probably responsible for improving WD (and vice versa). :emoji_pray:

Also this. Variety is the spice of life! Now I'm off to another thread. :barefoot::barefoot::barefoot::emoji_popcorn::emoji_beer:
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I think that better caching would be an advantage for most users. But personally, I am not sure if I would like it. The problem with caching is that for many hours the cached files are not checked as thoroughly as the new files. That can have an impact on security. :unsure:
there is no problem with caching because most of the AVs cache something until a reboot or a signature update are triggered. Then, caches will be wiped and the file will be scanned again with new signatures. No point of re-scanning a file again and again with the exact same database because the result will be always negative
if I'm not mistaken, WD only uses cloud engine when a file is executed. Contextual scan (sure) or on-access (not sure) won't touch cloud engine, entirely offline
Usually when I have seen the high CPU / high disk usage it hasn't been WD; instead it has been "Microsoft Compatibility Telemetry". I hate it too, because even if you lower telemetry to the lowest levels I've never been able to lessen its impact.
we use our PCs differently from other users. WD is heavy on disk usage due to the lack of caching, which is crucial for lowering resource usage. If we have an SSD or we know how to use our PCs like an intermediate level user or above, the resource impact of WD will be hard to observe
And caching can lead to other problems like memory usage. I mean I would assume we are only caching hashes, but how long would the cache expiration policy be? Also, like you said, when does AV need to rescan a file? As you said, security could be lessened. A file scanned 5 minutes ago could now be identified as malware.
caching virtually never affects memory usage because as I know, a file after being scanned will generate a hash, which is stored in memory or a file in disk. hash = text, text consumes tiny space
after a signature update or a reboot, this cache will be wiped and the file will be re-scanned
I explained a bit more on my reply to Andy above
in 1 report, MS acknowledged this problem and they will include some types of caching into WD in a future version. Don't know when
When you say BB I assume you mean Block at first sight? If not, I wasn't aware that WD had any local BB functionality.
Block at first sight is not BB as I mentioned. BB is like other AV's behavioral blocker
block at first sight is like a cloud file rating/analysis system while BB is offline behavior analysis
Any way to tweak this? If so which setting?
you can download ConfigureDefender from Andy_ful and simply apply High settings
Note: WD will be a bit heavier after applying high settings but significantly more powerful, I mean really really more powerful
 
Last edited:
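A toy model of the verdict cache debated in the posts above (verdicts keyed by file hash, wiped when the signatures change), as an added example that is not part of the thread and not Defender's implementation. The sample byte strings, the two-version "signature database" and all function names are constructed for illustration.

```powershell
# Added example: toy verdict cache. All data below is constructed.
function Get-ContentHash([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return [BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

# Constructed sample "files": an installer, the same installer after tampering,
# and a sample that only signature version 2 knows about.
$benign  = [Text.Encoding]::ASCII.GetBytes('benign installer v1')
$patched = [Text.Encoding]::ASCII.GetBytes('benign installer v1 + injected stub')
$late    = [Text.Encoding]::ASCII.GetBytes('sample first flagged in signature v2')

# Signature version -> hashes flagged by that version (constructed).
$Signatures = @{
    1 = @(Get-ContentHash $patched)
    2 = @((Get-ContentHash $patched), (Get-ContentHash $late))
}

$State = @{ SigVersion = 0; Cache = @{}; Scans = 0 }

function Get-Verdict([byte[]]$Bytes, [int]$SigVersion) {
    # A signature update wipes every cached verdict, as described in the thread.
    if ($State.SigVersion -ne $SigVersion) {
        $State.Cache.Clear()
        $State.SigVersion = $SigVersion
    }
    # The key is the content hash, so a modified file never reuses an old verdict.
    $hash = Get-ContentHash $Bytes
    if ($State.Cache.ContainsKey($hash)) {
        return [pscustomobject]@{ Sig = $SigVersion; Verdict = $State.Cache[$hash]; Source = 'cache' }
    }
    $State.Scans++
    $verdict = if ($Signatures[$SigVersion] -contains $hash) { 'malicious' } else { 'clean' }
    $State.Cache[$hash] = $verdict
    [pscustomobject]@{ Sig = $SigVersion; Verdict = $verdict; Source = 'scan' }
}

# Walkthrough of the cases raised in the thread.
@(
    Get-Verdict $benign  1   # first look at a file
    Get-Verdict $benign  1   # unchanged file, same signatures
    Get-Verdict $patched 1   # same file after its content changed
    Get-Verdict $late    1   # sample the current signatures do not know
    Get-Verdict $late    1   # same sample again before any update
    Get-Verdict $late    2   # same sample after a signature update
) | Format-Table -AutoSize
"Full scans performed: $($State.Scans)"
```

Hashing still reads the whole file, so this models only the verdict logic, not the disk I/O that a real cache would have to avoid by other means.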

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
When you say BB I assume you mean Block at first sight? If not, I wasn't aware that WD had any local BB functionality.
It is not Block At First Sight. WD has a separate behavior monitoring feature. It is enabled by default and can be configured via PowerShell Set-MpPreference cmdlet:
Set-MpPreference -DisableBehaviorMonitoring 0   # behavior monitoring on (the default)
Set-MpPreference -DisableBehaviorMonitoring 1   # behavior monitoring off

Any way to tweak this? If so which setting?
Use ConfigureDefender or PowerShell.

...
if I'm not mistaken, WD only uses cloud engine when a file is executed. ...
I do not think so. It is on access and that is why the WD is so slow when opening the folder with many executables. I tested this some time ago with files generated by WD demo page for BAFS. I generated many such files with disabled WD and copied them to the pen drive. Next, I plugged the pen drive to another computer with WD and opened the folder with these files. Most of them were quickly recognized as malicious and deleted.
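A read-only way to see which of the features discussed in this thread are actually active on a machine, as an added example that is not part of the original posts. The function name is hypothetical; `Get-MpPreference` and `Get-MpComputerStatus` are the standard Defender cmdlets, and the properties other than `DisableBehaviorMonitoring` are not mentioned in the thread.

```powershell
# Added example (not from the thread): read-only report, it changes no settings.
function Get-DefenderFeatureReport {
    $pref   = Get-MpPreference       # configured policy
    $status = Get-MpComputerStatus   # what the engine reports as running

    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced.
    $cloudOn = [int]$pref.MAPSReporting -ne 0

    # CloudBlockLevel: 0 default, 1 moderate, 2 high, 4 high+, 6 zero tolerance.
    $levels = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'High+'; 6 = 'Zero tolerance' }
    $level  = [int]$pref.CloudBlockLevel
    $levelName = if ($levels.ContainsKey($level)) { $levels[$level] } else { "Unknown ($level)" }

    # Controlled Folder Access and Network Protection: 0 = off, 1 = block, 2 = audit.
    $modes = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }
    $mode  = { param($v) if ($modes.ContainsKey([int]$v)) { $modes[[int]$v] } else { "Other ($v)" } }

    @(
        [pscustomobject]@{ Feature = 'Real-time protection';     State = $status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Feature = 'On-access scanning';       State = $status.OnAccessProtectionEnabled }
        [pscustomobject]@{ Feature = 'Behavior monitoring';      State = $status.BehaviorMonitorEnabled }
        [pscustomobject]@{ Feature = 'Script scanning';          State = -not $pref.DisableScriptScanning }
        [pscustomobject]@{ Feature = 'Cloud protection (MAPS)';  State = $cloudOn }
        # Block at first sight depends on cloud protection, so its own switch is not enough.
        [pscustomobject]@{ Feature = 'Block at first sight';     State = $cloudOn -and -not $pref.DisableBlockAtFirstSeen }
        [pscustomobject]@{ Feature = 'Cloud block level';        State = $levelName }
        [pscustomobject]@{ Feature = 'Controlled folder access'; State = (& $mode $pref.EnableControlledFolderAccess) }
        [pscustomobject]@{ Feature = 'Network protection';       State = (& $mode $pref.EnableNetworkProtection) }
        [pscustomobject]@{ Feature = 'Signature version';        State = $status.AntivirusSignatureVersion }
        [pscustomobject]@{ Feature = 'Signatures last updated';  State = $status.AntivirusSignatureLastUpdated }
    )
}

Get-DefenderFeatureReport | Format-Table -AutoSize
```

Running it before and after a ConfigureDefender profile or a `Set-MpPreference` change shows exactly which settings moved.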
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I do not think so. It is on access and that is why the WD is so slow when opening the folder with many executables. I tested this some time ago with files generated by WD demo page for BAFS. I generated many such files with disabled WD and copied them to the pen drive. Next, I plugged the pen drive to another computer with WD and opened the folder with these files. Most of them were quickly recognized as malicious and deleted.
I don't think it's a correct test in this case
I think this is better: use TCPview, open a folder full of safe files, and look for new connections from WD processes
during my test of WD long ago, context scan didn't generate any new connection while executing did
I have tried on-access yet
I remember WD did block something when I opened the folder of malwares after being scanned
WD had poor detection rate with contextual scan, <5 over 20 malwares tested but on execution, it immediately blocked most of them with cloud
the context scan was turbo fast so I do think it didn't check anything with cloud
emsisoft is the same, no cloud on contextual scan
kaspersky, avast, norton do have a noticeable pause on contextual scan when they scan a malware. Very fast for safe file. They clearly note the cloud message in the detection (UDS in KIS, filerepmalware in avast)
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
WD will be a perfect AV if:
1. MS adds caching mechanism to WD => no more re-scanning of a file in 1 logon

2. Add an option to include BAFS (or smartscreen) in all conditions regardless of file origin => better hybrid default-deny

3 More stable web filter. Sometimes works, sometimes doesn't

4 Better/more usable folder/ransomware protection

1. In older (win7) version of WD the Microsoft signed executables were treated differently, e.g. startup of internet explorer caused lower peak of WD than a program startup of Chrome, so M$ cheats a little. In our nearly Microsoft only software PC's at home even a weak Z3750 CPU feels crispy with WD (faster than most premium third-party AV's).

2. Valid point, I have disabled execution from other sources (except SSD) through registry and ACL tweaks, so only way executables can end up on my disks are through internet.

3. Agree, when you refer to Network Protection - Windows Defender Testground. In the past it seemed to be iffy: sometimes it works, sometimes it does not. With latest Edge Chromium BETA it seems to work well (it also suffered on-off behaviour in first DEV-builds).

4. I had to allow only one non-M$ program for folder protection on one of our three PC's, so what is wrong with it?

On all three PC's (ASUS Transformer Atom Z3740 - 2GB, Yoga 520 Pentium 4415U - 4GB and Desktop i720 - 6 GB) Hard Configurator and Configure Defender do the heavy lifting in terms of security. Only on my Desktop I also run OS_Armor with only my block and exception rules enabled (that is block all from user space, allow Microsoft signed in all user folders and FileZilla plus SyncBack Free to run from Temp folder for updates). On all our PC's WD is set to block (cloud protection) :). Using mostly M$ software this works fine.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
4. I had to allow only one non-M$ program for folder protection on three PC's, so what is wrong with it?
according to my past experience, it caused some problems with my VM
shortcut icons were all missing and I was not able to interact freely with the folder
I don't know about the situation now because I have never turned it on since I identified the problem caused by ransomware protection
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I don't think it's a correct test in this case
I think this is better: use TCPview, open a folder full of safe files, and look for new connections from WD processes
...
This is not the correct test. WD connects with the cloud when the detection based on local machine learning algorithms has recognized the file as suspicious. So, most safe files will not be checked against the cloud.
I did the test when opening the folders with malware files and TCPview. In many cases (it can take several seconds), I could see the increasing number of packets sent by MsMpEng.exe to Remote Address 137.117.144.39 (Microsoft servers). Checking the folder can take several seconds per file (about 15 sec./file in my case).
If I did not open anything, the MsMpEng.exe simply disappeared from the TCPview after some time.
My conclusion is that WD on access detection is based on the local resources supported by cloud (if needed).
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Any way to tweak this? If so which setting?
Someone made the exaggerated claim that Windows Defender at default settings has only definition checking. This is a mistake. At default settings it has behavior monitoring and script scanning and more. These functions may not be as robust as in certain other AVs, but they do exist. Those who want more aggressive protection from Windows Defender can use ConfigureDefender to enable additional mitigations and higher levels of protection. While ConfigureDefender may not be appropriate for those who think that their computer is a toaster, it is quite appropriate for anyone participating in this discussion.
 
