Why Windows Defender may be one of the best AVs but it seems it isn't?

Winter Soldier

Level 25
Thread author
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Hello

We know that WD offers basic protection, but Microsoft has money, know-how, thousands of good programmers, and who knows Windows internals better than them?
But it seems WD can't compete with top-rated products such as Kaspersky, Emsisoft, etc.
Considering that it is certainly not a technical problem, what could be the reason: marketing agreements with AV vendors, or something else?
 

Bryan Lam

Level 3
Verified
Well-known
Apr 19, 2015
130
Microsoft's main focus isn't Windows. They've got an expanding variety of physical products such as the Surface and such. Windows Defender keeps away malware, and that's what it was designed to do. It comes with Windows and is free for life.

Windows 10 – Windows Defender - Microsoft

  • Virus protection and removal
  • Malware protection and removal
  • Spyware detection and removal
  • Boot-time protection
  • Real-time protection
  • Cloud-based protection
  • Network inspection
  • FREE automatic updates*

The above is what is available in Windows Defender.

Sure, it's not as good as competitors, but here's the main issue that arises again and again. Most of your average home users have no idea what malware even is, and the most typical type people get infected with (adware) can be easily removed with Windows Defender.

Also, Windows is seriously slow enough already xD
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,347
A good antivirus will have a ##### load of work to do, and it will give 0 profit to MS considering WD is free. So from a financial standpoint it only makes sense to provide basic security that will give users the fewest issues and alerts humanly possible.

If users put UAC at max (or MS patches the exploits for normal-level UAC), have SmartScreen on, don't allow anything they don't understand why it is running at that moment, and finally download stuff from safe locations, 95% of users will never get infected.
 

Nheo_Linkin

Level 1
Verified
Feb 19, 2017
44
Interesting Q. Sometimes I just wonder who understands Windows the best: Microsoft or AV vendors?
And why can AV vendors build a shield to analyze any activity to protect Windows (behavior shield) but Microsoft cannot? All they have is just poor signatures and now the cloud-based stuff, which is ofc useless without an internet connection (just like Mrs. Cortana).
 

Deleted member 178

Interesting Q. Sometimes I just wonder who understands Windows the best: Microsoft or AV vendors?
And why can AV vendors build a shield to analyze any activity to protect Windows (behavior shield) but Microsoft cannot?

They can, and they will for Win10 Enterprise. Also, if they did what you said, people (and 3rd-party vendors) would start whining and complaining; look at UAC when it was released in Vista (people were crybabies), look at WD when it was introduced in Win8 (vendors were crybabies).

All they have is just poor signatures and now the cloud-based stuff, which is ofc useless without an internet connection (just like Mrs. Cortana).

Use Win8/10 with SmartScreen and you will see the difference. WD is part of the native security of Windows (it complements and is complemented by the rest); it is not supposed to be used alone.


Windows Defender is the most stable AV; none can compare with it, and stability is the most important aspect an AV should have. An AV breaking my system is not better than malware.
 

Jake Miguel

Level 3
Verified
Well-known
Nov 14, 2016
134
Open-platform OSes depend upon third-party protection. Android and Windows are examples. Windows Defender offers basic protection against viruses/malware/spyware etc., and the same goes for Android.

If you’re following common sense and other good security practices, Windows Defender may be fine, depending on your risk tolerance. However, if you’re regularly downloading pirated applications or engaging in other high-risk behaviors, you may want to skip Windows Defender and get something that does better against the collection of obscure malware samples used to test antivirus software.
Read it from HowtoGeek on Windows 10 WD protection.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
My theory.

If Microsoft dominated the antivirus (security) sector for Windows 10, then the other vendors would complain to the European Commission about it being unfair.

If you owned a business in this sector, you would find and market ways to make sure your product and services were better than stock Windows 10 security.

Kaspersky already made their view clear:
Kaspersky Accuses Microsoft of Playing Dirty with Antivirus Apps in Windows 10 - Updated
Russia Starts Microsoft Antivirus Investigation After Kaspersky Complaint

There's a paragraph under, Why Microsoft Still Struggles.
Tested: Microsoft’s Windows Defender antivirus is less awful than it used to be

Every Windows system with Windows Update gets MSRT to scan for prevalent malicious software, usually once a month.
What is the Malicious Software Removal Tool and Do I Need It?

In all seriousness, Windows Defender will not be the best of its category. Period. That's why you hear "Windows 10's Defender is crap". Internet vs. reality, it's your call. Competition.
 

Nheo_Linkin

Level 1
Verified
Feb 19, 2017
44
They can, and they will for Windows 10 Enterprise. Also, if they did what you said, people (and 3rd-party vendors) would start whining and complaining; look at UAC when it was released in Vista (people were crybabies), look at WD when it was introduced in Windows 8 (vendors were crybabies).
I hope so.

Use Windows 8/10 with SmartScreen and you will see the difference. WD is part of the native security of Windows (it complements and is complemented by the rest); it is not supposed to be used alone.
SmartScreen's enabled all the time for me. But how does it protect me?
First, SmartScreen just detects unrecognized apps but doesn't know whether they are safe or not.
Second, SmartScreen's web protection and downloaded-file scanning only apply to Microsoft Edge, while I'm using Chrome mostly.
 

ozone

Level 3
Verified
Jan 17, 2017
97
SmartScreen's enabled all the time for me. But how does it protect me?
First, SmartScreen just detects unrecognized apps but doesn't know whether they are safe or not.
Second, SmartScreen's web protection and downloaded-file scanning only apply to Microsoft Edge, while I'm using Chrome mostly.

SmartScreen detects more:
if there is no message, then the file should be safe;
if there is a message, then the file is unknown or malicious.

SmartScreen can only warn you, but the decision is yours;
if that unknown file is malicious, then it is the AV's job to detect it.

And as @Spawn said, you can use Google Safe Browsing; you can enable it in settings.
 

Nheo_Linkin

Level 1
Verified
Feb 19, 2017
44
SmartScreen detects more:
if there is no message, then the file should be safe;
if there is a message, then the file is unknown or malicious.

SmartScreen can only warn you, but the decision is yours;
if that unknown file is malicious, then it is the AV's job to detect it.
Yes, just as I said, SmartScreen cannot tell us whether the file is safe or not, but that's WD's job.
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
I hope so.


SmartScreen's enabled all the time for me. But how does it protect me?
First, SmartScreen just detects unrecognized apps but doesn't know whether they are safe or not.
Second, SmartScreen's web protection and downloaded-file scanning only apply to Microsoft Edge, while I'm using Chrome mostly.
Microsoft is ubiquitous. They probably have the largest database, so their whitelist is vast. You can probably already say that the unknown file is unsafe.
 

Deleted member 178

SmartScreen's enabled all the time for me. But how does it protect me? SmartScreen's web protection and downloaded-file scanning only apply to Microsoft Edge, while I'm using Chrome mostly.

On Win10, SmartScreen tags any download (Chrome, IE, Edge, etc.) with the "mark of the web"; then the file is compared to a whitelist, and a prompt is delivered to the user if the file is unknown or suspicious.

Q&A - What is Smartscreen? (Windows 8/10)

Microsoft is ubiquitous. They probably have the largest database, so their whitelist is vast. You can probably already say that the unknown file is unsafe.

Or the file lacks a valid certificate, so it is potentially unsafe.
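The "mark of the web" mentioned above is an NTFS alternate data stream named Zone.Identifier that Windows writes to downloaded files; the script below, an added example and not code from this thread, lists which files in a folder carry it and which zone they came from. It assumes Windows PowerShell on Windows 10 and a folder path you supply (the Downloads path at the bottom is just a placeholder).

```powershell
# Added example: inspect the Zone.Identifier stream ("mark of the web") on files.
# Assumption: run on Windows 10 with Windows PowerShell; the folder is a placeholder.

function Get-MarkOfTheWeb {
    param(
        [Parameter(Mandatory)]
        [string]$Folder
    )

    # ZoneId values follow the Internet Explorer security zones.
    $zoneNames = @{
        0 = 'Local machine'
        1 = 'Local intranet'
        2 = 'Trusted sites'
        3 = 'Internet'
        4 = 'Restricted sites'
    }

    Get-ChildItem -Path $Folder -File | ForEach-Object {
        $file = $_
        # -Stream reads the named NTFS stream; files without one are skipped silently.
        $stream = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $stream) { return }

        # The stream is INI-style text:
        #   [ZoneTransfer]
        #   ZoneId=3
        #   ReferrerUrl=https://example.invalid/
        #   HostUrl=https://example.invalid/file.exe
        $fields = @{}
        foreach ($line in $stream) {
            if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        $zoneId = [int]$fields['ZoneId']

        [pscustomobject]@{
            File        = $file.Name
            ZoneId      = $zoneId
            Zone        = $zoneNames[$zoneId]
            HostUrl     = $fields['HostUrl']
            ReferrerUrl = $fields['ReferrerUrl']
        }
    }
}

# Files tagged with ZoneId 3 (Internet) are the ones SmartScreen evaluates when opened.
Get-MarkOfTheWeb -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

A file that shows up without a Zone.Identifier stream was either not downloaded through a browser that applies the tag or has had the stream stripped (for example by the "Unblock" button in the file's properties), so SmartScreen will not prompt for it.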
 

Wave

We know that WD offers a basic protection, but Microsoft has money, know-how, thousands of good programmers and who better of them knows Windows internals.
Believe it or not, this is not entirely true. Yes, Microsoft do have money and yes they do have thousands of good programmers, but I can guarantee you now that the people behind Windows Defender are most likely not the same ones who are doing work on the actual Windows OS Kernel (which is where all the Windows Internals will come into play).

The most powerful thing I have seen Windows Defender do is protect its processes from kernel-mode, and they also utilize kernel-mode for some other things, such as monitoring the file system for file write attempts, etc... But that doesn't mean the programmers there are familiar with Windows internals like some employees from other vendors who literally spend all their time reverse engineering and studying it.

I bet most of the programmers there are only familiar with Win32 API (user-mode), and then they probably have a small percentage of developers with a kernel-mode development skill-set... They also probably use freelance hire, who knows.

I mean I could be wrong, who knows? But I highly doubt that even a majority of the WD team will be sophisticated with the Windows Internals, the people who will have experience in that will be the ones behind the kernel development, or the user-mode NTDLL wrapper, etc. Then again, they probably all work together... I am not sure as I do not work there, but maybe I should.

By considering that certainly it is not a technical problem, which could be the reason, marketing agreements with AV vendors, or what else?
It would cause too many problems. Beginner users don't want alerts telling them that a process is attempting to inject into another, etc... They aren't used to this. They wouldn't understand how to respond to the alerts properly, especially in the case of a false positive.

People who change to products like Emsisoft usually know a bit about what to expect and what they are doing; others stick to install-and-forget products like Avast, AVG and Bitdefender, where it'll auto-block newly detected threats without the user needing to have experience with BB/HIPS, sandboxing and such.

Not to mention that if they implemented such functionality, there would be an increase in performance reduction.

But it seems WD can't compete with top rated products such as Kaspersky, Emsisoft, etc.
They can definitely compete with other "top rated products such as Kaspersky, Emsisoft, etc.". The problem is the expectations; in reality Windows Defender is more than enough for primary protection alongside User Account Control and SmartScreen (all built-in to Windows 10) as long as you are careful and make good choices. Then again, even with the other vendors' products which have all these fancy dynamic protection components, you'll become infected regardless if you are not careful and make good choices... Mathematics is all worked out there. ;)

If you are a user who needs a sandbox/virtualization, Behavior Blocker/Host Intrusion Prevention System, etc... Then go for another vendor, feel free. However Windows Defender is pretty good for simple protection, which is all that is really needed with the other built-in protection components and a bit of brain.exe. :)

Just my 2 cents/personal views, take it or leave it.
 

Winter Soldier

Level 25
Thread author
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Thanks, I think your objective observation is supported from my point of view; couldn't agree more! :)
 

509322

Windows Defender's performance isn't that great. In testing, it varies from about 50% to 90%. It needs to be supplemented. Software Restriction Policy fortifies Windows Defender quite a bit.
 