App Review Windows Defender (Buffed with Defender UI) vs Malware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Lemmy IT
Thanks for sharing the video! It's interesting to see the Recommended profile of Defender UI in action, though more restrictive profiles might have changed the results.

Personally, I’ve always leaned towards Hard_Configurator by Andy Ful, and it would be great to see a head-to-head comparison between the two in community tests. If user-friendliness is the main goal, Defender UI seems like a solid choice, though that's just my impression since I haven't used it myself.

Regardless, the video is a very useful contribution for comparing these different security approaches. 🛡️⚖️💻
 
You mean compare DefenderUI with ConfigureDefender, because comparing DUI to Hard_Configurator seems like apples and oranges...?? :unsure:
 
You’re right that, although all these tools are related to security, their nature is not the same and it wouldn’t be fair to put them on the same level. Even so, I think it would be interesting to try out the settings each one offers and see the results in different scenarios. That might help both more advanced users and those who are less experienced. My way of expressing myself earlier probably wasn’t broad enough to make my point clear, but what I wanted to convey was precisely that curiosity to see how they perform in practice. 🔍🛡️👍
 
Not a single notification by ASR rules; Defender UI's only contribution was cloud block level.
I'm not an expert, but I believe that most ASR rules are relevant in infection chains or when malware exploits programs or services, except for script rules. In such tests, you might not observe much interception or protection. I'd at least enable the "Block executables..." rule if I'm looking to strengthen Microsoft Defender without hardening SRP/LOLBins.

Hard_Configurator includes SRP and other security measures and is significantly more powerful than DefenderUI and ConfigureDefender. DUI and CD are both tools designed to strengthen Microsoft Defender, applying similar hardening techniques. For instance, the settings labeled DUI Recommended and CD High (Recommended) implement the same level of hardening.
 
I'd at least enable the "Block executables.
Never encountered a single block by such a rule in any of the videos for tests using ASR rules; only in real-life it can block the installers of PeaZip and Media Player Classic 😂 when a new version is released, to be allowed later after days or weeks.

I can feel that this specific rule is exactly the SmartScreen but for files even without mark of the web.
 
That is because this rule is inactive in almost all tests. :)
I have a similar experience with blocking benign applications, but the reasons are different compared to SmartScreen.
For benign application installers, the overall rate of false positives is similar. However, the ASR rule can produce more false positives for fresh updaters and no false positives for those older than one day.
In the case of malware, the difference is dramatic. SmartScreen cannot block payloads, and this ASR rule can block almost all fresh payloads.
 
Unfortunately, most testers of MD do not enable ASR rules, but I can recall a test by @Shadowra for MD with ConfigureDefender rules applied, with no notifications regarding ASR rule blocks; all by MD.

My explanation is MD has improved to the extent it carries the heavy lift with almost nothing left for ASR rules.
 
It is true in tests with a small number of samples (like this one). In Real-World tests, MD on default settings can usually miss 0-3 samples per 300 total samples.
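
The thread turns on whether ASR rules were active during a test and whether any of them fired. The PowerShell below is an added example (not from any poster, nor from DefenderUI or ConfigureDefender) that lists each configured ASR rule with its action and counts the block/audit events logged for it. It assumes an elevated session on a Windows machine running Microsoft Defender; the function names and the 7-day window are illustrative.

```powershell
# Added example. Maps the numeric ASR action values to readable names.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Rule GUIDs and their actions come back as two parallel arrays.
    $pref = Get-MpPreference
    if (-not $pref.AttackSurfaceReductionRules_Ids) { return }
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$acts[$i]
        $name = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        [pscustomobject]@{ RuleId = ([string]$ids[$i]).ToLower(); Action = $name }
    }
}

function Get-AsrEvent {
    param([int]$Days = 7)
    # Event 1121 = a rule fired in block mode, 1122 = a rule fired in audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as zero events.
    $found = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $found) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        # The rule GUID is carried in the event data field named "ID".
        $id = ($data | Where-Object { $_.Name -eq 'ID' }).'#text'
        [pscustomobject]@{
            RuleId = ([string]$id).ToLower()
            Mode   = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        }
    }
}

$state  = @(Get-AsrRuleState)
$events = @(Get-AsrEvent -Days 7)
if ($state.Count -eq 0) { 'No ASR rules are configured on this machine.' }
foreach ($rule in $state) {
    $hits = @($events | Where-Object { $_.RuleId -eq $rule.RuleId }).Count
    '{0}  {1,-10}  events in last 7 days: {2}' -f $rule.RuleId, $rule.Action, $hits
}
```

A rule shown as `Block` with zero events was active but never triggered by the samples; an empty rule list means the test ran without ASR rules at all.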