App Review Windows Defender Hardening test vs Malware


cruelsister

A Word of Warning concerning this video- please note that at 7:53 the author essentially blows off the warning box. This should have been taken more seriously as this was an indication of what most assuredly was the persistence mechanism of a worm; although the worm itself was apparently deleted (by a definition) the persistence mechanism was not stopped. The issue here would be that if that worm was recoded a bit to make it a zero day (easy, easy), the full infection would have been apparent.

Additionally, running second opinion scans with HMP and NBE proves nothing about the health of the system as both are totally oblivious to many Scriptor infections (including worms).

KVRT really is the best for checking for persistent infections and really should have been used to verify what actually occurred.
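The point above is that a definition-based deletion can remove the worm's file while its autostart entry survives. The following PowerShell script is an added example (not from the video, KVRT, or any poster) that enumerates the standard Windows autostart locations so an analyst can verify nothing is left behind; the flagging pattern at the end is an assumption about what typically deserves review.

```powershell
# Added example: enumerate common autostart locations so a post-cleanup check
# does not rely on one scanner's verdict. Run from an elevated PowerShell prompt.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Entry($Source, $Name, $Value) {
    $results.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
}

# 1. Run / RunOnce keys for the machine and the current user
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { Add-Entry $key $p.Name $p.Value }   # skip PS* metadata
        }
    }
}

# 2. Startup folders (per-user and all-users)
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry 'StartupFolder' $_.Name $_.FullName }
}

# 3. Scheduled tasks (every exec action is listed; the filter below decides what to flag)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Entry "Task:$($task.TaskPath)$($task.TaskName)" $a.Execute $a.Arguments }
    }
}

# 4. WMI permanent event subscriptions (fileless persistence that file scans miss)
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Entry 'WMI:CommandLineEventConsumer' $_.Name $_.CommandLineTemplate }

# Flag entries that launch a script host or point into a user-writable path;
# this pattern is an assumption about the usual shape of script-based persistence.
$pattern = 'wscript|cscript|mshta|powershell|\.vbs|\.js|\.ps1|\.bat|\\AppData\\|\\Temp\\|\\Users\\Public\\'
$suspicious = @($results | Where-Object { "$($_.Name) $($_.Value)" -match $pattern })

$results | Format-Table -AutoSize
"`n$($suspicious.Count) entries worth a closer look:"
$suspicious | Format-Table -AutoSize
```

Compare the flagged entries against what the scanner reported as removed; an entry that still points at a deleted script is exactly the leftover the post describes.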
 

blackice

Generally I think that the web protection module is the most important line of defence of AV software; this is the first line which faces malware attacks, which generally are phishing attacks/malicious mails/social engineering in corporate/enterprise environments.
In a real scenario all protection modules are active and try to prevent the malware; it is not pushed to the machine and then discovered.
Yes, this occurs after failure of all web protection; then signature/heuristic/behavior detection comes after that as a second line to prevent the infection.
This is where WD can be an issue since it works great with smartscreen if you use Edge, but most people use chrome, probably why they made their browser protection extension just for Chrome. This is probably why ESET and Bitdefender work as solutions for a lot of people, because they have superb web filtering, even though they aren’t the best in other areas.
 

blackice

A Word of Warning concerning this video- please note that at 7:53 the author essentially blows off the warning box. This should have been taken more seriously as this was an indication of what most assuredly was the persistence mechanism of a worm; although the worm itself was apparently deleted (by a definition) the persistence mechanism was not stopped. The issue here would be that if that worm was recoded a bit to make it a zero day (easy, easy), the full infection would have been apparent.

Additionally, running second opinion scans with HMP and NBE proves nothing about the health of the system as both are totally oblivious to many Scriptor infections (including worms).

KVRT really is the best for checking for persistent infections and really should have been used to verify what actually occurred.
He generally approaches tests assuming that a user would just click through anything they see. He always ignores UAC prompts and assumes users will make bad decisions. I don’t know if I agree with that approach, but it’s his thing.
 

Chuck57

I stopped watching Leo long ago, for the very reason that he assumes too much. People are click happy, and some panic when a warning pops up and they'll click it without thinking. But a good tester would also warn the viewer that random clicking is not wise. Maybe add something showing what happens if you do not click. If it prevents the infection, that's the lesson. The video wouldn't be as exciting if nothing happens, but is he doing it to show a software's ability, or for dramatic effect?
 

DDE_Server

This is where WD can be an issue since it works great with smartscreen if you use Edge, but most people use chrome, probably why they made their browser protection extension just for Chrome. This is probably why ESET and Bitdefender work as solutions for a lot of people, because they have superb web filtering, even though they aren’t the best in other areas.
Agree completely with that, and I am one of those people. Most infections today come from web/social engineering attacks/phishing websites/planting botnets etc.
If you could stop this at an earlier stage (web protection) you would not heavily depend on the other modules (real-time protection).

He generally approaches tests assuming that a user would just click through anything they see. He always ignores UAC prompts and assumes users will make bad decisions. I don’t know if I agree with that approach, but it’s his thing.
That is what I am not convinced of. Yes, a worst case scenario is required, but the assumption that all factors to bypass any protection mechanism are valid is not a realistic scenario for me. If you want to test, then test each module separately and then make an overall score. That is why I like computer solution tests more than this.
 

fabiobr

Generally I think that the web protection module is the most important line of defence of AV software; this is the first line which faces malware attacks, which generally are phishing attacks/malicious mails/social engineering in corporate/enterprise environments.
In a real scenario all protection modules are active and try to prevent the malware; it is not pushed to the machine and then discovered.
Yes, this occurs after failure of all web protection; then signature/heuristic/behavior detection comes after that as a second line to prevent the infection.
And some behavior blockers score files based on where they came from; if a file was downloaded from a malicious site then the score is higher.

Disabling modules is old mentality when AVs only had one defense layer.

That is why I like computer solution tests more than this.
I like them too, but it would be better if they spoke.
 

DDE_Server

One has to make the assumption that a user is going to do all the stuff that will get them into trouble. Only that way can the protection be appropriately measured.
Yes, you are right to test for non-experienced users and expect worst case scenarios from them, but those users also do not have sufficient knowledge to disable all real-time protection, especially in WD, which is considered hard to tune, with a non-intuitive user interface (some parameters are also configured only using the Group Policy editor). That is not realistic at all.
Also consider that in most cases those people use more automated/user-friendly solutions which remove malware, and users always trust them blindly and remove the threat, which is the natural reaction when any AV finds a threat (except in some cases where the user may trust the malicious file, such as a crack, and follow the instructions to disable real-time protection although the AV tells the user there is a virus; that user should be punished by the infection 😂😂).
 

Vitali Ortzi

Yes, you are right to test for non-experienced users and expect worst case scenarios from them, but those users also do not have sufficient knowledge to disable all real-time protection, especially in WD, which is considered hard to tune, with a non-intuitive user interface (some parameters are also configured only using the Group Policy editor). That is not realistic at all.
Also consider that in most cases those people use more automated/user-friendly solutions which remove malware, and users always trust them blindly and remove the threat, which is the natural reaction when any AV finds a threat (except in some cases where the user may trust the malicious file, such as a crack, and follow the instructions to disable real-time protection although the AV tells the user there is a virus; that user should be punished by the infection 😂😂).
Users who use cracks can be very annoying. Best case scenario, you can take a whole day of your life trying to educate them why it's not moral.
Worst case, you gotta accept it, teach them how to get clean ones and set as good as possible and low false positive a config as you can, as they can always change to sites which have malware in them!
 

DDE_Server

Microsoft and software publishers just need to disable pirated software. They most surely can put an end to Windows, Office and other cracks. And stop charging higher prices like in Europe so what we pay subsidizes Microsoft for all the software thievery that it allows.
It isn't something easy.
Please note cracks also push users to use Windows, which benefits Microsoft: huge data telemetry and huge market share against free Windows alternatives such as Linux. Also, even if they have malware, they will make the consumer purchase an AV which partners with Microsoft, or they will use WD, which will feed its cloud with new viruses.
 

DDE_Server

Microsoft can easily do it and no there would not be a mad rush to adopt Linux. What would happen is people would actually start paying for Windows, Office and other products at cost-reduced prices for those markets.
I don't defend piracy in any way, but I think this is deliberately permitted by Microsoft as a tactic.
And no, Linux is becoming more and more widespread, especially in enterprises (such as Red Hat) and servers (such as Ubuntu Server edition); it is more customizable, safe and has more features. See for example the Canonical Livepatch Service, which makes systems reliable, especially servers, by increasing their uptime while updating the kernel without any process disruption. Please pay attention: most paying Microsoft customers are enterprise and business, which have good revenue to compensate the losses from cracked OS/Office used by home users, so increasing the licence prices for home users is not the only way they compensate their losses for cracked versions (or it would lose many customers if this were its strategy).
You think that Microsoft couldn't make their OS more protected?? One simple method: it could force you to activate only through a Microsoft account or your MAC address, or some means using your hardware fingerprint, as many AVs such as Norton prevent cracking of their software using this method.
 

Local Host

I don't defend piracy in any way, but I think this is deliberately permitted by Microsoft as a tactic.
And no, Linux is becoming more and more widespread, especially in enterprises (such as Red Hat) and servers (such as Ubuntu Server edition); it is more customizable, safe and has more features. See for example the Canonical Livepatch Service, which makes systems reliable, especially servers, by increasing their uptime while updating the kernel without any process disruption. Please pay attention: most paying Microsoft customers are enterprise and business, which have good revenue to compensate the losses from cracked OS/Office used by home users, so increasing the licence prices for home users is not the only way they compensate their losses for cracked versions (or it would lose many customers if this were its strategy).
You think that Microsoft couldn't make their OS more protected?? One simple method: it could force you to activate only through a Microsoft account or your MAC address, or some means using your hardware fingerprint, as many AVs such as Norton prevent cracking of their software using this method.
Microsoft couldn't care less about Windows piracy; they are not even focusing on Windows anymore but on services and apps.

Not to mention the majority of their income comes from enterprise, which is the only place Microsoft takes action when it sees pirated activations in bulk.
 

DDE_Server

Every home user that buys a new Windows PC pays $50 to $100 for the OEM installed Windows image. Plus, if they want to upgrade from Home to Pro, it is a 75 Euro upgrade if they buy a completely legit license.

Microsoft already ties the Windows image to the hard drive serial # and MAC address among other things. So that is irrelevant. Microsoft still allows illegal Windows licenses to be used. And it compensates for the piracy losses by raising the prices of Windows in rich countries like in Europe. So I have to pay higher prices because Microsoft wants to allow piracy in its own interests. Now, I don't know about anyone else, but that sure is considered ripping people off where I live.

Most of the Windows piracy is done by home users who will not switch to Linux. Basically all of India, SE Asia, China, all of Africa, most of South America, all those geographic areas the home users use cracked software.

What Microsoft does is wrong. We have to pay much higher prices because it allows piracy. We pay higher prices to compensate for the losses that Microsoft creates. I should not have to pay higher prices because of what Microsoft allows. Most people would agree that Microsoft has ripped users off in this regard.
Then they should provide a good price according to each country's situation. Some AVs do that; their AV licence's price depends on the region.
 

Fuzzy_Bunny

Let me put it another way. In Ireland, Microsoft can and does sue businesses for using illegal Windows licenses, Office piracy, Visual Studio subscription license scams, illegal eBay listings. Yet Microsoft would never do the same in a country like India, China, Argentina or South Africa.

You can't use illegal software for business purposes. Period.
Not only would Microsoft go after you, but the government would too (taxes).
For personal purposes MS doesn't care what you do. I asked their support if I can buy a serial number on eBay and they said yes, as long as the key is accepted by the server.
I bought over 10 keys on eBay and all have worked fine for years now.
 

fabiobr

Microsoft couldn't care less about Windows piracy; they are not even focusing on Windows anymore but on services and apps.

Not to mention the majority of their income comes from enterprise, which is the only place Microsoft takes action when it sees pirated activations in bulk.
A Rio de Janeiro private university had to sell their headquarters and went bankrupt because Microsoft caught them with pirated Windows and took them to court; they had to pay a fine of millions.

A former employee made the complaint to Microsoft.
 

fabiobr

You can't use illegal software for business purposes. Period.
Not only would Microsoft go after you, but the government would too (taxes).
For personal purposes MS doesn't care what you do. I asked their support if I can buy a serial number on eBay and they said yes, as long as the key is accepted by the server.
I bought over 10 keys on eBay and all have worked fine for years now.
Same for Adobe Software.

Microsoft makes paying customers pay higher prices to subsidize all the losses that Microsoft allows through piracy.
That's true too.
 
May 14, 2020
62
I do not know why, but I have the same opinion.
Me too, today I hardened Windows Defender like Leo did in the video and went to amtso.org to test if it was working, Defender detected all of them, but repeatedly failed to remove one of the EICAR test samples, I just don't feel protected with Defender as a standalone, not to mention that the Windows Security application itself is very buggy with the "Start Actions" button doing nothing in most scenarios.
 

oldschool

I hardened Windows Defender like Leo did in the video
I just don't feel protected with Defender as a standalone,

Leo is one of the last people I would trust for info on Windows Defender. He regularly bashes it in his videos and clearly doesn't understand how it works or how to test it. See his Windows Defender Sandbox test as a prime example. :LOL::LOL::LOL: He makes his living producing clickbait and scaremongering. Millions of people use it and stay secure. Respected forums like Bleeping Computer, Ten Forums and many MalwareTips members recommend using Windows Defender.

ConfigureDefender will allow you to easily configure its advanced settings and add ASR rules to thoroughly harden WD. You are perfectly safe with it if you practice safe online habits.

Everyone should use the AV or other security that suits them, but please make your decision an informed one. If you feel you need more protection you may use OSArmor, VoodooShield or other OS hardening. Finally, remember that there is a certain amount of paranoia on security forums. My motto is "Stay safe, not paranoid!" (y)(y)
 
May 14, 2020
62
Leo is one of the last people I would trust for info on Windows Defender. He regularly bashes it in his videos and clearly doesn't understand how it works or how to test it. See his Windows Defender Sandbox test as a prime example.
Yes, Leo tends to bash Windows Defender even if it's doing a good job like in the video, however, one thing is that like I mentioned in my original post, I feel that the Windows Security application is very buggy and has lots of room for improvement.
 
