Hot Take Windows Defender is very silly and I am flabbergasted.

I think in the OP, the author was complaining about users' control over MD — i.e., turning the protection off doesn't mean it's always off. I think it's generally true that MS doesn't make it easy for general computer users (without help) to turn MD off, and in this case the expert failed to turn it off permanently as well.

I had a user who actually quit, permanently, installing pirated MS Office products (which likely contained serious malware) because MD got in the way at every step without them being able to disable it. Haha, no (easy) control, but worked as intended!
 
turning the protection off doesn't mean it's always off.
True; even if I turn off tamper protection, real-time protection, once turned off, turns itself back on after a while or after a reboot.
I had a user who actually quit, permanently, installing pirated MS Office products (which likely contained serious malware) because MD got in the way at every step without them being able to disable it.
Only novice users do so.
 
Defender flagging its own YARA rules is a notorious false-positive trap. YARA rules literally contain the exact strings, hex patterns, and byte sequences of the malware they are designed to catch. If those rules are sitting as raw, unencrypted text files on a C: drive, Defender's real-time protection will absolutely scan them, see the malicious strings, and nuke its own signatures.

The author’s operational security practices strongly suggest an amateur rather than a seasoned researcher. The most glaring red flag is the maintenance of a multi-terabyte malware zoo on a daily-driver host OS where the native antivirus can unexpectedly re-enable itself. Standard industry practice dictates that active analysis be strictly confined to an isolated, air-gapped virtual environment, not a primary machine used for casual web browsing such as YouTube.
 
Defender flagging its own YARA rules is a notorious false-positive trap. YARA rules literally contain the exact strings, hex patterns, and byte sequences of the malware they are designed to catch.
I did have MD detecting a "severe trojan" in one of these strings from a VirusTotal report 😜.

Code:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.

 For more information please see the following:

https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Boxter.HHP!MTB&threatid=2147962999&enterprise=0

     Name: Trojan:PowerShell/Boxter.HHP!MTB

     ID: x

     Severity: Severe

     Category: Trojan

     Path: file:_C:\Users\x\AppData\Roaming\Mozilla\Firefox\Profiles\x\storage\default\https+++www.virustotal.com\cache\morgue\129\{x}.final

     Detection Origin: Local machine

     Detection Type: Concrete

     Detection Source: User

     User: x\x

     Process Name: Unknown

     Security intelligence Version: AV: 1.445.225.0, AS: 1.445.225.0, NIS: 1.445.225.0

     Engine Version: AM: 1.1.26010.1, NIS: 1.1.26010.1
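
A triage sketch for messages like the one quoted in the post above, added here as an example and not posted by anyone in the thread: it parses the fields and labels detections whose path points at browser-stored web content or at a rule text file, the two false-positive sources discussed. The function names, labels, Firefox-only path check and `.yar`/`.yara` suffixes are assumptions, and the sample is constructed from the quoted message.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the message quoted in the thread;
# user and profile names are placeholders.
SAMPLE = r"""Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
     Name: Trojan:PowerShell/Boxter.HHP!MTB
     Severity: Severe
     Path: file:_C:\Users\x\AppData\Roaming\Mozilla\Firefox\Profiles\x\storage\default\https+++www.virustotal.com\cache\morgue\129\{x}.final
     Detection Source: User
     Process Name: Unknown
"""

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$")
RULE_SUFFIXES = {".yar", ".yara"}  # assumed extensions for rule files


def parse_detection(message):
    """Return the 'Key: value' fields of one detection message as a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD.match(line)
        if m:  # lines without 'Key: value' (banner, bare URL) are skipped
            fields[m.group(1)] = m.group(2)
    return fields


def triage(fields):
    """Label a detection by where the flagged file lives (a hint, not a verdict)."""
    raw = fields.get("Path", "")
    if raw.startswith("file:_"):  # prefix as shown in the quoted message
        raw = raw[len("file:_"):]
    path = PureWindowsPath(raw)
    parts = [p.lower() for p in path.parts]
    # Assumption: only the Firefox profile layout seen in the thread is recognised.
    if "firefox" in parts and "profiles" in parts and ("cache" in parts or "storage" in parts):
        return "browser-stored web content"
    if path.suffix.lower() in RULE_SUFFIXES:
        return "rule text on disk"
    return "needs review"


if __name__ == "__main__":
    event = parse_detection(SAMPLE)
    print(event["Name"], "->", triage(event))
```

A "needs review" result means only that neither path heuristic applied; the detection still has to be examined on its own merits.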
 
The author’s operational security practices strongly suggest an amateur rather than a seasoned researcher. The most glaring red flag is the maintenance of a multi-terabyte malware zoo on a daily-driver host OS where the native antivirus can unexpectedly re-enable itself. Standard industry practice dictates that active analysis be strictly confined to an isolated, air-gapped virtual environment, not a primary machine used for casual web browsing such as YouTube.
You're being too kind to this tester, whoever he/she/they is/are. "Clown" is more accurate.