Advice Request Windows Defender V.S. Bitdefender or any other AV?

[FireHammer]

Hey, I am no big techie so bare with me.

I have a question how can Windows Defender be as good as the competition when they not update their definitions as often as them?
Bitdefender Total Security update their threat information once 2-5 hours, and Windows Defender update sometimes not even once in 24 hours.
How can Windows Defender keep up?

 

[ForgottenSeer 89360]

Hey, I am no big techie so bare with me.

I have a question how can Windows Defender be as good as the competition when they not update their definitions as often as them?
Bitdefender Total Security update their threat information once 2-5 hours, and Windows Defender update sometimes not even once in 24 hours.
How can Windows Defender keep up?

Windows Defender relies mostly on Machine Learning. Microsoft has trained Defender with a large set of malware.
It has found similarities between malware and malware, malware family A and malware family B, etc.
It has extracted whole "bags" of features typical only for malware and not for safe files.
As soon as you download a file, Windows Defender extracts a "a second bag" full of key attributes, such as where it came from, file, size, metadata, is it packed, is it obfuscated...
The two bags then just get compared. The more similar they are, the higher the chance that your file is malware.

There are many techniques attackers can use to bypass this check. In this case Windows Defender will take the file from your machine and send it to what's known as Automated Malware Analyses and Detonation. This system executes the file and monitors how it behaves - does it behave like a safe file, or does it act malicious.

All this is a very simple explanation for a very complicated set of technologies, only mathematicians can understand in-depth.

The benefit for you is, you are protected without the need of definitions. They are now used only in case your device is disconnected temporarily and to scan the network for suspicious, hacker-attack-like activvity.

 

[RoboMan]

Bitdefender Total Security update their threat information once 2-5 hours, and Windows Defender update sometimes not even once in 24 hours.

That's the default configuration. But you can tweak WD in order for it to search for definition updates in any range between 1-24 hours.

Also, regarding to your question "how can Defender keep up", the answer is there's far more than signatures (static detection) when it comes to preventing and detecting malware. For example, Windows Defender makes use of MAPS, block at first sight, behavioural blocking and several other modules.

 

[ForgottenSeer 85179]

To the great post from @McMcbrad this is the source:

Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection | Microsoft Security Blog

While Windows Defender Antivirus makes catching 5 billion threats on devices every month look easy, multiple advanced detection and prevention technologies work under the hood to make this happen. Multiple next-generation protection engines to detect and stop a wide range of threats and attacker...

www.microsoft.com

And also another nice picture from (click it for full size):

 

[FireHammer]

View attachment 249106
Windows Defender relies mostly on Machine Learning. Microsoft has trained Defender with a large set of malware.
It has found similarities between malware and malware, malware family A and malware family B, etc.
It has extracted whole "bags" of features typical only for malware and not for safe files.
As soon as you download a file, Windows Defender extracts a "a second bag" full of key attributes, such as where it came from, file, size, metadata, is it packed, is it obfuscated...
The two bags then just get compared. The more similar they are, the higher the chance that your file is malware.

There are many techniques attackers can use to bypass this check. In this case Windows Defender will take the file from your machine and send it to what's known as Automated Malware Analyses and Detonation. This system executes the file and monitors how it behaves - does it behave like a safe file, or does it act malicious.

All this is a very simple explanation for a very complicated set of technologies, only mathematicians can understand in-depth.

The benefit for you is, you are protected without the need of definitions. They are now used only in case your device is disconnected temporarily and to scan the network for suspicious, hacker-attack-like activvity.

Hi @McMcbrad that post was really helpfull, I knew in advance that Defender or any other AV was not using Defenitions only, but thanks for the post.

 

[WhiteMouse]

Does network monitoring in Windows Defender behave like an IDS?

 

[ForgottenSeer 89360]

Does network monitoring in Windows Defender behave like an IDS?

It does indeed.

Hi @McMcbrad that post was really helpfull, I knew in advance that Defender or any other AV was not using Defenitions only, but thanks for the post.

If you are looking for easy, yet detailed description on how machine learning works, take a look at the McAfee resources I’ve shared here:
Thread 'Security News and Resources from McAfee'
Update - Security News and Resources from McAfee

If you wonder how it may be just as effective as others, once you understand machine learning and how Microsoft treats unknown files, you’ll have your answer.

You can compare the malware detection process to the way your phone camera detects objects. Once you take a picture, a technology that detects skies, faces, eyes, grass and food, amongst others, is utilised. Every object is then processed separately, instead of over-saturating the blue colour in the whole picture, giving your face a blue tint, it will saturate just the blue colour in the sky. That’s a simple example as well.
To develop this technology a programmer can sit down and write algorithms. He must explain to the machine how each one of these objects looks like, just like in the past developers were explaining how malware looks like in the form of definitions. Whilst this is not mission impossible, it would take ages and its effectiveness won’t be enough for good pictures.
A more effective approach would be to show a machine 10k pictures that have clouds and 10k pictures that don’t. The machine learning will then turn the object “cloud” into a complex mathematical model. Second, smaller set of pictures will be used to validate the model and third set will be used for developers to test how successful the model is. It’s important that all 3 sets are DIFFERENT (no leakage in machine learning)
The picture you just took is a second model, that will just be compared to the other one. If similarly is found, then your picture contains clouds/sky.

Microsoft has fed their machine learning really well, that’s how they keep up with others. It has invested in many other technologies as well, shown in the graphics above.

 

[LDogg]

This is actually amazing!

~LDogg

 

[bsdaddict]

Windows Defender relies mostly on Machine Learning. Microsoft has trained Defender with a large set of malware.
It has found similarities between malware and malware, malware family A and malware family B, etc.
It has extracted whole "bags" of features typical only for malware and not for safe files.

I beg to differ with "not for safe files". Defender is the king of false positives in my experience.

 

[SeriousHoax]

Just adding one thing here about signatures. Microsoft actually release signatures multiple times a day but by default it checks for update once a day on your system or after every restart. Windows 10 has fast startup enabled so turning a PC on isn't really counted as a restart. If you disable fast startup/restart the system then it will check for updates every time the PC turns on. Don't disable fast startup just for this btw. I'm just telling this for the sake of explaining WD's updating pattern.
You can manually change this behavior like RoboMan suggested through regedit/group policy/powershell. But it's not really necessary if the PC is always connected to internet. Micrsoft's offline signatures are usually delayed by few days but the online one is always connected and up to date. Most new threats are detected by their machine learning first with weird looking name and later they create proper signatures with proper famlily name, variant, etc classification and like I said the later stage is delayed by few days. So it's not necessary to check for updates every few hours. If you need to scan a flash drive then you may check for update manually before scanning if you wish.
You can check how many times a day a definition update is released and what signatures they add and update here. The lowest I've seen so far is twice a day to maximum ten times a day.

Antimalware updates change log - Microsoft Security Intelligence

 

[ForgottenSeer 89360]

@SeriousHoax is right.
I just want to add that, by the time they classify one threat, another will already be released. If you followed my thread “How Well are You Protected Against Emotet”, where I created malware to test 0-day detection, I mention how easy and quick it is to create a new form of malware. 30 minutes and it’s entirely new threat, totally unknown.
So my advise, forget about signatures. Defender already offers you many other layers. If Microsoft designed them to update not-so-frequently, trust them. They know what they are doing.