Which one do you recommend?

  • Windows Defender: 27 votes (58.7%)
  • Avast Premier: 19 votes (41.3%)
  • Total voters: 46

List of apps to compare
  • Windows Defender
  • Avast Premier

What I am most interested about
  • Learning curve (Ease of Use)
  • Graphical User Interface
  • Exclusive Features & Functionality

shmu26

Level 83
Verified
Trusted
Content Creator
Exploit protection can be used with any AV, like SmartScreen, UAC, Windows Firewall.
It doesn't stick to WD.
You are right as regards configuring Exploit protection for specific apps. If the user is willing to get his hands dirty, he can go right ahead and configure those settings for any app he wants.
But AFAIK the ASR Exploit guard protections, which are easily controlled by ConfigureDefender, are only available if WD is the active AV.
 

Evjl's Rain

Level 43
Verified
Trusted
Content Creator
Malware Hunter
You are right as regards configuring Exploit protection for specific apps. If the user is willing to get his hands dirty, he can go right ahead and configure those settings for any app he wants.
But AFAIK the ASR Exploit guard protections, which are easily controlled by ConfigureDefender, are only available if WD is the active AV.
really? I always disable WD but I can still do everything with the exploit protection

ConfigureDefender has 3 presets which include WD settings. After applying a preset, you can turn off WD.

I'm not so sure about it, but ASR can also be achieved by using SysHardener. Different methods, similar end result.
 

shmu26

Level 83
Verified
Trusted
Content Creator
really? I always disable WD but I can still do everything with the exploit protection

ConfigureDefender has 3 presets which include WD settings. After applying a preset, you can turn off WD.

I'm not so sure about it, but ASR can also be achieved by using SysHardener. Different methods, similar end result.
@Andy Ful is the Guru for this stuff, let's hear what he says...
 

Deleted member 178

We, people in security forums, are a bunch of paranoids believing every site/hacker/mail will compromise us; the truth is, teach the users some security basics, set them up with a decent natively secured environment (SUA, SmartScreen, UAC at max), then add the "block elevation of unsigned processes" reg tweak, and most won't get infected as easily as most here believe.
Did it on some of my friends' computers, never got infected since; most of them call me about connectivity issues, and when I do my routine check, no infections... maybe some PUPs/toolbars, but no malware.

I am paranoid, but in truth, I have never encountered a serious malware in 20+ YEARS of surfing. I could discard all my additional security apps and I would still be uncompromised. Why?

Because I'm not stupid, clicking every damn link/file/mail I see.

So if I can do it, people can do it too.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
You are right as regards configuring Exploit protection for specific apps. If the user is willing to get his hands dirty, he can go right ahead and configure those settings for any app he wants.
But AFAIK the ASR Exploit guard protections, which are easily controlled by ConfigureDefender, are only available if WD is the active AV.
@shmu26 is right. I tested Defender ASR (all enabled) with disabled Defender using MS Office 2016. It did not work. It also did not work with disabled Defender real-time protection. But I am not sure if it is the same thing when Defender is inactive due to installing another AV. I will test this soon. I am only sure that in this case one cannot reconfigure ASR settings via PowerShell cmdlets.
Exploit Guard for applications works independently of Defender. (y)
If someone has to activate something similar to ASR for MS Office applications with disabled Defender, then it is possible to turn on the 'Do Not Allow Child Processes' mitigation for Office executables (and maybe some other mitigations). Yet, this mitigation will also stop the possibility for Office applications to open the print session. Printing is still possible when the print session was already opened by a Universal application (like Word Mobile, Adobe Reader Touch, Foxit MobilePdf, etc.) - it can be just one blank page.
 

Deleted member 65228

I've finally got round to testing Attack Surface Reduction (ASR) and for now I've only tested one policy. For the record, my posts earlier about WDEG was referring to the main visible section in the Windows Defender GUI, not additions like ASR.

I can confirm that while the policy 'Block Office applications from injecting code into other processes' is enforced, any Office Macro attempting to allocate memory through Platform Invocation to NTDLL for NtAllocateVirtualMemory will be unsuccessful. I'll be testing NtWriteVirtualMemory independently soon (e.g. trying to patch without memory allocation prior to it).

I'll continue testing the code injection prevention feature once I have more time.
 

cruelsister

Level 36
Verified
Trusted
Content Creator
never encountered a serious malware in 20+ YEARS of surfing
That is a really important statement, and one with which I totally agree. But the functional part of the statement is "20+ years of experience"; There are many here that do not have such experience.

I remember back to my Barbie days when I was seeking various applications for various tasks- in this search I did not care what I downloaded and installed as I was seeking Nirvana in each area; this activity obviously increased the potential for infection.

Now after all these years I have found Nirvana in these areas (as most with experience have). So an experienced user [who may check their Investments with Goldman Sachs (shameless plug), their Bank account with Whomever, and News at the Wall Street journal or NY Times] would almost by definition need less protection than the Newbie as the potential for infection has radically decreased (I really hope that is clear, but if not it is entirely my fault- I've just finished talking for the past 6 hours and am really zipped).

Point being (yes, I actually do have a Point) that although WD+SUA+UAC may be good for the experienced user, it may (does) leave something to be desired for our newbie Brothers and Sisters for whom we have an Ethical Obligation to protect.

Finally (really)- back to the question that started this thread: asking whether one should go with WD or Avast Premier is like asking whether you would rather be bludgeoned to death by a Tire Iron or a Baseball bat- either choice is really sub-optimal.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
I tested ASR mitigation 'Do Not Allow Child Processes' in the below configurations:
  • Defender disabled, no AV installed.
  • Defender deactivated. Avast free installed.
  • Defender enabled, 'Real-time protection' disabled, no other AV.
In all cases, ASR did not work, neither configured via PowerShell cmdlets nor by GPO.
So it is easy to remember. ASR works only when Defender 'Real-time protection' is turned ON.
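An added example (not from the thread or any of its posters) that turns the two findings above into a quick audit: it reports whether Defender real-time protection is on, lists the configured ASR rule actions (which the tests show are not enforced while real-time protection is off), and shows the per-app Exploit Guard 'DisallowChildProcessCreation' setting for Office executables, which works independently of Defender. It assumes Windows 10 1709 or later with the Defender and ProcessMitigations PowerShell modules, run from an elevated prompt; the two rule GUIDs are the standard Office ASR rule ids, and the Office executable names are illustrative targets.

```powershell
# Added example, not from the thread: audit ASR enforcement state and the
# per-app Exploit Guard child-process mitigation for Office binaries.
# Assumes Windows 10 1709+ with the Defender and ProcessMitigations modules.

# Friendly names for the two Office ASR rule GUIDs discussed in the thread.
$asrNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}
# AttackSurfaceReductionRules_Actions values: 0 = Disabled, 1 = Block, 2 = Audit
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$rtpOn = [bool]$status.RealTimeProtectionEnabled
Write-Host "Defender real-time protection enabled: $rtpOn"
if (-not $rtpOn) {
    # Per the thread's testing, configured ASR rules do nothing in this state,
    # even though they still appear as enabled below.
    Write-Warning 'ASR rules below are configured but NOT enforced while real-time protection is off.'
}

$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
if ($ids.Count -eq 0) { Write-Host 'No ASR rules configured.' }
for ($i = 0; $i -lt $ids.Count; $i++) {
    $id   = $ids[$i].ToString().ToUpper()
    $name = if ($asrNames.ContainsKey($id)) { $asrNames[$id] } else { 'Other ASR rule' }
    $act  = $actionNames[[int]$actions[$i]]
    Write-Host ("ASR {0} ({1}): {2}" -f $id, $name, $act)
}

# Exploit Guard per-process mitigations are enforced by the OS, not by the
# Defender engine, so they remain in effect regardless of the state above.
foreach ($exe in 'winword.exe', 'excel.exe', 'powerpnt.exe') {   # illustrative names
    $m = Get-ProcessMitigation -Name $exe -ErrorAction SilentlyContinue
    $child = if ($m) { $m.ChildProcess.DisallowChildProcessCreation } else { 'not readable' }
    Write-Host ("{0}: DisallowChildProcessCreation = {1}" -f $exe, $child)
}
# To apply the mitigation the thread describes (mind the printing caveat), run:
#   Set-ProcessMitigation -Name winword.exe -Enable DisallowChildProcessCreation
```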
 

Deleted member 178

That is a really important statement, and one with which I totally agree. But the functional part of the statement is "20+ years of experience"; There are many here that do not have such experience.
Like everybody, I didn't start in security with full knowledge and skills; I cultivated it. But maybe it is my mindset that prioritizes "logic", but I understood very early that you can't trust anything on the net, like you can't trust everyone in real life. Once people understand that, it is a big step in security/safety.

it may (does) leave something to be desired for our newbie Brothers and Sisters for whom we have an Ethical Obligation to protect.
In fact, it depends on the noobs: some listen to my safety advice and then reduce the risks drastically, others don't.
 

shmu26

Level 83
Verified
Trusted
Content Creator
We, people in security forums, are a bunch of paranoids believing every site/hacker/mail will compromise us; the truth is, teach the users some security basics, set them up with a decent natively secured environment (SUA, SmartScreen, UAC at max), then add the "block elevation of unsigned processes" reg tweak, and most won't get infected as easily as most here believe.
Did it on some of my friends' computers, never got infected since; most of them call me about connectivity issues, and when I do my routine check, no infections... maybe some PUPs/toolbars, but no malware.

I am paranoid, but in truth, I have never encountered a serious malware in 20+ YEARS of surfing. I could discard all my additional security apps and I would still be uncompromised. Why?

Because I'm not stupid, clicking every damn link/file/mail I see.

So if I can do it, people can do it too.
I bookmarked this post.
It is the best crash course in computer security that I can remember.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
WD at max + Comodo Firewall with your special recipe is definitely a winner!
Integrating Sandbox technology with the Firewall, to isolate unsafe processes and automatically cut them off from the Internet, is a simple, effective and beautiful idea. But it seems that Microsoft and many other vendors like the opposite. When I talked with @Recrypt on Malwaretips, this prevented him from isolating Office 365 applications in this way in the ReHIPS sandbox. More and more applications are Internet dependent, without sufficient security from the Windows side. :(
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
That is strange, but I know some spectacular examples that can support both @cruelsister's and @Umbra's standpoints about "Classic" configs like "Defender + UAC + SUA" or any standard AV (and nothing else). The most shocking was a 10-year-old XP laptop without any AV, that had Opera as a web browser. The guy had only the knowledge of the average computer user. I spent a day checking the computer (also with some additional soft like PowerTool etc.), and even sent the MBR image to VirusTotal. There was only one PUP - unbelievable.
I am sure that the most important factor for the user's security is not the software, but simply common sense, cautiousness, and knowledge. If the inexperienced user (with a "Classic" setup) visits only some safe websites, does not click everything, and does not constantly seek new software, then his/her computer is probably as safe from malware as his/her home is from ordinary thieves.
Does it mean that the user has good protection? No.
But is a door in the home good protection?
If the user is an explorer type and wants to try/share everything that is possible, then the @cruelsister standpoint will be highly recommended.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
@Andy Ful so do you suggest Defender over Avast?
Both are good free AVs on Windows 10. On some computers Defender can behave better, on others the opposite can be true.
Generally, Defender is more stable on Windows 10, and Avast is more friendly.
Looking at your priorities: Learning curve (Ease of Use), Graphical User Interface, Exclusive Features & Functionality, try Avast first.
 

shmu26

Level 83
Verified
Trusted
Content Creator
Windows 10 with April Update, with Core isolation enabled, causes difficulties for some and maybe all 3rd-party AVs. The details are not out yet. That is a reason to prefer Windows Defender. It doesn't need kernel-level hooks in order to monitor system activity, because it is part of the OS itself.
 

Deleted member 65228

It doesn't need kernel-level hooks in order to monitor system activity
A majority of vendors aren't using kernel-level hooks anymore. On 64-bit environments, only the vendors which are working with hardware-assisted virtualization for the hypervisor, and for 32-bit environments, it is a lot less prevalent now as well.

The prevalent and main techniques for a majority of vendors currently revolve around kernel-mode callbacks and user-mode patching. A combination is sufficient, and one is more appropriate than the other depending on the requirements and situation.
 

shmu26

Level 83
Verified
Trusted
Content Creator
A majority of vendors aren't using kernel-level hooks anymore. On 64-bit environments, only the vendors which are working with hardware-assisted virtualization for the hypervisor, and for 32-bit environments, it is a lot less prevalent now as well.

The prevalent and main techniques for a majority of vendors currently revolve around kernel-mode callbacks and user-mode patching. A combination is sufficient, and one is more appropriate than the other depending on the requirements and situation.
Hmm, I am starting to understand this hypervisor thing now. I tried to fire up an x64 virtual machine in VMware, and no go, because I enabled core isolation. Bummer.