Battle Windows Defender vs Avast Premier

Heyye

Level 1
Thread author
Feb 18, 2016
13
Hello. Before, I was using Windows 7 with the Avast Antivirus and Comodo Firewall combo. Today I upgraded my PC to Windows 10. I bought a Windows 10 license and they also sent me an Avast Premier key as a promotion. I couldn't decide which one is more effective and stable.

I think that Avast has more features but Defender is more compatible with Windows 10.

And the gold question is which one do you recommend?

Sorry for my English.

Best regards.
 

amico81

Level 21
Verified
Top Poster
Well-known
Jan 10, 2017
1,061
In my opinion Windows Defender is not enough as a standalone solution. It needs a wingman for more protection layers, like OSArmor, SysHardener, etc.
I would test your trial version of Avast Premier. If you don't have any issues or bugs, you can renew the license
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Whilst I use Windows Defender on Windows 10, I cannot say what would be better for you. Have you created your PC Config thread before?

Remember not everything under Avast Premier is covered by the license, some are additional costs.
 

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
If you choose Windows Defender (which is a really good choice!), you can combine it with one of these tools. Many complain here that Defender very often accesses the hard disk, slowing down the system. But the $50 is better invested in an SSD than in a 1-year Avast license, because an antivirus is not there to make the system faster.
  • Hard_Configurator or
  • Comodo Firewall or NoVirusThanks OSArmor or
  • Zemana AntiMalware (paid) or MalwareBytes Anti-Malware (paid) or Immunet
The first tools will make your system much more secure than the last, but they also cost more time for the right configuration.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Many complain here that Defender very often accesses the hard disk, slowing down the system
It also happens on an SSD. It's just harder to notice.
Continuous scanning of the same files will degrade your SSD/HDD faster.
It's suitable for someone who just browses the web or games and doesn't frequently work with files.
 

Deleted member 65228

Windows Defender has advanced features for anti-exploit and more, it has mitigations that you can't get with another AV.
Its exploit mitigation capabilities are different to the approach some other vendors take, though.

Windows Defender Exploit Guard (WDEG) is designed to help make existing vulnerabilities for software become non-functional when deployed (and thus the exploitation attack is prevented), and prevent new vulnerabilities from being exploited if the exploit attack isn't prepared for the enforced policies.

Why is this?
It is because if an attacker is targeting a vulnerability using a hard-coded address (which Address Space Layout Randomization (ASLR) can break), or the assumption that they can gain code execution due to a lack of Data Execution Prevention (DEP), then the exploit attack can fail unless it is flexible and has a work-around for ASLR/DEP/any other mitigations enforced by the person handling the configuration of WDEG.

However, some Anti-Virus vendors take the approach of not trying to replicate what EMET did in the past (which is quite similar to Windows Defender Exploit Guard now), and actually trying to mitigate actual vulnerabilities individually, instead of trying to make it harder to exploit existing ones or develop new ones for the future. Alternatively, they may take both the approach Microsoft did as well as a different approach.

For example, look at Malwarebytes Anti-Exploit. While it supports Bottom-Up ASLR and DEP enforcement, it also has a monitoring scope of trying to prevent heap-spray exploitation (and/or protecting against known Java exploits). It may prevent things that WDEG won't even be aware of, because WDEG works completely differently.

I do not believe Microsoft inject code into processes monitored by WDEG like they did with processes monitored by EMET, patching the memory of various API routines in NTDLL (for example). I think that WDEG is strictly process mitigation policies, and while it can be great if you know what you are doing and understand how you are using it for which software (since some applications are developed with a bad design which makes them break when features like ASLR or Control Flow Guard are utilized), it won't work identically to the other products which take alternate approaches and monitor behavior to mitigate known and zero-day vulnerabilities.

I could be wrong though, so please let me know if I am. So far this is my understanding of WDEG however it never really worked that well for me in my testing (unlike Malwarebytes Anti-Exploit which works superbly for me in my testing) so I am definitely open-minded on this.

Personally, if possible, I'd recommend using WDEG where applicable for policy enforcement as long as it is compatible with the software target, as well as an alternate anti-exploit component should it be compatible (e.g. if the policies enforced by WDEG do not break the other anti-exploit, which is likely performing RCE) which takes a different approach (e.g. covers areas that WDEG does not and does not try to replicate what WDEG is doing).

As a final note though, I'd recommend avoiding any software packages which have been poorly designed in the first place. Sometimes you may make exceptions, but features like ASLR and DEP alone are important, so I'd watch out for the usage of those; I cannot stand applications which avoid using them intentionally. You can also look into whether the software is regularly targeted and commonly loved by malware authors; that can be a sign of whether to ditch it and find an alternative or not as well... not to mention you can do research on vulnerability history and public disclosure/patch timing for the software/vendor you're considering relying on for something.
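The post above describes WDEG as per-process mitigation policies (DEP, ASLR variants, CFG) that can break badly designed software. The script below is an added example, not code from the thread or from Microsoft, showing how a defender would inspect, enforce, roll back and export those policies with the built-in ProcessMitigations PowerShell module (Windows 10 1709 and later). The executable name and the export path are placeholders.

```powershell
# Added example: manage Exploit Protection (WDEG) process mitigations.
# Requires an elevated PowerShell session on Windows 10 1709+.
$exe = 'example-app.exe'   # placeholder: name of the program you want to harden

# 1. See the system-wide defaults, then what is set for this program.
#    NOTSET means the system default applies, so a NOTSET DEP or ASLR
#    entry on a program with a bad security history is worth a look.
Get-ProcessMitigation -System
Get-ProcessMitigation -Name $exe

# 2. Enforce the baseline the post calls important: DEP plus the ASLR
#    variants. ForceRelocateImages is the setting most likely to break old
#    software that ships non-relocatable DLLs, so try it on one machine first.
Set-ProcessMitigation -Name $exe -Enable DEP, BottomUp, HighEntropy, ForceRelocateImages

# 3. Confirm the change took effect before launching the program.
Get-ProcessMitigation -Name $exe

# 4. If the program no longer starts, drop the per-process entry so it falls
#    back to the system defaults, then re-add the settings one at a time
#    (typically everything except ForceRelocateImages) to find the culprit.
# Set-ProcessMitigation -Name $exe -Remove

# 5. Once the settings are known-good, export the whole configuration to XML
#    so the same policy can be applied on other machines with -PolicyFilePath.
$xml = Join-Path $env:TEMP 'exploit-protection.xml'   # placeholder path
Get-ProcessMitigation -RegistryConfigFilePath $xml
# On another machine:
# Set-ProcessMitigation -PolicyFilePath $xml
```

Step 4 is the compatibility check the post warns about: rolling back to defaults and re-enabling one mitigation at a time tells you which policy the application cannot tolerate, which is more useful than disabling DEP and ASLR wholesale.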
 

Deleted member 65228

One more thing... the virtualization support Microsoft have been working on for Enterprise, that's allegedly really good. I haven't used it myself but it does seem exceptionally nice. I've heard good things.

Device Guard and Credential Guard also seem like nice features.

Of course these aren't for an average user though, but it goes without saying, the technology Microsoft focuses on maintaining and developing for Enterprises can be really good sometimes. I do not know how popular Microsoft are in the Enterprise department but their Enterprise technology must be going well for some to cause enough income and make them focus on it even more.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Shmu- Absolutely. There is no real reason to ever shut off WD, but there is also no real reason to think that it is "all one needs"

Perhaps a "Classic" user (like Aristotle in Athens?) may be comfortable with WD+UAC+SUA. but Meghan from NYC can (and has) breached this combo at will (actually it was Ophelia).
 

Deleted member 65228

WD at max + Comodo Firewall with your special recipe is definitely a winner!
Do you want to know what COMODO Firewall could be really good for? Preventing data ex-filtration post-infection. Furthermore, some malicious software will halt any damage attempts prior to communicating with the Command and Control (C&C) server/s, and COMODO Firewall when configured nicely can allow you to prevent this operation as well, causing the sample in a scenario like this to end up doing no harm, even if code execution had been compromised.

When you think about it, it is all about network security... and backups. If you have good network security then you can identify breaches which have already occurred through network traffic monitoring (e.g. suspicious data bandwidth usage for download/upload) or prevention of general C&C communication (and all of this in the end can save your ass from having sensitive and critical documents ex-filtrated to an attacker who's after them, or more malware being downloaded to the system), and if you have good and consistent backups then you're a lot more prepared to fight ransomware/general wipers or even virus infections from the past.

Of course there's more to it... but your post about WD and COMODO Firewall just forced me to think about it on a deeper level.
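The two posts above make the same point: an outbound-filtering firewall stops post-infection C&C traffic and data ex-filtration, and a sudden burst of blocked outbound connections is itself a sign of an existing infection. This added example (not from the thread, and not Comodo's product) shows the equivalent with the built-in Windows Defender Firewall: a default-deny outbound policy, per-program allow rules, and a report of which programs are being blocked most, built from Windows Filtering Platform audit event 5157. The allowed program paths are placeholders; the event's field names (Application, Direction, DestAddress, DestPort) and the "%%14593" outbound direction code are assumed from the event's standard schema.

```powershell
# Added example: default-deny egress with Windows Defender Firewall plus a
# per-program summary of blocked outbound connections. Run elevated.

# 1. Block everything outbound unless a rule allows it. Windows keeps its
#    own "Core Networking" allow rules (DNS, DHCP, ...) enabled, so name
#    resolution keeps working; every other program must be allowed explicitly.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Allow the programs you actually use, one rule per executable (placeholders).
$allowed = @(
    @{ Name = 'Browser'; Path = 'C:\Program Files\Example Browser\browser.exe' }
    @{ Name = 'Updater'; Path = 'C:\Program Files\Example App\updater.exe' }
)
foreach ($app in $allowed) {
    New-NetFirewallRule -DisplayName "Egress allow: $($app.Name)" `
        -Direction Outbound -Program $app.Path -Action Allow -Profile Any
}

# 3. Audit blocked connections so a chatty unknown process leaves a trace
#    in the Security log (event ID 5157).
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 4. Summarise recent blocked outbound connections per program: a process
#    with hundreds of blocked attempts to many destinations is the "tip-off".
function Get-BlockedEgressSummary {
    param([int]$Hours = 24)
    $start  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $start } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read EventData by field name rather than by position
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # %%14593 is the direction code for Outbound in event 5157 (assumed)
        if ($data.Direction -eq '%%14593') {
            [pscustomobject]@{
                Application = $data.Application
                Destination = "$($data.DestAddress):$($data.DestPort)"
            }
        }
    }
    $rows | Group-Object Application | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Application';  e = { $_.Name } },
            @{ n = 'Destinations'; e = { ($_.Group.Destination | Select-Object -Unique).Count } }
}

Get-BlockedEgressSummary -Hours 24 | Format-Table -AutoSize
```

Reading the summary is the check a home user can do right after switching to default-deny: an unfamiliar executable at the top of the table with a large number of distinct destinations warrants a second-opinion scan, whereas a known updater hitting one or two hosts just needs an allow rule.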
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
OpCode- Great Minds Think Alike! Although I had no intention to do another video (like ever), there is one thing that I never addressed- that is installing CF on a system that MAY be infected, instead of one that is assumed to be clean.

Specifically I re-coded a little fileless beauty that utilized scrcons to connect out, with persistence within WMI root. If CF is set up as I suggest (with the assumption that the system is clean), the connection out by scrcons would continue; but with the Firewall set at "Custom Mode" instead, hundreds (or potentially thousands) of Outbound connections to Blackhat Control would be blocked.

So how would a typical Home User know if their system is currently infected? The answer is normally a 2nd opinion scanner, but in the case I present above only HMP had any clue (and I'm sure a bit of thought would have bypassed that issue).

Anyway, for an existing system (which may or may not be already infected) when the User is not a Super-Geek the initial CF setup should be with the Firewall on Custom Mode; noting hundreds of connections here after install would be a tip-off to an existing infection and would prevent, as you superbly stated:

Preventing data ex-filtration post-infection
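The persistence described above lives in the WMI repository as a permanent event subscription: an __EventFilter (a WQL query for the trigger), an event consumer (an ActiveScriptEventConsumer runs its script inside scrcons.exe; a CommandLineEventConsumer runs a command), and a __FilterToConsumerBinding tying the two together. Because a second-opinion scanner may miss this, the added example below (not from the thread or from any product) enumerates all three pieces with the built-in CIM cmdlets and flags the consumer types that execute code. It assumes Get-CimInstance returns the binding's Filter and Consumer references either as CimInstance objects or as WMI object-path strings, and handles both.

```powershell
# Added example: list permanent WMI event subscriptions (the persistence
# mechanism behind scrcons.exe activity). Run elevated.
function Get-RefName {
    # A binding's Filter/Consumer reference may arrive as a CimInstance or as
    # an object path such as __EventFilter.Name="SomeFilter" (assumed forms)
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    return ($Ref -replace '^.*\.Name="([^"]*)".*$', '$1')
}

function Get-WmiPersistence {
    $ns        = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns all derived consumer classes
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        $type = $c.CimClass.CimClassName
        # What runs when the filter fires depends on the consumer class
        $payload = switch ($type) {
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query
            ConsumerType = $type
            Consumer     = $cName
            Payload      = $payload
            # Script and command-line consumers execute arbitrary code; review them
            RunsCode     = $type -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'
        }
    }
}

Get-WmiPersistence | Format-List

# To remove a subscription you have confirmed is malicious, delete the binding
# first, then the filter and the consumer it referenced (placeholder name):
# Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
#     Where-Object { (Get-RefName $_.Filter) -eq 'BadFilterName' } | Remove-CimInstance
```

A clean consumer machine usually has no entries at all (some management agents register a few with recognisable names), so any ActiveScriptEventConsumer whose script text is obfuscated or downloads something is exactly the fileless case the post describes, and it should be removed before switching the firewall out of Custom Mode.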
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
And thanks for bringing our attention once again to that little devil called scrcons.exe.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Windows Defender has advanced features for anti-exploit and more, it has mitigations that you can't get with another AV.
Use Andy Ful's ConfigureDefender to access many of the advanced features.
Exploit protection can be used with any AV, like SmartScreen, UAC and Windows Firewall; it doesn't stick to WD.

WD itself only has signatures, cloud and ransomware protection.
It's extremely weak at default settings. SmartScreen saves it from being destroyed.
 
