- Feb 25, 2017
- 2,585
Windows Defender vs Malware in 2021 (The PC Security Channel)
- Thread starter Kongo
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Mar 16, 2019
- 3,862
We all know that throwing 2000 malware at the same time on a system is not a real world scenario. But even if I ignore that, as you can see Defender didn't finish its removal process. There were still active threats on the system and it was trying to clean them. Also, there were some PUP detections which requires user's interaction to delete. He didn't do that either. He should've let it complete the removal process, manually tell it to remove the PUPs and then restart the system and do the second opinion scanning. He didn't do any of that which shows once again that Leo doesn't know how Microsoft Defender works. Another useless video.
- Mar 13, 2021
- 462
Conclusion: Windows Defender is much slower than other AVs and requires user interaction, which is always recommendable
- Feb 25, 2017
- 2,585
Slower in removing thousands of malicious files? That shouldn't be a problem for the average user for sure. Also, user interaction is actually a good thing when it comes to PUPs (also seemed to be the case in the video). If it would have removed them without letting the user decide, then a big group of people would have been pissed that their favorite "PUP" just got removed without their knowledge.Conclusion: Windows Defender is much slower than other AVs and requires user interaction, which is always recommendable
- Mar 13, 2021
- 462
Most people don't even know what a PUP is, others just click allow to every thing. The AV must already know what is malicious and what is legit and do everything independently.
- Feb 25, 2017
- 2,585
PUPs normally ain't malicious, they usually just have content that some users don't want to have on their system. (bloat etc.) That's why most antivirus software flags them but doesn't automatically delete them, as they are simply not from malicious origin. A similar issue would be riskware, that isn't necessarily malicious, but can be used by cyber criminals to do malicious things. That's why AVs flag such software if you decide to enable the detection of such tools, cause most people don't really want and need something like that on their system which can bear a risk for them.
- Dec 23, 2014
- 8,510
It seems that Leo has been more cautious this time in his opinion about Defender. He was somewhat surprised that Defender allowed to execute several threads and still one could not be sure if these threads did any harm to the system (except some leftovers).
Some of his words can suggest that he does not fully understand that Defender uses post-execution behavior-based detections. But, he understands that is hard to show the real infection without additional inspection of the network traffic, scheduled tasks, changes in the registry, etc.
Unfortunately, most users will simply look at the number of blocked samples (no execution) which has nothing to do with the actual protection of Defender and many modern AVs.
So, the video is a good (but limited) presentation of how Defender can fight malware via pre and post-execution detections, but like all other such "tests"/presentations, it cannot say how effective is the Defender protection.
Some of his words can suggest that he does not fully understand that Defender uses post-execution behavior-based detections. But, he understands that is hard to show the real infection without additional inspection of the network traffic, scheduled tasks, changes in the registry, etc.
Unfortunately, most users will simply look at the number of blocked samples (no execution) which has nothing to do with the actual protection of Defender and many modern AVs.
So, the video is a good (but limited) presentation of how Defender can fight malware via pre and post-execution detections, but like all other such "tests"/presentations, it cannot say how effective is the Defender protection.
Last edited:
On that basis, antiviruses would not detect PUPs. As has already been mentioned, PUPs are not malicious, so it makes sense to let a user choose what to do with them, rather than automatically quarantining them.
- Mar 13, 2021
- 462
When someone complains about the test method to justify a poor result, it just reminds me of Webroot.
- Aug 22, 2013
- 885
IMHO its not without reasoning so its justified in every sense.
- Apr 1, 2019
- 2,867
One of the more circular arguments on the board. As for me, I have come across maybe 2 suspicious files in the last year. This does not induce panic.
- Dec 23, 2014
- 8,510
This video only shows that the "test" method is slightly archaic. It cannot be considered as a real test, but rather as a presentation.
Even Leo in this video does not consider the number of executed samples as a good indicator of the infection. He probably does not know much about Defender's post-execution protection, so he did not consider allowing Defender to finish the malware remediation (which can last a few minutes per one executed sample). That is why several leftovers could be left on disk. You probably do not know, but Defender's malware remediation is one of the best. He also did not perform any inspection if something really infected the computer (before and after reboot).
Unfortunately, such unclear videos can trigger a long discussion about the protection and poor/good results of the "tested" product. Such discussion does not make any sense because the video does not make much sense in the protection matters (cannot say if the result is poor or good)
.
- Dec 23, 2014
- 8,510
Some of Leo's comments are relevant. The post-execution behavior-based detections are not perfect. They are similar to the human immune system. If we compare computer malware to coronavirus, then we know that in some cases the recovery is not easy and some people can even die.
There is another kind of protection that does not allow the execution of unknown files at all. It can be for example a sandbox in the cloud or file reputation service (like SmartScreen). It can be compared to a protective suit (hazmat suit) which can isolate from COVID invected environment. Of course, in daily work people do not want to use such suits and even have problems with protective masks. Sandboxes in the cloud produce significant execution delays (several minutes, hours, days), so most people simply disable such protection. File reputation service for all unknown PE files is used by default in Norton products (Norton Insight). KIS can be tweaked to block scripts and PE files unknown in KSN. Some solutions use file reputation service only for files downloaded from the Internet (Windows SmartScreen), others include only *.exe files (Avast Hardened Mode).
So, one can easily choose another AV when worrying about imperfect Defender solutions.
There is another kind of protection that does not allow the execution of unknown files at all. It can be for example a sandbox in the cloud or file reputation service (like SmartScreen). It can be compared to a protective suit (hazmat suit) which can isolate from COVID invected environment. Of course, in daily work people do not want to use such suits and even have problems with protective masks. Sandboxes in the cloud produce significant execution delays (several minutes, hours, days), so most people simply disable such protection. File reputation service for all unknown PE files is used by default in Norton products (Norton Insight). KIS can be tweaked to block scripts and PE files unknown in KSN. Some solutions use file reputation service only for files downloaded from the Internet (Windows SmartScreen), others include only *.exe files (Avast Hardened Mode).
So, one can easily choose another AV when worrying about imperfect Defender solutions.
I agree with what's ben said..
TBH Leo doesn't always necessarily have the best approach when it comes to testing AV's and making conclusions. Many times he makes very sweeping generalized comments about an AV without either fully understanding how it works, or doesn't fully explain what is happening. Sadly many people are making AV decisions based on his videos, which can be misleading at times.
In saying this, it does seem that Leo is trying to do a better job. Like @Andy Ful said, he does have some good comments...however he still has some work to do IMHO. I think Leo needs to do some things to make his videos better and more informative:
1. Spend some time offline studying and understanding how a particular AV works. Try to understand what their features do and how they work. If needed, seek clarification from the vendor prior to making the video.
2. Spend time in his videos actually educating people on what they are seeing. I think he needs to stress the fact that throwing 2000 pieces of malware at an AV all at once isn't a real world scenario. Also the fact that malware doesn't just randomly appear in a folder on the desktop
3.He also needs to clarify the results and discuss things like PUPs. As it's already been said, PUPs are not malicious.
4. Try to translate what the test results actually mean when someone is using a product in the real world. In most cases the vast majority of major AVs (including MD) are more than enough to keep most people safe. No product is perfect and all AV's can miss malware. Hence why it's very important to practice good computing/online hygiene along with having an AV. Your overall habits will have a larger impact on your overall security, than which AV you are running...regardless on how well it scores on a test.
TBH Leo doesn't always necessarily have the best approach when it comes to testing AV's and making conclusions. Many times he makes very sweeping generalized comments about an AV without either fully understanding how it works, or doesn't fully explain what is happening. Sadly many people are making AV decisions based on his videos, which can be misleading at times.
In saying this, it does seem that Leo is trying to do a better job. Like @Andy Ful said, he does have some good comments...however he still has some work to do IMHO. I think Leo needs to do some things to make his videos better and more informative:
1. Spend some time offline studying and understanding how a particular AV works. Try to understand what their features do and how they work. If needed, seek clarification from the vendor prior to making the video.
2. Spend time in his videos actually educating people on what they are seeing. I think he needs to stress the fact that throwing 2000 pieces of malware at an AV all at once isn't a real world scenario. Also the fact that malware doesn't just randomly appear in a folder on the desktop
3.He also needs to clarify the results and discuss things like PUPs. As it's already been said, PUPs are not malicious.
4. Try to translate what the test results actually mean when someone is using a product in the real world. In most cases the vast majority of major AVs (including MD) are more than enough to keep most people safe. No product is perfect and all AV's can miss malware. Hence why it's very important to practice good computing/online hygiene along with having an AV. Your overall habits will have a larger impact on your overall security, than which AV you are running...regardless on how well it scores on a test.
- Mar 13, 2021
- 462
He graduated Computer Science and worked as a malware analyst. But surely JoyousBudweiser and other forums users know best
Well to be fair, no one ever said he doesn't have knowledge in this space.... It's just that his presentation of said testing and conclusions really aren't the best.He graduated Computer Science and worked as a malware analyst. But surely JoyousBudweiser and other forums users know best
If he has worked as a malware analyst, well....sorry to say this, but it doesn't always show through in his vidoes. If he truly does have said knowledge/experience (I have no reason to doubt that he doesn't), then my previous post is even more valid, as he needs to do a better job of explaining everything, as that's where his major down fall is...
Also, I wouldn't assume that forum members here don't have knowledge in this space either... Just saying.
- Dec 23, 2014
- 8,510
There is no need to depreciate the knowledge of forum users. Believe me, some forum users are not impressed when someone graduated Computer Science and worked as a malware analyst. Furthermore, it is not possible to make a professional test on YouTube. It would last several days and almost all watchers would not understand what & why happened in the test.He graduated Computer Science and worked as a malware analyst. But surely JoyousBudweiser and other forums users know best
Last edited:
- Sep 8, 2019
- 461
Y'all complain Leo isnt doing it correctly, while claim independent labs, which do the exact same thing as him, is somehow "correct".
- Aug 17, 2014
- 11,093
True, the real way of any malware infection is never like that: running a bunch of samples one after another. But it makes a huge difference when you testing a few samples only, monitoring samples behavior and waiting at least 5 minutes before going to execute the next sample. YouTube testers usually never doing like that for reason almost nobody would like to watch 30-60 minutes full time of malware testing videos. Obviously, it's useless to complain about YouTube testers, but here are always the same discussions on every new malware test video 
To be on topic of MD, the truth is in the middle as almost always. MD isn't really that much weak looks like in this video, but on default settings (that matters the most because average users rarely tweak to improve protection of MD) it's far away from invincible... My personal tests confirms that sometimes MD even on max. protection settings ending up to be infected by one malware sample only, of course happens sometimes also for the most of paid AVs
To be on topic of MD, the truth is in the middle as almost always. MD isn't really that much weak looks like in this video, but on default settings (that matters the most because average users rarely tweak to improve protection of MD) it's far away from invincible... My personal tests confirms that sometimes MD even on max. protection settings ending up to be infected by one malware sample only, of course happens sometimes also for the most of paid AVs
Agreed!My personal tests confirms that sometimes MD even on max. protection settings ending up to be infected by one malware sample only, of course happens sometimes also for the most of paid AVs
I think this is the most important point when it comes to AVs and tests in general. Most of the time in the real world most AVs do fine. That doesn't mean they aren't invincible. I know I sound like a broken record, but every single AV can miss malware, no amount of testing/scoring 99±% on tests is going to change that. That is why it's important to have good habits as well...
The problem with tests in general, is that most people just look at the end result, not taking into account what it means. That's not to say testing cannot provide good information...it's just that testing malware vs AVs isn't as black and white as it seams....
Similar threads
