App Review Windows Defender vs Ransomware 2024 (TPSC)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
The PC Security Channel

monkeylove

Level 13
Verified
Top Poster
Well-known
Mar 9, 2014
609
I have never seen any sort of slowdown that those reports ever show. That's why I'm curious.

You can find out by running benchmarking software and doing things like running apps or browsing folders with lots of files in external drives. In my case, Kaspersky is usually the lightest and Defender the heaviest, with the rest in between. YMMV.

Methodology, etc., for one test:

 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,545
Although Leo's "video tests" are among the best AV reviews, I am afraid that they have nothing to do with real protection.
The "video test" results are usually much better compared to real attacks. The crucial detection problem follows from 0-hour malware, fileless methods, and loaders (droppers). Those factors are mostly ignored in Leo's "video tests". In a real attack, the ransomware is usually a payload delivered by another malware (like a loader). The loader usually does not execute ransomware in a standard way as a child process, but uses advanced/stealthy methods that are much harder to detect.

So, the real protection follows from detecting the malware types and execution methods mostly skipped in Leo's tests. :confused:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,545
So in other words he finds another way to bash Defender :)

He usually underestimates the Defender's protection, but when you take this video as a presentation (not a real test), the results are probably OK.
Of course, the presentation does not prove anything except the author's beliefs, but a good presentation can show some real aspects/problems.
In other words, if we want to show that Defender can be improved by tweaking, then it must miss on default settings one sample or more. :)
 
Last edited:

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,487
Tools like ConfigureDefender, DefenderUI, even Hard_Configurator are excellent examples that Microsoft really cares about security, but just doesn't deploy it natively, probably to avoid user confusion or users having to deal with blockings...
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,864
That one miss wouldn't have happened if he manually ran each sample one by one. So, it's nothing to do with increasing Defender's protection. The gangbang approach is a faulty method as we have discussed before. In a perfect scenario of course, Defender should have stopped that ransomware since they already have signatures for it. So, it's a strange behavior to miss that because products like Avast, Bitdefender, ESET, Kaspersky, etc. don't miss detecting samples for which they already have local signatures. But since this testing method is not a real-world scenario, we can somewhat ignore it. Defender have other dangerous issues like malware adding exclusions to it.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
That one miss wouldn't have happened if he manually ran each sample one by one. So, it's nothing to do with increasing Defender's protection. The gangbang approach is a faulty method as we have discussed before. In a perfect scenario of course, Defender should have stopped that ransomware since they already have signatures for it. So, it's a strange behavior to miss that because products like Avast, Bitdefender, ESET, Kaspersky, etc. don't miss detecting samples for which they already have local signatures. But since this testing method is not a real-world scenario, we can somewhat ignore it. Defender have other dangerous issues like malware adding exclusions to it.
Yeah I was thinking flooding the cloud signatures with requests probably lead to it going past the timeout window. With a good internet connection the 10 second timeout should be sufficient for most people who come across malware.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,864
Yeah I was thinking flooding the cloud signatures with requests probably lead to it going past the timeout window. With a good internet connection the 10 second timeout should be sufficient for most people who come across malware.
Yeah, that happens but in this case, Leo tested old samples. So pretty sure that the signature for that ransomware was already present locally. So, the issue is a bit different. Maybe it gets overwhelmed by all that malware at once and let one or two slip away sometimes. This doesn't happen with all products.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,864
I know these continue to come up and get fixed, but I thought this wasn't an issue on W11 and fixed on W10 right now?
Tamper protection has become stronger but from what I see, that doesn't cover exclusions. So, exclusions can still be added on Windows 11 systems. If such malware can bypass Defender's pre-execution static analysis, then it can't stop them from adding exclusions to it. Even some legit programs do this to avoid performance impact.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top