App Review Windows Defender vs Ransomware 2024 (TPSC)

[Andy Ful]

The "gang bang" approach can be a valid test method if the author mentions that the video is a special stress-kind test. The results of such a test can hardly impact overall protection and it should be mentioned in the test.
Of course, the stress test with ransomware does not make any sense. It should be done on general malware samples or even better on "monster installer" samples (if such exists in considerable numbers).

Even such a test would not be a challenging stress-kind for AVs. To make it more interesting one could use the known samples, but slightly modified to get new signatures without changing the malware behavior. That can be done in several ways. In my tests with WDAC ISG, I used known samples and modified the samples by only one letter in a particular text string. I noticed that in many cases Defender suspends the execution of such files and shows the well-known alert :

or

Execution of many such files at once can be a problem for Defender and other AVs.

 

[blackice]

Defender's low performance in the last AV-Comparatives test mostly follows from archiving/unarchiving. So, most users will not see the difference. Some users can feel the difference, but the reasons are unclear and this can happen also for other popular AVs. On one of my computers, Avast has slightly better performance than Defender.

View attachment 281989

Edit.
In older performance tests, Defender had lower performance related to file copying and installing applications. Also in these cases, many users will not see slowdowns in daily work.
For average users, the important performance factors are:
Launching Applications, Downloading Files, and Browsing Websites.
Those factors are related to 99% of daily actions.

I would also note two more things. People will probably notice more of a performance hit in certain situations from processor flaw security mitigations (like Spectre). Also, because of continual updates to the OS and processor microcode, as well as UEFI, I can't compare old results to current results. I'd have to retest everything. I'm kind of done with that. I don't have time to reimage multiple times like I used to. Thankfully I don't often unarchive anything large, when I do it seems snappy enough. I archive files even more rarely.

 

[monkeylove]

Honestly I probably deleted the screenshots because they had served their purpose of my own personal information gathering. My comment was anecdotal. But as a long time user of Microsoft Defender I have not seen the impact they show. I know certain developers do see severe IO issue. That’s not something I ever do. Opening apps, startup, and most daily tasks are pretty much the same with any solution I’ve tried. When Avast/AVG was rated as very low impact by AV-Comparatives I saw an approximate 8% worse performance in CPU intensive tasks like handbrake, or benchmarking like Cinebench. The only security software I have experienced that was demonstrably lighter on CPU load was ESET, and that was about 2%. That’s with a fairly modern 8 core 16 thread processor. Laptops or less powerful desktops might see much higher impacts. Again I was giving my experience from memory. I’m not trying to convince you of anything, just noting that I have found the AV-Comparatives performance metrics mostly useless for my use case.

I don't see the logic in claiming that AV-Comparatives results are mostly useless given recalled anecdotes.

 

[monkeylove]

I am afraid that It would be an invalid method. Defender (and some other AVs) can miss a sample for several reasons (not necessarily due to "gang bang"), but the detection can be sometimes corrected after a few minutes. So when you test the samples missed in the first test, some of them will be correctly detected even when "gang-bang" was not the reason for initial failure.
A better method would be to test initially all samples in default mode, and then use the "gang-bang" test on correctly detected samples.

Sometimes can, and after a few minutes. That doesn't sound convincing.

 

[blackice]

I don't see the logic in claiming that AV-Comparatives results are mostly useless given recalled anecdotes.

That’s fine. I’m just saying I have seen no difference in speed of opening apps, transferring files, FPS in games, CPU benchmarks, or better yet actual Handbrake performance with Defender vs the 4-5 other solutions I’ve personally tried. If I had I would definitely be finding the best for my use case. If you see it slow things down then I can understand why you would find something else more efficient. In my experience AV-Comparatives performance ratings were not helpful.

 

[ForgottenSeer 107474]

Same here, this week I played with a few AV's (MBAM, AVAST, Bitdefender free) because I use WHHL and read in an old thread (posted by a ForgottenSeer) that it might have benefits to use a different AV (than MD) when using the whitelisting of WDAC-ISG. I honestly felt no difference on my laptop (I did not measure anything so it is only the impression, not based on hard data).

With Avast I had to disable DLL protection of MD's exploit protection (only allowing M$ signed dll's in M$ userland processes is something which I value highly), Bitdefender to often told me it blocked something (for example Github and even streaming TV connections of Ziggo/UPC) because of suspicious certificates and I really liked MBAM V5, but it did poor in Cruel Sister's test, so I returned to Defender again.

Anyway Defender on MAX with WHHL adding WDAC-ISG and SRP blocking risky file extensions, I think I am well protected considering I am not a risky surfer and have recently added only one (1) program in the last four years (WinOptimiser25 full version freebie posted in MT giveaway's thread).

 

[SeriousHoax]

Administrator rights are required, so it is not so easy on SUA.

I ignore the administrator requirement part because Windows comes with admin account by default and if a user think they are running a legit program, then they'll click yes to the UAC prompt anyway. Also, there are users like me who would never switch to SUA unless MS forced users to do so.

Anyway, I think that it should be an option in Tamper Protection to disable adding exclusions. In this way, the exclusions would be protected and the user could still add some exclusions after disabling Tamper Protection temporarily.

Yeah, that's what we want. I find it odd that they haven't made this possible yet.

@Andy Ful I went ahead and submitted your feature request. All MT members are encouraged to upvote this on the Feedback Hub, FWIW.

Nice

 

[monkeylove]

That’s fine. I’m just saying I have seen no difference in speed of opening apps, transferring files, FPS in games, CPU benchmarks, or better yet actual Handbrake performance with Defender vs the 4-5 other solutions I’ve personally tried. If I had I would definitely be finding the best for my use case. If you see it slow things down then I can understand why you would find something else more efficient. In my experience AV-Comparatives performance ratings were not helpful.

I've read other tests, and the results were similar; it's the same in my case, for both a Win 10 machine that's seven years old and a Win 11 PC that's two months old. Recently, using NovaBench (the higher the score the better):

Kaspersky - 2494
Windows Security - 2467
Windows Security with Core Isolation, etc - 2218

That's besides perceived slowdowns when I load the browser, etc.

 

[Templarware]

Yup. If you're a gamer, you really should disable core isolation.

 

[monkeylove]

I ignore the administrator requirement part because Windows comes with admin account by default and if a user think they are running a legit program, then they'll click yes to the UAC prompt anyway. Also, there are users like me who would never switch to SUA unless MS forced users to do so.

Yeah, that's what we want. I find it odd that they haven't made this possible yet.

Nice

That's what I mean: when the UAC prompt was on, I became increasingly annoyed and eventually gave up and used TweakUAC to set it in quiet mode. It's the same problem I have when using a non-admin account.

It's worse for friends and relatives who are novices (as in, they don't notice even indicators in the system tray), as they kept complaining about it.

I'm aware that security risks go up, but similar happens when one wants more features, use advanced hardware, etc.

 

[monkeylove]

Yup. If you're a gamer, you really should disable core isolation.

I think it has to be turned off given virtualization in some third-party security programs, anyway. And some of them have a gaming mode.

 

[blackice]

I’ve never turned on core isolation. It seems to cause more problems than it’s worth. 2494 and 2467 are within margin of error. Core isolation is clearly a deal breaker.

 

[SeriousHoax]

I think it has to be turned off given virtualization in some third-party security programs, anyway. And some of them have a gaming mode.

I know Kaspersky use their own hypervisor which is required for some specific malware detection functions, but not aware of other security programs using something like this. Just as I was writing this I remembered, Avast uses hardware assisted virtualization (default but optional) for CyberCapture but that is a very different thing from Kaspersky's hypervisor. Personally, I think if you have a PC with very high config, then you should enable it, especially if you're not using Kaspersky.

 

[Kongo]

I'd call myself a gamer and never had any issues with core isolation

 

[Freki123]

I'd call myself a gamer and never had any issues with core isolation

Same here. Yes core isolation takes a bit of extra time to start everything but as long as it afterwards runs with a speed that is ok for me I will just stick with it.

SUA fun/problems may depend on the type of software that is used. For my usage after I installed stuff under the admin account it works like 90+% flawless under SUA. Biggest problems: devs doing strange ways to install/revoke licenses for paid software and niche games that had wanted adminright (e.g Swtor). UAC set to max.

Is SUA a bit more work with switching accounts? Yes but it forces me to rethink when I install stuff what I am doing (logging out of SUA, logging into Admin).

 

[Templarware]

I'd call myself a gamer and never had any issues with core isolation

Nobody said anything about issues. It just gives you less fps. If you're not informed, you're not aware.

 

[Moonhorse]

Nobody said anything about issues. It just gives you less fps. If you're not informed, you're not aware.

Gives less fps on lower hardware, but really not issues with high end rigs, its dependant on the setup you have

 

[Kongo]

Nobody said anything about issues. It just gives you less fps. If you're not informed, you're not aware.

@blackice was definitely talking about issues related to core isolation

 

[Shadowra]

I'll make a video to counter his.
(later this month, I don't have any 0-day Ransomware at the moment)

 

[blackice]

Maybe worth a revisit. It’s been over a year since I tried it. FPS can be deal breaker issue for me.