App Review Windows Defender vs Ransomware 2024 (TPSC)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
The PC Security Channel
monkeylove

monkeylove

Level 13
Verified
Top Poster
Well-known
Mar 9, 2014
617

Options to Optimize Gaming Performance in Windows 11 - Microsoft Support

support.microsoft.com support.microsoft.com
Windows provides choice and control for users to configure their PCs to meet their specific needs, including the ability to turn Windows features like Memory Integrity and VMP on and off. Gamers who want to prioritize performance have the option to turn off these features while gaming and turn them back on when finished playing. However, if turned off, the device may be vulnerable to threats.
Click to expand...
 
  • Like
Reactions: Dave Russo and simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
laython said:
It does not protect well against zero hour malware,
Click to expand...

I am afraid that there are no such tests for any AV. In known Real-World tests, there are some 0-day samples (but not zero-hour). The rest are 1-day or even a few days old malware. If I correctly recall, about 2/3 of samples in the wild can be 0-day malware. But when tested in the lab, the ratio can rapidly drop with any hour (many 0-day samples became dead or 1-day samples). If the test is done one time a day, the ratio can drop probably to one 0-day sample per 10 samples.

laython said:
and fails utterly against banking trojans
Click to expand...

That is true, but only if the banking trojan is run in the already infected environment. Such a scenario is probable in Enterprises via lateral movement. At home, the banking trojans are delivered by other malware types that are well-detected. So, the chances of banking trojan infection are very small (combined chances of initial_malware_infection * chances of banking_trojan_infection).

laython said:
Anything beyond normal attacks and it is more probable that Microsoft Defender will fail to protect a system. This is confirmed by testing by MRG Effitas and AVLab.
Click to expand...

That is more or less true for a free version (similarly to other free AVs), but I would not say that it is confirmed by MRG Effitas and AVLab.

MRG Effitas (360° Protection) does test only the business versions. It can confirm that Defender Antivirus Enterprise is an average protection layer against malware simulation on the already infected system (not good in the Banking Simulator Test) and as good as the top solutions in other banking tests (Real Botnet Test and Financial Malware Test). The overall protection against banking malware is better than Trend Micro Security and Avira Antivirus Pro.

The AVLab testing procedure is somewhat flawed for Microsoft Defender, because the "Block at first sight" feature does not work properly. It is rather a custom protection level (different from the real protection) used as a reference for other tested AVs.
Anyway, the results of the last test in January 2024 (2 missed samples) would be probably the same as with a fully functional "Block at first sight. The missed samples are legal PUAs (XMRIG, ReksFN) and Defender was tested with disabled PUA protection. Those PUAs were probably used as payloads and abused by initial malware. It is not clear if AVLab tested also the initial malware, if so then they were detected and Defender might score with 100% protection in the wild.

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

I can confirm from my experience, that Defender can miss some legal adware and PUAs even when PUA protection is enabled.
 
Last edited:
  • Like
  • Thanks
  • +Reputation
Reactions: Dave Russo, Game Of Thrones, roger_m and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
laython said:
Most users are not going to employ a utility to tweak Microsoft Defender so the rationale, at least for Windows Home, is to test Defender at 100% defaults.
Click to expand...

"Block at first sight" is a default setting of Microsoft Defender free. It does not work properly in AVLab tests because of a specific testing procedure. This topic was discussed a few times on MT.

laython said:
Is MD a decent baseline when considering security from a general perspective? Sure it is. Is it good enough? That depends to a large extent upon the person using the system.
Click to expand...
I think so. (y)
 
  • Like
  • +Reputation
Reactions: Dave Russo, oldschool and simmerskool
L

likeastar20

Level 9
Verified
Mar 24, 2016
423
SeriousHoax said:
I know Kaspersky use their own hypervisor which is required for some specific malware detection functions, but not aware of other security programs using something like this. Just as I was writing this I remembered, Avast uses hardware assisted virtualization (default but optional) for CyberCapture but that is a very different thing from Kaspersky's hypervisor. Personally, I think if you have a PC with very high config, then you should enable it, especially if you're not using Kaspersky.
Click to expand...
@Trident Any knowledge on this? Or is it used only for safe browsing?
 
  • Like
Reactions: roger_m, Dave Russo, simmerskool and 2 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,868
likeastar20 said:
@Trident Any knowledge on this? Or is it used only for safe browsing?
Click to expand...
Not for/not just for safe browsing.
Before moving on we should note a different approach taken by Kaspersky to hook the kernel it made use of its own hypervisor.
This comes with several downsides as it requires virtualization support
Click to expand...
I found this info in this endpoint test. At that time, I even saw their interview on YouTube after the test was released. A University professor and his student if I remember correctly:


Also, there is this demo and probably others too using Kaspersky's hypervisor to hook system calls:
github.com

GitHub - iPower/KasperskyHook: Hook system calls on Windows by using Kaspersky's hypervisor

Hook system calls on Windows by using Kaspersky's hypervisor - iPower/KasperskyHook
github.com github.com
 
  • Like
  • +Reputation
Reactions: roger_m, Sunshine-boy, Dave Russo and 4 others
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Kaspersky hypervisor to my knowledge is not used in malware detection because kaspersky does not have a sandbox. The hardware assisted virtualisation in Avast is used for the sandbox and on the foundation of the sandbox steps DeepScreen that runs the app sandboxed for certain period of time, which is part of the Cyber Capture routine.
It prevents sandboxed apps from accessing non-sandboxed regions or simply said “escaping the sandbox”.

Kaspersky does use dynamic emulator but this emulator, like all other vendors, lives in the memory space, in user mode, which means it will not require hypervisor. Furthermore, most of the vendors’ dynamic emulators are ephemeral and go away when there is nothing more to emulate.

The Kaspersky hypervisor is used mainly to isolate the browser from the rest of the system and to protect it from injection, from what Kaspersky explains in documentation. It is possible to find other uses for the code (it allows kernel access after all) but Kaspersky does not seem to be using it for malware detection.
 
  • Like
  • +Reputation
Reactions: roger_m, Dave Russo, SeriousHoax and 4 others
zidong

zidong

Level 2
Jul 15, 2024
69
Moonhorse said:
Gives less fps on lower hardware, but really not issues with high end rigs, its dependant on the setup you have
Click to expand...
In CPU intensive games Memory Integrity affects performance a lot. I guess that Kaspersky Hardware Virtualization affect performance too, but AV-Comparatives and others independent organization wouldn't mention that.
 

Attachments

  • Screenshot (4).png
    Screenshot (4).png
    748.3 KB · Views: 50
  • Screenshot (5).png
    Screenshot (5).png
    829.3 KB · Views: 46
  • Screenshot (6).png
    Screenshot (6).png
    3.4 MB · Views: 36
  • Screenshot (7).png
    Screenshot (7).png
    3.2 MB · Views: 34
  • Screenshot (8).png
    Screenshot (8).png
    3.3 MB · Views: 33
  • Screenshot (9).png
    Screenshot (9).png
    4.4 MB · Views: 38
  • Screenshot (10).png
    Screenshot (10).png
    4 MB · Views: 34
  • Screenshot (11).png
    Screenshot (11).png
    3.8 MB · Views: 42
  • Like
  • Thanks
Reactions: roger_m, Sunshine-boy, Dave Russo and 2 others

Similar threads

NB InfoTech
    • Like
App Review Want to try? | Comodo Antivirus Test & Review | Comodo Internet Security vs Ransomware | 2024
Replies
4
Views
490
Video Reviews - Security and Privacy
bazang
bazang
L
    • Like
App Review Windows Defender Controlled Folders bypassed by ransomware
Replies
1
Views
415
Video Reviews - Security and Privacy
oldschool
oldschool
NB InfoTech
    • Like
App Review PC Matic Home Review | PC Matic Home Security Antivirus vs Ransomware | 2024
Replies
4
Views
800
Video Reviews - Security and Privacy
Dave Russo
Dave Russo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top