MS Defender just gained confidence. See:
In a test involving real attack scenarios, 26 protection solutions for consumer users and corporate users demonstrate their performance. In the series of Advanced Threat Protection tests, the lab investigates how successfully the products protect against ransomware. Each step of the malware...
malwaretips.com
Now it seems I can't trust it anymore.
Leo knows it. He was surprised that one sample managed to compromise Defender's online protection.
Anyway, the AV-Test test is very different from this presentation. Here is an important difference:
[..] All the products have to successfully defend against ransomware in 10 real-life scenarios under Windows 10. The test involves threats such as files containing hidden malware in archives, PowerPoint files with scripts or HTML files with malicious content.
[..] The following images show the performance of Defender for home users in the 10 tested scenarios. Defender was able to detect the infection in the very first initial access phase in all but one case.
The above fragments are from the AV-Test. They mean that Defender was able to stop the ransomware attacks in the real-life scenario by blocking the attacks mostly at the initial stage. This usually happens when the malicious or suspicious actions of the weaponized documents, scripts, etc. are detected/blocked before the ransomware executable can be delivered or executed. In Leo's test, the initial stage is skipped, because such tests are not related to the real-life scenario. The tests with many EXE files cannot be interpreted in the context of real life - they are more appropriate for the Enterprise scenario, where the environment is already compromised and ransomware is delivered/executed by another malware.