Ramblings

Introspective narcissism since the 2000s.

antimalware_software

Differences

antimalware_software [2026/05/29 06:24] ultracomfyantimalware_software [2026/05/29 17:22] (current) ultracomfy
Line 85: Line 85:
 There is a pervasive myth that common sense plus Windows Defender are enough to keep you safe. Or that Windows Defender is as safe or safer than other products on the market. Safety, of course, is measured in risk, and the only truth here is that different combinations of precautions lead to different levels of //risk//. But still, the idea is that common sense plus Windows Defender is enough for the risk to be "low enough" for these people. There is a pervasive myth that common sense plus Windows Defender are enough to keep you safe. Or that Windows Defender is as safe or safer than other products on the market. Safety, of course, is measured in risk, and the only truth here is that different combinations of precautions lead to different levels of //risk//. But still, the idea is that common sense plus Windows Defender is enough for the risk to be "low enough" for these people.
  
-Maybe. In fact, that’s the setup I personally rely on. But the problem is that common sense is empty advice and, for much of its history, Windows Defender was genuinely terrible. The people who say “Common Sense + Defender” today are the same people who once said “just common sense.” The only real shift is that now we’re debating Defender itself. +Maybe. In fact, that’s the setup I personally rely on. But the problem is that common sense is empty advice and, for much of its history, Windows Defender was genuinely terrible. The people who say “Common Sense + Defender” today are the same people who once said “just common sense.” 
  
 Defender has been a properly horrible antimalware product for the longest time. Keeping a signature list of known malware is the most basic form of antimalware and any respectable antivirus product should ace this //by default//. However, Defender consistently missed well-known, widely publicized malware, including samples that were years old. Back then, tests showed detection rates around ~70% (([[https://www.youtube.com/watch?v=iWL9cHgYfRw|The PC Security Channel - Windows Defender vs Malware in 2021]], retrieved on 29.05.2026)), while products like Kaspersky or Bitdefender hit 98%. Despite that, people insisted Defender was “good enough", indicative of a complete lack of understanding of risk management or cybersecurity. Defender has been a properly horrible antimalware product for the longest time. Keeping a signature list of known malware is the most basic form of antimalware and any respectable antivirus product should ace this //by default//. However, Defender consistently missed well-known, widely publicized malware, including samples that were years old. Back then, tests showed detection rates around ~70% (([[https://www.youtube.com/watch?v=iWL9cHgYfRw|The PC Security Channel - Windows Defender vs Malware in 2021]], retrieved on 29.05.2026)), while products like Kaspersky or Bitdefender hit 98%. Despite that, people insisted Defender was “good enough", indicative of a complete lack of understanding of risk management or cybersecurity.
  
-Now, Defender has improved. It finally catches the obvious malware, its detection rates have climbed to around 95%, and it’s become a passable baseline product. Ironically, this means that people who were wrong for years are now accidentally right, but for the wrong reasons. Their logic hasn’t improved - the facts just shifted closer to their narrative.+Now, Defender has improved. It finally catches the obvious malware, its detection rates have climbed to around 95%, and it’s become a passable baseline product. Ironically, this means that people who were wrong for years are now accidentally right, but for the wrong reasons. Their logic hasn’t improved - the facts just shifted closer to their narrative. It's really annoying, because the people who think Defender is enough are often the same people who would never pass up an opportunity to talk about how terrible Microsoft products are. They genuinely despise Microsoft - and for good reason. But, all of the sudden, when it comes to the antivirus, they'll turn around and say that Defender is //great//, because it's an OS level antivirus. Somehow, the possibility that Defender is deeply broken and dysfunctional because, well, it's a Microsoft product, just doesn't enter their mind. And of course it doesn't, because they don't care that much about the actual protection Defender provides. In their mind, //you// are the antivirus and Defender is a nice to have. Obviously, under these conditions it really doesn't matter whether it has a 95% detection rate like it has these days, or a 60% detection rate like back in the olden days.
  
-Even soDefender still has major shortcomings. Its scanning is largely signature-based, with minimal static analysis and weak behavioral detection. There’s some anti-ransomware with protected folders, but it has questionable reliabilityIt's actually worse - A single shell command can disable it completely, delete Defender'its signature definition files, or set the whole PC as an exception. Registry tweaks and group policy edits allow malware to bypass it. And these are //not// obscure attacks - they’re widely known in the cybersecurity community. Most of these exploits still exist and properly advanced malware //will// get through.+And yeahit doesn't perform well. Its detection is largely signature-based, with minimal static analysis and weak to non-existent behavioral detection. There’s some anti-ransomware with protected folders, but it is unreliableProtected Folder Access can be bypassed by malware using a single shell command. Defender does also not provide any resistance to malware that deletes Defender's signature definition files. It is even possible for malware to just set the whole PC as an exception. Registry tweaks and group policy edits allow malware to bypass it and, worst of all, none of the attack vectors I just named require any kind of privilege escalation or user input (beyond running the malware sample of course). And finally, these are //not// obscure attacks - they’re widely known in the cybersecurity community. Most of these exploits still exist and properly advanced malware //will// get through
 + 
 +Lastly, I would like to address a point made about Defender that supposedly sets it apart from other security vendors. I am not going to explain what these terms mean and my response I meant for the kind of people who don't need these terms explained to them. Some supporters of Defender suggest that, because it is "OS level" or even "kernel level", that it makes it a more tamper resistant and potent antimalware product. 
 + 
 +Now, it is true that Defender is "OS level" and "kernel level", but you may be surprised to heart that this does not mean very much. Let's disregard the fact that Defender is just a poor product and is easy to tamper with, with or without OS protection. Even if it was properly programmed software that couldn't just be bypassed by well known bypasses that have been around for years... Windows offers an API that lets other antimalware register themselves as a security vendor inside of your machine. Using this integration, third party security software can get largely similar access to protections as Defender((Some keywords here are PPL and ELAM.)). However, as far as tamper protection is concerned, third party vendors have been able to protect their own resources for a long time now. 
 + 
 +That brings us to the "kernel level" argument for Defender. I suspect that people misunderstand what a "kernel" is and how they are treated in the real world. Any respectable antivirus product from the last two decades that offers "real-time protection" does so, in part, by scanning the memory and activities of active processes on the machine. The antivirus has kernel level access. That's part of behavioral protection, as detailed earlier. Kernel level access has been employed in endpoint protection ever since and Defender is not special by using it. This is why the whole "OS level" idea doesn't make a lot of sense anyway. When you have kernel level, you //have// OS level.
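Review bot: the sentence added to the shortcomings paragraph, which states that none of the named bypasses (disabling the protected-folders feature with a shell command, deleting definition files, excluding the whole PC, registry and Group Policy edits) require privilege escalation or user input, is asserted without a reference, while the detection-rate figures in the preceding paragraph do carry a citation; exclusion changes, definition-file deletion and policy edits are administrative operations on a default Windows install, so either add a source or qualify the claim to malware already running with elevated rights, and say whether Tamper Protection was enabled in the tests being relied on. Two smaller points in the same revision: the ransomware feature is named Controlled Folder Access, not "Protected Folder Access", and the new closing paragraphs carry typos ("surprised to heart" for "surprised to hear", "my response I meant for" for "my response is meant for", "all of the sudden" for "all of a sudden") plus a dangling "..." after "years" that should be a full stop.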
antimalware_software.txt · Last modified: by ultracomfy
