Ramblings

Introspective narcissism since the 2000s.

antimalware_software

Differences

This shows you the differences between two versions of the page.

antimalware_software [2026/05/29 05:55] ultracomfy
antimalware_software [2026/05/29 17:22] (current) ultracomfy
Line 14: Line 14:
 ====== How protection works ====== ====== How protection works ======
 ===== 0. Basics ===== ===== 0. Basics =====
-In general, the objective of an antivirus is to (1) prevent malicious code from ever executing on your system in the first place or, failing that, to (2) terminate a process if it is deemed to be malicious.+In general, the objective of an antivirus is to (1) prevent malicious code from ever executing on your system in the first place or, failing that, to (2) terminate a process if it is found to have done something malicious.
  
 ===== 1. Signature Detection ===== ===== 1. Signature Detection =====
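Review bot: the reworded clause (2) in the Basics line, "terminate a process if it is found to have done something malicious", now implies the damage is already done before the antivirus acts, which is at odds with section 4 below, where the product "will notice and shut that program down" when it "starts encrypting files" or "does funny things with your boot configuration", i.e. on observed behaviour while it is happening. Suggest "if it is observed doing something malicious" so the two sections describe the same thing.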
Line 23: Line 23:
 Obviously, this is a (1) type of approach. Every time you want to run a program or open a file, the antivirus will check if the signature of that program or file matches with any of the signatures from its database. The advantages of this are overwhelming: Immunization on a massive scale. Once a malicious program is found, it is added to the list and within an hour the entire world can be immune against it, as your antivirus product will stop the execution of the program before it ever gets a chance. Obviously, this is a (1) type of approach. Every time you want to run a program or open a file, the antivirus will check if the signature of that program or file matches with any of the signatures from its database. The advantages of this are overwhelming: Immunization on a massive scale. Once a malicious program is found, it is added to the list and within an hour the entire world can be immune against it, as your antivirus product will stop the execution of the program before it ever gets a chance.
  
-Most of the cheap antivirus products on the market rely almost entirely on signatures. Windows Defender, for example, relies on cloud-based protection which is essentially just a very long list of known malicious file signatures. Extremely scalable, light on resources, it's great.\\+Most of the cheap antivirus products on the market rely almost entirely on signatures. Windows Defender, for example, almost exclusively relies on cloud-based protection which is essentially just a very long list of known malicious file signatures. Extremely scalable, light on resources, it's great.\\
 The downside, of course, is that to be protected from a piece of malware, you have to know about it in advance, at which point you might just check file signatures yourself. Still, there is value in automating that process and having a pool of millions of users and companies that can submit samples for a "crowdfunded" signature pool, curated by cybersecurity experts that can tell between real malicious and false positives. In the field of signature-based detections, good antivirus products and bad antivirus products differ only in the completeness of their signature database. More is better. The downside, of course, is that to be protected from a piece of malware, you have to know about it in advance, at which point you might just check file signatures yourself. Still, there is value in automating that process and having a pool of millions of users and companies that can submit samples for a "crowdfunded" signature pool, curated by cybersecurity experts that can tell between real malicious and false positives. In the field of signature-based detections, good antivirus products and bad antivirus products differ only in the completeness of their signature database. More is better.
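Review bot: "almost exclusively relies on cloud-based protection which is essentially just a very long list of known malicious file signatures" strengthens the previous revision's "relies on" without adding a source, and it does not square with what this page says later about Defender having "minimal static analysis", some "behavioral detection" and an "anti-ransomware with protected folders" feature, all of which are non-signature components. Either keep the weaker wording or cite a test that isolates the signature component; the only reference on the page (the 2021 PC Security Channel video) reports a detection rate, not what the detection is based on.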
  
Line 30: Line 30:
 However, until a signature is known to be malicious, a signature-based approach will //not// stop a malicious program((Windows Defender is already checking out at this point, because it has almost nothing to offer beyond signatures.)). This is, however, not a reason to dismiss signature-based detection, or antiviruses as a whole. //Most malicious files are known//. You, as an individual, are unlikely to run into a piece of software that isn't already on someone's signature list. Yes, unknown malware not yet in someone's signature list exists, but on the internet it is vastly, //vastly// outnumbered by software we already know is malicious. On the internet, malware can easily linger, sometimes for months, sometimes for years. I'm sure the malicious [[Minecraft]] 1.6.4 Portal mod that I downloaded back then can still be downloaded today, and that's been over 10 years ago! And sure, nobody still downloads mods for Minecraft 1.6.4, but the point is that files that old are still making their rounds today. It can be 10 years, it can be 1 year, it can be a month or barely even a day - in cybersecurity terms these are all old files. Detections roll in very, very quickly (we are talking hours), and mass immunization //is// a valid tool against malware. However, until a signature is known to be malicious, a signature-based approach will //not// stop a malicious program((Windows Defender is already checking out at this point, because it has almost nothing to offer beyond signatures.)). This is, however, not a reason to dismiss signature-based detection, or antiviruses as a whole. //Most malicious files are known//. You, as an individual, are unlikely to run into a piece of software that isn't already on someone's signature list. Yes, unknown malware not yet in someone's signature list exists, but on the internet it is vastly, //vastly// outnumbered by software we already know is malicious. On the internet, malware can easily linger, sometimes for months, sometimes for years. 
I'm sure the malicious [[Minecraft]] 1.6.4 Portal mod that I downloaded back then can still be downloaded today, and that's been over 10 years ago! And sure, nobody still downloads mods for Minecraft 1.6.4, but the point is that files that old are still making their rounds today. It can be 10 years, it can be 1 year, it can be a month or barely even a day - in cybersecurity terms these are all old files. Detections roll in very, very quickly (we are talking hours), and mass immunization //is// a valid tool against malware.
  
-Critics will harp on and on about "Zero-Days", with which they mean "malware that isn't yet detected" as if that was the only thing out there. Yes, undetected malware is a thing, but for the home user that signature list is still extremely valuable. You are much, //much// more likely to run into malware already in someone's signaturesas opposed to something unknown. But even then, signature-based detection is not the only way to defend against malware.+Critics will harp on and on about "Zero-Days", with which they mean "malware that isn't yet detected" as if that was the only thing out there. Yes, undetected malware is a thing, but for the home user that signature list is still extremely valuable. A good signature list is basically like a vaccine that makes you immune to 98% of known pathogens. Undeniablya strong first line of defense. But even then, signature-based detection is not the only way to defend against malware.
  
 ===== 2. Static Analysis ===== ===== 2. Static Analysis =====
-Back to the start. We are an antivirus product. We are trying to protect the user from malicious code. The user is attempting to open a program. We stopped that attempt for nowbecause before we let a program execute we want to make sure that it is safe. So, the first thing we did was to run the program against our signatures. That test comes back negative. Well, cool, this means that we haven't already confirmed this program to be malicious - but that does not mean that it is //not// malicious. We only know that we don'already know about its maliciousnessWhat do we do now?+Back to the start. We are an antivirus product. We are trying to protect the user from malicious code. We have our signature list and we're using it. Imagine now that the user is trying to open a program. Of coursewhat we do is we first halt the execution process and wait to check whether that program is in our signatures. If it is not then that's a good sign, but it doesn'guarantee that the program is safe to use.
  
-The next step is to take an actual look at the program. Our list is a quick and easy way to rule out known offenders before having to put in any actual work, but now that this is not a known offender, we have to make sure it isn't an offender at all. The way to do this is by taking the program apart and look inside, see what they are programmed to do. The difficulty here is to distinguish between actually malicious acitivity and activity that just looks funny. The problem with malware is that they do things that in principle could also be done by non-malicious software. Uploading your login credentials/cookies to a server is what a password manager might do. Encrypting your files is just normal and otherwise valid cryptography, but used against you. Any kind of action that is evil in this context can be friendly in any other context. An action can never be inherently tied to malice, and it is the job of an antivirus to make an educated guess based on the information available to it. Of course, sometimes it's quite obvious: Does the program use any known exploits? Does it want connect to any server infrastructure that we already know is controlled by bad actors? That information can sometimes be numerous and paint a very clear picture (that's the easy ones), but more often than not they're sneaky and make it look like their program is just "one of those programs". Creating a tool that can determine this without human oversight is hard. But - at the end you will have a tool that is capable of detecting malwareeven if it is previously unknown. No signatures.+The next step is to take an actual look at the program. Our signatures are a quick and easy way to rule out known offenders before having to put in any actual work, but now that this is not a //known// offender, we have to make sure it isn't an offender at all. The way to do this is by taking the program apart and look inside, see what they are programmed to do. 
The difficulty here is to distinguish between actually malicious acitivity and activity that just looks funny. The problem with malware is that they do things that in principle could also be done by non-malicious software. Uploading your login credentials/cookies to a server is what a password manager might do. Encrypting your files is just normal and otherwise valid cryptography, but used against you. Any kind of action that is evil in this context can be friendly in any other context. An action can never be inherently tied to malice, and it is the job of an antivirus to make an educated guess based on the information available to it. Of course, sometimes it's quite obvious: Does the program use any known exploits? Does it want connect to any server infrastructure that we already know is controlled by bad actors? That information can sometimes be numerous and paint a very clear picture (that's the easy ones), but more often than not they're sneaky and make it look like their program is just "one of those programs". Creating a tool that can determine this without human oversight is hard. But - and that's the really cool thing about this - at the end you will have a tool that is capable of detecting malware **even** if it is previously unknown. No signatures.
  
 But, if that fails, we still have one more tool in our arsenal: Comparison. Malware is often changed only slightly, which leads to a myriad of different "strains" that, ultimately, are still the same piece of malware, just slightly altered. Authoring a completely new type of malware would not only take, well, authoring a novel piece of malware, it would also mean finding and then using a new attack vector. But these are limited. There are only so many vulnerabilities open at any time before new ones are found and the old ones are closed. This means that most malware is most often just a "strain" of already known malware, just slightly altered, which means their programming will be similar.\\ But, if that fails, we still have one more tool in our arsenal: Comparison. Malware is often changed only slightly, which leads to a myriad of different "strains" that, ultimately, are still the same piece of malware, just slightly altered. Authoring a completely new type of malware would not only take, well, authoring a novel piece of malware, it would also mean finding and then using a new attack vector. But these are limited. There are only so many vulnerabilities open at any time before new ones are found and the old ones are closed. This means that most malware is most often just a "strain" of already known malware, just slightly altered, which means their programming will be similar.\\
 We can use this to our advantage. If we can't find anything in the program that is obviously malicious, we can just check if the program is generally similar to other programs we already know are malicious. We can use this to our advantage. If we can't find anything in the program that is obviously malicious, we can just check if the program is generally similar to other programs we already know are malicious.
  
-The advantage to this approach is that it can get a pretty good insight into what a program may do without loading it into memory yet. This is critical because conventional malware can remain dormant on disk without causing harm; it is when it is loaded into memory (be it through the user executing it, or because of a scheduled task or through an autorun entry) that it starts doing malicious things. Analysing software without loading it into memory lets us look at the program without worrying too much.+All of this is called //Static Analysis//The advantage to this approach is that it can get a pretty good insight into what a program may do without loading it into memory yet. This is critical because conventional malware can remain dormant on disk without causing harm; it is when it is loaded into memory (be it through the user executing it, or because of a scheduled task or through an autorun entry) that it starts doing malicious things. Analysing software without loading it into memory lets us look at the program without risking getting infected.
  
 ===== 3. Sandboxing ===== ===== 3. Sandboxing =====
-In cybersecurity terms, a sandbox refers to a protected virtual environment segmented off from the rest of the system, filled with all the sand imaginable but, ultimately, constrained to the sandbox. The box part here is the important partas it means that nothing from inside that box can get out. Criticallythis means a sandboxed program cannot access your dataThis makes it perfect as a testing ground - throw a software sample in there and let it do its thingObserve its behaviorDoes it do anything scary?+In cybersecurity terms, a sandbox refers to a protected virtual environment segmented off from the rest of the system, filled with all the sand imaginable but, ultimately, constrained to the sandbox. Basically, it's a simulated environment in which programs can freely run //as if// it was running on your machinewithout actually running on your machineWell, of course it is running "on your machine", but it's sequestered away in a protected environmentThe goal of doing this is to just.. observe. If we //let// the program run, would it do anything objectionableThe sandbox offers the advantage of testing out a program without the risk of infection((Yes yes I know actually making sure your samples don't escape the sandbox is a whole different story.)).
  
-Static analysis is the analysis of a program as it sits on disk - statically. Static analysis is limited by programming restraints - reverse-engineering an entire program is extremely resource-intensive, if possible at all, so the insight you can gain from it is limited. But now we are working with a live sample and can observe its behavior as it unfolds. When you actually just run the program and let it do its thing, you can log virtually everything it does. The cool thing is: if it does do anything malicious, its damage remains constrained to the sandbox and all data outside of the sandbox is safe.+Static analysis is the analysis of a program as it sits on disk - statically. Static analysis is limited by programming restraints - reverse-engineering an entire program is extremely resource-intensive, if possible at all, so the insight you can gain from it is limited. But in the sandbow we are now working with a live sample and can observe its behavioras it unfolds. When you actually just run the program and let it do its thing, you can log virtually everything it does. The cool thing is: if it does do anything malicious, its damage remains constrained to the sandbox and all data outside of the sandbox is safe.
  
 Sandboxing is already a standard in smartphones. On operating systems like Android and iOS, pretty much everything on those phones runs sequestered in individual sandboxes which can barely, if at all, interact. Since all damage is always limited to the scope of an application's sandbox, there is very little damage malware can cause on those platforms. The real threats on those platforms lies in hijacking otherwise friendly apps whose sandbox contains valuable data (your browser, for example) or socially engineering the user into doing the malicious thing themselves.\\ Sandboxing is already a standard in smartphones. On operating systems like Android and iOS, pretty much everything on those phones runs sequestered in individual sandboxes which can barely, if at all, interact. Since all damage is always limited to the scope of an application's sandbox, there is very little damage malware can cause on those platforms. The real threats on those platforms lies in hijacking otherwise friendly apps whose sandbox contains valuable data (your browser, for example) or socially engineering the user into doing the malicious thing themselves.\\
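Review bot: the argument in the "Comparison" paragraph that new malware "would also mean finding and then using a new attack vector" and that "there are only so many vulnerabilities open at any time" does not hold up against the page's own observation a few lines down that the real threat is "socially engineering the user into doing the malicious thing themselves"; a strain does not need a new vulnerability to be new. The conclusion the paragraph actually relies on is the one it ends with, "their programming will be similar", so suggest leading with code reuse (writing malware from scratch is expensive, so authors reuse and lightly modify existing code) and dropping the vulnerability-count reasoning. This revision also introduces "sandbow" for "sandbox", "behavioras it unfolds" for "behavior as it unfolds" and "doesn'guarantee" for "doesn't guarantee", and "called //Static Analysis//The advantage" is missing a full stop; "acitivity" and "Does it want connect to" were already there but should go with the same fix.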
Line 52: Line 52:
 Anyway, the point of sandboxing is to give a program room to do its things so we can see what it does. There is a problem though - if we sandbox every program the user wants to open, how much time do we want to sandbox before deciding that the program is OK? What if the malware is programmed to wait for a minute? This is not acceptable and makes it one of the major weaknesses of sandboxing. Additionally, lots of malware can recognize sandbox environtments, including [[Virtual Machines]], and will refuse to execute in them. This is a recognized sign in and of itself, but it still eats into the effectiveness of sandboxing as a detection tool. Of course, doing it like smartphones do - running everything in a sandbox by default instead of only using the sandbox for analysis - would still be really useful, but that is not where we are. Anyway, the point of sandboxing is to give a program room to do its things so we can see what it does. There is a problem though - if we sandbox every program the user wants to open, how much time do we want to sandbox before deciding that the program is OK? What if the malware is programmed to wait for a minute? This is not acceptable and makes it one of the major weaknesses of sandboxing. Additionally, lots of malware can recognize sandbox environtments, including [[Virtual Machines]], and will refuse to execute in them. This is a recognized sign in and of itself, but it still eats into the effectiveness of sandboxing as a detection tool. Of course, doing it like smartphones do - running everything in a sandbox by default instead of only using the sandbox for analysis - would still be really useful, but that is not where we are.
  
-The cool thing about sandboxing, though, is that it too is able to independently identify malware, even if sample wasn't previously known.+The cool thing about sandboxing, though, is that it too is able to independently identify malware, even if sample wasn't previously known. It's yet another layer of defense.
  
 ===== 4. Behavioral Detection ===== ===== 4. Behavioral Detection =====
-Behavioral detection is what truly distinguishes good products from terrible ones. However, it is also the hardest to get right, if you get it working at all. Of course we as humans don't care about cybersecurity in terms of software or code. As company, what you care about is to prevent data exfiltration, not the semantics used to get thereThe malware sample used to do nefarious things is just that - a sample used to do nefarious thingsWe don't care about the sample, we care about what it does. If you understand thisBehavioral Detection is just for you.+Behavioral detection is what truly distinguishes good products from terrible ones. However, it is also the hardest to get right, if you get it working at all.\\ 
 +As humans don't care about cybersecurity in terms of software or code. The ones and zeroes in play are just means to an endWhat we are really trying to stop is hackers getting ahold of your login credentialsYour company's top secret files, or perhaps encrypting all your files and demanding money for their decryption. In short, we care about what end malware is working towardstheir //behavior//.
  
 When Signatures, Static Analysis and Sandboxing all return negative, it probably is time to let the program execute. But, behavioral detection keeps watching. If a program acts up and starts doing funny things - for example if it starts encrypting files - it will notice and shut that program down. If a program suddenly starts deleting a bunch of shit, or gives orders to another program to delete a bunch of shit - shut it down. If a program does funny things with your boot configuration, your autoruns, downloading files from the internet or uploading stuff from your PC - very suspicious. Behavioral detection is my favorite type of detection, because it addresses the exact thing that we, you and I, are ultimately talking about: the malicious action itself. When Signatures, Static Analysis and Sandboxing all return negative, it probably is time to let the program execute. But, behavioral detection keeps watching. If a program acts up and starts doing funny things - for example if it starts encrypting files - it will notice and shut that program down. If a program suddenly starts deleting a bunch of shit, or gives orders to another program to delete a bunch of shit - shut it down. If a program does funny things with your boot configuration, your autoruns, downloading files from the internet or uploading stuff from your PC - very suspicious. Behavioral detection is my favorite type of detection, because it addresses the exact thing that we, you and I, are ultimately talking about: the malicious action itself.
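Review bot: "As humans don't care about cybersecurity in terms of software or code" has lost its subject in the rewrite and reads as a dependent clause; "As humans, we don't care ..." is what the following sentences ("What we are really trying to stop ...") continue from. In the last sentence of that paragraph "their //behavior//" has no plural antecedent; "malware" is treated as singular everywhere else on the page, so "its behavior" fits better.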
Line 71: Line 72:
 You are perfectly right, humans are the biggest threat to their PC. [[People are the Problem]]. Therefore, we should not trust humans with keeping a PC safe. Not this guy, not your mom, not you - regardless of how good you think you are. Get proper antimalware. You are perfectly right, humans are the biggest threat to their PC. [[People are the Problem]]. Therefore, we should not trust humans with keeping a PC safe. Not this guy, not your mom, not you - regardless of how good you think you are. Get proper antimalware.
 </WRAP> </WRAP>
-Common sense is the single most frequent advice that can be found on the internet. And it's true - human judgement can be a good and sometimes even the most effective layer of protection against threats of all kind. In all cases, common sense should be the first layer of defense. But, human judgement is prone to failure - that's why car accidents happen all the time. That's why most plane crashes happen. To say that you should primarily use common sense is to say that you should just drive better, that you should just "not make mistakes". This is not how reality works.+Common sense is the single most frequent advice that can be found on the internet. And it's true - human judgement can be a good and sometimes even the most effective layer of protection against threats of all kind. In all cases, common sense should be the //first// first layer of defense. But, human judgement is prone to failure - that's why car accidents happen all the time. That's why most plane crashes happen. To say that you should primarily use common sense is to say that you should just drive better, that you should just "not make mistakes". This is not how reality works.
  
 With heavy and potentially dangerous machines, operator training and safe handling standards are one half of the equation. The other half sits in the design department with skilled and knowledgeable people who recognize that even the most knowledgeable and experienced operator will make a mistake. A brief moment of distraction, inattention. Tiredness, exhaustion or sometimes maybe just plain stupidity. Any number of cognitive biases. Confirmation bias for example, pilots will know best that the biggest threat to modern airplanes is the human sitting in the cockpit, and they are extensively trained to resist the kind of errors humans often make. To deny this reality is to deny decades of statistics and the science of risk management. Human factor is rule number #1. Don't fall victim to rule #1. With heavy and potentially dangerous machines, operator training and safe handling standards are one half of the equation. The other half sits in the design department with skilled and knowledgeable people who recognize that even the most knowledgeable and experienced operator will make a mistake. A brief moment of distraction, inattention. Tiredness, exhaustion or sometimes maybe just plain stupidity. Any number of cognitive biases. Confirmation bias for example, pilots will know best that the biggest threat to modern airplanes is the human sitting in the cockpit, and they are extensively trained to resist the kind of errors humans often make. To deny this reality is to deny decades of statistics and the science of risk management. Human factor is rule number #1. Don't fall victim to rule #1.
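Review bot: "common sense should be the //first// first layer of defense" duplicates "first"; keep only the emphasised one. While touching that paragraph, "Confirmation bias for example, pilots will know best that ..." in the unchanged context below it is a run-on that needs either a full stop after "bias" or a rewrite, and "rule number #1" says "number" twice.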
Line 84: Line 85:
 There is a pervasive myth that common sense plus Windows Defender are enough to keep you safe. Or that Windows Defender is as safe or safer than other products on the market. Safety, of course, is measured in risk, and the only truth here is that different combinations of precautions lead to different levels of //risk//. But still, the idea is that common sense plus Windows Defender is enough for the risk to be "low enough" for these people. There is a pervasive myth that common sense plus Windows Defender are enough to keep you safe. Or that Windows Defender is as safe or safer than other products on the market. Safety, of course, is measured in risk, and the only truth here is that different combinations of precautions lead to different levels of //risk//. But still, the idea is that common sense plus Windows Defender is enough for the risk to be "low enough" for these people.
  
-Maybe. In fact, that’s the setup I personally rely on. But the problem is that common sense is empty advice and, for much of its history, Windows Defender was genuinely terrible. The people who say “Common Sense + Defender” today are the same people who once said “just common sense.” The only real shift is that now we’re debating Defender itself. +Maybe. In fact, that’s the setup I personally rely on. But the problem is that common sense is empty advice and, for much of its history, Windows Defender was genuinely terrible. The people who say “Common Sense + Defender” today are the same people who once said “just common sense.” 
  
 Defender has been a properly horrible antimalware product for the longest time. Keeping a signature list of known malware is the most basic form of antimalware and any respectable antivirus product should ace this //by default//. However, Defender consistently missed well-known, widely publicized malware, including samples that were years old. Back then, tests showed detection rates around ~70% (([[https://www.youtube.com/watch?v=iWL9cHgYfRw|The PC Security Channel - Windows Defender vs Malware in 2021]], retrieved on 29.05.2026)), while products like Kaspersky or Bitdefender hit 98%. Despite that, people insisted Defender was “good enough", indicative of a complete lack of understanding of risk management or cybersecurity. Defender has been a properly horrible antimalware product for the longest time. Keeping a signature list of known malware is the most basic form of antimalware and any respectable antivirus product should ace this //by default//. However, Defender consistently missed well-known, widely publicized malware, including samples that were years old. Back then, tests showed detection rates around ~70% (([[https://www.youtube.com/watch?v=iWL9cHgYfRw|The PC Security Channel - Windows Defender vs Malware in 2021]], retrieved on 29.05.2026)), while products like Kaspersky or Bitdefender hit 98%. Despite that, people insisted Defender was “good enough", indicative of a complete lack of understanding of risk management or cybersecurity.
  
-Now, Defender has improved. It finally catches the obvious malware, its detection rates have climbed to around 95%, and it’s become a passable baseline product. Ironically, this means that people who were wrong for years are now accidentally right, but for the wrong reasons. Their logic hasn’t improved - the facts just shifted closer to their narrative.+Now, Defender has improved. It finally catches the obvious malware, its detection rates have climbed to around 95%, and it’s become a passable baseline product. Ironically, this means that people who were wrong for years are now accidentally right, but for the wrong reasons. Their logic hasn’t improved - the facts just shifted closer to their narrative. It's really annoying, because the people who think Defender is enough are often the same people who would never pass up an opportunity to talk about how terrible Microsoft products are. They genuinely despise Microsoft - and for good reason. But, all of the sudden, when it comes to the antivirus, they'll turn around and say that Defender is //great//, because it's an OS level antivirus. Somehow, the possibility that Defender is deeply broken and dysfunctional because, well, it's a Microsoft product, just doesn't enter their mind. And of course it doesn't, because they don't care that much about the actual protection Defender provides. In their mind, //you// are the antivirus and Defender is a nice to have. Obviously, under these conditions it really doesn't matter whether it has a 95% detection rate like it has these days, or a 60% detection rate like back in the olden days.
  
-Even soDefender still has major shortcomings. Its scanning is largely signature-based, with minimal static analysis and weak behavioral detection. There’s some anti-ransomware with protected folders, but it has questionable reliabilityIt's actually worse - A single shell command can disable it completely, delete Defender'its signature definition files, or set the whole PC as an exception. Registry tweaks and group policy edits allow malware to bypass it. And these are //not// obscure attacks - they’re widely known in the cybersecurity community. Most of these exploits still exist and properly advanced malware //will// get through.+And yeahit doesn't perform well. Its detection is largely signature-based, with minimal static analysis and weak to non-existent behavioral detection. There’s some anti-ransomware with protected folders, but it is unreliableProtected Folder Access can be bypassed by malware using a single shell command. Defender does also not provide any resistance to malware that deletes Defender's signature definition files. It is even possible for malware to just set the whole PC as an exception. Registry tweaks and group policy edits allow malware to bypass it and, worst of all, none of the attack vectors I just named require any kind of privilege escalation or user input (beyond running the malware sample of course). And finally, these are //not// obscure attacks - they’re widely known in the cybersecurity community. Most of these exploits still exist and properly advanced malware //will// get through
 + 
 +Lastly, I would like to address a point made about Defender that supposedly sets it apart from other security vendors. I am not going to explain what these terms mean and my response I meant for the kind of people who don't need these terms explained to them. Some supporters of Defender suggest that, because it is "OS level" or even "kernel level", that it makes it a more tamper resistant and potent antimalware product. 
 + 
 +Now, it is true that Defender is "OS level" and "kernel level", but you may be surprised to heart that this does not mean very much. Let's disregard the fact that Defender is just a poor product and is easy to tamper with, with or without OS protection. Even if it was properly programmed software that couldn't just be bypassed by well known bypasses that have been around for years... Windows offers an API that lets other antimalware register themselves as a security vendor inside of your machine. Using this integration, third party security software can get largely similar access to protections as Defender((Some keywords here are PPL and ELAM.)). However, as far as tamper protection is concerned, third party vendors have been able to protect their own resources for a long time now. 
 + 
 +That brings us to the "kernel level" argument for Defender. I suspect that people misunderstand what a "kernel" is and how they are treated in the real world. Any respectable antivirus product from the last two decades that offers "real-time protection" does so, in part, by scanning the memory and activities of active processes on the machine. The antivirus has kernel level access. That's part of behavioral protection, as detailed earlier. Kernel level access has been employed in endpoint protection ever since and Defender is not special by using it. This is why the whole "OS level" idea doesn't make a lot of sense anyway. When you have kernel level, you //have// OS level.
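Review bot: the new claims in the "And yeah, it doesn't perform well" paragraph (protected folders "bypassed by malware using a single shell command", malware able to "set the whole PC as an exception", and "none of the attack vectors I just named require any kind of privilege escalation or user input") are the strongest statements on the page and carry no reference; the only citation here is the 2021 PC Security Channel video, which supports a detection-rate figure and nothing about bypasses. Each bypass needs a source or a reproduction step, and the "no privilege escalation" claim needs one in particular, because the three paragraphs added after it say Defender runs with OS-level and kernel-level protection (PPL, ELAM) that third-party vendors also rely on for tamper resistance; a bypass of that from an unprivileged process would be worth documenting on its own, and the items listed (shell command, registry tweaks, group policy edits) are configuration changes, so "exploits" in the last sentence is the wrong word. The numbers also disagree within the hunk: the earlier paragraph cites "~70%" for the old detection rate, the new text says "a 60% detection rate like back in the olden days", and the "around 95%" figure for today has no citation. Typos introduced here: "surprised to heart" should be "hear", "my response I meant for the kind of people" should be "my response is meant for", and "has been employed in endpoint protection ever since" lacks a referent for "since".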
antimalware_software.1780034105.txt.gz · Last modified: by ultracomfy
