Windows Defender vs Ransomware 2024

  • Published: 9 May 2024
  • Windows Defender vs Ransomware tested in 2024 with tweaks to ASR using Defender UI as well as default settings. Will it survive the onslaught of our well known infamous ransomware like Wannacry, Petya, Ryuk, Darkside etc? Free access to Malware Samples and Live Analysis with Any.Run: intelligence.any.run/plans?TI... (sponsor)
    Buy the best antivirus: thepcsecuritychannel.com/best...
    Join the discussion on Discord: discord.tpsc.tech/
    Get your business endpoints tested by us: tpsc.tech/
    Contact us for business: thepcsecuritychannel.com/contact
  • Science

Comments • 337

  • @TOSStarTrek 2 months ago +289

    a huge percentage of Ransomware is stopped by ad blockers.

    • @5d4a5 2 months ago +40

      ye adblockers dont just block ads they block trackers, malware etc too

    • @TOSStarTrek 2 months ago

      @5d4a5 run 3 ad blockers. You would be shocked they never match numbers for blocked items on the same page.

    • @UNcommonSenseAUS 2 months ago

      Pi hole wins again

    • @user-od4gs3iu4t 2 months ago +28

      I have at least 3 of them.
      Mullvad secure DNS with filters.
      Portmaster firewall with filters.
      And one more which is so popular that YT is ready to ban just for saying about it )

    • @ligmabouls 2 months ago

      @user-od4gs3iu4t can you encrypt the name please

  • @MightyJake462 2 months ago +53

    This DefenderUI is kinda cool. Maybe you should make a video talking about those different switches and what they do ?

    • @kaysimpson 2 months ago +5

      Agreed! I've been trying it out, but a more knowledgeable source of info would be wonderful

  • @garrymcgaw4745 2 months ago +15

    Huge 'Thank You' for posting this it was a real eye opener.

  • @jeffc6059 1 month ago +10

    You left a lot of us hanging. You really need to do a video that goes into more depth on determining the optimal settings of Defender UI for protection and performance, then do a comparison with what you consider are the top 2 other anti-virus software solutions.

    • @venkat2277 1 month ago +1

      He clearly does not recommend using windows defender as the only antivirus.
      Get Kaspersky bitdefender etc which are actually good.
      Plenty of well known players have free products as well.
      Windows defender eats up your system resources too.
      There is no meaningful justification to keep using it.
      If you're concerned about cost, get Kaspersky free version or some other good product there are plenty

  • @Sciophobia. 2 months ago +8

    Woot you included DefenderUI!!! I’ve been waiting so long for you to make a video on this 🎉🎉🎉
    ASR customization is DefenderUIs best feature, brings it closer to Defender for Endpoint. It just needs a self-defense mechanism.

  • @AlrekArinbjorn 2 months ago +10

    I'd love to see you do a side-by-side test of WD, one VM with configure defender on the "max" template and the other VM with defender UI on the "aggressive" template

  • @accrevoke 2 months ago +19

    (enterprise user here) ASR is crucial, along with cloud sampling. In the MDE cloud portal, there are additional controls like "device discovery" as well, by default, it acts as a network device scanner to scan the device's subnet and try to grab information and share to MDE portal.

    • @epic-buffalo 2 months ago

      We've got almost all ASR rules set to block. There's new ones in PREVIEW as well.

  • @martinzima. 2 months ago +1

    Thanks for investigating and sharing!... I use a few utilities e.g. Winaero Tweaker but hadn't come across DefenderUI -- looks v. promising though, will be checking it out for sure! 👍🏼

  • @ImSimpIicity 2 months ago +171

    Man, if only DefenderUI was open source :(
    Nice video btw, like always.

    • @vr0k3n 2 months ago +8

      It is open source, wdym

    • @balsalmalberto8086 2 months ago +28

      "Open source is a killer of intellectual property and un-American." - Jim Allchin of Microsoft

    • @eidodk 2 months ago +36

      @vr0k3n There's literally zero mention of open source on their website, there's no access TO source code anywhere. Show me a path to the source code and i'll consider it open source after having examined the code. Not a second earlier.

    • @actu 2 months ago +1

      I don't see the source either.

    • @Sciophobia. 2 months ago +1

      The developer is a great guy and active on his forums though.

  • @aegiltech 2 months ago +5

    Found implementing ASR in an Enterprise context that we had very little compatibility problems by doing so for the vast majority of rules. Honestly, some of those need to become Defender baseline.
    As for your question around Cloud Protection Level, it mostly has to do with how long will Defender hold up the process if it can't talk or receive a response. The higher you set it, the more chance a machine can seem to freeze or slow down when executing something.
    Should also be noted that Defender now also has an Application Whitelisting style solution called Smart App. Oddly, it can't be set to On if it's ever been set to off (some sort of trusted verification chain), but on standard users, this is a really easy way to set up default deny.

    • @jeffc6059 1 month ago

      The video really needs two more parts: impact on app compatibility and relative system performance degradation benchmarking. You have sort of summed up the first. Thanks.

  • @bruceparker3139 18 days ago

    really appreciate you regularly doing windows defender test.

  • @punch3n3ergy37 2 months ago +1

    I'd be very interested in how you set up your VMs to be sure that your Hypervisor doesn't get infected. As well as where you're getting all those malware samples from.
    Cheers!

  • @Epicurus48 2 months ago

    i only just found ur channel. rly like these videos dont change 👍👍👍👍

  • @adrianocastaldini 2 months ago

    Hi, I gratefully follow you about cyber security. I have a very basic/newbie doubt about PIN vs Password, and I'd like to have your opinion. Recently I switched my Windows account to a local one (for security reason), so now I can access on my Windows system by both my local password OR my old Windows PIN, that's redundant IMO. Q: From a security point of view, is it good keeping only the local password, or is it better maintaining both methods?

  • @greghust8608 2 months ago +8

    It is actually a big shame to in 2024 see this type of behavior from WD. If you need to install another app to improve the security of WD then you might as well instead go with a third-party-antivirus. I would never rely my security on an antivirus that in 2024 can't even detect a "well-known threat" and is mostly chanceless against the modern advanced form of threats.
    However, good work on the review about this software, keep up the great informative work you provide us with!

    • @jeffc6059 1 month ago +1

      I agree. This video is too shallow. The optimal setting combination needs to be explored and then a comparison with the top 2 alternatives made in both protection and effect on system performance.

  • @sebbes333 19 days ago +1

    *@The PC Security Channel*
    2:19 Could you run this test again, but slower, give Windows PLENTY of time (several seconds?) to do the network checks & whatnot, and see if the detection ratio improves?

  • @peterg902 2 months ago +3

    Great info. Let's see if when using the UI, Defender can now compete with other products, given it is free. Buying paid malware protection products can become expensive when one has to protect a number of virtual and non-virtual devices.

  • @zid2714 2 months ago +7

    Hi, love your video. Can you please test the enterprise Defender for endpoint aka ATP

    • @domi2712 2 months ago +2

      It's almost the same, but the difference is to enabling the sense process for reporting data to the MS SecurityCenter, but in general the major functionality is exactly the same as for private users.

  • @spyygammer 2 months ago +1

    It's always a good day when you know that the pc security channel uploaded

  • @ppetrix 2 months ago +1

    Thank you. Very good video.

  • @jvanderhorst2011 2 months ago +1

    I only use WD and it has worked wonders, pretty cool to see I can make it better, thank you for the video.

  • @moonskined 2 months ago +3

    Can you make a detailed video with DefenderUi with different settings and tests?

  • @BarafuAlbino 2 months ago +1

    If the reason you suggested why it misses known samples is correct, then on another exactly the same clean run it should catch that.

  • @VeritronX 2 months ago +2

    would be nice to know exactly which settings were changed to make it block 100%

  • @derzimtraucher9748 1 month ago +1

    Could you test the detection ratios of the open source antivirus ClamAV on Windows? Or Linux even. I've never seen a video like this and I have been curious about the detection ratios of this (only?) open source AV.

    • @sylussquared9724 1 month ago +1

      Clam av is not an antivirus, nor is it designed to be useful as one
      Its designed to be a malware scanner for mailboxes
      That means you set it up to scan every so often to remove malware people might send
      It has terrible detection rates when compared to any reasonable av (because its not an av) and is not something I would ever recommend using outside its intended purpose
      (this is the simple version)

    • @derzimtraucher9748 1 month ago

      @sylussquared9724 Thanks for the clarification. You're probably right that it is not a realtime antivirus, even tho you could theoretically use it as one. Regardless, I would be interested to see detection results of a folder scan for example in comparison to second opinion scanners such as HitmanPro or Malwarebytes.

  • @ncg8224 1 month ago

    Is VBS aka Memory Integrity on? That would be a more fair approach to this

  • @nevermind_sabix 2 months ago +1

    Great video 👍.... Astonishing 😮
    Make a video on Ubuntu system 🙂

  • @eitan71 2 months ago +2

    excellent video!

  • @D.von.N 25 days ago

    Does the UAC set up to the max prevent running obscured exe files pretending to be .docx or .pdf and similar? I.e. I download a text document but I don't intend to install anything right now. So denying the crap running.

  • @kelgar1 2 months ago

    Can you test MS Defender for Endpoint? would love to see how that holds up

  • @user-zk1kv4yz8c 2 months ago

    Hello, in your video in the progress of testing windows defender, cpu loaded on 100%
    May be Low performance cpu doesn't allow defender delete all Ransom in during

  • @Glinckey 2 months ago +1

    You should turn on control folder access and network protection

  • @johnaashmore 1 month ago +1

    Why is there no safe link to Defender UI by the channel in the notes?

  • @Rieversed- 1 month ago +1

    can you please make a video between malwarebytes and norton?

  • @wilfredotorres6628 2 months ago +2

    Hi Leo, no, you definitely have to tweak Windows Defender. The best way of doing it is going through the edit local group policy, if you can do that, and tweak the heuristics and tweak the cloud level; this makes it a little bit more difficult or more stringent, more difficult to get through to the operating system. With that defender tool I'm assuming that you can tweak the settings even if you don't have the pro edition so that makes it even more effective tool to use.

  • @darkness3251 2 months ago +1

    About cloud detection, i use eset and when i want to open suspicious app or file it will block it first then it will do cloud analysis. If the app or file is safe it will let you use otherwise it will remove it. Antivirus should not allow suspicious app to run before analyzing it.

  • @joed9305 2 months ago +56

    ASR works, but it does break a lot of things, depending on which you enable.

    • @actu 2 months ago +6

      Would you recommend any as a baseline to not break anything but at least increase protection?

    • @user-od4gs3iu4t 2 months ago +1

      @actu it depends heavily on the office suite, pdf software that you have installed. So the general guideline is to enable max protection by turning on or setting to "warn" in DefenderUI and set high security/privacy in your office/pdf suite as well, and disable those which break your routine work

    • @actu 2 months ago

      @user-od4gs3iu4t I don't work at all really, so it just depends.

  • @jurgenmetz894 2 months ago +1

    Cool thank you 😊

  • @MegaDeano1963 2 months ago +1

    Nice vid
    Questions I'd ask is
    1. If you just run black claw would windows detect and stop
    2. Were the files in one drive and vault affected
    3. Is letting python run part of the problem , ( doesn't python nominally get detected by Windows especially when it's doing things like launching a 100 malware programs , and some encryption programs use python ?)

    • @sylussquared9724 2 months ago +1

      1: No, I just tested it and it missed it (the sample I had was 2 years old)
      2: IDK I didn't have onedrive setup but I would not be surprised
      3: No

    • @MegaDeano1963 2 months ago

      @sylussquared9724 cheers for reply

  • @vr0k3n 2 months ago +6

    It's so insane to me those options aren't enabled by default on Windows Defender O_O What's the point in using it, then? I'd never fall for ransomware but i still have Kaspersky just in case whatever happens.

    • @marioprawirosudiro7301 1 month ago +1

      He explained this in the video...
      Basically, it eats more resources and may create more false-positives.

  • @nickvirgili2969 2 months ago +4

    That was what i wanna see, the ins and outs of ui add on, that did better.

  • @alanmagic360 2 months ago +2

    Would love to see how Windows Defender react against your ransomware simulators >_

  • @Nigel_B 2 months ago +3

    Rather than use third-party tweaks for Windows Defender, I prefer to use ESET security suite, uBlockorigin adblocker, and Quad9 DNS, which blocks malware domains.

  • @Aprendeco0 1 month ago

    I do think there are differences now with the Windows Security (now the basic protection with windows OS) and the MS Defender AV from Microsoft with the Office, it would be nice to test this one to see what it is the differences.

  • @sutixela 1 month ago +1

    I had to quit fullscreen because the "Ransomware found" alert kept freaking me out lol

  • @tanmay5570 2 months ago

    thank you! Ransomware was a headache to me with windows defender. At least with this defender ui, there will be higher degree of protection...

  • @Recker1125 4 days ago

    System idle process takes all cpu when I am idle on my PC. Is that alright? Some people told me it's fine. But i see yours is less than 0.01

  • @slainiae 2 months ago

    Hi. Could you investigate the issue regarding unsubscribing from various anti-virus software packages. I recently wanted to cancel my own very well known product but the option to cancel renewal wasn't even available.

    • @user-od4gs3iu4t 2 months ago

      that's a standard practice for many online services. You give your credits once - and it never ends. ALWAYS check if the company has a physical address where you can send a letter which obliges the company to close the contract

  • @claycassin8437 2 months ago +2

    Good thing I use Bitdefender instead. I used Defender before, but I did not feel safe. Now I know why- Crappy default settings.

  • @SBTRIS 2 months ago +1

    I don't understand why you disable the ransomware protection feature (Controlled folder access)? The whole idea of that to protect against you know Ransomware?

    • @davidfishwick5573 2 months ago

      I think it's because controlled folder access is disabled by default, and he wanted to run a test specifically with the default settings, assuming a user has never changed any of them. But you are correct, if you want to protect against ransomware, its advised to turn this feature on even if you don't do anything else.

    • @sylussquared9724 2 months ago +1

      Controlled folder access stops ALL programs accessing the files
      A: See the above comment ^
      B: That would make the test unfair and completely pointless as it would not block the ransomware but stop it from encrypting the files

  • @vasudevmenon2496 2 months ago

    I have customized ASR rules such as show allow from USB, block cred stealing from Lsass in Pro or enterprise windows editions(benchmate or any app that stores creds in plaintext excluding will fail post http method) and warning for psexec wmi and process creation.

  • @transientvoltage 2 months ago +1

    Have you heard a malware type where its main file is somehow immune to a simple delete command if found?

    • @seansingh4421 2 months ago +1

      Yep, those are called polymorphic malware and certain fileless malware also could be considered immune to that

  • @qweerty9869 2 months ago +1

    So is 98% considered good compared to other protection software? Is it enough to just have defender on my system? There was no comment about the overall performance of defender, would appreciate your input (or anyone else in the comments). Thank you!

    • @user-od4gs3iu4t 2 months ago

      yes, it's good. But if you plan to use it without tweaking its optional protection, you better go through ALL security/privacy settings in all your pdf/office/mail software and enhance them by: disabling scripts and macros by default, and enhancing other security settings, like disabling access to internet for pdf/office
      In fact, it's better to do it anyway, cause it's another layer of protection

    • @sylussquared9724 2 months ago +1

      Bear in mind this was a TINY test against just ransomware samples and has nothing to do with defenders overall protection
      As well as that, the world of ransomware even one sample being missed is game over

    • @user-od4gs3iu4t 2 months ago

      you need also bear in mind that it's not normal to run a script executing one malware after another. It's much more realistic to EXTRACT a big pile of (possibly) malware files, which simulates a more likely situation. That's why many AV testers do exactly such kind of test instead of running a script. Though it does not deny that a method used in this channel is not relevant. It is relevant in some situations. And the result of 98% simply stands for a fact that windows defender under heavy load is much more capable when you give it a lot of time and/or system resources and a good internet access to online cloud test

    • @user-od4gs3iu4t 2 months ago

      you need also bear in mind that for a purpose of simplification of his test the owner of this channel runs his script under admin account, and possibly with minimal UAC security settings. Which no normal user should do )

  • @jonathanhnl 1 month ago

    Is it possible to test Morphisec?

  • @Zachsnotboard 2 months ago +2

    Controlled folder access being turned on should stop this correct ?

    • @sylussquared9724 2 months ago +4

      Yes, but it will also stop all other programs from accessing said folders
      Only use it on files you really cannot risk losing

    • @Zachsnotboard 2 months ago

      @sylussquared9724 I always have it on, will pop up if blocked and u just turn it off for that moment. Really isn't that bad IMO

    • @zybch 2 months ago

      @Zachsnotboard It's a constant frustration though, with continued "allow deny" options popping up all the damn time (kinda like how macs ship).

    • @Zachsnotboard 2 months ago

      @zybch that actually seems like a nice feature to ship default

    • @balsalmalberto8086 2 months ago +1

      @Zachsnotboard Showing file extensions in explorer would also be nice feature to ship default

  • @nickvirgili2969 2 months ago

    Do a deeper dive on the defenderui to see what exactly gave ya that 100%. Or ill have to set up a vm to try your script on, if its downloadable.

  • @michaelgalarza6643 2 months ago

    Can you try Microsoft Defender for Endpoint?

  • @KGBSpyGeorgeCostanza 2 months ago +9

    Transformative content, I like that the malware sandbox domain allows you run a virtual machine all the way to Windows 7 32-Bit
    The one back at my house is 64 bit though

    • @BarafuAlbino 2 months ago

      Last time I checked, the free tier allows ONLY Win7 32bit. And the cheapest paid tier costs hundreds.

  • @gizmowizard352 2 months ago

    4:01 Gibberish is poetic, not my school essay topic!

  • @phonetech1312 2 months ago

    Can u review Ikarus Security ?

  • @remakingsomething 2 months ago +1

    Please do another free AV matchup :)

  • @Rai_Te 2 months ago +2

    Without context, this test is not telling us much.
    Yes, carefully tuned, Defender improves, but at the same time consumes more resources.
    Without a comparison to other virusscanners, this does not tell us anything.

    • @user-od4gs3iu4t 2 months ago

      It consumes more resources cause it tries to make a careful analysis of every file. Don't you find this natural? Or you prefer that your AV just let some files go?
      The reasonable conclusion is only one: don't start many applications in a short period of time, especially one suspicious file after another, to let your AV make a good analysis, and generally let your system to distribute the system resources. Just like we normally do, right?

    • @jeffc6059 1 month ago

      The initial reaction after watching the video also.

  • @Praetorian-Guard 2 months ago +2

    Is the DefenderUI safe and legit to optimise Windows / Microsoft Defender?

    • @patmacknife 2 months ago

      Yes and its free

    • @user-od4gs3iu4t 2 months ago

      yes, in case if you are the owner of the computer and OS Windows )

  • @Alchemetica 2 months ago

    Thanks for testing Defender. While I prefer to use paid resources it is still interesting to see Defender's capabilities.

  • @chumbucketjones9761 2 months ago

    Does anyone know how to uninstall that 'copilot' thing? Please.

  • @saikatsaha4122 2 days ago

    Recently purchased a new laptop this week. It came with McAfee pre-installed, and initially, I was pleased to receive a free 1-year subscription. However, after conducting some research, I decided to fully delete it and am now using Defender to protect it from internal threats like McAfee.

  • @doro_is_adopted 6 days ago

    please do more videos about this

  • @synthwave7 2 months ago

    Oh no -should not have watched this video - I am trusting Defender everyday !!! Great video - thanks

  • @astreaea.escanes 2 months ago

    Only people who watched this video or already know about ASR rules will be able to follow it. I don't think it's enough for most computer users, since using Defender UI is already complicated for normal users, NOT US.
    But it's always good to know that at least we can reduce some cost for AV solutions for some computers that we don't poke random Internet websites. ;p

  • @steiner554 2 months ago +1

    Windows is an operating system. Leave it at that and don't trust it for other tasks.
    You won't let your plumber repair your car.
    Each software is dedicated and (mostly) optimized for its task.

  • @enigma220 2 months ago +1

    Leo, I'm sorry if this sounds petty, but will you kindly in the future please not use dark mode? It really strains my eyes and makes it harder for my autistic brain to process the information. I'm having the same issue with ControlD DNS, who I loyally pay for and love, but I requested an option for light mode and Yegor (CEO) says its already in the works. :)

  • @Reynardfoox 2 months ago

    u forget Sandboxie?

  • @S.0.K. 2 months ago +2

    My PC is so slow that Defender will have enough time to Get all the info it needs from the cloud before Ransomware can do anything:)

    • @user-od4gs3iu4t 2 months ago

      nice joke ) I'm sure that any normal use of PC will give enough time for WD/cloud to check if the file is safe or not.
      So running script that executes one file after another is no way a good estimation of AV capabilities. It's an extreme sport
      And when WD was a bit tweaked, it had all the time to check carefully every file executed, and was able to block all of them

  • @TheShugoBR 2 months ago +7

    is it safe to use defenderUI showed in the video?

    • @wissy0062 2 months ago

      seems like so (take into account what is said at 4:11)

    • @stupossibleify 2 months ago +1

      That's good enough! Random bloke says install this angelic software and someone else we don't know says also.

    • @wissy0062 2 months ago

      @stupossibleify go check yourself if you think its the opposite

    • @5d4a5 2 months ago +2

      im pretty sure yeah but cranking up the settings can create more false positives and eat more of your resources

    • @TheShugoBR 2 months ago +2

      @5d4a5 i know, but i prefer to deal with false positives than with a miss, also i dont mind if uses more resources if keeps the computer more secure

  • @pootispiker2866 2 months ago +3

    Bitdefender FTW

  • @hotmixer2010 2 months ago

    Leo make a review of the free public DNS services that block malware domains

  • @vadimuha 2 months ago +4

    Try turning on ransomware protection inside windows defender

    • @valkaielod 2 months ago

      That is controlled folder access. I remember it breaking things.

    • @davidhoward4715 2 months ago +3

      @valkaielod No, you don't.

    • @gonzalozamorak 2 months ago +2

      @davidhoward4715 Actually, depending on the way you look at the feature, it is a trouble maker. Controlled Access Folder doesn't work like regular folder protection modules in market antiviruses, it's far more aggressive and therefore less usable in the real world. Last time I checked, if you protected a folder, you couldn't even make yourself a modification in a document or use the space as an administrator, say decompress a zip file in the protected folder. User interaction with the mentioned folders was painful, resulting in a huge percent of the users disabling the feature.

    • @SanSiim 2 months ago

      @gonzalozamorak I just checked that it is off by default.

    • @212-3 2 months ago +1

      @gonzalozamorak Yeah, I would like to have it turned on but if I do I can't even play games because it doesn't let them save savefiles on the Documents folder

  • @kjisnot 2 months ago +2

    I just installed DefenderUI on windows 11 and I do not have all of those options tabs. Only a basic screen that looks like the Home tab in this video. Any idea why not?

    • @kjisnot 2 months ago +2

      A reboot took care of it. I have all of the same options now.

    • @54car54 26 days ago

      @kjisnot I had the same problem. I uninstalled it and reinstalled it by running as Admin, which worked. I didn't think of trying a reboot first. Thanks for that tip.

  • @Lucasbrlvk 2 months ago

    Interesting

  • @jkbobful 2 months ago +1

    Pretty cool but I'm going to stick with Bitdefender

  • @billyguthrie3176 2 months ago +3

    If you look the last entry before the first test concludes it has processed 63 files and has a detection ratio 98.41%. I'm sure the final result was just a tad higher which means it basically tested to be just as effective as bitdefender and Kaspersky. How come that wasn't mentioned in the video. How come when bitdefender and Kaspersky tests to have the same 98% detection ratio we say oh that's great and then recommend them but when windows defender does it we say see told you defender was a piece of crap. The result shows that windows defender is clearly not crap.

    • @JohnDoe-uw9nq 2 months ago +1

      The bitdefender and kaspersky test was on many more files.

    • @IPendragonI 2 months ago

      @JohnDoe-uw9nq How does that affect a percentage.

    • @IPendragonI 2 months ago +1

      Pretty sure he's sponsored by Kaspersky. There's literally no other way this makes sense, even US CISA recommends against using Kaspersky in enterprise.

    • @akalabayapal9634 2 months ago

      @IPendragonI please don't fool around in those test unknown files were used and here known ransomware from past decade was used where anything less than 100% is bad. and moreover the end result matters the defender could not save the files whereas others (kaspersky , bitdefender) blocked it somehow or the other using other protection mechanisms .... And moreover the US apps also collect data and if we the outer nation peoples are not worried why US hiccups when apps from other nation collects their data..Hypocritical Bs of a nation...Also he never mentioned name of kaspersky like that in this video so clear of your eye lenses and check your ears....

    • @user-od4gs3iu4t 2 months ago +3

      any free antivirus is no better than WD. Testing antiviruses by running a script which runs one after another viruses undermines the idea of cloud based analysis. No normal user will run many suspicious program at once, so your pc/internet bandwidth will be enough to research one file and get a good answer is it safe for it to run. Just like expected, in second scenario with 100% result it took much more time to run all the viruses. Which means that in reality your WD will also have close to 100% detection rate

  • @billyguthrie3176
    @billyguthrie3176 2 months ago +1

    Question: Do we yet have any idea how many ransomware Windows Defender or any other antivirus actually encounters on a minute-to-minute basis under normal conditions? One has to wonder if any antivirus regularly encounters 1500 ransomware in less than 1 second like happens in the video. Question 2: How should home users have their Windows Defender set up?

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago +1

      2: just go through all menus and enable max protection )
      If some programs that you need won't work properly, disable some of this overprotection. Temporarily )

    • @stephenwakeman3074
      @stephenwakeman3074 2 months ago +1

      You know how they test the safety systems in cars, using crash dummies and actually crashing them? You know that’s not what’s happening with cars under normal conditions on a minute to minute basis, right?

    • @billyguthrie3176
      @billyguthrie3176 2 months ago +1

      We're interested in efficacy under what would be considered typical usage scenarios. If you can use Windows Defender for 3 years and never have any issue but it fails a barrage of 1500 ransomware in less than 1 second in a test, how does that constitute an accurate appraisal of its efficacy!! To say it's not good enough would be like saying because a UFC champion couldn't fend off 1500 thugs at once he's not a good fighter! @@stephenwakeman3074

    • @phenom957
      @phenom957 2 months ago +1

      @@stephenwakeman3074 Is this really the argument you're going to have? Cars and computers are not equal. Apples and Oranges...
      When a car crashes it's usually totaled. When a computer crashes just hit the "reset" button.
      Your normal, every day cars are put through that to save your life and test their safety systems.
      Your normal, every day computer is not, because when it crashes or some documents get encrypted you just restore a back up or hit the reset button. You can back up your documents, you can't back up time, car crashes and death.

  • @tinchote
    @tinchote 2 months ago +2

    Why would you ignore Controlled Folder Access, which is literally labelled as "ransomware protection"?

    • @pootispiker2866
      @pootispiker2866 2 months ago

      Because it is not a good option in the real world. If you have to whitelist every little thing, it becomes so annoying that you just disable it again. Get a real antivirus

    • @rc_neko
      @rc_neko 2 months ago +1

      @@pootispiker2866 it's not a hassle to use. You get a notification that something has been blocked. If it's a wanted change, click on the notification and allow it.
      This feature alone keeps all the folders protected that you want.

    • @tinchote
      @tinchote 2 months ago

      @@pootispiker2866 Been using it for years, both at work and at home (I use both computers constantly). Yes, I had to whitelist a couple things initially, but it's been smooth sailing for years now.

  • @rawrss
    @rawrss 2 months ago

    Is DefenderUI trustworthy?

  • @SetSubarashii
    @SetSubarashii 2 months ago +1

    It's bad it doesn't block it with a huge attack like that, but could it block it if it was the only ransomware loaded?

  • @JC-ir4jb
    @JC-ir4jb 4 days ago

    It said "Ransomware Found"

  • @ayush0477
    @ayush0477 2 months ago +2

    2024 all antivirus review?

  • @UNcommonSenseAUS
    @UNcommonSenseAUS 2 months ago

    Automating the execution really defeats the purpose though, doesn't it?
    Ransomware is a user issue, as are a good percentage of incidents.
    It's the low hanging fruit.

    • @repairman2be250
      @repairman2be250 2 months ago

      The purpose here is to check detection rate.

  • @PK-kp2fb
    @PK-kp2fb 2 months ago

    Does UAC block it?

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      it won't but it might anyway notify/ask your permission to use a 3rd party software

    • @sylussquared9724
      @sylussquared9724 1 month ago

      UAC does not block anything, UAC is that thing that pops up asking you if you want to let a program change data on your device
      It pops up when a program wants to do something with administrator permissions, so it's up to the user ¯\_(ツ)_/¯
      the user will probably just click yes tho

  • @billy-cg1qq
    @billy-cg1qq 2 months ago +1

    "Zero trust" 😂 Can the OS run at that level? lol

  • @au09
    @au09 2 months ago

    I don't get why you use DefenderUI; that's the same as downloading any other security software.

    • @patmacknife
      @patmacknife 2 months ago

      There is also ConfigureDefender, does exactly the same but it's portable.

  • @xylentantivirus
    @xylentantivirus 2 months ago +4

    Antiviruses generally have no chance against good zero-day malware even if they are the best, but a few days later they generally get detected.

    • @xylentantivirus
      @xylentantivirus 2 months ago

      Also you are testing against known samples.

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      just don't use those security/antivirus packages which come without zero trust. It's that plain simple

    • @eidodk
      @eidodk 2 months ago

      Well, yes and no - behavior analysis usually stops a lot of risky sh*t.

    • @greghust8608
      @greghust8608 2 months ago

      Depends on which. The ones with good behavior protection can beat almost any form of malware. Windows Defender however, is a big exception.

  • @wexdust
    @wexdust 2 months ago

    Love your testing. I've come upon a suspicious Discord server but I don't dare click on any links, and my PC is not going very well with virtual machines. Tried to contact you somehow but there seems to be no way.

  • @JCO2002
    @JCO2002 2 months ago

    I tried to put Windows Defender on my Linux Mint desktop and laptop, but couldn't make it work - so I just said to hell with it ;-)

  • @tablettablete186
    @tablettablete186 2 months ago +2

    AppLocker would have defeated most of it with a simple rule 😂
    Only MS signed executables

    • @slapme3582
      @slapme3582 2 months ago +6

      Impossible in production, still vulnerable to LOLBins exploitation. No simple answer here.

    • @tablettablete186
      @tablettablete186 2 months ago

      @@slapme3582 Why would it be impossible in production? What kind of environment are you thinking about?
      About the other part (LOLBins), yeah AppLocker doesn't block it. There is a similar program on Linux called fapolicyd and its approach is to not let interpreters even read the file.

  • @BasherHamade
    @BasherHamade 2 months ago +2

    Even though I love your content, I hope future videos will concentrate more on security concepts rather than just retesting antiviruses

  • @Nunzio_77
    @Nunzio_77 2 months ago

    Can you test Avast Free vs ransomware?

  • @RobertMaftei
    @RobertMaftei 2 months ago +2

    I just got hacked.. how can i decrypt my files which have been caught by the attacker

    • @akalabayapal9634
      @akalabayapal9634 2 months ago

      No way you can do it. It is encrypted with a symmetric encryption algorithm; until you get the key you cannot decrypt it. That key is further sent to the attacker's server via an asymmetric encryption algorithm.... So no way you can revert your data unless you have a backup

    • @nyff83
      @nyff83 2 months ago

      there are decryption tools for some ransomwares. maybe look into that

    • @RobertMaftei
      @RobertMaftei 2 months ago

      I am waiting in vain... I got rid of the ransomware, only that my stuff is compromised

    • @RobertMaftei
      @RobertMaftei 2 months ago

      @@akalabayapal9634 should I mail them and ask nicely instead ?

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      Man, just admit that you lost in this game
      You are on the right way where to look for help.
      People here cannot restore your data, but you can learn many good things about securing your PC and backing up data

  • @labcdel4384
    @labcdel4384 2 months ago +4

    So if Windows Defender won't protect, then should we use Malwarebytes?

    • @realVampyToast
      @realVampyToast 2 months ago +5

      Kaspersky Free

    • @wing0zero
      @wing0zero 2 months ago +1

      ​@@realVampyToast
      That's a good choice, BitDefender free is pretty decent too.

    • @Kaliyaz_GT
      @Kaliyaz_GT 2 months ago +2

      ESET and Kaspersky are the GOATs, don't use other AVs

    • @firestroke6240
      @firestroke6240 2 months ago +1

      IT'S ONLY 30 DAYS @@realVampyToast

    • @ripleyhrgiger4669
      @ripleyhrgiger4669 2 months ago

      Malwarebytes is not ready for prime time. It slows down systems big time

  • @davidhoward4715
    @davidhoward4715 2 months ago +3

    With so many obvious shills dissing Windows Defender and/or spreading ransomware, I shall stick to WD.