Differences

This shows you the differences between two versions of the page.

--- antimalware_software [2025/08/28 13:00] – ultracomfy
+++ antimalware_software [2026/05/29 17:22] (current) – ultracomfy
@@ Line 1: / Line 1: @@
-Information Technology/Cybersecurity/ Antimalware
+<WRAP column right 18%>
+{{page>Templates:Secularization}}
+</WRAP>
+~~Title:Antimalware Software~~
+<WRAP centeralign>Information Technology/Cybersecurity/\\
+<fs xx-large>Antimalware Software</fs></WRAP>\\
-An antimalware program is a type of software used in the detection of and defense against malicious programs and exploits. Electronic devices can store all kinds of data, most importantly login credentials, financial information and personal information such as pictures, chats, and sensitive files about or from their bank, work, family or other private matters. This makes those devices valuable targets for either destruction, theft or holding them hostage. In some cases, it's not about the value of the files on the device, and more about the device itself - some attacks exploit them for cryptomining, botnetting and other nefarious activities where it is more about the devices resources as an independent machine, rather than anything specific //on// that machine.
+An antimalware program is a type of software used in the detection of and defense against malicious programs and exploits.
+Electronic devices can store all kinds of data, most importantly login credentials, financial information and personal information such as pictures, chats, and sensitive files about or from their bank, work, family or other private matters. This makes those devices valuable targets for either destruction, theft or holding them hostage. Sometimes it's not about the value of files on the device, but more about the device itself - some attacks exploit them for cryptomining, botnetting and other nefarious activities where it is more about the devices resources as an independent machine, rather than anything specific //on// that machine.
 Most commonly, this is done through software, which is then called "[[Malware]]" (Malicious Software). The defining feature of malware is that the actions it takes are unauthorized by the device owner, unwanted and generally destructive in one way or another, and it will typically not notify the user or give them a choice in the matter((Unlike stuff like kernel-level anticheat, which does notify you and which does give you a choice.)). Not all attacks are carried out with malware though, a lot of times this is a matter of exploiting bugs in (oftentimes outdated) software and gaining control over a machine that way. Keep your devices and software up-to-date. Other attacks are carried out by other machines on the network scanning for vulnerable devices or by a bad actor inserting themselves between the user and the internet.
-############################## How protection works\\
+====== How protection works ======
-################### 0 Basics\\
+===== 0. Basics =====
-In general, the objective of an antivirus is to (1) prevent malicious code from ever executing on your system in the first place or, failing that, to (2) terminate a process if it is deemed to be malicious.
+In general, the objective of an antivirus is to (1) prevent malicious code from ever executing on your system in the first place or, failing that, to (2) terminate a process if it is found to have done something malicious.
-################### 1 Signature Detection\\
+===== 1. Signature Detection =====
-Files are identifiable. With fancy mathematics, any computer file can be broken down into a numerical value that, in most cases, is enough to identify identical files((No, it's a heuristic. The content of a file gets simplified down into a numerical string in a way that is extremely //lossy//. That's a one-way operation and cannot be reversed. Would be cool, though.)). A //signature//. The cool thing about being able to identify identical files is that all you need now is a list of files you already know are malicious. Once you have that, you can just compare that list against any computer of your choice and you'll be able to weed out all the malicious programs you already know are malicious, quickly and efficiently.
+Files are identifiable. With fancy mathematics, any computer file can be broken down into a numerical value that, in most cases, is enough to identify identical files. A //signature//. The cool thing about being able to identify identical files is that all you need now is a list of files you already know are malicious. Once you have that, you can just compare that list against any computer of your choice and you'll be able to weed out all the malicious programs you already know are malicious, quickly and efficiently.
 From here on, your life is simple. If someone gets infected, they call you and say "hey, we got infected by something, we don't know what", you find the source of the infection, you determine the signature of the file, add it to your list and with the next hourly "Intelligence Update" everyone using your product will be immunized to that particular sample.
@@ Line 16: / Line 23: @@
 Obviously, this is a (1) type of approach. Every time you want to run a program or open a file, the antivirus will check if the signature of that program or file matches with any of the signatures from its database. The advantages of this are overwhelming: Immunization on a massive scale. Once a malicious program is found, it is added to the list and within an hour the entire world can be immune against it, as your antivirus product will stop the execution of the program before it ever gets a chance.
-Most of the cheap antivirus products on the market rely almost entirely on signatures. Windows Defender, for example, relies on cloud-based protection which is essentially just a very long list of known malicious file signatures. Extremely scalable, light on resources, it's great.\\
+Most of the cheap antivirus products on the market rely almost entirely on signatures. Windows Defender, for example, almost exclusively relies on cloud-based protection which is essentially just a very long list of known malicious file signatures. Extremely scalable, light on resources, it's great.\\
 The downside, of course, is that to be protected from a piece of malware, you have to know about it in advance, at which point you might just check file signatures yourself. Still, there is value in automating that process and having a pool of millions of users and companies that can submit samples for a "crowdfunded" signature pool, curated by cybersecurity experts that can tell between real malicious and false positives. In the field of signature-based detections, good antivirus products and bad antivirus products differ only in the completeness of their signature database. More is better.
@@ Line 23: / Line 30: @@
 However, until a signature is known to be malicious, a signature-based approach will //not// stop a malicious program((Windows Defender is already checking out at this point, because it has almost nothing to offer beyond signatures.)). This is, however, not a reason to dismiss signature-based detection, or antiviruses as a whole. //Most malicious files are known//. You, as an individual, are unlikely to run into a piece of software that isn't already on someone's signature list. Yes, unknown malware not yet in someone's signature list exists, but on the internet it is vastly, //vastly// outnumbered by software we already know is malicious. On the internet, malware can easily linger, sometimes for months, sometimes for years. I'm sure the malicious [[Minecraft]] 1.6.4 Portal mod that I downloaded back then can still be downloaded today, and that's been over 10 years ago! And sure, nobody still downloads mods for Minecraft 1.6.4, but the point is that files that old are still making their rounds today. It can be 10 years, it can be 1 year, it can be a month or barely even a day - in cybersecurity terms these are all old files. Detections roll in very, very quickly (we are talking hours), and mass immunization //is// a valid tool against malware.
-Critics will harp on and on about "Zero-Days", with which they mean "malware that isn't yet detected" as if that was the only thing out there. Yes, undetected malware is a thing, but for the home user that signature list is still extremely valuable. You are much, //much// more likely to run into malware already in someone's signatures, as opposed to something unknown. But even then, signature-based detection is not the only way to defend against malware.
+Critics will harp on and on about "Zero-Days", with which they mean "malware that isn't yet detected" as if that was the only thing out there. Yes, undetected malware is a thing, but for the home user that signature list is still extremely valuable. A good signature list is basically like a vaccine that makes you immune to 98% of known pathogens. Undeniably, a strong first line of defense. But even then, signature-based detection is not the only way to defend against malware.
-################### 2 Static Analysis\\
+===== 2. Static Analysis =====
-Back to the start. We are an antivirus product. We are trying to protect the user from malicious code. The user is attempting to open a program. We stopped that attempt for now, because before we let a program execute we want to make sure that it is safe. So, the first thing we did was to run the program against our signatures. That test comes back negative. Well, cool, this means that we haven't already confirmed this program to be malicious - but that does not mean that it is //not// malicious. We only know that we don't already know about its maliciousness. What do we do now?
+Back to the start. We are an antivirus product. We are trying to protect the user from malicious code. We have our signature list and we're using it. Imagine now that the user is trying to open a program. Of course, what we do is we first halt the execution process and wait to check whether that program is in our signatures. If it is not then that's a good sign, but it doesn't guarantee that the program is safe to use.
-The next step is to take an actual look at the program. Our list is a quick and easy way to rule out known offenders before having to put in any actual work, but now that this is not a known offender, we have to make sure it isn't an offender at all. The way to do this is by taking the program apart and look inside, see what they are programmed to do. The difficulty here is to distinguish between actually malicious acitivity and activity that just looks funny. The problem with malware is that they do things that in principle could also be done by non-malicious software. Uploading your login credentials/cookies to a server is what a password manager might do. Encrypting your files is just normal and otherwise valid cryptography, but used against you. Any kind of action that is evil in this context can be friendly in any other context. An action can never be inherently tied to malice, and it is the job of an antivirus to make an educated guess based on the information available to it. Of course, sometimes it's quite obvious: Does the program use any known exploits? Does it want connect to any server infrastructure that we already know is controlled by bad actors? That information can sometimes be numerous and paint a very clear picture (that's the easy ones), but more often than not they're sneaky and make it look like their program is just "one of those programs". Creating a tool that can determine this without human oversight is hard. But - at the end you will have a tool that is capable of detecting malware, even if it is previously unknown. No signatures.
+The next step is to take an actual look at the program. Our signatures are a quick and easy way to rule out known offenders before having to put in any actual work, but now that this is not a //known// offender, we have to make sure it isn't an offender at all. The way to do this is by taking the program apart and look inside, see what they are programmed to do. The difficulty here is to distinguish between actually malicious acitivity and activity that just looks funny. The problem with malware is that they do things that in principle could also be done by non-malicious software. Uploading your login credentials/cookies to a server is what a password manager might do. Encrypting your files is just normal and otherwise valid cryptography, but used against you. Any kind of action that is evil in this context can be friendly in any other context. An action can never be inherently tied to malice, and it is the job of an antivirus to make an educated guess based on the information available to it. Of course, sometimes it's quite obvious: Does the program use any known exploits? Does it want connect to any server infrastructure that we already know is controlled by bad actors? That information can sometimes be numerous and paint a very clear picture (that's the easy ones), but more often than not they're sneaky and make it look like their program is just "one of those programs". Creating a tool that can determine this without human oversight is hard. But - and that's the really cool thing about this - at the end you will have a tool that is capable of detecting malware **even** if it is previously unknown. No signatures.
 But, if that fails, we still have one more tool in our arsenal: Comparison. Malware is often changed only slightly, which leads to a myriad of different "strains" that, ultimately, are still the same piece of malware, just slightly altered. Authoring a completely new type of malware would not only take, well, authoring a novel piece of malware, it would also mean finding and then using a new attack vector. But these are limited. There are only so many vulnerabilities open at any time before new ones are found and the old ones are closed. This means that most malware is most often just a "strain" of already known malware, just slightly altered, which means their programming will be similar.\\
 We can use this to our advantage. If we can't find anything in the program that is obviously malicious, we can just check if the program is generally similar to other programs we already know are malicious.
-The advantage to this approach is that it can get a pretty good insight into what a program may do without loading it into memory yet. This is critical because conventional malware can remain dormant on disk without causing harm; it is when it is loaded into memory (be it through the user executing it, or because of a scheduled task or through an autorun entry) that it starts doing malicious things. Analysing software without loading it into memory lets us look at the program without worrying too much.
+All of this is called //Static Analysis//. The advantage to this approach is that it can get a pretty good insight into what a program may do without loading it into memory yet. This is critical because conventional malware can remain dormant on disk without causing harm; it is when it is loaded into memory (be it through the user executing it, or because of a scheduled task or through an autorun entry) that it starts doing malicious things. Analysing software without loading it into memory lets us look at the program without risking getting infected.
-################### 3 Sandboxing\\
+===== 3. Sandboxing =====
-In cybersecurity terms, a sandbox refers to a protected virtual environment segmented off from the rest of the system, filled with all the sand imaginable but, ultimately, constrained to the sandbox. The box part here is the important part, as it means that nothing from inside that box can get out. Critically, this means a sandboxed program cannot access your data. This makes it perfect as a testing ground - throw a software sample in there and let it do its thing. Observe its behavior. Does it do anything scary?
+In cybersecurity terms, a sandbox refers to a protected virtual environment segmented off from the rest of the system, filled with all the sand imaginable but, ultimately, constrained to the sandbox. Basically, it's a simulated environment in which programs can freely run //as if// it was running on your machine, without actually running on your machine. Well, of course it is running "on your machine", but it's sequestered away in a protected environment. The goal of doing this is to just.. observe. If we //let// the program run, would it do anything objectionable? The sandbox offers the advantage of testing out a program without the risk of infection((Yes yes I know actually making sure your samples don't escape the sandbox is a whole different story.)).
-Static analysis is the analysis of a program as it sits on disk - statically. Static analysis is limited by programming restraints - reverse-engineering an entire program is extremely resource-intensive, if possible at all, so the insight you can gain from it is limited. But now we are working with a live sample and can observe its behavior as it unfolds. When you actually just run the program and let it do its thing, you can log virtually everything it does. The cool thing is: if it does do anything malicious, its damage remains constrained to the sandbox and all data outside of the sandbox is safe.
+Static analysis is the analysis of a program as it sits on disk - statically. Static analysis is limited by programming restraints - reverse-engineering an entire program is extremely resource-intensive, if possible at all, so the insight you can gain from it is limited. But in the sandbow we are now working with a live sample and can observe its behavior, as it unfolds. When you actually just run the program and let it do its thing, you can log virtually everything it does. The cool thing is: if it does do anything malicious, its damage remains constrained to the sandbox and all data outside of the sandbox is safe.
 Sandboxing is already a standard in smartphones. On operating systems like Android and iOS, pretty much everything on those phones runs sequestered in individual sandboxes which can barely, if at all, interact. Since all damage is always limited to the scope of an application's sandbox, there is very little damage malware can cause on those platforms. The real threats on those platforms lies in hijacking otherwise friendly apps whose sandbox contains valuable data (your browser, for example) or socially engineering the user into doing the malicious thing themselves.\\
@@ Line 45: / Line 52: @@
 Anyway, the point of sandboxing is to give a program room to do its things so we can see what it does. There is a problem though - if we sandbox every program the user wants to open, how much time do we want to sandbox before deciding that the program is OK? What if the malware is programmed to wait for a minute? This is not acceptable and makes it one of the major weaknesses of sandboxing. Additionally, lots of malware can recognize sandbox environtments, including [[Virtual Machines]], and will refuse to execute in them. This is a recognized sign in and of itself, but it still eats into the effectiveness of sandboxing as a detection tool. Of course, doing it like smartphones do - running everything in a sandbox by default instead of only using the sandbox for analysis - would still be really useful, but that is not where we are.
-The cool thing about sandboxing, though, is that it too is able to independently identify malware, even if sample wasn't previously known.
+The cool thing about sandboxing, though, is that it too is able to independently identify malware, even if sample wasn't previously known. It's yet another layer of defense.
-################### 4 Behavioral Detection\\
+===== 4. Behavioral Detection =====
-Behavioral detection is what truly distinguishes good products from terrible ones. It is, however, also the hardest to get right, if you get it working at all. Of course we as humans don't care about cybersecurity in terms of software or code. As a company, you don't want internal documents to be exfiltrated to a hacker group - what you want is a system that can stop //that//, not just "programs that look like they're evil". The malware sample used to do nefarious things is just that - a sample used to do nefarious things. What you care about is stopping the nefarious thing. If you understand this, Behavioral Detection is just for you.
+Behavioral detection is what truly distinguishes good products from terrible ones. However, it is also the hardest to get right, if you get it working at all.\\
+As humans don't care about cybersecurity in terms of software or code. The ones and zeroes in play are just a means to an end. What we are really trying to stop is hackers getting ahold of your login credentials. Your company's top secret files, or perhaps encrypting all your files and demanding money for their decryption. In short, we care about what end malware is working towards, their //behavior//.
 When Signatures, Static Analysis and Sandboxing all return negative, it probably is time to let the program execute. But, behavioral detection keeps watching. If a program acts up and starts doing funny things - for example if it starts encrypting files - it will notice and shut that program down. If a program suddenly starts deleting a bunch of shit, or gives orders to another program to delete a bunch of shit - shut it down. If a program does funny things with your boot configuration, your autoruns, downloading files from the internet or uploading stuff from your PC - very suspicious. Behavioral detection is my favorite type of detection, because it addresses the exact thing that we, you and I, are ultimately talking about: the malicious action itself.
-The cool thing about behavioral detection is that it works entirely independently and does not discriminate. Even the most trusted corporation on the planet might one day get hacked and publish a malicious update that will harm your computer/data - but behavioral detection does not care whether something is done by a program from a trusted source or by a program your internet friend told you to download((And then "disable your firewall before running".)). The location in which your browser's session cookies are stored is //sacred// and nobody should get to access it and then just casually make a sneaky transmission over the internet without someone raising a hand. That's potentially an infostealer. No program should be able to load hundreds of files into memory per minute, garble their contents and then save them back to disk. That's definitely ransomware. Windows does //not// like programs that it does not know. It is quite hard these days to run scripts and programs you, or someone you know, made. Sometimes it will just refuse outright. But behavioral detection can genuinely make a difference here.
+The cool thing about behavioral detection is that it works entirely independently and does not discriminate. Even the most trusted corporation on the planet might one day make a mistake and publish an update to their software that has a vulnerability. Or maybe they got hacked and are now being used in a supply chain attack - behavioral detection does not care whether something is done by a program from a trusted source or by a program your internet friend told you to download((And then "disable your firewall before running".)). Games on Steam are generally considered to be "safe", but fake Steam games exist and can live for over a month before being taken down. The location in which your browser's session cookies are stored is //sacred// and nobody should get to access it and then just casually make a sneaky transmission over the internet. No program should be able to load hundreds of files into memory per minute, garble their contents and then save them back to disk. Windows does //not// like programs that it does not know. It is quite hard these days to run scripts and programs you, or someone you know, made. Sometimes it will just refuse outright. But behavioral detection can genuinely make a difference here.
-The advantage of this approach is that, regardless of whatever program you throw at it - known or not, popular or not, new or not, published by a trusted source or not, system online or not, downloaded from a shady website or not, ran from an unknown USB drive or not - behavioral detection can spot them all (while non-malicious programs are fine). Additionally, behavioral detection can spot all other kinds of exploits not delivered directly through an executable file. Even if a trusted program is weaponized, even if the source of the problem is a malicious image file or sound file, [[https://en.wikipedia.org/wiki/Log4Shell|even if the source of the problem is a programming oversight in the code of a programming library which lets remote hackers send arbitrary code to your machine, which it will then execute]] - behavioral detection sees that. Even supply chain attacks wherein bad actors gain access to a trusted program's development structure and insert malicious code into it, which will then be distributed quickly to a vast number of people, especially businesses, can be caught by behavioral detection.
+The advantage of this approach is that, regardless of whatever program you throw at it - known or not, popular or not, new or not, published by a trusted source or not, considered perfectly safe or not, system online or not, downloaded from a shady website or not, ran from an unknown USB drive or not - behavioral detection can spot them all (while non-malicious programs are fine). Additionally, behavioral detection can spot all other kinds of exploits not delivered directly through an executable file. Even if a trusted program is weaponized, even if the source of the problem is a malicious image file or sound file, [[https://en.wikipedia.org/wiki/Log4Shell|even if the source of the problem is a programming oversight in the code of a programming library which lets remote hackers send arbitrary code to your machine, which it will then execute]] - behavioral detection sees that. Even supply chain attacks wherein bad actors gain access to a trusted program's development structure and insert malicious code into it, which will then be distributed quickly to a vast number of people, especially businesses, can be caught by behavioral detection.
 The downside is that behavioral detection is //hard//. To understand which system operations exactly are //malicious// is already difficult enough for humans to agree on. Then putting that from words on paper into actual code, all the while working around the limitations and kinks of the operating system's own security measures... yeah, it's a pain. But - the ambition is there and some of the results are quite impressive. It is, like all other things, just yet another layer of protection, and all layers of protection have cracks and weaknesses. Seriously, as much as I am praising behavioral detection here, I am praising the //concept// of behavioral detection - actual implementations vary in quality and are often held back by serious capability restrictions or just plain poor quality - current behavioral detection products on the market are //not// to be relied upon. In fact, no one single product should ever be solely relied upon.
-############################## How protection doesn't work
+====== How protection doesn't work ======
-################### 1 Common Sense
+===== 1. Common Sense =====
-Common sense is the single most frequent advice that can be found on the internet. And it's true - human judgement can be a good and sometimes even the most effective layer of protection against threats of all kind. But.. who doesn't use common sense? I don't think most people would say that they are being irrational as they carry out an act that is irrational. Human judgement is prone to failure - that's why car accidents happen all the time. That's why most plane crashes happen. To say that you should primarily use common sense is to say that you should just drive better. Giving common sense as advice is to say "just don't make mistakes". Clearly, this is not how reality works.
+<WRAP box right centeralign 18%>
+{{::human.png?nolink&100|}}\\
+You are perfectly right, humans are the biggest threat to their PC. [[People are the Problem]]. Therefore, we should not trust humans with keeping a PC safe. Not this guy, not your mom, not you - regardless of how good you think you are. Get proper antimalware.
+</WRAP>
+Common sense is the single most frequent advice that can be found on the internet. And it's true - human judgement can be a good and sometimes even the most effective layer of protection against threats of all kind. In all cases, common sense should be the //first// first layer of defense. But, human judgement is prone to failure - that's why car accidents happen all the time. That's why most plane crashes happen. To say that you should primarily use common sense is to say that you should just drive better, that you should just "not make mistakes". This is not how reality works.
-With heavy and potentially dangerous machines, operator training and safe handling standards are one half of the equation. The other half sits in the design department with skilled and knowledgeable people who recognize that even the most knowledgeable and experienced operator will make a mistake. Just a lapse of judgement. A brief moment of distraction, inattention. Tiredness, exhaustion or sometimes maybe just plain stupidity. Confirmation bias, pilots have to learn about this a lot. In fact, pilots will know best that the biggest threat to modern airplanes is the human sitting in the cockpit, and they are extensively trained to resist the kind of errors humans often make. To deny this reality is to deny decades of statistics and the science of risk management. Human factor is rule number #1. Don't fall victim to rule #1.
+With heavy and potentially dangerous machines, operator training and safe handling standards are one half of the equation. The other half sits in the design department with skilled and knowledgeable people who recognize that even the most knowledgeable and experienced operator will make a mistake. A brief moment of distraction, inattention. Tiredness, exhaustion or sometimes maybe just plain stupidity. Any number of cognitive biases. Confirmation bias for example, pilots will know best that the biggest threat to modern airplanes is the human sitting in the cockpit, and they are extensively trained to resist the kind of errors humans often make. To deny this reality is to deny decades of statistics and the science of risk management. Human factor is rule number #1. Don't fall victim to rule #1.
-As I said, proper education and training //are// a crucial part of protecting users from cybersecurity threats, but it is terrible advice to give, especially if expressed as "common sense" (which everyone thinks they have, unlike education and training) or if it is described as "enough" precaution (or anything close to it). It is not enough, it isn't even close to enough.
+Proper education and training //are// a crucial part of protecting users from cybersecurity threats, but it is terrible advice to give, especially if expressed as "common sense" (which everyone thinks they have, unlike education and training) or if it is described as "enough" precaution (or anything close to it). It is not enough, it isn't even close to enough.
 Risk management, a proper science that would //never// even //think// about suggesting something as ridiculous as this, is about minimizing risks at every stage of the process - at the human level, sure, but also at the mechanical level. That's why 50% of the resources of product design go into researching how humans could possibly fuck up using the product, and then minimizing the ways in which it can happen in the first place or how to minimize the potential damage.
-And I haven't even talked about the things that are //outside// of your control. Supply chain attacks are one such thing, but other devices on your network are a thing as well. Do you trust your family to know what they're doing? Your partner? Your colleagues at work? Other students at school? Do you trust that the companies who write the software you are using have proper cybersecurity measures in place themselves? There is an obscene amount of attack vectors in the digital realm beyond the "download an executable and run it".
+And that still doesn’t cover risks beyond your control. Supply chain attacks, insecure devices on your network, careless family members, colleagues, or even vendors whose own security might be weak, remote code execution vulnerabilities, all of these are threats you cannot fix with judgment alone. The digital landscape has countless entry points far beyond simply “not downloading shady files", and treating common sense as the primary defense ignores the true scale of the problem.
+===== 2. Windows Defender? =====
+There is a pervasive myth that common sense plus Windows Defender are enough to keep you safe. Or that Windows Defender is as safe or safer than other products on the market. Safety, of course, is measured in risk, and the only truth here is that different combinations of precautions lead to different levels of //risk//. But still, the idea is that common sense plus Windows Defender is enough for the risk to be "low enough" for these people.
-################### 2 What not to rely on: Windows Defender?
+Maybe. In fact, that’s the setup I personally rely on. But the problem is that common sense is empty advice and, for much of its history, Windows Defender was genuinely terrible. The people who say “Common Sense + Defender” today are the same people who once said “just common sense.”
-There is a pervasive myth that common sense plus Windows Defender are enough to keep you safe. Or that Windows Defender is as safe or safer than other products on the market. Now obviously, "safe" isn't a binary. It's not that you are either "safe" or "not safe", the only truth here is that different combinations of precautions lead to different levels of //risk//. But still, the idea is that Common Sense plus Windows Defender is enough for the risk to be "low enough" for these people.
-And... I don't know, maybe? Funnily enough, despite arguing against it, that particular combination //is// what I rely on((And even that only because I can't disable Defender without some drama from the operating system.)). How much risk is acceptable risk for you? Either way, the reason I don't like that claim is because Common Sense is terrible advice on its own and, for the longest time, Windows Defender was terrible advice as well.
+Defender has been a properly horrible antimalware product for the longest time. Keeping a signature list of known malware is the most basic form of antimalware and any respectable antivirus product should ace this //by default//. However, Defender consistently missed well-known, widely publicized malware, including samples that were years old. Back then, tests showed detection rates around ~70% (([[https://www.youtube.com/watch?v=iWL9cHgYfRw|The PC Security Channel - Windows Defender vs Malware in 2021]], retrieved on 29.05.2026)), while products like Kaspersky or Bitdefender hit 98%. Despite that, people insisted Defender was “good enough", indicative of a complete lack of understanding of risk management or cybersecurity.
-The truth is that the people who say "Common Sense + Defender" are the same people who, before Windows Defender was a thing, just said "Common Sense". So, for us this is about the merits of Defender itself, and here we need a bit of a reality check:
+Now, Defender has improved. It finally catches the obvious malware, its detection rates have climbed to around 95%, and it’s become a passable baseline product. Ironically, this means that people who were wrong for years are now accidentally right, but for the wrong reasons. Their logic hasn’t improved - the facts just shifted closer to their narrative. It's really annoying, because the people who think Defender is enough are often the same people who would never pass up an opportunity to talk about how terrible Microsoft products are. They genuinely despise Microsoft - and for good reason. But, all of the sudden, when it comes to the antivirus, they'll turn around and say that Defender is //great//, because it's an OS level antivirus. Somehow, the possibility that Defender is deeply broken and dysfunctional because, well, it's a Microsoft product, just doesn't enter their mind. And of course it doesn't, because they don't care that much about the actual protection Defender provides. In their mind, //you// are the antivirus and Defender is a nice to have. Obviously, under these conditions it really doesn't matter whether it has a 95% detection rate like it has these days, or a 60% detection rate like back in the olden days.
-For the longest time, Defender was a //terrible// cybersecurity product. Think about it - the easiest and cheapest way to do antimalware is to keep a list of files you know are malware. If you cannot do that, you have failed as an antimalware product. And... Defender was not able to do that. The most common and most infamous pieces of malware are signatures that absolutely //everyone// should have. A few years ago, in tests against even the most well known and infamous pieces of malware, Windows Defender was not able to pick up most of these. It's a test that every malware security product should ace 100% by default, before you're even considered for further examination. Sure, knowing recent samples and reacting quickly to malware that appeared just a few hours or even days ago is a different beast... but having signatures for malware older than 5 years that was so popular it even made international news headlines... that's the least we should be able to expect.
+And yeah, it doesn't perform well. Its detection is largely signature-based, with minimal static analysis and weak to non-existent behavioral detection. There’s some anti-ransomware with protected folders, but it is unreliable. Protected Folder Access can be bypassed by malware using a single shell command. Defender does also not provide any resistance to malware that deletes Defender's signature definition files. It is even possible for malware to just set the whole PC as an exception. Registry tweaks and group policy edits allow malware to bypass it and, worst of all, none of the attack vectors I just named require any kind of privilege escalation or user input (beyond running the malware sample of course). And finally, these are //not// obscure attacks - they’re widely known in the cybersecurity community. Most of these exploits still exist and properly advanced malware //will// get through.
-In those old tests, Windows Defender would score around 40% to 60% detection rates (depending on the pool of samples chosen), which was already way behind Bitdefender and Kaspersky's 98% at the time. It was in those times that people already threw around the claim that Windows Defender is perfectly fine and that there is no reason to buy a different one. The people who said that had no clue in the slightest on what they were talking about. Again: profession of risk management, profession of cybersecurity - both are serious business, don't sully them with your ignorance.
+Lastly, I would like to address a point made about Defender that supposedly sets it apart from other security vendors. I am not going to explain what these terms mean and my response I meant for the kind of people who don't need these terms explained to them. Some supporters of Defender suggest that, because it is "OS level" or even "kernel level", that it makes it a more tamper resistant and potent antimalware product.
-One annoying part about this now is that Defender has actually been catching up over the years. It now passes the well known and infamous malware test like any other respectable product, and even its general detection rate is beginning to get to where other products are and, frankly, should be. 95% I think? There or thereabouts. The annoying thing about this is that the people are still thinking in their wrong and simplistic ideas of how the world works. The started out being utterly wrong, but over time the facts have begun to shift into aligning with some of what they say. So, now their wrong calculation just happens to spit out the right result, but they're still fundamentally wrong.
+Now, it is true that Defender is "OS level" and "kernel level", but you may be surprised to heart that this does not mean very much. Let's disregard the fact that Defender is just a poor product and is easy to tamper with, with or without OS protection. Even if it was properly programmed software that couldn't just be bypassed by well known bypasses that have been around for years... Windows offers an API that lets other antimalware register themselves as a security vendor inside of your machine. Using this integration, third party security software can get largely similar access to protections as Defender((Some keywords here are PPL and ELAM.)). However, as far as tamper protection is concerned, third party vendors have been able to protect their own resources for a long time now.
-The reality is that Defender, despite having caught up as a cheap antimalware product that has a register of signatures, doesn't have much else. The "scan" you can do with defender is still mostly a signature lookup, //not// static analysis. There is no sandboxing and barely any behavioral detection. There is some anti-ransomware with protected folders, which may or may not work. Beyond that, there are - to this day((August 28, 2025)) - massive, gaping security holes that you wouldn't believe until shown: A single shell command can set the entire PC as a scanning exception for Defender, a single shell command can just disable the Defender product as a whole or, if you want to be sneaky, you can just delete the Windows Defender definitions (the files that contain the signatures and other metrics it uses to detect malicious files) and render it utterly useless that way. Want more? Registry changes, Group Policy edits, the ways to defeat Windows Defender are so artistic they just do it for sport at this point. It does take a bit of sophistication and I'm sure Microsoft is working hard to fix those holes, so they'll closed any day now, but those things are out there.
+That brings us to the "kernel level" argument for Defender. I suspect that people misunderstand what a "kernel" is and how they are treated in the real world. Any respectable antivirus product from the last two decades that offers "real-time protection" does so, in part, by scanning the memory and activities of active processes on the machine. The antivirus has kernel level access. That's part of behavioral protection, as detailed earlier. Kernel level access has been employed in endpoint protection ever since and Defender is not special by using it. This is why the whole "OS level" idea doesn't make a lot of sense anyway. When you have kernel level, you //have// OS level.