Slashdot Mirror


Google Chrome Engineer Says Windows Defender 'the Only Well Behaved Antivirus', Cites 'Tons of Empirical Data' (onmsft.com)

Days after former Firefox developer Robert O'Callahan said that antivirus security suites are not necessary, and AV vendors are of little help, a Google Chrome engineer has echoed the same message, reaffirming that Microsoft's built-in software is indeed the most well-behaved security suite. From a report: Apparently the disdain for 3rd party AV solutions runs deep amongst browser developers, as in response to the threads a Google engineer, Justin Schuh, had this to say: "Browser makers don't complain about Microsoft Defender because we have tons of empirical data showing that it's the only well behaved AV."

17 of 231 comments

  1. I'd agree by Anonymous Coward · · Score: 5, Insightful

    I tend to agree. I used to have third party anti-virus on the wife's machine and the kids' machine, but really the most effective malware prevention is to take away root/admin privileges altogether. Anti-virus doesn't protect against the stupidity of users. If they install malware, no anti-virus will stop them. Almost everything that the anti-virus software caught was benign and were false alarms. And despite being useless, the crap software was a resource hog.

    I have since uninstalled anti-virus. I will do an occasional Malwarebytes scan, but have done so less and less frequently as I find little but tracking cookies.

    So, yes, I agree with this report.

    1. Re:I'd agree by RogueyWon · · Score: 4, Informative

      Same here, to be honest. AVG became unusable due to bloat a couple of years ago. Avast can have some serious issues when presented with a combination of Windows 10 with Anniversary Update and a Skylake CPU. The remainder all seem to be as bad as much of the malware they ostensibly protect you from.

      I confess I spent a while feeling paranoid after I finally gave in and uninstalled Avast, but a few months on, I've had no problems with a combination of Windows Defender and a weekly Malwarebytes scan.

    2. Re: I'd agree by TheRaven64 · · Score: 4, Interesting

      Doing nothing is an improvement over many third-party antivirus products. Remember the fun Norton bug last year, where they had a buffer overflow in their image parser that meant that someone sending you an email with an image attachment (even if you never opened the attachment) could run arbitrary code with kernel privilege? Quite why they thought that the part of their program that parses and inspects data that's expected to be malicious should run with kernel privilege instead of in a deprivileged sandbox was never revealed. I don't want to particularly pick on Norton here - most of the other vendors have had remotely exploitable vulnerabilities that leave you worse off than if you didn't bother with their products at all.

      Add to that, most antivirus products still use system-call interposition mechanisms that have been shown to be trivial to bypass for a decade (we used to set it as an exercise for undergrads).

      --
      I am TheRaven on Soylent News
    3. Re:I'd agree by xxxJonBoyxxx · · Score: 4, Funny

      >> I keep all my email viruses in a folder to see how long it takes AV software to catch up. It can take weeks. Sometimes they never do.

      I do this too. I also have a folder on Google Drive called "Viruses" for exactly the same purpose. It's been getting pretty full lately; I feel a little like Egon with his neighborhood-sized twinkie.

  2. I don't know about that by Anonymous Coward · · Score: 5, Funny

    I have a friend who's a Windows Defender and he just goes on and on about how great Microsoft's products are. Pretty intrusive if you ask me.

  3. Disable ad-blocker for a paragraph of twitter crap by bignetbuy · · Score: 5, Informative

    I clicked on the link, get a popup asking me to disable my ad-blocker...fine. Done. Turns out the article is about a paragraph and just regurgitates some twitter garbage. Utterly useless site.

  4. Conflict of interest by sjbe · · Score: 5, Insightful

    The problem is that every company other than Microsoft has a built in conflict of interest. The AV software companies' profit motives are not aligned with providing a good user experience. A good anti-virus system should be nearly invisible. Hard to convince customers to pony up a lot of money for security software unless you are always in their face and an anti-malware system that does this inherently results in a bad product. Worse they have to keep tacking on extra "features" and products to convince customers their product is better than the next guy's. Their business model is based on scaring customers so they buy their product based on perceptions rather than actually keeping them safe.

  5. Re:Disable ad-blocker for a paragraph of twitter c by AmiMoJo · · Score: 4, Insightful

    These engineers forgot the most effective, powerful anti-virus product that is an absolutely essential install; the ad blocker.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. As a security guy, I mostly agree... by xxxJonBoyxxx · · Score: 4, Interesting

    All the AVs today pretty much catch the same low-hanging fruit, and there's no good reason to buy a third-party bolt-on anymore.

    That said, I'm getting annoyed with AV packages still not being able to flag things like base-64-encoded PowerShell scripts or Office doc VBS scripts that make direct references to system libraries. Almost all the malware that's made it through our defenses in the past six months has used one of these two techniques (plus a little code obfuscation, but still), and none of the AV packages I've tested (via sites that scan against dozens of packages) have ever flagged any of the most effective offenders.
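
Added example, not part of the comment above and not any vendor's code: a minimal triage of process command lines that spots PowerShell's encoded-command flag in its abbreviated forms and decodes the payload for review. The keyword list, function names and sample command lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Illustrative keyword list (an assumption, not from the thread); tune per environment.
SUSPICIOUS = ("invoke-expression", "iex ", "downloadstring", "frombase64string")

def is_encoded_flag(token):
    """True for -EncodedCommand, any prefix of it (-e, -enc, ...) or the -ec alias."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)

def decode_encoded_command(cmdline):
    """Decoded script (base64 of UTF-16LE text) if cmdline is PowerShell with one, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or not re.search(r"(?i)(powershell|pwsh)(\.exe)?$", tokens[0]):
        return None
    for flag, value in zip(tokens[1:], tokens[2:]):
        if is_encoded_flag(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return ""  # flag present but payload malformed: still worth a look
    return None

def triage(cmdline):
    """Return (verdict, decoded_script) for one process-creation command line."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return ("ok", None)
    hits = [k.strip() for k in SUSPICIOUS if k in script.lower()]
    return ("alert" if hits or script == "" else "review", script)

def _enc(text):  # builds the constructed samples below
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines, not taken from real incidents.
SAMPLES = [
    r"C:\Windows\System32\notepad.exe report.txt",
    "powershell.exe -NoProfile -File backup.ps1",
    "powershell.exe -nop -enc " + _enc("Write-Output 'hello'"),
    "pwsh -EncodedCommand " + _enc("Invoke-Expression 'Get-Date'"),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line)[0], "|", line[:60])
```
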

  7. I tend to agree as well. by wierd_w · · Score: 5, Interesting

    Far too often, antivirus products follow the "cable television" market strategy:

    "Yes, we know you already pay us for a subscription, but we can get so much more out of you by forcing you to see all kinds of shit you really don't want, including adverts for all our other services."

    And, in the case of free antivirus, this too:

    "We can see that you really don't want our full package, otherwise you would have bought it instead of opting for the free version-- but we feel compelled to try to upsell you each and every possible opportunity, and won't relent at all. We will even be really obnoxious with your notification area, and make your system play audio adverts, because that's how much we really want you to have a subscription (but see the prior market strategy-- we won't let up on the ads even if you do!)"

    They invest tons of resources (both computational and time-wise) into making needlessly flashy UIs with big colorful buttons, and scary "CSI: Miami"-esque dialogs, when really--- the part that really matters-- how well they can trap execution events without bogging the system down-- seems to get nearly no love, and appears to get shittier and shittier.

    Then you have Windows Defender. It's so plain, you instinctively ignore its presence. Excepting on older XP systems, (where there was a CPU utilization bug), it runs with a very modest system footprint. It does not constantly vomit spam into your system tray, and does not try to milk you for additional service agreements, or to switch to a paid version. It behaves itself very well.

    If Avast or AVG behaved like that, instead of trying to be garishly tawdry and whorishly self-promoting like prostitutes, and reduced their system resource consumption habits accordingly, they would win hands down.

    But no, fleecing idiots is much more profitable.

  8. As an insider, can confirm by TodPunk · · Score: 5, Interesting

    I used to work for an AV vendor in their IT department. Others in my family have continued working in the software security industry for decades. They really are just bloated resource suckers with little value. As such, I haven't run anti-virus beyond Windows Defender for a little over 10 years, not even on my kids' computers. They're kept up to date, ads are blocked on my network, and I have taught my kids how to recognize an executable from other kinds of files (thank god for re-enabling file extensions being shown, the stupidest Windows default of them all).

    We had one virus when my daughter opened an email that gave her some nasty popups constantly. She learned a valuable lesson that day, but I was able to reverse it in less than an hour booting into safe mode and removing the files. Been fine otherwise.

    --
    This forum Sig is licensed under the LGPL.
  9. Re:I did a complete 180 on AV software by Piata · · Score: 4, Informative

    AV software forging SSL certificates is downright baffling. A client of mine kept having his website marked as insecure despite having an SSL certificate and all tests showing it was working properly. Turns out it was a false positive from his AV software and there's literally nothing you can do about it besides telling someone to uninstall their AV.

  10. Re:Least effective too by Anonymous Coward · · Score: 4, Informative

    https://chart.av-comparatives.org/chart1.php
    Just to summarize with a few popular AVs
    Microsoft: 97% detection rate, 23 false positives
    McAfee: 97.9% detection rate, 57 false positives
    Kaspersky: 99.8% detection rate, 1 false positive
    Avast: 99.6% detection rate, 13 false positives
    F-Secure: 99.9% detection rate, 140 false positives
    Doesn't look like MS is particularly bad.

  11. Use GNU/Linux by zakzor · · Score: 4, Insightful

    I don't use any AV software. I don't need to. I have ClamAV in a live session for customers. And that way there's no files locked.

  12. Re: MicroShaft by Anonymous Coward · · Score: 5, Informative

    They're not glorifying effectiveness (though most testing shows they all are pretty equal now) instead they're explaining that Microsoft's solution behaves well with applications which is generally true as it's less invasive.

    As a former developer of web browsers (6 years of it), I can confirm that from a developer's point of view, Microsoft hooks more cleanly into the sockets API than the others I've used.

    Don't get your panties in a bunch.

  13. Re:Disable ad-blocker for a paragraph of twitter c by Zocalo · · Score: 4, Informative

    Black-holing garbage domains (ad sources and trackers especially) is definitely a good idea but the problem with a hosts file is that you can't do wildcards, so while you can easily block "foo.domain.com" and "bar.domain.com", you can't block "{random string}.domain.com" unless you know what "{random string}" is in advance - to do that requires either a DNS based blocklist or some other software tool. That's getting to be a problem given that marketing/tracking companies are slowly (and it's taken them long enough) waking up to the possibility that you can use "{random string}" as a wildcarded DNS entry to track whether a link was looked at or not just as effectively as a custom URL or cookie.

    Also, to add to the GP's comment about the importance of an Ad-Blocker, let's not forget blocking auto-run of certain browser plugins and the ability to whitelist sites that can run JavaScript / save cookies.

    --
    UNIX? They're not even circumcised! Savages!
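
Added example, not part of the comment above: the difference between hosts-file matching (exact names only) and a DNS-style zone blocklist (the zone plus everything under it), checked against a random subdomain. The domain names, hosts-file contents and function names are constructed for illustration.

```python
def parse_hosts(text):
    """Exact hostnames black-holed by hosts-file lines such as '0.0.0.0 name'."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower().rstrip(".") for h in fields[1:])
    return blocked

def hosts_blocks(name, hosts):
    """Hosts-file semantics: the full name must be listed literally."""
    return name.lower().rstrip(".") in hosts

def zone_blocks(name, zones):
    """DNS-blocklist semantics: block the zone and every name beneath it."""
    labels = name.lower().rstrip(".").split(".")
    # Compare whole labels so 'nottracker.example' does not match 'tracker.example'.
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))

# Constructed sample data.
HOSTS_TEXT = """
# ad and tracker hosts
0.0.0.0 foo.tracker.example bar.tracker.example
127.0.0.1 localhost
"""
ZONES = {"tracker.example"}
QUERIES = ["foo.tracker.example", "x9f3k2.tracker.example", "nottracker.example"]

def compare(queries=QUERIES):
    """Return (name, blocked_by_hosts, blocked_by_zone) for each query."""
    hosts = parse_hosts(HOSTS_TEXT)
    return [(q, hosts_blocks(q, hosts), zone_blocks(q, ZONES)) for q in queries]

if __name__ == "__main__":
    for name, by_hosts, by_zone in compare():
        print(f"{name:28} hosts={by_hosts!s:5} zone={by_zone}")
```
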
  14. Re: MicroShaft by MightyMartian · · Score: 4, Insightful

    I think it's a bit more than just "Microsoft unfair advantage". Other AV products have always been monstrously bloated affairs, and have become all the worse over the last decade as they throw all kinds of other shit like firewalls and the like in. Products like McAfee and Norton have become almost as bad as the disease they purport to treat. So far as I can tell, Defender really doesn't do much more than sniff out viruses and malware, and while I agree Microsoft's insider knowledge probably gives it a bit of an edge, I think the narrower intent of the software has a lot to do with its better performance.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.