This article answers the question whether Windows Defender (WD) is enough as protection and what Microsoft could do to improve the product. As I stated earlier, I'm not a big friend of antivirus products, but I do believe in layered security, which means we take a serious look into WD's defending mechanisms.
The article is based on Windows 10 x64 Build 1709; some changes were made to WD in Redstone 4 (RS4, 1803). Please keep in mind that I will mention these later as a side note!
The answer is no. Network filtering and signature-based scanning are included in Windows Defender, together with the EMET integration: since EMET is end-of-life, Microsoft decided to migrate its features and implement them directly in WD. Not a bad thing, I might add.
These are the things people complain about most regarding the program itself; the detection ratio doesn't seem to be a real problem for most users, especially because WD acts here like most scanners: on-demand/on-access scanning, which means it idles until something happens, like a new file landing on your HDD/SSD, a network scan or a scheduled scan.
The user interface is designed so that even beginners can understand the options, so don't expect fancy toggles or design backgrounds with flowers and Hello Kitty; less is sometimes more, and personally I have no problem with it. However, the descriptions could be improved, since the given links (the blue reference links) point to an online page; I would expect at least some basic explanation in the UI itself.
The "Controlled folder access" option acts like a ransomware protection shield, because access to certain folders gets restricted.
After you turn the protection on, these folders are protected; you can, of course, add other folders too.
The exclusions option is useful if you want to exclude specific files, processes or folders from the on-access scanning engine.
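The same two settings from the command line, as an added example that is not part of the original article: it uses the Defender PowerShell module (`Set-MpPreference`, `Add-MpPreference`, `Get-MpPreference`) to turn Controlled folder access on, protect an extra folder, allow one application through, add exclusions, and then read the resulting state back. All folder and executable paths are constructed sample values; run it from an elevated prompt on Windows 10 1709 or later.

```powershell
# Added example (not from the article): Controlled folder access and exclusions
# via the Defender PowerShell module. Paths below are constructed sample values.
# Run from an elevated PowerShell prompt on Windows 10 1709 or later.

# 1. Turn Controlled folder access on. 'AuditMode' only logs what would have been
#    blocked, which is the safer first step before switching to 'Enabled'.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an additional folder beyond the default user folders (constructed path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'

# 3. Allow one trusted application to write into protected folders (constructed path).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Tools\backup.exe'

# 4. Exclude a folder and a process from on-access scanning (constructed paths).
#    Keep this list short: every exclusion is a blind spot for the scanner.
Add-MpPreference -ExclusionPath 'D:\Build\cache'
Add-MpPreference -ExclusionProcess 'C:\Tools\compiler.exe'

# 5. Read everything back in one view.
$pref = Get-MpPreference
[pscustomobject]@{
    ControlledFolderAccess = $pref.EnableControlledFolderAccess   # 0 = Disabled, 1 = Enabled, 2 = AuditMode
    ProtectedFolders       = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
    AllowedApplications    = ($pref.ControlledFolderAccessAllowedApplications -join '; ')
    ExcludedPaths          = ($pref.ExclusionPath -join '; ')
    ExcludedProcesses      = ($pref.ExclusionProcess -join '; ')
} | Format-List

# 6. Controlled folder access writes event 1123 (blocked) and 1124 (audit only)
#    to the Defender operational log; list the most recent ones to see what the
#    shield would have stopped before you switch from AuditMode to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Running in `AuditMode` first and reading the 1124 events tells you which of your own programs (backup tools, editors, build systems) would be blocked, so you can add them as allowed applications before enforcement instead of discovering the block when a save fails.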
Windows Defender and the Windows Firewall have been connected since Windows RS3 (1709), so you can directly set up the notification settings the way you want.
Basically, this is just a graphical user interface (GUI) that bridges the Event Viewer and the Windows Defender notifications: it collects the data and displays it as red or green dots. Details are only given if there is a problem (red dot); whenever it's green, it doesn't display anything.
Nothing special here either; as mentioned earlier, WD and the firewall go hand in hand, so you basically have some toggles to play with. The three profiles are still the same as in earlier Windows versions; Public should be preferred, since it gives you the strongest default settings.
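The firewall side of the same settings, as an added example that is not from the article: it lists the three profiles side by side, makes the Public profile the strict default (inbound blocked, listen notifications on, which is what feeds the notification toggle mentioned above), shows which profile the current connection actually uses, and lists inbound allow rules that apply to the Public profile. It uses the built-in NetSecurity cmdlets (`Get-NetFirewallProfile`, `Set-NetFirewallProfile`, `Get-NetConnectionProfile`, `Get-NetFirewallRule`) and needs an elevated prompt.

```powershell
# Added example (not from the article): review the three firewall profiles and
# make Public the strict default. Elevated prompt, Windows 8 or later.

# 1. Current state of Domain, Private and Public side by side.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, NotifyOnListen |
    Format-Table -AutoSize

# 2. Public profile: enabled, unsolicited inbound traffic blocked by default, and a
#    notification whenever a program starts listening (the toggle in the Defender UI).
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block -NotifyOnListen True

# 3. The adapter's network category decides which profile is in effect right now.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize

# 4. Every enabled inbound allow rule that applies to the Public profile ("Any" means
#    all profiles) is a hole in the strict default and deserves a second look.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile, Group |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

The last query is the useful one in practice: the default Public policy is only as strong as the allow rules layered on top of it, and installers add inbound rules for all profiles more often than you would expect.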
These settings provide toggles to take control of Windows SmartScreen, system-wide and browser-wide.
[Screenshot caption: Settings are grayed out for me because I control those toggles via gpedit.msc. The default policy is "Warn" (on).]
Exploit protection is the most interesting function in WD: it's the EMET migration, and it allows you to protect your applications system-wide or per application. I see this option as very important, and it offers the layered security I mentioned at the beginning of the article.
[Screenshot caption: The defaults aren't the strongest settings, but if you turn everything on some applications might crash.]
The default list protects Microsoft-related internals like the script engine, Internet Explorer & co. You could add your own applications or browser here if you want, but from my experience it's not needed, because every modern browser already has such mechanisms integrated. It can even cause issues to add them if they're not properly built to support e.g. CFG (Control Flow Guard) & co., so you need to test whether your application crashes or not. Other programs like Anti-Exploit & co. use the same technique, which means you don't need them, because WD does exactly the same here.
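The "test whether your application crashes" step, as an added example that is not from the article: the ProcessMitigation cmdlets that ship with Windows 10 1709 (`Get-ProcessMitigation`, `Set-ProcessMitigation`) let you apply a baseline of mitigations to one executable, put the stricter ones (dynamic code, child processes) into audit mode first, check the Security-Mitigations event log for audit hits, and only then promote them to enforcement. `myapp.exe` is a constructed placeholder for the real image name; the promotion branch is automatic here only for illustration, and in practice you would read the events yourself before enforcing.

```powershell
# Added example (not from the article): trial exploit-protection mitigations on one
# application before enforcing them. 'myapp.exe' is a constructed placeholder.
# Elevated prompt, Windows 10 1709 or later.

$app = 'myapp.exe'

# 1. System-wide settings apply to every process without a per-app entry.
Get-ProcessMitigation -System

# 2. Baseline mitigations that well-built applications tolerate, plus the AUDIT
#    variants of the two that most often break software. Audit flags log a
#    would-be block instead of terminating the process.
Set-ProcessMitigation -Name $app -Enable DEP, SEHOP, BottomUp, HighEntropy, CFG, AuditDynamicCode, AuditChildProcess

# 3. Read the effective per-application policy back.
Get-ProcessMitigation -Name $app

# 4. Use the application normally for a while, then look for audit events.
#    Exploit-protection events land in the Security-Mitigations logs.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Security-Mitigations/UserMode'
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$app*" }

if ($events) {
    # The app needs JIT code or child processes; enforcing would crash it.
    Write-Host "Mitigation audit events for ${app}:"
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    # No audit hits: swap audit flags for the enforcing ones.
    Write-Host "No audit events for $app; enforcing the audited mitigations."
    Set-ProcessMitigation -Name $app `
        -Disable AuditDynamicCode, AuditChildProcess `
        -Enable BlockDynamicCode, DisallowChildProcessCreation
}

# 5. Export the complete policy as XML so it can be reviewed or re-applied elsewhere.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\exploit-protection.xml"
```

The reason to start in audit mode is exactly the crash the article warns about: a browser or a JIT-based runtime that needs to generate code at run time will die under `BlockDynamicCode`, and the audit event tells you that before the user does.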
Nothing to control here; the links point to a Microsoft page where you can configure and add the devices you want to track. This works over Microsoft's servers and allows you to see which pages your kids visited, among the other protection mechanisms shown. In my opinion this is total bullshit, but I don't have kids, so what do I know, right?! It's not as if kids can bypass this anyway or are smarter than their parents when it comes to tech, but okay.
As you can see, the engine doesn't need many system resources, even if everything is turned on; the GDI handles are almost perfect, only the memory consumption is something that could be improved here, but 131 MB is still not bad compared to other solutions I saw in my years of testing.
Scanning single files is also not a problem; the engine calls "SecHealthUI" and "SmartScreen" to inspect the object. NisSrv is the network scanner; it only requires some resources once a file is unknown and submitted to the cloud.
The engine does a good but not perfect job; the older problems with I/O performance depend on several factors, like whether there is a signature update during the scan process or how many files are really scanned and submitted to the cloud. SmartScreen by default doesn't use many resources, and you can opt out and opt back in at any time. People constantly say that it acts like a keylogger (nonsense) because it submits stuff to the cloud; I can't confirm this. The updates called from svchost.exe to update certificates, along with the unknown samples, are really lightweight, and I doubt that this submits anything important, because if you capture the traffic you see not even 100 KB per 12 hours.
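The opt-out and opt-in the paragraph refers to, as an added example that is not from the article: it reads the cloud-related Defender settings (MAPS reporting, sample submission consent, cloud block level), the Explorer SmartScreen level from the registry, and the engine and signature versions, then toggles the cloud settings off and back on using `Set-MpPreference`. The registry location and value names for SmartScreen are what Windows 10 1703+ uses for Explorer; the cmdlets and their enum values are the documented Defender ones. Elevated prompt required.

```powershell
# Added example (not from the article): inspect and toggle the Defender cloud
# settings (MAPS reporting, sample submission) and read the SmartScreen level.
# Elevated prompt, Windows 10 1709 or later.

function Get-CloudSettings {
    $p      = Get-MpPreference
    $status = Get-MpComputerStatus
    # Explorer's SmartScreen level is a registry string: "Warn", "Block" or "Off".
    $ss = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
            -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MAPSReporting        = $p.MAPSReporting         # 0 Disabled, 1 Basic, 2 Advanced
        SubmitSamplesConsent = $p.SubmitSamplesConsent  # 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
        CloudBlockLevel      = $p.CloudBlockLevel
        ExplorerSmartScreen  = $ss.SmartScreenEnabled
        EngineVersion        = $status.AMEngineVersion
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureAge         = $status.AntivirusSignatureAge
    }
}

Write-Host 'Before:'
Get-CloudSettings | Format-List

# Opt out: no telemetry to the Microsoft cloud and no sample uploads; unknown files
# are then judged by local signatures and heuristics only.
Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Write-Host 'After opt-out:'
Get-CloudSettings | Format-List

# Opt back in: Advanced MAPS, and automatic upload only of samples Defender rates as
# safe to send (files likely to contain personal data still trigger a prompt).
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

Write-Host 'After opt-in:'
Get-CloudSettings | Format-List
```

If you want to reproduce the traffic observation from the paragraph, take the "after opt-in" state as your baseline: with MAPS disabled the only remaining Defender traffic is the signature update itself, so a capture with both states side by side shows which share of the bytes is cloud lookups and which is updates.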
Microsoft improved the engine in RS4 and fixed several known issues directly related to scanning performance, which is really great. In my test I found that if you're on an older processor/BIOS which has no or a disabled virtualization technology, it had a direct impact on the overall performance; this is, however, only the case if you enabled the new "Windows Defender Application Guard" technology, which is grayed out if your CPU/BIOS has VT disabled, and for a reason: it requires Hyper-V and costs more resources. However, it also adds another layer of defense that isolates each process against exploits.
[Screenshot caption: New in 1709, the optional opt-in function which requires Hyper-V to isolate IE, Edge and your other apps against known exploitation techniques.]
[Screenshot caption: New options are coming: Account protection, Device security & Device integrity are new; the WD icon on the Settings UWP app menu is currently missing.]
Some options are good, especially the EMET option, and provide a good layer of protection; this is basically enough to harden your daily applications. The rest is a matter of taste; you might want SmartScreen or not, everything can be configured, and I found really little that makes me think about disabling WD.
Kaspersky is of course only one example; I see this product as well-known, popular and one of the pioneers when it comes to antivirus solutions, so I picked this specific one, but it represents all the other AV products too. They say Windows makes it harder for developers to keep up with the changes, and at this point I agree, but is that the real reason why they're mad at Microsoft? The truth is that Microsoft can survive without WD, while Kaspersky & co. need malware to survive: no malware, no product needed, right?! Windows Defender got better and better with each major Windows version, and Kaspersky & co. simply don't want it to get better, because why should you use another company when the integrated solution is as good as theirs? Ask yourself why you need to trust unknown strangers when you already trusted Microsoft by using Windows. If you distrust Microsoft, why do you use their product and try to fix their 'mess' with others which are not better in any way? Just think about it. They sell products; the MS solution is free. Now people say you pay with your privacy, but is that true? After I configured WD, it didn't make any connection to MS, so at this point the better advice is to inform others about the given possibilities instead of trusting random Russians and their own cloud, which basically also collects the same amount of data.
As always, I only show possibilities and want to open your mind to rethink certain things, but I do say WD is not a bad product for beginners. Advanced users might go the nerd way, working with AppLocker, GPO, secpol & co., but at some point you have to think about the normal user, and they might not want to, or can't, spend that much time messing with all the other options. I think if Microsoft would finally fix the known problems, WD is a real alternative, and I would see no argument not to use it if you want a basic on-access solution. It's again only a matter of trust: you can choose Microsoft or another provider, but nothing changes on this, you never know and you simply must trust their words once you've decided to use their products and services. Nothing is perfect, and what matters is how fast these providers fix the known problems; Microsoft is a little bit too slow here, but it's not impossible to fix. I think Microsoft has already changed a lot with each new release, and many changes make sense while others are pure gimmicks.
Go ahead, check it out, report back if you're satisfied and tell me what your wishes are.