1. 14

This recent story about how Avast was selling their customers’ data made me wonder if those kinds of products are just smoke, something that Windows 10’s default security performs just as well, or if there’s something of value in them that I’m missing.

My personal experience is: many people I know and I have been living without any of those products, only using Windows 10’s default security mechanisms, and have had no problem at all (as far as I know).

A point of view from security professionals would be really appreciated.

  1. 20

    I’ve heard from pen-testers in my building that they now recommend Windows Defender because it’s the default one everywhere and therefore has a much larger user base for detection and reports.

    I have no idea if this is what the security community agrees with, but I thought it made sense.

    1. 12

      Yup, I can confirm that. There was a test here in Germany by a respected security firm and they found that Windows Defender really upped its game since the Vista days, being the best of all tested solutions with regard to detection, speed and security. There’s no reason to use anything else other than wanting to unnecessarily slow one’s system down or having their data sold. :P

      1. 8

        Penetration Tester here, yep I agree with that. The other AV vendors have a tendency to do some crazy kernel module behaviour that would normally be considered pretty crazy/risky whereas Defender is now much better and clearly more sanely integrated. I will say, it still feels odd suggesting Defender though, it used to be the worst.

        I should also add a note that if you are talking about Windows production servers or things that are a bit more in the “change management” role, most of the time I still suggest using Application Whitelisting over AV (or as a supplement).

        1. 1

          That’s similar to my thoughts. Makes sense too.

          1. 1

            In my personal experience pentesting (although I do far less of it now than I used to), the paid software rarely offers anything over Windows Defender, but often comes with a bunch of overheads. Most people think AV does something it doesn’t. In over 20 years of testing, AV hasn’t stopped me once. That’s not AV’s fault, it’s just not generally designed to stop the workarounds people use. What is AV’s fault is that it’s marketed as a catch-all.

            Having said that, MalwareBytes is one of the better set-and-forget antimalware tools I’ve used. For people who need that confidence or are attacked, it’s something I’ve been comfortable with suggesting for peace of mind in some cases.

            1. 5

              I have seen a number of offensive security researchers argue that antivirus is a major source of vulnerabilities (they do a lot of parsing with elevated privileges, which is a recipe for trouble).

              Windows Defender seems to have a decent reputation among them, though I believe it was still subject to a significant vulnerability a year or two ago.

              Here’s a thread collecting a few opinions: https://news.ycombinator.com/item?id=22160620.

              1. 4

                I don’t work in the security field but I have been dabbling around the edges of security for decades. My take: I don’t run Windows or Mac but if I did, I would never use any anti-virus that isn’t built into the OS. Reasons why:

                1. Anti-virus products substantially lower the performance of machines they are installed on. Not only do you have regular disk scans, but the anti-virus product itself becomes a choke-point for all data flowing into, out of, and within the machine.

                2. Anti-virus products actually increase your attack surface because they themselves can (and do!) contain vulnerabilities that bad guys can exploit to take control of your machine. They’re a very juicy target for hackers because all data and network traffic flows through them and they often have hooks into the OS kernel, TLS certificate store, etc.

                3. The companies who make anti-virus products are often inept. A few years back a major laptop manufacturer shipped an anti-virus product with their own self-signed certificate in the key store. Unfortunately, they also shipped the private key.

                4. The companies who make anti-virus products are often evil. The old adage “if it’s free, you are the product” applies. Like you mentioned, Avast was discovered to be selling all of its users’ web browsing activity to marketing companies. It is extremely unlikely that they are the only ones doing it.

                If you follow good security practices, keep your shit patched and up to date, and stay away from the shady side of the Internet, you aren’t guaranteed never to get hit with something, but the chances are very, very slim.

                1. 1

                  If you follow good security practices

                  Well… if you know karate, you don’t need to defend yourself with a pepper spray. Does that mean pepper sprays are useless for those who don’t know karate?

                  but the chances are very, very slim.

                  From my POV it’s similar to guns and vaccines. If everyone is doing it, then 1 individual can think it’s pointless to use guns and take vaccines – because this individual lives in a society that uses guns and vaccines, so even if this individual doesn’t use them personally, he benefits from the security/health conditions created by other people. So even if this person stops using guns and vaccines altogether, most probably nothing will happen. Now, if everyone stopped using guns or vaccines…

                  1. 1

                    I don’t think the equivalencies are apt here. There is also no guarantee of catching a bad thing with non-OS antiviruses. (I reply with understanding that the author wrote the quoted sentences assuming OS provided antivirus is running).

                2. 2

                  You can check various AV test sites that simply compare the products. This is one test of many:


                  Plus, the fact that you didn’t have any problems doesn’t imply that nobody had any problems with malware. A bad link in an e-mail is clicked by e.g. 1 person among thousands; at such a scale, there is a low probability that you will know the person who clicked the link. But such a click ratio is still very profitable if the spam campaign is being sent to millions of users. So, “knows a person that had problems with malware” or “doesn’t know such a person” is not a good indicator of the rationale for the existence of AV products.

                  1. 1

                    Of course, that’s why I said “My personal experience:”, just to give a context. I know it’s not a wide enough user base for making assumptions :)

                  2. 2

                    You might get a bit of an improvement from using an antivirus other than Windows Defender, but it’s likely not a big change. At most, you’ll get fewer false positives, but not better coverage of real positives.

                    It used to be a big difference years ago, but nowadays the difference between Windows Defender and the other AVs is only a tangential improvement (if any), so not worth the trouble in many cases. The business model of security companies that are only AV based has been crumbling; most of them are now investing in intelligence features, and are rebranding themselves as “endpoint” protection to avoid the obvious: AVs don’t make that much sense anymore.

                    1. 1

                      Personally I use *NIXes, but on my parents’ and aunts’ machines, I used Windows Defender. Plus I instructed them to do a backup once a week to an external USB hard drive, and leave the machine on afterwards overnight (Windows updates have a chance to transmit their data over the substandard DSL).

                      The business case for MS’s own Defender is also much clearer: they want Windows to be seen as a safe platform. Others do this: https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation

                      1. 1

                        In the olden days, when malware was written by bored kids and lazy spammers and was blatantly destructive/infected executables, they were probably more effective. Nowadays, the issues are often things like exploits (patch your systems), software violating privacy (…as the example points out, often the anti-malware software itself, and our unfortunate tolerance for this), and cryptolockers. Much of this is emergent and often backed by state-level actors.

                        Counterpoint: signature based detection (instead of heuristic or whatever techniques) will probably be fine against the kind of malware the average person will encounter.
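The signature-versus-heuristic distinction in the comment above, as an added Python example that is not part of the thread: a toy signature engine (exact hash and byte-pattern matches against a constructed database) and a toy heuristic engine (byte entropy plus a crude "connects to host:port" indicator) are run over four constructed, harmless byte strings that stand in for files. None of the samples is real malware, and the indicator thresholds and the `DemoBot.A` name are assumptions made for the demonstration, not the logic of any real product.

```python
import hashlib
import math
import re

# Constructed, harmless byte strings standing in for files on disk; none is real malware.
SAMPLES = {
    "known_commodity": b"MZ\x90\x00 DEMO-BOT v1 connect c2.example.invalid:4444 " + b"\x00" * 32,
    # Same bot, trivially changed and padded with high-entropy bytes, as a packer would.
    "repacked_variant": b"MZ\x90\x00 DEMO-BOT v2 connect c2.example.invalid:4444 " + bytes(range(256)) * 2,
    "benign_tool": b"MZ\x90\x00 hello world utility, prints a greeting " + b"\x00" * 64,
    # Legitimate network utility that happens to mention a default host:port.
    "benign_net_tool": b"MZ\x90\x00 netutil: connect test, default target localhost:8080 " + b"\x00" * 64,
}

# Signature database as a vendor would ship it: exact file hashes and byte patterns taken
# from samples already analysed. Here it is constructed from known_commodity only.
HASH_SIGNATURES = {hashlib.sha256(SAMPLES["known_commodity"]).hexdigest(): "DemoBot.A"}
PATTERN_SIGNATURES = {b"DEMO-BOT v1 connect": "DemoBot.A"}


def signature_scan(data: bytes):
    """Return the detection name for an exact hash or byte-pattern match, else None."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


HOST_PORT = re.compile(rb"[a-z0-9.-]+:\d{2,5}")


def heuristic_scan(data: bytes, entropy_threshold: float = 7.0):
    """Return the list of generic indicators that fired (empty list means clean).

    The indicators are deliberately crude (hypothetical thresholds) so the trade-off is
    visible: they catch the repacked variant the signatures miss, but also fire on a
    benign network tool, which is the false-positive cost the thread talks about.
    """
    reasons = []
    if shannon_entropy(data) > entropy_threshold:
        reasons.append("high-entropy body (packed or encrypted)")
    if b"connect" in data and HOST_PORT.search(data):
        reasons.append("connects to a host:port")
    return reasons


def scan_all(samples=SAMPLES):
    """Run both engines over every sample; returns {name: (signature_hit, heuristic_reasons)}."""
    return {name: (signature_scan(data), heuristic_scan(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (sig, reasons) in scan_all().items():
        print(f"{name:18} signature={sig!s:10} heuristic={reasons}")
```

Running it shows the four outcomes side by side: the known sample is caught by both engines, the repacked variant slips past the signatures but trips the entropy heuristic, the plain benign tool is clean under both, and the benign network tool is a heuristic false positive. Tuning that last case away without losing the variant is the balancing act the commenters attribute to Defender's "don't annoy the user" policy.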

                        1. 1

                          I used to work on anti-malware/PUA software a few years ago. I always found Windows Defender was doing a good job, but was still a bit limited in what it handled. They probably aim not to annoy the user, so it would make sense for them to avoid false positives as much as possible. I would probably use it on a Windows machine.

                          I also have a good opinion of the ESET engine, but it is not free (although a small part of it runs on most people’s computers).

                          But in the end, not downloading and running junk as admin is the best protection…