Comment by teruakohatu

1 year ago

Is the consensus that third-party AV is worse than no AV, or that any AV (including Windows Defender) is worse than no AV?

In the corporate security "industry", anti-virus use is always recommended and required. The more invasive, buggy and annoying for users the better the AV probably is /s

Third party. I don't think anyone is actively opposed to Defender.

  • Microsoft itself recommends developers use a "dev drive" where defender is partially disabled because of how bad it is.

    • Dev Drive isn't because Defender is so bad but because dev behavior can look like malicious behavior. Creating a bunch of random executables, connecting to running processes, decompiling files. Stuff that would be malicious behavior from a normal user but normal for a dev.


  • AV Comparatives does testing every few months of performance impact of various AV software and Defender has never scored great there. Third party AV options have always done better while having the same or better scores in protection tests.

    • I'm not familiar with AV Comparatives. Do they have any incentives that might influence this result? Offhand, it seems like if Windows Defender is actually the right choice for basically everyone, they wouldn't have any reason to exist, so I can't help but wonder if that would affect their reporting.


  • Even defender is dumb. When you control the OS, which (in the default setup) has exclusive control of all disk reads and writes, you can be sure that if you wrote a virus-free file to disk, then it will be virus-free when you go to read the disk again.

    So, why are we doing scan-on-read (with substantial performance overhead) when we should instead be doing scan-on-write (when scanning can, in most cases, be done in idle CPU cycles)?

    • 1) virus database gets updated, what was written virus-free with the previous database may not be virus-free on the current database.

      2) removable storage devices

      3) the system drive is not controlled during reboots

      You could imagine building a system that tracks which files we wrote and with which virus database version, which resets things to be scanned across reboots and virus database updates, and has exceptions for removable devices and so on, but it screams "attack surface"...

    • Network share, the possibility that a client wrote files while the AV software was disabled, etc

      I always felt the same way about daily/weekly scans. How would anything get there if your client, server, etc all have AV? At that point it probably wouldn't be caught anyway.
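The cache sketched in the "tracks which files we wrote and with which virus database version" reply, modelled as an added example that is not from any commenter or from any real AV product. It assumes a hypothetical on-access engine with a `ScanCache` that records a clean verdict per path keyed by content hash, signature database version and boot session, and treats removable or network volumes as untrusted so that they are always scanned on read. The "signature scan" is a stand-in that matches a constructed marker string; the sample file contents are constructed too.

```python
"""Toy scan-on-write cache for an on-access AV engine (illustration only).

Added example, not code from the thread or from any AV vendor. It models the
design discussed above: scan a file when it is written, remember the verdict
together with the signature database version and the boot session, and only
scan again on read when that record no longer applies.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class CleanRecord:
    content_hash: str  # SHA-256 of the file bytes at the time of the clean scan
    db_version: int    # signature database version that produced the verdict
    boot_id: int       # boot session in which the verdict was produced


class ScanCache:
    """Decides whether a read needs a real scan or can reuse a clean verdict."""

    def __init__(self, db_version: int, boot_id: int) -> None:
        self.db_version = db_version
        self.boot_id = boot_id
        self._records: dict[str, CleanRecord] = {}
        self.scans = 0  # number of real scans performed (the cost to minimise)

    @staticmethod
    def _hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def _scan(self, data: bytes) -> bool:
        """Hypothetical signature scan: a constructed marker string means 'malware'."""
        self.scans += 1
        return b"EICAR-LIKE-MARKER" not in data  # True means clean

    def _remember(self, path: str, data: bytes) -> None:
        self._records[path] = CleanRecord(self._hash(data), self.db_version, self.boot_id)

    def on_write(self, path: str, data: bytes, trusted_volume: bool = True) -> bool:
        """Scan-on-write: scan once and record the verdict for later reads."""
        clean = self._scan(data)
        if clean and trusted_volume:
            self._remember(path, data)
        else:
            # Never cache a verdict for malware or for a volume we do not control.
            self._records.pop(path, None)
        return clean

    def on_read(self, path: str, data: bytes, trusted_volume: bool = True) -> bool:
        """Scan-on-read only when no valid clean record covers these exact bytes."""
        rec = self._records.get(path)
        if (
            trusted_volume
            and rec is not None
            and rec.db_version == self.db_version   # invalidated by signature updates
            and rec.boot_id == self.boot_id         # invalidated by reboots
            and rec.content_hash == self._hash(data)  # invalidated by offline edits
        ):
            return True  # cache hit: no scan needed
        clean = self._scan(data)
        if clean and trusted_volume:
            self._remember(path, data)
        return clean

    def update_signatures(self, new_version: int) -> None:
        """A database update makes every earlier clean verdict stale."""
        self.db_version = new_version

    def reboot(self) -> None:
        """A reboot means the disk was outside the OS's control; start a new session."""
        self.boot_id += 1


if __name__ == "__main__":
    cache = ScanCache(db_version=1, boot_id=1)
    cache.on_write("C:/app/a.exe", b"hello")          # scanned once on write
    cache.on_read("C:/app/a.exe", b"hello")           # cache hit, no scan
    cache.update_signatures(2)
    cache.on_read("C:/app/a.exe", b"hello")           # rescanned: new signatures
    cache.on_read("E:/usb/x.exe", b"x", trusted_volume=False)  # always scanned
    print("real scans performed:", cache.scans)
```

Each invalidation rule in `on_read` corresponds to one of the objections raised above: the database version check covers signature updates, the boot session check covers edits made while the OS was not running, the content hash check covers a file that was changed by something that bypassed the write path, and `trusted_volume=False` covers removable media and network shares. The cost of the design is the state itself, which is exactly the "attack surface" the reply warns about: anything that can forge or keep a stale `CleanRecord` alive turns the cache into an allowlist.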