Monday, March 26, 2018

Microsoft Defender - out of the darkness into the light

Often customers ask me for advice in regards of Antivirus. The next I explain in general is the difference between user-mode and kernel-mode. To make a long story short. Antivirus solutions use in general kernel-mode filter drivers. When you do there a mistake then you will see a bluescreen. Internal studies for reasons of bluescreens reveal 70% bugs in filter drivers from 3rd parties.

There are some AV vendors out there with a very poor code quality in filter drivers. I will not blame here specific vendors. The users of these vendors often raise complaints to me about them. Unfortunately these vendors have extra ordinary enterprise management capabilities. So you see pros and cons.

On the other side I hear often the "old" stories about Microsoft Windows Defender in terms of AV scanning results. Its absolutely true that these results were in the past - before June 2015 - very bad (specifically the tests from independent (how independent they are in reality I can neither proof nor deny!)). 

MS did a complete rewrite of the code and structure they are using. Combining with new technologies like block on first sight, machine learning and many more. This brought up a very good AV solution right now.

In the past I used for example AVIRA for my personal computer. But now I can state there is no other paid AV solution necessary for me. I started also in trusting Microsoft Windows Defender and its companion SystemCenter Endpoint Protection (actually the same engine. Only the management plugin makes the defender enterprise ready.)

To get the full story also checkout this blog entry from Brad Anderson.