Is Windows Defender really effective in 2024? You would think any virus designer would design their stuff in a way that the default antivirus built into the product they are attacking wouldn't be able to find it...
And before you say "well duh, but signature updates", I will respond with the fact that nearly all malware is designed to auto-update... And will obviously make sure that the Windows Defender signatures fail to auto-update...
> You would think any virus designer would design their stuff in a way that the default antivirus built into the product they are attacking wouldn't be able to find it...
You would think that Microsoft would build mechanisms to prevent this. And they do. Avoiding detection is a key goal, to be fair.
> And before you say "well duh, but signature updates", I will respond with the fact that nearly all malware is designed to auto-update...
That's actually very noisy, and an important part of modern malware is avoiding detection - internal and external. Auto-updaters are pretty easy to detect. Even large ISPs will look for auto-update traffic and alert their customers (or in some cases, disable their accounts temporarily!). And once detected, these companies are very well practiced in taking down the hosts of the updates.
So that is a "fact" but it's not so black and white :)
> And will obviously make sure that the Windows Defender signatures fail to auto-update...
Sounds easy in theory, very hard in practice.
On modern systems, this requires kernel-mode/SYSTEM/specific elevated privileges. Using a kernel exploit is rare because they're hard to come by and very valuable, which limits the scope of who an attacker will bother wasting one on. UAC will complain that an unsigned binary is trying to elevate, and such functionality may even be disabled. On fleet machines, the user often cannot escalate their privileges in such a way that allows Defender to be disabled.
Anti-virus is still relevant and useful, although slowly fading into irrelevance - although there will always be a need by vendors to remove malicious software.
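Added example, not from anyone in the thread: a defender-side health check for the "signatures fail to auto-update" scenario discussed above, using the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Update-MpSignature). The 3-day staleness threshold is an assumption, not Microsoft guidance; run it in an elevated PowerShell session.

```powershell
# Added example (not from the thread): checks the things malware would need to
# tamper with to keep Defender blind: stale signatures, disabled protection
# features, and quietly added exclusions. Threshold is an assumption.

param(
    [int]$MaxSignatureAgeDays = 3
)

$status   = Get-MpComputerStatus
$prefs    = Get-MpPreference
$findings = @()

# 1. Signature freshness: stale definitions are the first sign updates are blocked.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "AV signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))"
}

# 2. Protection features that would have to be switched off to disable Defender.
foreach ($flag in 'AMServiceEnabled','AntivirusEnabled','RealTimeProtectionEnabled','BehaviorMonitorEnabled','IsTamperProtected') {
    if (-not $status.$flag) { $findings += "$flag is FALSE" }
}

# 3. Exclusions: a quiet way to make Defender ignore a path or process without disabling it.
if ($prefs.ExclusionPath)    { $findings += "Path exclusions present: $($prefs.ExclusionPath -join ', ')" }
if ($prefs.ExclusionProcess) { $findings += "Process exclusions present: $($prefs.ExclusionProcess -join ', ')" }
if ($prefs.DisableRealtimeMonitoring) { $findings += "DisableRealtimeMonitoring is set in preferences" }

# 4. Report, and try to pull fresh signatures if they are stale.
if ($findings.Count -eq 0) {
    Write-Output "Defender looks healthy: signatures v$($status.AntivirusSignatureVersion), $($status.AntivirusSignatureAge) day(s) old."
} else {
    Write-Warning "Defender health check found $($findings.Count) issue(s):"
    $findings | ForEach-Object { Write-Warning "  - $_" }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        Write-Output "Attempting a manual signature update..."
        Update-MpSignature
        Write-Output "Signature age after update: $((Get-MpComputerStatus).AntivirusSignatureAge) day(s)"
    }
}
```

If the manual update also fails on a machine with working internet access, that is the condition worth escalating: the update channel itself, not just the schedule, is being interfered with.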
The question is: are the competitors more effective in 2024 for the money you pay vs the built-in solution, while also using fewer resources to boot than Defender?
That's the question people and bean-counters ask before pulling out their wallets.
Do you know what's better than one antivirus software? Two antivirus softwares. I would not want to calculate the extra cost of additional servers to handle loads from each server just wasting CPU running AV software.
> You would think any virus designer would design their stuff in a way that the default antivirus built into the product they are attacking wouldn't be able to find it...
Why can't that also be true for any antivirus? I would be shocked if anyone who still makes viruses wouldn't check VirusTotal first.
> Windows Defender still flags every other non-trivial Go binary
I believe that is an issue with using reputation-based protection rather than an issue with antivirus heuristics; unsigned/unknown binaries get flagged.