
Windows defender for active protection and something like Malwarebytes for system scans will do fine really. 

 

Personally, I have FortiClient running which is managed through a central EMS server, but that's largely because I'm testing some of its features for work on my own environment. 


18 minutes ago, RonnieOP said:

I personally haven't used an anti-virus other than Defender in years and haven't had any issues.

 

Use common sense and you are good imo.

Common sense isn't a valid security strategy.

 

I'll link the same quote I always do in these threads:

 

Quote

Infected ads, compromised commenting systems, hijacked web platforms (WordPress/Joomla), infected office files in professional settings and a multitude of other things are out of most users control.

 

Hell, how about the millions that got infected with Trojans when CCleaner's servers got hacked and they injected the official installers?

 

"Don't download sketchy stuff" is one of the more ignorant things that can be said about computer security.

So in short, if you're blocking all JavaScript and never install a single executable, then go ahead and use common sense. Otherwise, you're vulnerable just like everyone else, and Defender ranks among the absolute worst in protection.

MacBook Pro 16 i9-9980HK - Radeon Pro 5500m 8GB - 32GB DDR4 - 2TB NVME

iPhone 12 Mini / Sony WH-1000XM4 / Bose Companion 20


Stick with Windows Defender, Microsoft has been doing a surprisingly great job with it as of late, at least in my testing. 

 

  • Decent malicious PowerShell detections, not the best but it is free and a lot better than McAfee.
  • Pretty remarkable detection of MSBuild.exe, CSC.exe, or other trusted developer utilities running malicious code. It does a pretty good job detecting stock payloads out of something like Koadic.
  • I would say excellent detections of any stock Meterpreter payload; an attacker is going to have to heavily modify their payload to sneak it past Defender.
  • In the past I've had to do some work to get MSHTA.exe to load my malicious HTA files with Defender. Again, stock payloads off tools on GitHub aren't going to work.
  • Surprisingly good detections of payloads generated by Cobalt Strike, not great but seeing as it is free, not terrible. You wouldn't expect it to be amazing because it is also a pay-for red team tool.
  • Webshells achieved through the browser or command and control over lesser known protocols like HTTP/2 with something like Merlin: Defender does a pretty bad job, but almost everything does a piss poor job of this until you get into the enterprise solutions, and they are still at best mediocre. You always need to be careful what you click.
  • Windows does a decent job of protecting your credentials; make sure you have LLMNR turned off and other antiquated DNS-like protocols. Stock mimikatz is going to get lit up by Defender. An attacker is going to have to modify it to dump your creds; here's a video on what is involved in doing that. Things like an Internal Monologue attack will still work. 
  • Not allowing unsigned executables to run is really your best bet. Windows Defender combined with some sort of application whitelisting solution is a powerful combination: AppLocker, Software Restriction Policies, some third party tool, etc. 
  • Every A/V vendor does a piss poor job of protecting your clipboard. People copy and paste out of their password managers. I don't know how paranoid you are, so I mention this.
  • Defender has good detections with things like WMIC and WMI, close to the best I've seen, period. Certainly better than McAfee.
  • Defender's in-memory detections are precisely meh, but generally so is everybody else's. This is a whole other rabbit hole of links that I won't go into.

McAfee is worse in almost every way. Windows has made some big strides in the last two years. I deal with bypassing AV regularly at work, it has gotten harder in that AV overall has gotten better but the state of AV generally speaking is still pretty bad and it is certainly not a silver bullet. I wrote this response making no assumptions about what data you have or where the computer is etc so some of this might not be relevant. 

 

Quote

Defender ranks among the absolute worst in protection.

I can tell you this is demonstrably not true. I'm not saying Defender is good, or even in the top 5, not even close, but there are a lot of AVs that would rank worse than it. Symantec: there is little difference between having Symantec on your computer and not, in terms of detections. BitDefender: really not a good product. A lot of stock/generic malicious PowerShell will sail right through. There would probably be another 5 or 6, maybe more, that I'd rank below Defender, including McAfee. 

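The post above recommends three concrete settings: keep Defender's real-time protection on, turn LLMNR off, and put an application whitelisting solution such as AppLocker in front of unsigned executables. The script below is an added example, not code from the thread or from Microsoft, that audits those three points on a Windows 10/11 box and reports PASS/FAIL for each. The registry path for the LLMNR policy (`EnableMulticast` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient`), the `Get-MpComputerStatus` and `Get-AppLockerPolicy` cmdlets and the `AppIDSvc` service name are the documented Windows ones; the check names, output layout and exit-code convention are this example's own choices.

```powershell
# Added example (not from the thread): audits Defender real-time protection,
# the LLMNR policy and AppLocker enforcement and prints PASS/FAIL per check.
# Run from an elevated PowerShell prompt on Windows 10/11.

function Test-DefenderRealtime {
    # Get-MpComputerStatus ships with the Defender module on supported builds.
    $s = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        Check  = 'Defender real-time protection enabled'
        Pass   = [bool]($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled)
        Detail = "AntivirusEnabled=$($s.AntivirusEnabled); RealTimeProtectionEnabled=$($s.RealTimeProtectionEnabled); SignatureAge=$($s.AntivirusSignatureAge)d"
    }
}

function Test-LlmnrDisabled {
    # The "Turn off multicast name resolution" policy writes EnableMulticast=0 here.
    # If the value is absent, LLMNR is still on (the Windows default).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        Check  = 'LLMNR disabled (EnableMulticast = 0)'
        Pass   = ($null -ne $val -and $val -eq 0)
        Detail = $(if ($null -eq $val) { 'policy value absent: LLMNR is on by default' } else { "EnableMulticast=$val" })
    }
}

function Test-AppLockerEnforced {
    # AppLocker only takes effect when the Application Identity service runs
    # and a rule collection's EnforcementMode is 'Enabled' (not AuditOnly).
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $enforced = @()
    if ($policy) {
        $enforced = @($policy.RuleCollections |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            ForEach-Object { $_.RuleCollectionType })
    }
    $svcState = $(if ($svc) { $svc.Status } else { 'missing' })
    [pscustomobject]@{
        Check  = 'AppLocker enforcing at least the Exe collection'
        Pass   = [bool](($svc -and $svc.Status -eq 'Running') -and ($enforced -contains 'Exe'))
        Detail = "AppIDSvc=$svcState; enforced=$(if ($enforced.Count) { $enforced -join ',' } else { 'none' })"
    }
}

$results = @(Test-DefenderRealtime; Test-LlmnrDisabled; Test-AppLockerEnforced)
$results | Format-Table Check, @{ n = 'Result'; e = { if ($_.Pass) { 'PASS' } else { 'FAIL' } } }, Detail -AutoSize

# Non-zero exit code = number of failed checks, so the script can gate a build or a login script.
$failed = @($results | Where-Object { -not $_.Pass }).Count
exit $failed
```

A FAIL on the AppLocker check with `enforced=none` is the common state on a home machine: the whitelisting the poster recommends has to be deliberately configured (a default-rule set in audit mode first, then enforcement) before it blocks anything.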

Mmmm...best AV is common sense, but I've never depended on that alone since I started using Windows for the first time.  Malwarebytes is good for scanning.  About 7 years or so ago most people I knew swore by Eset AV, but I've never used them.  Currently I use Trend Micro AV Titanium...haven't had any issues with it.  Full disclosure: I'm eating my own dog food there though since I work for them (Spokesperson is not my role, nor do I even work for their software divisions).  No, I don't care to open a discussion on its other merits, I just use it (and not the included password manager).  I think having a secondary manual scanner is a good thing (not two realtime scanners though).  McAfee let me down at a personal level back when I was on a 486 and I haven't trusted them since.  I used to use Windows 7's built-in AV and never had a massive complaint, though I was always cautious (again, common sense is your best defense).  I didn't fully trust the built-in AV, but I never really cared enough either (multiple backups including offsite backups, and then having a prepped image for deployment whenever).


30 minutes ago, Vitamanic said:

Common sense isn't a valid security strategy.

 

I'll link the same quote I always do in these threads:

 

So in short, if you're blocking all JavaScript and never install a single executable, then go ahead and use common sense. Otherwise, you're vulnerable just like everyone else, and Defender ranks among the absolute worst in protection.

And yet in years I've had no issues...


56 minutes ago, LividPanda said:

I can tell you this is demonstrably not true. I'm not saying Defender is good, or even in the top 5, not even close, but there are a lot of AVs that would rank worse than it. Symantec: there is little difference between having Symantec on your computer and not, in terms of detections. BitDefender: really not a good product. A lot of stock/generic malicious PowerShell will sail right through. There would probably be another 5 or 6, maybe more, that I'd rank below Defender, including McAfee. 

It's absolutely true, it's among the worst: https://www.av-comparatives.org/latest-tests/

 

There are a host of other independent labs out there testing this stuff too, just Google it.


2 hours ago, Brick1026 said:

So I recently upgraded my rig and have been too lazy thus far to transfer my McAfee over and have been running on Windows Defender (which has worked fine). Do I need to look into a new anti-virus/malware, and if so what do you guys recommend?

NOD32 from ESET. It's lightweight, reasonably priced and can be used on my mobile device as well. I also allow Windows Defender to be active as well, and coupled with some common sense I feel I have a very well rounded defense. Accidents happen and it's nice to have a safety net for the what-if-just-in-case.


47 minutes ago, Vitamanic said:

It's absolutely true, it's among the worst: https://www.av-comparatives.org/latest-tests/

 

There are a host of other independent labs out there testing this stuff too, just Google it.

First off, I wouldn't make any purchasing decisions based off these results and definitely not if I was evaluating AV for an enterprise. Their methodology is far from comprehensive even when it comes to their Enhanced Real-World Test 2019 – Enterprise. That test leaves tons of TTPs (Tactics, Techniques & Procedures) off the MITRE ATT&CK Framework. They use a subset of 15 different TTPs; this is terrible coverage, especially since it's all they do - compare AV solutions. I would expect a systematic, comprehensive evaluation of as many TTPs as possible when it comes to the enterprise. There are free tools on GitHub like Atomic Red Team that will test more TTPs than they do. It will also do it in an automated fashion that you can do at home. There are also pay-for enterprise tools they could be using that test a lot more than 15 TTPs, like Scythe. Any enterprise making a purchasing decision off their methodology is deeply misguided.

 

Windows Defender isn't at the bottom of their list, at least not in their Real-World Protection Test July-October 2019 or Real-World Protection Test February-May 2019. In fact in both it is basically in the middle of the pack next to a bunch of other turds. Did you actually read their reports?

 

July-October 2019 followed by February-May 2019

[attached image: Real-World Protection Test July-October 2019 results]

[attached image: Real-World Protection Test February-May 2019 results]

 

In terms of protection rate Defender actually comes in 3rd out of 11. It does have a high false positive rate.

[attached image: protection rate and false positive results]

 

I don't think any of this actually matters though. Again,  I'd call their methodology into question.

Quote

We aim to use visible and relevant malicious websites/malware that are currently out there...

How? By what means? Out of the malware they tested, what was the coverage of the MITRE ATT&CK Framework? How many of them had duplicate TTPs? These are only some of the questions I have that they don't really explain.

 

Quote

We usually try to include as many working drive-by exploits

Why? I understand they are a very common attack vector but there are tons of other ways to infect a box not involving drive-by downloads. This scope seems extremely narrow.

 

Fundamentally, how you evaluate a home AV solution and an enterprise AV solution are the same: against the MITRE ATT&CK Framework. Why do they use a small portion of MITRE for the enterprise test but not for the consumer stuff? It really shouldn't make a difference. While real-world samples should certainly play into the calculus of picking AV software, it shouldn't be the primary one. Rather than testing live samples, testing the individual techniques that any given commodity malware would try and do is much more effective, hence the MITRE ATT&CK Framework.

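The post above argues that a test set should be judged by how many distinct ATT&CK techniques it exercises, not by how many live samples it runs, and asks how many of a lab's samples were duplicate TTPs. The script below is an added example, not from the thread, AV-Comparatives or MITRE, that makes that measurement concrete: given a set of test cases each tagged with the techniques it exercises, it reports distinct-technique count, coverage against a reference list, the cases that add no technique the set already had, and the techniques never touched. The test cases and their technique mappings are constructed for illustration; the technique IDs are real ATT&CK numbers used only as sample data, and the short reference list stands in for whatever technique list you would actually evaluate against (or an Atomic Red Team index).

```powershell
# Added example (not from the thread): measures ATT&CK technique coverage of a
# test set. Cases, mappings and the reference list are constructed sample data.

# Constructed test set: each case lists the ATT&CK technique IDs it exercises.
$testCases = @(
    @{ Name = 'drive-by-1';   Techniques = @('T1189', 'T1204.002') }
    @{ Name = 'drive-by-2';   Techniques = @('T1189', 'T1204.002') }
    @{ Name = 'drive-by-3';   Techniques = @('T1189') }
    @{ Name = 'maldoc-1';     Techniques = @('T1566.001', 'T1204.002', 'T1059.001') }
    @{ Name = 'maldoc-2';     Techniques = @('T1566.001', 'T1059.001') }
    @{ Name = 'lolbin-1';     Techniques = @('T1218.005', 'T1059.001') }
    @{ Name = 'credaccess-1'; Techniques = @('T1003.001') }
)

# Constructed reference list standing in for the techniques a comprehensive
# evaluation should cover (a real list would be far longer).
$reference = @('T1189', 'T1204.002', 'T1566.001', 'T1059.001', 'T1218.005', 'T1003.001',
               'T1047', 'T1053.005', 'T1547.001', 'T1055', 'T1021.002', 'T1486')

function Get-TechniqueCoverage {
    param([array]$Cases, [string[]]$Reference)

    # How many cases exercise each technique.
    $hits = @{}
    foreach ($c in $Cases) {
        foreach ($t in $c.Techniques) { $hits[$t] = 1 + [int]$hits[$t] }
    }
    $covered   = @($Reference | Where-Object { $hits.ContainsKey($_) })
    $uncovered = @($Reference | Where-Object { -not $hits.ContainsKey($_) })

    # A case is redundant if every technique it exercises was already exercised
    # by an earlier case: it adds samples, not coverage.
    $seen = @{}
    $redundant = @()
    foreach ($c in $Cases) {
        $new = @($c.Techniques | Where-Object { -not $seen.ContainsKey($_) })
        if ($new.Count -eq 0) { $redundant += $c.Name }
        foreach ($t in $c.Techniques) { $seen[$t] = $true }
    }

    [pscustomobject]@{
        Cases              = $Cases.Count
        DistinctTechniques = $hits.Count
        ReferenceCovered   = $covered.Count
        ReferenceTotal     = $Reference.Count
        CoveragePercent    = [math]::Round(100 * $covered.Count / $Reference.Count, 1)
        Uncovered          = $uncovered
        RedundantCases     = $redundant
        HitsPerTechnique   = $hits
    }
}

$r = Get-TechniqueCoverage -Cases $testCases -Reference $reference
$summary = '{0} cases exercise {1} distinct techniques, covering {2}/{3} ({4}%) of the reference list' -f `
    $r.Cases, $r.DistinctTechniques, $r.ReferenceCovered, $r.ReferenceTotal, $r.CoveragePercent
$summary
'Redundant cases (add no new technique): ' + ($r.RedundantCases -join ', ')
'Never exercised: ' + ($r.Uncovered -join ', ')
$r.HitsPerTechnique.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

On the constructed data the seven cases collapse to six distinct techniques (50% of the twelve-entry reference list) with three redundant cases, which is the shape of the complaint in the post: a headline sample count says little until it is mapped to techniques.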
