[zaarn]

From experience; no.

A/Vs are largely attack vectors, a huge number of malware already tries to detect if an A/V is present and then uses it to get SYSTEM level privilege fairly easily.

The number of actually good A/Vs is low and in my opinion, simply use Microsoft Defender on Windows. For 0-days it's detection rate is, to my knowledge, not significantly worse than any other A/V and unlike other products they properly integrate into the system and don't disable almost all security measures of the kernel like ASLR and friends so they can inject some garbage DLL into any process.

The best protection for the intranet customer is training and regular software updates. For the average user it's to tighten up security, lock them out and then run regular updates.

[skocznymroczny]

My main reason for using Microsoft Defender is the business model. It's in best interest of A/V companies for people to have viruses, it's in best interest of Microsoft for people not to have viruses on Windows.

[alibert]

But it's not? If people catches viruses with an AV installed, they are not going to be happy with their AV solution...

Also, top AV are better at catching viruses and have less performance impact than Defender.

https://www.av-comparatives.org/tests/real-world-protection-...

https://www.av-comparatives.org/tests/performance-test-april... (Recent Defender has the most impact on system performance on all AV tested)

Obviously, it's up to you to choose between:

* Using Defender and suffer the worse system performance impact of all AV

* Not using AV but a higher risk of catching viruses

* Use third party AV with better detection and less performance impact but risk opening new vulnerability on your system.

[tripzilch]

The difference is that Microsoft has more incentive to optimise their AV against both false positives, and false negatives. And it can afford to stay invisible if there is no threat. A commercial AV has to make its presence known, and most I've seen do this constantly: If you never get a virus and the program remains silent all the time, people will wonder if they really need a commercial AV. If you never experience trouble and Microsoft Defender stays silent, you have a happy user: Windows works without issues.

[kevin_b_er]

So is Defender. The scanner runs as NT AUTHORITY/SYSTEM without any sandbox. One flaw in the scanner is a widespread and nearly wormable exploit. You can infect an entire company by just spamming them if you found an exploit in the file type parsers it uses.

Here's a bug found by Project Zero. The researcher had trouble getting the test case to Microsoft because Defender was running on their middleware boxes and would automatically scan it and die from the exploit testcase.

https://bugs.chromium.org/p/project-zero/issues/detail?id=12...

[zaarn]

Yes and basically all other A/Vs have the same problem.

Defender has some advantages, notably not disabling security settings like ASLR or injecting DLLs.

[tinus_hn]

The standard way to deal with that is putting it into an encrypted zip with a password like ‘virus’. That way it can’t be scanned.

[tripzilch]

True enough, but you don't do that before you run into it :)

[yborg]

Defender turned out to be an attack vector as well.

https://arstechnica.com/information-technology/2017/05/windo...