The new anti-malware features added by Microsoft in Windows 8.1 are not working well, and Windows 8.1 users are better off if they install third-party antivirus (AV) software, AV-Test told TabletPCReview this week, basing these recommendations on test scores turned in for the Windows 8 and 8.1 versions of Defender. Meanwhile, researchers from Cisco and other organizations point to rising needs for effective AV protection for PCs, tablets, and other devices.
“In general, one can say that [Windows Defender] offers the same level of protection on Windows 8 and Windows 8.1 — however, the level is not very high,” said Andreas Marx, CEO of AV-Test, in an email to TPCR.
“I would say that Microsoft (as developer of the operating system) is offering a baseline protection, but you can increase the level of security for your system by installing a free or paid-for third-party anti-malware protection.”
Introduced along with hundreds of other features in Windows 8.1, the new security capabilities include PC or tablet-based “behavioral monitoring,” along with the cloud-enabled, server-based Provable PC Health (PPCH). Both technologies are designed to protect against “Zero Day” threats and other exploits that haven’t shown up yet in antivirus databases.
“Anti-malware solutions that rely solely on signature based detection face big challenges in detecting polymorphic malware and keeping up with new varietals of malware that are released daily. To address this in Windows 8.1 we introduced behavior monitoring capability in Windows Defender. With it we can detect polymorphic and repackaged malware families based on familiar patterns of malicious behavior on the device,” said a Microsoft spokesperson, in another email to TPCR.
“Our end user goal of PPCH, as with Windows Defender, is to protect our customers with little or no user interaction and to leverage existing user workflows. Therefore PPCH doesn’t include new user experiences and notification mechanisms. We leverage the existing infrastructure and enable them to surface new notifications and actions. For example, if an active keylogger were found and removed from the user’s PC, the notification would be presented to the user in the Action Center. In addition, the cloud could initiate an account remediation action like a password reset since the MSA would be at risk. If a more serious malware infection was detected by our cloud Service, we will send immediate signatures to the client which could also trigger a user notification for advanced remediation action. The protection enhancements are designed to be seamless with the current user’s experiences.”
Microsoft: Last Place on ‘Real World Protection’
According to AV-Test’s results for Windows 8.1, conducted from May through December of 2013, Defender continues to turn in high scores for speed and low scores for “false positives” (which, of course, is a good trait).
“In case of speed,” said Marx, “we can attest that Windows Defender on 8.1 is slightly faster than on Windows 8.”
However, Windows Defender also continued to come in dead last on measures of “real world protection” — or protection against new and unknown malware — and to finish somewhat below average in detecting the sorts of known malware that are already included in virus databases.
More specifically, Defender received scores of 64 percent in November and 76 percent in December for real world protection, vs. an industry average of 94 percent.
In contrast, seven of the 24 other products tested in November received scores of 100 percent: Kaspersky, Symantec/Norton, Bitdefender, Avira Internet Security, F-Secure, Comodo, and Panda Cloud-Free.
Defender’s scores came in at 91 percent in November and 93 percent in December — as opposed to a 96 percent average — for detection of “widespread and prevalent malware discovered in the last four weeks.”
Defender did fare better in December than November. Why? The Microsoft spokesperson told TabletPCReview that Microsoft updated the cloud analysis components of PPCH in December, and that Microsoft is “continuing to enhance the analysis notification services.”
AV-Test, though, isn’t sure whether or not the update influenced the test scores.
“The results we’ve measured back in November with Defender on Windows 8.1 were much lower than usual (with Security Essentials, e.g. on Windows 7),” Marx told TPCR.
“For example, in Sep/Oct 2013, the protection score was already on the December level. It’s possible that the much-higher protection score in December is related to the enhancements Microsoft made. However, if you compare the results with the pre-November levels, it still doesn’t look very good for Microsoft.”
AV-Test conducted its December testing from December 1 through December 23, Marx said.
The Microsoft spokesperson contacted by TPCR wouldn’t say when Microsoft first activated PPCH. “We have nothing to share right now, but we will follow up if we have any more to share,” she replied.
More Results in May
Marx noted that, for Windows AV testing, AV-Test alternates among various releases of Windows. “So for example, for Sep/Oct we used XP, in Nov/Dec 2013 we switched to Windows 8/8.1 and for Jan/Feb 2014 we started to review products on Windows 7. We plan to test all products on Windows 8.1 again in Mar/Apr, so the final results will be available by mid-May,” he explained.
For its part, Microsoft didn’t give a direct answer to the question of whether Windows 8.1 users need to install third-party AV software, despite the existence of the built-in Defender.
“Windows Defender is a free, easy-to-use anti-malware program that helps protect against viruses, spyware, and other malicious software and is built directly into Windows 8/8.1. Windows Defender will be automatically activated from the first time the Windows 8/8.1 device is turned on, and will only deactivate if another AV app is running,” the Microsoft spokesperson said.
“Freedom of choice has always been the hallmark of Windows and Windows 8.1 is no different in that regard. Several of our AV partners are offering Windows 8/8.1 AV apps that are compatible with Windows 8/8.1. Those apps are available via the Windows Store as well as through other retail locations.”
Malware on Legitimate Sites
Third-party vendors offer additional arguments for using their products instead of Defender. Although some users think that they can stay safe by visiting only legitimate web sites and not opening suspicious-looking emails, this isn’t necessarily so, said Catalin Cosoi, chief security strategist at Bitdefender, in an interview with TPCR.
Indeed, according to the Cisco 2014 Annual Security Report, at least 20,000 legitimate web sites using Apache HTTP server software were compromised in 2013 by DarkLeech, a Secure Shell daemon backdoor which allowed attackers to “upload and configure malicious Apache modules.” These sites were then used to launch malware attacks against web site visitors.
Meanwhile, spam attacks are decreasing in volume but increasing in sophistication. After the Boston Marathon bombing last April, for example, spammers launched two attacks aimed at attracting email users who wanted news about the impact of the event. The spam masqueraded as messages from CNN.
“Because breaking news spam is so immediate, email users are more likely to believe the spam messages are legitimate. Spammers prey on people’s desire for more information in the wake of a major event. When spammers give online users what they want, it’s much easier to trick them into a desired action, such as clicking an infected link,” the Cisco researchers wrote.
In another interview, Gary Davis, McAfee’s VP of global consumer marketing, pointed out that Defender only provides full protection for Internet Explorer (IE), as opposed to Mozilla and other browsers — and that, unlike many third-party software providers, Microsoft doesn’t offer software for protecting mobile devices such as Android-based smartphones and tablets.
According to Cisco’s report, mobile malware targeting specific devices made up only 12 percent of all web malware encounters in 2013. “[Yet] although not a significant percentage, it is still worth noting because mobile malware is clearly an emerging — and logical — area of exploration for malware developers,” researchers stated in the report.
Andr/Adplugin-AT was the most frequently encountered mobile malware, at 43.8 percent. Users typically encountered the bug by downloading re-packaged copies of legitimate apps from “unofficial marketplaces.”
Also this week, AV-Test released test results for Android security apps, with ten of the 30 apps receiving six out of a possible eight points for performance and usability: McAfee Mobile Security 3.1; Avira’s Free Android Security 3.0; Bitdefender’s Mobile Security 2.6; G Data’s Internet Security 25.0; Kingsoft’s Mobile Security 3.3; KSMobile’s Clean Master 4.0; KSMobile’s CM Security 1.0; Qihoo’s 360 Mobile Security 1.5; Trend Micro’s Mobile Security 3.5; and TrustGo’s Mobile Security 1.3.