Microsoft Defender's protective capabilities suffer offline

Martin Brinkmann
Apr 22, 2022
Updated • Apr 23, 2022
Security
|
44

Microsoft Defender, the default security solutions on modern versions of the Windows operating system, has been doing well in recent antivirus tests of independent organizations such as AV-Comparatives. In 2019, it was revealed that Windows Defender had a market share of more than 50% already on Windows.

microsoft defender preview app

The most recent test by AV-Comparatives confirm the high detection and protection rate of Microsoft Defender, but it also highlights that the program's offline detection rate is weaker than the detection rate of most of the competing antivirus solutions.

According to the results of the test, Microsoft Defender had one of the worst offline detection rate results; it managed to detect 60.3% of all threats on offline devices. Only Panda Free Antivirus, with a detection rate of 40.6% , and Trend Micro Internet Security, with a detection rate of 36.1% , scored worse in the offline detection test.

The remaining 14 antivirus solutions offer better offline detection rates according to the test. Bitdefender and Total Defense Essential Antivirus, the latter uses Bitdefender's engine, detected 97.8% of all threats in tests. Many antivirus solutions detected over 90% on offline devices.

microsoft defender offline antivirus test
via AV Comparatives

Microsoft Defender fared better on Internet-connected devices. The default Windows security solution detected 98.8% of all threats and had a protection rate of 99.96%, good test results but not the best result of all tested products.

AV Comparatives switched from reporting detection ratings to reporting detection and protection ratings for all tested products. Antivirus programs may not always detect inactive malware samples, but they may recognize them when they are active; this explains the higher percentage of the protection rates in the table.

Avast and AVG, the latter is owned by Avast, scored 99.5% and 99.98% respectively, McAfee got 99.3% and 99.97% detection and protection rates, and G Data 98.6% and 99.99%.

Microsoft Defender had 4 false alarms in the test. Five products had fewer false positives, one the same result as Microsoft. ESET's Internet Security program was the only product with no false positive alarms.

Closing Words

Many devices have permanent Internet connections. The result of the offline detection test highlights how important cloud connectivity and testing is for Microsoft's security product.

Now You: which security solutions do you use to protect your devices?

Summary
Microsoft Defender's protective capabilities suffer offline
Article Name
Microsoft Defender's protective capabilities suffer offline
Description
Microsoft Defender had a weak offline detection rate in the latest AV Comparatives Windows antivirus test.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. John Sutherland said on September 13, 2022 at 2:40 pm
    Reply

    Microsoft Defender’s detection rate for push up bras and edible panties is presently unsurpassed so it’s highly unlikely I’ll be switching to another “Detector” anytime soon.

  2. Anonymous said on April 28, 2022 at 10:52 am
    Reply

    “Came across this script and finally got my Windows 11 activated github.com/devtree3/windows-11-activator-new leaving it here for anyone who needs help. It’s a new bug. You just run the .bat file and allow cmd to do it.”

    Just one recent malware campaign, where the mighty Defender, ATP, Tamper Protection, SmartScreen, Control Flow Guard, Core Isolation & ~~insert more buzzwords~~, DOES NOT BLINK AN EYE, because the malware 1st phase script simply added exceptions via built-in commandline control interface (no other mainstream AV does that, for obvious reasons).
    But Defender sure likes to WARN about the lack of Microsoft Account…

    What do all the tech journalists and by extension common folks do?
    Eat the 98.8% paid advertisements figures in av-comparatives av-test and other sell-out outlets without giving it a second thought. But the reality is that Defender is pure garbage still and much more closer to 0%, easily neutered by mildly sophisticated malware (and most malware today even from script kiddies is masquerading as useful thing, that only later on do malware things).

  3. Crow said on April 24, 2022 at 11:16 pm
    Reply

    Defender’s capabilities suffer when offline….

    Ok? And how many viruses are you getting when you’re offline? Are you just plugging in every USB you see laying around? Does anyone really use USBs anymore?

    Seems like a bit of a non issue that defender isn’t great at stopping viruses in environments where Viruses are extremely uncommon.

  4. Zardoz said on April 24, 2022 at 1:27 am
    Reply

    Now You: which security solutions do you use to protect your devices?

    Zorin OS

    You’re welcome.

  5. Linux 4 EVA said on April 24, 2022 at 1:23 am
    Reply

    Basically this means microsoft defender is completely useless, which we already knew. Its only job is to keep the datalines open to microsoft servers for datamining and advertising. Actually, it has another function as well: to flag every adobe crack as a virus =) Adobe have paid good money for this windows feature, as well as a few other companies whose overpriced products are also very easily cracked. One could say that Microsoft Defender is actually nothing more than a bribed prison guard. Then again this fits Redmond today perfectly. Dirty mafia.

  6. John said on April 24, 2022 at 12:03 am
    Reply

    Let me see if I am understanding this article correctly:

    When you are online, Microsoft Defender has a better protection rate even when scanning local files and running programs on your hard drive than it would while off-line, because it can connect with additional cloud resources not present in the local program. When you are off-line, however, Microsoft Defender’s detection rate drops, even when it comes to local stored files and locally run programs, because it can only use the Windows Defender program you have stored locally and can not connect with additional cloud resources.

    Is that a correct reading of these results?

    Initially when I read the article, it sounded like Microsoft’s detection rates for webpages and emails were good, but they were not as good at detecting malicious running programs and files. Now, I don’t think that’s what the article was saying.

    I have to admit as a non-expert, sometimes this stuff isn’t crystal clear to me, but I find it very much worth reading about and getting clarification about when I am not sure if I understand it correctly.

    1. Martin Brinkmann said on April 24, 2022 at 6:41 am
      Reply

      John, yes that is correct.

      1. John said on April 25, 2022 at 7:50 am
        Reply

        Thanks! I appreciate the confirmation. Keep up the good work.

  7. KeissP said on April 23, 2022 at 5:14 pm
    Reply

    I notice that MS Defender still false-triggers on some of the NirSoft tool.

  8. Shiva said on April 23, 2022 at 11:47 am
    Reply

    While I was checking the ‘Malware Protection Rate’ archive, to everyone’s curiosity there is a recent special test regarding uninstallation of these products commissioned by PC Magazine Germany (the same magazine that had also ordered the report ‘Data transmission in Internet security products’ which wouldn’t hurt to update after so many years).

    OT but not so much thinking about all the unnecessary additional features of antivirus: yesterday I was updating the portable build of CCleaner… (…).

  9. Bill Dietrich said on April 23, 2022 at 10:57 am
    Reply

    Typo: in “Microsoft Defender had one of the worst online detection rate results; it managed to detect 60.3%” you mean to say “offline”, not “online”.

    1. Martin Brinkmann said on April 23, 2022 at 11:38 am
      Reply

      Bill, thank you. I corrected the typo.

  10. Tachy said on April 23, 2022 at 6:18 am
    Reply

    If your device is not connected to the internet, you don’t need AV /doh!

    1. owl said on April 23, 2022 at 7:51 am
      Reply

      > If your device is not connected to the internet, you don’t need AV /doh!

      In general, this is theoretically true, but those with evil intentions are devious. They have a different capacity for thought than good people, and they come up with things that good people would not assume.
      https://www.ghacks.net/2022/04/12/microsoft-windows-security-updates-april-2022-overview/#comment-4519338
      https://www.ghacks.net/2022/04/11/symantec-says-that-hackers-distributed-a-modified-version-of-vlc-and-exploited-it-for-malware-attacks/#comment-4519247

      The risk is not limited to software: seven years ago, a backdoor was secretly embedded in a legitimate Lenovo product and sold. The astonishing incident made headlines because the backdoor code was “indestructible” even after the system was initialized, then the operating system was cleanly installed.
      Lenovo Turns Off Superfish PC Adware Following Customer Complaints – Personal Tech News – WSJ
      http://blogs.wsj.com/personal-technology/2015/02/19/lenovo-turns-off-superfish-pc-adware-following-customer-complaints/
      Lenovo: Companies working in China may have to install local backdoors | Hacker News
      https://news.ycombinator.com/item?id=18025645

      Even “closed programs” are potentially unreliable because the circumstances are similar.
      https://www.ghacks.net/2022/04/16/google-chrome-emergency-update-patches-0-day-vulnerability/#comment-4519655
      https://www.ghacks.net/2022/04/01/opera-gx-video-pickup-and-gx-profiles/#comment-4518733

      In this life, we cannot let our guard down under any circumstances. Do not be overconfident, but be vigilant.

      1. owl said on April 23, 2022 at 8:34 am
        Reply

        About the Lenovo incident case:
        Worst of all, Superfish stores the CA signature (private key) in the Superfish program, and Superfish certificates and Superfish CAs are being diverted to be common to all the world. This means that by extracting the Superfish CA private key from Superfish on a Lenovo PC, a malicious attacker can attack as much as he/she wants.
        Errata Security: Extracting the SuperFish certificate
        http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
        Lenovo has issued an official statement in response to the Superfish issue. According to the statement, “Superfish was pre-installed on Windows laptops shipped between September and December 2014, but pre-installation was stopped in January 2015. Though the original official statement was that “Superfish had been pre-installed since at least June 2014. In short, They want to fade out the case, not get to the bottom of it.
        Lenovo Newsroom | LENOVO STATEMENT ON SUPERFISH
        http://news.lenovo.com/article_display.cfm?article_id=1929

  11. Yanta said on April 23, 2022 at 3:08 am
    Reply

    Back in the day when email was text based; no images, no script, no html if one was sensible about how one conducted themselves on the net you were pretty safe. Then some damn fool said let’s imbed all of the above in email and all of a sudden a mass of malware, phising, tracking and viruses.

    Then A/V products exploded. It’s the same strategy as with medical conditions – don’t fix them – keep people sick and addict them to machines and drugs.

    Then the A/V vendors decided A/V protection was a secondary priority. Advertising, telemetry data collection and the sale of that data became the focus.

    We have now come full circle where A/V products are the virus.

    I stopped using such products in 2012. I have not had one virus that I’m aware of since then. My email will never be cloud based (cloud is by definition insecure), and all “features” of email are disabled. Plain text might not look pretty, but at least I can easily read the content that the author wanted to communicate without all the bloat.

  12. jeff-66 said on April 23, 2022 at 2:24 am
    Reply

    I just recently got 2 years of Malwarebytes for $32 (total), not bad, but after seeing the AV comparatives chart, I kind of wish I’d gone with Eset or Bitdefender. Eset looks strong, and I like their 0 false positives.

  13. Sir Chasm said on April 22, 2022 at 11:13 pm
    Reply

    I’m sure you are 100% safe and protected if you use a Microsoft account.

  14. Bill Gates LOL said on April 22, 2022 at 10:05 pm
    Reply

    Haven’t used an AV since about 2012. Haven’t updated Windows since about 2018. Running 7 and 10. A firewall is enough. I bet 80% of the “viruses” Defender tells people it found are false positives. It kept blocking legit files I was downloading that’s why I turned it off. It is mostly useless. I use virustotal to scan suspicious files occasionally.

  15. Mothy said on April 22, 2022 at 8:14 pm
    Reply

    Now You: which security solutions do you use to protect your devices?

    I use Windows Defender as one layer of defense. Other layers are as follows:

    – blocking hosts file (currently Steven Black adware+malware) that blocks connections to known bad Internet sites and ad networks (some of which have been known to re-direct to malware sites)
    – hardware firewall that blocks all incoming connections
    – software firewall on each computer in white list mode (only approved programs are allowed outbound network access)
    – always use a non-administrator account for daily use so should something make it past other layers of security the potential impact is limited to just that user account and not the whole system
    – always use critical thinking when using the computer as the person behind the keyboard (one of the most important security layers) could affect any other security measures

  16. abc123 said on April 22, 2022 at 8:13 pm
    Reply

    I wish I could use Kaspersky. They had a excellent reputation, until the Ukraine war…

  17. John G. said on April 22, 2022 at 5:19 pm
    Reply

    I think that MS won’t stop till they destroy Defender completely. Thanks for the article! :]

  18. Some1 said on April 22, 2022 at 2:52 pm
    Reply

    What is the meaning of online detection? Is it when the sample file is uploaded for analysis?

    1. Martin Brinkmann said on April 22, 2022 at 3:27 pm
      Reply

      It means that the cloud is involved in one way or another, including uploading hashes of files or uploading entire files.

      1. some1 said on April 22, 2022 at 11:27 pm
        Reply

        Thanks for the clarification.
        Why on earth does Microsoft make Windows Defender less effective offline?
        It should perform the same if you have the latest updates. this is crazy…

      2. Steve said on April 23, 2022 at 4:03 am
        Reply

        Automatic online detection is what Martin explained, and also a serious bad idea.

        Your AV solution could potential leak personal information, intellectual property, or just any other compromising stuff to these companies. And depending who accesses that you could be reported to authorities, your employer, or being black mailed.

      3. Haakon said on April 23, 2022 at 1:26 am
        Reply

        The updates for the offline tests aren’t the latest, but x days old on purpose and I don’t have the time to look up how many days that is. This is about the best way in a “real world” test for a system that has been offline for a while and put into use offline where new files are introduced via an external device (e.g. USB stick) or on a LAN without WAN internet.

        On the average, MS updates sigs/defs every four hours.

  19. owl said on April 22, 2022 at 2:11 pm
    Reply

    > Now You: which security solutions do you use to protect your devices?

    I stopped relying on “Anti-Virus Solutions” two years ago.
    Based on many years of skill, most of the risks can be prevented by avoiding potential hazards and disabling JavaScript.

    Specifically,
    Regardless of sites that are untrustworthy (cannot prove trustworthiness).
    I do not click on the URL, but check it with a tooltip (Popup ALT Attribute). For unknown sites, I check site trustworthiness with “IndicateTLS”, “Flagfox”, and “IP Address and Domain Information”.
    I use “ClearURLs” and “LocalCDN” to prevent unauthorized redirects, “uBlock Origin” to block JavaScript, and “VoodooShield” to lock down the system and block (control) all executable programs.

    Anything that requires downloading must be from the official site, and I always check the “GPG Signature” and the hash value. “Unchecky” is useful for adware protection.

    In my use case, I have not had any malware or other problems with the above techniques.
    Just to be safe, I run full scans with “Microsoft Defender”, “Start Emergency Kit Scanner”, and “Malwarebytes” on an irregular basis.

    1. BM said on April 23, 2022 at 5:47 am
      Reply

      @owl – would be good to hear how you handle your phone?

      All that for a desktop computer, but hopefully you are as thorough about your phone.

      I wouldn’t expect anything less.

      1. owl said on April 23, 2022 at 7:57 am
        Reply

        @BM,

        I got rid of my phone a long time ago.
        The only one in my possession is an iPhone loaned to me by the company for business use. It is governed by an enterprise group policy and is not customizable.
        https://www.ghacks.net/2022/01/30/what-happens-to-all-the-windows-10-devices-that-are-incompatible-with-windows-11-in-2025/#comment-4514402
        https://www.ghacks.net/2022/03/31/adduplex-windows-11s-usage-share-rise-slowed-down-to-a-crawl-in-march-2022/#comment-4518530

    2. owl said on April 23, 2022 at 4:49 am
      Reply

      About the “AV full scans” that I run irregularly:
      As a general rule, I disable “Real-time Protection” and “Cloud-delivered Protection”.
      In short, I run offline scans after manually updating the definition files.
      The reason for this is followed to @Steve’s comment.
      https://www.ghacks.net/2022/04/22/microsoft-defenders-protective-capabilities-suffer-offline/#comment-4520024

    3. owl said on April 23, 2022 at 4:26 am
      Reply

      PS,
      “uBlock Origin” can be used with the mail client “Mozilla Thunderbird”.
      gorhill/uBlock · GitHub
      https://github.com/gorhill/uBlock/releases

    4. Haakon said on April 23, 2022 at 1:14 am
      Reply

      FLAGFOX has been dysfunctional for a year or more.

      Numerous sites display the default green-globe flag with the mouse hover reporting “Unknown site / CDN” and the mouse click Geotool displaying marginal or no data.

      The forum’s “How to report a bug” links to flagfox dot servehttp dot com are 404.

      Emails daveg dot extensionfeedback at gmail com gets an auto reply with a link to that same forum’s “How to report a bug.”

      It looks like DaveG’s last post on the forum was in Jan. 2018.

      Which leads one to wonder, who’s doing the location database updates and posting on flagfox dot wordpress dot com??

      The right-click tools remain a viable and customizable feature that I use quite often.

      1. owl said on April 23, 2022 at 1:59 am
        Reply

        @Haakon,
        > FLAGFOX has been dysfunctional for a year or more……….

        It’s strange !?
        I rechecked, my current situation and there are no problems in the areas you pointed out, and it is functioning as expected.
        By the way, it is as follows.
        https://i.imgur.com/zzuqde2.png
        Flagfox
        Author: David Garrett
        Version 6.1.49
        Last Updated March 30, 2022
        Homepage??https://flagfox.wordpress.com/
        https://addons.mozilla.org/en-US/firefox/addon/flagfox/versions/

      2. Haakon said on April 23, 2022 at 8:56 pm
        Reply

        It’s an existing and recent recurrence of an old issue:
        https://flagfox.net/viewtopic.php?f=3&t=670
        The fixes discussed there need to be revisited and it seems that’s not going to happen as it’s been discussed elsewhere by others, not just by me here, for quite a while. (Since that forum topic, the checked green dot flag was replaced by a green “globe” and “unknown site” to “unknown site / CDN.”)

        Your “current situation” is pointless. Instead of investigating for yourself that the Flagfox bug reporting site (hosted by a dynamic DNS service, BTW) is expired or commenting on the extended DaveG’s absence from the forum, you post up a link to the Mozilla’s Add-ons site and some copy/pasted data pulled from the Add-ons Manager. Yup, that explains it all!

        We do get IPv4 & IPv6 address location database updates, which is welcome. But the afflicted Geotool enhancements will continue to disappoint. But, as I said, the right-click tools remain a viable and customizable feature.

        I hope some tragedy hasn’t befallen DaveG and all is well in his camp.

        End of discussion. I won’t be revisiting this thread.

    5. Frankel said on April 22, 2022 at 6:50 pm
      Reply

      > Now You: which security solutions do you use to protect your devices?

      I stopped relying on “seatbelts” two years ago.
      Based on many years of skill, most of the risks can be prevented by avoiding potential hazards and not speeding.

      Specifically,
      Regardless of roads that are untrustworthy (cannot prove trustworthiness).
      I do not drive on the interstate, but check it with a roadmap (TomTom One). For unknown routes, I check road trustworthiness with “Shell Map of Kentucky”, “Sunoco Road Map”, and “Mobilgas Washington”.
      I use “GPS” and “GLONASS” to prevent unauthorized redirects of my car, “Radar warner” to block attempts at estimating my driving speed, and “obd2 shield” to lock down the CAN bus system and block (control) all engine subroutines.

      Anything that requires biofuel must be from the official site, and I always check the “GPS Signature” and the octane value. “Petrol checker” is useful for E10 protection.

      In my use case, I have not had any accident or other problems with the above techniques.
      Just to be safe, I run full road checks with “Car buddy”, “Drive Safely™”, and “Headlights” on an irregular basis.

      Wait till i get started about the blunder that condoms are!
      /s

      1. Ben said on June 9, 2022 at 6:41 am
        Reply

        This is awesome

      2. owl said on April 23, 2022 at 1:13 am
        Reply

        @Frankel,

        That is quite a light-hearted “paraphrase”.
        Instead of “seatbelts,” I think “autopilot function” would be more appropriate.

        By the way, I own some motorbike and some sports car.
        They are not the latest model with automatic driving function, but they’re that requires steering wheel operation with a manual transmission.
        For safety, I need to check tire pressure and tread remaining.
        While driving, it is essential to pay attention to the surroundings with mirrors, etc., and to check the gauges (oil pressure, oil temperature, water temperature, tachometer).
        Driving is fun & intense pleasure, but driver awareness (safety awareness and accident prevention) is essential.
        Well, that’s the way it is.

      3. Frankel said on April 23, 2022 at 9:31 am
        Reply

        @owl

        Indeed, autopilot systems are a complete blackbox to me. Ars had a good article recently how little a LIDAR picks up, and that it usually fails already in rain. I have not to strong opinions on automatic, but I always switched gears manually in my life and don’t find it uncomfortable.

        Regarding steering wheels I prefer classic ones: The potentiometric ones just won’t feel the same to me. A few good servos and hydraulics make for the sweetest steering.

        Just my 2 cents.

    6. Trey said on April 22, 2022 at 6:20 pm
      Reply

      Your methods aren’t even remotely realistic for 99.9% of computer users.

      1. owl said on April 23, 2022 at 1:29 am
        Reply

        @Trey,
        > for 99.9% of computer users.

        I was only commenting on my methodology.
        I do not intend to say to others that they should do so.
        It just needs to be an example of “diverse methods”.
        Well, I’m not saying all of them, but I do believe that “you can (and do) share some of them”.

      2. JDR said on June 2, 2022 at 4:29 pm
        Reply

        Thanks much. Us non hacks DO need 2 self protect & learn more. That said; can u keep it simple 4 us? How (& when) 2 disable java script. We will run Full scans more. Can we load (& run) different AV Off line while still having window defender On-line? Just purchased Asus laptop: ASUS TM420U . Been off line since win.7. (but with phone).

    7. owl said on April 22, 2022 at 2:41 pm
      Reply

      Correction of sentences:
      Wrong,
      Regardless of sites that are untrustworthy (cannot prove trustworthiness).
      Correct,
      Avoid untrustworthy (cannot prove trustworthiness) sites.

    8. owl said on April 22, 2022 at 2:31 pm
      Reply

      By the way,
      Do not neglect “vulnerability measures” for your system.
      Updates to browsers and application software should be proactively applied.
      https://www.ghacks.net/2022/04/02/microsoft-update-catalog-downloads-are-now-using-https/#comment-4518855
      Google Safe Browsing:
      https://www.ghacks.net/2021/11/05/create-custom-firefox-installations-with-firefox-profilemaker/#comment-4507967
      False Positive:
      https://www.ghacks.net/2022/04/04/recover-windows-and-program-passwords-with-extpassword/#comment-4518862
      We need to learn to “Don’t rely on something”. In short, end-users themselves must self-learn and improve their knowledge and experience.
      https://www.ghacks.net/2022/04/11/symantec-says-that-hackers-distributed-a-modified-version-of-vlc-and-exploited-it-for-malware-attacks/#comment-4519247

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.