What are you recommending for AV in 2025?
Posted by juciydriver@reddit | sysadmin | View on Reddit | 103 comments
Hey all,
Pretty much what the subject asks...
I was using S1. I've used Threatdown OneView (basically Malwarebytes) for the last year just to learn about it (mild review). I've yet to try Huntress (my understanding is it's to be used in addition to an AV). I'm currently using Guardz Cyber Security and considering switching back to S1 as they now offer integration with S1.
I'd love your feedback on what's just the best right now.
MagicBoyUK@reddit
Windows Defender.
juciydriver@reddit (OP)
Just the baked in Defender or Defender for Office 365?
Dandyman1994@reddit
It's important to clarify some terms here, because it's Microsoft and they like silly naming schemes. Also, m365maps.com is your friend.
Just Defender - comes built into OS. Will provide basic AV functionality to endpoints, but no centralised reporting and management. This is for consumers, don't rely on this as a business
Defender for Endpoint P1 - this comes as either a separate license or built into Microsoft 365 E3. This provides centralised mgmt and attack surface reduction rules, but crucially no EDR (Endpoint Detection & Response). You should be aiming for EDR as a business to provide the basic protection for endpoints.
Defender for Endpoint P2 - this comes as either a separate license, or built into either Microsoft 365 E5, or certain aspects crucially EDR, but not all of P2) as part of Business Premium. This provides EDR as well as other functionality. Of you have BP or E5, there's no real reason not to go with this
Defender for O365 P1 - this comes as either a separate license, or part of Microsoft 365 E3 or BP. This does not protect the endpoint, but provides advanced phishing and link protection, I.e. will filter emails. If you have BP or E3 licensing, this can replace (for the most part) a separate email gateway. The P2 step up includes attack phishing simulation, amongst other features.
FlavonoidsFlav@reddit
I would like to reinforce this post. This person is correct and this license information is correct. This is something you can rely on and it accurately describes what Microsoft Defender options there are in this particular realm.
AmateurishExpertise@reddit
Reading this laid out really emphasizes the utter insanity of Microsoft branding and marketing strategy.
It genuinely seems like their goal is to create as much confusion among customers as possible. Absolutely impenetrable product naming. Why not just rename Windows into Microsoft Defender for End User Hardware, at this point.
BoltActionRifleman@reddit
You forgot something in that name…it shouts be named CoPilot Defender for CoPilot User Hardware CoPilot.
HKLM_NL@reddit
Copilot not CoPilot no extra capital letter needed.
Akamiso29@reddit
CoPilot Defender for O365 Teams Premium (Extra Queso) (No Tomato)
sliverednuts@reddit
That’s how they eat from full wallets by Obfuscation!!! They need to be sued and nailed to the ground for being so silly !!!
UCB1984@reddit
I can definitely understand how some big companies have a person who only does Microsoft licensing. It's so damn confusing.
I_ride_ostriches@reddit
It’s intentionally confusing.
yaminub@reddit
I moved all of my staff that are provisioned computers to the business premium license primarily for this reason. Considering the difference between the license upgrade from standard, and the expense of renewing the 3rd party AV that was purchased by my predecessor, it made sense to go further into 365 (nonprofit rate, to be clear).
StaticFanatic3@reddit
P2, included in Business Premium, has been very good to us
NSFW_IT_Account@reddit
Is this all you run for AV or do you supplement with 3rd party as well?
Smotino1@reddit
Business premium does not include p2, it includes a sort of in between p1 and p2. Technically it is called Defender for Business.
MagicBoyUK@reddit
Baked in is fine.
MaK_1337@reddit
Defender P1 if you can
hso1217@reddit
Defender P1 doesn’t include EDR so don’t do this and get P2 or business version.
FlavonoidsFlav@reddit
This. Thank you internet stranger for spreading the word.
YeOldeWizardSleeve@reddit
Hey big spender! Windows defender! Dig this blender!
joshghz@reddit
Compromise suspenders!
BlockBannington@reddit
Confirm cooooooooooompromised on endpoint 3
joshghz@reddit
WE! SUR-RENDER!
GullibleDetective@reddit
S1 works well, so does bit def.. They can be aggressive and require tuning
Avoid McAfee, webroot, Symantec, avast, avg, cylance
Why did s1 not work for you
Masterchief1307@reddit
BitDefender, but previously and preferably Kaspersky.
Itguy1252@reddit
Huntress
staze@reddit
We've been very happy with MDE (Microsoft Defender for Endpoint). Deployment was cake.
Biggest problem really is MS doesn't care enough to "sell" it. We spent multiple years trying to replace out craptastic McAfee setup and Bitdefender and others would submit great proposals, but MS would just be like "here's out website".
We finally bought A3 (then A5) for other reasons, and were like "let's just roll this out".
Defender for Server is kind of expensive though, so servers are on S1. It seems fine? I only deal with endpoints, but S1 admin said it's fine. Our ISO wants to move everything to S1 and we keep asking why... of course, no answers. And no money...
Canoe-Whisperer@reddit
Crowdstrike Falcon
HJForsythe@reddit
Crowdstrike doesn't seem to actually *do anything*. We are a customer of theirs and use Falcon on everything. Every time I've ever asked them a question about what Falcon actually protects against they tell me that I should go in there and go threat hunting manually for IOCs. They also email me all of the time telling me how I can use Falcon to 'track Scattered Spider moving through my organization' but they don't actually prevent anything from happening? lol. What the fuck is the point?
Drakoolya@reddit
Are you actually in IT or middle management? That is the most NON-IT take I have ever seen?
HJForsythe@reddit
Yeah yeah the difference is im not a shill
AmateurishExpertise@reddit
Ever tried running any lab testing with live malware? CS is pretty darn good...
Perfect_Eye2062@reddit
I’m trying to find a good way to evaluate the performance of CrowdStrike, and I was really interested to see your comment about lab testing with live malware. How can I go about running a lab test like that safely and effectively? I’d really appreciate any guidance or best practices you can share.
hondakevin21@reddit
Take a look at the MITRE Caldera (https://caldera.mitre.org/) or Atomic Red Team (https://www.atomicredteam.io/) for testing you can run in a lab to test your security stack.
Perfect_Eye2062@reddit
Thank you!
Cookie_Eater108@reddit
Seconding this.
Might be a bit pricier than other solutions but it works great.
AmateurishExpertise@reddit
Thirding this. EDR is the way, and CS has the formula for EDR.
r3almaplesyrup@reddit
Fourthing this. It’s definitely pricey, but it works great and never noticed by any user. Their support team is terrific too
cosmos7@reddit
Crowdstrike is definitely great and has caught bad actors for us. However it doesn't play nice with a number of our build nodes and severely hampers performance unless we disable it... which defeats the whole thing.
r3almaplesyrup@reddit
Interesting, out of curiosity, and if you don’t mind sharing, what OS are you running on your build nodes?
Will also add for context, our company joined after the Crowdstrike incident, so was never impacted by that.
cosmos7@reddit
It's the Windows build nodes that suffer performance issues, the linux ones don't have the same problems. We've gone through and worked to create exclusions, but we see about a 40% performance hit with CS enabled.
Drakoolya@reddit
That is wild.
AmateurishExpertise@reddit
Have you tried raising this with CS support? Without knowing the details I would imagine there are some configuration changes and narrow exclusions you could craft to eliminate this problem without dropping your shields too much.
Canoe-Whisperer@reddit
*Works great, nice and light and keeps the security people at my shop quiet (credits to them, they decide what AV we use).
*Except when the intern is let loose, pushes an update and takes down half the worlds computers and servers haha
enigmaunbound@reddit
The guy who fired off that update had privileges to bypass the pipeline. Look for the exceptional employees not the intern.
sexybobo@reddit
The fact that an employee had privileges to bypass the pipeline shows their internal processes aren't good and not someone I would choose to do business with.
enigmaunbound@reddit
Agreed. Also, find me one place where there are no exceptions.
yanni99@reddit
Crowdstrike f'ed up by doing worse than what they were supposed to prevent.
They are a no go for me no matter how much they've improved their processes.
sexybobo@reddit
Yeah, the fact that they pushed a patch that blue screened every device that got the update puts them on my do not purchase list. I know they have to be quick with pushing out updates but it would have taken 15 min to test in a lab to make sure they didn't cause a global computer outage. It shows a real lacks of good processes inside the company.
No_Investigator3369@reddit
Honestly this is just Agile shit software era. Have you not been to haveibeenpwned yet? This whole era of "lets use open source because others can inspect the code and contribute" and then never spend any time contributing has led to less developers being hired for the money they should be paid and now with AI and low code or low effort coding this is going to be a fast race to the bottom.
vppencilsharpening@reddit
Crowdstrike Falcon is the one the team seems to be most happy with. Their quarterly (I think) review was a nice feature that allowed us to ensure we had things setup correctly. S1 is close, though I feel like we are getting more false positives.
Not thrilled with Malwarebytes, but the business wants to move to that with Windows Defender for Endpoint.
I'm close enough to the teams managing this to hear their feedback, but not in it day-to-day, so take my input with that info.
PlayfulSolution4661@reddit
Defender + Huntress
SpotlessCheetah@reddit
SentinelOne here. I am happy with it. Easy to deploy on Mac and PC, configure and setup.
juciydriver@reddit (OP)
I agree. The deployment was great. Threatdown was good too but, I really don't hear much about it and, I'd prefer to trust my security to industry leaders.
SpicyCaso@reddit
Inherited an environment with SentinelOne and it’s been smooth along with integration to ArcticWolf for MDR.
Rawme9@reddit
S1 is absolutely at the top of the industry.
Comfortable_Store_67@reddit
+1 for S1
hitosama@reddit
SentinelOne is pretty much a security leader when it comes to EDR. Along with MS, CrowdStrike and Palo Alto.
funnystone64@reddit
Why do you have the impression that its not a “industry leader”? It’s right up there with crowdstrike and MS defender. Many people have talked about it on this subreddit.
bbell6238@reddit
Sophos central
gtachecker@reddit
ESET
chum-guzzling-shark@reddit
been using it for years and havent had issues. also havent had it catch much of anything. I think the layers of security, primarily application whitelisting, has done the heavy lifting
j5kDM3akVnhv@reddit
We use layered defense with Defender P1 and P2 for email and ESET for AV. ESET has been a great product for us for years for the AV side but recently their Outlook add-in (for Classic Outlook not new Outlook) has started interfering/overriding Defender's ability to remediate spam emails but not for everyone in our org - only for a handful out of about 70 users. Even after disabling the add-in in ESET policy configuration on the local machine. I'm really stumped on how to correct this.
AdmMonkey@reddit
ESET would be my choice.
neldur@reddit
ESET is great. It’s been reliable and has successfully defended us many times.
mikerg@reddit
Another vote for Eset. It has a small footprint and great central management.
Mindestiny@reddit
Anything marketed as AV is generally crap these days. You need an EDR solution that's also AV/AM.
Microsoft Defender is a great, affordable option for those already hip deep in the MS stack
vane1978@reddit
S1 Vigilance Respond Pro
theveganite@reddit
Cybereason
Glittering_Wafer7623@reddit
We used Sophos with Huntress for years with good success. We recently swapped Sophos out for SentinelOne (still kept Huntress) and it's been a great combo.
MidninBR@reddit
I’m with windows defender and E3 licenses. Turn on everything you can
dstranathan@reddit
Huge SentinelOne fan personally for EDR.
DevinSysAdmin@reddit
You should go with Huntress per your comments you've made in this post.
seeker1321@reddit
Public Library, we tried S1 and it was great but ended up being out of our budget. We have had Huntress with Windows Defender for almost a year now, and have been pleased with the service and level of protection
bratch@reddit
Nothing, just don't be an administrator. Or Defender along with that.
Gold-Antelope-4078@reddit
Kaspersky my comrade. 😜
cor315@reddit
We use Malwarebytes(now Threatdown) Nebula. Been using it for 5 years now. Pretty happy with it.
xendr0me@reddit
So, your mixing terms, some of these are AV and some are NGAV/EDR. I think you need to decided on what level of product you are asking about/looking for before continuing down the task.
Regular_IT_2167@reddit
it seems that most traditional AV vendors also have an EDR product at this point as well
juciydriver@reddit (OP)
You are absolutely correct. I should have clarified I need EDR. What do you recommend for small offices? None of my customers have more than 20 workstations.
SpotlessCheetah@reddit
Since you're an MSP, then I would really recommend S1 because you can separate and manage multiple tenants in your console.
Ape_Escape_Economy@reddit
Don’t sleep on Check Point, great products and ecosystem!
Also throwing a resource out for you, MITRE ATT&CK results:
https://attackevals.mitre.org/
raffey_goode@reddit
ctrl+F "Trend" 0 results damn. we use trend micro, it keeps us safe, their vision one platform has really gotten better over time
drpopkorne@reddit
Defender for Endpoint P2
Financial_Gur5994@reddit
Watchguard EPDR.
Bronze-Playa@reddit
Not a recommendation but we use Sophos
Suck_my_nuts_Dave@reddit
Their EDR hasn't let us down yet and not too pricey
Ok_Camp_9140@reddit
Crowdstrike ESET BitDefender Gravityzone Malwarebytes Threat down Acronis Cyber Protect Cloud Sophos XDR
malikto44@reddit
Recently, for a SOHO/SMB shop that needs to have enterprise tier protection, they went with P2 and CS. Just one person, but with the work they are doing, they need to sign off that they have a high tier of protection.
JwCS8pjrh3QBWfL@reddit
Doing it right isn't hard when you're starting from a clean sheet, it's just difficult to rework 20-30yrs of bullshit to make it right.
ViperThunder@reddit
we use Symantec Endpoint Protection (now owned by Broadcom), and altho I cant really recommend it because I don't like the UI, it does work and it does catch all the shady things, connects to our SIEM rapid7 nicely, and we use it like app locker to block users from running exe, bat, etc
Bezos_Balls@reddit
I personally think e5 / P2 Defender is better than Crowdstrike but that’s just my opinion. And if you’re using M365 it’s a no brainer. Without P2 it kinda sucks.
Tymanthius@reddit
On personal PC? or in the work deployment?
juciydriver@reddit (OP)
Starting with my office but, something I'd like to roll out to my customers.
Smotino1@reddit
I would also lean towards defender as its easier to manage cross tenant if its a requirement for you. Not to forgot that there is a lot of connector for entra if you are building a security stack and looking for other solution integrations as well
zzmorg82@reddit
CrowdStrike 🗿
/s
But for real; we’ve been using Huntress with built in Defender and it’s been pretty solid.
theekls@reddit
Defender for end point 2. If you can convince them to roll into e5 licences or e5 security bolt on, all the better!
Fallingdamage@reddit
eSet Suite.
We recently had a Blue Team pentest of our environment. Windows Firewall is turned off on our domain joined PCs and we had eset firewall and antivirus running. Across 200 workstations, they found exactly 0.
We pulled out eset console logs the next day and there were 70,000 total exploits attempts made against those workstations. Eset caught every single one.
comerReto@reddit
I wish I had more hands on experience with products mentioned here, but I think the difference between desktop AV and EDR is an important distinction.
Your best bet may be to reach out to a sales rep and see what sort of trial options they have.
At any rate, W11 defender should be suitable for most personal use cases.
Secure DNS or web filtering are important in all cases.
Banluil@reddit
ESET here, works fairly well, deployment is easy and setup for any exceptions are easy as well.
swissthoemu@reddit
Defender
cryonova@reddit
Defender.
fp4@reddit
Defender for Endpoint P2 if you’re already in the 365 ecosystem.