Tomasz Zajda - Fotolia
What Microsoft Defender Antivirus features are on Windows?
While there are plenty of viable enterprise-grade third-party desktop security platforms, Microsoft has built out a strong array of native features that IT admins can utilize.
Microsoft Defender Antivirus, formerly known as Windows Defender, is a built-in antivirus and antimalware service that comes with Windows 10, Windows 11 and some versions of Windows Server.
In its early days, IT administrators met Microsoft Defender Antivirus with a fair amount of skepticism. The perception was that it didn't provide adequate protection, especially when compared to many third-party security products and services.
Over the years, however, Microsoft has added key features that have made Microsoft Defender Antivirus a more valuable service, protecting against threats such as spyware, adware, ransomware and viruses. Because the service is built into the Windows OSes, there is no special software to deploy or maintain. But users and administrators can still configure the service's features to meet their specific needs.
Before IT administrators dive into the configuration process, they should learn the strongest features that come with the Microsoft Defender Antivirus service.
Real-time protection
Microsoft Defender Antivirus can locate and stop malware from running or installing itself on a device running Windows 10 or Windows 11. The service uses heuristic, behavioral and machine learning (ML) techniques to catch various emerging threats. It can detect new malware in suspicious files and block it within seconds. In addition, it can also detect and block potentially unwanted applications, as well as unusual changes to the file system or registry keys used for automatic startup.
Microsoft Defender Antivirus includes multiple settings that control how to address certain types of threats, when to remove them or whether to create a restore point before remediating. The service can also send notifications about device security.
Automatic and manual scanning
Integral to Microsoft Defender Antivirus is its scanning capabilities, which provide always-on protection by regularly scanning the local environment. Users and administrators can also run scans manually or schedule them to run at specific times.
These can range from quick scans, full scans, custom scans to offline scans, and they can exclude specific files or processes from their scanning operations. In addition, Microsoft Defender Antivirus can filter scanning results and specify the number of days to retain the scan history. These scans can display information about the security intelligence version running on their devices and check for updates.
Cloud protection
Microsoft Defender Antivirus utilizes cloud protection services that help to ensure more accurate and intelligent results. These services -- referred to as Microsoft Active Protection Service (MAPS) -- build on Microsoft Intelligent Security Graph, AI systems and advanced ML models. Microsoft uses MAPS to analyze large sets of interconnected data to identify new threats and deliver faster, more complete protection. Cloud integration is enabled by default, but IT can disable it at any time.
Sample submissions
The Microsoft Defender Antivirus service automatically sends sample files to Microsoft to determine whether the files represent a threat. If a file appears to contain personal information, Microsoft will notify the user. The sample submission feature is enabled by default, but administrators or users can disable it at any time.
They can also submit files manually if they suspect they might be malware or classified incorrectly as malware. The sample submission feature also helps to enhance the cloud protections available with Microsoft Defender Antivirus.
Ransomware security
Organizations with critical or proprietary business data should look into the ransomware protection features that work in conjunction with Microsoft OneDrive. If a user stores files on OneDrive and Microsoft Defender Antivirus detects a ransomware threat, the service will notify the user, remove the ransomware and help recover the user's files if possible. To work effectively, ransomware protection requires IT to configure OneDrive and folder access controls.
Access controls
Along with the ransomware tied to access controls, Microsoft Defender Antivirus includes the Tamper Protection feature based on access control, which prevents malicious applications from tampering with the service. Tamper Protection is on by default, but users and administrators can easily disable this feature.
Microsoft Defender Antivirus also offers folder access controls, which protect files and folders from unauthorized changes by malicious applications such as ransomware. This feature is off by default, but users or administrators can enable it at any time with the proper admin credentials. They can also specify which folders to protect so that only trusted apps can access those folders.
Microsoft Defender Antivirus management
If the IT management policies permit, users can configure Microsoft Defender Antivirus options through the Windows Security app in Windows 10 and Windows 11. Another option for users to manage these settings is to edit the local Group Policy settings, which they can find in Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
Desktop administrators can also use Group Policy to manage Microsoft Defender Antivirus on managed Windows endpoints. But Microsoft Endpoint Manager (MEM), PowerShell, Windows Management Instrumentation (WMI) and the mpcmdrun.exe command-line utility are also valid options.