No Installation Required
Microsoft Defender differs from other free antivirus tools in that there’s no installation required; it’s already present. When you click the Defender icon in the notification area, it opens the full Security Center. The main security screen displays large icons for virus protection and six additional feature collections. Clicking one of those icons (or its corresponding item in the left-rail menu) brings up a page for the selected security features. I’ll go into detail about these features below.
Microsoft Defender focuses mainly on real-time protection. Where many other antivirus products put a big Scan button front and center, Windows makes you work to even find the on-demand scan choices. In testing, a full scan finished in just under an hour. That’s better than the current average of 66 minutes and vastly better than its previous time of almost two hours. A repeat scan finished in less than 15 minutes.
In addition to the expected Quick, Full, and Custom scan options, Microsoft Defender offers what it calls Offline Scan. Designed to handle persistent malware that defends itself against removal by a normal scan, this scan reboots the system and runs before Windows fully loads. That also means it runs before any malware processes load, so in theory, the malware is defenseless. If you feel that you still have a malware problem after a regular scan, give the offline scan a try.
It’s true that after that initial full scan, real-time protection should handle any new attacks. However, many users like to schedule an occasional full scan for added security. You won’t find that functionality in Microsoft Defender, though. If you want to schedule a scan, you’ll have to dig into the unwieldy, threatening Task Scheduler app. Most competing products make scheduling scans much easier.
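For readers who do want a recurring full scan, the Task Scheduler entry can be created from an elevated PowerShell prompt instead of the Task Scheduler interface. This is an added example, not part of the original review; the task name, day, and time are assumptions to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example: register a weekly Microsoft Defender full scan as a scheduled task.
# The task name, day and time below are assumptions; change them to suit.

$taskName = 'Weekly Defender Full Scan'   # hypothetical task name

# Start-MpScan is the Defender module's on-demand scan cmdlet.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -Command "Start-MpScan -ScanType FullScan"'

# Fire once a week at a quiet hour.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am

# Run as SYSTEM so the scan does not depend on anyone being logged in.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Catch up if the PC was off at the scheduled time; stop a runaway scan after 4 hours.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the registration and show when the scan will next run.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastRunTime, LastTaskResult
```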
Mixed Lab-Testing Results
Some years ago, Windows Defender (as it was then called) routinely earned truly rotten scores from the independent testing labs, coming in below zero at times. At present, all four of the labs that I follow include Microsoft Defender in their regular test reports. Its scores run the gamut from perfection to failure.
Security experts at AV-Test Institute rate antivirus programs on three criteria: Protection, Performance, and Usability. An antivirus can earn up to six points for each of these, for a maximum total of 18. In the latest report, Defender takes the full six points in all three categories, for a perfect 18 points. Several other products likewise earn a perfect score in the latest test, among them Avast, AVG, and Kaspersky Security Cloud Free.
London-based SE Labs awards five levels of certification: AAA, AA, A, B, and C. Microsoft Defender aces this one, earning AAA certification. But then, all the products I follow take home AAA certification this time around, except for a lone AA for Webroot SecureAnywhere AntiVirus.
Antivirus products don’t receive a numeric score or letter grade from the researchers at AV-Comparatives. A product that passes a test gets Standard certification; one that doesn’t pass gets the label Tested. Those that do more than the minimum can rate Advanced or Advanced+. I follow three of this lab’s many tests, and Microsoft appears in the latest report for two of those. Microsoft Defender earns the basic Standard certification in both of those tests. That’s uncommon; less than a quarter of the scores I track come in below the Advanced level. Bitdefender Antivirus Plus is the only product to take Advanced+ in the latest runs of all three tests.
British testing firm MRG-Effitas runs two tests that I track. One is a pass/fail test that challenges antivirus products to defend against attacks on online banking. In the latest banking protection test, almost half the tested products fail, Defender among them.
The other test from this lab measures defense against a full range of malware types. In this test, a product that completely thwarts all the malware attacks earns Level 1 certification. A product that remediates the attacks within 24 hours gets Level 2 certification. Along with Bitdefender and F-Secure Anti-Virus, Microsoft Defender earns Level 2. Here, too, nearly half the products fail.
Each lab uses its own scoring system, which makes comparisons tough. I’ve devised an algorithm that maps them all to a 10-point scale and generates an aggregate score. The current aggregate score for Microsoft Defender is 8.8, down from 9.1 at my last review. Also tested by all four labs, Kaspersky scores a near-perfect 9.9, Norton scores 9.6, and Avast Free Antivirus takes 9.5. Looking at all products that receive scores from at least two labs, two-thirds earn a better aggregate score than Microsoft’s.
Very Good Hands-On Test Results
If you never installed any other form of malware protection, or if the antivirus you did install expires, Defender steps in and does its best to keep you safe. As we’ve seen, lab tests suggest it does a decent job, not an outstanding one. I also put it through my regular hands-on malware protection test for a real-world view of its effectiveness. I made sure to configure it to detect lower-risk items such as adware and potentially unwanted programs (PUPs). I also enabled the permission-based ransomware protection.
To start my hands-on testing, I opened a folder containing my current set of malware samples. Shortly after I did so, Microsoft Defender began very slowly picking off those that it recognized as malware. In most cases it quarantined the found threats, but it treated a handful of them as if they were actively running on the test system, despite the fact they’d never been launched. Eventually it stopped finding new samples to quarantine. At that point, it had eliminated 76% of the samples.
Next, I exposed Microsoft Defender to hand-modified copies of my sample set. To create these copies, I change the filename, append zeroes to change the file size, and overwrite some non-executable bytes. Looking just at the ones whose originals it caught on sight, Defender missed 28% of the tweaked samples. Somewhat surprisingly, it caught a couple of the modified samples whose originals slipped the net.
I took the remaining samples and launched them one by one, noting Defender’s reaction. It caught many of the remaining samples at this point, detecting 96% of them one way or another. That’s decent, but Emsisoft Anti-Malware, Malwarebytes, and McAfee all detect 100% of the samples in this collection. A product can lose points from its overall score by leaving behind traces of the malware it detected. Malwarebytes doesn’t lose a thing, coming in with a perfect 10 points, while McAfee is very close with 9.9.
Microsoft Defender scores 9.6, which is quite a good score. It’s better than any other free product tested with this same sample set. Adaware, Avast, and Bitdefender Antivirus Free Edition all score 9.2, while Kaspersky, Panda, and Avira score still lower.
I did run into one odd problem. Microsoft Defender kept finding certain malware threats over and over, even after it eliminated them. Completely deleting the folder that once contained the problem files didn’t help. A little research revealed that this is a fairly common problem, solved by deleting a detection history folder that Defender maintains. You’d think Microsoft would fix this known problem.
My malicious URL blocking test uses an ongoing feed of the newest malware-hosting URLs discovered by researchers at MRG-Effitas. These are typically no more than a few days old. I launch each URL and note whether the antivirus blocks all access to the page, eliminates the downloaded malware, or does nothing at all. Technically, SmartScreen Filter provides this protection, both for Edge and Internet Explorer, but Defender manages SmartScreen Filter. It’s worth noting that most competing products apply malicious download protection to all popular browsers, while Microsoft only protects its own.
Out of 100 malware-hosting URLs, SmartScreen Filter blocked access to 23% at the URL level and prevented download of the malware payload for another 76%. When it detected a dangerous URL, the filter diverted the browser to a warning page. The file-level protection took several forms. For some it reported the download was blocked “because it could harm your device.” Others received the label “blocked as unsafe by Microsoft Edge.” In just one case, the regular real-time antivirus detected and quarantined a threat after the download finished.
SmartScreen Filter’s overall 99% protection score, shared with Sophos Home Free and a few others, is excellent. At the very top we find McAfee and Bitdefender Free, both with 100% protection.
Poor Phishing Detection
The creators of phishing websites don’t bother learning to code. They don’t toil at creating clever Trojans to steal login credentials. Instead, they attack the weakest link—the user. Phishing pages try to fool you into giving up login credentials for your email provider, banking website, even dating and gaming sites. They do so by creating a page that looks exactly like the real thing. These sites get blacklisted and shut down quickly, but the fraudsters just gin up new ones.
To test phishing protection, I gather reported phishing URLs from various websites. I make sure to include those so new they haven’t yet been analyzed and blacklisted. After all, it’s no great feat to block websites that are on a blacklist. A real antiphishing solution needs the ability to detect frauds in real time. In addition to reporting the product’s detection rate for verified phishing pages, I compare its rate to that of the phishing protection built into Chrome, Firefox, and Edge. In this case, the product in question is SmartScreen Filter, managed by Microsoft Defender for Microsoft Edge, so I only had to compare Edge with the other two browsers.
By observation, detection rates for Edge’s built-in protection vary across a wide range. Luckily, I have an easy way to smooth out that variation. Rather than launch a new round of testing, I aggregated the results for Chrome, Edge, and Firefox from my last half-dozen phishing tests of other products.
As I expected, Microsoft’s results don’t look great. It detected just 78% of the verified phishing pages, 10 percentage points behind Firefox and 12 points behind Chrome. This score is better than the 68% Microsoft earned when last tested, but it’s still in the bottom half. At the top, F-Secure and McAfee AntiVirus Plus detected 100% of the frauds in their respective tests. Bitdefender, Norton, and Webroot came very close, with 99%.
Simple Ransomware Protection
Buried in the antivirus settings is a hidden gem that offers a degree of ransomware protection. It’s turned off by default. If you want ransomware protection (and who doesn’t?) you must scroll down to “Controlled folder access” and turn it on. By default, it protects your Documents, Pictures, Videos, Music, and Favorites folders, blocking any unauthorized attempt to modify files in these locations.
At the time of my last review, Ransomware Protection also extended to the Desktop by default, which I found annoying. I have a habit of running test programs from the desktop—Defender prevented my programs from writing to their output files. It also blocked any installer attempting to place a program icon on the desktop. By observation, Desktop is no longer included by default.
To test this feature, I used a tiny text editor that I wrote myself. I don’t know exactly which programs Microsoft has pre-authorized, but I know my TinyEditor isn’t on the guest list. When I tried to save an edited text file in the Documents folder, I got a message, “Stream write error,” and a popup from Microsoft Defender noting that it prevented the change. It also prevented my simple-minded ransomware simulator from modifying protected text files.
The similar file-protection feature in Trend Micro, Panda Free Antivirus, and a few others lets you extend trust to an unrecognized program directly from the popup warning. With Microsoft Defender, that’s not an option. To add an exception for a valid program you must awkwardly dig into the settings.
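The same Controlled folder access settings can be applied and checked from an elevated PowerShell prompt, which is also where the block events can be reviewed. This is an added example, not part of the original review; the extra folder and the program path are placeholders chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Controlled folder access, extend it, and review what it blocked.
# Both paths below are hypothetical placeholders.

$extraFolder = Join-Path $env:USERPROFILE 'Projects'      # extra folder to protect
$trustedApp  = 'C:\Tools\TinyEditor\TinyEditor.exe'       # program to allow

# Turn the feature on (it ships disabled). 'AuditMode' logs without blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Protect a folder beyond the defaults (Documents, Pictures, Videos, Music, Favorites).
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolder

# Allow a specific program to write to protected folders. Only add binaries
# you have verified; every entry widens what ransomware could abuse.
if (Test-Path -LiteralPath $trustedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp
} else {
    Write-Warning "Not adding '$trustedApp': file not found."
}

# Confirm the resulting configuration (0 = Disabled, 1 = Enabled, 2 = AuditMode).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# Review recent blocks. Event ID 1123 in the Defender operational log records
# a write that Controlled folder access prevented (1124 is the audit-mode twin).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Running in AuditMode for a few days and reading the 1124 events first shows which legitimate programs would need an allow entry before blocking is switched on.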
Windows Security Dashboard
As noted, the overall Windows Security dashboard serves as a central location to manage various security features. Clicking the icons at the left side of the main window brings up pages of security information and settings. Do note that, with a few exceptions, you don’t need to change the associated settings. In most cases Windows comes configured for proper security.
I’ve already covered features of the Virus & threat protection page. As noted, the main thing you should change here involves ransomware protection—you need to turn it on.
The Account protection page links to system settings related to your Microsoft account, including Windows Hello for logging in and the optional Dynamic lock, which locks the PC when a paired device isn’t nearby. If your PC supports Windows Hello, you can configure it to log you in based on facial or fingerprint recognition. And configuring the system to lock when your phone (or other paired device) goes out of range is smart.
From the Firewall & network protection page, you can check the status of Windows Firewall and perform simple tasks like allowing an app through the firewall. It also offers quick access to network troubleshooting and firewall configuration. Windows Firewall is effective enough that you may not need a third-party firewall.
You use the App & browser control page to configure aspects of SmartScreen Filter. It comes configured to warn if you download dangerous files or venture to dangerous websites. SmartScreen also checks web content used by Windows Store apps. Just leave these turned on. Expert users can dig in to configure exploit prevention technologies including CFG, DEP, and ASLR. If you don’t already know what those abbreviations stand for, you’re not qualified to meddle with the settings. Likewise, most users probably won’t grasp details of the information displayed on the Device security page.
The Device performance & health page includes checks for any issues with Windows Update, storage capacity, and device drivers, offering help to resolve any detected issues. On this page, you can also click for a “fresh start,” a full reinstallation of Windows that retains your documents and some settings and restores your Windows Store apps. However, the process wipes out desktop apps, including Microsoft Office and third-party antivirus, so you don’t want to use it without serious consideration.
The final page, Family options, tracks the parental control options built into Windows 10. Parental control features include content filtering, screen time control, and limiting kids to age-appropriate apps, as well as locating the children’s mobile devices. However, it works only on Windows and only in Microsoft browsers. It’s of little use in this modern multiplatform world. Certainly, it can’t compare with the best third-party parental control software.
An Able Defender
Making sure that every Windows PC has at least some degree of antivirus protection is a good move on Microsoft’s part. We used to say Windows Defender isn’t good, but it’s better than nothing. At present, we’re willing to say that Microsoft Defender is good. Some of its lab test scores are excellent now, though it took a while to reach this point. It earned a good score in our hands-on malware protection test, but it didn’t do so well at detecting phishing frauds.
The very best free antivirus utilities give you even more protection, and they earn great scores from the independent testing labs. Avast Free Antivirus and Kaspersky Security Cloud Free are our Editors’ Choice products for free antivirus protection. Kaspersky consistently gets perfect or near-perfect lab scores. Avast comes with a network inspector, a password manager, and a passel of security bonus features. You’re free to try these two, or any of our other top-rated free antivirus tools, and choose the one that suits you best. If your choice proves to be Microsoft Defender, go ahead and run with it.