Microsoft has stuck with Windows Defender. For several years it mostly sat there and didn’t do much. (I’m sure some Microsoft person just cringed.) But now it is a full-fledged antivirus, antimalware and anti-ransomware engine that is built in and free. It is designed specifically to protect Windows 10, and it does so not only with signature definitions, definition-less behavior monitoring and drive-by download blocking, but also by catching fileless malware that runs in memory through abused WMI, PowerShell, VBScript and DLLs. I’m going to argue that it’s the best way to protect your Windows 10 computers; in my MSP practice we’ve made the decision not to install any third-party A/V onto Windows 10 computers. In fact, Defender was recently credited with averting what could have been a massive worldwide cyberattack.
For those of you who aren’t there yet, you should know that Microsoft has made a big deal about Defender playing nicely with other antivirus applications. What that means in practice is that Defender takes a back seat and you lose some significant security features. Let’s take a look at what happens when you install another A/V product onto Windows 10.
Windows Defender passive mode
Windows Defender has two modes, active and passive. The mode is switched automatically depending on whether another A/V is present on the machine. Defender learns this through the Windows Security Center: the other A/V has to register itself there as an antivirus product. Certainly, by now they all should, but you could encounter some that don’t, and I would call their modernity into question if that is the case.
Active mode: This is when Defender is on and no third-party A/V is installed. You get enhanced rootkit and bootkit detection, offline scanning and cleaning, online scanning and cleaning, and real-time protection from viruses, malware, rootkits and spyware. It also has cloud-delivered protection for near-instant updates and verdicts that draw on the telemetry and machine learning behind Microsoft’s cloud service.
Passive mode: This is when a third-party antivirus product is installed. When this occurs, Windows Defender A/V is disabled: real-time protection stops and nothing is scanned unless you ask for it. You do have one option, though. You can manually enable something called “limited periodic scanning.” Consider it a fail-safe. When enabled, Defender will occasionally run a quick scan alongside the other product. To enable it, open Windows Security (Windows Defender Security Center) and go to Virus & threat protection. There you’ll see your antivirus software listed. Expand the Windows Defender Antivirus options and toggle Periodic scanning to On.
Many of the blogs you’ll see on the Internet say that Windows Defender Antivirus gets disabled automatically when you install a third-party A/V product. This is true, but it isn’t as straightforward as it sounds. What is frequently missed is that other defensive features are also disabled, because they are built on the real-time protection engine that is part of the A/V feature set in Defender.
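To see for yourself which mode a given machine is in, which products have registered with the Windows Security Center, and whether the features that ride on real-time protection are configured, here is an added PowerShell check (example code written for this article, not Microsoft’s or the original author’s). It uses only the built-in Defender cmdlets and the SecurityCenter2 WMI namespace; the decoding of the WMI productState bitmask is the widely used community interpretation and is labelled as an assumption in the comments. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): report whether Defender is in
# active or passive mode, which third-party products have registered with the
# Windows Security Center, and whether the features that depend on real-time
# protection (ASR, network protection, controlled folder access) are set.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Any third-party product that wants Defender to step aside registers here.
# productState is an undocumented bitmask; the decoding below is the common
# community interpretation (assumption), so treat it as a hint, not a verdict.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
foreach ($p in $products) {
    $hex      = '{0:X6}' -f $p.productState
    $enabled  = $hex.Substring(2, 2) -eq '10'
    $outdated = $hex.Substring(4, 2) -ne '00'
    '{0,-45} enabled={1,-5} outdated={2}' -f $p.displayName, $enabled, $outdated
}

# AMRunningMode reports 'Normal', 'Passive Mode' or 'EDR Block Mode' on builds
# that expose it; older builds lack the property, so fall back to the
# real-time protection flag, which is what actually goes away in passive mode.
$mode = if ($status.PSObject.Properties['AMRunningMode']) { $status.AMRunningMode }
        elseif ($status.RealTimeProtectionEnabled)        { 'Normal (inferred)' }
        else                                              { 'Passive (inferred)' }

[pscustomobject]@{
    RunningMode            = $mode
    AntivirusEnabled       = $status.AntivirusEnabled
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    BehaviorMonitor        = $status.BehaviorMonitorEnabled
    IoavProtection         = $status.IoavProtectionEnabled        # scanning of downloads/attachments
    SignaturesLastUpdated  = $status.AntivirusSignatureLastUpdated
    ASRRulesConfigured     = @($pref.AttackSurfaceReductionRules_Ids).Count
    NetworkProtection      = $pref.EnableNetworkProtection        # 0=Disabled 1=Enabled 2=AuditMode
    ControlledFolderAccess = $pref.EnableControlledFolderAccess   # 0=Disabled 1=Enabled 2=AuditMode
    MAPSReporting          = $pref.MAPSReporting                  # cloud-delivered protection level
} | Format-List

# Note: the preference values survive a switch to passive mode, but they are
# only enforced while RealTimeProtection is True. Settings are not protection.
```

The last point is the one that bites in practice: a Group Policy or Intune report will happily show ASR rules as “configured” on a machine where a third-party A/V has put Defender into passive mode, and none of them are being enforced.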
Malware protections get disabled, too
Below is a chart showing that attack surface reduction, network protection and controlled folder access are also disabled when real-time protection is not enabled (which is another way of saying that Defender is in passive mode).
You’ll note in the table above that Defender comes in two flavors: with ATP (Advanced Threat Protection) or without (standard). To get the ATP version, you need one of the following license types. For the rest of us it’s the standard version of Defender, which is what I’m going to talk about for the rest of this article, because ATP is really a different animal that includes single-pane-of-glass management, threat hunting, remediation, and more.
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Windows Defender ATP add-on
The real question is, of course, what do I actually lose? To answer that you need to understand what attack surface reduction, network protection, and controlled folder access do to protect Windows 10. We have the following definitions:
Attack surface reduction rules include the following (the full rule set is longer and has grown with each Windows 10 release):
- Block executable content from email client and webmail.
- Block Office applications from creating child processes.
- Block Office applications from injecting into other processes.
- Block execution of potentially obfuscated scripts.
- Block Win32 API calls from Office macros.
Controlled folder access is Microsoft’s answer to the ever-increasing number of ransomware infections. It allows only known or explicitly allowed applications to write to user folders such as Documents, Pictures and the like; any other process that tries is blocked and the attempt is logged. Users can extend the list of protected folders and allow additional applications that legitimately need to create or edit files there.
Windows Defender Network Protection uses SmartScreen reputation data to block any process, not just a browser, from connecting to low-reputation or known-malicious domains and IP addresses on the Internet. It extends SmartScreen from an Internet Explorer and Edge feature to the system level, so other browsers, and any malware trying to phone home, are covered as well.
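The three feature groups above are all driven by Set-MpPreference, and the sane way to roll them out is audit mode first, read the events, then enforce. The following is an added example written for this article (not the original author’s or Microsoft’s code) that does exactly that for the five ASR rules listed above plus network protection and controlled folder access. The rule GUIDs are Microsoft’s published identifiers for those rules; confirm them against current documentation before deploying. The protected folder and allowed application paths are placeholders. It requires Defender in active mode and an elevated prompt.

```powershell
# Added example (not the article's own): enable the features described above
# in audit mode first, then show how to read what they would have blocked.
# In passive mode these settings are stored but never enforced.

# Microsoft's published ASR rule GUIDs for the five rules the article lists
# (verify against current documentation before rolling out).
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Stage 1: audit. Each -Ids entry pairs positionally with an -Actions entry
# (Disabled, Enabled, AuditMode), so both arrays must be in the same order.
$ids = @($asrRules.Keys)
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                 -AttackSurfaceReductionRules_Actions (@('AuditMode') * $ids.Count)
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Controlled folder access: protect an extra share and allow a line-of-business
# application that legitimately writes there. Both paths are placeholders.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleLOB\lob.exe'

# Stage 2, once the audit events look clean: flip to enforcement.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
#                  -AttackSurfaceReductionRules_Actions (@('Enabled') * $ids.Count)
# Set-MpPreference -EnableNetworkProtection Enabled
# Set-MpPreference -EnableControlledFolderAccess Enabled

# What would each feature have stopped? Event IDs in the Defender operational log:
#   ASR  1121 blocked / 1122 audited
#   NP   1126 blocked / 1125 audited
#   CFA  1123 blocked / 1124 audited
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122, 1124, 1125
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Forward those event IDs to whatever collects your logs before you enforce: an ASR rule that blocks a line-of-business macro on day one is exactly the kind of thing that gets the whole feature turned off again.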
And potentially AMSI, too
Defender’s Antimalware Scan Interface (AMSI) scanning goes away as well. AMSI itself is a Windows interface rather than a Defender feature: Microsoft’s intention was that any antimalware tool can register as a provider, and your antivirus product may be modern enough to have done so. But if it hasn’t, then you’ve also lost a very important tool. As I type this, there is a rash of so-called fileless infections occurring. A fileless infection is when an attacker gains access to the machine (through brute force, phishing, social engineering…the usual culprits), launches PowerShell (for example) and loads their code into memory. No file is written to disk; there’s nothing on your machine except in RAM, from where it does its dirty work. AMSI is designed specifically to catch PowerShell scripts, WMI calls and VBScript that are obfuscated to hide from basic A/V products. Because the scripting engine hands the content to AMSI right before it executes, after decoding and de-obfuscation, the provider sees it in its plain state, scans it for known-bad content and behavior, and the engine refuses to run it.
If you are the curious sort and would like to test Defender to see what is off, what is on, and how the behavior differs, Microsoft has a demo website where you can exercise the various features to make sure they are working properly. There you can test antivirus detection, drive-by download blocking, real-time cloud protection and more.
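Whether any AMSI provider is actually answering on a given machine is easy to check. The script below is an added example for this article (not the original author’s or Microsoft’s code); it uses Microsoft’s documented, harmless AMSI test string, which a working provider flags the way it would flag real malicious script, and then lists the providers registered in the registry. Building the string from two halves at run time is what keeps the script file itself from being blocked when it is loaded from disk.

```powershell
# Added example (not from the article): confirm an AMSI provider is scanning
# PowerShell content. With Defender in active mode, or a third-party product
# that implements AMSI, the test string below is blocked and PowerShell throws
# a ParseException with the text "This script contains malicious content and
# has been blocked by your antivirus software."

$marker = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
$amsiActive = $false

try {
    # The engine sees the reassembled string here, at Invoke time.
    Invoke-Expression "Write-Output '$marker'"
    Write-Warning 'AMSI did NOT block the test string: no provider is scanning script content.'
}
catch {
    if ($_.Exception.Message -match 'malicious content') {
        $amsiActive = $true
        Write-Output "AMSI blocked the test string: $($_.Exception.Message)"
    }
    else {
        throw   # some other failure; do not report it as an AMSI verdict
    }
}

# Which providers are registered? Each subkey name is a provider CLSID; the
# default value of the matching CLSID key is its friendly name.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        '{0}  {1}' -f $clsid, $name
    }

[pscustomobject]@{ AmsiActive = $amsiActive }
```

If the warning fires on a machine with a third-party A/V installed, that product has not registered an AMSI provider, and every obfuscated PowerShell or VBScript payload is running with no script-level inspection at all, regardless of what its on-access file scanner would have caught on disk.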
Still not convinced?
Now the question is: should you disable the Defender services? Heck no! Windows Defender is one of those integrated features, like IE was back in the day. Other parts of Windows (the Windows Security app and its reporting, for a start) depend on it, and the service is protected against being stopped, so forcing it off through the registry buys you a machine that misbehaves in ways you won’t enjoy debugging. Save yourself some grief. Defender is aware of third-party antivirus. Let those applications configure Defender for you; they will put it into passive mode. If they don’t, that’s a clear sign your software isn’t keeping up with the times.
It is time to give Defender a shot. I know I read a lot of “Defender sucks” stuff out there. It’s time to look at it again with a clear mind and see the direction Microsoft is taking this product. It’s not the same old Defender you’ve hated for the last decade; it’s now a truly integrated security system. The days of benchmarking one A/V against another on how fast it caught a virus or Trojan are gone. That’s no longer a good measure. The attackers are smarter, the attacks are varied and they are coming from all directions. Defender is the integrated solution we’ve been hoping would come along, and Microsoft has really stepped up to the plate with this one. They’ve always been a great come-from-behind company and they’ve done it again with Defender in Windows 10 and in Server 2016, too. Both are built on the same code, so Windows Server is enjoying better built-in security now as well.
2 thoughts on “Windows Defender: From antivirus afterthought to multifaceted solution”
I have read what you have said about the Microsoft Defender antivirus (as it is called now?) on your website page, and I’d like to share with you a weird scenario I have come across just by an accidental find. My installed W.D/M.D antivirus is always giving the green light after I have downloaded and installed a dangerous file or program, as it has treated it in the same way as a genuine safe downloaded file and program, including its installation. After not noticing any on-screen warnings by the antivirus relating to the dangerous downloaded file or program, I proceeded to go on, and after the damage was done still no warnings had shown up until I saw the damage my computer was starting to get. I only found out just by a random search what was installed: it was found in one of my folders with at least 50 weird files that weren’t there before, and I don’t know why these heavily infected files were left alone. This wasn’t just a one-off either, as other similar cases also occurred: my W.D/M.D had left my test files alone, and it didn’t even detect one of my other infected programs either, and I only found out that program was heavily infected by sending it to the VirusTotal.com website and seeing what my program had hidden in it after the scan was done on the new page. Every other free antivirus I had tried one by one also listed my downloaded program as heavily infected, as shown on the detection list during a full scan. Kaspersky free, after I used that, had detected every downloaded file and program of mine during a full scan or custom scan by showing a warning in the detection scan list, and in other tests I on purpose downloaded a dangerous file and program and it also was detected on the spot, and it was virtually impossible to explore it further after my attempt was blocked each time. In July 2021, I have been able to continually and with ease download and install dangerous files and programs, as I noticed it didn’t cause any alerts by the W.D/M.D antivirus and, you guessed it, no alerts either even after a trojan got installed. No other free antivirus has shown the same bad end results as the W.D/M.D did, not even back in Windows 7. My installed W.D back in Windows 7 did the same thing, and it really hasn’t changed up till now except for its name. A.V.G 9.0 free antivirus, when I had that in Windows 7, had done well against a trojan, as I noticed, and not once did I ever have to reinstall Windows 7.
In every case after downloading a dangerous file or program in Windows 7, the installed computer nasty bypassed W.D or M.S.E and I lost the lot and had to reinstall Windows 7 on many occasions. I have noticed and read about computer experts in their online website reviews who mentioned that the M.D had improved in 2021 and was showing a detection rate of 99.7% in 2021, and if that was the case the M.D would have shown an on-screen alert every time I downloaded and/or installed a dangerous file or program, including from my downloads folder where spare programs are kept, but sadly no such luck. Every dangerous downloaded file and program had actually gone in undetected and bypassed my M.D, and M.D still didn’t do anything about it. I no longer send dangerous downloaded files and programs to Microsoft as it’s not taken seriously, and it looks like what I sent to them earlier on ended up in their email trash or junk or in the rubbish, and then they deleted it afterwards. I actually had better luck with Kaspersky, who at least took the dangerous file that I sent to them seriously, as I got a reply from them a few days later, and the free antivirus didn’t make a mistake in its detection relating to that file: that file was heavily infected with a trojan, and other nasties were also hidden in that file, and, you guessed it, the W.D/M.D didn’t find anything wrong with it, not after a full scan or a custom scan, and just went ahead with the installation of that file, and all I got in the end was just a file with hidden Trojans and other nasties, minus what I was after. Bye for now, you’re welcome to comment.
I would like to continue further on. In your home or business use of the M.D antivirus you might claim it’s virtually impossible to download and install a dangerous downloaded file or program, as it’s mostly detected and has the same result as any other antivirus, and you’re quite welcome to mention it. In my testing of all free antiviruses one by one, I noticed the W.D/M.D is the only free antivirus that allows a dangerous downloaded file or program to be explored further, including whatever computer nasty was hidden in that file or program, and I mostly ended up with a locked-up computer or messed-up computer, and the only way out was to do a full reinstall. No other free antivirus yet had allowed a dangerous downloaded file or program to be explored further, including its installation, once it got detected, whether before the download was made or after installing it and when a custom scan was made. My W.D/M.D didn’t detect my dangerous downloaded file and/or program, nor did it detect anything wrong after I installed the infected file or program, nor did it detect any of my infected programs after doing a custom scan either. Every other free antivirus I had tried out one by one all detected one of my programs as heavily infected just by doing a custom scan/full scan, and I saw my program listed on the detection list and what was hidden inside that program, and no mistake was made. In using the Kaspersky free antivirus, it detected every dangerous downloaded file and program I had in my downloads folders, and no mistake was made, and no matter how I tried to explore that detected file or program, it just couldn’t be done. The Kaspersky free also detected every dangerous file and/or free legal program that I tried to download, and that’s where it ends.
In my case the Kaspersky free antivirus in 2021 has shown it can do the job with a much higher detection rate and takes immediate action every time on a dangerous file or program before it’s downloaded, as shown on the screen by a warning popup. Maybe this explains why Microsoft is jealous and doesn’t like Kaspersky, as this company has shown it can do a better job when it comes to computer security, and has made a free antivirus that I found to be incredibly wonderfully made from start to finish. Feel free to add your comments…? Bye.