Microsoft Defender Antivirus Review (2024)

Even in the days of MS-DOS, Microsoft provided a limited kind of antivirus protection. In Windows 10 and Windows 11, Microsoft Defender Antivirus protects against viruses, Trojans, ransomware, and all types of malware, and it also manages other Windows security features. If you have no other antivirus installed, Defender jumps in to offer protection. When you install a third-party tool, it goes dormant. Defender does a decent job, too, but the best competitors, including free ones, do even better.

In the realm of free antivirus, we’ve awarded two apps our Editors’ Choice honor. If you just want straight antivirus protection at no charge, AVG AntiVirus Free is our pick. For antivirus plus a generous selection of security suite features, look to Avast One Essential.

No Installation Required

Before we go further, don't confuse this Windows component with the more powerful Microsoft Defender for Business. The latter is an enterprise-focused endpoint protection system, aimed at business and not free.

Microsoft Defender Antivirus differs from other free antivirus tools in that there's no installation required; it's already present. When you click the Defender icon in the notification area, it opens the Windows Security app. The main security screen displays large icons for virus protection and six additional feature collections. Clicking one of those icons (or its corresponding item in the left-rail menu) brings up a page for the selected security features. I'll go into detail about these features below.

(Credit: Microsoft/PCMag)

Microsoft Defender Scan Choices

Microsoft Defender focuses mainly on real-time protection. Where many other antivirus tools put a big Scan button front and center, Windows makes you work to even find the on-demand scan choices. In testing, a full scan finished in 26 minutes, but not without drama. Defender keeps a running estimate of the time remaining for the scan. This estimate kept going up and up, reaching past 4 hours, then dropped precipitously as the scan finished.

(Credit: Microsoft/PCMag)

Defender’s scan time is much faster than the current average of 2 hours, and it clearly performed some optimization to speed subsequent scans. A second scan finished in just 11 minutes.

In addition to the expected Quick, Full, and Custom scan options, Microsoft Defender offers what it calls Offline Scan. Designed to handle persistent malware that defends itself against removal by a normal scan, this scan reboots the system and runs before Windows fully loads. That also means it runs before any malware processes load. In theory, the malware is defenseless. If you feel that you still have a malware problem after a regular scan, give the offline scan a try.

Offline scan does run during the Windows boot process. Other antivirus tools that offer a similar boot-time scan typically boot into Linux, so there's not even a faint chance Windows-based malware could run. Bitdefender's Rescue Environment makes Linux-based malware removal particularly simple.

(Credit: Microsoft/PCMag)

It's true that after that initial full scan, real-time protection should handle any new attacks. However, many users like to schedule an occasional full scan for added security. You won't find that functionality in Microsoft Defender, though. If you want to schedule a scan, you'll have to dig into the unwieldy, threatening Task Scheduler app. Most competing antivirus utilities make scheduling scans much easier.

Mixed Lab Results

Some years ago, Windows Defender (as it was then called) routinely earned truly wretched scores from the independent testing labs, coming in below zero at times. At present, all four labs I follow include Microsoft Defender Antivirus in their regular test reports. Its scores run the gamut from perfection to failure.

Security experts at AV-Test Institute rate antivirus programs on three criteria, Protection, Performance, and Usability. An antivirus can earn up to six points for each of these, for a maximum total of 18. In the latest report, Defender takes the full six points for Protection and Performance and comes close with 5.5 for Usability. A score of 17.5 is enough to earn the title Top Product.

Avira Free Security also took 17.5 points in the latest test, while AVG AntiVirus Free and Kaspersky Free, along with a few others, reached a perfect 18 points.

London-based SE Labs awards five levels of certification, AAA, AA, A, B, and C. Microsoft Defender aced this one, earning AAA certification. But then, all the antivirus apps I follow earned AAA certification in the latest reported test.

Antivirus tools don't receive a numeric score or letter grade from the researchers at AV-Comparatives. An antivirus that passes a test gets Standard certification; one that doesn't pass gets the label Tested. Those that do more than the minimum can rate Advanced or Advanced+. I follow three of this lab's many tests, and Microsoft appears in the latest report for all three. Microsoft Defender receives one Standard, one Advanced, and one Advanced+ rating, a decent showing, if not outstanding. Bitdefender Antivirus Free, Avast, and AVG reach Advanced+ in all three, while Avira, Kaspersky, McAfee AntiVirus Plus, and Norton manage two Advanced+ ratings.

British testing firm MRG-Effitas runs two tests I track. One is a pass/fail test that challenges each antivirus to defend against attacks on online banking. In the latest banking protection test, half the tested apps failed, Defender among them.

The other test from this lab measures defense against a full range of malware types. In this test, an app that completely thwarts all the malware attacks earns Level 1 certification. An app that remediates the attacks within 24 hours gets Level 2 certification. Along with Bitdefender and Malwarebytes, Defender reaches Level 1 certification. All but one of the remaining apps manage Level 2.

Each lab uses its own scoring system, which makes comparisons tough. I've devised an algorithm that maps them all to a 10-point scale and generates an aggregate score. Bitdefender leads the pack with a perfect 10 based on scores from all four labs. Also tested by all four, Avira reach 9.4 points and Microsoft Defender manage 9.2. Avast One Essential and Norton AntiVirus Plus match Avira’s 9.4 points but were only tested by three labs.

Good Hands-On Test Results

If you never installed any other form of malware protection, or if your antivirus subscription expires, Defender steps in and does its best to keep you safe. As we’ve seen, lab tests suggest it does a decent job, not an outstanding one. I also put it through my regular hands-on malware protection test for a real-world view of its effectiveness.

To start my hands-on testing, I open a folder containing my current set of malware samples. Shortly after I did so, Microsoft Defender began slowly picking off those it recognized as malware. In most cases it quarantined the found threats, but it reported some as just “Potentially unwanted.” To give it the best chance of success in the test, I clicked through for each potentially unwanted app and actively sent it to quarantine. Eventually it stopped finding new concerns. At that point, it had eliminated 66% of the samples.

Next, I exposed Microsoft Defender to hand-modified copies of my sample set. To create these copies, I change the filename, append zeroes to change the file size, and overwrite some non-executable bytes. Looking just at the ones whose originals it caught on sight, Defender missed 33% of the tweaked samples. I am surprised to see it caught a couple of the modified samples whose originals slipped the net.

(Credit: Microsoft/PCMag)

I took the remaining samples and launched them one by one, noting Defender’s reaction. It caught many of the remaining samples at this point, detecting 95% of them one way or another. Webroot also detects 95% of these samples, but Guardio tops the list with 98% detection. Note that I had to modify my test for Guardio, as it only checks files for malware at download time, and only in Chrome.

An antivirus can lose points from its overall score by leaving behind traces of the malware it detected. Guardio doesn’t lose a thing here, coming out with 9.8 points. Minor lapses take Webroot SecureAnywhere AntiVirus down to 9.4 and Microsoft Defender down to 9.1 points.

Defender’s score is decent, and it beats other free antivirus tools tested with this sample set. AVG only got 8.6 points, Avast 8.4, and Kaspersky 8.2 points. AVG and Avast both come out ahead of Defender in independent lab tests.

I did run into one odd problem, something I’ve encountered before. Microsoft Defender kept finding certain malware threats over and over, even after it eliminated them. During my previous review, I learned that this is a fairly common problem, solved by deleting a detection history folder Defender maintains. But in Windows 11, I don’t have permission to view that folder, much less delete it. Microsoft should fix this known problem.

My malicious URL blocking test uses an ongoing feed of the newest malware-hosting URLs discovered by researchers at MRG-Effitas. These are typically no more than a few days old. I launch each URL and note whether the antivirus blocks all access to the page, eliminates the downloaded malware, or does nothing at all. Technically, SmartScreen Filter provides this protection for Edge, but Defender manages SmartScreen Filter. It's worth noting that most competing antivirus utilities apply malicious download protection to all popular browsers, while Microsoft only protects its own.

Out of 100 malware-hosting URLs, SmartScreen Filter blocked access to 7% at the URL level and prevented download of the malware payload for another 88% in my testing. When it detected a dangerous URL, the filter diverted the browser to a warning page. The file-level protection takes several forms. For some it reports the download as blocked “because it could harm your device.” Others receive the label “blocked as unsafe by Microsoft Edge.” As in my other test, when Defender reported a potentially unwanted application, I went through the multi-click process required to quarantine it.

(Credit: Microsoft/PCMag)

In well over half the cases, I got a notification that the file in question “is not commonly downloaded,” with advice to only continue if I trusted the file. I treated these notifications the same as active malware detection, choosing to delete the file in every case.

Defender’s 95% total protection is decent, but 10 recent antivirus tools have scored better, and six of those reach a perfect 100%. Among those 100% winners are Norton AntiVirus, Sophos Home Premium, Trend Micro, and ZoneAlarm Free Antivirus.

Poor Phishing Detection

The creators of phishing websites don't bother learning to code. They don’t toil at creating clever Trojans to evade antivirus systems and steal login credentials. Instead, they attack the weakest link—the user. Phishing pages try to fool you into giving up login credentials for your email provider, banking websites—even dating and gaming sites. They do so by creating a page that looks exactly like the real thing. These sites get blacklisted and shut down quickly, but the fraudsters just spin up new ones.

To test phishing protection, I gather reported phishing URLs from various websites. I make sure to include those so new they haven't yet been analyzed and blacklisted. After all, it’s no great feat to block websites on a blacklist. A real antiphishing solution needs the ability to detect frauds in real time. In addition to reporting the app’s detection rate for verified phishing pages, I compare its rate to that of the phishing protection built into Chrome, Firefox, and Edge. In this case, the app in question is SmartScreen Filter, managed by Microsoft Defender for Microsoft Edge, so I only had to compare Edge with the other two browsers.

By observation, detection rates for Edge’s built-in protection vary across a wide range. Luckily, I have an easy way to smooth out that variation. Rather than launch a new round of testing, I averaged the results for Chrome, Edge, and Firefox from my last dozen phishing tests of other apps.

(Credit: Microsoft/PCMag)

Microsoft’s results don’t look great, which jibes with previous results. It detected just 69% of the verified phishing pages, and its detection rate lagged 8 percentage points behind Firefox and 14 points behind Chrome. In their own most recent tests, Avast, Guardio, Trend Micro Antivirus+ Security, and ZoneAlarm all score 100% detection, as does the unusual Norton Genie scam detector.

Simple Ransomware Protection

Buried in the antivirus settings is a feature that offers a degree of ransomware protection. It's turned off by default. If you want ransomware protection (and who doesn’t?) you must scroll down to "Controlled folder access" and turn it on. By default, it protects your Documents, Pictures, Videos, Music, and Favorites folders, blocking any unauthorized attempt to modify files in these locations.

Almost every antivirus tool wipes out my real-world ransomware samples on sight, or at least before they launch. If I want to test ransomware protection, I must disable other antivirus elements. Defender, by contrast, missed two of those ransomware samples in initial testing, and missed a hand-modified version of another. For testing purposes, I launched those three and closely observed Defender’s actions. The results weren’t good.

(Credit: Microsoft/PCMag)

It seemed to block one sample on launch, but clearly didn’t stop all activity, as it subsequently reported preventing unauthorized file access by that sample. Despite attempts by the antivirus, the ransomware left a ransom note and encrypted three dozen files. It caught unauthorized access by a second sample, yet that one managed to encrypt 1,400 files. Finally, it flagged a third sample as ransomware, prevented unauthorized file access, and further blocked a component of the ransomware as a threat. Yet that third ransomware sample deposited several copies of its ransom note and encrypted more than 3,600 files.

Windows Defender successfully prevented changes to protected files by a tiny text editor that I wrote myself. I don’t know exactly which programs Microsoft has pre-authorized, but I know my TinyEditor isn’t on the guest list. It also prevented my simple-minded ransomware simulator from modifying protected text files. But in both cases these programs acted only on files in protected folders. Real-world ransomware doesn’t limit itself to Documents, Pictures, and the like.

The similar file-protection feature in Trend Micro, Panda Free Antivirus, and a few others lets you extend trust to an unrecognized program directly from the popup warning. With Microsoft Defender, that's not an option. To add an exception for a valid program you must awkwardly dig into the settings.

Windows Security Dashboard

As noted, the overall Windows Security dashboard serves as a central location to manage various security features. Clicking the icons at the left side of the main window brings up pages of security information and settings. With a few exceptions, you don’t need to change the associated settings, though. In most cases Windows comes configured for proper security.

I've already covered features of the Virus & threat protection page. As noted, the main thing you should change here involves ransomware protection—you need to turn it on. I'd prefer to see this turned on by default.

The Account Protection page links to system settings related to your Microsoft account, including Windows Hello for logging in and the optional Dynamic lock, which locks the PC when a paired device isn't nearby. If your PC supports Windows Hello, you can configure it to log you in based on facial or fingerprint recognition. Configuring the system to lock when your phone (or other paired device) goes out of range is smart.

(Credit: Microsoft/PCMag)

From the Firewall & Network Protection page, you can check the status of Windows Firewall and perform simple tasks like allowing an app through the firewall. It also offers quick access to network troubleshooting and firewall configuration. Windows Firewall is effective enough that you may not need a third-party firewall.

You use the App & Browser Control page to configure aspects of SmartScreen Filter. It comes configured to warn if you download dangerous files or venture to dangerous websites. SmartScreen also checks web content used by Windows Store apps. Just leave these turned on. Expert users can dig in to configure exploit prevention technologies including CFG, DEP, and ASLR. If you don't already know what those abbreviations stand for, you're not qualified to meddle with the settings. Likewise, most users probably won't grasp details of the information displayed on the Device Security page.

(Credit: Microsoft/PCMag)

In 2022, Microsoft added a feature called Smart App Control. When active, this feature checks every app you launch against its “intelligent cloud-powered security service.” Safe apps sail through; malicious or dubious ones get stopped. Sounds good! However, you probably can’t use it. You can only enable this feature on a brand-new installation of Windows 11. Turning it on later requires you to reset your computer or reinstall Windows.

The Device Performance & Health page includes checks for any issues with Windows update, storage capacity, and device drivers, offering help to resolve any detected issues. On this page, you can also click for a Fresh Start, a full reinstallation of Windows that retains your documents and some settings and restores your Windows Store apps. However, the process wipes out desktop apps, including Microsoft Office and third-party antivirus, so you don’t want to use it without serious consideration.

The final page, Family Options, tracks the parental control options built into Windows. Parental control features include content filtering, screen time control, and limiting kids to age-appropriate apps, as well as locating the children's mobile devices. However, it works only on Windows and only in Microsoft browsers. It's of little use in this modern multi-platform world.

An Able Defender

Making sure every Windows PC has at least some degree of antivirus protection is a good move on Microsoft's part. We used to say Windows Defender isn’t good, but it’s better than nothing. At present, we're willing to say Microsoft Defender Antivirus is good, period. Some of its lab test scores are excellent now, though it took a while to reach this point. It earned a good score in our hands-on malware protection test, but it didn't do so well at detecting phishing frauds.

The very best free antivirus utilities still give you even more protection, however, and they earn great scores from the independent testing labs. Avast One Essential and AVG AntiVirus Free are the apps we’ve identified as Editors’ Choice winners in the free antivirus realm. Avast comes with a network inspector, a password manager, and a wealth of security bonus features. AVG sticks closer to the essentials of antivirus protection. You're free to try these two, or any of our other top-rated free antivirus tools, and choose the one that suits you best. If your choice proves to be Microsoft Defender, go ahead and run with it.