Microsoft Defender Review: Decent Antivirus, No Installation Required

Before we go further, don't confuse this Windows component with the more powerful Microsoft Defender for Business. The latter is an enterprise-focused endpoint protection system, and it’s not free.

Microsoft Defender Antivirus differs from other free antivirus tools in that there's no installation required. If you’re running Windows, you already have it. When you click the Defender icon in the notification area, it opens the Windows Security app. The main security screen displays large icons for eight security areas. The components most central to Microsoft Defender are Virus & Threat Protection and App & Browser Control, as well as the Protection History list. Clicking one of those icons (or its corresponding item in the left-rail menu) brings up the selected security features.

Microsoft Defender focuses mainly on real-time protection. Where many other antivirus tools put a big Scan button front and center, Defender’s scan choices are just one of many elements on the Virus & Threat Protection page.

Similar Products

Our Current Picks for The Best Free Antivirus Software for 2025

Avast One Basic

4.5

Outstanding

From $2.50 Per Month for Premium Version at AVAST

See It Read Our Review

Bitdefender Antivirus Free for Windows

4.0

Excellent

Save up to 45% on Paid Plans at Bitdefender

See It Read Our Review

AVG AntiVirus Free

4.5

Outstanding

$0.00 at AVG

See It Read Our Review

Avira Free Security

3.5

Good

$0.00 at Avira

See It Read Our Review

Avast One Basic for Mac

4.0

Excellent

Visit Site at AVAST

See It Read Our Review

AVG AntiVirus for Mac

3.5

Good

$0.00 at AVG

See It Read Our Review

Avira Free Antivirus for Mac

3.5

Good

$0.00 at Avira

See It Read Our Review

In testing, a full scan took almost four hours. That’s vastly more than the 26 minutes I clocked in my last review, and according to Defender’s time estimates, it could have been vastly longer.

While it’s scanning, Defender reports the number of files scanned along with an estimate of the time remaining. That estimate kept steadily going up and reached ridiculous heights. At about two hours in, it claimed that the scan would take 31 hours more. It came down from that peak slowly and eventually finished, taking almost twice the current average time for a full scan. I actively kept track of the scanning process, so I’m very sure the final time of 3 hours 50 minutes is accurate. Yet Defender itself reported “Scan lasted 2 hours 11 minutes.”

Given that I thoroughly deleted all my samples before the timing test, I was surprised to find that the scan reported 97 threats. These all turned out to be contained in Microsoft Edge’s cache files. It’s possible that Microsoft Defender has some special ability to reach inside those files in a way that’s not available to competing products.

Many antivirus tools use their initial full scan to optimize for subsequent scans. This can result in a massive speedup in scans after the first. Bitdefender cut 92% from its scan time on a second try, and ESET NOD32 Antivirus cut 91%. When last tested, McAfee took well over eight hours for its initial full scan, but completed a second in less than an hour, cutting the time by 90%. I launched a second scan with Microsoft Defender to see whether it exhibits any similar speedup. Not long after starting, it reported about 50 minutes remaining. An hour later, it still reported 50 minutes remaining. With no massive speedup evident, I terminated the test and moved on.

In addition to the expected Quick, Full, and Custom scan options, Microsoft Defender offers what it calls Offline Scan. Designed to handle persistent malware that defends itself against removal by a normal scan, this scan reboots the system and runs before Windows fully loads. That also means it runs before any malware processes load. In theory, the malware is defenseless. If you feel that you still have a malware problem after a regular scan, give the offline scan a try.

Defender’s offline scan runs during the Windows boot process. Other antivirus tools that offer a similar boot-time scan typically boot into linux, so there's not even a faint chance Windows-based malware could run. Bitdefender's Rescue Environment makes booting into linux to remove malware particularly simple.

It's true that after that initial full scan, real-time protection should handle any new attacks. However, many users like to schedule an occasional full scan for added security. You won't find that functionality in Microsoft Defender, though. If you want to schedule a scan, you'll have to dig into the unwieldy, somewhat threatening Task Scheduler. Most competing antivirus utilities that offer scheduling make the process much easier.

Eight or nine years ago, Windows Defender (as it was then called) routinely earned poor scores from AV-Test Institute. Go back a few more years, and you find it scoring below zero in another lab’s tests. At present, all four labs I follow include Microsoft Defender Antivirus in their regular test reports, with scores ranging from just OK to perfect.

Security experts at AV-Test Institute rate antivirus programs on three criteria: Protection, Performance, and Usability. An antivirus can earn up to six points for each of these, for a maximum total of 18. In the latest report, Microsoft and more than 80% of tested antivirus apps achieved a perfect 18 points. Among the other antiviruses with a perfect score were Avira Free Security, Avast, AVG AntiVirus Free, and Norton.

London-based SE Labs awards five levels of certification: AAA, AA, A, B, and C. Microsoft Defender aced this one, earning AAA certification. However, McAfee, Norton, Webroot, and all the other tested antivirus apps also earned AAA certification in the latest reported test.

Antivirus tools don't receive a numeric score or letter grade from the researchers at AV-Comparatives. An antivirus that passes a test gets Standard certification, and one that doesn't pass gets the label Tested. Those that do more than the minimum can rate Advanced or Advanced+. I follow three of this lab's many tests, and Microsoft appears in the latest report for all three. Microsoft Defender receives one Standard and two Advanced certifications, a mediocre showing. Avast, AVG, and ESET reached Advanced+ certification in all three tests, while Bitdefender Antivirus Free, McAfee AntiVirus, and Norton managed two Advanced+ ratings and one Advanced.

British testing firm MRG-Effitas runs two tests I track. One is a pass/fail test that challenges each antivirus to defend against attacks on online banking. Defender passed the latest banking protection test, along with all competitors except Trend Micro Antivirus+ Security.

The other test from this lab measures defense against a full range of malware types. In this test, an app that completely thwarts all the malware attacks earns Level 1 certification. An app that remediates all attacks within 24 hours gets Level 2 certification. Along with Bitdefender and Norton, Defender reached Level 1 certification. Avast, Avira, and ESET passed at Level 2, while Trend Micro once again failed the test.

It's Surprisingly Easy to Be More Secure Online

Each lab uses its own scoring system, which makes comparisons challenging. I've devised an algorithm that maps them all to a 10-point scale and generates an aggregate score.

Getting a high aggregate score from all four labs is tough since just one less-perfect result can drag down the total. Based on results from all four labs, Avast One Essential, Norton AntiVirus Plus, and Microsoft rose to the challenge, attaining 9.9, 9.6, and 9.5 points, respectively.

Tested by three labs, Bitdefender and McAfee share the top score, 9.8 points, while Avira matches Microsoft’s 9.5 points. The actual highest aggregate score goes to AVG, which came in with a perfect 10 based on reports from two labs. After a rocky past, Microsoft is among the antivirus apps with the best lab scores.

If you never installed any other form of malware protection, or if your antivirus subscription expires, Defender steps in and does its best to keep you safe. As we’ve seen, it earns mostly excellent scores in independent lab tests. I also put it through my regular hands-on malware protection test for a real-world view of its effectiveness, and here it didn’t do as well.

In a typical malware blocking test, I install the antivirus under test on a virtual machine that has malware samples stored in several folders. For some apps, just opening the folder triggers real-time scanning. Others wait until the malware app is about to launch. Still others apply their real-time scanning to files as they’re downloaded.

The scenario above is only possible because my test virtual machines have Defender bound, gagged, and immobilized. Otherwise, Defender would interfere with my testing of third-party programs.

To test Defender itself, I downloaded the samples from online storage. This proved to be more hands on than usual. In almost every case, Edge noted that the file is not commonly downloaded and advised caution. Some couldn’t download at all, flagged with the note, “blocked as unsafe by Microsoft Defender SmartScreen” in the browser’s download list. For others, the download began but was interrupted by a notification area pop-up stating, “Threats found.” For those, the download showed “Couldn’t download - Virus detected.”

Downloads flagged with the description PUP (potentially unwanted program) required the most attention. A pop-up advised going to Windows Security for details. In Windows Security, the list of recent events revealed a note “Potentially unwanted app found,” and clicking that note allowed me to select an action. In every case (and there were plenty) I chose Quarantine. That’s a lot of clicks to manage each PUP.

Between SmartScreen preventing dangerous downloads, real-time protection eliminating downloaded malware, and PUPs taking a trip to quarantine, Defender eliminated 89% of the malware samples, including 100% of the ransomware samples.

Next, I ran through the same process using hand-modified copies of my sample set. To create these copies, I change the filename, append zeroes to change the file size, and overwrite some non-executable bytes. Looking just at the ones whose originals it caught on sight, Defender missed 28%. Testing with modified samples gives me a view into how flexible each antivirus app’s detection methods are. Scores in this ancillary test range from 1% missed for Avast and AVG to 82% missed for UltraAV. Microsoft’s score falls in the middle.

Get Our Best Stories!

Stay Safe With the Latest Security News and Updates

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

Email

Sign Me Up

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

I took the surviving samples and launched them one by one, noting Defender’s reaction. In almost every case, it allowed the malware program to run unhindered. Its total detection rate was 90%, and its overall score was 8.9 out of 10 possible points, the lowest among antivirus tools tested with my current set of malware.

UltraAV has the best score among antiviruses tested with this same collection, with a perfect 10 points. Avast, AVG, Norton, and Webroot Essentials all come next, each with 9.7 points. Among antivirus tools tested with previous collections of malware, Guardio holds the best score, 9.8 points.

My malicious URL blocking test uses an up-to-the-minute feed of the newest malware-hosting URLs discovered by researchers at MRG-Effitas. These are typically no more than a few days old. I launch each URL and note whether the antivirus blocks all access to the page, eliminates the downloaded malware, or does nothing at all. Defender’s SmartScreen Filter provides this protection for Edge. Most competing antivirus utilities apply malicious download protection to all popular browsers, while Microsoft only protects its own. That’s tough for enthusiasts of Chrome or Firefox.

Out of 100 malware-hosting URLs, SmartScreen Filter blocked precisely none at the URL level. It blocked downloading 89% of the samples in one way or another, with information about its activities appearing in Microsoft Edge’s download list. Some didn’t even begin to download, with a message saying the download was “blocked as unsafe by Microsoft Defender SmartScreen.” For others, a pop-up warned of threats detected after the download, and the downloaded file disappeared, leaving the message “Couldn’t download - virus detected.” In quite a few cases, the download finished, but Defender warned that it was a PUP. In each of those, I went through the tedious process of opening the security center, finding the reported PUP, and sending it to quarantine.

In quite a few cases, a browser message warned me that the file in question is not commonly downloaded, requiring my confirmation to keep on downloading. This message didn’t say the files were good or bad, just uncommon, so I chose to keep on in every case.

Defender’s score of 89% in this test is a bit below the median of 92%, which is not an impressive showing. In their own tests using then-current malware-hosting URLs, Avira, Guardio, and Sophos Home Premium blocked 100% either by preventing access to the dangerous URL or eliminating the malware payload.

The creators of phishing websites don't bother learning to code. They don’t toil at creating clever Trojans to evade antivirus systems and steal login credentials. Instead, they attack the weakest link—the user. Phishing pages try to fool you into giving up login credentials for your email provider, banking websites, and even dating and gaming sites. They do so by creating a page that looks exactly like the real thing. These sites get blocklisted and shut down quickly, but the fraudsters just spin up new ones.

To test phishing protection, I gather reported phishing URLs from websites that track such things. I make sure to include both verified frauds and reported URLs so new they haven't yet been analyzed and blocklisted. After all, it’s no great feat to block websites that have already been reported on a phishing blocklist. A real antiphishing solution needs the ability to detect fraud in real time.

In addition to reporting the app’s detection rate for verified phishing pages, I compare its rate to that of the phishing protection built into Chrome, Firefox, and Edge. In this case, the app in question is SmartScreen Filter, managed by Microsoft Defender for Microsoft Edge, so I only had to compare Edge with the other two browsers.

By observation, detection rates for Edge’s built-in phishing protection vary widely. Luckily, I have an easy way to smooth out that variation. Rather than launch a new round of testing, I averaged the results for Chrome, Edge, and Firefox from my last 20 phishing tests of other apps.

Microsoft’s results don’t look great, which jibes with previous results. It detected just 75% of the verified phishing pages, and its detection rate lagged 2 percentage points behind Firefox and 14 points behind Chrome. For comparison, half the antivirus utilities in recent tests reached 95% detection or better, and eight managed a perfect 100%. Those eight winners included the phishing-centric Norton Genie scam detector as well as NordVPN and Surfshark, both of which primarily focus on VPN protection. The traditional antivirus winners in the phishing protection test are AVG, Avira, Guardio, McAfee, and Webroot, all with 100% detection.

Buried in the antivirus settings is a feature that offers a degree of ransomware protection. It's turned off by default. If you want ransomware protection, you must scroll down to "Controlled folder access" and turn it on. By default, it protects your Documents, Pictures, Videos, Music, and Favorites folders, blocking any unauthorized attempt to modify files in these locations. You probably want to add the Desktop folder.

So, does it work? For a quick sanity check, I used a tiny text editor that I wrote myself. I don’t know precisely which programs Microsoft has pre-authorized, but I know my TinyEditor isn’t on the trusted list. When I tried to save an edited text file in the Documents folder, Defender prevented the unauthorized changes. It also prevented a simple-minded ransomware simulator that I coded myself from modifying protected text files. But in both cases, these programs acted only on files in protected folders. Real-world ransomware doesn’t limit itself to Documents, Pictures, and the like.

Trend Micro, Panda Free Antivirus, and a few others offer similar protection against unauthorized programs modifying protected documents. Typically, the warning message includes an option to add the program involved to the trusted list. With Microsoft Defender, that's not an option. If I wanted to authorize my TinyEditor for future use, I would have had to dig deep into settings and add it manually.

Of course, the best ransomware protection testing uses real ransomware. Most of the time, I can accomplish this kind of test by turning off an antivirus app’s real-time protection, leaving the ransomware layer to do its job alone. That’s not possible with Microsoft Defender, but I came up with a way to get at least a modicum of testing by excluding the folder containing ransomware samples from Defender’s scanning. As always, I disconnected the virtual machine from the internet during ransomware testing for safety. This had the added benefit of disabling Defender’s cloud-based SmartScreen lookup.

A dozen of my ransomware samples are the common file-encrypting type, while two represent ransomware that encrypts the whole disk. Both whole-disk attacks succeeded, rendering the virtual drive inaccessible without any reaction from Defender. That makes sense, given that Defender’s detection works strictly at the file level.

The antivirus successfully quashed three samples when they transferred operations to a subprogram outside the excluded folder. Three others simply wouldn’t run in the limited test environment.

The remaining half-dozen samples left Defender looking ineffective. It did catch five of the six in action, but not before they had encrypted files outside the protected folders, from a few dozen files to several hundred. The remaining sample got past Defender’s detection, killed the Defender process completely, and encrypted nearly 10,000 files, including all files in the supposedly protected Documents folder.

As noted, the overall Windows Security dashboard serves as a central location to manage various security features. The dashboard features eight big icons representing eight security areas: Account Protection, App & Browser Control, Device Performance & Health, Device Security, Family Options, Firewall & Network Protection, Protection History, and Virus & Threat Protection. If you make it wide enough, it sprouts a menu on the left side. With a few exceptions, you don’t need to change security settings, though. In most cases, Windows comes configured for proper security.

I've already covered the features of the App & Browser Control and Virus & Threat Protection pages. As noted, the main thing you should change here involves Controlled folder access for ransomware protection—you need to turn it on. I'd prefer to see this turned on by default. Protection History, at the bottom of the list, lets you review details of everything the security system has done for you.

The Account Protection page links to system settings related to your Microsoft account, including Windows Hello for logging in and the optional Dynamic lock, which locks the PC when a paired device isn't nearby. If your PC supports Windows Hello, you can configure it to log you in based on facial or fingerprint recognition. Configuring the system to lock when your phone (or other paired device) goes out of range is smart.

From the Firewall & Network Protection page, you can check the status of Windows Firewall and perform simple tasks like allowing an app through the firewall. It also offers quick access to network troubleshooting and to the daunting advanced firewall configuration app. Windows Firewall is effective enough that you may not need a third-party firewall.

You use the App & Browser Control page to configure aspects of SmartScreen Filter. It comes configured to warn if you download dangerous files or venture to dangerous websites. SmartScreen also checks web content used by Windows Store apps. Just leave these turned on. Expert users can dig in to configure exploit prevention technologies, including CFG, DEP, and ASLR. If you don't already know what those abbreviations stand for, you're not qualified to meddle with the settings. Likewise, most users probably won't grasp the details of the information displayed on the Device Security page.

In 2022, Microsoft added a feature called Smart App Control. When active, this feature checks every app you launch against its “intelligent cloud-powered security service.” Safe apps sail through; malicious or dubious ones get stopped. Sounds good! However, you probably can’t use it. You can only enable this feature on a brand-new installation of Windows 11. Turning it on later requires you to reset your computer or reinstall Windows.

The Device Performance & Health page checks for issues with Windows update, storage capacity, and device drivers and offers help to resolve any detected issues. On this page, you can also click for a Fresh Start, a full reinstallation of Windows that retains your documents and some settings and restores your Windows Store apps. However, the process wipes out desktop apps, including Microsoft Office and third-party antivirus, so you don’t want to use it without serious consideration.

The final page, Family Options, tracks the parental control options built into Windows. Parental control features include content filtering, screen time control, limiting kids to age-appropriate apps, and locating the children's mobile devices. However, it works only on Windows and only in Microsoft browsers, so it's of little use in this modern multi-platform world.