Defender

Preface

Windows Defender has improved massively over the years since it was introduced in 2009 as Microsoft Security Essentials. When it first launched, it was a slow and ineffective pile of garbage. In those days, you almost had to rely on a third-party antivirus suite to get proper protection for Windows, especially on XP, which had horrible security issues.

These days, Windows 10 and 11 are a far cry from the security issues that plagued previous versions of Windows, though they’re far from perfect. I will say that Microsoft has made leaps and bounds with security and is continuing to make Defender even better. In the 22H2 update, they introduced Smart App Control, which further increases its defensive capabilities.

This guide covers how to harden Defender. If you use a third-party suite like ESET or Bitdefender, you can skip much of what is written in this section of the Windows hardening guide. The third-party solutions have their own security features built in that are usually really good and locked down as is. If you go with an internet security suite, you’ll get things like AV, a firewall, anti-tamper, password management, etc.

If you want to stick with Defender, you don’t have to pay extra. There’s one point to keep in mind, though: a security suite runs at the kernel level and can see everything you do on your computer. Microsoft can already see everything you do with your computer; if you run a third-party solution, you are trusting yet another party with all your personal information. If you decide to go with a third-party solution, do your due diligence: make sure they’re legitimate and read the privacy policy so you know what they’ll do with your info.

Virus & Threat Protection

This guide is written with the latest stable feature release of Windows 22H2 in mind. If you are running an older version of Windows, you might not see some of the features talked about in this guide.

We’ll start going from top to bottom with Defender. Starting from the home screen, everything should have a green check mark. If something doesn’t, you’ll need to see what Defender wants done.

Let’s start with the virus & threat protection page. Scans are run automatically by Defender. If you suspect that you may have downloaded something infected, or you visited a website and noticed a suspicious popup, you have the option to run a full system scan. Also, if you download something from the internet and aren’t sure about it, you can right-click the file or folder and click “Scan with Microsoft Defender.” The other option, which I recommend instead, is to upload it to VirusTotal, which will have a slew of antivirus engines scan the file.

Next, click on “Manage settings” under virus & threat protection settings. There are a few different options you’ll see here, which I’ll explain.

The first option is real-time protection. This is a critical function of an antivirus, as it is always scanning what is going on with the computer. Many times, if you were to download something infected or you visited an infected website that was trying to do a drive-by malware download, you’ll see a popup from your AV software saying it stopped a threat. That is real-time protection doing its job.

Warning

There are two critical points regarding real-time protection.

The first is that Windows doesn’t scan archives (.zip, .7z, .rar, etc.) automatically when they are downloaded. It will only do so when running a manual scan or when it does an auto-scheduled scan. Many threat actors take advantage of this to spread malware. Archives can also be password protected, which means they’re encrypted, and Defender will not be able to scan the files inside in that case. It’s becoming more common for attackers to send password-protected archives disguised as legitimate files. Once a person puts the password in, opens the archive, and runs the file, the computer is infected and data is lost, stolen, and/or encrypted (ransomware).

The second point is that some threat actors will distribute various types of files that seem legitimate. People will try to run the files and the AV will remove the file because it’s a threat. Those same people will then go to the author, who will then tell people that it’s a false positive, the file is safe, and to turn off real-time protection to run the file. DO NOT do this!

If you work at a business or government agency and need to run what looks like legitimate software and have this issue, consult with your IT department first! In fact, if you work for a business or government agency, don’t attempt to install anything without permission from IT. There are usually policies that prohibit doing otherwise.

👉If you install something without permission and infect the network, you will likely be fired and could be held liable for damages and could even be criminally charged!👈

[Image: Main screen of Windows Defender]

[Image: Main screen of virus & threat detection]

The next options you’ll see are cloud-delivered protection and automatic sample submission. These are critical features that work together symbiotically, though they only work with an internet connection.

The way AV worked many years ago was through daily updates called “signature updates.” These signatures were used by the AV to scan files on a computer to see if there were any infected files. A lot of viruses were able to make it past these signatures when the virus was still new and there wasn’t yet a signature for it. Though that is still the case today, it’s much less so thanks to cloud analysis and improvements to AV heuristics.

With these features enabled, a suspicious file is automatically uploaded to Microsoft for analysis, which checks the file’s metadata and behavior to see if anything is suspicious. This is not a foolproof feature and malware can still make it past it, but it continues to improve over time. One thing to keep in mind is that, according to Microsoft’s documentation, if the file doesn’t come back clean before a defined timeout, it’ll be allowed to run.

The next option you’ll see here is tamper protection. This feature is designed to prevent malware from being able to change security settings in Defender, such as turning off real-time protection. It goes without saying here that while this is a good feature, it has a long way to go.

First, there are plenty of videos and research you can find on the web showing attacks that bypass this feature. Second, it seems odd that it doesn’t protect a user from themselves, i.e. what good is this feature when someone can turn off real-time protection to run a file that is malicious when the user doesn’t even know what they’re doing? Tamper protection in a lot of third party suites seems to be much stronger than what is currently in Defender. I’m hoping this will improve dramatically in Windows 12.

[Image: Main screen of the protection settings page]

The last two options you’ll see are controlled folder access (CFA) and exclusions. We’ll cover CFA shortly. When it comes to exclusions, I’ve seen people post about files that an AV said were infected, and one of the “solutions” that other people will give is to grant an exclusion to a file or an entire folder. This is a bad practice and can allow malware onto your device! Any malware that may be in the file or folder will be allowed to run, and even if those files are clean, a malware infection could happen later down the road through the attack surface that you opened up with the exclusion.
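Added example (not from the guide’s author): a read-only PowerShell audit of the toggles this section walks through (real-time protection, cloud-delivered protection and its timeout, sample submission, tamper protection, exclusions). It assumes an elevated prompt, since newer builds hide exclusions from non-administrators.

```powershell
# Read-only audit of the Defender settings discussed in this section.
# Run from an elevated PowerShell prompt; nothing here changes configuration.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Get-MpPreference reports most switches as small integers; give them names.
$mapsNames   = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$sampleNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }
$cfaNames    = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }
$cloudLevels = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }

# Every exclusion is attack surface; collect them all for review.
$exclusions = @(
    $pref.ExclusionPath      | ForEach-Object { "Path: $_" }
    $pref.ExclusionExtension | ForEach-Object { "Extension: $_" }
    $pref.ExclusionProcess   | ForEach-Object { "Process: $_" }
)

$report = [pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    CloudProtection    = $mapsNames[[int]$pref.MAPSReporting]
    CloudBlockLevel    = $cloudLevels[[int]$pref.CloudBlockLevel]
    # Extra seconds Defender waits for a cloud verdict beyond its default 10 s;
    # once the wait expires the file is allowed to run, as the guide notes.
    CloudExtraTimeoutS = $pref.CloudExtendedTimeout
    SampleSubmission   = $sampleNames[[int]$pref.SubmitSamplesConsent]
    TamperProtection   = $status.IsTamperProtected
    ControlledFolders  = $cfaNames[[int]$pref.EnableControlledFolderAccess]
    SignatureAgeDays   = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
    ExclusionCount     = $exclusions.Count
}
$report | Format-List

# Flag anything that contradicts the guide's advice.
$findings = @()
if (-not $report.RealTimeProtection)  { $findings += 'Real-time protection is OFF' }
if ($pref.MAPSReporting -eq 0)        { $findings += 'Cloud-delivered protection is OFF' }
if ($pref.SubmitSamplesConsent -eq 2) { $findings += 'Automatic sample submission is set to NeverSend' }
if (-not $report.TamperProtection)    { $findings += 'Tamper protection is OFF' }
if ($report.SignatureAgeDays -gt 7)   { $findings += "Signatures are $($report.SignatureAgeDays) days old" }
foreach ($e in $exclusions)           { $findings += "Exclusion widens the attack surface -> $e" }

if ($findings.Count -eq 0) { 'No deviations from the guide found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```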

Going back one screen, you’ll see virus and threat protection updates. Feel free to manually check for updates, though Defender is good about staying updated.

The last option you’ll see is CFA. The premise of this is great, but it has a long way to go before it is good enough to be used as a daily driver feature. Many third party suites have ransomware protection and it does a much better job of staying in the background and not annoying the user.

Microsoft has made improvements to this, but it’s a long way from where it needs to be. It’s entirely your decision whether or not you want to deal with the issues. The feature is designed to prevent ransomware from getting into the protected folders and encrypting files. By default, it protects folders like “My Documents” and “My Pictures,” though you can add anything else you see fit.

It tends to frequently block legitimate apps from being able to run. What you’ll see when that happens is illustrated in the screenshots below. When this happens, you will need to open the CFA section of Defender, add the app as allowed, and many times restart the app for it to work properly.
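Added example (not from the guide’s author): a staged CFA rollout that puts the feature in audit mode first, reviews what it would have blocked, allows the verified apps, and only then enforces. It assumes an elevated prompt; the application and folder paths are placeholders.

```powershell
# Staged Controlled Folder Access rollout: audit, review, allow, enforce.
# Elevated prompt required. Paths below are placeholders to replace.

# Step 1: audit mode records what CFA would block without blocking it.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Use the machine normally for a while, then run steps 2-4.

# Step 2: CFA events land in the Defender operational log.
# 1124 = audited (would have been blocked), 1123 = blocked (enforce mode).
$cfaEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

if (-not $cfaEvents) {
    'No CFA events recorded yet.'
} else {
    # The message names the process and the protected path it touched,
    # which is what you need to decide whether the app is legitimate.
    $cfaEvents | Select-Object TimeCreated, Id, Message | Format-List
}

# Step 3: allow only the apps you have verified. This is what the
# "Allow an app through Controlled folder access" button does in the UI.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\TrustedApp.exe'

# Protect folders beyond the defaults (Documents, Pictures, ...), if wanted.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'

# Step 4: switch to enforce and confirm the resulting configuration.
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessAllowedApplications,
    ControlledFolderAccessProtectedFolders | Format-List
```

Re-run step 2 after enforcing: any new 1123 events are blocks you still have to triage, the same ones the screenshots show as notifications.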

[Image: Main screen of controlled folder access]

[Image: Controlled folder access block notification]

[Image: Controlled folder access protection history]

Account Protection

This section is simple. Windows will try to get you to log in to your Microsoft account for enhanced security. Home users are required to sign in with a Microsoft account during setup, so unless you bypassed that requirement, you’ll typically only see this prompt on Pro editions. The only tangible benefit I’ve seen to this is the option to upload BitLocker recovery keys to your account faster (more on that in the BitLocker section).

There is an option to set up Windows Hello. This requires an account to use. This allows alternate ways to sign in, such as with a fingerprint, facial recognition, etc.

The last option is dynamic lock. This requires a Bluetooth connection to use. You can have your phone synced to the computer, so that when Windows has detected you’ve moved away from the computer, it will automatically be locked. All the features here have significant privacy issues. If you decide to use them, be aware of that.

[Image: Main screen of the account settings page]

Firewall & Network Protection

This section is much more advanced and requires more knowledge about what is going on inside your system in order to effectively use this. By default, Windows Firewall is a pile of garbage and I very strongly recommend using an alternative solution. Read the firewall section of this guide for more info.

Every now and then, Windows Firewall notifications will pop up asking if you want to allow internet access to certain apps. The problem with the default firewall is that many programs write their own rules into the firewall and are just able to get access automatically. If you don’t want to manually control what gets access, that’s not necessarily an issue, but I strongly recommend learning how to properly use a more powerful firewall and be selective about what you give permissions to. If you use a third party suite, the firewalls in them tend to be much better than what Windows has.

App & Browser Control

The next section covers some more advanced features of Defender. The first of them is Smart App Control. This was introduced with the 22H2 update. This feature allows Defender to block malicious or untrusted apps. Their documentation says these are apps that could cause the computer to run slowly, display unexpected ads, offer extra software you didn’t want, or do other unexpected things. It does this by using cloud analysis on files you try to run.

Microsoft says that it will try to make a prediction about the app and, if it can’t, it will check to see if the file has a valid signature. If the signature is invalid or the file is unsigned, it will be blocked. This feature seems like it could be a good extra layer as it is developed. MS is trying to get more developers to obtain valid signatures for their files so they are not blocked by SAC.

There are three options for this: on, evaluation (which figures out whether it can run without getting in the way and, if not, turns itself off), and off. From my limited testing so far, I think this will eventually add a good layer of protection to Windows.

Warning

If you turn this feature off, it can’t be turned back on unless you reinstall Windows. MS has said this is because they don’t want any untrusted apps to already be running when it’s turned on. There hasn’t been word as of yet on whether this will be changed in the future.

In the telemetry section, I go over how to turn off much of Windows spying. If you make those changes, this feature will be disabled. It requires diagnostic data to be enabled, which means there is a tradeoff in privacy in order to use this feature.

[Image: Main screen of the app and browser control page]

The next part of this section is reputation-based protection settings. Inside here, you’ll find options for check apps and files, SmartScreen for Edge, phishing protection, potentially unwanted app blocking, and SmartScreen for MS Store apps. All these options should be enabled.

Something to note here is SmartScreen. This is part of the cloud analysis feature set that Defender uses. For example, if you download an untrusted app, SmartScreen will do a cloud analysis to see if it should run. If you get a SmartScreen popup, don’t just ignore it. Read it and understand what it’s telling you. There is an option to click “more info” and an option to run the file will show up.

If you’ve hardened your system through group policy or by using a hardening tool, the option to run may not even show up. If you want to still run the app, you need to make the determination whether or not it’s safe. Make sure to do your due diligence and verify through multiple sources, such as VirusTotal, whether or not it’s safe. Even if a file shows as clean, it could still have a malicious payload and infect your device.

The next option you’ll see is isolated browsing. This works by using Microsoft Defender Application Guard (MDAG). In order to use this, you have to be running at least the Windows Pro edition. Windows Home can’t use this feature, as it requires Hyper-V, which is part of a built-in virtualization suite. In order for Hyper-V to work, you’ll need to enable virtualization in your BIOS.

MDAG is an excellent feature for browsing the web more securely, and I would like to see MS take advantage of this sandboxing feature by building it into more apps and eventually the entire operating system. For example, macOS has sandboxing for all of its apps, meaning that one app can’t access the files of another app. There are a lot of security issues with apps being able to do this.

If you decide to install MDAG, Edge will become much more secure. You need to keep in mind that there are privacy issues with using Edge though. Refer to the browsers section for more info. A properly configured browser other than Edge will still do great against malware.

When you go to the settings for MDAG, you’ll see multiple options for things like being able to copy and paste from Edge, allowing access to camera and microphone, etc. These are off by default and should stay that way. Enabling any or all of these reduces the effectiveness of the sandboxing feature.

The last page for app and browser control is exploit protection. These are set by default to settings that work well with a typical device. This is an advanced section and you shouldn’t change any settings here unless you really know what you’re doing.

Device Security

This is the last section where changes can be made. The options that you see here are going to vary depending on the hardware that you’re using. If you’ve got a really secure system with the supported hardware, you should see core isolation, security processor, secure boot, and data encryption. If you don’t see any of that, don’t worry. I’ll walk you through what’s going on and how to change that.

At the bottom of whatever options are shown, you’ll see several different messages which are: Standard hardware security not supported, your device meets the requirements for standard hardware security, your device meets the requirements for enhanced hardware security, or your device has all secure-core PC features enabled.

This is where things start to become more complicated, so let’s dig in to what’s going on. In order for standard hardware security to be met, you need to have Trusted Platform Module (TPM) 2.0, Secure Boot enabled, data execution prevention (DEP) enabled, and UEFI MAT (Unified Extensible Firmware Interface Memory Attributes Table). Let’s break down what each of these are.

First, TPM and Secure Boot are very important and complicated features. Refer to the tab that I made specifically for them to get the details. DEP is in the exploit protection menu that we just discussed earlier and should be on by default. MS has described it as being like a coffee shop, where you only allow deliveries through doors designated for them, instead of being able to use whatever door they feel like.

[Image: Main screen of the device security page]

UEFI is also something that can be a complicated topic on its own, but I’ll give a basic rundown here. Many years ago, BIOS menus for motherboards were very basic. As time went on there were a lot of improvements, and today, if you get something like an ASUS ROG motherboard, you’ll have a massive number of features. UEFI made things like that possible, along with being faster, using a different partitioning system, and allowing mouse navigation instead of the keyboard-only legacy BIOS. On the security front, it allowed Secure Boot to be enabled, which has been a very important feature for hindering bootkits. The downside of Secure Boot has been that compatibility with Linux has been spotty at best.

So to sum it up, if you have a motherboard made within the last ten or so years, you should already have UEFI. Then it’s just a matter of enabling TPM and Secure Boot. That’ll give you standard hardware security.

If you want to go a huge step above that though, then let’s go for enhanced hardware security. In order for this to happen, you need to have memory integrity turned on. Memory integrity is also referred to as Hypervisor-protected code integrity (HVCI). In order to do that in the first place, virtualization has to be turned on in your BIOS. Every motherboard manufacturer designs the BIOS to look different and even different models from the same manufacturer can have different layouts, so you’ll need to consult with your user manual for your BIOS manufacturer and model.

For AMD processors, you’ll need to find something called AMD-V. For Intel processors, you need to find Intel VT-x. Once enabled in the BIOS, you’ll have the option to turn on memory integrity in Defender. There’s a lot to unpack with memory integrity, so let’s dive in. This feature adds a huge amount of security to your computer. Malicious apps will often try to load drivers to hijack your system. HVCI uses virtualization to create an isolated environment. This is similar to the sandboxing that I talked about earlier with MDAG.

There can be compatibility issues with memory integrity though. I’ve barely had issues with it, but as an example, let’s say you have a really old graphics card that has to run drivers that came out about ten years ago. If there is incompatibility between the drivers and memory integrity, when you try to boot with it turned on, you’ll have a blue screen crash. Windows will then restart with it turned off. When you go back into the menu to see what’s going on, it will tell you which driver(s) are causing the issue. You can either remove the drivers, which could cause issues, or go without using HVCI.

The second thing to note on this is the performance hit from using it. Intel Kaby Lake processors with mode-based execution control and AMD Zen 2 or newer processors with guest mode execute trap work better with this and have less of a performance impact. That means Intel 7000 series and AMD Ryzen 3000 series and higher have the proper features to use HVCI without a slowdown.

There have been multiple benchmarks and users who have tested and no one seems to come to a consensus on the performance impact. Some say it’s only a couple percent and others say 10% or more, even on the supported hardware. Older processors have to emulate the features listed above and will have a bigger performance impact. When I tested this on older CPUs, I definitely noticed a performance impact, whereas on newer models, it seems very small.

Let’s go through the rest of the features on the core isolation page. The next one is firmware protection. There is a pretty good chance this is off and can’t be turned on. This is a pretty obscure feature right now and it’s related to System Management Mode (SMM). I will update this guide in the future to cover this in more depth, but this is a very complicated topic that will need to be covered with a lot of documentation. If you want to learn more about this in the meantime, feel free to Google “Secured-Core PC.”

The other item you’ll see is the vulnerable driver blocklist. If HVCI, SAC, or Windows S mode is turned on, this will already be enabled. This feature has a blocklist of drivers that have known vulnerabilities, drivers signed with certificates that were used to sign malware, and drivers that circumvent the “Windows Security Model.”
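Added example (not from the guide’s author): a read-only PowerShell check of the building blocks this section describes (TPM 2.0, Secure Boot, DEP, VBS/HVCI, the MBEC/GMET hardware assist, and the vulnerable driver blocklist switch), rolled up using the guide’s own definitions of standard and enhanced hardware security. It assumes an elevated prompt; UEFI MAT is not exposed by these cmdlets, so the roll-up omits it.

```powershell
# Hardware security baseline check, read-only. Run elevated
# (Get-Tpm and Confirm-SecureBootUEFI require it).
$result = [ordered]@{}

# TPM: present, ready, and a 2.0 spec (SpecVersion reads like "2.0, 0, 1.38").
$tpm     = Get-Tpm -ErrorAction SilentlyContinue
$tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
            -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
$result['TpmPresentAndReady'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
$result['Tpm20']              = [bool]($tpmSpec -like '2.0*')

# Secure Boot: the cmdlet throws on legacy BIOS / CSM boots, which is itself the answer.
try   { $result['SecureBoot'] = Confirm-SecureBootUEFI }
catch { $result['SecureBoot'] = 'Not supported (legacy BIOS or CSM mode?)' }

# DEP policy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default), 3 OptOut.
$depPolicy = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$result['DepEnabled'] = $depPolicy -ne 0

# VBS / HVCI state from the DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsNames = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$result['VbsStatus']   = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
# SecurityServicesRunning: 1 Credential Guard, 2 HVCI (memory integrity).
$result['HvciRunning'] = [int[]]$dg.SecurityServicesRunning -contains 2
# AvailableSecurityProperties 7 = Mode Based Execution Control (Intel) / GMET (AMD):
# the hardware assist the guide credits with a smaller HVCI performance hit.
$result['MbecOrGmet']  = [int[]]$dg.AvailableSecurityProperties -contains 7

# Vulnerable driver blocklist switch (turned on automatically with HVCI / SAC / S mode).
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$result['VulnerableDriverBlocklist'] =
    if ($null -ne $ci.VulnerableDriverBlocklistEnable) { $ci.VulnerableDriverBlocklistEnable -eq 1 }
    else { 'Not set (platform default applies)' }

[pscustomobject]$result | Format-List

# Roll-up using the guide's definitions (MAT not checked here).
$standard = $result['TpmPresentAndReady'] -and $result['Tpm20'] -and
            ($result['SecureBoot'] -eq $true) -and $result['DepEnabled']
$enhanced = $standard -and $result['HvciRunning']
"Standard hardware security (TPM 2.0 + Secure Boot + DEP): $standard"
"Enhanced hardware security (+ memory integrity / HVCI): $enhanced"
```

If HvciRunning is false but VbsStatus is Running, memory integrity is the only missing piece; if MbecOrGmet is false, expect the larger performance impact the guide describes on older CPUs.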

Protection History

This is the last section that’s important to pay attention to. If there's anything that gets blocked, this is where you’ll need to come to find out what was going on. Defender will tell you if a program had a virus signature, what the file was, and what it did with it. You’ll have the option to allow blocked items from here, but keep in mind the risk that comes with that.