Decoding Microsoft Defender’s hidden settings

Ask someone what antivirus software they use and you’ll probably get a near-religious argument about which one they have installed. Antivirus choices are often about what we trust — or don’t — on our operating system. I’ve seen some Windows users indicate they would rather have a third-party vendor watch over and protect their systems. Others, like me, view antivirus software as less important these days; it matters more that your antivirus vendor can handle Windows updating properly and won’t cause issues.

Still others rely on Microsoft Defender. It's been around in one form or another since Windows XP.

Defender recently had a zero-day issue that was silently fixed. As a result, I instructed many users to check which version of Defender they have installed. (To check: click on Start, then on Settings, then on Update and security, then on Windows Security, then Open Windows Security. Now look for the gear (settings) icon and select About.)

There are four lines of information here. The first gives you the Antimalware Client Version number. The second gives you the Engine version. The third gives you the Antivirus version number. And the final number is the Antispyware version number. But what does it mean when Defender says its Engine version, Antivirus version and Antispyware version are 0.0.0.0? It may mean that you have a third-party antivirus installed; it’s taking over for Defender, which is thus properly shut off. Some people thought their “on demand” antivirus vendor was merely a scan-only tool, with Defender still the main antivirus tool. But if the third-party scanning tool is registered as a real-time antivirus, it will be the operative software on your system.
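The same four values can be read without clicking through the Settings app. The following is an added example, not from the original article: it uses the built-in `Get-MpComputerStatus` cmdlet (the property names are the cmdlet’s own) and, if the engine version comes back as 0.0.0.0, asks Windows Security Center which antivirus product has registered itself. The `productState` decoding is the commonly used interpretation of that bitfield, not something Microsoft documents.

```powershell
# Added example (not from the article): the four "About" values, read via PowerShell.
$status = Get-MpComputerStatus

[pscustomobject]@{
    'Antimalware Client Version' = $status.AMProductVersion
    'Engine Version'             = $status.AMEngineVersion
    'Antivirus Version'          = $status.AntivirusSignatureVersion
    'Antispyware Version'        = $status.AntispywareSignatureVersion
    'Running Mode'               = $status.AMRunningMode   # e.g. Normal, Passive Mode, Not running
} | Format-List

# The "all zeros" case the article describes: Defender has stepped aside because another
# real-time AV registered with Windows Security Center. Confirm by listing registered products.
if ($status.AMEngineVersion -eq '0.0.0.0') {
    Write-Host 'Defender engine reports 0.0.0.0 - listing products registered with Security Center:'

    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            # productState is a bitfield; the middle byte of its hex form is the commonly used
            # "real-time protection enabled" indicator (10/11 = on, 00/01 = off). Assumption,
            # not an official Microsoft contract.
            $hex      = '{0:X6}' -f $_.productState
            $realtime = if ($hex.Substring(2, 2) -in '10', '11') { 'On' } else { 'Off' }

            [pscustomobject]@{
                Product        = $_.displayName
                RealTimeActive = $realtime
                Executable     = $_.pathToSignedProductExe
            }
        } | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell window; on a machine where a third-party product owns real-time protection you should see that product listed with real-time protection on and Defender in passive mode or not running.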

Defender involves more than just checking bad files and downloads. It offers a variety of settings most users don’t check on a regular basis — or even know about. Some are exposed in the GUI. Others rely on third-party developers to deliver additional guidance and understanding. One such option is the ConfigureDefender tool on the GitHub download site. (ConfigureDefender exposes all of the settings you can use via PowerShell or the registry.)

As noted on the ConfigureDefender site, different versions of Windows 10 provide different tools for Defender. All Windows 10 versions include Real-time Monitoring; Behavior Monitoring; scans of all downloaded files and attachments; Reporting Level (MAPS membership level); Average CPU Load while scanning; Automatic Sample Submission; Potentially unwanted application checks (called PUA Protection); a base Cloud Protection Level (Default); and a base Cloud Check Time Limit. With the release of Windows 10 1607, the “block at first sight” setting was introduced. With version 1703, more granular tiers of Cloud Protection Level and Cloud Check Time Limit were added. And starting with 1709, Attack Surface Reduction, Cloud Protection Level (with extended levels for Windows Pro and Enterprise), Controlled Folder Access and Network Protection showed up.
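Every setting in that list maps to a property of the built-in `Get-MpPreference` cmdlet, which is what ConfigureDefender reads and writes under the hood. The script below is an added example (not from the article or from the ConfigureDefender project) that prints each of those settings with its numeric value translated to the meaning Microsoft’s `Set-MpPreference` documentation gives it; the lookup tables are commentary I added, the property names are the cmdlet’s own.

```powershell
# Added example (not from the article): dump the baseline Defender settings the article lists.
$p = Get-MpPreference

# Value-to-meaning tables, per the Set-MpPreference parameter documentation.
$mapsLevels   = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$sampleLevels = @{ 0 = 'Always prompt'; 1 = 'Send safe samples'; 2 = 'Never send'; 3 = 'Send all samples' }
$puaLevels    = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }
$cloudLevels  = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'High+'; 6 = 'Zero tolerance' }
$cfaLevels    = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }
$npLevels     = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }

function Describe($table, $value) {
    $v = [int]$value
    if ($table.ContainsKey($v)) { "$v ($($table[$v]))" } else { "$v (unknown)" }
}

[ordered]@{
    # Present in every Windows 10 release (the "Disable*" flags are inverted on purpose).
    'Real-time Monitoring'            = -not $p.DisableRealtimeMonitoring
    'Behavior Monitoring'             = -not $p.DisableBehaviorMonitoring
    'Scan downloaded files (IOAV)'    = -not $p.DisableIOAVProtection
    'Reporting Level (MAPS)'          = Describe $mapsLevels   $p.MAPSReporting
    'Average CPU Load while scanning' = "$($p.ScanAvgCPULoadFactor)%"
    'Automatic Sample Submission'     = Describe $sampleLevels $p.SubmitSamplesConsent
    'PUA Protection'                  = Describe $puaLevels    $p.PUAProtection
    'Cloud Protection Level'          = Describe $cloudLevels  $p.CloudBlockLevel
    'Cloud Check Time Limit (+sec)'   = $p.CloudExtendedTimeout
    # 1607+
    'Block at First Sight'            = -not $p.DisableBlockAtFirstSeen
    # 1709+
    'Controlled Folder Access'        = Describe $cfaLevels    $p.EnableControlledFolderAccess
    'Network Protection'              = Describe $npLevels     $p.EnableNetworkProtection
    'ASR rules configured'            = @($p.AttackSurfaceReductionRules_Ids).Count
} | Format-Table -AutoSize
```

On a default consumer install you will typically see Cloud Protection Level at 0 (Default), PUA Protection and Network Protection at 0, Controlled Folder Access at 0 and no ASR rules configured, which is exactly the gap ConfigureDefender is meant to surface.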

As you scroll through the tool, you’ll notice a section that covers control for Microsoft’s Attack Surface Reduction (ASR) rules. You’ll also note that many of them are disabled. These are among the most overlooked settings in Microsoft Defender. While you will need an Enterprise license to fully expose monitoring across your network, even standalone computers and small businesses can take advantage of these settings and protections. As noted in a recent document, Microsoft Defender Attack Surface Reduction recommendations, there are several settings that should be safe for most environments.
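A way to see that “many of them are disabled” for yourself, and to switch a rule on safely, follows as an added example (not from the article, Microsoft’s recommendations document, or ConfigureDefender). `Get-MpPreference` exposes the configured ASR rules as two parallel arrays, `AttackSurfaceReductionRules_Ids` and `AttackSurfaceReductionRules_Actions`; a rule that is absent from the list is off. The six rule GUIDs are Microsoft’s published identifiers for those rules and should be checked against the current ASR rules reference before use; the rule-name and action-name tables are mine.

```powershell
# Added example (not from the article): report the state of a handful of ASR rules and show how
# to enable one in audit mode first. Run elevated.

# Microsoft's published rule GUIDs (verify against the current ASR rules reference).
$knownRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
# AttackSurfaceReductionRules_Actions values, per Set-MpPreference documentation.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$p       = Get-MpPreference
$ids     = @($p.AttackSurfaceReductionRules_Ids)
$actions = @($p.AttackSurfaceReductionRules_Actions)

# Rebuild the parallel arrays into a GUID -> action lookup.
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $configured[$ids[$i].ToUpper()] = [int]$actions[$i]
}

$report = foreach ($id in $knownRules.Keys) {
    $state = if ($configured.ContainsKey($id)) { $actionNames[$configured[$id]] } else { 'Not configured (off)' }
    [pscustomobject]@{ State = $state; Rule = $knownRules[$id]; Id = $id }
}
$report | Sort-Object State | Format-Table -AutoSize

# Enable a rule in audit mode before blocking: Defender then logs what *would* have been blocked
# (event ID 1122; 1121 is an actual block) without interrupting anyone. Add-MpPreference appends
# to the rule list, whereas Set-MpPreference replaces it wholesale.
# Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
#                  -AttackSurfaceReductionRules_Actions AuditMode

# Review what the rules have logged so far (empty until a rule is in audit or block mode).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Running a rule in audit mode for a week or two and reviewing the 1122 events is the practical way to confirm that a recommended rule is “safe for most environments” in your particular environment before flipping it to block.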