Microsoft Defender Antivirus in Windows Overview

Microsoft Defender Antivirus is available in Windows 10 and Windows 11, and in versions of Windows Server.

Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your device and in the cloud.

Tip

As a companion to this article, see our Security Analyzer setup guide to review best practices and learn to fortify defenses, improve compliance, and navigate the cybersecurity landscape with confidence. For a customized experience based on your environment, you can access the Security Analyzer automated setup guide in the Microsoft 365 admin center.

Prerequisites

Supported operating systems

  • Windows

Microsoft Defender Antivirus capabilities

Microsoft Defender Antivirus provides anomaly detection, a layer of protection for malware that doesn't fit any predefined pattern. Anomaly detection monitors process creation events and files that are downloaded from the internet. Through machine learning and cloud-delivered protection, Microsoft Defender Antivirus can stay one step ahead of attackers. Anomaly detection is on by default and can help block attacks such as the one described in the 3CX Security Alert for Electron Windows App. Microsoft Defender Antivirus started blocking this malware four days before the attack was registered in VirusTotal.

Modern malware requires modern solutions. In 2015, Microsoft Defender Antivirus moved away from a static signature-based engine to a model that uses predictive technologies such as machine learning, applied science, and artificial intelligence. This switch is what's necessary to keep you and your organization safe from the complexity of today's ever-evolving malware landscape.

Microsoft Defender Antivirus can block almost all malware at first sight, in milliseconds.

We designed our antivirus solution to work in both online and offline scenarios. For offline scenarios, the latest dynamic intelligence from the Intelligent Security Graph is provisioned to the endpoint regularly throughout the day. When connected to the cloud, real-time intelligence is fed from the Intelligent Security Graph.

Microsoft Defender Antivirus can also stop threats based on their behaviors and process trees, even when the threat has started execution. A common example of these kinds of attacks is fileless malware. Microsoft's next-generation protection features work together to identify and block malware based on abnormal behavior. To learn more, see Behavioral blocking and containment.

Compatibility with other antivirus products

If you're using a non-Microsoft antivirus/antimalware product on your device, you might be able to run Microsoft Defender Antivirus in passive mode alongside the non-Microsoft antivirus solution. It depends on the operating system used and whether your device is onboarded to Defender for Endpoint. To learn more, see Microsoft Defender Antivirus compatibility.

Microsoft Defender Antivirus processes and services

The following table summarizes Microsoft Defender Antivirus processes and services. You can view them in Task Manager in Windows.

Process or service: Microsoft Defender Antivirus Core service (MdCoreSvc)
Where to view its status:
- Processes tab: Antimalware Core Service
- Details tab: MpDefenderCoreService.exe
- Services tab: Microsoft Defender Core Service

Process or service: Microsoft Defender Antivirus service (WinDefend)
Where to view its status:
- Processes tab: Antimalware Service Executable
- Details tab: MsMpEng.exe
- Services tab: Microsoft Defender Antivirus

Process or service: Microsoft Defender Antivirus Network Realtime Inspection service (WdNisSvc)
Where to view its status:
- Processes tab: Microsoft Network Realtime Inspection Service
- Details tab: NisSrv.exe
- Services tab: Microsoft Defender Antivirus Network Inspection Service

Process or service: Microsoft Defender Antivirus command-line utility
Where to view its status:
- Processes tab: N/A
- Details tab: MpCmdRun.exe
- Services tab: N/A

Process or service: Microsoft Security Client Policy Configuration Tool
Where to view its status:
- Processes tab: N/A
- Details tab: ConfigSecurityPolicy.exe
- Services tab: N/A

To learn more about the Microsoft Defender Core service, see Microsoft Defender Core service overview.
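The table above gives the service and executable names; the following PowerShell script (an added example, not code from the Microsoft Learn page or from Microsoft) uses those names to check that each component is installed, started, and backed by its process. The service and process names come from the table; the health-check logic and the `$expected` list are this example's own.

```powershell
# Added example: verify that the Defender Antivirus services and processes listed in the
# table are present and running. Names are taken from the table; the check logic is ours.

$expected = @(
    @{ Service = 'MdCoreSvc'; Process = 'MpDefenderCoreService'; Label = 'Microsoft Defender Core Service' },
    @{ Service = 'WinDefend'; Process = 'MsMpEng';               Label = 'Microsoft Defender Antivirus' },
    @{ Service = 'WdNisSvc';  Process = 'NisSrv';                Label = 'Network Realtime Inspection Service' }
)

function Test-DefenderServiceHealth {
    [CmdletBinding()]
    param([array]$Expected = $expected)

    foreach ($item in $Expected) {
        $svc  = Get-Service -Name $item.Service -ErrorAction SilentlyContinue
        $proc = Get-Process -Name $item.Process -ErrorAction SilentlyContinue

        # A service that is absent is reported as NotInstalled rather than as an error,
        # so the report stays readable on platforms that lack one of the components.
        $serviceStatus = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
        $startType     = if ($svc) { [string]$svc.StartType } else { 'N/A' }

        [pscustomobject]@{
            Component      = $item.Label
            ServiceName    = $item.Service
            ServiceStatus  = $serviceStatus
            StartType      = $startType
            ProcessRunning = [bool]$proc
            Healthy        = [bool]($svc -and $svc.Status -eq 'Running' -and $proc)
        }
    }
}

$report = Test-DefenderServiceHealth
$report | Format-Table -AutoSize

# A component that is installed but stopped, or whose process is missing while the service
# reports Running, deserves a closer look: it can mean another antivirus product has taken
# over (see the passive-mode section), a failed platform update, or tampering with the service.
$unhealthy = $report | Where-Object { -not $_.Healthy }
if ($unhealthy) {
    Write-Warning ('Defender components not healthy: ' + (($unhealthy | ForEach-Object ServiceName) -join ', '))
}
```

Run it in an elevated session so that `Get-Process` can see the protected antimalware processes. On a device where Defender Antivirus is in passive mode some of these services are expected to be stopped, so interpret the warning together with the running-mode check described later in this article.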

For Microsoft Endpoint Data Loss Prevention (Endpoint DLP), the following table summarizes processes and services. You can view them in Task Manager in Windows.

Process or service: Microsoft Endpoint DLP service (MDDlpSvc)
Where to view its status:
- Processes tab: MpDlpService.exe
- Details tab: MpDlpService.exe
- Services tab: Microsoft Data Loss Prevention Service

Process or service: Microsoft Endpoint DLP command-line utility
Where to view its status:
- Processes tab: N/A
- Details tab: MpDlpCmd.exe
- Services tab: N/A

Comparing active mode, passive mode, and disabled mode

The following table describes what to expect when Microsoft Defender Antivirus is in active mode, passive mode, or disabled.

Mode: Active mode
What happens: In active mode, Microsoft Defender Antivirus is used as the primary antivirus app on the device. Files are scanned, threats are remediated, and detected threats are listed in your organization's security reports and in your Windows Security app.

Mode: Passive mode
What happens: In passive mode, Microsoft Defender Antivirus isn't used as the primary antivirus app on the device. Files are scanned, and detected threats are reported, but threats aren't remediated by Microsoft Defender Antivirus.

IMPORTANT: Microsoft Defender Antivirus can run in passive mode only on endpoints that are onboarded to Microsoft Defender for Endpoint. See Requirements for Microsoft Defender Antivirus to run in passive mode.

Mode: Disabled or uninstalled
What happens: When disabled or uninstalled, Microsoft Defender Antivirus isn't used. Files aren't scanned, and threats aren't remediated. In general, we don't recommend disabling or uninstalling Microsoft Defender Antivirus.

To learn more, see Microsoft Defender Antivirus compatibility.

Check the state of Microsoft Defender Antivirus on your device

You can use one of several methods, such as the Windows Security app or Windows PowerShell, to check the state of Microsoft Defender Antivirus on your device.

Important

Beginning with platform version 4.18.2208.0 and later: If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" group policy setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it places it into passive mode. In addition, the tamper protection feature allows a switch to active mode but not to passive mode.

  • If "Turn off Windows Defender" is already in place before onboarding to Microsoft Defender for Endpoint, there will be no change and Defender Antivirus will remain disabled.
  • To switch Defender Antivirus to passive mode, even if it was disabled before onboarding, you can apply the ForceDefenderPassiveMode configuration with a value of 1. To place it into active mode, switch this value to 0 instead.

Note the modified logic for ForceDefenderPassiveMode when tamper protection is enabled: once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode, even when ForceDefenderPassiveMode is set to 1.

Use the Windows Security app to check the status of Microsoft Defender Antivirus

  1. On your Windows device, select the Start menu, and begin typing Security. Then open the Windows Security app in the results.

  2. Select Virus & threat protection.

  3. Under Who's protecting me?, choose Manage Providers.

You'll see the name of your antivirus/antimalware solution on the security providers page.

Use PowerShell to check the status of Microsoft Defender Antivirus

  1. Select the Start menu, and begin typing PowerShell. Then open Windows PowerShell in the results.

  2. Type Get-MpComputerStatus.

  3. In the list of results, look at the AMRunningMode row.

    • Normal means Microsoft Defender Antivirus is running in active mode.

    • Passive mode means Microsoft Defender Antivirus is running, but isn't the primary antivirus/antimalware product on your device. Passive mode is only available for devices that are onboarded to Microsoft Defender for Endpoint and that meet certain requirements. To learn more, see Requirements for Microsoft Defender Antivirus to run in passive mode.

    • EDR Block Mode means Microsoft Defender Antivirus is running and Endpoint detection and response (EDR) in block mode, a capability in Microsoft Defender for Endpoint, is enabled. Check the ForceDefenderPassiveMode registry key. If its value is 0, it's running in normal mode; otherwise, it's running in passive mode.

    • SxS Passive Mode means Microsoft Defender Antivirus is running alongside another antivirus/antimalware product, and limited periodic scanning is used.
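The manual check above can be scripted so that the AMRunningMode value, its meaning from the list above, and the ForceDefenderPassiveMode registry value are reported together. The following script is an added example and is not code from the Microsoft Learn page or from Microsoft. It assumes the ForceDefenderPassiveMode value is read from the Defender for Endpoint policy key `HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, a path this article does not state; confirm it against your deployment documentation. The `Get-MpComputerStatus` properties it reads (`AMRunningMode`, `IsTamperProtected`, `AntivirusEnabled`, `RealTimeProtectionEnabled`, `AMProductVersion`) are standard properties of that cmdlet.

```powershell
# Added example: report the Defender Antivirus running mode with its interpretation and,
# for EDR Block Mode, the ForceDefenderPassiveMode registry value as the text describes.
# Assumption (not stated in the article): the value lives under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Get-ForceDefenderPassiveMode {
    # Returns the DWORD as an integer, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'ForceDefenderPassiveMode' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ForceDefenderPassiveMode
}

function Get-DefenderRunningMode {
    $status = Get-MpComputerStatus
    $mode   = [string]$status.AMRunningMode
    $force  = Get-ForceDefenderPassiveMode

    $meaning = switch ($mode) {
        'Normal'           { 'Active mode: Defender Antivirus is the primary antivirus and remediates threats.' }
        'Passive mode'     { 'Passive mode: files are scanned and threats reported, but Defender Antivirus does not remediate them.' }
        'SxS Passive Mode' { 'Running alongside another antivirus product; limited periodic scanning is used.' }
        'EDR Block Mode'   {
            # Rule from the text: a value of 0 means normal mode, any other value means passive mode.
            if ($null -eq $force)  { 'EDR in block mode; ForceDefenderPassiveMode is not set, so confirm the intended mode from policy.' }
            elseif ($force -eq 0)  { 'EDR in block mode; ForceDefenderPassiveMode is 0, so antivirus runs in normal mode.' }
            else                   { 'EDR in block mode; ForceDefenderPassiveMode is non-zero, so antivirus runs in passive mode.' }
        }
        default            { "Unrecognised AMRunningMode value '$mode'; see the Get-MpComputerStatus reference." }
    }

    $forceDisplay = if ($null -eq $force) { 'NotSet' } else { $force }

    [pscustomobject]@{
        AMRunningMode             = $mode
        Meaning                   = $meaning
        ForceDefenderPassiveMode  = $forceDisplay
        IsTamperProtected         = $status.IsTamperProtected
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        PlatformVersion           = $status.AMProductVersion
    }
}

Get-DefenderRunningMode | Format-List
```

The report deliberately shows the registry value and the observed mode side by side: as the Important note above explains, once tamper protection has allowed a switch to active mode the device stays active even if ForceDefenderPassiveMode is later set to 1, so the two can legitimately disagree, and the platform version tells you whether the 4.18.2208.0 behavior applies.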

Tip

To learn more about the Get-MpComputerStatus PowerShell cmdlet, see the reference article Get-MpComputerStatus.

Tip

Performance tip: Due to a variety of factors (examples listed below), Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:

  • Top paths that impact scan time
  • Top files that impact scan time
  • Top processes that impact scan time
  • Top file extensions that impact scan time
  • Combinations – for example:
    • top files per extension
    • top paths per extension
    • top processes per path
    • top scans per file
    • top scans per file per process

You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See Performance analyzer for Microsoft Defender Antivirus.
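The following script is an added example of the workflow described above and is not code from the Microsoft Learn page or from Microsoft. It assumes the Performance analyzer cmdlets `New-MpPerformanceRecording` and `Get-MpPerformanceReport`, which ship with the Defender PowerShell module but are not named in this article, and it uses `-Top...` parameters that correspond to the views listed above (top paths, files, processes, extensions and the combination views). The recording path and duration are example values.

```powershell
# Added example: record Defender Antivirus scan activity for a fixed window, then produce
# the "top" views listed in the text. Assumes the Performance analyzer cmdlets are available.
# Run from an elevated PowerShell session while reproducing the slow workload.

$RecordingPath = Join-Path $env:TEMP 'defender-perf.etl'   # example location
$Seconds       = 60                                          # example duration

function Invoke-DefenderPerformanceTriage {
    param(
        [string]$Path    = $RecordingPath,
        [int]   $Seconds = $Seconds,
        [int]   $Top     = 10
    )

    # 1. Capture scan activity for the given window.
    New-MpPerformanceRecording -RecordTo $Path -Seconds $Seconds

    # 2. Single-dimension views: paths, files, processes and extensions that impact scan time.
    Write-Host "== Top $Top paths / files / processes / extensions =="
    Get-MpPerformanceReport -Path $Path -TopPaths $Top -TopFiles $Top -TopProcesses $Top -TopExtensions $Top

    # 3. Combination views from the text.
    Write-Host '== Top files per extension =='
    Get-MpPerformanceReport -Path $Path -TopExtensions 5 -TopFilesPerExtension 5

    Write-Host '== Top paths per extension =='
    Get-MpPerformanceReport -Path $Path -TopExtensions 5 -TopPathsPerExtension 5

    Write-Host '== Top processes per path =='
    Get-MpPerformanceReport -Path $Path -TopPaths 5 -TopProcessesPerPath 5

    Write-Host '== Top scans per file =='
    Get-MpPerformanceReport -Path $Path -TopFiles 5 -TopScansPerFile 5

    Write-Host '== Top scans per file per process =='
    Get-MpPerformanceReport -Path $Path -TopProcesses 5 -TopFilesPerProcess 3 -TopScansPerFilePerProcess 3
}

Invoke-DefenderPerformanceTriage
```

Treat the report as evidence for a targeted change rather than a reason to add broad exclusions: a single build-output path or a log file that is rewritten constantly usually explains most of the scan time, and a narrow exclusion for it keeps the rest of the device fully protected.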

Get your antivirus/antimalware platform updates

It's important to keep Microsoft Defender Antivirus (or any antivirus/antimalware solution) up to date. Microsoft releases regular updates to help ensure that your devices have the latest technology to protect against new malware and attack techniques. To learn more, see Manage Microsoft Defender Antivirus updates and apply baselines.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.