Windows 10’s built-in security software frequently beats paid antivirus programs in independent tests. It recently scored 100 percent from security-research laboratory AV-Test and is arguably all you now need to protect your PC from malware.
Now called Microsoft Defender (rather than Windows Defender), it’s a deceptively simple set of tools that mostly works in the background. Dig into Defender’s settings, however, and you’ll find powerful features that can increase your PC’s protection against the latest threats. We’ll explain how to unlock them.
1. Detect and Remove Hidden Malware
By default, Microsoft Defender's Antivirus component performs a Quick scan of your system every day. This checks only the folders in which threats are most commonly found.
To run a scan manually, either go to Settings > Update & Security > Windows Security or type security in the Start Menu search bar and select the Best Match. Select Virus & threat protection and click Quick scan.
To scan more thoroughly, click Scan options and choose Full scan, which checks every file and program on your PC. Alternatively, select Custom scan, which lets you check specific files and folders for malware.
If you suspect your system is infected, but the other scans don’t find anything, select Microsoft Defender Offline Scan. This targets malware that’s difficult to detect, such as rootkits.
Offline Scan works by rebooting into a safe environment to perform a scan outside of Windows, where hidden malware is unable to run. Save your work before choosing this option, then click Scan now > Scan, and your PC will restart.
The scan takes up to 15 minutes. Don’t panic if your screen goes black for a few seconds, as this is normal. If any malware is found, you’ll be prompted to remove it, but otherwise, your PC will boot back into Windows once the scan is complete.
2. Protect Your Files From Ransomware
Ransomware can cause serious problems on your PC, encrypting your files and folders and demanding payment to unlock them with no guarantee that the decryptor will work.
It’s strange then that Defender’s ransomware protection is switched off by default, presumably to stop legitimate programs from being blocked. Fortunately, the feature is easy to enable.
On the Virus & threat protection screen, scroll down to Ransomware protection and click Manage ransomware protection.
Click the switch under Controlled folder access to turn the option on. This will protect your Pictures, Documents, Videos, Music, and Desktop folders, but you can supplement these by clicking Protected folders, then Add a protected folder.
You can’t remove protection from pre-selected folders, but you can let specific programs access them by clicking Allow an app through controlled folder access.
3. Automatically Block the Latest Malware
Microsoft Defender offers real-time protection against malware, detecting and blocking known threats using constantly updated virus definitions.
It also safeguards your system against threats that have yet to be identified through a feature called Cloud-delivered protection, formerly known as Microsoft Active Protection Service (MAPS). This uploads details of suspicious files to Microsoft, to determine whether they’re safe.
The feature is enabled by default, but it’s worth checking in case it’s been turned off by another security program or hidden malware. You should see a warning if this is the case.
On the Virus & threat protection screen, click Manage settings under Virus & threat protection settings and switch on Cloud-delivered protection if it’s not already active.
You should also turn on Automatic sample submission to submit suspicious files to Microsoft for further analysis. This may sound like a privacy risk, but it will only upload program files automatically. If a file could contain personal information, you’ll be asked for permission before it’s sent.
If Microsoft detects that a file is dangerous, it will be blocked not only on your PC but also on other Microsoft Defender users' systems. Think of it as doing your bit for the security community.
4. Block Unrecognized and Unwanted Apps
The May 2020 Update added protection against potentially unwanted programs (PUPs) to Windows Security (in the past, blocking this junk required using a PowerShell command) to complement its existing SmartScreen feature.
To ensure these tools are offering maximum protection, select App & browser control in Windows Security. Click Turn on under Reputation-based protection if prompted, then click Reputation-based protection settings.
The Check apps and files option uses Microsoft Defender SmartScreen to stop unrecognized and untrustworthy programs running on your PC. Although it sometimes blocks legitimate software (which you can choose to run anyway), this should be enabled. However, unless you use Edge, the second SmartScreen option can be switched off.
Under Potentially unwanted app blocking, ensure that Block apps and Block downloads are both selected to prevent bundled junk from being installed alongside other software.
5. Configure Defender’s Firewall Settings
Windows Defender Firewall automatically blocks incoming and outgoing security threats, so long as it’s properly configured. Click Firewall & network protection in Windows Security and ensure that the Domain, Private, and Public options are all switched on.
The firewall uses "rules" against which all internet traffic is checked. To define your own rules, click Advanced settings and select either Inbound Rules to control data coming into your PC or Outbound Rules to manage data heading out to the network and internet.
You can block specific ports to protect against risky types of web traffic, for example, port 21, which manages file transfers (FTP):
- Select Inbound Rules and, in the right-hand sidebar, click New Rule.
- In the New Inbound Rule Wizard, select Port and click Next.
- Enter 21 in the Specific local ports box and click Next.
- On the following screen, select Block the connection, and click Next twice.
- Give the rule a name such as Block incoming file transfers, and click Finish to apply it.
If you experience any problems with a rule you’ve created, select it, and choose either Disable Rule or Delete.
6. Access Defender’s Advanced Settings with ConfigureDefender
Microsoft Defender has many advanced settings that you can’t access via Windows Security but need to unlock via complicated PowerShell commands. This is where ConfigureDefender comes in useful.
This free tool provides a graphical user interface for all Defender's settings, which gives you complete control over your system security. You can easily enable and disable any options you want, from basic settings such as scanning all downloads and attachments to advanced tweaks such as blocking potentially dangerous Office macros and programs on USB sticks.
ConfigureDefender is very easy to use, with one-click options that apply Default, High, or Max protection to Microsoft Defender. You’ll need to restart your PC for its changes to take effect.
Strengthen Microsoft Defender’s Defenses
Although you can leave Microsoft Defender to do its job without changing any settings, there are clear benefits to enabling options that are switched off by default. Not only will this increase your protection against the latest threats, but it means you can customize your security to suit your needs.
Of course, you don’t have to stick with Window 10’s built-in software if you’d prefer to trust a different company to defend your PC. There are plenty of other reliable and free security suites for Windows that are worth considering.