Sep 07, 2020. Jul 13, 2020.
Applies to:
Overview
Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using Microsoft Defender ATP together with your antivirus protection.
- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (In passive mode, Microsoft Defender Antivirus does not provide real-time protection or remediate threats.)
- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have EDR in block mode (currently in preview) enabled, then whenever a malicious artifact is detected, Microsoft Defender ATP takes action to block and remediate the artifact.
Antivirus and Microsoft Defender ATP
The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together with or without Microsoft Defender ATP.
Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Microsoft Defender Antivirus state |
---|---|---|---|
Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
Windows 10 | Microsoft Defender Antivirus | No | Active mode |
Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[1] |
Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[1] |
Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode |
Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode |
[1] On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019 to prevent problems caused by having multiple antivirus products installed on a machine.
If you are using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- Name: ForceDefenderPassiveMode
- Type: REG_DWORD
- Value: 1
See Microsoft Defender Antivirus on Windows Server 2016 and 2019 for key differences and management options for Windows Server installations.
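The following PowerShell is an added example, not part of the original documentation: it reads the ForceDefenderPassiveMode value described above, can set it to 1, and compares it with the state Microsoft Defender Antivirus reports. The function names are hypothetical, and it assumes the Defender cmdlets are installed and that `Get-MpComputerStatus` exposes the `AMRunningMode` property (present on current platform versions).

```powershell
# Added example (not Microsoft's script). Run from an elevated PowerShell prompt.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$ValueName  = 'ForceDefenderPassiveMode'

function Get-PassiveModePolicy {
    # Returns the configured DWORD, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.$ValueName
}

function Set-PassiveModePolicy {
    # Writes ForceDefenderPassiveMode = 1 (REG_DWORD); supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Set REG_DWORD to 1')) {
        if (-not (Test-Path -Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
        New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-DefenderModeReport {
    $policy = Get-PassiveModePolicy
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $mode   = if ($status) { [string]$status.AMRunningMode } else { $null }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyValue      = $policy
        RunningMode      = $mode
        RealTimeEnabled  = if ($status) { $status.RealTimeProtectionEnabled } else { $null }
        # Assumption: a passive state is reported with "Passive" in AMRunningMode.
        PolicyNotApplied = ($policy -eq 1) -and ($mode -notmatch 'Passive')
    }
}

Get-DefenderModeReport | Format-List
```

Run `Set-PassiveModePolicy -WhatIf` first to see the change without writing it; a report with `PolicyNotApplied` set to True means the value is 1 but Defender is not reporting a passive state.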
Important
Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as System Center Endpoint Protection, which is managed through Microsoft Endpoint Configuration Manager.
Windows Defender is also offered for consumer devices on Windows 8.1 and Windows Server 2012, although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
Functionality and features available in each state
The following table summarizes the functionality and features that are available in each state:
State | Real-time protection and cloud-delivered protection | Limited periodic scanning availability | File scanning and detection information | Threat remediation | Security intelligence updates |
---|---|---|---|---|---|
Active mode | Yes | No | Yes | Yes | Yes |
Passive mode | No | No | Yes | No | Yes |
EDR in block mode enabled | No | No | Yes | Yes | Yes |
Automatic disabled mode | No | Yes | No | No | No |
- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
- When EDR in block mode (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
Keep the following points in mind
If you are enrolled in Microsoft Defender ATP and you are using a third-party antimalware product, then passive mode is enabled because the service requires common information sharing from the Microsoft Defender Antivirus service in order to properly monitor your devices and network for intrusion attempts and attacks.
When Microsoft Defender Antivirus is automatically disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable limited periodic scanning, which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
In passive mode, you can still manage updates for Microsoft Defender Antivirus; however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode.
Warning
You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the Windows Security app.
Applies to:
- Windows 10
- Windows 10 Mobile
- Microsoft Edge
Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
Microsoft Defender SmartScreen determines whether a site is potentially malicious by:
- Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution.
Benefits of Microsoft Defender SmartScreen
Microsoft Defender SmartScreen provides an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
- Anti-phishing and anti-malware support. Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks.
- Reputation-based URL and app protection. Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
- Operating system integration. Microsoft Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
- Improved heuristics and diagnostic data. Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
- Management through Group Policy and Microsoft Intune. Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings.
- Blocking URLs associated with potentially unwanted applications. In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see Detect and block potentially unwanted applications.
Important
SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
Submit files to Microsoft Defender SmartScreen for review
If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can submit a file to Microsoft for review. For more info, see Submit files for analysis.
When submitting Microsoft Defender SmartScreen products, make sure to select Microsoft Defender SmartScreen from the product menu.
Viewing Microsoft Defender SmartScreen anti-phishing events
Note
No SmartScreen events will be logged when using Microsoft Edge version 77 or later.
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as Event 1035 - Anti-Phishing.
Viewing Windows event logs for Microsoft Defender SmartScreen
Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
The Windows event log for SmartScreen is disabled by default. Users can use the Event Viewer UI to enable the log, or use the command line to enable it:
Note
For information on how to use the Event Viewer, see Windows Event Viewer.
EventID | Description |
---|---|
1000 | Application Windows Defender SmartScreen Event |
1001 | Uri Windows Defender SmartScreen Event |
1002 | User Decision Windows Defender SmartScreen Event |
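The following PowerShell is an added example, not part of the original documentation: it enables the Microsoft-Windows-SmartScreen/Debug log from the command line and lists the three event IDs from the table above. The function names are hypothetical, and the `wevtutil sl ... /e:true` invocation is the standard way to enable a channel rather than a command quoted from this page.

```powershell
# Added example (not Microsoft's script). Run from an elevated PowerShell prompt.
$LogName = 'Microsoft-Windows-SmartScreen/Debug'

# Event IDs and descriptions taken from the table above.
$EventKinds = @{
    1000 = 'Application Windows Defender SmartScreen Event'
    1001 = 'Uri Windows Defender SmartScreen Event'
    1002 = 'User Decision Windows Defender SmartScreen Event'
}

function Enable-SmartScreenLog {
    # The log is disabled by default; enable it only if it is not already on.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    if (-not $log.IsEnabled) {
        wevtutil sl $LogName /e:true
        if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    }
}

function Get-SmartScreenEvent {
    param([int]$MaxEvents = 500)
    # Debug and analytic channels must be read oldest-first, so -Oldest is required.
    Get-WinEvent -LogName $LogName -Oldest -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $EventKinds.ContainsKey([int]$_.Id) } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Kind        = $EventKinds[[int]$_.Id]
                UserSid     = $_.UserId
                Message     = $_.Message
            }
        }
}

Enable-SmartScreenLog
Get-SmartScreenEvent |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, Kind, UserSid -AutoSize
```

An empty result is expected on hosts where browsing happens in Microsoft Edge version 77 or later, since the page states that no SmartScreen events are logged there.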