Windows ships with a built-in security suite called Microsoft Defender — formerly known as Windows Defender — and for most people it provides everything they need to stay protected without paying for a third-party product. That said, the settings are spread across multiple screens inside the Windows Security app, and it is easy to feel lost when you need to do something specific: temporarily disable real-time protection to install a stubborn piece of software, add a folder to the exclusion list, run a targeted scan on a USB drive, or enable the ransomware protection feature that is off by default. This guide covers all of those scenarios step by step. It also explains when Microsoft Defender is sufficient on its own and when a paid antivirus might be worth considering, so you can make an informed decision without relying on guesswork. Whether you are setting up a new Windows PC or troubleshooting a specific Defender behavior, this guide has the answers.
Table of Contents
- What Is Microsoft Defender (Windows Defender)?
- Turning Real-Time Protection On and Off
- Running Virus and Threat Scans
- Exclusion Settings: Removing Folders and Files from Scans
- Firewall Settings
- Reputation-Based Protection (SmartScreen)
- Ransomware Protection with Controlled Folder Access
- Using Third-Party Antivirus Alongside Defender
- Is Microsoft Defender Enough on Its Own?
- Frequently Asked Questions
- Summary
What Is Microsoft Defender (Windows Defender)?
Current Capabilities and Independent Test Results
Microsoft Defender (the product has gone by several names — Windows Defender, Windows Security, Microsoft Defender Antivirus — but they all refer to the same built-in security suite) is included in every copy of Windows 8 and later at no extra cost. Microsoft updates it continuously, and today it covers a much wider range of threats than the early versions did. Its current feature set includes:
- Real-time protection — scans files as they are opened, downloaded, or executed
- Cloud-delivered protection — consults Microsoft's cloud database to identify new and emerging threats not yet in the local signature database
- Ransomware protection — blocks unauthorized apps from modifying files in protected folders
- Firewall — controls inbound and outbound network traffic
- SmartScreen — warns about suspicious websites and unrecognized downloads
Independent testing organizations such as AV-TEST and AV-Comparatives regularly evaluate antivirus products. In recent years, Microsoft Defender has consistently scored in the same range as paid products from Norton, Kaspersky, and Bitdefender — often achieving detection rates in the high 90s or above 99 percent. For everyday personal use, the protection level is genuine, not token.
How to Open Windows Security
All Defender settings live inside the Windows Security app. There are three quick ways to open it.
Option 1 — System tray icon
Click the shield icon in the notification area at the far right of the taskbar.
Option 2 — Start menu search
- Press the Windows key.
- Type Windows Security.
- Click the app in the results.
Option 3 — Settings app
- Press Windows key + I to open Settings.
- Click Privacy and security.
- Click Windows Security.
The Windows Security home screen shows a status summary for every protection category. Green checkmarks mean all is well. Yellow or red indicators mean something needs attention and usually link directly to the affected setting.
Turning Real-Time Protection On and Off
Steps to Disable Real-Time Protection
Real-time protection checks every file that opens, downloads, or runs. You should leave it on at almost all times. The main exception is when an installer is being falsely blocked — for example, if a legitimate application fails to install because Defender flags one of its files as a threat when it is not. In that case, a temporary disable lets the installation finish.
- Open Windows Security.
- Click Virus and threat protection.
- Under "Virus and threat protection settings," click Manage settings.
- Click the toggle under Real-time protection to switch it off.
- Click Yes if User Account Control (UAC) asks for confirmation.
Administrator rights are required. Standard or guest accounts cannot change this setting.
Why It Turns Itself Back On Automatically
If you turn real-time protection off manually, Windows will automatically re-enable it after a short time — typically within a few minutes to around fifteen minutes. This is intentional behavior built into Windows to prevent the PC from remaining unprotected due to an accidental or temporary setting change.
If you need a specific folder or file type permanently excluded from scanning without turning off real-time protection entirely, use the exclusion settings described in the next section. That approach is both safer and more precise than disabling the entire real-time protection layer.
Running Virus and Threat Scans
Quick Scan
A quick scan examines the areas of your system most likely to harbor active malware — memory, startup locations, and common system directories. It typically completes in five to fifteen minutes and is the right choice for a routine check or when you suspect something is wrong but want results fast.
- Open Windows Security.
- Click Virus and threat protection.
- Click Quick scan.
- Wait for the scan to complete.
If threats are found, click Threat history to see details and choose whether to quarantine, remove, or allow each item.
Full Scan
A full scan examines every file on your drives. It is more thorough but can take anywhere from thirty minutes to several hours depending on how much data you have. Running it overnight or when you step away from the PC minimizes disruption.
- Open Windows Security.
- Click Virus and threat protection.
- Click Scan options (located below the Quick scan button).
- Select Full scan.
- Click Scan now.
Your PC remains usable during a full scan, but CPU and disk usage will be noticeably higher. Close any applications you do not need before starting the scan to reduce the performance impact.
Custom Scan for a Specific Folder or Drive
When you plug in a USB drive from an unknown source, or want to check a single downloads folder without scanning the whole system, a custom scan is the quickest option.
- In Windows Security, go to Virus and threat protection.
- Click Scan options.
- Select Custom scan.
- Click Scan now.
- A folder picker dialog will open — navigate to and select the folder or drive you want to scan.
There is a faster shortcut: in File Explorer, right-click any file or folder and choose Scan with Microsoft Defender from the context menu. This launches a custom scan immediately without going through the Windows Security app.
Exclusion Settings: Removing Folders and Files from Scans
When You Need Exclusions
Exclusions tell Defender to skip certain locations entirely — no real-time scanning, no scheduled scan coverage. Use them sparingly and only in clear-cut cases:
- A development tool like Visual Studio, Docker, or a game engine triggers constant false positives that break builds or cause crashes
- Backup or sync software creates many temporary files that get repeatedly scanned, slowing down the system noticeably
- A legitimate game or application file is quarantined incorrectly and reinstalling it keeps triggering the same detection
Exclusions disable protection for those locations. Do not add high-risk folders such as Downloads, the desktop, or any folder where you regularly receive files from external sources. Malware frequently targets those locations specifically because exclusions there are a known attack vector.
How to Add a Folder to the Exclusion List
- Open Windows Security.
- Click Virus and threat protection.
- Under "Virus and threat protection settings," click Manage settings.
- Scroll down to the Exclusions section.
- Click Add or remove exclusions.
- Click Add an exclusion.
- Choose from Folder, File, File type, or Process.
- Navigate to and select the folder you want to exclude.
You can review and remove all active exclusions from the same screen at any time. Review your exclusion list periodically and remove entries that are no longer needed.
A warning about file type exclusions
Excluding an entire file extension such as .exe or .dll is extremely risky. Malware almost always uses these extensions, so blanket extension exclusions effectively create a blind spot that attackers can exploit. If you need to exclude something, use a specific folder path rather than a file type.
Firewall Settings
Checking Whether the Firewall Is On
The Windows Defender Firewall monitors and filters network traffic. It blocks unsolicited inbound connections by default and can also control which apps are allowed to send outbound traffic. Keep it on at all times unless you are running a dedicated network appliance that handles firewall duties instead.
- Open Windows Security.
- Click Firewall and network protection.
- You will see three profiles: Domain network, Private network, and Public network.
Each profile should show Microsoft Defender Firewall is on. If any of them shows a red warning, click that profile and switch the firewall back on.
Allowing a Blocked App Through the Firewall
When an app cannot connect to the internet even though your network is working, the firewall may be blocking it. Here is how to allow it:
- In Windows Security, go to Firewall and network protection.
- Click Allow an app through firewall.
- Click Change settings (administrator rights required).
- Find the app in the list. Check the Private box, the Public box, or both, depending on which network types the app needs to use.
- Click OK.
If the app does not appear in the list, click Allow another app and browse to the application's executable file to add it manually.
Reputation-Based Protection (SmartScreen)
SmartScreen checks files you download and websites you visit against Microsoft's database of known-good and known-bad content. If something is unrecognized or flagged, SmartScreen shows a warning before you can proceed. It is not a substitute for real-time protection, but it adds a meaningful layer of defense at the moment you download or run something new.
To review SmartScreen settings:
- Open Windows Security.
- Click App and browser control.
- Review the Reputation-based protection section.
The main settings and what they do:
| Setting | What it does |
|---|---|
| Check apps and files | Warns when a downloaded app or file is not recognized by Microsoft |
| SmartScreen for Microsoft Edge | Flags phishing sites and malicious downloads in the Edge browser |
| Potentially unwanted app blocking | Blocks adware and bundled software that arrives alongside legitimate installers |
| SmartScreen for Microsoft Store apps | Checks apps installed from the Microsoft Store |
Leave all of these on. Potentially unwanted app blocking is especially worth keeping enabled — bundled adware and browser hijackers are common infection vectors that slipped past older antivirus engines, and SmartScreen catches many of them before they run.
Ransomware Protection with Controlled Folder Access
Ransomware is malicious software that encrypts your files and demands payment for the decryption key. Even a well-configured antivirus can occasionally miss a new ransomware variant. Microsoft Defender's Controlled Folder Access feature adds a second line of defense by preventing any app that is not on your trust list from writing to your most important folders. If ransomware tries to encrypt files in those folders, the write attempt is blocked.
Enabling Controlled Folder Access
- Open Windows Security.
- Click Virus and threat protection.
- Scroll down to the Ransomware protection section and click Manage ransomware protection.
- Switch the Controlled folder access toggle to on.
By default, Controlled Folder Access protects the Documents, Pictures, Music, Videos, and Desktop folders. You can add additional folders to the protected list if you store important data elsewhere.
Adding Trusted Apps to the Allow List
Once Controlled Folder Access is enabled, some legitimate applications may be blocked from writing to protected folders and will show a notification saying access was denied. This is a false positive — the app is safe, but Defender does not recognize it yet. Adding it to the allow list resolves the issue.
- Go to the Ransomware protection screen in Windows Security.
- Click Allow an app through Controlled folder access.
- Click Add an allowed app.
- Choose Recently blocked apps to see what was just blocked, or Browse all apps to locate the app manually.
- Select the app and confirm.
Common apps that sometimes need to be added include backup software, photo editors, code editors, and database tools. Once added, those apps can write to protected folders without triggering Controlled Folder Access.
For more tips on keeping your Windows PC running smoothly, see the guide on fixing a slow PC.
Using Third-Party Antivirus Alongside Defender
When you install a third-party security product such as Norton, ESET, Kaspersky, or Bitdefender, Microsoft Defender's real-time protection automatically disables itself. This is intentional. Two real-time scanning engines running simultaneously fight over the same files, causing significant CPU and disk overhead and sometimes crashing applications. Windows detects the registered third-party product and steps aside.
When you uninstall the third-party product, Microsoft Defender automatically re-enables itself. You do not need to do anything manually.
What to do if Windows Security shows a warning after installing a third-party product
Sometimes Windows Security shows a yellow or red alert saying your antivirus protection is missing or unknown even though the third-party product is installed and running. This usually means the third-party product has not fully registered with the Windows Security Center API yet, or the registration is stale. Restarting the PC typically clears the warning. If it persists, check that the third-party product is up to date and running normally in its own dashboard — if it is, your PC is protected even if Windows Security says otherwise.
Is Microsoft Defender Enough on Its Own?
For the typical home user doing everyday tasks — browsing the web, watching video, working with Office documents, streaming music — Microsoft Defender provides a genuine level of protection that is comparable to paid products. The evidence for this comes from independent labs, not marketing materials.
Key reasons Defender holds up well:
- AV-TEST and AV-Comparatives have rated Microsoft Defender at 99 percent or above on detection of widespread malware in recent testing cycles
- Microsoft pushes daily definition updates, keeping pace with new threats
- Defender integrates directly with Windows Update, meaning OS-level patches and security definitions are applied together
- Its resource footprint is typically lighter than third-party products that run background cloud agents and update services
Situations where a paid product makes sense
- You manage multiple PCs for a family and want a centralized dashboard to monitor all of them
- You conduct frequent online banking or investment transactions and want identity protection or a dedicated banking browser mode
- Your business has compliance requirements (PCI DSS, HIPAA, etc.) that mandate a specific certified product
- You want bundled features such as a VPN, password manager, or dark-web monitoring included in a single subscription
The most honest summary: Defender's weakness is not its detection engine — it is the human behaviors around it. No security software protects against clicking a phishing link, entering credentials on a fake website, or running a file that a stranger emailed you. Pairing Defender with good habits (keeping Windows and apps updated, using unique passwords with a password manager, being skeptical of unexpected links) is more effective than switching to an expensive paid product while keeping risky habits unchanged.
Frequently Asked Questions
Q. Does Microsoft Defender work on Windows 11?
A. Yes. Microsoft Defender is included in Windows 10 and Windows 11 and works identically on both. The app is called Windows Security on both versions. Some screen layouts differ slightly between versions and between different Windows 11 builds, but all the settings described in this guide are available on both.
Q. Is there a way to permanently disable real-time protection without it turning back on?
A. Yes, but it is not recommended. You can prevent automatic re-enablement through Group Policy (gpedit.msc) or by editing the Windows Registry. Both methods carry significant security risk and are intended for managed enterprise environments. If your goal is simply to stop Defender from scanning a specific folder or file type, use the exclusion settings instead — that gives you the same practical result without lowering your overall protection level.
Q. Defender quarantined a file. Should I delete it?
A. First check the details. Go to Virus and threat protection > Protection history and find the quarantined item. If it is a file you did not intentionally download or create, deleting it is the right call. If it looks like a legitimate application file that was incorrectly flagged, click Restore (or Allow) to return it and then consider adding the folder to the exclusion list if the false positive keeps recurring. Quarantined files cannot harm your system — they are isolated — so there is no urgency to delete immediately if you want to investigate first.
Q. Can I use my PC normally while a scan is running?
A. Yes, but performance will be reduced during a full scan. CPU and disk usage rise noticeably, which can slow down other apps. For routine work like web browsing or writing documents, the impact is manageable. For video calls, rendering, gaming, or anything CPU-intensive, it is better to pause the scan or schedule it for a time when the PC is otherwise idle.
Q. How does Microsoft Defender compare to free antivirus apps like Avast or AVG?
A. In detection rate terms, all three are broadly comparable in independent tests. The practical difference is user experience: free versions of Avast, AVG, and similar products frequently display ads, push notifications to upgrade to paid versions, and install additional browser extensions or companion tools during setup. Defender has none of that — it runs silently in the background and integrates directly with Windows without adding extra software. Unless you have a specific reason to prefer a third-party free product, Defender is the more streamlined choice.
Summary
Microsoft Defender is a capable, well-maintained security product that requires no purchase and no extra installation. For most individual users, it provides adequate protection for everyday computing.
The three settings worth checking first on any Windows PC:
- Real-time protection — should always be on; disable only briefly for specific troubleshooting needs
- Exclusions — add only folders you fully trust, and review the list regularly to remove unnecessary entries
- Controlled Folder Access — off by default, worth enabling to protect Documents and other important folders from ransomware
Beyond those, SmartScreen and the firewall are on by default and generally need no changes. If a third-party antivirus is installed, Defender steps aside automatically — no manual action needed either way.
The most effective security posture combines a properly configured Defender with consistent habits: keeping Windows and all applications updated, using strong unique passwords with a password manager, and treating unexpected links or attachments with appropriate skepticism.
