Microsoft Defender for Endpoint explained


What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is an anti-malware solution for Windows systems and works hand in hand with Microsoft ATP, which is a post-breach solution.

An anti-malware product (often also called anti-virus) is software that detects, stops, and removes different types of malware. There are two forms of malware detection. The simplest form is signature-based detection, which works by looking for certain known fragments of malware in files. This type of detection is easy to evade through techniques called ghostwriting, where malware authors add or change small portions of code in order to change the malware’s signature while keeping all of its functionality.

To avoid evasion and fight against new and unknown malware, heuristics-based detection is used. Unlike signature-based detection, this type of detection looks for suspicious behavior in software rather than just signatures. Microsoft Defender incorporates both of these detection methods as well as other features to identify potentially malicious programs. Here I’m going to give a breakdown of Microsoft Defender for Endpoint’s main features:

Scanning
This is the simplest form of malware protection. Running a scan with Defender passively looks through files, depending on the chosen scan type, and searches for malware. The advantage of a scan is that it will generally look through more files than other types of protection. The disadvantage is that it does not run actively, which means that it will not, for example, stop a virus from being downloaded.

There are different types of scans you can run:

  • Quick scan only looks through the most common malware locations.

  • Full scan looks through all files on your hard drive and generally takes a very long time.

  • Custom scan looks through a location of your choice, such as a specific file or removable drive.

  • Windows Defender Offline scan restarts the computer and performs a scan outside of the usual Windows environment.
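The four scan types above, driven from PowerShell with the Defender cmdlets that ship with Windows, as an added example (not code from the original article). It assumes an elevated session on a machine with the Defender module present; the removable-drive letter is a constructed placeholder.

```powershell
# Added example (not from the original article): run each scan type described
# above and report when the last scans finished. Assumes an elevated session;
# the scan path below is a constructed placeholder.

function Get-LastScanSummary {
    # Get-MpComputerStatus records when each scan type last completed and how
    # old the signature set is, which is the first thing to check after a scan.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        LastQuickScan      = $s.QuickScanEndTime
        LastFullScan       = $s.FullScanEndTime
        SignatureAgeDays   = $s.AntivirusSignatureAge
    }
}

# 1. Quick scan: the common malware locations only; finishes in minutes.
Start-MpScan -ScanType QuickScan

# 2. Full scan: every file on local drives. It can take hours, so start it
#    as a background job and read Get-MpComputerStatus later.
Start-MpScan -ScanType FullScan -AsJob

# 3. Custom scan: a single path, for example a freshly mounted removable drive.
$target = 'E:\'   # constructed placeholder for a removable drive letter
if (Test-Path $target) {
    Start-MpScan -ScanType CustomScan -ScanPath $target
}

# 4. Offline scan: reboots into the Windows Defender Offline environment, so
#    save work first. Left commented so the script does not reboot on its own.
# Start-MpWDOScan

Get-LastScanSummary | Format-List
```

Start-MpScan returns once the quick or custom scan completes; the full scan runs as a CIM job, so its end time only appears in Get-MpComputerStatus after the job finishes.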

Real Time Protection

Unlike passive scanning, real-time protection actively looks for malware about to be downloaded, copied, or executed. While actively scanning for malware in real time does require extra resources, it is invaluable in stopping malware before it can be downloaded or executed. To use this feature you simply need to turn it on in the Defender settings.

Ransomware Protection

The ransomware protection feature in Defender allows you to specify folders that only trusted applications can access. This prevents the files in those folders from being encrypted by a ransomware attack. The disadvantage of protecting a folder in this way is that scripting languages such as PowerShell and applications not in the trusted applications list will not be able to modify the files in those folders.
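The setting above is what Defender calls controlled folder access. The added example below (not code from the original article) shows the weak and corrected settings, adds a protected folder and a trusted application, and pulls the block and audit events so the PowerShell-gets-blocked drawback can be discovered before enforcement. It requires an elevated session; the folder and application paths are constructed placeholders.

```powershell
# Added example (not from the original article): configure ransomware
# protection (controlled folder access) and review what it blocked.
# Requires an elevated session. Paths below are constructed placeholders.

$protectedFolder = 'D:\Finance'                       # constructed
$trustedApp      = 'C:\Program Files\Acme\Ledger.exe' # constructed

# Weak setting: the feature is off entirely.
#   Set-MpPreference -EnableControlledFolderAccess Disabled
# Corrected, in two steps. AuditMode blocks nothing but logs every write
# that would have been blocked, so legitimate scripts and backup agents
# can be allow-listed before switching to Enabled.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# The folder to protect and the one application allowed to modify it.
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp

# Show the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 ControlledFolderAccessAllowedApplications

function Get-ControlledFolderEvents {
    param([int]$Days = 7)
    # Defender writes event 1123 (blocked) and 1124 (audited) to its
    # Operational log when an untrusted process touches a protected folder.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Summary = ($_.Message -split "`n")[0]
        }
    }
}

# After a period in audit mode, anything listed here that is legitimate goes
# into the allowed-applications list, then enforcement is turned on:
#   Set-MpPreference -EnableControlledFolderAccess Enabled
Get-ControlledFolderEvents | Format-Table -AutoSize
```

Allowed applications are matched by full path, so a script interpreter should not be added wholesale; instead, give the specific tool that needs write access its own entry.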

Cloud-Based Protection

This provides additional malware protection by sending information about suspicious files to Microsoft’s servers and asking if they are safe to run. When automatic sample submission is enabled, it may send the files in question to Microsoft, but you can also submit samples manually. This feature will only upload executables automatically. Non-executable files such as documents (even with macros) will not be uploaded and analyzed. Enabling these features greatly increases the effectiveness of real-time protection. However, even though it will not upload personal documents, it may still raise privacy-related concerns.
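Real-time protection and cloud-based protection are both plain preferences, so they can be audited and corrected in one pass. The added example below (not code from the original article) lists each setting next to its desired state, shows the weak values for reference, and applies the corrected ones. The choice of SendSafeSamples over SendAllSamples reflects the privacy concern raised above and is an assumption about your requirements; the script needs an elevated session.

```powershell
# Added example (not from the original article): audit and correct the
# real-time and cloud-based protection settings. Requires an elevated session.
# The sample-submission level chosen below is an assumption.

function Test-DefenderProtectionSettings {
    # One row per setting: current value and whether it is in the desired state.
    $p = Get-MpPreference
    $rows = @(
        # Real-time monitoring must not be disabled.
        @{ Setting = 'RealTimeProtection'
           Value   = $p.DisableRealtimeMonitoring
           Ok      = ($p.DisableRealtimeMonitoring -eq $false) },
        # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
        # Cloud lookups need Basic or Advanced.
        @{ Setting = 'CloudProtection (MAPSReporting)'
           Value   = $p.MAPSReporting
           Ok      = ($p.MAPSReporting -ge 1) },
        # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples,
        # 2 = NeverSend, 3 = SendAllSamples. Automatic submission needs 1 or 3.
        @{ Setting = 'AutomaticSampleSubmission'
           Value   = $p.SubmitSamplesConsent
           Ok      = (@(1, 3) -contains $p.SubmitSamplesConsent) }
    )
    $rows | ForEach-Object { [pscustomobject]$_ }
}

function Repair-DefenderProtectionSettings {
    # Weak settings, for reference:
    #   Set-MpPreference -DisableRealtimeMonitoring $true
    #   Set-MpPreference -MAPSReporting Disabled
    #   Set-MpPreference -SubmitSamplesConsent NeverSend
    # Corrected settings:
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -MAPSReporting Advanced
    # SendSafeSamples uploads executables automatically but holds back files
    # that may contain personal data; SendAllSamples does not make that
    # distinction, which is where the privacy concern comes from.
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
}

$before = Test-DefenderProtectionSettings
if ($before.Ok -contains $false) {
    Repair-DefenderProtectionSettings
}
Test-DefenderProtectionSettings | Format-Table -AutoSize
```

When tamper protection is on, Set-MpPreference cannot turn real-time monitoring off, but it can still turn it on; the audit half of the script works without elevation, the repair half does not.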

Exclusions
Sometimes, Windows Defender may remove files that are not malware per se and that you may wish to keep. For example, cryptocurrency mining software and memory editors are regularly detected as either malware or PUPs (Potentially Unwanted Programs). This happens for a good reason, as these types of software are often used as part of malware. However, there might be legitimate reasons to run this type of software. To allow this, it is possible to set up exclusions in Windows Defender for files, folders, file types, and processes that you know are safe.

Exclusions are also sometimes used to prevent real-time protection from hogging resources. For example, programmers often exclude their development folders as there is no reason to scan their software every time they test it.
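Because an exclusion is precisely where neither scans nor real-time protection will look, the list deserves a periodic review. The added example below (not code from the original article) reads the path, extension and process exclusions and flags those that are broader than a development folder should be. The patterns it treats as risky and the sample development path are assumptions; it is read-only apart from the commented Add/Remove lines and needs an elevated session to see the full list.

```powershell
# Added example (not from the original article): list Defender exclusions and
# flag ones that are broader than intended. Read-only unless the commented
# Add/Remove lines are run. The risk patterns below are assumptions.

function Get-RiskyDefenderExclusions {
    $p = Get-MpPreference
    $findings = @()

    foreach ($path in @($p.ExclusionPath)) {
        if (-not $path) { continue }
        # A drive root, a profile tree or a user-writable temp folder excluded
        # in full means anything dropped there is never scanned.
        if ($path -match '^[A-Za-z]:\\?$' -or
            $path -match '\\(Users|Temp|Downloads|ProgramData)\\?$' -or
            $path -match '^%(TEMP|TMP|USERPROFILE|PUBLIC)%') {
            $findings += [pscustomobject]@{
                Kind = 'Path'; Value = $path
                Reason = 'Excludes a broad or user-writable location'
            }
        }
    }

    foreach ($ext in @($p.ExclusionExtension)) {
        if (-not $ext) { continue }
        # Excluding executable or script types by extension defeats scanning
        # for exactly the files most likely to carry malware.
        if ($ext -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd|scr|com|msi|hta)$') {
            $findings += [pscustomobject]@{
                Kind = 'Extension'; Value = $ext
                Reason = 'Executable or script type excluded'
            }
        }
    }

    foreach ($proc in @($p.ExclusionProcess)) {
        if (-not $proc) { continue }
        # A process exclusion skips every file that process opens, and a bare
        # file name (no full path) matches any binary with that name.
        if ($proc -notmatch '\\' -or
            $proc -match '(powershell|cmd|wscript|cscript|rundll32|mshta)\.exe$') {
            $findings += [pscustomobject]@{
                Kind = 'Process'; Value = $proc
                Reason = 'Unqualified name or interpreter excluded'
            }
        }
    }
    return $findings
}

# The narrow form of the developer exclusion mentioned above: a specific
# build-output folder (constructed path), added by full path and removed
# again when it is no longer needed.
#   Add-MpPreference    -ExclusionPath 'C:\src\myapp\bin'
#   Remove-MpPreference -ExclusionPath 'C:\src\myapp\bin'

Get-RiskyDefenderExclusions | Format-Table -AutoSize
```

An empty result means no exclusion matched the patterns, not that every remaining exclusion is justified; the full list is worth reading alongside it.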

Limitations
While Microsoft Defender is a great anti-malware solution, it does have its limitations. One example is its lack of sophisticated response capabilities. Once malware is found, you can choose to remove it, quarantine it, or exclude it, but it does not provide advanced incident reporting or send any notifications about suspicious behavior.
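The detections themselves are available locally even though Defender does not report them onward, so a scheduled task can collect them and hand them to whatever alerting you already have. The added example below (not code from the original article) builds one record per recent detection from the Defender cmdlets; the forwarding step is left as a commented stub because it depends on your environment, and the 24-hour window is an assumption.

```powershell
# Added example (not from the original article): collect recent Defender
# detections as structured records suitable for forwarding to an alerting
# system. Read-only. The time window is an assumption.

function Get-RecentDefenderDetections {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Get-MpThreatDetection lists each detection event; Get-MpThreat resolves
    # the numeric threat ID to a name, severity and category.
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID
            [pscustomobject]@{
                Time       = $_.InitialDetectionTime
                Threat     = $threat.ThreatName
                SeverityID = $threat.SeverityID        # higher means more severe
                Resources  = (@($_.Resources) -join '; ')
                Process    = $_.ProcessName
                User       = $_.DomainUser
                ActionID   = $_.CleaningActionID       # remediation Defender applied
                Succeeded  = $_.ActionSuccess
            }
        }
}

$detections = Get-RecentDefenderDetections
if ($detections) {
    # Forwarding stub (assumption): replace with your own transport, for
    # example a webhook or a SIEM agent's input, e.g.
    #   $detections | ConvertTo-Json -Depth 3 | Out-File "$env:ProgramData\defender-alerts.json"
    $detections | Format-Table -AutoSize
}
```

Run under a scheduled task, this turns the quiet local quarantine the article describes into a record an analyst actually sees; Get-MpThreatDetection is cumulative, so the time filter keeps repeated runs from re-reporting old events.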