Skip to main content
Microsoft Security

Why Windows Defender Antivirus is the most deployed in the enterprise

Statistics about the success and sophistication of malware can be daunting. The following figure is no different: Approximately 96% of all malware is polymorphic – meaning that it is only experienced by a single user and device before it is replaced with yet another malware variant. This is because in most cases malware is caught nearly as fast as it’s created, so malware creators continually evolve to try and stay ahead. Data like this hammer home how important it is to have security solutions in place that are as agile and innovative as the attacks.

The type of security solution needed has a complex job: It must protect users from hundreds of thousands of new threats every day – and then it must learn and grow to stay ahead of the next wave of attacks. The solution cannot just react to the latest threats; it must be able to predict and prevent malware infections.

Over the last year, we’ve talked about how we’re investing in new innovations to address this challenging threat landscape, what we’ve delivered, and how it will change the dynamics. Today, I want to share the results of our new antivirus capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) which are genuinely incredible because they will directly benefit the work you are doing.

Currently, our antivirus capabilities on Windows 10 are repeatedly earning top scores on independent tests, often outperforming the competition. This performance is the result of a complete redesign of our security solution.

What’s more, this same technology is available for our Windows 7 customers as well, so that they can remain secure during their transition to Windows 10.

It started back in 2015

We’ve been working to make our antivirus capabilities increasingly more effective, and in 2015 our results in two major independent tests (AV-Comparatives and AV-TEST) began to improve dramatically. As you can see in the chart below, beginning in March 2015 our scores on AV-TEST began to rise rapidly, and, over the course of the next five months, we moved from scores averaging 85% on their Prevalence Test to (or near) 100%.  Since then, we’ve maintained those types of scores consistently.  Our scores on AV-Comparatives experienced a very similar spike, trajectory, and results.

Our scores on AV-Comparatives experienced a very similar spike, trajectory, and results.

In December 2017, we reached another milestone on AV-TEST, where we achieved a perfect score across both the Prevalence and Real-World based tests. Previously we had only scored a perfect 100% on one of the two tests for a given month. The following chart from the AV-TEST site shows our scores from November and December 2017 on Windows 7. These same scores are also applicable to Windows 10, which shares the same technology (and more).

These same scores are also applicable to Windows 10, which shares the same technology (and more).

For AV-Comparatives, we recently achieved another important quality milestone:  For five consecutive months we detected all malware samples.  Our previous best was four consecutive months. The AV-Comparatives chart below shows our February 2018 results where we scored a perfect 100% block rate.

February 2018 results where we scored a perfect 100% block rate.February 2018 results where we scored a perfect 100% block rate.

While independent antivirus tests are one indicator of a security solution’s capabilities and protections, it’s important to understand that this is only one part of a complete quality assessment.

For example, in the case of Windows Defender ATP (which integrates our antivirus capabilities and the whole Windows security stack), our customers have a much larger set of protection features – none of which are factored into the tests.  These features provide additional layers of protection that help prevent malware from getting onto devices in the first place. These features include the following:

If organizations like AV-Comparatives and AV-TEST performed complete security stack tests (i.e., testing against the complete endpoint protection solution) the results would often tell a very different story. For example, in November, we scored a 98.9% based on a single file miss on the Real-World test. The good news, however, is that we would have scored 100% if either Windows Defender Application Guard or Application Control was enabled.

In November, we scored a 98.9% based on a single file miss on the Real-World test.

Read: Adding transparency and context into industry AV test results

How did we achieve these results?

The short answer is that we completely redesigned our antivirus solutions for both Windows 7 and Windows 10 from the ground up.

To do this, we moved away from using a static signature-based engine that couldn’t scale due to its dependence on constant input from researchers. We’ve now moved to a model that uses predictive technologies, machine learning, applied science, and artificial intelligence to detect and stop malware at first sight.  We described the use of these technologies in our recent posts on Emotet and BadRabbit, as well as the recent Dofoil outbreak.  These are the types of approaches that can be very successful against the ongoing avalanche of malware threats.

Because of these changes, our antivirus solution can now block malware using local and cloud-based machine learning models, combined with behavior, heuristic, and generic-based detections on the client. We can block nearly all of it at first sight and in milliseconds!

This is incredible.

Our antivirus solution can now block malware using local and cloud-based machine learning models.

We’ve also designed our antivirus solution to work in both online and offline scenarios.  When connected to the cloud, it’s fed real-time intelligence from the Intelligent Security Graph.  For offline scenarios, the latest dynamic intelligence from the Graph is provisioned to the endpoint regularly throughout the day.

We’ve also built our solution to defend against the new wave of fileless attacks, like Petya and WannaCry.  To read more about how we protect against these attacks, check out the blog post “Now you see me: Exposing fileless malware.”

What this means to you

Each of these milestones is great, but the thing that makes us the most excited here at Microsoft is very simple:  Customer adoption.

Right now, we are seeing big growth in enterprise environments our across all of our platforms:

These are awesome numbers and proof that customers trust Windows security.  What we are seeing is that as organizations are moving to Windows 10 they are also moving to our antivirus as their preferred solution.  With our antivirus solution being used on more than 50% percent of the Windows 10 PCs deployed in commercial organizations, it is now the most commonly used antivirus solution in commercial organizations on that platform.  This usage is in commercial customers of all sizes – from small and medium-sized businesses to the largest enterprise organizations.

Over the past couple of months I’ve shared this data with multiple customers, and often I’m asked why we’ve seen such a positive increase. The answer is simple:

  1. Our antivirus capabilities are a fantastic solution! The test results above really speak for themselves. With five months of top scores that beat some of our biggest competitors, you can be confident that our solution can protect you from the most advanced threats.
  2. Our solution is both easier and operationally cheaper to maintain than others. Most enterprise customers use Config Manager for PC management of Windows 7 and Windows 10 security features, including antivirus. With Windows 10, the antivirus capabilities are built directly into the operating system and there’s nothing to deploy. Windows 7 didn’t include antivirus capabilities by default, but it can be deployed and configured in Config Manager. Now organizations do not have to maintain two infrastructures – one for PC management and another for antivirus.  Several years ago, our Microsoft IT department retired the separate global infrastructure that was used to manage Microsoft’s antivirus solution – and now you can too! With our solution there’s less to maintain and secure.
  3. Our solution enables IT to be more agile. On Windows 10 there’s no agent – security is built into the platform.  When a new update of Windows 10 is released, you don’t need to wait for a 3rd party to certify and support it; instead, you have full support and compatibility on day one. This means that new releases of Windows and all the latest security technologies can be deployed faster.  This allows you to get current, stay current, and be more secure.
  4. Our solution offers a better user experience.  It’s designed to work behind the scenes in a way that is unobtrusive to end users and minimizes power consumption. This means longer battery life – and everyone wants more battery life!

While we’ve made excellent progress with our antivirus solution, I’m even more excited about the protection and management capabilities we will deliver to our customers in the near future. In the meantime, one of the best ways to evaluate our antivirus capabilities is when you run it with Windows Defender ATP. With Windows Defender ATP, the power of the Windows security stack provides preventative protection, detects attacks and zero-day exploits, and gives you centralized management for your end-to-end security lifecycle.

Sign up to try Windows Defender ATP for yourself!

Related blog posts:

March-April 2018 test results: More insights into industry AV tests

Adding transparency and context into industry AV test results

Machine learning vs. social engineering


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.