The virus and threat protection page of the Windows Security app is designed to help you safeguard your device against various threats such as viruses, malware, and ransomware. The page provides access to several features and settings to ensure comprehensive protection, and it's divided in the following sections:
-
Current threats: This section displays any threats currently found on your device, the last time a scan was run, how long it took, and how many files were scanned. You can also start a new quick scan or choose from other scan options for a more extensive or custom scan
-
Virus & threat protection settings: In this section you can manage settings for Microsoft Defender Antivirus and third-party antivirus products
-
Virus & threat protection updates: This section is dedicated to ensuring that your device is protected with the latest security intelligence updates
-
Ransomware protection: In this section you can configure Controlled folder access, which prevents unknown apps from changing files in protected folders. It also offers options to configure OneDrive to help you recover from a ransomware attack
To access the virus and threat protection page, open the Windows Security app on your Windows device and select Virus & threat protection, or use the following shortcut:
Current threats
Under Current threats you can:
-
See any threats currently found on your device
-
See the last time a scan was run on your device, how long it took, and how many files were scanned
-
Start a new quick scan or go open Scan options to run a more extensive or custom scan
-
See threats that have been quarantined before they can affect you and anything identified as a threat that you have allowed to run on your device
Even though Windows Security is turned on and scans your device automatically, you can perform an additional scan whenever you want.
-
Quick scan: This option is useful when you don’t want to spend the time running a full scan on all your files and folders. If Windows Security recommends that you run one of the other types of scans, you'll be notified when the quick scan is done
-
Full scan: Scans every file and program on your device
-
Custom scan: Scans only files and folders that you select
-
Microsoft Defender Antivirus (offline scan): Uses the latest definitions to scan your device for the latest threats. This happens after a restart, without loading Windows, so any persistent malware has a more difficult time hiding or defending itself. Run it when you are concerned that your device has been exposed to malware or a virus, or if you want to scan your device without being connected to the Internet. This will restart your device, so be sure to save files you may have open. Microsoft Defender Offline will load and perform a quick scan of your PC in the Windows Recovery Environment. When the scan completes, your PC automatically restarts
Note: To see the results of the offline scan, open the Windows Security app on your Windows device and select Protection history.
To see the results of the offline scan, open the Windows Security app on your Windows device and select Protection history
The Allowed threats page shows a list of items that Windows Security has identified as threats, but that you have chosen to allow. Windows Security won't take any actions against threats you've allowed.
If you have accidentally allowed a threat and want to remove it, select it from the list, then select the Don't allow button. The threat will be removed from the list and Windows Security will once again act on it the next time it sees this threat.
Virus & threat protection settings
Use Virus & threat protection settings when you want to customize your level of protection, send sample files to Microsoft, exclude trusted files and folders from repeated scanning, or temporarily turn off your protection.
In the Windows Security app on your Windows device, select Virus & threat protection > Manage settings or use the following shortcut:
Virus & threat protection settings
Real-time protection is a feature in the Windows Security app that continuously monitors your device for potential threats such as viruses, malware, and spyware. This feature ensures that your device is actively protected by scanning files and programs as they are accessed or executed. If any suspicious activity is detected, real-time protection will alert you and take appropriate action to prevent the threat from causing harm.
You can use the Real-time protection setting to turn it off temporarily; however, real-time protection will turn back on automatically after a short while to resume protecting your device. While real-time protection is off, files you open or download won’t be scanned for threats. Keep in mind that if you do, your device might be vulnerable to threats and that scheduled scans will continue to run. However, files that are downloaded or installed won't be scanned until the next scheduled scan.
You can turn Real-time protection On or Off using the toggle button.
Notes:
-
If you just want to exclude a single file or folder from antivirus scanning, you can do that by adding an exclusion. This is safer than turning the entire antivirus protection off
-
If you install a compatible non-Microsoft antivirus program Microsoft Defender antivirus will automatically turn itself off
-
If tamper protection is turned on, you'll need to turn it off before you can turn Real-time protection off
Note: Dev Drive protection is not available on Windows 10.
Dev Drive Protection provides a secure and isolated space for developers to store and work on their code, ensuring that their development environment is protected from potential threats and vulnerabilities.
Dev Drive Protection includes a performance mode that scans the Dev Drive asynchronously. This means that security scans are deferred until after the file operation has completed, rather than being performed synchronously while the file operation is being processed. This asynchronous scanning mode provides a balance between threat protection and performance, ensuring that developers can work efficiently without experiencing significant delays due to security scans.
-
You can turn Dev Drive protection On or Off using the toggle button
-
Select See volumes to review the list of volumes that have Dev Drive protection enabled
To learn more, see Protect Dev Drive using performance mode.
This setting allows Microsoft Defender to get constantly updated improvements from Microsoft while you're connected to the internet. This will result in more accurately identifying, stopping, and fixing threats.
If you’re connected to the cloud with cloud-delivered protection, you can have Defender automatically send suspicious files to Microsoft to check them for potential threats. Microsoft will notify you if you need to send additional files, and alert you if a requested file contains personal information so you can decide whether or not you want to send that file or not.
If you're concerned about a file and want to make sure it was submitted for evaluation you can select Submit a sample manually to send us any file you want.
Tamper protection is a feature that helps prevent malicious apps from changing important Microsoft Defender Antivirus settings. This includes settings such as real-time protection and cloud-delivered protection. By ensuring these settings remain unchanged, tamper protection helps maintain the integrity of your device's security configuration and prevents malicious apps from disabling critical security features.
If tamper protection is turned on and you're an administrator on your device, you can still change these settings in the Windows Security app. However, other apps can't change these settings.
You can turn tamper protection On or Off using the toggle button.
Note: Tamper protection doesn't affect how third-party antivirus apps work or how they register with Windows Security.
Use the Controlled folder access setting to manage which folders untrusted apps can make changes to. You can also add additional apps to the trusted list so they can make changes in those folders. This is a powerful tool to make your files safer from ransomware.
When you turn on Controlled folder access, many of the folders you use most often are protected by default. This means that content in any of these folders cannot be accessed or changed by any unknown or untrusted apps. If you add additional folders, they become protected as well.
By default, Microsoft Defender Antivirus runs in the background, scanning files and processes that you open or download looking for malware.
There might be instances when you have a particular file or process that you don't want scanned in real-time. When that occurs, you can add an exclusion for that file, file type, folder or process.
Caution: Adding an exclusion to Windows Security means that Microsoft Defender Antivirus will no longer check those types of files for threats, which could leave your device and data vulnerable. Make sure you really want to do this before you proceed.
Exclusions only apply to real-time scanning with Microsoft Defender Antivirus. Any scheduled scans with Microsoft Defender Antivirus, or third-party antimalware products, might still scan these files or processes.
To add an exclusion
-
Select Add or remove exclusions
-
Choose one of the four options depending upon the type of exclusion you're trying to add:
-
File: Excludes a specific file
-
Folder: Excludes a specific folder (and all of the files within that folder)
-
File type: Excludes all files of a specified type, such as .docx, or .pdf
-
Process: Adding an exclusion for a process means that any file opened by that process will be excluded from real-time scanning. These files will still be scanned by any on-demand or scheduled scans, unless a file or folder exclusion has also been created that exempts them
Tip: It's recommended that you use the full path and file name to exclude a specific process. This makes it less likely that malware could use the same filename as a trusted and excluded process and evade detection.
To remove an exclusion
Caution: Excluding a file or process from antivirus scanning can make your device or data more vulnerable. Be certain you want to do this before you proceed.
-
Select Add or remove exclusions
-
Select the exclusion that you want to remove and select Remove
Using wildcards or environment variables
You can use a wildcard "*" to substitute for any number of characters.
-
In file type exclusions: If you use an asterisk in the file extension it acts as a wildcard for any number of characters. "*st" will exclude .test, .past, .invest, and any other file types where the extension ends in a st
-
In process exclusions:
-
C:\MyProcess\* will exclude files opened by all processes, located in C:\MyProcess, or any subfolders of C:\MyProcess
-
test.* will exclude files opened by all processes named test, regardless of the file extension
-
You can use environment variables in your process exclusions as well. For example:
-
%ALLUSERSPROFILE%\CustomLogFiles\test.exe
This will exclude any files opened by C:\ProgramData\CustomLogFiles\test.exe. For a complete list of Windows environment variables see: Recognized Environment Variables.
Virus & threat protection updates
Security intelligence (sometimes referred to as definitions) are files that contain information about the latest threats that could infect your device. Windows Security uses security intelligence every time a scan is run.
Windows automatically downloads the latest security intelligence as part of Windows Update, but you can also manually check for it.
In the Windows Security app on your Windows device, select Virus & threat protection> Protection updates > Check for updates or use the following shortcut:
Check for updates
Ransomware protection
The Ransomware protection page in Windows Security has settings for both protecting against ransomware, and recovering if you happen to get attacked.
In the Windows Security app on your Windows device, select Virus & threat protection> Manage ransomware protection or use the following shortcut:
Controlled folder access is designed to protect your valuable data from malicious apps and threats, such as ransomware. This feature works by checking apps against a list of known, trusted apps and blocking unauthorized or unsafe apps from accessing or changing files in protected folders.
When Controlled folder access is enabled, it helps safeguard your data by:
-
Blocking unauthorized changes: Only trusted apps are allowed to make changes to files in protected folders. If an app is determined to be malicious or suspicious, it will be blocked from making any changes
-
Protecting important folders: By default, Controlled Folder Access protects common folders such as Documents, Pictures, Videos, Music, and Desktop. You can also add additional folders to be protected
-
Providing notifications: If an app is blocked from making changes, you will receive a notification, allowing you to take appropriate action
To add or remove protected folders, select Protected folders or use the following shortcut:
Protected folders
To add or remove an app through Controlled folder access, select Allow an app through Controlled folder access or use the following shortcut:
Allow an app through Controlled folder access
Caution: Be thoughtful about which apps you add. Any added apps will be able to access the files in the protected folders and if that app gets compromised the data in those folders could be at risk.
If you receive the message App is blocked when you try to use a familiar app, you can unblock using the following steps:
-
Take note of the path of the blocked app
-
Select the message, and then select Add an allowed app
-
Browse for the program to which you want to allow access
Note: If you try to save a file to a folder and the folder is blocked, that means the app you’re using is blocked from saving to that location. If that happens, save the file to another location on your device. Then use the previous steps to unblock the app, and you’ll be able to save the files to your desired location.
For more details about controlled folder access see Protect important folders with controlled folder access.
The Ransomware Data Recovery section is designed to help you recover your files in case of a ransomware attack. It provides several key functionalities to ensure that your data remains safe and can be restored if it gets encrypted or blocked by ransomware.
The Ransomware Data Recovery section is integrated with Microsoft OneDrive. This allows you to back up your important files to OneDrive, ensuring that you have a secure copy of your data that can be restored in case of a ransomware attack. If your files are affected by ransomware, the Windows Security app will guide you through the process of restoring your files from OneDrive. This helps you quickly recover your data without having to pay the ransom.
You will receive notifications and alerts if ransomware is detected or if there are any issues with your OneDrive backup. This ensures that you are always aware of the status of your data protection.