We review products independently, but we may earn commissions if you make a purchase using affiliate links on our website. Also note that we are not antivirus software; we only provide information about some products.

Independent product review · evidence checked July 14, 2026

Microsoft Defender Review 2026: Strong Free Baseline, Real Limits

Microsoft Defender Antivirus is no longer the placeholder product people remember from old Windows PCs. It now has credible top-tier lab results and zero subscription cost. The catch is that “Defender” names several different products, key ransomware controls need attention, and a paid suite can still make sense for a family or a higher-risk workflow.

AV-TEST April 2026: 18/18 AV-C real-world protection: 99.0% 0 false alarms in 400-case test Built into Windows: $0

Our verdict: Microsoft Defender Antivirus is enough for many careful people running a fully updated Windows 11 PC. It earned 18/18 in AV-TEST's April 2026 cycle and protected against 99.0% of AV-Comparatives' February–May real-world cases with zero false alarms. It isn't the complete security bundle sold by Norton or Bitdefender, and it can't rescue an unsupported Windows install, unsafe exclusions or stolen account sessions. Our current score is 8.9/10; that's one editorial assessment, not a reader aggregate.

Editorial rating8.9/10
Protection evidenceVery strong
Cost$0 in Windows
Best fitUpdated Windows 11 PC
Why Defender is a serious choice
  • Current results compete with leading paid antivirus products
  • No separate subscription, renewal jump or upgrade advertising
  • Deep Windows integration and automatic security-intelligence updates
  • Zero false alarms in the current 400-case real-world test
  • Steps back automatically when another registered antivirus takes over
Where the free baseline stops
  • No bundled VPN, password manager, identity restoration or antivirus support desk
  • Controlled Folder Access needs deliberate setup and can block safe apps
  • Windows Security spreads controls across several screens
  • Scan spikes can hurt developer, sync and gaming workflows
  • Windows 10 needs ESU and reaches its consumer ESU endpoint soon

Microsoft Defender Antivirus at a glance

Microsoft Defender Antivirus is the malware engine built into current Windows. The Windows Security app is the dashboard that exposes it alongside Windows Firewall, account protection, device security and app/browser controls. People still search for “Windows Defender,” but the antivirus itself is now called Microsoft Defender Antivirus. That naming distinction matters because Microsoft also sells or bundles enterprise Defender products and a separate consumer Microsoft Defender app through Microsoft 365.

For a normal Windows 11 PC, the built-in engine is active without an installer or separate account. It provides real-time file and process scanning, cloud-delivered protection, automatic sample submission, behavior monitoring, potentially unwanted app protection, scan history and a bootable Microsoft Defender Offline scan. Microsoft's Windows Security overview explains how the antivirus works beside Firewall and Smart App Control instead of turning every Windows security layer into one product.

The current evidence supports a positive verdict, but not the lazy claim that Defender is “perfect.” In AV-Comparatives' latest real-world cycle it stopped 396 of 400 cases, leaving four compromised systems. In the lab's separate malware-protection test, online protection reached 99.93% while offline detection was much lower at 89.2%. The cloud is part of the protection model; a disconnected machine doesn't receive the same result.

Plain-English answer: use Defender on an updated Windows 11 PC when you want strong core antivirus without another subscription. Add or replace it when a real need—family management, mixed operating systems, identity help, VPN, paid support or frequent risky downloads—justifies the extra product.

Microsoft Defender lab results in 2026

A responsible Defender review needs more than one perfect-looking badge. AV-TEST scores protection, performance and usability under its protocol. AV-Comparatives separates web-delivered real-world attacks, malware already on disk or removable storage, false alarms and performance. We keep those results separate because averaging them would create a number no lab published.

Independent testPeriod / buildDefender resultDecision value
AV-TEST Windows 11March–April 2026
Defender 4.18
6/6 protection
6/6 performance
6/6 usability
18/18 under current default-setting testing; protection was 100% in March and 99.9% in April.
AV-C Real-World ProtectionFebruary–May 2026
400 cases
99.0% protected
4 compromised
0 false alarms
Very good web-threat protection and the best false-alarm result in this cycle, but four cases still succeeded.
AV-C Malware ProtectionMarch 2026
10,000 cases
89.2% offline detection
98.1% online detection
99.93% online protection
3 false alarms
Cloud and later protection layers materially improved the outcome; don't describe the offline rate as final protection.
AV-C PerformanceApril 2026
Low-end Windows 11 PC
Total impact: 12.9
AV-C 80 / Procyon 97.1
Office benchmark score was excellent, but mixed task impact was behind the lightest group. This isn't a detection score.

What the zero false alarms result does—and doesn't—mean

Microsoft recorded no wrongly blocked clean files or domains in AV-Comparatives' 400-case real-world set. That's a meaningful usability win. It doesn't promise that every unsigned utility, game mod or in-house tool will run without a SmartScreen reputation warning. SmartScreen and Smart App Control use reputation and signing signals that are adjacent to the antivirus test, and niche software can still trigger friction.

Cloud dependence is part of the product

The gap between 89.2% offline detection and 99.93% online protection shows why turning off cloud-delivered protection or blocking Defender's update path weakens the product tested by the labs. This isn't unique to Microsoft; modern antivirus engines rely on cloud reputation and rapid intelligence. If a PC spends long periods isolated from the internet, test that unusual environment rather than borrowing the online score.

What Microsoft Defender costs—and what “Defender” isn't free

The built-in Microsoft Defender Antivirus is genuinely included with Windows. There's no 30-day trial, device renewal or paid malware-detection tier to unlock on that Windows PC. You don't need Microsoft 365 for the real-time antivirus shown in Windows Security.

Microsoft reuses the Defender brand for other products. The Microsoft Defender app included with Microsoft 365 Personal and Family adds a multi-device dashboard and, in supported markets, identity and credit monitoring. The current US Microsoft 365 plan page lists Personal at $99.99/year and Family at $129.99/year. Those subscriptions also buy Office apps and OneDrive; purchasing either plan only to obtain antivirus for one Windows PC is poor value.

ProductCurrent consumer costWhat it doesWhat not to assume
Microsoft Defender Antivirus$0, built into WindowsPrimary Windows malware engine reviewed on this page.It isn't the whole Windows Security dashboard and doesn't include a VPN or identity-restoration service.
Microsoft Defender appIncluded with Microsoft 365 Personal / FamilyCross-device security dashboard with platform-dependent malware, web and identity tools.iOS can't receive the same anti-malware scanning as Windows, Mac or Android.
Defender for Business / EndpointBusiness or enterprise licensingManaged endpoint detection, response and administration.Consumer Defender lab results don't prove an organization's configuration or response process.

The free engine's economic advantage is bigger than a first-year price comparison. Norton and Bitdefender can be good purchases, but they add renewal decisions and product accounts. Defender stays part of Windows. A paid suite has to justify itself through useful services and a better experience for your household, not a vague claim that free antivirus is automatically weak.

The Windows security layers that matter

Real-time, cloud-delivered and tamper protection

Real-time protection checks files and processes as they are opened or run. Cloud-delivered protection and automatic sample submission help Microsoft classify unfamiliar files quickly. Tamper Protection makes it harder for another program to change important Defender settings behind your back. Open Windows Security → Virus & threat protection → Manage settings and verify these controls instead of assuming an old “green check” reflects the current state.

Controlled Folder Access is useful, but not friction-free

Controlled Folder Access is Defender's focused ransomware control: untrusted apps can't change files in protected folders. It's powerful because it can stop encryption even when a file isn't yet labeled malware. It can also block a legitimate editor, backup utility or game from saving. Microsoft's current virus and threat protection guide explains the protected-folder and allow-app workflow. Enable it deliberately, test the programs that write to Documents/Desktop/Pictures and allow only the exact trusted executable that needs access.

SmartScreen and Smart App Control are separate reputation layers

Microsoft Defender SmartScreen evaluates websites and downloads, with the strongest native integration in Edge and Windows. Smart App Control is a Windows 11 app-execution layer that combines signing and cloud reputation; it works alongside antivirus rather than replacing it. There's currently no per-app bypass inside Smart App Control, so developers and users of unsigned niche software may find it too restrictive.

Older guides say Smart App Control can only be enabled after a clean install and can never be switched back on. Microsoft's current Smart App Control FAQ now says recent Windows updates may let an eligible device enable or re-enable it without reinstalling. Other Microsoft documentation still describes clean-install and regional prerequisites. Check App & browser control on the actual PC; don't reset Windows on the strength of an old tutorial.

Firewall, PUA blocking and Defender Offline

Windows Firewall filters network traffic but isn't the antivirus engine. Potentially unwanted app blocking helps with bundlers, adware and low-quality software that may not meet the malware definition. Microsoft Defender Offline restarts into a trusted scanning environment for threats that resist removal while Windows is running. None of these replaces a backup: ransomware protection can reduce risk, but a disconnected or versioned copy is what gives you a recovery path after encryption, deletion or account takeover.

A ten-minute Microsoft Defender security check

  1. Confirm the operating system is supported. Install Windows Update and restart. Windows 10 users must verify consumer ESU enrollment or move to Windows 11; an antivirus can't patch an unsupported OS.
  2. Open Windows Security. Resolve red or yellow warnings rather than relying on the taskbar icon alone.
  3. Check protection updates. Virus & threat protection → Protection updates → Check for updates shows the security-intelligence state.
  4. Verify core switches. Keep real-time protection, cloud-delivered protection, automatic sample submission and Tamper Protection enabled unless a documented managed policy says otherwise.
  5. Review ransomware protection. Turn on Controlled Folder Access only when you can test required applications and respond to a blocked-app notification.
  6. Review App & browser control. Confirm reputation-based protection and inspect Smart App Control's actual state on Windows 11.
  7. Run the right scan. Quick scan is the routine check; use Full scan for a broad review, Custom for a specific target and Offline scan when persistent malware is suspected.
  8. Audit exclusions. Remove broad exclusions you can't justify. Never exclude Downloads, the entire user profile, a whole drive, PowerShell or `MsMpEng.exe` to chase performance.
  9. Test recovery. Restore one file from the backup you expect to save you. OneDrive sync isn't automatically the same as an offline backup.
  10. Protect the account. Use unique passwords, MFA/passkeys and current recovery details. Antivirus can't reverse a stolen browser session or recover an account after its security information is replaced.
Why updates are part of this review: several Microsoft Defender vulnerabilities were added to exploited-vulnerability tracking in 2026, including CVE-2026-33825, CVE-2026-41091 and CVE-2026-45498. Microsoft distributed fixes through Windows and Defender platform/engine updates. The lesson isn't to disable antivirus; it's to keep the security tool itself patched and verify updates after a long-offline PC comes back.

Performance: light at idle, capable of visible scan spikes

AV-TEST gave Defender 6/6 for performance in April. AV-Comparatives provides more texture: its April low-end test recorded a Procyon Office score of 97.1, close to the no-security baseline of 100, but the combined task score produced a total impact of 12.9. McAfee, Kaspersky, ESET, Trend Micro, Norton, Avast and AVG posted lower impact numbers in that cycle. “Built in” doesn't guarantee the lightest result in every workload.

A recovered June editorial log used a mid-range i5-12450H notebook with 16 GB DDR5 and NVMe storage. It recorded about 95–180 MB for the main Defender/security services at idle, a 28–38% CPU peak during a full scan, roughly 21 minutes to scan 280 GB and a 1–2 second boot difference. The log lists Windows 10 22H2 with a Windows 11 24H2 cross-check. These are one rig's observations, not a promise for your CPU, storage, file count or current build.

Why `MsMpEng.exe` suddenly consumes CPU

The Antimalware Service Executable often spikes after a large set of files changes: a new game library, a cloned repository, dependency install, virtual-machine image, Docker volume or cloud-sync event. Current Reddit support threads confirm that the complaint hasn't disappeared. The safe response is to identify the exact workload, let an initial scan finish, schedule heavy work away from active use and create the narrowest possible exclusion only when the risk is understood.

Microsoft explicitly warns that exclusions stop Defender from checking the excluded file, folder, type or process. Excluding `node_modules` may be tempting, but install scripts can execute code there. Excluding a whole Steam library can hide a malicious mod. Excluding `MsMpEng.exe` or Defender's own folder isn't an optimization; it attacks the protection boundary. If the system remains unusable, compare a reputable alternative on the same workload rather than hollowing out Defender.

What happens when you install Norton, Bitdefender or another antivirus

Windows Security Center registers the active security provider. When a maintained non-Microsoft antivirus takes over, Defender's real-time capabilities are disabled or placed in passive mode so two kernel-level engines don't compete over the same file. If the third-party product is removed, Windows can reactivate Defender. The Microsoft compatibility documentation is the better reference than a registry-hack tutorial.

Limited Periodic Scanning is a separate optional mode that lets Defender perform occasional scans while another antivirus is active. It's a second opinion with limited scope, not two complete real-time engines working together. Don't force real-time Defender back on through unsupported changes and assume more scanners always means more protection; driver conflicts, duplicate scans and competing quarantine actions can reduce reliability.

Reasonable free pairing

Defender as the only real-time engine plus a reputable on-demand scanner such as Malwarebytes Free for a manual second opinion. Confirm the second tool hasn't enabled a trial real-time layer.

Avoid this setup

Two paid products both forced into real-time mode, broad mutual exclusions and the belief that either tool will repair an unsupported or already-compromised operating system.

Windows 11, Windows 10 ESU and the mobile Defender app

Windows 11 is the clean recommendation

The consumer lab results on this page were produced on current Windows 11. A fully updated Windows 11 device can combine Defender Antivirus with supported hardware protections, SmartScreen, Smart App Control where available, Memory Integrity and modern servicing. Exact availability still depends on the device, edition, policy and regional rollout.

Windows 10 is now a transition case

Normal Windows 10 support ended October 14, 2025. Microsoft's consumer ESU program supplies critical and important security updates to enrolled Windows 10 22H2 PCs only through October 13, 2026; it doesn't restore feature updates or normal technical support. Defender running on a non-enrolled Windows 10 PC isn't a substitute for missing OS security patches. Plan the Windows 11 move or a supported replacement now.

Microsoft Defender for Individuals is a different subscription app

The Microsoft 365 Defender app can be installed on Windows, macOS, Android and iOS. Current Microsoft support says its anti-malware protection is available on Windows, Mac and Android. iOS doesn't allow the same device-wide malware scan; its value is web, privacy, identity and dashboard features. Identity and credit monitoring are tied to region and eligibility, so a non-US buyer should verify the exact services before treating Microsoft 365 as an identity-security purchase.

If you already buy Microsoft 365 for Office and OneDrive, the Defender app is a useful included dashboard. If you want one security subscription solely for a mixed Windows/Mac/phone household, compare it with Bitdefender or Norton: their consumer bundles were designed around that job, while Microsoft's strongest consumer antivirus value remains the free engine inside Windows.

What current users praise—and where they still distrust Defender

Current community evidence is consistent on one point: Defender's reputation lags behind its lab results. A January 2026 r/techsupport discussion about dropping Bitdefender received broad “Defender is sufficient on an updated home PC” answers. Similar Windows 11 threads frame paid antivirus as a purchase for support and extra services. That's a real change from the 2018 advice to install almost anything else.

The dissent matters. A July 2026 r/antivirus thread about scanning unknown, old games split between users who trust current Defender and users who consider that download behavior too risky for the default stack. That's the right dividing line: lab results describe defined test sets, not permission to run abandoned executables from file lockers. Someone who routinely tests untrusted software needs isolation, backups, disposable virtual machines and stronger operational discipline—not merely another consumer badge.

Performance complaints also persist. Developers and gamers still report `MsMpEng.exe` spikes, while others object to scattered settings and a thin activity log. We use those reports as a trial checklist, not a detection statistic. No named-user quote or one-off infection story is evidence that Defender always works or always fails.

Community takeaway: “Defender is enough” assumes supported Windows, active updates, normal download behavior, tested backups and account security. Remove those conditions and the answer can change without the antivirus engine changing at all.

Who should use Microsoft Defender—and who should pay for more

Stay with Defender if
  • You run one or two fully updated Windows 11 PCs
  • You already have a password manager, MFA and tested backups
  • You don't need a bundled VPN, identity restoration or parental dashboard
  • You want no separate renewal or vendor account
  • You can inspect Windows Security and respond to a blocked app safely
Consider another product if
  • You manage Windows, Mac, Android and iPhone users together
  • A less technical relative needs one clearer cross-device console and paid help
  • You want VPN, cloud backup, family controls or identity services in one bill
  • Your work repeatedly triggers Defender scans and careful tuning doesn't fix it
  • You intentionally handle high-risk files and have a tested isolation workflow

Businesses shouldn't make this choice from a consumer review. Defender for Endpoint, centralized policy, EDR telemetry, incident response, identity controls and staff behavior change the product and the risk model. An 18/18 home-user score doesn't prove a small company's unmanaged PCs are secure.

Microsoft Defender vs Bitdefender, Norton, ESET and Malwarebytes

OptionChoose it forMain trade-off against DefenderRead next
Microsoft DefenderStrong no-cost Windows 11 baseline with no separate renewal.Scattered controls; no complete VPN/family/identity/support bundle.Is Defender good enough?
Bitdefender Total SecurityCross-platform paid protection, Safepay and richer security controls.Subscription management, plan differences and a 200 MB/day VPN in Total Security.Bitdefender review
Norton 360 DeluxeVPN, password manager, parental controls and 50 GB Windows backup for five devices.$49.99 first year rises to $124.99 renewal; current users report persistent upsells.Norton review
ESET HOME SecurityGranular controls and a quieter security-first experience.Paid plan without Norton's breadth of bundled services.ESET review
Malwarebytes FreeManual second-opinion scans beside Defender's real-time engine.Free tier isn't the primary real-time replacement; avoid silently activating two real-time trials.Malwarebytes review

Don't buy a suite only because its marketing says “advanced protection.” Ask what specific problem it solves. A paid VPN may be worse than the one you already use. A bundled password manager may create migration work without improving unique-password habits. Identity monitoring may be unavailable in your country. Defender sets a high free baseline, so extras must earn their price.

Frequently asked questions about Microsoft Defender

Is Microsoft Defender enough in 2026?

Yes for many careful users on a fully updated Windows 11 PC. Defender earned 18/18 in AV-TEST's April 2026 cycle and 99.0% protection with zero false alarms in AV-Comparatives' February–May real-world test. Consider a paid suite for cross-platform family management, identity services, VPN, backup, paid support or a higher-risk workflow.

Is Windows Security the same as Microsoft Defender Antivirus?

No. Microsoft Defender Antivirus is the malware engine. Windows Security is the dashboard that exposes Defender plus Windows Firewall, account protection, device security and app/browser controls. SmartScreen and Smart App Control are related Windows layers, not alternative names for the antivirus engine.

Does Microsoft Defender protect against ransomware?

Defender uses real-time, behavioral and cloud protection against ransomware. Controlled Folder Access adds a focused layer that blocks untrusted apps from changing protected folders, but you must configure and test it because it can block legitimate software. Keep a separate tested backup; no antivirus guarantees recovery.

Should I use Malwarebytes Free with Defender?

It can be a reasonable manual second-opinion scanner while Defender remains the only real-time engine. Check that Malwarebytes hasn't enabled a Premium trial or real-time layer without your intent. Two complete real-time antivirus engines shouldn't be forced to run together.

What happens to Defender when I install Norton or Bitdefender?

Windows registers the third-party antivirus as the active provider and disables or places Defender's real-time capabilities in passive mode. Limited Periodic Scanning can provide occasional Defender scans, but it isn't a second complete real-time engine. If the other product is removed, Windows can reactivate Defender.

Why is `MsMpEng.exe` using so much CPU?

Defender may spike while scanning a large set of new or changed files such as a game library, repository, dependency folder, VM image or cloud sync. Let the first scan finish, identify the exact workload and use only narrow, risk-reviewed exclusions. Never exclude Downloads, a whole drive, Defender itself or broad script locations to improve speed.

Is Defender safe to use on Windows 10 in 2026?

Only as part of a supported system. Normal Windows 10 support ended October 14, 2025. Enrolled Windows 10 22H2 consumer PCs can receive critical and important ESU security updates through October 13, 2026. Defender can't replace missing operating-system patches, so plan a supported Windows 11 PC or another supported platform.

Is Microsoft Defender free on Mac, Android and iPhone?

The built-in free antivirus reviewed here is a Windows product. The separate Microsoft Defender app for Mac, Android and iOS is included with Microsoft 365 Personal or Family. Current Microsoft documentation lists anti-malware on Windows, Mac and Android; iOS receives different web, privacy, identity and dashboard functions because device-wide malware scanning is restricted.

Final verdict: the free baseline paid antivirus must beat

Microsoft Defender Antivirus is a strong recommendation for a supported, updated Windows 11 PC. The current record is concrete: 18/18 at AV-TEST, 99.0% protection and zero false alarms in AV-Comparatives' real-world cycle, 99.93% online protection in the malware test and a respectable—though not leading—12.9 impact score. There's no separate subscription to cancel.

The conditions belong in the verdict. Defender's cloud layer and updates must work. Controlled Folder Access needs careful setup. Windows 10 needs ESU and reaches its consumer deadline on October 13, 2026. A family with Macs and phones, a person who wants a VPN/identity/support bundle, or someone handling untrusted executables may be better served by a paid suite plus better operational controls.

Bottom line: keep Defender when you need antivirus on an updated Windows PC and already handle backups, passwords, MFA and safe downloads. Pay for Bitdefender, Norton or ESET when you can name the bundle or workflow advantage. Don't pay merely to replace a “basic” engine—the 2026 evidence no longer supports that description.