Is Windows’ built-in Defender Antivirus good enough for business?

Microsoft Defender is an entire ecosystem of personal and business security products, but here we’re concentrating on the most familiar version. That is, the antivirus protection built into both Home and Professional versions of Windows 10 and 11.

The big question is whether users (and IT managers) can stick with Microsoft’s built-in antivirus, or whether they should invest in a dedicated business tool.

How effective is Defender against malware?

The malware detection engine is the same across all versions of Defender. So whether you’re using the protection built into Windows 10 Home or paying for a dedicated endpoint protection version, the core virus detection features remain the same. That makes sense. With the exception of targeted phishing and ransomware attacks, threats remain consistent whether your PC is at home or at work.

To see how well Defender protects against malware, we turn to the experts in this field. AV-Comparatives, AV-TEST, and SE Labs have included Defender in their tests for years. While it performed poorly at first, for the past six years Microsoft Defender has achieved protection scores that match (give or take) its paid-for rivals.

It’s worth noting that, in the main, these are consumer antivirus tests. However, the companies also run enterprise-focused tests that make for interesting reading.

AV-TEST appears to use the standard, integrated version of Defender in its regular business antivirus tests. We say “appears”, as AV-TEST doesn’t state (and wouldn’t confirm) whether it enables any of Microsoft’s endpoint protection management tools.

Microsoft confirms that the labs’ focus on testing Microsoft Defender Antivirus means that not all additional features of the company’s full paid-for endpoint security solutions are brought into play. As such, those labs’ business tests are also a useful tool for evaluating Defender’s standalone anti-malware capabilities.

Since 2017, Defender has invariably achieved either a top Outstanding protection score of 6/6 or just below at 5.5/6 from AV-TEST.

In summary, Microsoft Defender performs consistently well in tests and has outclassed its paid-for rivals on a number of occasions. So is Microsoft Defender effective against malware? That’s a simple “yes”.

Can Windows Defender protect my laptop?

Next question. Can you just leave the built-in version of Defender running on a business-critical laptop and be reasonably confident that you won’t fall victim to every virus going?

Again, the answer is yes. But with the usual caveat that the best antivirus solution in the world can’t protect you against wilfully reckless behaviour.

That means users must remember to take regular backups. They must use a password manager to generate strong, unique passwords for everything.

You need to enforce multi-factor authentication where available. And you should configure networking settings to be suitably wary when users connect to an unfamiliar network.

You should also take advantage of Defender’s ransomware protection. This monitors critical directories for changes and uses OneDrive to retain version-controlled copies of your most important files.

Microsoft’s Edge browser includes even more protections, which are designed to integrate closely with Windows’ defences. Specifically, it protects against phishing attacks, one of the most common vectors for malware delivery and data theft in business environments.

What about email?

You can’t use the Windows Security Centre to configure granular email threat scanning. However, Microsoft Defender SmartScreen will protect and warn you against known malicious downloads and unsafe websites. It also scans downloads for threats, regardless of what browser or email client you’re using.

If your business email service comes from a major provider such as Gmail for Google Workspace or Outlook for Microsoft 365, you’ll benefit from integrated protection against spam, malware and phishing.

Even business email providers that emphasise privacy and zero knowledge of your emails’ contents from their end, such as Proton Mail for Business, have automated phishing and spam-detection tools to help keep unwanted content out of your inbox.

So, if you’re operating a small business with modest requirements and limited resources, or if your corporate security policy allows you to use your own laptop for important work stuff, then the version of the Microsoft Defender Antivirus that comes built into both Home and Professional versions of Windows 10 and 11 should provide adequate protection.

Scaling up

Whether you can run an entire small business without some kind of endpoint protection is another question.

Some businesses don’t need it. A four-person office running some combination of Windows, macOS and Linux workstations, with its own file server cheerfully sitting behind the network firewall’s DMZ, is unlikely to be exposed to excessive risk by running with the operating systems’ default measures against malware.

These come in the form of both active defences and, especially in the case of macOS and Linux, permissions policies that make it difficult for unauthorised software to access anything it shouldn’t.

On Windows, Microsoft Defender antivirus and firewall settings can still be administered via Active Directory Group Policy. That means you don’t need Defender for Business or Intune to roll out a consistent security policy for everyone. However, even Defender antivirus’ defaults are solid, providing all-important real-time malware protection.
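
If you are relying on the built-in defaults, it is worth confirming they are actually in force on each machine. The PowerShell below is an added example, not part of the original article: it uses the Defender cmdlets that ship with Windows 10 and 11 to check real-time protection, signature age and the ransomware protection mentioned earlier (which Windows calls Controlled folder access). The three-day signature threshold and the function name are assumptions chosen for illustration.

```powershell
# Added example: audit the built-in Defender settings on the local machine.
# Test-DefenderBaseline is a hypothetical helper name, not a Microsoft cmdlet.
function Test-DefenderBaseline {
    param(
        # Assumption: signatures older than this many days count as stale.
        [int]$MaxSignatureAgeDays = 3
    )

    $status = Get-MpComputerStatus   # current engine and signature state
    $prefs  = Get-MpPreference       # configured policy and preferences

    # EnableControlledFolderAccess: 0 = disabled, 1 = enabled, 2 = audit mode
    $cfaValue = [int]$prefs.EnableControlledFolderAccess
    $cfaMode = switch ($cfaValue) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { "Other ($_)" }
    }

    @(
        [pscustomobject]@{
            Check = 'Antivirus engine enabled'
            Value = $status.AntivirusEnabled
            Pass  = [bool]$status.AntivirusEnabled
        }
        [pscustomobject]@{
            Check = 'Real-time protection enabled'
            Value = $status.RealTimeProtectionEnabled
            Pass  = [bool]$status.RealTimeProtectionEnabled
        }
        [pscustomobject]@{
            Check = "Signatures no older than $MaxSignatureAgeDays days"
            Value = "$($status.AntivirusSignatureAge) day(s) old"
            Pass  = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays
        }
        [pscustomobject]@{
            Check = 'Controlled folder access (ransomware protection)'
            Value = $cfaMode
            Pass  = $cfaValue -eq 1
        }
    )
}

# Print one row per check; any row with Pass = False needs attention.
Test-DefenderBaseline | Format-Table -AutoSize
```

Controlled folder access is off by default, so a failure on that row on an otherwise healthy machine means the ransomware protection has not been switched on yet.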

If you have a web server or enterprise cloud hosted on-premises, make sure there aren’t insecure accounts on there. Databases used to be a prime offender for this, but modern LAMP (Linux, Apache, MySQL, PHP) and LEMP (Linux, Nginx, MySQL, PHP) configurations don’t create the default accounts that used to represent common vulnerabilities.

When should you spend money on antivirus?

As your user and device numbers expand, however, so does your attack surface. There’s a greater chance of someone being tricked by a phishing attack, opening a malicious attachment, or reading a website that’s fallen victim to a contaminated ad that drops malware.

If you have a reasonably sized Windows fleet, it’s not a great idea to operate without some kind of endpoint security solution. The main reason for this is that it will give you the ability to monitor what’s happening across your network. You will also benefit from a centralised management system so you can ensure that each system’s malware protection is actually up to date.

Perhaps you have a Microsoft 365 subscription. Some of these come with additional endpoint protection: Microsoft Defender for Business is bundled with Microsoft 365 Business Premium, for example.

Microsoft has an aggressively priced standalone Defender for Business subscription for businesses with up to 300 users that costs £2.30 per licensed user per month (US $3, AUS $4.10). Each of those users can activate it on up to five devices. Protection per server costs the same.

Microsoft is by no means the only major player in small business endpoint security. Well-regarded, good-value and sometimes even more capable small business endpoint protection solutions are available from established companies including Avast, Malwarebytes, Bitdefender, F-Secure, Sophos, Eset and Trend Micro.

What you do counts

While malware defences are important, it’s often user and corporate behaviour that makes the critical difference.

Making regular backups can be the difference between a ransomware attack that takes your business down for days and one that’s solved by reinstalling affected computers and restoring your last good backup.

If your day-to-day IT management is done in-house, make sure someone has clear responsibility for security. Then make sure they have sufficient time and resources to do their job.

If you don’t have that kind of time or expertise on staff, or sufficient budget to afford a specialist hire, get an appropriate IT support contract from a firm that understands the needs of small and medium enterprises.

Make sure your staff not only get directives telling them to follow security best practices but that they understand why those rules exist. Make sure that your security policies reflect actual best practices – having everyone change their passwords every 90 days just results in people picking weak or reused passwords, for example.

Enterprise-grade endpoint protection is a tool, perhaps the most valuable aspect of which is easy monitoring and deployment of security solutions. It’s well worth having, but it’s only part of a cohesive business security policy.

KG Orphinades

KG is a security expert, journalist and technical writer who advises small businesses on practical ways to keep safe and helps IT support agencies provide timely guidance to their clients.