Microsoft Defender Antivirus uses several methods to provide threat protection:
- Cloud protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as “real-time protection”)
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Microsoft Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See Use next-gen Microsoft Defender Antivirus technologies through cloud protection for how to enable and configure Microsoft Defender Antivirus cloud protection.