Microsoft's Windows Defender ranks seventh out of 15 antivirus (AV) products in an independent test. But the results don't show the whole picture, argues Microsoft.
With improvements to Windows 10's built-in Windows Defender antivirus, some users are questioning whether it's worth paying for a third-party product from the likes of Symantec, McAfee or Kaspersky.
But according to the latest results for Windows home and business use from German AV benchmarking firm AV-Test, Windows Defender is still trailing third-party AV, tying in seventh place with four other vendors.
The top AV products for Windows 10 across protection, performance, and usability in December were Trend Micro, Vipre, AhnLab, Avira, Bitdefender, Kaspersky, and McAfee, according to AV-Test.
Windows Defender rated highly on protection, detecting 100 percent of new and old malware, but lost points for performance, which measures how much an AV slows applications and websites, and for usability, which counts false positives, or instances where AV wrongly identifies a file as malicious.
Windows Defender's performance rating was dragged down because it slowed the installation of frequently used applications more than the industry average, and wrongly detected 16 pieces of legitimate software compared with the industry average of four.
But Microsoft wants enterprise customers to know that Windows Defender is only half the picture, given the option for customers to also deploy Windows Defender Advanced Threat Protection (ATP) "stack components", including SmartScreen, Application Guard, and Application Control.
In the January and February test, Windows Defender also scored 100 percent on protection. However, it did miss two samples. Since then, Microsoft has retrained its machine-learning classifiers to detect them.
But Microsoft notes in a new paper that Defender ATP did catch them, which isn't reflected in AV-Test's or other testing firms' results. Microsoft hopes to change this so that testers include so-called stack components available in ATP.
"As threats become more sophisticated, Microsoft and other security platform vendors continue evolving their product capabilities to detect threats across different attack stages," Microsoft's Windows Defender Research team writes.
"We hope to see independent testers evolve their methodologies as well. Our customers need greater transparency and optics into what an end-to-end solution can accomplish in terms of total preventive protection, including the quality of individual components like antivirus.
"Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on end-to-end security stack testing."
Windows Defender still has problems with incorrectly classifying legitimate apps as malware, according to the January-February test.
However, Microsoft contends that all six of the misclassified apps were either media players or audio mixers, which aren't common in enterprise environments.
It also argues that the false positives in the synthetic test don't factor in the contextual information Microsoft uses on real-world machines, which prevents Defender from wrongly flagging clean apps as bad.
And Windows Defender is still significantly slower than the industry average for installing frequently used applications. Again, however, Microsoft counters that enterprise users generally spend less time installing new apps and more time using browsers, email, and word processors.