Why Windows 10 users have better anti-virus protection

Almost all Windows 10 PCs are now running anti-virus software because the built-in Windows Defender is turned on automatically unless an alternative program is installed. With up-to-date versions of Windows 10, the "unprotected rate" has fallen to around 3 percent of the PCs that Microsoft updates.

Historically, Microsoft has been reluctant to protect its users, partly because of anti-trust threats from anti-virus software providers. Back in 2006, when up to half of PCs were unprotected, McAfee and Symantec threatened European anti-trust lawsuits over Microsoft's plan to include Kernel PatchGuard in Windows Vista. Just before the Windows 7 launch in 2009, AVG told me: "At this point, we're watching in Brussels to ensure they don't bundle [anti-virus software] with Windows and trigger about a trillion lawsuits."

Today's PCs still show the aftermath, in that about 28 percent of Vista PCs and more than 20 percent of Windows 7 PCs are still unprotected, according to the latest Microsoft Security Intelligence Report (No 21). Indeed, the reality is probably somewhat worse: many unprotected PCs are not counted because they don't have Windows Update turned on.

Why are the numbers so high? The virus threat has been well publicised, and AVG, Avast and many other companies have been offering free anti-virus programs for more than a decade. Partly, it's a regional issue. The countries with the highest average number of unprotected PCs - Libya, Algeria, Nigeria, Iraq and Tanzania - don't have the best internet connections.

Other reasons are shown in the barchart at the end of this post.

In Windows 7's case, more than 60 percent of unprotected PCs still don't have any anti-virus software installed. In another 20 percent of cases, it's installed but turned off. In some cases, AV is turned on but the definitions and signatures are out of date. That may be because of expired subscriptions, but Vista and Windows 7 don't report those.

That changed after Microsoft bundled Defender with Windows 8, and it emerged that one major reason for a lack of protection was that the PC's anti-virus software subscription had expired. With Windows 10, the main problems are users failing to update their PCs or turning off their anti-virus software or "snoozing" it.

Of course, the "expired subscription" problem may yet appear on Windows 10, because most new PCs have not been running Windows 10 for more than one year.

Windows 10's improved security

Having taken on the burden of protecting PCs, Microsoft is now trying to make Defender more capable, which should be confirmed by better scores in group anti-virus tests. Microsoft is also using multiple approaches so it's not wholly dependent on Defender. For example, some malware is blocked by Windows 10's SmartScreen or "safe browsing" filter.

Microsoft has also added features from EMET, its Enhanced Mitigation Experience Toolkit. Windows 10 now includes DEP (Data Execution Prevention), SEHOP (Structured Exception Handler Overwrite Protection), and ASLR (Address Space Layout Randomization) as standard, and Enterprise users also get post-breach feedback from ATP (Advanced Threat Protection). Microsoft therefore plans to stop offering EMET on July 31, 2018, though not everyone thinks that's a good idea.

Windows 10 also includes cloud-based protection, which was turned on by default in the Anniversary Update version. When Defender notices a suspicious file that it doesn't recognise, it refers it to the cloud service, which uses heuristics, automated file analysis and machine learning to decide whether or not to block it. Microsoft says: "In many cases, this process can reduce the response time when a new threat emerges from hours to seconds."

Cloud-based heuristics have already made a contribution to blocking ransomware attacks that were not detected by traditional virus signatures (PDF). Of course, users will be less secure if they change the defaults in a misguided attempt to protect their privacy.

Another factor is that Windows 10's new browser, Edge, has better security than IE. Also, Edge doesn't support ActiveX or Java add-ins, so it isn't vulnerable to many of the attacks that compromised earlier versions of Internet Explorer.

Infection rates

Microsoft's Security Report counts "malware encounters" separately from malware infections: PCs often run into malware without being infected by it. This has produced an oddity: Microsoft reports that "two of the five most commonly encountered operating system exploits on Windows computers in 1H16" - Unix/Lotoor and AndroidOS/GingerMaster - "actually target the Android mobile operating system."

Microsoft sees Android malware when users attach their smartphones or storage cards to Windows PCs, or use their Windows PCs to download programs to transfer to their phones.

The average infection rate for Windows PCs, according to Microsoft's Malicious Software Removal Tool (MSRT), is currently 1.01 percent. It's less than 0.4 percent in the best countries (Finland, Japan, Denmark, Norway Germany) and around 8 percent in Libya, which also scores highest for unprotected PCs. The five worst areas are Libya, Iraq, Mongolia, the Palestinian Authority and Morocco.