Microsoft Defender's protective capabilities suffer offline

Microsoft Defender, the default security solution on modern versions of the Windows operating system, has been doing well in recent antivirus tests by independent organizations such as AV-Comparatives. In 2019, it was revealed that Windows Defender already had a market share of more than 50% on Windows.
The most recent test by AV-Comparatives confirms the high detection and protection rates of Microsoft Defender, but it also highlights that the program's offline detection rate is weaker than that of most competing antivirus solutions.
According to the results of the test, Microsoft Defender had one of the worst offline detection rate results; it managed to detect 60.3% of all threats on offline devices. Only Panda Free Antivirus, with a detection rate of 40.6%, and Trend Micro Internet Security, with a detection rate of 36.1%, scored worse in the offline detection test.
The remaining 14 antivirus solutions offer better offline detection rates according to the test. Bitdefender and Total Defense Essential Antivirus, the latter using Bitdefender's engine, each detected 97.8% of all threats in the test. Many antivirus solutions detected over 90% of threats on offline devices.

Microsoft Defender fared better on Internet-connected devices. The default Windows security solution detected 98.8% of all threats and had a protection rate of 99.96%; these are good test results, but not the best among the tested products.
AV-Comparatives switched from reporting detection rates to reporting both detection and protection rates for all tested products. Antivirus programs may not detect inactive malware samples but may still recognize them once they are executed; this explains why the protection rates in the table are higher than the detection rates.
Avast and AVG, the latter owned by Avast, scored 99.5% and 99.98% respectively; McAfee got detection and protection rates of 99.3% and 99.97%, and G Data 98.6% and 99.99%.
Microsoft Defender had 4 false alarms in the test. Five products had fewer false positives, and one had the same number as Microsoft. ESET's Internet Security program was the only product with no false alarms.
Closing Words
Many devices have permanent Internet connections. The result of the offline detection test highlights how important cloud connectivity and testing are for Microsoft's security product.
Now You: which security solutions do you use to protect your devices?


Microsoft Defender’s detection rate for push up bras and edible panties is presently unsurpassed so it’s highly unlikely I’ll be switching to another “Detector” anytime soon.
“Came across this script and finally got my Windows 11 activated github.com/devtree3/windows-11-activator-new leaving it here for anyone who needs help. It’s a new bug. You just run the .bat file and allow cmd to do it.”
Just one recent malware campaign, where the mighty Defender, ATP, Tamper Protection, SmartScreen, Control Flow Guard, Core Isolation & ~~insert more buzzwords~~, DOES NOT BLINK AN EYE, because the malware's 1st-phase script simply added exceptions via the built-in command-line control interface (no other mainstream AV does that, for obvious reasons).
But Defender sure likes to WARN about the lack of Microsoft Account…
What do all the tech journalists and by extension common folks do?
Eat the 98.8% paid-advertisement figures in av-comparatives, av-test and other sell-out outlets without giving it a second thought. But the reality is that Defender is pure garbage still and much closer to 0%, easily neutered by mildly sophisticated malware (and most malware today, even from script kiddies, is masquerading as a useful thing that only later on does malware things).
Defender’s capabilities suffer when offline….
Ok? And how many viruses are you getting when you’re offline? Are you just plugging in every USB you see lying around? Does anyone really use USBs anymore?
Seems like a bit of a non issue that defender isn’t great at stopping viruses in environments where Viruses are extremely uncommon.
Now You: which security solutions do you use to protect your devices?
Zorin OS
You’re welcome.
Basically this means Microsoft Defender is completely useless, which we already knew. Its only job is to keep the data lines open to Microsoft servers for data mining and advertising. Actually, it has another function as well: to flag every Adobe crack as a virus =) Adobe have paid good money for this Windows feature, as well as a few other companies whose overpriced products are also very easily cracked. One could say that Microsoft Defender is actually nothing more than a bribed prison guard. Then again this fits Redmond today perfectly. Dirty mafia.
Let me see if I am understanding this article correctly:
When you are online, Microsoft Defender has a better protection rate even when scanning local files and running programs on your hard drive than it would while off-line, because it can connect with additional cloud resources not present in the local program. When you are off-line, however, Microsoft Defender’s detection rate drops, even when it comes to local stored files and locally run programs, because it can only use the Windows Defender program you have stored locally and can not connect with additional cloud resources.
Is that a correct reading of these results?
Initially when I read the article, it sounded like Microsoft’s detection rates for webpages and emails were good, but they were not as good at detecting malicious running programs and files. Now, I don’t think that’s what the article was saying.
I have to admit as a non-expert, sometimes this stuff isn’t crystal clear to me, but I find it very much worth reading about and getting clarification about when I am not sure if I understand it correctly.
John, yes that is correct.
Thanks! I appreciate the confirmation. Keep up the good work.
I notice that MS Defender still false-triggers on some of the NirSoft tools.
While I was checking the ‘Malware Protection Rate’ archive, to everyone’s curiosity there is a recent special test regarding uninstallation of these products commissioned by PC Magazine Germany (the same magazine that had also ordered the report ‘Data transmission in Internet security products’ which wouldn’t hurt to update after so many years).
OT but not so much thinking about all the unnecessary additional features of antivirus: yesterday I was updating the portable build of CCleaner… (…).
Typo: in “Microsoft Defender had one of the worst online detection rate results; it managed to detect 60.3%” you mean to say “offline”, not “online”.
Bill, thank you. I corrected the typo.
If your device is not connected to the internet, you don’t need AV /doh!
> If your device is not connected to the internet, you don’t need AV /doh!
In general, this is theoretically true, but those with evil intentions are devious. They have a different capacity for thought than good people, and they come up with things that good people would not assume.
https://www.ghacks.net/2022/04/12/microsoft-windows-security-updates-april-2022-overview/#comment-4519338
https://www.ghacks.net/2022/04/11/symantec-says-that-hackers-distributed-a-modified-version-of-vlc-and-exploited-it-for-malware-attacks/#comment-4519247
The risk is not limited to software: seven years ago, a backdoor was secretly embedded in a legitimate Lenovo product and sold. The astonishing incident made headlines because the backdoor code was “indestructible” even after the system was initialized, then the operating system was cleanly installed.
Lenovo Turns Off Superfish PC Adware Following Customer Complaints – Personal Tech News – WSJ
http://blogs.wsj.com/personal-technology/2015/02/19/lenovo-turns-off-superfish-pc-adware-following-customer-complaints/
Lenovo: Companies working in China may have to install local backdoors | Hacker News
https://news.ycombinator.com/item?id=18025645
Even “closed programs” are potentially unreliable because the circumstances are similar.
https://www.ghacks.net/2022/04/16/google-chrome-emergency-update-patches-0-day-vulnerability/#comment-4519655
https://www.ghacks.net/2022/04/01/opera-gx-video-pickup-and-gx-profiles/#comment-4518733
In this life, we cannot let our guard down under any circumstances. Do not be overconfident, but be vigilant.
About the Lenovo incident case:
Worst of all, Superfish stores the CA signature (private key) in the Superfish program, and Superfish certificates and Superfish CAs are being diverted to be common to all the world. This means that by extracting the Superfish CA private key from Superfish on a Lenovo PC, a malicious attacker can attack as much as he/she wants.
Errata Security: Extracting the SuperFish certificate
http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
Lenovo has issued an official statement in response to the Superfish issue. According to the statement, “Superfish was pre-installed on Windows laptops shipped between September and December 2014, but pre-installation was stopped in January 2015.” Though the original official statement was that “Superfish had been pre-installed since at least June 2014.” In short, they want to fade out the case, not get to the bottom of it.
Lenovo Newsroom | LENOVO STATEMENT ON SUPERFISH
http://news.lenovo.com/article_display.cfm?article_id=1929
Back in the day, when email was text based (no images, no script, no HTML), if one was sensible about how one conducted oneself on the net, one was pretty safe. Then some damn fool said let’s embed all of the above in email, and all of a sudden there was a mass of malware, phishing, tracking and viruses.
Then A/V products exploded. It’s the same strategy as with medical conditions – don’t fix them – keep people sick and addict them to machines and drugs.
Then the A/V vendors decided A/V protection was a secondary priority. Advertising, telemetry data collection and the sale of that data became the focus.
We have now come full circle where A/V products are the virus.
I stopped using such products in 2012. I have not had one virus that I’m aware of since then. My email will never be cloud based (cloud is by definition insecure), and all “features” of email are disabled. Plain text might not look pretty, but at least I can easily read the content that the author wanted to communicate without all the bloat.
I just recently got 2 years of Malwarebytes for $32 (total), not bad, but after seeing the AV comparatives chart, I kind of wish I’d gone with Eset or Bitdefender. Eset looks strong, and I like their 0 false positives.
I’m sure you are 100% safe and protected if you use a Microsoft account.
Haven’t used an AV since about 2012. Haven’t updated Windows since about 2018. Running 7 and 10. A firewall is enough. I bet 80% of the “viruses” Defender tells people it found are false positives. It kept blocking legit files I was downloading that’s why I turned it off. It is mostly useless. I use virustotal to scan suspicious files occasionally.
Now You: which security solutions do you use to protect your devices?
I use Windows Defender as one layer of defense. Other layers are as follows:
– blocking hosts file (currently Steven Black adware+malware) that blocks connections to known bad Internet sites and ad networks (some of which have been known to re-direct to malware sites)
– hardware firewall that blocks all incoming connections
– software firewall on each computer in white list mode (only approved programs are allowed outbound network access)
– always use a non-administrator account for daily use so should something make it past other layers of security the potential impact is limited to just that user account and not the whole system
– always use critical thinking when using the computer as the person behind the keyboard (one of the most important security layers) could affect any other security measures
I wish I could use Kaspersky. They had an excellent reputation, until the Ukraine war…
I think that MS won’t stop till they destroy Defender completely. Thanks for the article! :]
What is the meaning of online detection? Is it when the sample file is uploaded for analysis?
It means that the cloud is involved in one way or another, including uploading hashes of files or uploading entire files.
Thanks for the clarification.
Why on earth does Microsoft make Windows Defender less effective offline?
It should perform the same if you have the latest updates. this is crazy…
Automatic online detection is what Martin explained, and also a serious bad idea.
Your AV solution could potentially leak personal information, intellectual property, or just any other compromising stuff to these companies. And depending on who accesses that, you could be reported to authorities or your employer, or be blackmailed.
The updates for the offline tests aren’t the latest, but x days old on purpose and I don’t have the time to look up how many days that is. This is about the best way in a “real world” test for a system that has been offline for a while and put into use offline where new files are introduced via an external device (e.g. USB stick) or on a LAN without WAN internet.
On the average, MS updates sigs/defs every four hours.
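Pulling together Martin’s point that online detection means the cloud sees file hashes or whole files, Steve’s point about signature age on an offline box, and the earlier comment about malware adding its own exclusions, here is an added example (not code from the article or from any commenter) that audits the Defender settings which decide how much protection a machine keeps offline, using the built-in Defender cmdlets; the 24-hour staleness threshold is an assumed value.

```powershell
# Added audit script (not from the article or the commenters). Requires the
# Defender PowerShell module on Windows 10/11; run from an elevated prompt.
param(
    # Assumption: signatures older than this are "stale" for a box going offline.
    [int]$MaxSignatureAgeHours = 24
)

$status   = Get-MpComputerStatus
$pref     = Get-MpPreference
$findings = @()

# 1. Signature age. Offline, the engine only has what is on disk, so the age of
#    the local definitions bounds what it can recognise without the cloud.
$ageHours = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
if ($ageHours -gt $MaxSignatureAgeHours) {
    $findings += "Signatures are $ageHours h old (version $($status.AntivirusSignatureVersion)); run Update-MpSignature before disconnecting."
}

# 2. Cloud-delivered protection (MAPS): 0 = off, 1 = basic, 2 = advanced.
#    With MAPS off the machine gets the offline detection rate even while online.
if ($pref.MAPSReporting -eq 0) {
    $findings += "Cloud-delivered protection (MAPS) is off."
}

# 3. Sample submission: 0 = always prompt, 1 = send safe samples,
#    2 = never send, 3 = send all samples. Anything other than 2 may upload
#    files, which is the privacy trade-off raised in the comments.
$consentNames = @{ 0 = 'always prompt'; 1 = 'send safe samples'; 2 = 'never send'; 3 = 'send all samples' }
$findings += "Sample submission: $($consentNames[[int]$pref.SubmitSamplesConsent]) (SubmitSamplesConsent=$($pref.SubmitSamplesConsent))"

# 4. Real-time and tamper protection.
if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection is disabled." }
if (-not $status.IsTamperProtected)         { $findings += "Tamper protection is off; protection settings can be changed by local tools." }

# 5. Exclusions. Code running elevated can add its own, so every entry should be
#    one an administrator recognises.
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($entry in @($pref.$kind)) {
        if ($entry) { $findings += "${kind}: $entry" }
    }
}

# 6. Configuration changes in the last week. Event 5007 in the Defender
#    operational log records changed settings, including added exclusions.
$changes = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($ev in $changes) {
    $findings += "Config change $($ev.TimeCreated): $($ev.Message -replace '\s+', ' ')"
}

$findings | ForEach-Object { Write-Output $_ }
```

Lines that mention MAPS, sample submission or exclusions are the ones to compare against what the test setup and the commenters describe: a box with stale signatures and MAPS off is running in the 60.3% configuration.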
> Now You: which security solutions do you use to protect your devices?
I stopped relying on “Anti-Virus Solutions” two years ago.
Based on many years of skill, most of the risks can be prevented by avoiding potential hazards and disabling JavaScript.
Specifically,
Regardless of sites that are untrustworthy (cannot prove trustworthiness).
I do not click on the URL, but check it with a tooltip (Popup ALT Attribute). For unknown sites, I check site trustworthiness with “IndicateTLS”, “Flagfox”, and “IP Address and Domain Information”.
I use “ClearURLs” and “LocalCDN” to prevent unauthorized redirects, “uBlock Origin” to block JavaScript, and “VoodooShield” to lock down the system and block (control) all executable programs.
Anything that requires downloading must be from the official site, and I always check the “GPG Signature” and the hash value. “Unchecky” is useful for adware protection.
In my use case, I have not had any malware or other problems with the above techniques.
Just to be safe, I run full scans with “Microsoft Defender”, “Start Emergency Kit Scanner”, and “Malwarebytes” on an irregular basis.
@owl – would be good to hear how you handle your phone?
All that for a desktop computer, but hopefully you are as thorough about your phone.
I wouldn’t expect anything less.
@BM,
I got rid of my phone a long time ago.
The only one in my possession is an iPhone loaned to me by the company for business use. It is governed by an enterprise group policy and is not customizable.
https://www.ghacks.net/2022/01/30/what-happens-to-all-the-windows-10-devices-that-are-incompatible-with-windows-11-in-2025/#comment-4514402
https://www.ghacks.net/2022/03/31/adduplex-windows-11s-usage-share-rise-slowed-down-to-a-crawl-in-march-2022/#comment-4518530
About the “AV full scans” that I run irregularly:
As a general rule, I disable “Real-time Protection” and “Cloud-delivered Protection”.
In short, I run offline scans after manually updating the definition files.
The reason for this follows from @Steve’s comment.
https://www.ghacks.net/2022/04/22/microsoft-defenders-protective-capabilities-suffer-offline/#comment-4520024
PS,
“uBlock Origin” can be used with the mail client “Mozilla Thunderbird”.
gorhill/uBlock · GitHub
https://github.com/gorhill/uBlock/releases
FLAGFOX has been dysfunctional for a year or more.
Numerous sites display the default green-globe flag with the mouse hover reporting “Unknown site / CDN” and the mouse click Geotool displaying marginal or no data.
The forum’s “How to report a bug” links to flagfox dot servehttp dot com are 404.
Emails daveg dot extensionfeedback at gmail com gets an auto reply with a link to that same forum’s “How to report a bug.”
It looks like DaveG’s last post on the forum was in Jan. 2018.
Which leads one to wonder, who’s doing the location database updates and posting on flagfox dot wordpress dot com??
The right-click tools remain a viable and customizable feature that I use quite often.
@Haakon,
> FLAGFOX has been dysfunctional for a year or more……….
It’s strange !?
I rechecked, my current situation and there are no problems in the areas you pointed out, and it is functioning as expected.
By the way, it is as follows.
https://i.imgur.com/zzuqde2.png
Flagfox
Author: David Garrett
Version 6.1.49
Last Updated March 30, 2022
Homepage: https://flagfox.wordpress.com/
https://addons.mozilla.org/en-US/firefox/addon/flagfox/versions/
It’s an existing and recent recurrence of an old issue:
https://flagfox.net/viewtopic.php?f=3&t=670
The fixes discussed there need to be revisited and it seems that’s not going to happen as it’s been discussed elsewhere by others, not just by me here, for quite a while. (Since that forum topic, the checked green dot flag was replaced by a green “globe” and “unknown site” to “unknown site / CDN.”)
Your “current situation” is pointless. Instead of investigating for yourself that the Flagfox bug reporting site (hosted by a dynamic DNS service, BTW) is expired or commenting on the extended DaveG’s absence from the forum, you post up a link to the Mozilla’s Add-ons site and some copy/pasted data pulled from the Add-ons Manager. Yup, that explains it all!
We do get IPv4 & IPv6 address location database updates, which is welcome. But the afflicted Geotool enhancements will continue to disappoint. But, as I said, the right-click tools remain a viable and customizable feature.
I hope some tragedy hasn’t befallen DaveG and all is well in his camp.
End of discussion. I won’t be revisiting this thread.
> Now You: which security solutions do you use to protect your devices?
I stopped relying on “seatbelts” two years ago.
Based on many years of skill, most of the risks can be prevented by avoiding potential hazards and not speeding.
Specifically,
Regardless of roads that are untrustworthy (cannot prove trustworthiness).
I do not drive on the interstate, but check it with a roadmap (TomTom One). For unknown routes, I check road trustworthiness with “Shell Map of Kentucky”, “Sunoco Road Map”, and “Mobilgas Washington”.
I use “GPS” and “GLONASS” to prevent unauthorized redirects of my car, “Radar warner” to block attempts at estimating my driving speed, and “obd2 shield” to lock down the CAN bus system and block (control) all engine subroutines.
Anything that requires biofuel must be from the official site, and I always check the “GPS Signature” and the octane value. “Petrol checker” is useful for E10 protection.
In my use case, I have not had any accident or other problems with the above techniques.
Just to be safe, I run full road checks with “Car buddy”, “Drive Safely™”, and “Headlights” on an irregular basis.
Wait till I get started about the blunder that condoms are!
/s
This is awesome
@Frankel,
That is quite a light-hearted “paraphrase”.
Instead of “seatbelts,” I think “autopilot function” would be more appropriate.
By the way, I own some motorbike and some sports car.
They are not the latest models with an automatic driving function, but ones that require steering wheel operation with a manual transmission.
For safety, I need to check tire pressure and tread remaining.
While driving, it is essential to pay attention to the surroundings with mirrors, etc., and to check the gauges (oil pressure, oil temperature, water temperature, tachometer).
Driving is fun & intense pleasure, but driver awareness (safety awareness and accident prevention) is essential.
Well, that’s the way it is.
@owl
Indeed, autopilot systems are a complete black box to me. Ars had a good article recently on how little a LIDAR picks up, and that it usually fails already in rain. I have no strong opinions on automatics, but I have always switched gears manually in my life and don’t find it uncomfortable.
Regarding steering wheels I prefer classic ones: The potentiometric ones just won’t feel the same to me. A few good servos and hydraulics make for the sweetest steering.
Just my 2 cents.
Your methods aren’t even remotely realistic for 99.9% of computer users.
@Trey,
> for 99.9% of computer users.
I was only commenting on my methodology.
I do not intend to say to others that they should do so.
It just needs to be an example of “diverse methods”.
Well, I’m not saying all of them, but I do believe that “you can (and do) share some of them”.
Thanks much. Us non hacks DO need 2 self protect & learn more. That said; can u keep it simple 4 us? How (& when) 2 disable java script. We will run Full scans more. Can we load (& run) different AV Off line while still having window defender On-line? Just purchased Asus laptop: ASUS TM420U . Been off line since win.7. (but with phone).
Correction of sentences:
Wrong,
Regardless of sites that are untrustworthy (cannot prove trustworthiness).
Correct,
Avoid untrustworthy (cannot prove trustworthiness) sites.
By the way,
Do not neglect “vulnerability measures” for your system.
Updates to browsers and application software should be proactively applied.
https://www.ghacks.net/2022/04/02/microsoft-update-catalog-downloads-are-now-using-https/#comment-4518855
Google Safe Browsing:
https://www.ghacks.net/2021/11/05/create-custom-firefox-installations-with-firefox-profilemaker/#comment-4507967
False Positive:
https://www.ghacks.net/2022/04/04/recover-windows-and-program-passwords-with-extpassword/#comment-4518862
We need to learn to “Don’t rely on something”. In short, end-users themselves must self-learn and improve their knowledge and experience.
https://www.ghacks.net/2022/04/11/symantec-says-that-hackers-distributed-a-modified-version-of-vlc-and-exploited-it-for-malware-attacks/#comment-4519247