Windows Defender: Rise of the machine (learning)

Windows Defender harnesses the power of machine learning, contributing to making Windows 10 Microsoft’s most secure client operating system and providing increased protection against security threats facing consumers and commercial enterprises today.

To reduce the number of both false negative and false positive detections our automation pipeline uses a variety of tools and technologies to process malware and unwanted software. These include:

  • Machine learning
  • Clustering
  • Cosmos
  • Azure and Cloud

The automation process

As seen in the diagram below, our automation typically takes a first pass at detecting malware as it is first encountered.

This adds another layer of protection to the manual work our security researchers do to write better generic detection signatures and clean-up routines, produce malware eradication strategies, and identify control points to take malware down.

Diagram showing that automation is the first part of malware analysis. Note: Stacked objects may run in parallel with each other

Figure 1: Automation is the first part of malware analysis. Note: Stacked objects may run in parallel with each other


Once a suspicious file is extracted and run within a virtual environment, or the features/attributes of a file are received, we use automation to sort the sample into one of the following classes:

  • Clean
  • Malware
  • Virus
  • Unwanted Software

Each of the classes above routes to a specific output. For example, once we identify a file as malware, we ship protection for it to our cloud engine. This also means customers who have the Microsoft Active Protection Service (MAPS) turned on, enjoy the benefits of being better protected against the latest threats.

Malware, viruses, and unwanted software can be mutated, packed, and obfuscated in a bid to evade detection. This requires targeted, and at times complex, detection signatures. Our automation can suggest or release the best type of generic signature for a certain file or cluster of files. The metrics attached to an automated signature are then automatically analyzed and various decisions can be made as to whether the signature is released or flagged for a researcher to manually analyze.

Classifying malware families

Our automation system can also classify a sample within the malware family to which it is most similar. If the system can’t confidently identify the real malware family, it assigns it a generic, synthetic family name. The prevalent family names for automation-classified malware are:

Individual threats within these families usually follow the format:

  • Trojan:Win32/<family name>

The graph below shows an example of our synthetic families and their respective encounters in the past six months.

Chart showing synthetic family encounters May – November 2015

Figure 2: Synthetic family encounters May – November 2015

Using automation helps us detect and remove malware and unwanted software faster and better protect our customers.

To ensure you are getting the latest protection, keep your real-time security software, such as Windows Defender for Windows 10 up-to-date.

Enable the Microsoft Active Protection Service (MAPS). MAPS uses cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender.

Comments (10)

  1. Mary Jane Krenek says:

    I can't turn my Windows Defender on?

  2. WJ Westberry says:

    These sites pop up constantly on my computer. Uninstalling does not rid them. Please help me get them off of my computer and make sure they can’t return. I am not sure Windows Defender is working.

  3. Christine Hayes says:

    I’ve tried using Windows Defender and Microsoft Essentials to remove/Dynamer!ac Trojan”Win32. Any suggestions?

    1. poncho says:

      Know whatcha mean, I”ve tried Microsoft Security and Malwarebytes but they claim to Quarantine “Trojan” but it still remains…it has even messed up my keyboard. I really don’t understand why Microsoft has not found a fix ……”UNLESS” they are in on it????

  4. sunny says:

    When I was in Windows XP I was using AVG Antivirus. After Upgrading windows 8 I realize that Windows Defender is best. It will not slowdown my PC and It detect virus from USB. I am using Windows Defender for 3 years now.

  5. if you made it you no what it needs to keep it running

    1. I believe you’re the best choice out of all security because you made it, and you know how to take care of it

  6. Quangmen says:

    I can’t turn my Windows Defender on? it kept informed : “this app has been turned off and isn’t monitoring your computer windows defender”

  7. j m says:

    i have win 7 home 64bits
    i tried defender, does not see it
    security essential finds it but cant remove it
    what next

    1. j m says:

      talking about DYNAMER TROJAN

Skip to main content