
Microsoft Defender weaker than competing antivirus software when offline, says report

Image: Surface Laptop Studio Backlit Keyboard (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • AV-Comparatives conducted research to figure out what the best consumer products are for malware protection.
  • Though it scored well overall, Microsoft Defender did poorly in the "offline detection" category, spotting markedly fewer threats than services such as Bitdefender.
  • Microsoft Defender did much better in categories such as false positives, wherein it had relatively few compared to the competition.

Those who rely on Microsoft Defender may be putting themselves in a tough spot when it comes to offline protection, based on results from testing conducted by AV-Comparatives (via Winfuture). In the organization's testing, Microsoft's antivirus solution dropped the ball compared to Avast and Bitdefender, which both excelled at spotting threats without an internet connection.

Before we dive into the results, let's quickly go over what AV-Comparatives threw at the antiviruses it tested: "The test set used for this test consisted of 10,040 malware samples, assembled after consulting telemetry data with the aim of including recent, prevalent samples that are endangering users in the field," the org's report reads. "Malware variants were clustered, in order to build a more representative test-set (i.e. to avoid over-representation of the very same malware in the set)."

With that in mind, here's how Microsoft did:

Image: Microsoft Defender offline detection results chart (Source: AV-Comparatives)

As you can see in the results, while Defender was a tough cookie when online, it failed to detect nearly 40% of what AV-Comparatives ran by it while offline, possibly due to cloud dependencies. That poor performance made it the third-worst offline antivirus solution on the entire list. Meanwhile, G Data managed to spot 98.6% of threats while offline and there was a three-way tie between Total Defense, VIPRE, and Bitdefender, which all caught 97.8%.

Testing was done at the beginning of March 2022, with all products being put through their paces on fully updated 64-bit Windows 10 machines. Though you should consult multiple test sources before drawing any firm conclusions, it may be worth checking out an alternative to Defender if you're particularly concerned about offline security risks. You can consult the best antivirus software roundup for ideas on where to start (Bitdefender is one option worth considering).

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.

14 Comments
  • Is this just Defender AV alone and properly configured, or was it out of the box? Also, did it have all of the other technologies enabled in the stack such as Device Guard, ASR, Windows Firewall, and SmartScreen? One of the things that is annoying (and that people miss) when comparing MS products to other products is you have to compare the stack, not just a component. MS breaks up components into separate products, so any one solution may beat out a component, but the whole MS Defender stack compares to, if not beats, the non-MS product. Just some food for thought for the outcome of this article.
  • Well, if you want to compare stack to stack you have to look at the other side too; almost every company breaks these up because they're different technologies. A firewall is not an antivirus, nor is Application Guard. You're also comparing enterprise features to individually licensed products, and since you're talking enterprise stack, a properly configured proxy does everything SmartScreen does and more, and because it scans your emails and web activity most companies disable it by policy. ASR are just firewall rules and aren't anything you wouldn't find in any enterprise-grade firewall; they're essentially patches to known vulnerabilities given a Microsoft-coined name. But I think the biggest thing wrong with your assessment is that this article is a comparison of CONSUMER GRADE ANTIVIRUS, not a comparison of enterprise threat and vulnerability management vs consumer grade antivirus. Of course it's going to win, because you're talking features of several security systems vs one element in a limited system; enterprise stack to stack, Microsoft solutions still fall short. And by the way, the reason Microsoft and almost all other companies separate these very different products (with the exception of UTM solutions {unified threat management}) is because it is industry best practice: the concept of layered defences is in itself a security measure, removing a single point of failure or breach. Just some alternate food for thought. Derek Simon - Rayiik Solutions {Cyber security}
  • Defender and the firewall aren't the same software package. They are just both shown in Windows SECURITY center. Wow...
  • I've run the MS Defender suite for 10-plus years. No issues.
  • Does offline mean something like receiving a file on a USB drive? What are common offline threats? In general, I think I'm only concerned about online problems. Not excusing poor performance, just that depending on what offline includes, perhaps it should be weighted quite low in evaluating total performance. Still, I hope MS sees this and addresses it. Or, as Annulator said, maybe this test is in isolation and ignoring the rest of the MS security stack.
  • @GraniteStateColin I believe offline would include things like rootkits, which run pre-operating system. But even if not, let's roll a hypothetical here. Let's say that our malware/virus/malicious software's first step were to interrupt your antivirus's ability to connect to the network (group policy addition, registry change; you could still be connected to the internet but your antivirus would not be). From this position it would be much more difficult to remove, because all it has to do to get that advantage is block a single service/port, or change a MAC address/IP/gateway IP/DHCP assignment, at which point it might be stronger than the AV's ability to handle. (Though hot-loaded bad USBs are definitely an issue, it's less common.) External hard drives, transfers from your phone to your computer, loss of Wi-Fi momentarily as a condition of activation.
  • Great points. Thanks. Yeah I wasn't thinking of startup issues. As a user, I can control physical connections, but not what my computer does at startup. That is indeed more concerning.
  • No, offline means no internet connection. Defender has definition files and ways to detect things offline, but it uses the internet connection to compare a suspicious file or get up-to-the-second definition files. It works that way for a reason, and it works amazingly well. If you can't get online and don't have the latest updates for other AV software, they won't find everything either... I'd rather have real-time definitions and file checks. My PC & laptop are always online when they're on, but to be extra careful I run a scan with something else once a month. Also, Avast was bought by a hedge fund and is basically malware itself now.
  • It means in general when the PC isn't connected to the Internet.
  • Edited. Posted by accident.
  • I wouldn't allow Avast, AVG, and Avira within 100 feet of my computer! So far, Microsoft Security has done a great job of protecting me, so I don't see the need to use anything else.
  • Never had, and never have, any issues with Defender online and offline.
    Tests like these can be taken with huge grains of salt and are usually done with favoritism in mind (aka the company that pays the most in advertising their malware-infested pop-up software). With my own friends we did a similar test with completely-from-scratch dummy malware, and Defender managed to find 89% of them out of the box offline against 15% for the big companies that charge $40 per month. You can be secured IRL against viruses etc. too if you lock yourself in 10-metre-thick concrete with no water or air coming in ;)
  • The major problem with most commercial anti-malware software is A: most are resource intensive, B: they're full of bloat. People want decent malware protection, plus some want a firewall too. Not password managers, browser extensions, encryption, file shredders and all manner of other things they bloat their apps out with. Prior to getting a Surface Pro X I used to use ESET Smart Security, because one of its selling points is low resource use. Never had the issue I've had with others where it uses a tonne of resources. I had to use Microsoft Defender because it was all that supported WoA. ESET now supports WoA, but I've had no issues with Microsoft Defender so will stick with it. Yes, malware exists, but the days of the wild west of Windows are gone. The bigger risk these days is phishing rather than traditional malware.
  • Hello Cortana, what is "offline"?
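The article and the comments above turn on one point: Defender's detection rate drops when it cannot reach its cloud service and has to rely on local definitions alone. The following PowerShell audit script is an added example (not from the article, AV-Comparatives, or Microsoft) that checks whether a Windows host is currently in that degraded state. It assumes the built-in Defender module cmdlets and MpCmdRun.exe are present, that it runs in an elevated session, and that a non-zero exit code from the MAPS connection test means the cloud is unreachable.

```powershell
# Added example: audit whether this host is effectively running Defender
# "offline" (stale local signatures, no cloud/MAPS lookups). Requires the
# built-in Defender PowerShell module; run from an elevated session.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$findings = @()

if (-not $status.RealTimeProtectionEnabled) {
    $findings += 'Real-time protection is off'
}

# Local definitions are what offline detection falls back on; flag them if stale.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 1) {
    $findings += ('Signatures are {0:N1} days old (version {1})' -f
                  $sigAge.TotalDays, $status.AntivirusSignatureVersion)
}

# MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced.
# 0 means Defender will not consult the cloud for suspicious files at all.
if ($pref.MAPSReporting -eq 0) {
    $findings += 'Cloud-delivered protection (MAPS) is disabled by policy'
}

# Ask Defender itself whether it can reach the cloud service right now.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$null = & $mpcmd -ValidateMapsConnection 2>&1
# Assumption: a non-zero exit code means the MAPS connection test failed.
if ($LASTEXITCODE -ne 0) {
    $findings += 'Defender cannot reach MAPS; detection is running offline'
}

if ($findings.Count -eq 0) {
    'OK: signatures current and cloud protection reachable'
} else {
    'Degraded (offline-style) protection detected:'
    $findings | ForEach-Object { " - $_" }
}
```

Scheduling this as a periodic task gives a defender the same "is the cloud actually reachable?" signal that the hypothetical in the comments relies on an attacker quietly removing.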