Configure behavioral, heuristic, and real-time protection

Applies to:

Windows Defender Antivirus uses several methods to provide threat protection:

  • Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
  • Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
  • Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research

You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and Windows Management Instrumentation (WMI).

This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe but may not be detected as malware.

See Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection for how to enable and configure Windows Defender Antivirus cloud-delivered protection.

In this section

| Topic | Description |
| --- | --- |
| Detect and block potentially unwanted applications | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps |
| Enable and configure Windows Defender Antivirus protection capabilities | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features |