Oct 17, 2019. Aug 17, 2020.
Applies to:
- Windows 10
- Windows 10 Mobile
- Microsoft Edge
Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
Microsoft Defender SmartScreen determines whether a site is potentially malicious by:
- Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution.
Benefits of Microsoft Defender SmartScreen
Microsoft Defender SmartScreen provides an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
- Anti-phishing and anti-malware support. Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks
- Reputation-based URL and app protection. Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
- Operating system integration. Microsoft Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
- Improved heuristics and diagnostic data. Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
- Management through Group Policy and Microsoft Intune. Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings.
- Blocking URLs associated with potentially unwanted applications. In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see Detect and block potentially unwanted applications.
Important
SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
Submit files to Microsoft Defender SmartScreen for review
If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can submit a file to Microsoft for review. For more info, see Submit files for analysis.
When submitting Microsoft Defender SmartScreen products, make sure to select Microsoft Defender SmartScreen from the product menu.
Viewing Microsoft Defender SmartScreen anti-phishing events
Note
No SmartScreen events will be logged when using Microsoft Edge version 77 or later.
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as Event 1035 - Anti-Phishing.
Viewing Windows event logs for Microsoft Defender SmartScreen
Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
The Windows event log for SmartScreen is disabled by default. Users can enable it through the Event Viewer UI or from the command line.
Note
For information on how to use the Event Viewer, see Windows Event Viewer.
EventID | Description |
---|---|
1000 | Application Windows Defender SmartScreen Event |
1001 | Uri Windows Defender SmartScreen Event |
1002 | User Decision Windows Defender SmartScreen Event |
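The following is an added example, not part of the original page: it enables the Microsoft-Windows-SmartScreen/Debug channel with the built-in `wevtutil` utility and summarizes the three event IDs from the table above. It assumes an elevated PowerShell prompt; the variable names are illustrative.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
$logName = 'Microsoft-Windows-SmartScreen/Debug'

# Descriptions copied from the EventID table on this page.
$descriptions = @{
    1000 = 'Application Windows Defender SmartScreen Event'
    1001 = 'Uri Windows Defender SmartScreen Event'
    1002 = 'User Decision Windows Defender SmartScreen Event'
}

# The channel is disabled by default; enable it only if it is currently off.
# "wevtutil sl" is set-log, and /e:true turns the channel on.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    wevtutil sl $logName /e:true
}

# Debug and analytic channels can only be read oldest-first, hence -Oldest.
# A freshly enabled channel is empty, so suppress the "no events" error.
$events = @(Get-WinEvent -LogName $logName -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $descriptions.ContainsKey([int]$_.Id) })

# Per-ID summary: count plus first and last occurrence.
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId     = [int]$_.Name
        Description = $descriptions[[int]$_.Name]
        Count       = $_.Count
        First       = $_.Group[0].TimeCreated    # group keeps oldest-first order
        Last        = $_.Group[-1].TimeCreated
    }
} | Format-Table -AutoSize

# The ten most recent user decisions (ID 1002), for example to review
# how often users continue past a SmartScreen warning.
$events | Where-Object Id -eq 1002 |
    Select-Object -Last 10 TimeCreated, Id, Message
```

Events only accumulate after the channel is enabled, so run the query again after some browsing or download activity on the device.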
There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
- Security intelligence updates
- Product updates
Important
Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
This also applies to devices where Microsoft Defender Antivirus is running in passive mode.
Note
You can use the URL below to find out what the current versions are: https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info
Security intelligence updates
Microsoft Defender Antivirus uses cloud-delivered protection (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus topic for more details about enabling and configuring cloud-provided protection.
Engine updates are included with the security intelligence updates and are released on a monthly cadence.
Product updates
Microsoft Defender Antivirus requires monthly updates (KB4052623) (known as 'platform updates'), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with Microsoft Endpoint Configuration Manager, or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. For more information, see Manage the sources for Microsoft Defender Antivirus protection updates.
Note
We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
Monthly platform and engine versions
For information on how to update or install the platform update, see Update for Windows Defender antimalware platform.
All our updates contain:
- performance improvements
- serviceability improvements
- integration improvements (Cloud, MTP)
Security intelligence update version: 1.323.9.0
Released: August 27, 2020
Platform: 4.18.2008.9
Engine: 1.1.17400.5
Support phase: Security and Critical Updates
What's new
- Add more telemetry events
- Improved scan event telemetry
- Improved behavior monitoring for memory scans
- Improved macro streams scanning
- Added 'AMRunningMode' to Get-MpComputerStatus PowerShell cmdlet
Known Issues
No known issues
Security intelligence update version: 1.321.30.0
Released: July 28, 2020
Platform: 4.18.2007.8
Engine: 1.1.17300.4
Support phase: Security and Critical Updates
What's new
- Improved telemetry for BITS
- Improved Authenticode code signing certificate validation
Known Issues
No known issues
Security intelligence update version: 1.319.20.0
Released: June 22, 2020
Platform: 4.18.2006.10
Engine: 1.1.17200.2
Support phase: Security and Critical Updates
What's new
- Possibility to specify the location of the support logs
- Skipping aggressive catchup scan in Passive mode.
- Allow Defender to update on metered connections
- Fixed performance tuning when caching is disabled
- Fixed registry query
- Fixed scantime randomization in ADMX
Known Issues
No known issues
Security intelligence update version: 1.317.20.0
Released: May 26, 2020
Platform: 4.18.2005.4
Engine: 1.1.17100.2
Support phase: Technical upgrade Support (Only)
What's new
- Improved logging for scan events
- Improved user mode crash handling.
- Added event tracing for Tamper protection
- Fixed AMSI Sample submission
- Fixed AMSI Cloud blocking
- Fixed Security update install log
Known Issues
No known issues
Security intelligence update version: 1.315.12.0
Released: April 30, 2020
Platform: 4.18.2004.6
Engine: 1.1.17000.2
Support phase: Technical upgrade Support (Only)
What's new
- WDfilter improvements
- Add more actionable event data to ASR detection events
- Fixed version information in diagnostic data and WMI
- Fixed incorrect platform version in UI after platform update
- Dynamic URL intel for Fileless threat protection
- UEFI scan capability
- Extend logging for updates
Known Issues
No known issues
Security intelligence update version: 1.313.8.0
Released: March 24, 2020
Platform: 4.18.2003.8
Engine: 1.1.16900.4
Support phase: Technical upgrade Support (Only)
What's new
- CPU Throttling option added to MpCmdRun
- Improve diagnostic capability
- Reduce Security intelligence timeout (5min)
- Extend AMSI engine internal log capability
- Improve notification for process blocking
Known Issues
[Fixed] Microsoft Defender Antivirus is skipping files when running a scan.
Security intelligence update version: 1.311.4.0
Released: February 25, 2020
Platform/Client: -
Engine: 1.1.16800.2
Support phase: N/A
What's new
Known Issues
No known issues
Security intelligence update version: 1.309.32.0
Released: January 30, 2020
Platform/Client: 4.18.2001.10
Engine: 1.1.16700.2
Support phase: Technical upgrade Support (Only)
What's new
- Fixed BSOD on WS2016 with Exchange
- Support platform updates when TMP is redirected to network path
- Platform and engine versions are added to WDSI
- Extend Emergency signature update to passive mode
- Fix 4.18.1911.3 hang
Known Issues
[Fixed] devices utilizing modern standby mode may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
Important
This update is needed by RS1 devices running a lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
Important
This update is categorized as an 'update' due to its reboot requirement and will only be offered with a Windows Update
Security intelligence update version: 1.307.13.0
Released: December 7, 2019
Platform: 4.18.1911.3
Engine: 1.1.17000.7
Support phase: No support
What's new
- Fixed MpCmdRun tracing level
- Fixed WDFilter version info
- Improve notifications (PUA)
- Add MRT logs to support files
Known Issues
When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
Microsoft Defender Antivirus platform support
As stated above, platform and engine updates are provided on a monthly cadence. Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version:
- Security and Critical Updates servicing phase - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
- Technical Support (Only) phase - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
* Technical support will continue to be provided for upgrades from the Windows 10 release version (see Platform version included with Windows 10 releases) to the latest platform version.
During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
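To check where an endpoint stands against these phases, the added example below (not part of the original page) reads the installed versions with Get-MpComputerStatus and maps the platform version to the support phase listed for it in the monthly release list on this page. The `$releases` table and the `Get-ListedSupportPhase` helper are illustrative; the table reflects this page as of the August 27, 2020 release and must be extended as new platform versions ship.

```powershell
# Added example (not from the original page).
# Platform versions and support phases copied from the monthly list on this page.
$releases = [ordered]@{
    '4.18.2008.9'  = 'Security and Critical Updates'
    '4.18.2007.8'  = 'Security and Critical Updates'
    '4.18.2006.10' = 'Security and Critical Updates'
    '4.18.2005.4'  = 'Technical upgrade Support (Only)'
    '4.18.2004.6'  = 'Technical upgrade Support (Only)'
    '4.18.2003.8'  = 'Technical upgrade Support (Only)'
    '4.18.2001.10' = 'Technical upgrade Support (Only)'
    '4.18.1911.3'  = 'No support'
}

# Hypothetical helper: return the phase this page lists for a platform version.
function Get-ListedSupportPhase {
    param([Parameter(Mandatory)][string]$Platform)

    $newest = [version]@($releases.Keys)[0]
    if ($releases.Contains($Platform)) { return $releases[$Platform] }
    if ([version]$Platform -gt $newest) {
        return 'Newer than the list on this page'
    }
    # Versions between or below the listed releases are not classified here.
    return 'Not in the list on this page'
}

$status = Get-MpComputerStatus

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    Platform             = $status.AMProductVersion
    Engine               = $status.AMEngineVersion
    SecurityIntelligence = $status.AntivirusSignatureVersion
    SignatureAgeDays     = $status.AntivirusSignatureAge
    # AMRunningMode was added in platform 4.18.2008.9; it is empty on older
    # platforms. Passive-mode devices need the same updates.
    RunningMode          = $status.AMRunningMode
    ListedSupportPhase   = Get-ListedSupportPhase -Platform $status.AMProductVersion
}
```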
Platform version included with Windows 10 releases
The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
Windows 10 release | Platform version | Engine version | Support phase |
---|---|---|---|
1909 (19H2) | 4.18.1902.5 | 1.1.16700.3 | Technical upgrade Support (Only) |
1903 (19H1) | 4.18.1902.5 | 1.1.15600.4 | Technical upgrade Support (Only) |
1809 (RS5) | 4.18.1807.18075 | 1.1.15000.2 | Technical upgrade Support (Only) |
1803 (RS4) | 4.13.17134.1 | 1.1.14600.4 | Technical upgrade Support (Only) |
1709 (RS3) | 4.12.16299.15 | 1.1.14104.0 | Technical upgrade Support (Only) |
1703 (RS2) | 4.11.15603.2 | 1.1.13504.0 | Technical upgrade Support (Only) |
1607 (RS1) | 4.10.14393.3683 | 1.1.12805.0 | Technical upgrade Support (Only) |
Windows 10 release info: Windows lifecycle fact sheet.
In this section
Article | Description |
---|---|
Manage how protection updates are downloaded and applied | Protection updates can be delivered through a number of sources. |
Manage when protection updates should be downloaded and applied | You can schedule when protection updates should be downloaded. |
Manage updates for endpoints that are out of date | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on. |
Manage event-based forced updates | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
Manage updates for mobile devices and virtual machines (VMs) | You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. |