Understanding Windows Defender real-time protection

Real-time spyware protection alerts you when spyware and other potentially unwanted software attempts to install itself or run on your computer. Depending on the alert level, you can choose one of these actions to apply to the software:

  • Quarantine. Moves the software to another location on your computer, and then prevents it from running until you choose to restore it or remove it from your computer.

  • Remove. Permanently deletes the software from your computer.

  • Allow. Adds the software to the Windows Defender allowed list and allows it to run on your computer. Windows Defender will stop alerting you to risks that the software might pose to your privacy or your computer. Add software to the allowed list only if you trust the software and the software publisher.

You can choose the software and settings that you want Windows Defender to monitor, but we recommend that you use all of the real-time protection options, called agents. The following table explains each agent and why it's important.

Real-time protection agent

Downloaded files and attachments

Monitors files and programs that are designed to work with web browsers. These files can be downloaded, installed, or run by the browser itself. Spyware and other potentially unwanted software can be included with these files and installed without your knowledge.

Programs that run on your computer

Monitors when programs start and any operations they perform while running. Spyware and other potentially unwanted software can use vulnerabilities in programs that you have installed to run malicious or unwanted software without your knowledge. For example, spyware can run in the background when you start a program that you frequently use. Windows Defender monitors your programs and alerts you if suspicious activity is detected.

Need more help?