Windows Defender harnesses the power of machine learning, contributing to making Windows 10 Microsoft’s most secure client operating system and providing increased protection against security threats facing consumers and commercial enterprises today.

To reduce the number of both false negative and false positive detections our automation pipeline uses a variety of tools and technologies to process malware and unwanted software. These include:

  • Machine learning
  • Clustering
  • Cosmos
  • Azure and Cloud

The automation process

As seen in the diagram below, our automation typically takes a first pass at detecting malware as it is first encountered.

This adds another layer of protection to the manual work our security researchers do to write better generic detection signatures and clean-up routines, produce malware eradication strategies, and identify control points to take malware down.

Diagram showing that automation is the first part of malware analysis. Note: Stacked objects may run in parallel with each other

Figure 1: Automation is the first part of malware analysis. Note: Stacked objects may run in parallel with each other


Once a suspicious file is extracted and run within a virtual environment, or the features/attributes of a file are received, we use automation to sort the sample into one of the following classes:

  • Clean
  • Malware
  • Virus
  • Unwanted Software

Each of the classes above routes to a specific output. For example, once we identify a file as malware, we ship protection for it to our cloud engine. This also means customers who have the Microsoft Active Protection Service (MAPS) turned on, enjoy the benefits of being better protected against the latest threats.

Malware, viruses, and unwanted software can be mutated, packed, and obfuscated in a bid to evade detection. This requires targeted, and at times complex, detection signatures. Our automation can suggest or release the best type of generic signature for a certain file or cluster of files. The metrics attached to an automated signature are then automatically analyzed and various decisions can be made as to whether the signature is released or flagged for a researcher to manually analyze.

Classifying malware families

Our automation system can also classify a sample within the malware family to which it is most similar. If the system can’t confidently identify the real malware family, it assigns it a generic, synthetic family name. The prevalent family names for automation-classified malware are:

Individual threats within these families usually follow the format:

  • Trojan:Win32/<family name>

The graph below shows an example of our synthetic families and their respective encounters in the past six months.

Chart showing synthetic family encounters May – November 2015

Figure 2: Synthetic family encounters May – November 2015

Using automation helps us detect and remove malware and unwanted software faster and better protect our customers.

To ensure you are getting the latest protection, keep your real-time security software, such as Windows Defender for Windows 10 up-to-date.

Enable the Microsoft Active Protection Service (MAPS). MAPS uses cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender.


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.