How Reliable Are Default Windows Security Apps?

Matt Smith 13-03-2012

The first computer my family owned ran Windows 95. It had just arrived, and we purchased a computer with it so that we could have easy access to this new-fangled thing called “the Internet.” At the time, no one in my family had thought much about security, and neither had the developers of Windows. There was no firewall, no antivirus and no account control.


Today, Windows has all of these features built in or available for download. Microsoft isn’t exactly considered a trustworthy company by many of its customers, however, which raises the question – do these features actually work?

Windows Firewall

The first built-in firewall for Windows shipped with Windows XP in 2001 under the name “Internet Connection Firewall.” It was extremely basic and not turned on by default, which allowed a number of worms to easily spread between 2001 and 2004. Microsoft responded by revising the firewall and changing the name to Windows Firewall with the release of XP Service Pack 2.

It is hard to say how effective a firewall is because firewalls are difficult to test. Unlike security software, which can be reviewed by rounding up known viruses and throwing them against the software to see if they’re detected and quarantined, firewalls do not lend themselves to objective testing.

The main weakness with Windows Firewall is that the default configuration usually allows outbound connections even if they do not match a rule. You can change this, however, by opening Windows Firewall, going to Advanced Settings and then opening Windows Firewall Properties. Please note that if you choose to block outbound connections you will see many permission prompts and/or will experience connectivity issues with some software.
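The same setting can be checked from PowerShell. The script below is an added example, not part of the original article: it reports each firewall profile's default inbound and outbound action and flags the permissive outbound default described above. It assumes the NetSecurity module (Windows 8 / Server 2012 or later); the function name `Get-FirewallProfileAudit` is made up for this example.

```powershell
# Added example (not from the original article).
# Requires the NetSecurity module: Windows 8 / Server 2012 or later.

function Get-FirewallProfileAudit {
    # ActiveStore is the effective policy: local settings merged with Group Policy.
    foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $inbound  = [string]$fwProfile.DefaultInboundAction
        $outbound = [string]$fwProfile.DefaultOutboundAction

        # 'NotConfigured' means the built-in default applies:
        # block unmatched inbound, allow unmatched outbound.
        if ($inbound  -eq 'NotConfigured') { $inbound  = 'Block' }
        if ($outbound -eq 'NotConfigured') { $outbound = 'Allow' }

        $findings = @()
        if ([string]$fwProfile.Enabled -ne 'True')    { $findings += 'firewall disabled' }
        if ($inbound  -ne 'Block')                    { $findings += 'unmatched inbound allowed' }
        if ($outbound -ne 'Block')                    { $findings += 'unmatched outbound allowed' }
        if ([string]$fwProfile.LogBlocked -ne 'True') { $findings += 'dropped packets not logged' }

        [pscustomobject]@{
            Profile  = $fwProfile.Name
            Enabled  = [string]$fwProfile.Enabled
            Inbound  = $inbound
            Outbound = $outbound
            Findings = $findings -join '; '
        }
    }
}

Get-FirewallProfileAudit | Format-Table -AutoSize

# Equivalent of the GUI change described above (run from an elevated prompt).
# Expect connectivity problems until outbound allow rules exist:
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
# To revert to the default:
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
```

On a default installation every profile is expected to show "unmatched outbound allowed" in the Findings column.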


What is certain is that a firewall is better than no firewall. The task of a firewall is to block unauthorized access by outside sources and alert the user, providing the option to allow access if the source is recognized. All software firewalls, including Windows Firewall, do this without issue. This drastically reduces the chance that a worm will be able to infect your PC.

Microsoft Security Essentials

Strictly speaking, Microsoft still does not ship Windows with an anti-virus. However, they do now offer free software called Microsoft Security Essentials. You can download and install it on any version of Windows Vista or Windows 7 and the 32-bit edition of Windows XP.

Early tests of MSE were positive, but some more recent results have been disappointing. The AV-Test scorecard for November-December of 2011 gave it a score of 2 out of 6 for protection, and an August 2011 test from AV Comparatives only awarded the software a rating of “Advanced,” which is decent but not outstanding.


Some perspective must be applied to these results.

This means that your chances of being infected by malware are low. However, your chances are even lower if you use Avast! Free AntiVirus instead. Users who are not technically inclined may feel more trusting of the Microsoft branded product, but at this moment using Avast! is a better idea.

User Account Control

If you want the definition of irony, try this. User Account Control was added to provide much-needed protection against malware, which could easily escalate permissions and change critical system files without the user knowing. Users found the feature annoying and promptly turned it off, reversing the work Microsoft had put into making Windows more secure.


Annoying though it may be, UAC does its job. I always recommend that it be kept on and UAC prompts be carefully scrutinized. Denying access to an unusual permission request can mean the difference between a functioning computer and one that is infected or even disabled – at least until you reinstall Windows.


So, let’s return to the beginning. Are the default Windows security applications reliable?

In my opinion, yes. If you use all three of these features and keep Windows Update on (so that security exploits are patched) you will be protected from the vast majority of threats. No security solution is perfect, but the trio above is good enough.

Microsoft Security Essentials is the only weak link, but even it provides protection against over 90% of malware threats. That’s not a bad number even if it’s below most other products on the market.


Geeks who are particularly concerned with security will absolutely want to look at third-party security software, but for everyone else the simplicity of the default Windows security apps makes them an acceptable choice.


  1. VS Vishnu
    August 27, 2012 at 7:08 pm

    avast :-)

  2. Chris Hoffman
    March 14, 2012 at 12:01 am

    Microsoft Security Essentials is shipped by default in Windows 8 (it's now called "Windows Defender" though; it's replaced the old Defender.) So it can basically be considered a default app, at this point.

    • knuthf
      March 14, 2012 at 10:21 am

      Yes - but has Microsoft corrected anything?
      They ask you to download and install code so your "software" is kept "updated" - Why not do it correct at the first time?

      The bugs and the holes left open to exploit in Windows are still around and their "firewall" makes no attempt to correct the flaws.

      I have an alarm system in my house, but I still lock my door and close the windows. I believe my insurance company considers it gross ignorance to leave the door and windows open, so the security alarm can alert me should a burglary take place.
      It is strange to see that the same insurance company leaves their firewall open and uses software that contains known security flaws. Of course I do not trust MS, because I know. But they are clever to market their product and convince many that they are safe. Belief is one thing, knowledge something else.

  3. Matt
    March 13, 2012 at 11:23 pm

    90% of threats detected by MSE? I hate scores like that because they're totally misleading. There's no weighting applied that would allow you to judge the real risk from things in the wild. Most of the things MSE seems to miss are threats encountered regularly, compared to Eset NOD32 which didn't detect some, but those it missed don't even register on most AV companies' figures for being "in the wild".

    Drop MSE and install a free program like Avast, Avira, AVG etc. because MSE is just asking for trouble - I find it hard to believe it even scored 90% at any time given the number of MSE systems I've had to remove viruses or malware from.

    Windows firewall works ok... personally I prefer far more control rather than having it tucked away in the somewhat obscure interface that controls it within Control Panel.

    UAC does the job well. Unfortunately many legacy applications need permissions changing on folders after install to run properly, but rather than give proper advice about this, companies making the software say "Turn off UAC" and the user blindly does so. Very irresponsible of both parties.

  4. SuperJdynamite
    March 13, 2012 at 11:03 pm

    "It is hard to say how effective a firewall is because it’s difficult to test them.  Unlike security software, which can be reviewed by rounding up known viruses and throwing them against the software to see if they’re detected and quarantined, firewalls do not lend themselves to objective testing."

    You can objectively test a firewall rule by seeing if traffic goes through the firewall.

    Given its complexity objectively testing AV software is much harder than figuring out if a port is open on a firewall.

    • M.S. Smith
      March 15, 2012 at 5:05 am

      Yea, sure. And firewalls do that. But is the firewall open to exploit? Are there ways to bypass firewall X that won't work on firewall Z? Is the default configuration acceptable? I haven't run across the sort of information explained well.

      Now, it may be because all firewalls are quite good at what they do. But I wouldn't say that I'm sure of that.

  5. Bruce Epper
    March 13, 2012 at 10:48 pm

    Unless the machine in question is low usage (light surfing, email, etc) by someone who practices safe surfing, you really should have something better than MSE on it.  It is okay for keeping most crap off of a system, but is easily subverted by a careless user and it really isn't worth a damn at removing many infections.  There are better free and paid AV packages out there.

    • M.S. Smith
      March 15, 2012 at 5:01 am

      Oh, certainly. But like I said, it's far better than nothing and it does detect most threats.

  6. knuthf
    March 13, 2012 at 10:31 pm

    Microsoft has never implemented the full tcp/ip stack, they have for a purpose omitted things. Most important is that they use an archaic code with no security at all. Your Internet connections remain for others to use - they can "Connect()" and "Bind()" to tand your firewall and access control will do nothing to stop intruders.

    MS will never do anything as long as they cannot charge for it. Use an external router, block access to Microsoft and drop updates. Let proper software protect you, best drop Windows and install Ubuntu or Mint or Mac. These will set the connections closed - cerrada, with SO_DONTLINGER.

    • M.S. Smith
      March 15, 2012 at 5:10 am

      Oh, okay. Everyone can install Ubuntu. 
      But then they'd be running Ubuntu. Ouch.

      Look, no one should block access to Microsoft updates. I have heard of possible exploits that use that vector, but their existence doesn't matter. The protection of an up-to-date OS far outweighs the possibility of an exploit via the updater. 

      And manual updating isn't a good answer, either. I use my PC all the time and I certainly can't be asked to remember to go patch my computer manually. Do you think joe smoe is going to do it? That's why they're automatic!

  7. Jello
    March 13, 2012 at 4:51 pm

    In addition to all the microsoft security softwares I use a Netgear Hardware Fireware router ($89) connected to my cable modem, and I have never been

    • Bruce Epper
      March 13, 2012 at 10:44 pm

      That you know of?  Or do you have it configured to log events and are you reviewing those logs to make sure there has been no breach?  If it isn't logging and you aren't reviewing those logs, you are only guessing on your security status.

    • knuthf
      March 13, 2012 at 10:45 pm

      Do you enable blocking of Netbios? I use 2 routers, to implement two rings, one for those that need Netbios access on the Internet to do "Winlogon" and the rest. The router will reboot every night, to clear lingering sockets.

  8. Ant Knee
    March 13, 2012 at 4:39 pm

    Yeah, well my kids managed to get viruses on both our Windows 7 PCs. They had the firewall enabled and were using Security Essentials. Completely patched. 
    We use OpenDNS to block unwanted web sites... Not happy with Windows to say the least. 

    • northerngeek
      March 13, 2012 at 5:18 pm

      That's really unfortunate but at least the situation seems better than my friend's parents recently had:

      1. Tonnes of viruses on their PC, therefore they switched to Mac
      2. Happily continued their lives for a few months
      3. Found out that somehow their Mac had become infected with  significant malware (pop-ups, fake AV warnings etc.).
      4. Nobody knew how to remove it or which tools were available to fix it, their first visit to the Apple store didn't give much help and eventually they just decided to wipe the system clean.
      5. They now use Linux... but have to ring said friend every time a codec or plugin doesn't work.

      Atypical sure but I'm happy my PC is easy to fix.

      • knuthf
        March 13, 2012 at 10:43 pm

        What you say is what they want you to believe.
        Anything that runs on a Mac has to be installed, with sysadm privileges. Now to remove it is very simple - Go to "Application" in the start menu and DELETE it - and again you will be asked to present the sysadm password.

        If they have a standard Linux distribution, like Ubuntu, they can get and download the codec and application they want. This also includes free firewalls to avoid silly queries to LDAP service and whatever you want to protect. The codecs that will not install, are those with scripts that dumps the content of your drive on the net, and because the system separate use from abuse, those codecs will not install. 

        Bear in mind that most Internet servers run on Linux, and most of MacOS utilities are the same as for Linux. You can forget your skills in MS wizardry, MacOS and Linux requires knowledge and not prayers. So all codecs are available on Mac and Linux. 

        • Matt
          March 13, 2012 at 11:09 pm

          "Anything that runs on a Mac has to be installed"...

          Same with a PC.
          A Mac is not invulnerable at all. Sure, there are less things that target Mac, but that's because there are far less Mac users, so there isn't the interest in exploiting it. Windows users outnumber Mac users by about 500 to 1.
          Remove any application on a Mac just by deleting it? Not true. I've seen a few systems first hand where that simply would not remove the malware (it reinstalled on next boot WITHOUT asking for any password).

          The biggest flaw in the Mac system is the arrogance of the user base. If that arrogance could be removed, this would open up the ability to discuss issues openly and honestly, so they would be addressed quicker, and Mac users would be safer instead of carrying on in ignorance.

        • knuthf
          March 14, 2012 at 9:45 am

          NO - Microsoft invented something they called "ActiveX", and DCOM that allows scripts to run. The biggest flaw is the arrogance of the ignorant user community.
          These scripts "install" easy and the OS kernel debugger - NTVDM.EXE is used as command processor to grant them access to everything.

          Now MacOS is Unix 4.2 BSD. The file system will hide ALL files that are not accessible, and you need to change user - to gain access and modify files. You claim to have seen things that are impossible. Linux is based on the same. On these you can run a script in your browser, read just the same as the user can read and modify just the same. The kernel CANNOT be modified, you need to reboot and link in new code while loading. The user base of Unix/Linux may be ignorant, but there is no need for them to know. They leave their computers locked, they can delete files and modify content that can destroy their system. But they cannot install malware without giving a password. It is not "may not" it is physically impossible. Just post against this, it exhibits gross ignorance.

    • Robbie Pence
      March 13, 2012 at 10:35 pm

      Yeah, it's likely porn or stupid 'game' sites. It's not Windows' fault - it's nearly always the user. Macs CAN get viruses too, see the other comment.

      • knuthf
        March 14, 2012 at 10:07 am

        I agree in full, but it is possible to avoid or limit the damages, where Microsoft sees the commercial opportunity to sell you software. It's like selling you a car that will puncture every 100 miles so they can supply you with new, cheap tyres.
        The question for this discussion "How reliable are MS security application?" - and my answer is to turn around and ask you to consider those that made the OS: Why do you need it?
        So, a Mac cannot get a virus, but code at a porn site can execute in the browser, and read your files. When you leave, they cannot execute any more. They cannot be installed, they cannot live on, to modify the OS or be allowed to stay, they need to give the "sudo" command and give the password. Most Internet servers run this OS (Linux) and these servers have to be protected from hackers. Hackers started hacking Unix, so forget all claims of that these are not subject to attempts.

        The first is that these OS makes it default that connections are closed, taken down. Windows leaves them open for anyone to interject a package and keep on accessing your computer. But you have a choice, it is very cheap to change, Linux is free, and the code can be inspected.