Real-time protection in Windows Defender - How does it work?

New Contributor

Hello Everyone,


Let me begin with a high-level presentation of our environment - our project develops an application for EU countries on top of a Microsoft infrastructure – Windows Server 2016, Active Directory, SQL Server 2016 and BizTalk Server 2016. More than 300 servers are protected with the default antimalware solution – Windows Defender.


Our application exchanges messages between countries, messages which often contain attachments. Since there is no particular integration with Windows Defender, we place all messages in a temporary folder for 10 minutes immediately after downloading and before starting to process them. This approach is supposed to give enough time to Windows Defender to scan the messages and the attachments.


The concerns we have are related to this 10 minutes ‘time-window’ we allow to Windows Defender for scanning the messages. Is it enough or we need to increase it? For how long should we wait in order to make sure the messages we take from that temporary folder are scanned – regardless of their number or their size? 


What does it mean 'Real-time protection' and how does it work? Do we really need to wait 10 minutes to make sure the files are scanned? Is it possible for a user or application to access/read/copy/run/use in any way an infected file before being scanned?


I should mention that our servers are not connected to internet but only rely on CLIENT features (offline signature database which is periodically updated). We do not use CLOUD threats intel as we cannot submit suspicious files to be analyzed due to GDPR constrains.


Thanks in advance for your clarifications.



2 Replies
The files should be scanned on write so 10 minutes is more than enough. I would like to dig a bit deeper on your GDPR constraints and cloud protection. You can have cloud protection but not submit samples. See the graphic here:

Just turning on cloud protection and not sample submission would get you better protection from the metadata check we do. The metadata list can be found here:

I would work with your privacy team on whether the information in the metadata check would still not allow you to use cloud protection without sample submission. You are missing out on a lot of the protection stack by not having cloud protection turned on.


Hello @Jake_Mowrer,


Thank you for your answer, but it doesn't reply to my question - 'Is it possible for a user or application to access/read/copy/run/use in any way an infected file before being scanned?'


What if we have millions of received files with sizes varying from few KB to 2GB? This could be a real life production scenario. I also worked for Microsoft and I would expect a clear answer - Yes, the real time protection will ensure all files are scanned before accessing them in any way. No user or application cannot read that file before being scanned. Or No, you should wait 1 hour to be 100% sure before starting processing the files. The purpose of my question is to shorten the processing of European cases with 10 minutes per segment - which should decrease the waiting time at European level with millions of minutes per day in total.


I understand your explanation about the benefits of cloud features but our servers do not communicate with Internet as being included in a secure enclosed network - this has been decided long ago by all participant countries after long debates and it is unlikely to be changed.


The only benefit I see for keeping the files on disk for 10 minutes is to hope that 'Detonation-Based ML Models' will analyze a suspicious file and detect it as virus in this short interval (see the attached screen). But since we do not submit samples, this benefit is only theoretical.


Thanks again but I still wait for clarifications on Real-time protection.