Windows Security: The Complete Guide to Virus and Threat Protection

The Virus & threat protection page in the Windows Security app in Windows 11 is the central management screen for protecting your PC from various threats, including viruses, malware (malicious software), and ransomware.

In this article, we will use actual Windows 11 screens to explain in detail all the features available, from how to check the current status, to running scans, changing advanced settings, and importantly, how to protect against ransomware.

1. Current threats

This section is where you can check the current security status of your device and run scans.

Checking the status

The following information is displayed on the screen, allowing you to see the results of your most recent security check.

  • Threats currently detected on the device
  • The date and time of the last scan
  • The time it took to scan
  • Total number of files scanned
Virus and Threat Protection – Current Threats

Scan options

Windows Security usually scans your device automatically, but you can also manually perform a detailed scan. There are four scan modes available:

Virus and threat protection – Scan options

Quick scan

  • Overview: It scans only critical folders and locations within your system where threats are likely to hide.
    • Specifically, it scans all locations where malware might be registered to launch on the system, including registry keys and known Windows startup folders.
  • Usage: Ideal for routine checks, it takes less time than other scanning methods.
  • Remarks: If a further investigation is deemed necessary, you will be notified once it is complete.

Full scan

  • Overview: It thoroughly scans all files, folders (including those on the C drive) and running programs on your device.
    • Specifically, a full scan starts with a quick scan and then scans all mounted fixed disks and removable/network drives (if a full scan is configured).
  • Usage: This takes time, but is the best option if you want a complete check of your entire system.
    • A full scan can take several hours or even several days to complete, depending on the amount and type of data that needs to be scanned.

Custom scan

  • Overview: Scans only specific files and folders that you specify.
  • Usage: Use this when you want to check only the areas you are interested in, such as a USB memory stick or a specific download folder.

Microsoft Defender Antivirus (Offline Scan)

  • Overview: This scan is designed to tackle stubborn malware that is difficult to remove or prevent while Windows is running. It uses the latest definition files and performs an inspection in a safe state before Windows loads after a reboot.
  • Operation: The PC restarts into the Windows Recovery Environment and runs a "Quick Scan" that checks only important areas such as the system area. It takes approximately 15 minutes.
  • Note: Be sure to save your work before running it. When you click "Scan now", a notification such as "You will be signed out in 1 minute" appears, but the PC often actually reboots after a few seconds, so there is no time to spare.
  • If it does not restart: If nothing happens when you press the button (it doesn't reboot), the Windows Recovery Environment may be disabled. Run reagentc /info, and if the status is Disabled, run reagentc /enable to enable it and then try again.

[Column] Why is the number of files scanned different each time?

Have you ever wondered why the number of files scanned varies each time you run a scan with Windows Security (Microsoft Defender)? This isn't a bug; it's due to the specifications of quick scans and full scans, as well as the dynamic changes in your system.

For quick scans

Quick scans do not examine every file on your system. They focus on specific locations where malware is likely to hide, such as registry keys, startup folders, and areas related to system startup. During this process, the scan engine dynamically determines the target files based on the system's current operating state, processes in memory, and loaded drivers in real time. Therefore, it is normal for the number of files scanned to vary depending on when the scan is performed.

In the case of a full scan

According to the official website, a full scan begins with a quick scan, followed by an inspection of all mounted hard disks and removable drives. The operating system and background applications are constantly running on your PC, and browser caches and temporary files are continuously being created and deleted. External drives such as USB drives are also included in the scan if they are connected. A full scan can take several hours to complete, and because files change during this time, the amount and type of data to be scanned constantly changes, so the number of files is never the same from one scan to the next.

It's okay if the number of files scanned is different.

As such, the number of files targeted varies each time due to factors such as the system's operating status, the increase or decrease in temporary files, and differences in connected devices. There's no need to worry that the scan stopped midway just because there are fewer files than last time. What's important is that the scan completes without errors and displays the result "No current threats."

Allowed threats

This is a list of items that Windows Security has identified as "threats" but that you have intentionally "allowed."

  • No security measures are applied to items here.

Virus and threat protection – Allowed threats
  • Change settings: If you accidentally allow something, you can select it from this list and click the expanded "Don't allow" button to have it treated as a threat again.
Expanded state with an allowed threat selected

Protection history

At the bottom of the "Current Threats" section is a link called "Protection History." Clicking this link will take you to a log of the threats that Microsoft Defender Antivirus has detected and addressed, as well as the actions it has blocked.

Virus and threat protection - Protection history

The following information is recorded in chronological order:

  • Quarantined threats: These are files that have been detected as viruses or malware, blocked from execution, and quarantined (disabled).
  • Threats cleaned up (removed): Threats that were detected and automatically removed or neutralized.
  • Blocked operations: This is a record of changes made by apps that were blocked by features such as ransomware prevention (controlled folder access).

History details and operations

Clicking on each item in the list will open more detailed information, including the threat severity, the name of the detected threat (category), and which files were affected (file path).

If a safe file or app has been blocked by mistake (false positive), you can unblock it by selecting "Allow on device" or "Restore" from the "Actions" button on this details screen.

Filter function

If you have a large history, you can use the "Filter" at the top of the screen to narrow down the display to only "Quarantined Items" or "Critical" threats.

2. Virus and threat protection settings

Click Manage settings for more control over how Microsoft Defender Antivirus behaves.

Real-time protection

  • Function: It constantly monitors and blocks malware, viruses, and spyware from installing or running.
  • To turn it off: It can be temporarily turned off, but will automatically turn back on after a short time for safety reasons.
  • Note: While it's turned off, files that you open or download won't be scanned.
Virus and threat protection settings – Real-time protection

Dev Drive protection

  • Applies to: Users on Windows 11 who have set up a "Dev Drive" (not available on Windows 10).
  • Function: It offers a performance mode that allows you to maintain protection without slowing down your development work by deferring scanning until the operation is complete (asynchronous), rather than scanning immediately when a file operation occurs (synchronous).
Virus and threat protection settings – Dev Drive protection

Cloud-delivered protection

  • Function: It connects to Microsoft's cloud servers via the internet to retrieve the latest threat information in real time, improving the speed and accuracy of responses to new viruses.
Virus and threat protection settings – cloud-delivered protection

Automatic sample submission

  • Function: It works with cloud protection to automatically send a copy of any suspicious files found to Microsoft for analysis.
  • Privacy: If a file may contain personal information, the user is warned and asked to confirm before it is sent.
  • Manual submission: You can also use the "Manually Submit Samples" feature to submit specific files at your own discretion.
Virus and threat protection settings – Automatic sample submission

Tamper Protection

  • Function: Prevents malicious apps from disabling critical security features like real-time and cloud protection.
  • Permissions: This setting can only be changed by device administrators (through the Windows Security app). Changes from external apps are blocked.
  • Note: This does not affect the operation of third-party antivirus software.
Virus and threat protection settings – Tamper Protection

Controlled folder access

This feature is designed to prevent malicious applications (especially ransomware) from encrypting, modifying, or deleting important files such as documents and photos.

Virus and threat protection settings – Controlled folder access

Open the "Manage Controlled Folder Access" link and turn the switch "On" to block unauthorized applications from making changes to files in protected folders and notify you.

Ransomware Prevention – Controlled Folder Access

Main setting items

This feature has two main sub-settings of importance:

Ransomware Prevention – Controlled Folder Access
  1. Protected folders: By default, system folders such as "Documents," "Pictures," "Favorites," "Music," and "Videos" are protected. Users can add any folders they want to protect (e.g., a backup folder on the D drive) to this list.
  2. Allow an app through Controlled folder access: If a trusted app is blocked, you can add the app (executable file) here to allow it to write (whitelist it). *Apps deemed safe by Microsoft are often automatically allowed, but free software or older apps may require manual permission.
Controlled Folder Access – Allow an app through Controlled folder access

Block history

Clicking the "Block History" link will allow you to check the log of actions blocked by the "Controlled Folder Access" feature. (Note: The actual screen is the same as "Protection History," but it is used to check the block log related to folder access.)

Block History – Protection History

If the "Controlled Folder Access" feature is "On," even safe apps and games will be blocked as "write-protected" if they are not on the allowed list, which can cause problems such as "not being able to save" or "settings not being saved."

If you encounter such a problem, follow the steps below to check and fix it.

  1. Click "Block History" to open the history screen.
  2. If you see an item that says "Protected folder access blocked," click it to open the details.
  3. Check the name of the blocked app and the folder it tried to access.
  4. If it's a safe app you use, select "Allow on Device" from the "Actions" button.

When you do this, the app will automatically be added to the whitelist (allowed list), and you will be able to write normally from the next time.
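
The same block log can be read from the Defender event log. The following PowerShell is an added example, not part of the original article: it converts Controlled folder access events (ID 1123 = blocked, 1124 = audit mode) into rows showing which app was stopped at which path. The data field names 'Process Name' and 'Path', the function name, and the sample event are assumptions.

```powershell
# Added example, not from the original article.
# Converts Controlled folder access events into "app / target" rows.
function ConvertFrom-CfaEvent {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $ev = ([xml]$EventXml).Event
        # Flatten the named <Data> fields of the event into a hashtable.
        $data = @{}
        foreach ($d in $ev.EventData.Data) { $data[$d.Name] = $d.InnerText }
        [pscustomobject]@{
            Time   = [datetime]$ev.System.TimeCreated.SystemTime
            Mode   = if ($ev.System['EventID'].InnerText -eq '1123') { 'Blocked' } else { 'Audit' }
            App    = $data['Process Name']   # assumed field name
            Target = $data['Path']           # assumed field name
        }
    }
}

# Constructed sample event; real events carry more fields.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1123</EventID>
    <TimeCreated SystemTime="2025-01-15T09:30:00Z"/>
  </System>
  <EventData>
    <Data Name="Path">C:\Users\alice\Documents\save01.dat</Data>
    <Data Name="Process Name">C:\Games\Example\game.exe</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-CfaEvent | Format-List

# Live use on a real PC (elevated prompt):
#   Get-WinEvent -FilterHashtable @{
#       LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
#   } | ForEach-Object { $_.ToXml() } | ConvertFrom-CfaEvent |
#       Group-Object App | Sort-Object Count -Descending
#
# After reviewing an app, allow it by full path (placeholder path shown):
#   Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\TrustedApp.exe'
```

Grouping by app shows at a glance whether one trusted program accounts for the blocks or whether something unfamiliar is trying to write to protected folders.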

Warnings

"Controlled Folder Access" is a very powerful protection feature, but turning it on can sometimes cause problems (blocks), such as not being able to save in games you normally play or in editing software. In this case, you need to check the "Block History" and add the app in question to the "Allow" list.

Exclusions

Specific files, folders, and processes can be set to be excluded from virus scanning.

Items added to the exclusion list will not be checked by Microsoft Defender, which may make your device more vulnerable. Please carefully consider whether you really need to add them.

Virus and threat protection settings – Exclusions

Exclusion types

The following four categories can be specified:

  1. File: Exclude a specific file.
  2. Folder: Excludes the specified folder and all files within it.
  3. File type: Specify an extension (example: .docx, .pdf) to exclude all files of that type.
  4. Process: Exclude files that specific programs open or create from scanning. (This setting skips monitoring when a program reads or writes files, preventing slowdowns or errors.)
    • Setting values: Generally, it is the process name (e.g. text.exe) for the
    • Note: This setting alone does not exclude the program itself (exe) from scanning; it excludes the files opened by the program (process). If the program itself is being deleted, use the "File" exclusion above in conjunction with this.
    • Hint: If you want to exclude a process, it is recommended to specify the full path and file name (to prevent malware from using the same name).

Using wildcards and environment variables

File type and process exclusion settings allow for flexibility.

  • Wildcard * (asterisk): Represents any number of characters.
    • *st: Excludes all extensions that end in st, such as .test, .past, and .invest.
    • test.*: Excludes files named test regardless of extension, such as test.exe and test.txt.
    • C:\MyProcess\*: All processes in that folder are excluded.
  • Using environment variables: You can specify the system path using a variable.
    • Example: %ALLUSERSPROFILE%\CustomLogFiles\test.exe
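
Because every exclusion is a place Microsoft Defender no longer looks, it is worth reviewing the list for entries that cover more than intended. The following PowerShell is an added example, not part of the original article: it flags process exclusions given by name only (the case the hint above warns about), wildcard entries, and broad paths. The function name, the list of risky extensions, the folder patterns, and the sample values are assumptions.

```powershell
# Added example, not from the original article: flag Microsoft Defender
# exclusions that are broader than they need to be.
function Test-DefenderExclusion {
    param([string[]]$Path, [string[]]$Extension, [string[]]$Process)

    # Assumed list of executable/script types that rarely justify an exclusion.
    $riskyExt = 'exe', 'dll', 'scr', 'msi', 'ps1', 'bat', 'cmd', 'vbs', 'js'
    $report = {
        param($Type, $Value, $Issue)
        [pscustomobject]@{ Type = $Type; Value = $Value; Issue = $Issue }
    }

    foreach ($p in $Process) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        if ($full -notmatch '^(?:[A-Za-z]:\\|\\\\)') {
            & $report 'Process' $p 'Name only: any file with this name, in any folder, is covered'
        } elseif ($full -match '\\\*$') {
            & $report 'Process' $p 'Wildcard: every process in this folder is covered'
        }
    }
    foreach ($e in $Extension) {
        $ext = $e.TrimStart('.').ToLower()
        if ($ext -match '[*?]') {
            & $report 'Extension' $e 'Wildcard: matches several extensions at once'
        } elseif ($riskyExt -contains $ext) {
            & $report 'Extension' $e 'Executable or script type is never scanned'
        }
    }
    foreach ($f in $Path) {
        $full = [Environment]::ExpandEnvironmentVariables($f).TrimEnd('\')
        if ($full -match '^[A-Za-z]:$') {
            & $report 'Path' $f 'Entire drive is excluded'
        } elseif ($full -match '\\(Downloads|Temp|AppData)(\\|$)') {
            & $report 'Path' $f 'User-writable folder where downloaded files land'
        }
    }
}

# Constructed sample lists. On a real PC, run elevated and pass the live values:
#   $mp = Get-MpPreference
#   Test-DefenderExclusion -Path $mp.ExclusionPath -Extension $mp.ExclusionExtension -Process $mp.ExclusionProcess
Test-DefenderExclusion `
    -Process   'test.exe', 'C:\MyProcess\*', '%ALLUSERSPROFILE%\CustomLogFiles\test.exe' `
    -Extension '.docx', '*st', 'ps1' `
    -Path      'D:\', 'C:\Users\Public\Downloads', 'D:\Backup' |
    Format-Table -AutoSize -Wrap
```

Entries that pass without a finding, such as a process given by full path, are still worth removing once the problem that prompted them is gone.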

4. Update Virus and Threat Protection

Manage whether your security intelligence (definition files) is up to date.

Virus and Threat Protection Settings – Virus and Threat Protection Updates
  • Automatic updates: Typically, the latest data is downloaded automatically through Windows Update.
  • Manual update: You can get the latest threat information right away by opening the "Protection Updates" link and clicking the "Check for Updates" button under "Security Intelligence."
Virus and threat protection updates – Protection updates

5. Ransomware protection

This function protects against ransomware attacks, which encrypt data on a device and hold it hostage, and provides recovery support in case the worst happens.

Virus and threat protection settings – Ransomware protection

Clicking the "Manage ransomware protection" link displays the "Controlled Folder Access" screen.

Ransomware data recovery

  • Prerequisite: This item is displayed only if you have completed the setup (sign-in) for Microsoft OneDrive. *If you have just installed and configured OneDrive, you may need to close and reopen Windows Security before the item is displayed.
  • Function: This is a shortcut to OneDrive's "Version History (File Restore)" feature. By syncing files on your PC to OneDrive, you can ensure the safety of your data in case of an emergency.
  • Restore: Even if you are a victim of ransomware and your files are encrypted, it guides you through the process of rewinding your OneDrive data to the "date and time (state) before the infection." This increases the chances of recovering your data without paying the ransom. (Note: Only files synced to OneDrive are protected and restored.)
Ransomware Prevention – Ransomware Data Recovery

View files

  • Function: Clicking this will open the linked OneDrive folder (or the OneDrive web page).
  • Role: If you suspect you have been affected by ransomware, you can use it to visually check whether your cloud files are safe. It is also used as an access point for OneDrive's powerful feature, "Restore your OneDrive," which requires you to use the web version.