Keylogging malware protection built into Windows
Devices running Windows 11 and Windows 10 have built-in protection against malware and malicious software with Microsoft Defender Antivirus. Microsoft Defender Antivirus can detect and block keyloggers, screen scrapers, and other types of malware threats that can track, steal, or damage data on devices.
What is keylogger malware and screen scraper malware?
Keyloggers, also known as keystroke loggers, can record keystrokes, screenshots, and clipboard data. While screen scrapers are malicious programs that surreptitiously take screenshots and/or record videos of what is on your device’s screen, this kind of malware capability can exist independently without keylogging abilities. In both cases, stolen data is sent to an attacker over the network.
What is Microsoft Defender Antivirus and what does it do?
Microsoft Defender Antivirus comes with all versions of Windows 11 and Windows 10, and it is the next-generation protection component of Microsoft Defender for Endpoint, which offers additional capabilities such as endpoint detection and response and automated investigation and remediation. Microsoft Defender Antivirus uses machine learning, artificial intelligence, and the cloud-based Microsoft Intelligent Security Graph to block malware at first sight and in milliseconds. It also analyzes the behaviors and process trees of threats and can stop fileless malware and human-operated attacks.
How does protection work?
Let’s dive into more details about how we help prevent malware keyloggers from getting on the system in the first place. Protection from malware, which is turned on by default in Windows 11 and Windows 10, starts the moment you power on your device. Windows uses Secure Boot, Trusted Boot, and Measured Boot to verify the firmware, bootloader, kernel, drivers, and anti-malware software before loading them. These technologies help prevent malware from tampering with the boot sequence and compromising the device before Microsoft Defender Antivirus software starts up.
Once started, Microsoft Defender Antivirus takes advantage of multiple detection engines to block malware at first sight. The behavioral blocking and containment in Microsoft Defender for Endpoint can identify fileless malware and stop threats, even after threats start executing.
What if Microsoft Defender Antivirus isn’t used?
Users can consider enhancing security on unmanaged personal devices with Copilot+ PCs, which, as Secured-core PCs, bring advanced security to commercial and consumer devices. Secured-core PCs have hardware-backed security features enabled by default without any action required by the user, as well as Microsoft Security Baseline (a group of settings implemented by Microsoft based on security experts’ feedback). In addition to the layers of protection in Windows 11, Secured-core PCs provide advanced firmware safeguards and dynamic root-of-trust for measurement to help provide protection from chip to cloud. Learn more about the new Windows 11 security features.
What if malware is not detected and it tries to disable Microsoft Defender Antivirus?
Tamper protection, which is included in Windows 11 and Windows 10 and is on by default, safeguards some security settings—such as virus and threat protection—from being turned off or modified by malware, which helps protect against keyloggers.
What if a user who has admin rights on their machine turns off real-time scanning?
Microsoft Defender SmartScreen can block malware downloads before they get on the system even if Microsoft Defender Antivirus real-time scanning is turned off. Additional detection engines from Microsoft Defender for Endpoint can still find keyloggers.
How do I know there is keylogger protection when I’ve never seen a detection?
To show how Microsoft Defender for Endpoint detections and blocks, below we provide three keylogging examples in which two Windows 11 and Windows 10 built-in protections are disabled. These protections are:
Microsoft Defender Antivirus, which scans for malware on disk and in memory.
Microsoft Defender Smartscreen, which helps block malware downloads, including downloads by third-party browsers and email clients.
In the examples below, the screenshots show three different keyloggers being detected by Microsoft Defender for Endpoint.
Keylogger example 1
In addition to keylogging, this keylogger performed some exploration activities, also referred to as recon activities. Both activity types were detected.
Keylogger example 2
In this example, a keylogger spawned other files. Microsoft Defender for Endpoint was able to detect suspicious behavior.
Keylogger example 3
Here, the keylogger was prevented from running the first time. Even when the keylogger was explicitly allowed to run via the end user (with admin rights) approving the execution, the keylogger was unable to capture keystrokes and screenshots due to other prevention mechanisms.
The image below shows the detection of the three keyloggers we tested above. Although real-time protection was disabled earlier, Microsoft Defender Antivirus is shown as a detection source because enhanced detection and response (EDR) in Microsoft Defender for Endpoint can request that Microsoft Defender Antivirus scan files. Learn more at Endpoint detection and response in block mode.
Built-in protection in Windows 11 and Windows 10 helps protect against malware keyloggers by preventing them from getting into the system and running. For even better protection, consider using Microsoft Defender for Endpoint also. When both the built-in protection and Microsoft Defender for Endpoint are used together, you get better protection that’s coordinated across Microsoft products and services.
For more information, download the Windows 11 security guide PDF and see 13 reasons to use Microsoft Defender Antivirus with Microsoft Defender for Endpoint.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
Microsoft Tech Community – Latest Blogs –Read More