Is Windows Defender actually protecting you? A free script to find out in seconds
One of the most common Cyber Essentials gaps we see has nothing to do with complicated technology — it's that antivirus protection has quietly stopped working, and nobody noticed.
At Prestige Cyber Guard, we work with UK businesses every day to help them achieve and maintain Cyber Essentials certification. Malware protection is one of the five core controls the scheme checks — and it catches more organisations out than you'd expect. Not because they don't have antivirus software, but because they assume it's working when it isn't.
This post gives you a free PowerShell script you can run right now to find out.
What Cyber Essentials requires for malware protection
Cyber Essentials is the UK government-backed certification that demonstrates your organisation has the fundamental controls in place to defend against the most common cyber threats. When it comes to malware protection, the scheme has four clear expectations:
You must have active, licensed antivirus or endpoint protection software installed
Real-time (on-access) scanning must be enabled — not just scheduled scans
Virus definitions must be kept up to date, ideally updated daily
Malware scans should be run regularly across your devices
These sound straightforward, but in practice real-time protection gets switched off (by a user, by a script, or because a third-party product has registered itself as the active antivirus and put Defender into passive mode), definitions fall behind on machines that rarely connect to the internet, and on older or neglected machines Defender can stop running altogether without any visible warning to the user.
Why this matters more than you might think
If your antivirus definitions are several days out of date, your machine won't recognise the latest malware variants. New threats emerge constantly — ransomware, trojans, credential stealers — and an antivirus that doesn't know what it's looking for offers very little protection.
If real-time scanning is off, files can be downloaded, opened, and executed without ever being checked. You might as well have no antivirus at all.
And if you're heading into a Cyber Essentials assessment with these gaps, they will be found — and you'll need to remediate before you can certify.
The script: check your malware protection in under a minute
We've written a short PowerShell script that checks four things automatically (that the Defender service is running, that real-time protection is on, how old the virus definitions are, and whether any active threats are present) and tells you clearly whether you pass or fail each one.
How to run it (no technical experience needed)
Press the Windows key on your keyboard
Type PowerShell
Right-click on "Windows PowerShell" in the results
Click "Run as administrator"
Click "Yes" if a blue permission box appears
In the window that opens, paste the following line and press Enter:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
This only relaxes the policy for the PowerShell window you have open; it reverts as soon as you close that window. Then paste the full script below and press Enter
The script
Write-Host ""
Write-Host "=====================================================" -ForegroundColor Cyan
Write-Host " CYBER ESSENTIALS - MALWARE PROTECTION CHECK" -ForegroundColor Cyan
Write-Host "=====================================================" -ForegroundColor Cyan
Write-Host ""
Write-Host "CHECK 1: Windows Defender service..." -ForegroundColor White
# WinDefend is the Defender antimalware engine service. On Windows 10/11 it is protected,
# so a stopped service normally means Defender was replaced or deliberately disabled.
$defenderService = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($defenderService -and $defenderService.Status -eq "Running") {
    Write-Host " [PASS] Windows Defender service is running" -ForegroundColor Green
} else {
    Write-Host " [FAIL] Windows Defender service is NOT running" -ForegroundColor Red
    Write-Host " Action: Open Windows Security and enable Virus & threat protection" -ForegroundColor Yellow
}
Write-Host ""
Write-Host "CHECK 2: Real-time protection..." -ForegroundColor White
try {
    # Get-MpComputerStatus is in the built-in Defender module. With a third-party antivirus
    # installed it usually still works, but Defender reports itself as passive or not running;
    # AMRunningMode is shown on failure so that case is not mistaken for an unprotected machine.
    $mpStatus = Get-MpComputerStatus -ErrorAction Stop
    if ($mpStatus.RealTimeProtectionEnabled) {
        Write-Host " [PASS] Real-time protection is ON" -ForegroundColor Green
    } else {
        Write-Host " [FAIL] Real-time protection is OFF (Defender mode: $($mpStatus.AMRunningMode))" -ForegroundColor Red
        Write-Host " Action: Go to Windows Security > Virus & threat protection > Turn on" -ForegroundColor Yellow
        Write-Host " If another antivirus is installed, confirm real-time protection in that product instead" -ForegroundColor Yellow
    }
    Write-Host ""
    Write-Host "CHECK 3: Virus definition age..." -ForegroundColor White
    $lastUpdated = $mpStatus.AntivirusSignatureLastUpdated
    if (-not $lastUpdated) {
        # No update has ever been recorded, so there is no date to measure from
        Write-Host " [FAIL] No definition update has been recorded on this machine" -ForegroundColor Red
        Write-Host " Action: Run Windows Update immediately" -ForegroundColor Red
    } else {
        $defAge = (Get-Date) - $lastUpdated
        $defDate = $lastUpdated.ToString("dd MMM yyyy HH:mm")
        if ($defAge.TotalHours -le 24) {
            Write-Host " [PASS] Definitions updated $([math]::Round($defAge.TotalHours,1)) hours ago ($defDate)" -ForegroundColor Green
        } elseif ($defAge.TotalDays -le 3) {
            Write-Host " [WARN] Definitions are $([math]::Round($defAge.TotalDays,1)) days old ($defDate)" -ForegroundColor Yellow
            Write-Host " Action: Run Windows Update or open Windows Security > Update" -ForegroundColor Yellow
        } else {
            Write-Host " [FAIL] Definitions are $([math]::Round($defAge.TotalDays,0)) days old ($defDate)" -ForegroundColor Red
            Write-Host " Action: Run Windows Update immediately" -ForegroundColor Red
        }
    }
    Write-Host ""
    Write-Host "CHECK 4: Active threats..." -ForegroundColor White
    # Get-MpThreat lists threats Defender has detected; IsActive is true for any that are
    # still present and not yet quarantined or removed. (Get-MpComputerStatus carries no
    # threat list, so it cannot be used for this check.)
    $activeThreats = @(Get-MpThreat -ErrorAction SilentlyContinue | Where-Object { $_.IsActive })
    if ($activeThreats.Count -eq 0) {
        Write-Host " [PASS] No active threats detected" -ForegroundColor Green
    } else {
        Write-Host " [FAIL] $($activeThreats.Count) active threat(s) found on this machine!" -ForegroundColor Red
        $activeThreats | ForEach-Object { Write-Host "   - $($_.ThreatName)" -ForegroundColor Red }
        Write-Host " Action: Open Windows Security and run a Full Scan immediately" -ForegroundColor Red
    }
} catch {
    Write-Host " [ERROR] Could not retrieve Windows Defender status." -ForegroundColor Red
    Write-Host " Defender may be disabled or a third-party AV is installed." -ForegroundColor Yellow
    Write-Host " If using a different antivirus, check it manually." -ForegroundColor Yellow
}
Write-Host ""
Write-Host " Need help? Contact Prestige Cyber Guard:" -ForegroundColor White
Write-Host " hello@prestigecyberguard.co.uk" -ForegroundColor Cyan
Write-Host ""
What the results mean
[PASS] — that check is good. No action needed.
[WARN] — something needs attention before your next assessment. It won't necessarily stop you certifying right now, but it's a risk you should address soon.
[FAIL] — this is a Cyber Essentials gap. You'll need to fix it before you can achieve or renew certification. Each fail comes with a plain-English action so you know exactly what to do.
[ERROR] — the script couldn't read Defender's status at all. This usually means Defender has been replaced by a third-party antivirus (such as Sophos, ESET, or Norton) or its PowerShell module is unavailable. That's fine: Cyber Essentials accepts any licensed antivirus, but you'll need to check those four requirements manually within your chosen product. Be aware that on most machines with a third-party antivirus the status call still works; Defender simply reports itself as off ("Passive Mode" or "Not running"), so check 2 shows FAIL even though the other product is doing the protecting. In that case confirm real-time protection and definition updates in that product's own console rather than in Windows Security.
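The script above only reads Defender's own view of the machine. Two things it leaves to a manual check are which antivirus product Windows itself regards as active (the situation behind the ERROR and passive-mode results) and whether scans are actually being run, the fourth requirement listed earlier. The PowerShell below is an added example written for this post, not part of the script above or of any vendor's tooling; run it the same way, in an administrator window. It assumes the Windows Security Center namespace root/SecurityCenter2 (present on Windows 10/11, not on Windows Server), decodes the productState value with the widely shared but undocumented convention, and treats a scan within the last 7 days as recent, which is this example's own threshold rather than a figure from the scheme. The function names Get-RegisteredAntivirus and Get-DefenderScanStatus are this example's.

```powershell
# Added example: which antivirus Windows treats as active, and whether scans run recently.

function Get-RegisteredAntivirus {
    # Windows Security Center (client editions only; the namespace is absent on Windows
    # Server) records every antivirus product that has registered with it, Defender and
    # third-party products alike. productState is an undocumented packed value; the
    # decoding below (middle byte starting with 1 = enabled, low byte 00 = definitions
    # current) is the convention in wide use, not an official specification, so treat
    # it as a hint and confirm inside the product's own console.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Product   = $_.displayName
                Enabled   = ($hex.Substring(2, 1) -eq '1')
                UpToDate  = ($hex.Substring(4, 2) -eq '00')
                StateHex  = "0x$hex"
                Timestamp = $_.timestamp
            }
        }
}

function Get-DefenderScanStatus {
    # QuickScanAge / FullScanAge are whole days since the last scan of that type finished.
    # If no scan has ever completed Defender reports a very large number, which simply
    # fails the threshold. 7 days is this example's threshold, not a scheme figure.
    param([int]$MaxScanAgeDays = 7)

    $s = Get-MpComputerStatus -ErrorAction Stop
    $quickAge = [int64]$s.QuickScanAge
    $fullAge  = [int64]$s.FullScanAge
    [pscustomobject]@{
        RunningMode      = $s.AMRunningMode     # 'Normal' when Defender is the active antivirus
        AntivirusEnabled = $s.AntivirusEnabled
        TamperProtected  = $s.IsTamperProtected  # ON blocks scripts/malware turning protection off
        LastQuickScan    = $s.QuickScanEndTime
        QuickScanAgeDays = $quickAge
        LastFullScan     = $s.FullScanEndTime
        FullScanAgeDays  = $fullAge
        ScannedRecently  = (($quickAge -le $MaxScanAgeDays) -or ($fullAge -le $MaxScanAgeDays))
    }
}

Write-Host ""
Write-Host "Registered antivirus products (Windows Security Center):" -ForegroundColor White
try {
    $products = @(Get-RegisteredAntivirus)
    if ($products.Count -eq 0) {
        Write-Host " [FAIL] No antivirus product is registered with Windows Security Center" -ForegroundColor Red
    }
    foreach ($p in $products) {
        $ok     = $p.Enabled -and $p.UpToDate
        $tag    = if ($ok) { '[PASS]' } else { '[FAIL]' }
        $colour = if ($ok) { 'Green' } else { 'Red' }
        Write-Host " $tag $($p.Product): enabled=$($p.Enabled), up to date=$($p.UpToDate) (state $($p.StateHex))" -ForegroundColor $colour
    }
} catch {
    # Expected on Windows Server, where Security Center does not exist
    Write-Host " [ERROR] Security Center query failed: $($_.Exception.Message)" -ForegroundColor Yellow
}

Write-Host ""
Write-Host "Defender scan history:" -ForegroundColor White
try {
    $scan = Get-DefenderScanStatus
    if ($scan.RunningMode -ne 'Normal') {
        Write-Host " [WARN] Defender is in '$($scan.RunningMode)' mode; its scan history does not reflect the product actually protecting this machine" -ForegroundColor Yellow
    }
    $scanTag    = if ($scan.ScannedRecently) { '[PASS]' } else { '[FAIL]' }
    $scanColour = if ($scan.ScannedRecently) { 'Green' } else { 'Red' }
    Write-Host " $scanTag Last quick scan: $($scan.LastQuickScan) ($($scan.QuickScanAgeDays) days ago); last full scan: $($scan.LastFullScan) ($($scan.FullScanAgeDays) days ago)" -ForegroundColor $scanColour
    $tpColour = if ($scan.TamperProtected) { 'Green' } else { 'Yellow' }
    Write-Host " Tamper Protection: $($scan.TamperProtected) (ON stops local scripts or malware switching real-time protection off)" -ForegroundColor $tpColour
} catch {
    Write-Host " [ERROR] Could not read Defender scan status: $($_.Exception.Message)" -ForegroundColor Yellow
}
```

On a machine running Sophos, ESET or Norton you should see that product listed as enabled alongside a Defender entry that is not, and the scan-history section will warn that Defender is passive; the scan evidence then has to come from the third-party console. If Tamper Protection shows False, turning it on in Windows Security closes the most common way real-time protection gets switched off without anyone noticing.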
This is part of a bigger picture
Malware protection is just one of the five Cyber Essentials controls. The others are:
Firewalls — protecting the boundary of your network and devices
Secure configuration — removing unnecessary software and default settings that create risk
User access control — making sure people only have the access they actually need (we covered this in our previous blog post)
Security update management — keeping software and operating systems patched
Each of these can be checked with practical, repeatable steps — and we'll be covering them all in this series.
Ready to work towards certification?
Running a script is a great start, but achieving Cyber Essentials certification means evidencing all five controls across your whole organisation — not just one machine. That's where we come in.
At Prestige Cyber Guard, our Cyber Essentials Support service takes you from initial assessment through to certification. We'll identify any gaps, help you fix them, and support you through the submission process — so you can certify with confidence and without the stress.
Get in touch today: 📧 hello@prestigecyberguard.co.uk 🌐 www.prestigecyberguard.co.uk
Cyber Essentials is a UK government-backed scheme managed by IASME on behalf of the National Cyber Security Centre (NCSC). Holding certification demonstrates that your organisation has the fundamental controls in place to protect against the most common cyber threats.