How to enable Windows 10's Block at First Sight protection in Windows Defender
Windows Defender in Windows 10 may not be the best security solution, but it will keep your system safe from threats if you don’t have a third-party anti-malware program installed. Microsoft made several improvements to it in the Anniversary Update, and as a result it's now much more useful.
Newly introduced features, available from Build 1607, include Limited Periodic Scanning, which can intermittently scan your system and notify you of any threats (even if you are using another anti-malware program and have Windows Defender turned off), and Block at First Sight protection.
Block at First Sight uses heuristics, machine learning, and automated analysis to determine whether a program you want to run is genuine, fake, or malicious, checking it against Microsoft cloud protection. If it’s found to be a threat, Windows Defender will block it.
This function should be enabled by default. It may not be, however, as Windows Defender gets turned off automatically when you run a third-party security product.
To check the status, go to Settings > Update & security and select Windows Defender. If you’re not using another anti-virus program, make sure Windows Defender is enabled here. Turn on Cloud-based Protection, and Automatic Sample submission.
Block at First Sight should now be running, but to check, open the Group Policy Management Console by clicking Start, typing gpedit.msc, and pressing Enter.
Click on Administrative Templates under Computer Configuration on the left, and open Windows Components on the right.
Scroll down to Windows Defender, and double-click it, then open MAPS.
Double-click Join Microsoft MAPS (which stands for Microsoft Active Protection Service) and make sure it’s enabled.
Open the Send file samples when further analysis is required setting and make sure it's Enabled. Set it to 1 (Send safe samples) or 3 (Send all samples).
Go back to the Windows Defender entry and open Real-Time Protection. Double-click Scan all downloaded files and attachments and make sure this is set to Enabled. Click OK. Double-click Turn off real-time protection and make sure it is set to Disabled. Click OK.
You can disable the feature at any time by going into the Group Policy Management Console, opening Windows Components > Windows Defender > MAPS and double-clicking Configure the ‘Block at First Sight’ feature. Set the option to Disabled.
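The same checklist can be verified from PowerShell instead of clicking through each policy. This is an added example, not part of the original article: it assumes the Defender PowerShell module's Get-MpPreference cmdlet and its property names, and the function name Test-BlockAtFirstSight is hypothetical.

```powershell
# Added example: audit the settings Block at First Sight depends on.
function Test-BlockAtFirstSight {
    param(
        # Any object exposing the property names that Get-MpPreference returns.
        [Parameter(Mandatory)] $Preference
    )

    # Property name -> values that satisfy the checklist in the article.
    $expected = [ordered]@{
        MAPSReporting             = 1, 2     # Join Microsoft MAPS (basic or advanced)
        SubmitSamplesConsent      = 1, 3     # Send safe samples / Send all samples
        DisableIOAVProtection     = $false   # Scan all downloaded files and attachments
        DisableRealtimeMonitoring = $false   # Turn off real-time protection = Disabled
        DisableBlockAtFirstSeen   = $false   # Configure the 'Block at First Sight' feature
    }

    foreach ($name in $expected.Keys) {
        $prop = $Preference.PSObject.Properties[$name]
        if (-not $prop) {
            # A missing property must not be mistaken for a passing check.
            "${name} is not reported by this Defender version"
        } elseif ($prop.Value -notin $expected[$name]) {
            "${name} = $($prop.Value) (expected $($expected[$name] -join ' or '))"
        }
    }
}

# Constructed sample: sample submission set to "never send" (2) and the
# Block at First Sight policy disabled, so two findings are reported.
$sample = [pscustomobject]@{
    MAPSReporting = 2; SubmitSamplesConsent = 2; DisableIOAVProtection = $false
    DisableRealtimeMonitoring = $false; DisableBlockAtFirstSeen = $true
}
Test-BlockAtFirstSight -Preference $sample

# On a live machine, check the effective settings instead.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $issues = @(Test-BlockAtFirstSight -Preference (Get-MpPreference))
    if ($issues.Count -eq 0) {
        'All prerequisites for Block at First Sight are met'
    } else {
        $issues
    }
}
```

Get-MpPreference reports the effective configuration, so a value enforced by Group Policy shows up here even when the Settings app displays something else.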
Block at First Sight does provide a useful line of defense against malicious software, but it may increase the time it takes to download and run a program. Microsoft explains:
Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.