First the good news. Microsoft today released a signature update for Windows Defender, the anti-malware software that's built in to Windows, to enable it to both detect and remove the Superfish malware that Lenovo installed on some systems.

Defender's removal process seems to be quite robust, both uninstalling the software and removing the dangerous certificate that Superfish installs. However, it doesn't appear to clean any contaminated installs of Firefox or Thunderbird; for that, you'll want to check out our manual removal instructions.





Now the bad news. While Windows Defender is supplied as part of Windows and works well enough, Microsoft gave it some rather strange behavior as a concession to third-party anti-malware vendors. If a third-party anti-malware product is installed, Windows Defender will automatically disable itself. Many Lenovo systems include trial versions of anti-malware software; during the duration of these trials, Windows Defender will be inactive.

If that trial is converted to an annual subscription, Windows Defender will remain inactive. Windows Defender will only offer to protect a computer after the machine is unprotected for a couple of weeks. Microsoft implemented this behavior in order to keep OEMs happy; the companies receive kickbacks from third-party anti-malware apps when system buyers upgrade their trials, and if Defender was always active, nobody would bother paying for anything else, thereby cutting off an OEM revenue stream.

The unfortunate consequence of this is that some—perhaps even many—of the people who need to be protected from Superfish will not (immediately) be able to take advantage of Windows Defender's protection. It's just another way that OEM preinstalled junkware hurts Windows users.