Windows Defender is the Windows' built-in antivirus software, giving it a place in most information systems. But still, its signature format is yet undocumented.This talk tries to rectify this situation. This knowledge will then be used to demonstrate signature evasion for auditor's common tooling.Looking deeper, it will also highlight how Attack Surface Reduction, a technology used to prevent common offending patterns, actually works. It will benefit both Blue teams - to keep an eye on its blind spots - and Red teams - with a bypassing example.Finally, the format understanding provides a new possibility: updates diffing - a way to track the current interests of Windows Defender team.