The NoVirusThanks software are good choices, SysHardener should have a restore point or use of imaging software in case a rule breaks something in the system (happened to me). Same if one is using built-in Group Policy if you have paid Windows versions.
If one is patient and committed to keeping Defender enabled, I would maybe wait for developer Andy Ful to introduce his Casual User Protection for easier and more understandable security policies and restrictions. This, like many other software (VoodooShield, OSA, ConfigureDefender)) potentially has far less impact on one's system performance, much less bloat, and Defender's security is still enhanced.
Coincidentally I got an alert that CFA blocked cleanmgr.exe after installing Windows updates but cleanmgr still executed successfully without whitelisting. My view is that CFA alerts are not always accurate and can be sometimes be ignored. CFA does not kill or stop the work of applications. It...
spyshelter, crystal security, immunet, or run mcafee stinger one time and it'll give you mcafee Real Protect (which has real-time monitoring). and while it is older and not as relevant, you can still use winpatrol, and it'll alert you to any start-up additions or new services etc.
webroot can be run with other antivirus', but it no longer can be run with window's defender, the security centre turns defender off now with webroot installed. you can only turn on the periodic scanning. they run together on win 7 (not 10)
I've been using WD -- enhanced by Hard Configurator -- for real-time, and Hitman Pro free as the 2nd-opinion scan. If H_C didn't exist, I'd use NVT OSA as the real-time companion to WD. (I switched to H_C when I was troubleshooting a connectivity problem and decided to keep it instead of reinstalling OSA.)