It always seemed strange to me that Microsoft let third-party software companies corner the market for protecting Windows from malware. I was personally excited when Microsoft acquired Sybari Software’s antivirus products back in 2005 and rebranded them as the Microsoft Forefront Security family of products. Then around 2012 Microsoft began releasing a series of announcements indicating they were ending further development of several Forefront products, including Forefront Threat Management Gateway (which was a rebranding of Microsoft ISA Server, which was itself a reworking of the earlier Microsoft Proxy Server) and Microsoft Unified Access Gateway (which was based on a product originally acquired from Whale Communications). The only Forefront product that’s apparently still being developed is Forefront Identity Manager, but even that hasn’t seen a refresh since 2012. Then the antivirus products Forefront Endpoint Protection and Forefront Client Security were moved from the Forefront family to Microsoft’s System Center family of products and renamed System Center Endpoint Protection, which is still around, although now it’s under the System Center Configuration Manager umbrella. Then, as if all that naming confusion wasn’t enough, Microsoft did an even better job of confusing the end-user market with its Windows Defender anti-malware product, which was initially released in 2006, then superseded in 2009 by Microsoft Security Essentials, then integrated into Windows 8 as Windows Defender, and then renamed Windows Defender Security Center in Windows 10 Creators Update. I’ve actually lost track of whether or not Windows Defender Security Center now uses the same anti-malware engine as System Center Endpoint Protection. But who cares, as long as it does its job, right?
Well, that’s the question we need to ask, and to try and answer it I’ve invited Raymond Comvalius to share some thoughts on the subject. Raymond is an independent IT architect and trainer from the Netherlands. He has been active in the IT industry for more than 30 years, of which 24-plus years have been focused on Microsoft infrastructure products for both government and financial institutes. Raymond is the author of multiple books on Windows and security. As an architect, he supports organizations in IT strategy and realization of their next-generation workplace infrastructure. Raymond is actively involved with the national and international IT community and was a speaker at multiple international Microsoft events. You can find out more about Raymond on his website or by following him on Twitter. Let’s hear from Raymond now.
Windows Defender in Windows 10 Fall Creators Update
Until not so long ago, Microsoft didn’t really show much interest in making Windows Defender a competitive offering that could technically hold its own against products from other vendors. The only valid reason for a company to choose Windows Defender AV was the fact that it is built into Windows and integrates seamlessly with its update mechanisms. Tests of system security products showed time and time again that the product was no better than mediocre at detecting and preventing malware infections. It always bugged me as a Windows expert that Microsoft didn’t seem to bother to use its knowledge of the platform to come up with the best protection possible and expand the feature set in a way that only Microsoft can do on its own platform.
This all seems to have changed over the past year. Finally, Microsoft showed some care about the malware detection tests and optimized Windows Defender AV to also detect the samples that other vendors are detecting during those tests. At the same time, Defender seems to be becoming a brand for protecting Windows, as Windows Defender Advanced Threat Protection (WDATP) hit the market. WDATP is the cloud-based intrusion detection platform that Microsoft offers as part of the Windows E5 offering. The platform uses machine learning algorithms to detect behavior caused by hacks and malware. Especially when a hack is not based on malware, this is a brilliant way to detect that things are going wrong.
With the release of Windows 10 Fall Creators Update, or version 1709, Microsoft seems to really have gotten on target when it comes to making Windows Defender a serious contender against its competitors. The timing appears extremely well-staged, because Kaspersky, one of the market leaders, is in a heavy storm of accusations that its software has been hacked and misused by state intelligence organizations, and more companies are looking at replacing Windows 7 with Windows 10.
To me, it was quite a surprise to find that probably the biggest change in Windows 10 is a suite of Host Intrusion Prevention features that are tightly related to Windows Defender. These new features come under the Windows Defender label and provide new capabilities to prevent havoc from happening on your systems. The Host Intrusion Prevention suite is named Windows Defender Exploit Guard and it consists of the following features:
- Windows Defender Exploit Protection
- Windows Defender Attack Surface Reduction
- Windows Defender Network Protection
- Windows Defender Controlled Folder Access
One surprising fact is that most Exploit Guard features don’t come enabled by default. Even though that appears to contradict the “Secure by Default” slogan, the main reason appears to be compatibility. We all remember what happened the last time Microsoft forced a new security feature on by default, when it introduced User Account Control with Windows Vista.
Another surprise is that the whole Windows Defender Exploit Guard suite is available in all versions of Windows 10. This looks as if Microsoft is now taking a different approach to introducing new security features in Windows 10, as all these features are available in all Windows 10 SKUs. With most previous introductions of security features, we’ve seen the features being introduced in Windows 10 Enterprise and sometimes Pro. This is still true for App Guard and Windows Defender Application Control (formerly known as Device Guard). In this case, Windows Defender Exploit Guard is there for every SKU, with one important footnote: except for Exploit Protection, every feature requires Windows Defender AV to be enabled.
Anyway, let’s have a closer look at Windows Defender Exploit Guard.
Windows Defender Exploit Protection
Windows Defender Exploit Protection can be referred to as the new EMET, built into Windows 10. EMET is a solution that enables you to configure a number of the built-in process mitigations for applications whose developers did not do so themselves. This prevents many potential zero-day exploits from succeeding. Although EMET has been deprecated, Microsoft did not leave the idea behind. In fact, the number of available exploit protections has increased from five in EMET to 18 in Windows 10 RS3. People who have implemented EMET before know how hard it is to test and find the exploit protections that work and do not break specific applications. Microsoft managed to find a way to relieve you of most of that burden when implementing WDEP. The answer is Windows Defender Advanced Threat Protection (WDATP). If your system is licensed and configured to use WDATP, WDATP will automatically configure the Microsoft-recommended process mitigations on the system, covering most publicly available applications and providing maximum protection against zero-day exploits. As it does not require Windows Defender AV, even those who opt for a different AV solution can make use of this feature.
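For organizations without WDATP, the mitigations still have to be configured by hand, so here is an added example (not from the article) of the manual workflow with the ProcessMitigations PowerShell module that ships in Windows 10 1709: export a baseline, inspect and harden one application, convert an existing EMET policy, and watch the mitigation event logs. `LegacyApp.exe` and the `C:\Deploy` paths are placeholders.

```powershell
# Added example, not from the article. Run from an elevated PowerShell session on
# Windows 10 1709 or later. LegacyApp.exe and C:\Deploy\... are placeholders.

# 1. Export the current system-wide and per-app mitigation settings as a baseline
#    you can re-apply with Set-ProcessMitigation -PolicyFilePath if something breaks.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtection-baseline.xml"

# 2. Inspect what is already in effect for the application you want to harden.
Get-ProcessMitigation -Name LegacyApp.exe

# 3. Enable a conservative set of mitigations for that application only.
#    Where a mitigation has an audit variant (here AuditDynamicCode), start with it so
#    incompatibilities show up in the event log instead of as application crashes.
Set-ProcessMitigation -Name LegacyApp.exe -Enable DEP, SEHOP, BottomUp, HighEntropy, AuditDynamicCode

# 4. Existing EMET deployments: convert the EMET XML instead of rebuilding rules by hand,
#    then apply the converted policy.
ConvertTo-ProcessMitigationPolicy -EMETFilePath "C:\Deploy\EMET-Config.xml" `
    -OutputFilePath "C:\Deploy\ExploitProtection.xml"
Set-ProcessMitigation -PolicyFilePath "C:\Deploy\ExploitProtection.xml"

# 5. Review mitigation hits (audit and enforce) while users exercise the application.
$logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
        'Microsoft-Windows-Security-Mitigations/UserMode'
Get-WinEvent -LogName $logs -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Get-WinEvent exits with an error rather than an empty result when a log has no events yet, which the SilentlyContinue setting absorbs.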
Windows Defender Attack Surface Reduction
Windows Defender Attack Surface Reduction is a set of mitigations aimed at disarming some of the most-used malware tactics. The measures in Attack Surface Reduction can, for instance, block the execution of obfuscated scripts or stop Office applications from creating child processes.
The list of Attack Surface Reduction measures consists of:
- Block executable content from email client and webmail
- Block Office applications from creating child processes
- Block Office applications from injecting into other processes
- Block execution of potentially obfuscated scripts
- Block Win32 imports from macro code in Office
And the beauty of all this is that it works with a single requirement: do not disable Windows Defender AV.
Windows Defender Network Protection
Windows Defender Network Protection is an example of simple effectiveness. The feature uses SmartScreen technology to block any executable from connecting to potentially malicious HTTP-based sources on the Internet. Network Protection extends SmartScreen from an Internet Explorer and Edge solution to the system level, so that other browsers are covered as well and potential malware is stopped from reaching such sources. Once again, Windows Defender AV is a requirement for enabling Windows Defender Network Protection.
Windows Defender Controlled Folder Access
Controlled Folder Access is Microsoft’s answer to the ever-increasing number of ransomware infections. Controlled Folder Access allows only a list of known applications to write to user folders such as Documents and Pictures. Users can extend the list of protected folders and whitelist applications that are allowed to create or edit files there.
My first experience with the feature showed that the default configuration is pretty strict. I would suggest that you first run the feature in audit mode for a while and use the logs to build a whitelist, so that users are not annoyed into turning off this really nice feature. The single option I now miss in Controlled Folder Access is an easy way to create a whitelist from the event logs. You probably already guessed that there is one requirement for using Controlled Folder Access. That is (of course) Windows Defender AV.
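The audit-mode workflow recommended above, and the missing "whitelist from the event log" option, as an added example (not from the article): the script puts Controlled Folder Access into audit mode, reads the Exploit Guard audit events that Microsoft documents in the Defender operational log (1122 for Attack Surface Reduction, 1124 for Controlled Folder Access, 1126 for Network Protection), summarizes which processes would have been blocked, and drafts a Controlled Folder Access allow list that is only applied after review. It assumes an English event message layout for the `Process Name:` and `Path:` fields.

```powershell
# Added example, not from the article. Run elevated on Windows 10 1709+ with Windows Defender AV on.
param(
    [int]$Days = 14,
    [switch]$ApplyAllowList   # only add the drafted apps after you have reviewed the report
)

$log = 'Microsoft-Windows-Windows Defender/Operational'
# Audit event IDs as documented by Microsoft for the Exploit Guard features.
$ids = @{ 1122 = 'Attack Surface Reduction'; 1124 = 'Controlled Folder Access'; 1126 = 'Network Protection' }

# Audit mode: Controlled Folder Access logs what it would block without blocking it.
Set-MpPreference -EnableControlledFolderAccess AuditMode

$events = Get-WinEvent -FilterHashtable @{
    LogName = $log; Id = [int[]]$ids.Keys; StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue   # Get-WinEvent errors instead of returning nothing when no events exist

# Assumption: English message text with "Process Name:" and "Path:" lines; adjust for other locales.
$rows = foreach ($e in $events) {
    $proc = if ($e.Message -match 'Process Name:\s*(?<p>[^\r\n]+)') { $Matches.p.Trim() } else { '<unknown>' }
    $path = if ($e.Message -match '\bPath:\s*(?<t>[^\r\n]+)')        { $Matches.t.Trim() } else { '' }
    [pscustomobject]@{ Feature = $ids[$e.Id]; Process = $proc; Target = $path }
}

# Report: which process would have been blocked by which feature, and how often.
$rows | Group-Object Feature, Process | Sort-Object Count -Descending |
    Select-Object Count, @{n='Feature';e={$_.Group[0].Feature}}, @{n='Process';e={$_.Group[0].Process}} |
    Format-Table -AutoSize

# Draft allow list: CFA-audited processes that still exist on disk and carry a valid
# Authenticode signature. Unsigned or missing binaries are left for manual investigation.
$candidates = $rows |
    Where-Object { $_.Feature -eq 'Controlled Folder Access' -and (Test-Path -LiteralPath $_.Process) } |
    Select-Object -ExpandProperty Process -Unique |
    Where-Object { (Get-AuthenticodeSignature -FilePath $_).Status -eq 'Valid' }

if ($ApplyAllowList -and $candidates) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $candidates
} else {
    'Drafted allow list (review, then re-run with -ApplyAllowList):'
    $candidates
}
```

A valid signature only tells you the binary is what its publisher shipped, not that it belongs on the allow list, so the report of targets and counts is the part worth reading before applying.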
Windows Defender AV is becoming pretty slick with the latest improvements and has become a better contender on the list of AV products. With the introduction of Windows Defender Exploit Guard there even are a few compelling features that many organizations do not want to live without. You can find more information about Windows Defender Exploit Guard here on the Windows Security Blog on TechNet.
Photo credit: Shutterstock