I had a session at the Microsoft Tech Summit in Stockholm, presenting the new security features in Windows 10 Fall Creators Update (1709). After the session I had a handful of questions about Windows Defender Antivirus, and because I often get similar questions, I will share my view on the capability of Windows Defender Antivirus.
Why pay for a yearly subscription from a third-party antivirus provider, when Windows Defender Antivirus seems to cover almost all threats?
Would you say that Windows Defender Antivirus is enough, or what benefits would companies, as well as private individuals, gain from adding another antivirus solution?
By answering those questions, I am fully aware I am moving into holy ground, and I should know, as I spent ten (10) years managing a third-party antivirus solution, and I loved it – still do!
However, the short answer is: Yes!
The longer answer is: It depends.
Let me elaborate a bit further on those answers.
Keeping your PC safe with trusted antivirus protection is your main concern. Using Windows Defender Antivirus, which is built into Windows 10, gives you some benefits, among them automatic updates through Microsoft Update. However, there is a catch. To manage Windows Defender Antivirus, you need either System Center Configuration Manager or Microsoft Intune. By managing I am referring to reporting, as configuration can be done in several ways, using:
- Microsoft System Center Configuration Manager
- Microsoft Intune
- Windows Management Instrumentation (WMI)
- Group Policy
It is possible to monitor alerts by other means than Microsoft System Center Configuration Manager (SCCM) or Microsoft Intune, e.g. by using Windows Event Forwarding or Windows Analytics. However, these solutions will noticeably hurt your response time and will primarily give you some simple reporting.
The problem with antivirus is that most traditional antivirus solutions monitor for file-based attacks and do nothing to prevent (or even detect) non-malware attacks, providing attackers with a point of entry that goes completely overlooked.
Traditional AV and machine-learning AV are designed to identify threats only when a file is written to or read from disk. Since they only look at the attributes of an executable file, they are completely blind to attacks where no files are involved, especially when organizations rely on legacy AV or traditional application control such as Microsoft AppLocker or similar (I highly recommend Windows AppLocker).
Running legacy AV and machine-learning AV is not enough; you need to be able to monitor the activity of applications and services, including communication between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels, and to monitor and analyze the relationships among those events.
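The reporting gap described above is the first thing to close when you run Windows Defender Antivirus without SCCM or Intune. The following PowerShell is an added example, not code from the original post: it reads the engine and signature health from the Defender WMI provider (the same `MSFT_MpComputerStatus` class the `Get-MpComputerStatus` cmdlet wraps) and pulls the last week of detections (event IDs 1116 "malware detected" and 1117 "action taken") from the Defender operational log, which is the log you would forward with Windows Event Forwarding. The "healthy" thresholds are my own assumption, not a Microsoft default.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on a Windows 10 device running Windows Defender Antivirus.

function Get-DefenderReport {
    param([int]$Days = 7)

    # 1. Engine and signature health straight from the Defender WMI/CIM provider.
    $status = Get-CimInstance -Namespace 'root\Microsoft\Windows\Defender' `
                              -ClassName 'MSFT_MpComputerStatus'

    $health = [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        AMServiceEnabled          = $status.AMServiceEnabled
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        SignatureVersion          = $status.AntivirusSignatureVersion
        SignatureAgeDays          = $status.AntivirusSignatureAge
        QuickScanAgeDays          = $status.QuickScanAge
        # Assumption: locally chosen thresholds, not a Microsoft default.
        Healthy                   = ($status.AMServiceEnabled -and
                                     $status.RealTimeProtectionEnabled -and
                                     $status.AntivirusSignatureAge -le 3)
    }

    # 2. Detections from the operational log that WEF would forward.
    #    1116 = malware detected, 1117 = action taken on the detection.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    $detections = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]   # first line of the message
            }
        }

    [pscustomobject]@{
        Health     = $health
        Detections = @($detections)
    }
}

# Usage: one snapshot per device; feed the objects to a file share, a SIEM, or
# Invoke-Command -ComputerName ... for a quick fleet-wide view.
$report = Get-DefenderReport -Days 7
$report.Health | Format-List
$report.Detections | Format-Table -AutoSize
```

Because everything is returned as objects rather than printed, the same function can be run remotely with `Invoke-Command` and the results collected centrally; that is the minimum a "simple reporting" setup should give you when a management suite is not in place.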
With Windows 10 Fall Creators Update (1709), Microsoft introduced Windows Defender Exploit Guard (WDEG). This means you can now audit, configure, and manage Windows system and application exploit mitigations right from the Windows Defender Security Center (WDSC) or using any of the configuration options mentioned above.
There are four features in Windows Defender Exploit Guard (WDEG):
- Exploit Protection
- Attack Surface Reduction (ASR)
- Network Protection
- Controlled Folder Access
Be aware that all components except Exploit Protection require Windows Defender Antivirus as your primary antivirus product.
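Because three of the four components depend on Windows Defender Antivirus and all of them can change application behaviour, the sensible first step is to run them in audit mode and read the audit events before enforcing. The PowerShell below is an added example, not the post's own code: it uses the `Set-MpPreference` / `Add-MpPreference` cmdlets that ship with Windows Defender Antivirus in 1709 to put Attack Surface Reduction, Network Protection and Controlled Folder Access into audit mode, shows the system-level Exploit Protection settings with `Get-ProcessMitigation`, and then lists what each component would have blocked. The two ASR rule GUIDs are Microsoft's published identifiers for the rules named in the comments; the folder and application paths are placeholders.

```powershell
# Added example (not from the original post). Requires Windows 10 1709 or later
# with Windows Defender Antivirus as the primary AV and an elevated session.

# Assumption: these two ASR rules are chosen for illustration; the GUIDs are
# Microsoft's published rule ids. Check current documentation before deploying.
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

function Enable-ExploitGuardAudit {
    # Attack Surface Reduction: the Ids and Actions arrays are matched by position.
    $ids     = @($asrRules.Keys)
    $actions = @($ids | ForEach-Object { 'AuditMode' })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions $actions

    # Network Protection and Controlled Folder Access also support audit mode.
    Set-MpPreference -EnableNetworkProtection AuditMode
    Set-MpPreference -EnableControlledFolderAccess AuditMode

    # Placeholder paths: protect an extra data folder and allow a known-good app.
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Data\Finance'
    Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LineOfBusiness\app.exe'

    # Exploit Protection does not depend on Windows Defender AV; just show the
    # system defaults so they can be reviewed (DEP, SEHOP, ASLR and friends).
    Get-ProcessMitigation -System
}

function Show-ExploitGuardState {
    Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
        AttackSurfaceReductionRules_Actions, EnableNetworkProtection,
        EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
}

function Get-ExploitGuardAuditEvents {
    param([int]$Days = 7)
    # Audit-mode event ids in the Defender operational log (Microsoft's Exploit Guard docs):
    # 1122 = ASR rule would have blocked, 1124 = Controlled Folder Access would have blocked,
    # 1125 = Network Protection would have blocked.
    $ids = @{ 1122 = 'ASR audit'; 1124 = 'Controlled Folder Access audit'; 1125 = 'Network Protection audit' }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$ids.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Component'; e = { $ids[$_.Id] } },
            @{ n = 'Detail';    e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: enable audit, confirm the preference took, then come back after a week
# of normal use and review before switching any rule to Enabled.
Enable-ExploitGuardAudit
Show-ExploitGuardState
Get-ExploitGuardAuditEvents -Days 7 | Format-Table -AutoSize
```

Switching a rule from `AuditMode` to `Enabled` is the same `Set-MpPreference` call with a different action, so the audit phase costs nothing but time and gives you the list of line-of-business applications that need an exclusion or an allowed-application entry before enforcement.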
To further increase the protection for devices that meet certain hardware requirements, you can use virtualization-based protection of code integrity with Windows Defender Application Control (WDAC).
And to tie a perfect knot, I always recommend using Windows Defender SmartScreen, Windows Defender BitLocker, Windows Defender Firewall and Windows Defender Credential Guard, and ensuring end users do not have administrative privileges (at least on domain-joined devices).
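The layers listed above are only layers if they are actually on, so it is worth being able to verify them on a device in one go. The PowerShell below is an added example, not from the original post: it reads the Device Guard CIM class (`SecurityServicesRunning` contains 1 when Credential Guard is running and 2 when virtualization-based code integrity is running; `CodeIntegrityPolicyEnforcementStatus` is 0, 1 or 2 for off, audit or enforced), the SmartScreen registry value, the OS-volume BitLocker state, the firewall profiles, and whether the current token is a local administrator. The "expected" values are my assumptions about a reasonable baseline, not Microsoft defaults.

```powershell
# Added example (not from the original post). Run as the interactive user on a
# Windows 10 1709+ device; some queries return less when not elevated.

function Get-PlatformLayerReport {
    # Virtualization-based security status (Credential Guard, HVCI, WDAC).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    $running = @($dg.SecurityServicesRunning)

    # SmartScreen for Explorer: 'Off', 'Warn', 'RequireAdmin' (or absent).
    $ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                           -Name SmartScreenEnabled -ErrorAction SilentlyContinue

    # BitLocker on the OS volume; the cmdlet is absent on editions without BitLocker.
    $bl = try { Get-BitLockerVolume -MountPoint $env:SystemDrive } catch { $null }

    # Firewall profiles (Domain, Private, Public).
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled

    # Is the current token a local administrator? Note: an admin running a
    # non-elevated session shows False here because of UAC's filtered token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        CredentialGuardRunning = ($running -contains 1)
        HvciRunning            = ($running -contains 2)
        WdacEnforcement        = @('Off', 'Audit', 'Enforced')[$dg.CodeIntegrityPolicyEnforcementStatus]
        SmartScreen            = $ss.SmartScreenEnabled
        BitLockerProtection    = $bl.ProtectionStatus        # On / Off / $null if unavailable
        FirewallProfilesOff    = @($fw | Where-Object { -not $_.Enabled } | ForEach-Object Name)
        UserIsLocalAdmin       = $isAdmin
    }
}

function Test-PlatformBaseline {
    # Assumption: a simple baseline for a domain-joined 1709 Enterprise device.
    $r = Get-PlatformLayerReport
    [pscustomobject]@{
        Report   = $r
        Findings = @(
            if (-not $r.CredentialGuardRunning)        { 'Credential Guard not running' }
            if (-not $r.HvciRunning)                   { 'HVCI not running' }
            if ($r.WdacEnforcement -ne 'Enforced')     { "WDAC policy is $($r.WdacEnforcement)" }
            if ($r.SmartScreen -eq 'Off' -or -not $r.SmartScreen) { 'SmartScreen off or unset' }
            if ($r.BitLockerProtection -ne 'On')       { 'OS volume not BitLocker protected' }
            if ($r.FirewallProfilesOff.Count -gt 0)    { "Firewall off for: $($r.FirewallProfilesOff -join ', ')" }
            if ($r.UserIsLocalAdmin)                   { 'Interactive user is a local administrator' }
        )
    }
}

# Usage: an empty Findings list means every layer above is in place.
$result = Test-PlatformBaseline
$result.Report   | Format-List
$result.Findings
```

The Device Guard numbers above apply to devices that meet the hardware requirements mentioned earlier; on a device without UEFI, Secure Boot and virtualization extensions the Credential Guard and HVCI checks will report false even when the policy is configured, which is itself a useful finding.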
To get back to the questions that started this rant: I would recommend Windows Defender Antivirus any day; at a minimum you should consider the option if you already pay for the licenses. If you already have Microsoft System Center Configuration Manager (SCCM) and/or Microsoft Intune in place, it is a no-brainer and you should consider using Windows Defender Antivirus over third-party antivirus products.
However, I did state “It depends”. So, if you do not have a management option in place, or you are running down-level versions of Windows, or even Windows 10 prior to Windows 10 Fall Creators Update (1709), I would recommend you keep your third-party antivirus product a little longer – and please be advised that some Windows 10 (1709) features do require Windows 10 Enterprise Edition.
However, if your Windows platform is based on Windows 10 Fall Creators Update (1709) or above and you are prepared to start using the new security layers built into Windows, you will get a rock-solid platform with multiple security layers, meaning if one layer gets breached the next layer kicks in!
Windows Defender Antivirus in Windows 10 and Windows Server 2016: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10
Windows Defender Application Control: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control
Protect derived domain credentials with Windows Defender Credential Guard: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard
Windows Defender Firewall with Advanced Security: https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security
Windows Active Defense: https://demo.wd.microsoft.com/
What is a Non-Malware (or File less) Attack? https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/