Share via


Windows 10: Windows Defender (WD) Antivirus (AV)

Applies to:

Windows Server 2019

Windows 10 1809

Windows 10 1803

Windows 10 1709

Windows 10 1703

Windows Server 2016

Windows 10 1607

Updated Mar. 3rd, 2019.

Audience: Security Administrators, and IT Administrators.

I would go on-site with our Microsoft Premier customers, when I mentioned Windows Defender Antivirus (WD AV) , I would hear, Windows Defender?

A lot end-up thinking of Windows Defender from back in the days of Windows XP Service Pack 2, Windows Vista, and Windows 7 which was only an antispyware product.

So where is Windows Defender Antivirus coming from? Started with an acquisition of GeCAD's Reliable Anti-virus (RAV) which became Windows OneCare Live and then Windows Live OneCare.

Windows Live OneCare was replaced with Microsoft Security Essentials (MSE) for consumers and Forefront Endpoint Protection for enterprises which brought Microsoft Active Protection Service (MAPS).

MAPS in the cloud: How can it help your enterprise?
https://www.microsoft.com/security/blog/2015/01/14/maps-in-the-cloud-how-can-it-help-your-enterprise/

Forefront Endpoint Protection was replaced with System Center Endpoint Protection (SCEP).

MAPS_

And finally in Windows 8 (circa 2012), we merged Microsoft Security Essentials (MSE) and System Center Endpoint Protection (SCEP) for enterprises together to form Windows Defender Antivirus which was built-in to the O.S.. MAPS becomes “Cloud Protection”.

"We have made acquisition a part of Microsoft’s security strategy – since 2013 we’ve acquired companies like Aorato, Secure Islands, Adallom, and most recently Hexadite."
Reference:
A decade inside Microsoft Security
https://www.microsoft.com/security/blog/2017/11/09/a-decade-inside-microsoft-security/

And in Windows 10 we kept on investing on Windows Defender Antivirus (WD AV). See below on what changes that we made.

[Why WD AV?]

Top scoring in industry tests (Jan to Dec of 2018, and continuing in 2019).

/en-us/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests

March-April 2018 test results: More insights into industry AV tests
https://www.microsoft.com/security/blog/2018/07/20/march-april-2018-test-results-more-insights-into-industry-av-tests/

Adding transparency and context into industry AV test results
https://www.microsoft.com/security/blog/2018/05/24/adding-transparency-and-context-into-industry-av-test-results/

Protecting the protector: Hardening machine learning defenses against adversarial attacks

https://www.microsoft.com/security/blog/2018/08/09/protecting-the-protector-hardening-machine-learning-defenses-against-adversarial-attacks/

Some of you might ask, what did you guys do to improve on your 3rd party test scores?

  • Improved Machine Learning (ML) and Heuristics
  • New Deep ML targeting Behavioral anomalies

layered-machine-learning-models-funnel-3

Windows10CU-updated

“Cloud Protection + Block at First Sight (BaFS)”

Windows-Defender-cloud-instant-protection-1083x609

Another way of looking at it:Detonation-based-ML-diagram

Leading it to be next-generation antivirus.

Why Windows Defender Antivirus is the most deployed in the enterprise

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/

Antivirus evolved

https://cloudblogs.microsoft.com/microsoftsecure/2017/05/08/antivirus-evolved/

Windows Security Whitepaper - Windows 10 - Windows Defender Antivirus

https://info.microsoft.com/rs/157-GQE-382/images/Windows%2010%20Security%20Whitepaper.pdf

The Evolution of Malware Prevention (Machine Learning) whitepaper

https://info.microsoft.com/Windows-Defender-ML-Whitepaper-Registration.html

Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware
https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/?source=mmpc

Windows Defender Antivirus can now run in a sandbox
https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)
https://www.microsoft.com/security/blog/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/

[What’s new?]

What are some of the highlights for both the WDAV library and other additions and changes to security in Windows 10, versions:

What's new in Windows 10, version 1809 for IT Pros - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#security

What's new in Windows 10, version 1803 IT Pro content - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1803#security

What's new in Windows 10, version 1709 IT Pro content - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709#security

What's new in Windows 10, version 1703 IT pro content - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1703#security

What's new in Windows 10, version 1607 - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1607#security

What's new in Windows 10, versions 1507 and 1511 - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1507-and-1511#security

[Test / Deploy WD AV]

Windows Defender compliance mapping whitepaper

https://download.microsoft.com/download/C/7/7/C778B7BB-0783-42D7-93A9-B86DFB5A7BAD/Coalfire_Branded_Windows_Defender_Whitepaper_EN_US.pdf

Windows Defender Antivirus & Exploit Guard protection evaluation guide

https://www.microsoft.com/en-us/download/details.aspx?id=54795

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus

Partnering with the industry to minimize false positives
https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/

Give Windows Defender Antivirus, the Next-Gen Protection a try.

Next in this series:

Windows 10: Windows Defender Exploit Guard-Exploit Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-defender-exploit-guard-exploit-protection/

Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules
https://blogs.technet.microsoft.com/yongrhee/2019/02/24/windows-10-windows-defender-exploit-guard-attack-surface-reduction-rules/

Windows 10: Windows Defender Exploit Guard-Network Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/26/windows-10-windows-defender-exploit-guard-network-protection/

Anti-ransomware in Windows 10: Windows Defender Exploit Guard-Controlled Folder Access
https://blogs.technet.microsoft.com/yongrhee/2019/03/02/anti-ransomware-in-windows-10-windows-defender-exploit-guard-controlled-folder-access/

Thanks,

Yong

Resources:

https://aka.ms/wdavtechnet

https://www.microsoft.com/mmpc

https://aka.ms/mmpcblog

Lifecycle information on both Windows Defender Antivirus and SCEP are outlined at https://support.microsoft.com/lifecycle/search

Recommended settings for VDI desktops

/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations

A great Microsoft Ignite 2018 recording that goes over WDAV:

Windows Defender ATP machine learning: Detecting new and unusual breach activity - BRK3375