Windows 10: Windows Defender (WD) Antivirus (AV)

Applies to:

  • Windows Server 2019
  • Windows 10 1809
  • Windows 10 1803
  • Windows 10 1709
  • Windows 10 1703
  • Windows Server 2016
  • Windows 10 1607

Updated Mar. 3rd, 2019.

Audience: Security Administrators and IT Administrators.

When I would go on-site with our Microsoft Premier customers and mentioned Windows Defender Antivirus (WD AV), I would hear, "Windows Defender?"

A lot end up thinking of the Windows Defender from the days of Windows XP Service Pack 2, Windows Vista, and Windows 7, which was only an antispyware product.

So where does Windows Defender Antivirus come from? It started with the acquisition of GeCAD's Reliable Anti-virus (RAV), which became Windows OneCare Live and then Windows Live OneCare.

Windows Live OneCare was replaced with Microsoft Security Essentials (MSE) for consumers and Forefront Endpoint Protection for enterprises, which brought the Microsoft Active Protection Service (MAPS).

MAPS in the cloud: How can it help your enterprise?
https://www.microsoft.com/security/blog/2015/01/14/maps-in-the-cloud-how-can-it-help-your-enterprise/

Forefront Endpoint Protection was replaced with System Center Endpoint Protection (SCEP).


And finally, in Windows 8 (circa 2012), we merged Microsoft Security Essentials (MSE) and System Center Endpoint Protection (SCEP) for enterprises together to form Windows Defender Antivirus, which was built into the OS. MAPS became "Cloud Protection".

"We have made acquisition a part of Microsoft’s security strategy – since 2013 we’ve acquired companies like Aorato, Secure Islands, Adallom, and most recently Hexadite."
Reference:
A decade inside Microsoft Security
https://www.microsoft.com/security/blog/2017/11/09/a-decade-inside-microsoft-security/

In Windows 10 we kept investing in Windows Defender Antivirus (WD AV). See below for the changes we made.

[Why WD AV?]

Top scoring in industry tests (Jan to Dec of 2018, and continuing in 2019).

/en-us/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests

March-April 2018 test results: More insights into industry AV tests
https://www.microsoft.com/security/blog/2018/07/20/march-april-2018-test-results-more-insights-into-industry-av-tests/

Adding transparency and context into industry AV test results
https://www.microsoft.com/security/blog/2018/05/24/adding-transparency-and-context-into-industry-av-test-results/

Protecting the protector: Hardening machine learning defenses against adversarial attacks

https://www.microsoft.com/security/blog/2018/08/09/protecting-the-protector-hardening-machine-learning-defenses-against-adversarial-attacks/

Some of you might ask: what did you do to improve your third-party test scores?

  • Improved Machine Learning (ML) and Heuristics
  • New Deep ML targeting Behavioral anomalies

(Diagram: layered machine learning models funnel)

(Diagram: Windows 10 CU, updated)

“Cloud Protection + Block at First Sight (BaFS)”

(Diagram: Windows Defender cloud instant protection)

Another way of looking at it: (Diagram: detonation-based ML)

This is what makes it a next-generation antivirus.

Why Windows Defender Antivirus is the most deployed in the enterprise

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/

Antivirus evolved

https://cloudblogs.microsoft.com/microsoftsecure/2017/05/08/antivirus-evolved/

Windows Security Whitepaper - Windows 10 - Windows Defender Antivirus

https://info.microsoft.com/rs/157-GQE-382/images/Windows%2010%20Security%20Whitepaper.pdf

The Evolution of Malware Prevention (Machine Learning) whitepaper

https://info.microsoft.com/Windows-Defender-ML-Whitepaper-Registration.html

Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware
https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/?source=mmpc

Windows Defender Antivirus can now run in a sandbox
https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)
https://www.microsoft.com/security/blog/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/

[What’s new?]

Here are some of the highlights for both WD AV and the other security additions and changes in Windows 10, by version:

What's new in Windows 10, version 1809 for IT Pros - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#security

What's new in Windows 10, version 1803 IT Pro content - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1803#security

What's new in Windows 10, version 1709 IT Pro content - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709#security

What's new in Windows 10, version 1703 IT pro content - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1703#security

What's new in Windows 10, version 1607 - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1607#security

What's new in Windows 10, versions 1507 and 1511 - Security

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1507-and-1511#security

[Test / Deploy WD AV]

Windows Defender compliance mapping whitepaper

https://download.microsoft.com/download/C/7/7/C778B7BB-0783-42D7-93A9-B86DFB5A7BAD/Coalfire_Branded_Windows_Defender_Whitepaper_EN_US.pdf

Windows Defender Antivirus & Exploit Guard protection evaluation guide

https://www.microsoft.com/en-us/download/details.aspx?id=54795

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus

Partnering with the industry to minimize false positives
https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/

Give Windows Defender Antivirus, the next-gen protection, a try.
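Before and after a pilot deployment, the one check an administrator usually wants is whether cloud protection (MAPS) and Block at First Sight are actually in effect on a client, since both can be silently turned off by policy. The following PowerShell is an added example, not from the original post or from Microsoft; it uses the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference, only reads state, and the function name and the three-day signature-age threshold are my own choices.

```powershell
# Added example: audit a Windows 10 / Server 2016+ client for the WD AV settings
# discussed above (cloud protection / MAPS and Block at First Sight). Read-only.
# Requires the built-in Defender PowerShell module; run in an elevated session.

function Test-WdavCloudProtection {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # Engine and real-time protection must be on; cloud lookups depend on them.
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled (another AV may be registered).') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off.') }
    if ($pref.DisableBehaviorMonitoring)        { $findings.Add('Behavior monitoring is disabled.') }
    if ($pref.DisableIOAVProtection)            { $findings.Add('IOAV (downloaded file / attachment) scanning is disabled.') }

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
    # Cloud protection needs 1 or 2; Block at First Sight needs Advanced (2).
    if ($pref.MAPSReporting -eq 0)     { $findings.Add('Cloud protection (MAPS) is disabled; Block at First Sight cannot work.') }
    elseif ($pref.MAPSReporting -eq 1) { $findings.Add('MAPS is Basic; Block at First Sight requires Advanced membership.') }

    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples automatically,
    # 2 = Never send, 3 = Send all samples automatically. BaFS needs 1 or 3.
    if ($pref.SubmitSamplesConsent -in @(0, 2)) {
        $findings.Add("Sample submission is '$($pref.SubmitSamplesConsent)'; Block at First Sight needs automatic submission (1 or 3).")
    }

    if ($pref.DisableBlockAtFirstSeen) { $findings.Add('Block at First Sight is explicitly disabled (DisableBlockAtFirstSeen = True).') }

    # Stale security intelligence weakens the local layer the cloud builds on.
    # The three-day threshold is an assumption; adjust to your update cadence.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt 3) { $findings.Add(("Security intelligence is {0:N0} days old." -f $sigAge.TotalDays)) }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        EngineVersion        = $status.AMEngineVersion
        SignatureVersion     = $status.AntivirusSignatureVersion
        MAPSReporting        = $pref.MAPSReporting
        SubmitSamplesConsent = $pref.SubmitSamplesConsent
        BlockAtFirstSight    = -not $pref.DisableBlockAtFirstSeen
        CloudBlockLevel      = $pref.CloudBlockLevel
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

Test-WdavCloudProtection | Format-List
```

An empty Findings list with Compliant = True means the client meets the documented prerequisites for Block at First Sight; anything else names the setting to fix via Set-MpPreference or Group Policy.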

Next in this series:

Windows 10: Windows Defender Exploit Guard-Exploit Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-defender-exploit-guard-exploit-protection/

Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules
https://blogs.technet.microsoft.com/yongrhee/2019/02/24/windows-10-windows-defender-exploit-guard-attack-surface-reduction-rules/

Windows 10: Windows Defender Exploit Guard-Network Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/26/windows-10-windows-defender-exploit-guard-network-protection/

Anti-ransomware in Windows 10: Windows Defender Exploit Guard-Controlled Folder Access
https://blogs.technet.microsoft.com/yongrhee/2019/03/02/anti-ransomware-in-windows-10-windows-defender-exploit-guard-controlled-folder-access/

Thanks,

Yong

Resources:

https://aka.ms/wdavtechnet

https://www.microsoft.com/mmpc

https://aka.ms/mmpcblog

Lifecycle information on both Windows Defender Antivirus and SCEP is outlined at https://support.microsoft.com/lifecycle/search

Recommended settings for VDI desktops

/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations

A great Microsoft Ignite 2018 recording that goes over WD AV:

Windows Defender ATP machine learning: Detecting new and unusual breach activity - BRK3375