Time to take a fresh look at Windows Defender


Microsoft has stuck with Windows Defender. For several years it kind of sat there and didn’t do much. (I’m sure some Microsoft person just cringed.) But now it’s a full-fledged antivirus, antimalware, and anti-ransomware protection machine that is built in and free. It is specifically designed to protect Windows 10, and it does so not only with drive-by download protection, signature definitions, and definition-less behavior tracking, but also by protecting against fileless malware running in memory via malicious WMI, PowerShell, VBScript, and DLLs. I’m going to argue that it’s the best way to protect your Windows 10 computers; in my MSP practice we’ve made the decision to not install any third-party A/V onto Windows 10 computers. In fact, Defender was recently credited with averting what could have been a massive worldwide cyberattack.

For those of you who aren’t there yet, you should know that Microsoft has made a big deal about Defender playing nicely with other antivirus applications, but what that means is that Defender takes a backseat and you lose some significant security features. Let’s take a look at what happens when you install another A/V product onto Windows 10.

Windows Defender passive mode

Windows Defender has two modes, active and passive. The mode is switched automatically depending on whether or not another A/V is present on the machine. That other A/V has to be Defender-aware. Certainly, by now they all should be, but you could encounter some that aren’t. I would call their modernity into question if that is the case.

Active mode: This is when Defender is on and no third-party A/V is installed. You get enhanced rootkit and bootkit detection, offline scanning and cleaning, online scanning and cleaning, and real-time protection from viruses, malware, rootkits, and spyware. It also has cloud-delivered protection for near-instant updates and dedicated protection based on Microsoft’s big data learning.

Passive mode: This is when a third-party antivirus product is installed. When this occurs, Windows Defender A/V will be disabled. However, you do have one option: you can manually enable something called “limited periodic scanning.” Consider it a fail-safe. When enabled, Defender will occasionally do a quick scan. To enable it, open Windows Defender and go to Anti-Virus Protection Settings. Here you’ll see your antivirus software listed. Expand the Windows Defender options and toggle periodic scanning to On.

Many of the blogs you’ll see on the Internet say that Windows Defender antivirus gets disabled automatically when you install a third-party A/V product. This is true, but it isn’t as straightforward as it sounds. What is frequently missed is that other defensive features are also disabled, because they are part of the A/V feature set in Defender.

Malware protections get disabled, too

Below is a chart showing that attack surface reduction, network protection, and controlled folder access are also disabled when real-time protection is not enabled. (This is another way of saying that Defender is in passive mode.)

[Chart: Windows Defender feature availability, with and without ATP, when real-time protection is on versus off]

You’ll note in the table above that Defender comes in two flavors: either with ATP (Advanced Threat Protection) or without (standard). To get the ATP version, you need to have one of the following license types. For the rest of us, it’s the standard version of Defender, which is what I’m going to be talking about for the rest of this article, because ATP is really a different animal that includes single-pane-of-glass management, threat hunting, remediation, and more.

  • Windows 10 Enterprise E5
  • Windows 10 Education E5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • ATP add-on

The real question is, of course, what did I really lose? To answer that question, you need to understand what attack surface reduction, network protection, and controlled folder access do to protect Windows 10. We have the following definitions:

Attack surface reduction measures consist of:

  • Block executable content from email client and webmail.
  • Block Office applications from creating child processes.
  • Block Office applications from injecting into other processes.
  • Block JavaScript and VBScript from launching executables.
  • Block execution of potentially obfuscated scripts.
  • Block Win32 imports from macro code in Office.

Controlled folder access is Microsoft’s answer to the ever-increasing number of ransomware infections. Controlled folder access allows only a list of known applications to write to user folders like Documents, Pictures, and the like. Users can extend the list of protected folders and whitelist applications that are allowed to create or edit files there.

Windows Defender Network Protection uses SmartScreen technology to block any executable from connecting to potentially malicious HTTP-based sources on the Internet. Network protection extends SmartScreen from an Internet Explorer and Edge feature to a system-level one, so it also covers other browsers and any potentially malicious process that tries to reach out.
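To see for yourself which of the features above are actually enforced on a given machine, both the passive/active state and the three protections just described can be read from the Defender PowerShell module. The script below is an added audit example, not code from the original post; it assumes Windows 10 1709 or later with the built-in Defender module, an elevated session, and that the six ASR rule GUIDs (Microsoft’s published IDs for the rules listed above) are still current.

```powershell
# Added example (not from the original post): audit which Defender features the article says
# are lost in passive mode. Assumes the built-in Defender PowerShell module (Windows 10 1709+)
# and an elevated session. Rule GUIDs are Microsoft's published ASR rule IDs for the six rules
# listed above; confirm them against the current ASR documentation before relying on them.
$asrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Numeric state values shared by ASR rule actions, controlled folder access and network protection.
function Describe-State([int]$v) {
    switch ($v) { 0 { 'Disabled' } 1 { 'Enabled (block)' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown ($v)" } }
}

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# The products registered with Security Center are what flip Defender into passive mode.
# (The namespace only exists on client Windows, hence SilentlyContinue.)
Write-Host 'Registered antivirus products:'
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "  $($_.displayName)" }

# Newer builds expose AMRunningMode (Normal / Passive Mode / ...); older builds only the RTP flag.
$mode = if ($status.PSObject.Properties['AMRunningMode']) { $status.AMRunningMode }
        elseif ($status.RealTimeProtectionEnabled) { 'Normal' } else { 'Passive or disabled' }
Write-Host "`nDefender running mode : $mode"
Write-Host "Real-time protection  : $($status.RealTimeProtectionEnabled)"
Write-Host "Behavior monitoring   : $($status.BehaviorMonitorEnabled)"

# ASR rules are stored as two parallel arrays; a rule missing from _Ids has never been configured.
$ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
Write-Host "`nAttack surface reduction rules:"
foreach ($id in $asrRules.Keys) {
    $i = [Array]::IndexOf($ids, $id)
    $state = if ($i -ge 0) { Describe-State $pref.AttackSurfaceReductionRules_Actions[$i] } else { 'Not configured' }
    Write-Host ("  {0,-16} {1}" -f $state, $asrRules[$id])
}

Write-Host "`nControlled folder access : $(Describe-State $pref.EnableControlledFolderAccess)"
Write-Host "Network protection       : $(Describe-State $pref.EnableNetworkProtection)"
# Per the chart above, these three depend on real-time protection: a configured rule is inert without it.
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off: ASR, controlled folder access and network protection are not enforced.'
}
```

Running this before and after installing a third-party product shows exactly what the chart describes: the rule settings survive, but with real-time protection off they no longer do anything.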

And potentially AMSI, too

The Antimalware Scan Interface (AMSI) will be disabled as well. Your antivirus product may be modern enough to have picked up this functionality on its own; it was Microsoft’s intention that any third-party antimalware tool could use this interface. But if not, then you’ve also lost a very important tool. AMSI protects you against malicious code. As I type this, there is a rash of so-called fileless infections occurring. A fileless infection is when an attacker gains access to the machine (through brute force, phishing, social engineering, the usual culprits), launches PowerShell (for example) and loads their code into memory. No file is written to disk; there’s nothing on your machine except in RAM, from where it does its dirty work. AMSI is designed specifically to protect you from PowerShell scripts, group policy WMI calls, and VBScript that are obfuscated to hide from basic A/V products. AMSI views these in their plain state as they attempt to run, passes them through a filter to look for bad behavior, and stops them from running.

Test Defender

If you are the curious sort and would like to test Defender to see what is off, what is on, and what the difference in behavior is, Microsoft has a website where you can exercise the various features to make sure they are working properly. There you can test antivirus, drive-by download protection, real-time cloud protection and more.

Still not convinced?

Now the question is: should you disable the Defender services? Heck no! Windows Defender is one of those integrated features, like IE was back in the day, so if you disable it in Services, Windows will become unstable. Save yourself some grief. Defender is third-party-antivirus aware. Let those applications configure Defender for you. They will put it into passive mode for you. If they don’t, then it’s a clear sign that your software isn’t keeping up with the times.

It is time to give Defender a shot. I know I read a lot of “Defender sucks” stuff out there. It’s time to look at it again with a clear mind and see the direction that Microsoft is taking this product. It’s not the same old Defender you’ve hated for the last decade. It’s now a truly integrated security system. The days of benchmarking one A/V over another on how fast they caught a virus or Trojan are gone. It’s no longer a good measure. The attackers are smarter. The attacks are varied and they are coming from all directions. Defender is the integrated solution that we’ve been hoping would come along, and Microsoft has really stepped up to the plate with this one. They’ve always been a great come-from-behind company and they’ve done it again with Defender in Windows 10 and in Server 2016, too. They are built on the same code, so Windows Server is enjoying better built-in security now, too.

4 thoughts on “Time to take a fresh look at Windows Defender”

  • Ron

    “…if you disable it in services Windows will become unstable.”
    That hasn’t been our experience. We’ve used ESET Endpoint Antivirus (previously ESET NOD32 Antivirus for business) for years. When we started deploying Windows 10, we experienced system performance problems (computers slowed to the point of being unusable). Disabling Windows Defender through Group Policy resolved the performance trouble. Maybe this is the “clear sign that your software isn’t keeping up with the times,” of which you write? In any event, our ESET subscription/license is up for renewal, and I’m exploring other options. I’m aware ESET Endpoint Antivirus alone offers fewer features (less protection) than the various Windows Defender components, and to be fair, ESET Endpoint Security.
    I would miss central reporting/management capability of ESET Remote Administrator, but I think System Center Configuration Manager Endpoint Protection (we already license) and various PowerShell tools may be sufficient for endpoint management/remediation.
    I’m evaluating ATP, but I’m not sure we can justify the cost of Windows Enterprise E5.
    Thanks for posting! I would appreciate any tips/suggestions you may have, based on the (minimal) information I provided about our environment/situation.

    • Third Tier Post author

      Ron, I had heard of that trouble with ESET. I think they have that resolved now. You should be able to leave the Defender service running now. You can buy ATP as a separate purchase item but I agree about the cost. It does include automated remediation and breach investigation throughout the network should an infection occur. Some very cool stuff. For now, I’m living without the central console while I figure out how we can best leverage the other benefits of E5 to justify the cost. I quite like the security advantages that the entire package offers.

  • Steve

    I know your article was targeting Windows 10 but there is an important difference with 2016…Per https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility:

    “On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple antivirus products installed on a machine.”