Since almost before time began (ok so 1974 – Rabbit) malware and viruses have existed on computers, since then the volume and level of sophistication of attacks has dramatically increased. You are no longer defending against viruses, you are defending against attacks from a whole range of threat actors. Aside from backups, antivirus is often one of the first and last lines of defence on systems, as such over the years a range of products and services have arisen (and far more opinions) in the antivirus space, so much so that now we have solution stacks named endpoint detection and response. So, to get to the point, the threat landscape is vast (this year alone there has been 6 million new malware samples discovered – https://www.av-test.org/en/statistics/malware/)
A new Superhero?
Windows defender was always an underdog in this space, if you google “Windows 10 defender reviews” you will see a range of star ratings such as, 3 out of 5, 2.5 out of 5, 2 out of five etc.
Security has never been more in focus with business, however there is always a driver to ensure costs are controlled and value is being added, so I thought I would write about Windows 10 defender and look at some of the reasons you may want to drop your 3rd party solution.
Out of the box, from Windows 10 Creators edition you get the following features in Windows Defender:
- Signature based detection
- Ransomware detection and mitigation (must be enabled)
- PowerShell exploit detection
- Cloud based submission (must be enabled, and please understand the privacy/intellectual property implications in doing so)
We’ve put defender through the paces in the lab and tested the following scenarios:
|PowerShell Reverse Shell Exploit||Blocked|
|Heavily Obfuscated binary||Bypassed|
|Binary Ransomware (custom)||Blocked (on specific folders only)|
|PowerShell Ransomware (custom)||Bypassed (excluding protected folders)|
Overall, we were impressed with the level of protection windows defender provided, we have tested a range of products (including next generation products) and have managed to bypass all of those tested. Would we go out the house in the rain without a jacket? No, much like I wouldn’t recommend not having AV where it’s supported. I wouldn’t however trust it alone to keep me dry all winter, I’d probably want to combine it with an umbrella, waterproof shoes etc.
It goes without saying that defender on its own has a number of gaps. It lacks central management and reporting unless coupled with other solutions such as:
- Active Directory Domain Services Group Policy (for central configuration)
- Microsoft OMS (central reporting and alerting)
- Microsoft System Center Configuration Manager (Central Reporting and configuration)
It also does not have an agent/app for mobile devices (mobile is a whole other subject) nor does it have host intrusion prevention or a firewall (but there is one in Windows!) so please bear this in mind.
Now let’s get one thing clear, if I was defending a sizeable environment I would likely adopt all three or the above (or suitable alternatives) alongside a whole range of other controls, AV is not a panacea, you can do a lot to defend simply by using a hardened configuration with technologies such as group policy, app locker, bit locker etc.
AV Feature Summary
The following table provides a summary of key features:
|Potentially Unwanted Programs||Yes|
|Signature based detection||Yes|
|Heuristics/Real Time Protection||Yes|
|In Memory Scanning||Yes (subject to build version)|
|Performance Considerate||Yes (when utilised with exclusions)|
|Centralised Reporting||With additional services|
|Centralised Alerting||With additional services|
|Application Engine (e.g. SharePoint/Exchange)||No|
|Host Intrusion Protection Services||No|
|Firewall||No (provided by Windows Firewall)|
|Web Content Filtering||No|
|PowerShell Exploit Detection||Yes|
Since BUILD 1507 Windows 10 Enterprise customers can enable virtualization-based security (VBS) & hypervisor protected code integrity (HVCI) – for more info see: https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/td-p/167303
Remember that unsigned drivers may cause issues with this so make sure you update firmware/drivers and conduct testing.
Windows Defender is included in your Windows 10 license, however additional costs are required for Active Directory, SCCM and OMS. These costs however are likely to blend into other technology management capabilities that are recommended for your environment regardless of choice of AV solution.
When looking at your endpoint security it’s really important to understand your current state security posture, the threats you are likely to face and the level of investment you need to make to be compliant both from a legal/regulatory perspective but also in line with your corporate risk appetite. Would I deploy Windows 10 defender to a customer as part of their endpoint protection solution, absolutely? I would however want to ensure it’s augmented with a management service and look at additional controls (disable SMBv1, enable PowerShell logging, disable macros etc.) much as I would with any other endpoint detection solution.