Is Windows Defender Mature Enough to Replace Third-Party Antivirus / Antimalware?

About the Windows 10 Application Security Webinar

Adaptiva recently hosted a great webinar on Windows 10 Application Security with Sami Laiho, global security expert. Microsoft MVP Ami Casto joined as well.

[Webinar title slide: Windows 10 Application Security / Third Party App Security. Presenters: Sami Laiho, Leading Global Security Expert, Microsoft MVP & MCT, Pluralsight Author, Elite Security Keynote Speaker (@samilaiho); Ami Casto, Technical Evangelist & Microsoft MVP, Adaptiva (@adaptivaami).]

This webinar was chock-full of need-to-know Windows 10 security information for enterprises, so I decided to share the wisdom in a blog series. You can get all the details in the full webinar.

The Young Adulthood of Windows Defender

When Windows Defender was first released in 2006, Microsoft described it as “not great, but better than nothing.” I’m paraphrasing, but that was the essence of their message at launch.

Microsoft told corporate customers not to abandon third-party antimalware solutions in favor of Windows Defender. (Note: I’m using antimalware even though the official name is “Windows Defender Antivirus” because viruses are a subset of malware.)

In the past dozen years, businesses’ need for comprehensive cybersecurity has skyrocketed. In response, Microsoft has continued to improve Windows Defender. As IT pros roll out Windows 10, they are reevaluating their need for third-party antimalware.

Is Windows Defender Grown Up Enough?

Instead of being coy, I’ll tell you flat out: yes. Windows Defender is good enough to replace third-party antimalware in most businesses, regardless of size. This does not mean it’s the right choice for every business, but it’s a viable option.

Now let’s talk about why! The logic is not very intuitive, so I’ll break it down. It starts with this premise:

Traditional antimalware software—whether Windows Defender or third party—cannot be your primary endpoint protection anymore.

For many years, traditional antimalware software was the backbone of Windows application security. At the core of these technologies is an engine that looks for software on your system—both on disk and in memory—that matches patterns of malware. The search for malware can be more sophisticated than just matching patterns, but that’s historically been the heart of it.

The patterns are stored in a definition file. You can think of it as a catalog of data used to identify malware. That definition file is frequently updated and distributed to all endpoints.

You are probably aware of more advanced antimalware solutions that use things like real-time telemetry, cloud databases, and artificial intelligence. One example of these is Microsoft Advanced Threat Protection (ATP), though many third-party solutions compete here too. This blog references only traditional antimalware engines, where Windows Defender competes.

If you suggest using Windows Defender, some IT pros may argue, “Third-party antimalware solutions catch 99% of malware, and Windows Defender only catches around 94%. So why would I use Windows Defender?” While the exact numbers may vary, nobody disputes that third-party engines catch more malware than Windows Defender.

This is where it gets interesting …

All the major antimalware providers find more than 1,000,000 new malware samples every day.

Whoa, what!? Yes, it’s right here on Sami’s slide from the webinar.

So, even at 99% coverage, an antimalware engine is missing more than 10,000 different pieces of malicious software every day. That’s a lot of pieces of badness flying under your radar daily. It only takes one to compromise your organization.

To make your company’s applications totally secure, you have to take additional measures. These start with using other Windows 10 security features such as whitelisting, exploit protection and many others. You may want to deploy other types of third-party security software (beyond antimalware). Plus you’ll need to apply a myriad of best practices throughout your organization.

In the context of this bigger picture, Windows Defender makes sense:

  1. It will catch the overwhelming majority of malware
  2. It’s distributed and updated as a part of Windows 10 itself
  3. A strong security strategy does not rely on antimalware to catch everything

What’s the Catch?

Windows Defender’s biggest disadvantage is that it does not have a centralized logging and alerting system. This can, however, be mitigated in several different ways:

  • Microsoft System Center Endpoint Protection can address this need for businesses using Microsoft System Center Configuration Manager
  • Companies using Microsoft  can set up alerting through Windows Defender ATP
  • A third-party security information event management (SIEM) system can track Windows Defender activity and provide alerting
  • Event forwarding (aka log forwarding) may be a good option as well for smaller companies

Log Forwarding

For organizations that don’t have an advanced solution for managing centralized logging and alerting from Windows Defender, log forwarding is a viable option. Log forwarding was originally released as part of Windows Vista, so it’s been around for a while.

Basically, you could allocate a centralized server for alerting and management with Windows Defender. Use group policy to forward events from every client to the central server. Create a task on the server that runs a PowerShell script to evaluate events, and send an email or take other action when alerting is merited.
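As an added example (not code from the webinar or from Adaptiva), here is the kind of scheduled-task PowerShell script the collector server could run. It assumes the group-policy-configured subscription already delivers each client’s Windows Defender operational log into the collector’s ForwardedEvents log; the SMTP server, mail addresses and state-file path are placeholders to adjust.

```powershell
# Added example (not from the webinar or Adaptiva): runs on the collector server
# as a scheduled task. Assumes clients already forward the
# "Microsoft-Windows-Windows Defender/Operational" log via a GPO-configured
# subscription, so the events land in the collector's ForwardedEvents log.
# $SmtpServer, $To, $From and $StatePath are placeholder values.
$SmtpServer = 'smtp.example.internal'
$To         = 'secops@example.internal'
$From       = 'defender-alerts@example.internal'
$StatePath  = 'C:\DefenderAlerts\lastrun.txt'

# Only look at events newer than the previous run, so each detection alerts once.
$since = if (Test-Path $StatePath) { [datetime](Get-Content $StatePath -Raw).Trim() }
         else { (Get-Date).AddHours(-24) }
$now = Get-Date

# Defender event IDs: 1116 = malware/PUA detected, 1117 = remediation action taken.
$filter = @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-Windows Defender'
    Id           = 1116, 1117
    StartTime    = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($events) {
    # Pull the threat name and path out of the message text; fall back to a
    # placeholder if the expected "Name:" / "Path:" lines are absent.
    $lines = foreach ($e in ($events | Sort-Object TimeCreated)) {
        $name = if ($e.Message -match '(?m)^\s*Name:\s*(.+)$') { $Matches[1].Trim() } else { '(unknown)' }
        $path = if ($e.Message -match '(?m)^\s*Path:\s*(.+)$') { $Matches[1].Trim() } else { '(unknown)' }
        '{0:u}  {1,-20}  {2}  {3}  {4}' -f $e.TimeCreated, $e.MachineName, $e.Id, $name, $path
    }
    $hosts = ($events | Select-Object -ExpandProperty MachineName -Unique) -join ', '
    $body  = "Windows Defender reported $($events.Count) event(s) on: $hosts`n`n" + ($lines -join "`n")

    # Send-MailMessage suits an internal relay; replace with your mail API if needed.
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
        -Subject "Defender detection on $hosts" -Body $body
}

# Record this run's timestamp so the next run only evaluates newer events.
New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
Set-Content -Path $StatePath -Value $now.ToString('o')
```

Register it with Task Scheduler on the collector at whatever interval matches your alerting needs; the state file keeps repeated runs from re-sending the same detections.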

Yes, Windows Defender Is All Grown Up

Windows Defender is a mature technology that is more than adult enough for your company to rely on. Even large enterprises can adopt it, though that doesn’t mean they should. Your organization’s technologies, challenges and processes are unique. Nobody can rightfully tell you “xyz is the best antimalware in all cases.”

That said, you can’t ignore Windows Defender anymore! It may make your life a little easier because it’s built into Windows. So if you can make it work, it could free up some time you now spend managing antimalware engines. Then you can use that time to work on the million other cybersecurity tasks on your list!

Bill Bernat
Director of Product and Content Marketing, Adaptiva
