The Young Adulthood of Windows Defender
When Windows Defender was first released in 2006, Microsoft described it as “not great, but better than nothing.” I’m paraphrasing, but that was the essence of their message at launch.
Microsoft told corporate customers not to abandon third-party antimalware solutions in favor of Windows Defender. (Note: I’m using antimalware even though the official name is “Windows Defender Antivirus” because viruses are a subset of malware.)
In the past dozen years, businesses’ need for comprehensive cybersecurity has skyrocketed. In response, Microsoft has continued to improve Windows Defender. As IT pros roll out Windows 10, they are reevaluating their need for third-party antimalware.
Is Windows Defender Grown Up Enough?
Instead of being coy, I’ll tell you flat out: yes. Windows Defender is good enough to replace third-party antimalware in most businesses, regardless of size. This does not mean it’s the right choice for every business, but it’s a viable option.
Now let’s talk about why! The logic is not very intuitive, so I’ll break it down. It starts with this premise:
Traditional antimalware software—whether Windows Defender or third party—cannot be your primary endpoint protection anymore.
For many years, traditional antimalware software was the backbone of Windows application security. At the core of these technologies is an engine that looks for software on your system—both on disk and in memory—that matches patterns of malware. The search for malware can be more sophisticated than just matching patterns, but that’s historically been the heart of it.
The patterns are stored in a definition file. You can think of it as a catalog of data used to identify malware. That definition file is frequently updated and distributed to all endpoints.
You are probably aware of more advanced antimalware solutions that use things like real-time telemetry, cloud databases, and artificial intelligence. One example of these is Microsoft Advanced Threat Protection (ATP), though many third-party solutions compete here too. This blog references only traditional antimalware engines, where Windows Defender competes.
If you suggest using Windows Defender, some IT pros may argue, “Third-party antimalware solutions catch 99% of malware, and Windows Defender only catches around 94%. So why would I use Windows Defender?” While the exact numbers may vary, nobody disputes that third-party engines catch more malware than Windows Defender.
This is where it gets interesting …
All the major antimalware providers find more than 1,000,000 new malware samples every day.
Whoa, what!? Yes, it’s right here on Sami’s slide from the webinar.
So, even at 99% coverage, an antimalware engine is missing more than 10,000 different pieces of malicious software every day. That’s a lot of pieces of badness flying under your radar daily. It only takes one to compromise your organization.
Protecting your company’s applications fully requires additional measures. These start with using other Windows 10 security features such as application whitelisting, exploit protection and many others. You may want to deploy other types of third-party security software (beyond antimalware). Plus you’ll need to apply a myriad of best practices throughout your organization.
In the context of this bigger picture, Windows Defender makes sense:
- It will catch the overwhelming majority of malware
- It’s distributed and updated as a part of Windows 10 itself
- A strong security strategy does not rely on antimalware to catch everything
What’s the Catch?
Windows Defender’s biggest disadvantage is that it does not have a centralized logging and alerting system. This can, however, be mitigated in several different ways:
- Microsoft System Center Endpoint Protection can address this need for businesses using Microsoft System Center Configuration Manager
- Companies using Microsoft can set up alerting through Windows Defender ATP
- A third-party security information and event management (SIEM) system can track Windows Defender activity and provide alerting
- Event forwarding (aka log forwarding) may be a good option as well for smaller companies
For organizations that don’t have an advanced solution for managing centralized logging and alerting from Windows Defender, log forwarding is a viable option. Log forwarding was originally released as part of Windows Vista, so it’s been around for a while.
Basically, you allocate a centralized server (the event collector) for Windows Defender alerting and management. Use group policy to forward events from every client to that server. Then create a scheduled task on the server that runs a PowerShell script to evaluate the forwarded events and send an email or take other action when an alert is merited.
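As an added illustration of the collector-side script described above (this is example code, not part of the original post), the following PowerShell reads Windows Defender detection events out of the collector’s ForwardedEvents log and emails a summary. It assumes event forwarding is already configured (on the collector with `wecutil qc`, and on clients through the “Configure target Subscription Manager” group policy under Computer Configuration > Administrative Templates > Windows Components > Event Forwarding). Event IDs 1116 (malware detected) and 1117 (action taken) are real Windows Defender event IDs; the EventData field names “Threat Name”, “Path” and “Detection User” are assumed from typical Defender events and fall back to the raw message if absent. The mail server, addresses and lookback window are placeholders you would replace.

```powershell
# Example collector-side alerting script (not from the original post).
# Assumptions: clients forward Windows Defender events to this server's
# ForwardedEvents log; the SMTP details below are placeholders.
param(
    [int]    $LookbackMinutes = 60,                       # how far back to scan
    [string] $SmtpServer      = 'smtp.example.invalid',   # placeholder
    [string] $From            = 'defender-alerts@example.invalid',  # placeholder
    [string] $To              = 'secops@example.invalid'  # placeholder
)

# Pull a named EventData field out of an event's XML; $null if missing.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string] $Name)
    $xml = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' } else { return $null }
}

# Collect Defender detection (1116) and remediation (1117) events that
# clients forwarded during the lookback window.
function Get-DefenderDetections {
    param([int] $Minutes)
    $filter = @{
        LogName      = 'ForwardedEvents'
        ProviderName = 'Microsoft-Windows-Windows Defender'
        Id           = 1116, 1117
        StartTime    = (Get-Date).AddMinutes(-$Minutes)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Field names assumed from typical Defender events; fall back to Message.
        $threat = Get-EventDataField -Event $e -Name 'Threat Name'
        $path   = Get-EventDataField -Event $e -Name 'Path'
        $user   = Get-EventDataField -Event $e -Name 'Detection User'
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName          # the forwarding client
            EventId  = $e.Id                   # 1116 = detected, 1117 = action taken
            Threat   = if ($threat) { $threat } else { ($e.Message -split "`n")[0] }
            Path     = $path
            User     = $user
        }
    }
}

# Render a plain-text summary suitable for an email body or ticket.
function Format-DetectionReport {
    param([object[]] $Detections)
    $lines = foreach ($d in $Detections) {
        '{0:u}  {1,-20}  {2}  {3}  {4}  {5}' -f $d.Time, $d.Computer, $d.EventId, $d.Threat, $d.Path, $d.User
    }
    return ("Windows Defender events in the last window:`n`n" + ($lines -join "`n"))
}

$detections = @(Get-DefenderDetections -Minutes $LookbackMinutes)
if ($detections.Count -gt 0) {
    $body = Format-DetectionReport -Detections $detections
    # Only alert when there is something to report; silence otherwise.
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject ("Windows Defender: {0} event(s) across {1} host(s)" -f $detections.Count, ($detections.Computer | Sort-Object -Unique).Count) `
        -Body $body
}
```

Schedule this on the collector with Task Scheduler (for example every hour, matching `$LookbackMinutes`) so the window it scans lines up with how often it runs. Keying on 1116/1117 keeps the alert focused on actual detections rather than the far noisier signature-update and scan-completed events that Defender also logs.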
Yes, Windows Defender Is All Grown Up
Windows Defender is a mature technology that is more than adult enough for your company to rely on. Even large enterprises can adopt it, though that doesn’t mean they should. Your organization’s technologies, challenges and processes are unique. Nobody can rightfully tell you “xyz is the best antimalware in all cases.”
That said, you can’t ignore Windows Defender anymore! It may make your life a little easier because it’s built into Windows. So if you can make it work, it could free up some time you now spend managing antimalware engines. Then you can use that time to work on the million other cybersecurity tasks on your list!