Having the right cybersecurity strategy requires a delicate balance between protection and convenience: the scale tips and topples when one side outweighs the other. In the world of security, the scale has typically leaned towards convenience for the sake of business operability and efficiency. Unfortunately, a posture weighted too heavily toward convenience can result in massive security incidents and data breaches.
The Microsoft Detection and Response Team (DART) wants to help all organizations avoid the common mistakes and issues we see when handling customers’ security incidents and breaches. In this blog, we share lessons learned from the gaps we most often see in endpoint security. Understanding them can help you prioritize your security controls and processes.
Note: The information in this post is intended for the people who own security solutions: administrators, security architects, support staff, and leadership. Consider each recommendation and decide whether it is already applied, or whether a documented justification for not implementing it exists.
Understanding the effect of third-party antivirus and Microsoft Defender Antivirus coexistence
On Windows 10 devices, Microsoft Defender Antivirus ships as part of the OS and is enabled by default. However, on endpoints protected by a non-Microsoft antivirus (AV) or antimalware application, Microsoft Defender Antivirus automatically steps aside: it disables itself, or runs in passive mode when the device is onboarded to Defender for Endpoint, as described below. Identifying the current AV solution in place, and any secondary support, is imperative to understanding what level of protection you have and which solutions are turned on and actively protecting your organization. When DART arrives on site, often the first question from the customer is “why didn’t Defender stop this?” Microsoft Defender Antivirus has entire teams dedicated to threat intel updates, real-time analysis, and detection support; making another AV the primary engine sets Microsoft Defender Antivirus aside along with all of this backend support. (See 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint.)
On Windows 10 client devices that are onboarded to Microsoft Defender for Endpoint and have a non-Microsoft antivirus solution as the primary AV, Microsoft Defender Antivirus operates in passive mode and leaves real-time protection to the primary AV. Important: in passive mode, Microsoft Defender Antivirus does not provide real-time protection and does not remediate threats. Even so, keep Microsoft Defender Antivirus current while it is in passive mode through security intelligence updates and product updates. There are several reasons to do so; one is that if an attacker manages to disable the primary third-party antivirus, Defender Antivirus can detect that the primary antivirus is gone and re-enable itself to protect the system, acting as a backup antivirus. Isolation and remediation are handled by the endpoint detection and response (EDR) component of Defender for Endpoint. In fact, most investigations begin with EDR, because suspicious activity on an endpoint is recorded and surfaced for security operators to analyze. Antivirus on its own is strongest against known threats; detecting attacks by their behavior needs the telemetry and analytics that EDR provides.
On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not automatically enter passive mode when a third-party antivirus product is installed. If you install a third-party antivirus product on Windows Server, set Microsoft Defender Antivirus to passive mode manually to prevent the problems caused by running multiple antivirus products on one machine: two active engines strain resources and cause performance issues.
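The first thing to establish on any device, as the paragraphs above argue, is which engine is actually protecting it. The following PowerShell is an added example, not code from the DART post: it reports the Defender Antivirus running mode and signature age from Get-MpComputerStatus, lists any other registered AV on client SKUs, and, for a Windows Server 2016/2019 host that runs a third-party AV, forces passive mode through the documented ForceDefenderPassiveMode registry value. The function names are this example's own; the productState bit used to read a third-party product's real-time state is an undocumented, community-observed encoding and is labeled as such in the code.

```powershell
# Added example, not code from the DART post. Run in an elevated PowerShell session
# on Windows 10 or Windows Server 2016/2019 with the Defender module available
# (Get-MpComputerStatus and Update-MpSignature ship with Microsoft Defender Antivirus).

function Get-DefenderCoexistenceState {
    # Get-MpComputerStatus reports how Defender AV is really running. AMRunningMode
    # (present on current platform versions) is 'Normal', 'Passive Mode',
    # 'EDR Block Mode', 'SxS Passive Mode' or 'Not running'.
    $status = Get-MpComputerStatus
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem   # ProductType 1 = client SKU

    $thirdParty = @()
    if ($os.ProductType -eq 1) {
        # root/SecurityCenter2 exists only on client SKUs and lists every registered AV.
        # productState is undocumented: bit 0x1000 is the community-observed
        # "real-time protection on" flag, so treat it as a hint rather than proof.
        $thirdParty = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
            Where-Object { $_.displayName -notmatch '^(Windows|Microsoft) Defender' } |
            ForEach-Object {
                $rt = if ($_.productState -band 0x1000) { 'on' } else { 'off' }
                '{0} (real-time {1})' -f $_.displayName, $rt
            }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsServer             = ($os.ProductType -ne 1)
        AMRunningMode        = $status.AMRunningMode
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        TamperProtected      = $status.IsTamperProtected
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        ThirdPartyAV         = (@($thirdParty) -join '; ')
    }
}

function Set-DefenderPassiveMode {
    # Windows Server 2016/2019 do not hand off to a third-party AV on their own, so
    # passive mode is forced through the documented ForceDefenderPassiveMode value,
    # which applies to servers onboarded to Defender for Endpoint. Client SKUs switch
    # automatically and are refused here so the key is not set where it is not needed.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        throw 'Client SKU: Defender AV enters passive mode on its own when another AV registers.'
    }
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name ForceDefenderPassiveMode -PropertyType DWord -Value 1 -Force | Out-Null

    # A passive-mode engine is only a useful backup if its security intelligence is current.
    Update-MpSignature
    Get-DefenderCoexistenceState
}

# Usage: inventory first; force passive mode only on servers that actually run another AV.
$state = Get-DefenderCoexistenceState
$state | Format-List
if ($state.IsServer -and $state.AMRunningMode -eq 'Normal') {
    Write-Warning 'Server with Defender AV active: if a third-party AV is installed, run Set-DefenderPassiveMode.'
}
```

On servers the root/SecurityCenter2 namespace is absent, so confirm the third-party product from its own console before forcing passive mode, and verify afterwards with Get-MpComputerStatus, whose AMRunningMode should report passive mode (a restart may be needed before the change shows). For servers that will not be onboarded to Defender for Endpoint, Microsoft's guidance is to uninstall the Windows Defender feature rather than leave two engines active.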
What you get with Microsoft Defender Antivirus and Defender for Endpoint
While customers can use a non-Microsoft antivirus solution with Defender for Endpoint if they choose to, using Defender Antivirus and Defender for Endpoint together amplifies endpoint protection and maximizes the return on investment with the following capabilities:
- Feedback-loop blocking: Also referred to as rapid protection, feedback-loop blocking is a component of the behavioral blocking and containment capabilities in Microsoft Defender for Endpoint. When Microsoft Defender Antivirus detects a suspicious behavior or file, information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects it and correlates it with other signals to decide whether to block the file. Checking and classifying artifacts happens quickly, resulting in rapid blocking of confirmed malware that drives protection across the entire ecosystem. With feedback-loop blocking, devices across your organization are better protected from attacks.
- Network protection: Network protection lets customers allow or block specific URLs and IP addresses, either manually or via threat intelligence feeds, and prevents applications from reaching malicious domains. It requires Microsoft Defender Antivirus real-time protection and cloud-delivered protection to be enabled. Detailed information about network protection events and blocks can be viewed and analyzed in the Microsoft Defender Security Center, where security teams can also run advanced hunting queries for a more proactive approach.
- Block at first sight: Block at first sight detects and blocks new malware within seconds. When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend, which applies heuristics, machine learning, and automated analysis to determine whether the file is malicious. The feature is enabled by default once its prerequisites, cloud-delivered protection and sample submission, are enabled, and it will not work without Microsoft Defender Antivirus.
- Detect and block potentially unwanted applications: Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they may perform actions on endpoints that adversely affect performance or use. PUA can also refer to an application with a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior. In Microsoft Edge, PUA download blocking is powered by Microsoft Defender SmartScreen; on the endpoint, Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them, and moves blocked files to quarantine.
- Attack surface reduction, controlled folder access, SmartScreen: Preventive blocking capabilities such as attack surface reduction rules, controlled folder access, and SmartScreen alerts will not work without Microsoft Defender AV. Microsoft Defender AV with SmartScreen enabled provides a rich source of signals to Defender for Endpoint, as well as process-chain information in alerts. This includes events such as potential credential theft from LSASS, execution of files that Microsoft rates as low reputation, potential ransomware execution, and more.
- Audit logs: Without Microsoft Defender Antivirus, its audit events are not generated, so basic functions such as tracking which machines have up-to-date antivirus definitions are unavailable to administrators. In one case we investigated, a gap in audit logging led to domain compromise. The attacker compromised a standard user’s machine and downloaded malware to it. Microsoft Defender Antivirus can catch and report attackers reusing known malware, but without proper auditing those reports never reach administrators. As a result, the attacker can keep testing malware until one sample slips past the antivirus, then reuse that sample to attack other machines.
- Detailed information on blocked malware: When Microsoft Defender Antivirus blocks a file, the alert, the assessment of machine risk, and the actions taken across the organization are recorded, which provides accountability and traceability. You can allow or block a file directly from Microsoft Defender for Endpoint, and request a download of or collect the file. If a third-party solution blocks malware, your organization has much less visibility and fewer response actions available.
- Microsoft Secure Score for devices: Microsoft Secure Score measures an organization’s security posture; a higher number indicates more improvement actions taken. Many of its components require Microsoft Defender Antivirus to collect the underlying system data, so they are limited without it and the available detail drops significantly. For example, “Top exposed devices” can be inaccurate when a third-party antivirus solution is used. Microsoft Defender Antivirus supplies details such as when a device was last scanned for malware and when its antivirus signatures were updated, giving Secure Score richer context and a better assessment of the organization’s posture.
- Compliance and geolocation: Microsoft Defender Antivirus and Defender for Endpoint, the components within Microsoft Defender, and the geolocation of their data are covered by the same ISO 27001 compliance. When you use the Defender for Endpoint platform, you get documented data sovereignty, ISO compliance, and data retention terms. You avoid the risk of a third-party vendor operating at a different level of compliance, and the task of validating that vendor’s compliance yourself.
- Better threat intel: Because of our deep integration across components, Microsoft Defender Antivirus learns from Defender EDR detections, and vice versa. With Microsoft Defender Antivirus, suspicious files can be collected and sent to Microsoft for analysis. The result is that Microsoft products can share the signals across the enterprise and globally to be a stronger single platform.
- Tamper protection: Many bad actors attempt to disable security features, including antivirus protection, to expedite their malicious activity. Our investments in tamper protection help to harden systems against these tactics. Microsoft Defender Antivirus together with Microsoft Defender for Endpoint lets security teams detect and manage tampering attempts on endpoints. Tampering alerts are raised in the Microsoft Defender Security Center, giving security teams an additional data point for understanding an attack, as well as the ability to investigate and resolve these attempts.
- Industry-leading endpoint security: Organizations are looking to use best-of-breed solutions while also simplifying their security. Microsoft Defender for Endpoint has been recognized by industry analysts as a leading endpoint security product, and we are proud of our performance and coverage in the MITRE ATT&CK evaluations. Additionally, Microsoft Defender’s antimalware capabilities have consistently achieved high scores in independent AV tests such as AV-TEST, AV-Comparatives, and SE Labs.
In a recent DART incident response engagement, a customer had a third-party antivirus solution in place and was running a proof of concept of Defender for Endpoint on Windows 7. For several days there were no alarming detections. Then Defender for Endpoint raised a warning for a well-known credential theft tool, and an investigation was started immediately. During the investigation, it became clear that the credential theft tool had been crafted specifically to evade the third-party antivirus and was stored in a folder that antivirus excluded from scanning. After much tracing, it turned out that the initially infected workstations had generated multiple alerts in the third-party antivirus, but nobody saw them: the warnings weren’t forwarded anywhere, and Microsoft Defender Antivirus was in passive mode. The attacker was eventually able to produce a tool that evaded antivirus detection, stole high-privileged account credentials, and exfiltrated data. The investigation was triggered only when a Windows 10 machine with Microsoft Defender Antivirus active was set up in the environment and onboarded to Microsoft Defender for Endpoint; Defender quickly detected the malware from its malicious behavior.
Defender for Endpoint sensors are designed to work together as part of one solution, actively sharing data with each other and with other products in the Microsoft security stack. Introducing non-Microsoft sensors can reduce the value of alerts and incident intelligence. As this article has shown, there are multiple advantages to combining Microsoft Defender Antivirus and Defender for Endpoint, and it may well be worth your time to review your organization’s current antivirus and EDR solution.
Many times I have heard from customers’ operations staff and administrators that they don’t know which AV products they are using, how to configure or troubleshoot their AV solutions, how many different AV solutions they support, and so on. Because having too many AV vendors is an operational risk, consider reducing the number of AV vendors your organization uses.
If you’re still not convinced of the value of running both Microsoft Defender Antivirus and Microsoft Defender for Endpoint, you can still get an added layer of protection with EDR in block mode. EDR in block mode is designed to block malicious post-breach behavior that the primary antivirus solution might miss. You can read more about this feature in our documentation and in our recent blog post.
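The capabilities listed above all depend on Microsoft Defender Antivirus settings that can drift or be switched off, and the incident just described shows how an antivirus exclusion becomes an attacker's safe folder. The following PowerShell is an added example, not code from the DART post: it reads Get-MpPreference and Get-MpComputerStatus, reports which of those capabilities are off together with the Set-MpPreference call that turns them on, checks that the attack surface reduction rule for LSASS credential theft (GUID taken from Microsoft's ASR rules reference) is in block mode, and flags exclusions that are broad or user-writable. The function name and the "risky exclusion" patterns are this example's own heuristics, not Microsoft's.

```powershell
# Added example, not code from the DART post. Read-only by default; -Remediate applies
# the listed Set-MpPreference/Add-MpPreference fixes. Requires an elevated session.

function Test-DefenderProtectionBaseline {
    [CmdletBinding()]
    param([switch]$Remediate)

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Each check: a capability the post says needs Defender AV, its current value, and the fix.
    # Numeric values follow the Get-MpPreference documentation (MAPSReporting 2 = Advanced;
    # SubmitSamplesConsent 1 = send safe samples, 3 = send all; Enable*/PUAProtection 1 = Enabled).
    $checks = @(
        @{ Name = 'Real-time protection';       Pass = (-not $pref.DisableRealtimeMonitoring); Actual = $pref.DisableRealtimeMonitoring
           Fix  = { Set-MpPreference -DisableRealtimeMonitoring $false } }
        @{ Name = 'Cloud-delivered protection'; Pass = ($pref.MAPSReporting -eq 2);            Actual = $pref.MAPSReporting
           Fix  = { Set-MpPreference -MAPSReporting Advanced } }
        @{ Name = 'Sample submission (block at first sight prerequisite)'; Pass = ($pref.SubmitSamplesConsent -in 1, 3); Actual = $pref.SubmitSamplesConsent
           Fix  = { Set-MpPreference -SubmitSamplesConsent SendSafeSamples } }
        @{ Name = 'Block at first sight';       Pass = (-not $pref.DisableBlockAtFirstSeen);   Actual = $pref.DisableBlockAtFirstSeen
           Fix  = { Set-MpPreference -DisableBlockAtFirstSeen $false } }
        @{ Name = 'Network protection';         Pass = ($pref.EnableNetworkProtection -eq 1);  Actual = $pref.EnableNetworkProtection
           Fix  = { Set-MpPreference -EnableNetworkProtection Enabled } }
        @{ Name = 'Controlled folder access';   Pass = ($pref.EnableControlledFolderAccess -eq 1); Actual = $pref.EnableControlledFolderAccess
           Fix  = { Set-MpPreference -EnableControlledFolderAccess Enabled } }
        @{ Name = 'PUA protection';             Pass = ($pref.PUAProtection -eq 1);            Actual = $pref.PUAProtection
           Fix  = { Set-MpPreference -PUAProtection Enabled } }
        @{ Name = 'Tamper protection';          Pass = ($status.IsTamperProtected -eq $true);  Actual = $status.IsTamperProtected
           Fix  = $null }   # managed from the Defender portal or Intune, not Set-MpPreference
    )

    # ASR rule "Block credential stealing from the Windows local security authority
    # subsystem (lsass.exe)"; GUID from Microsoft's ASR rules reference. Action 1 = Block.
    $lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    $ids    = @(@($pref.AttackSurfaceReductionRules_Ids) | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $idx    = [array]::IndexOf($ids, $lsassRule)
    $action = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }
    $checks += @{ Name = 'ASR: block credential theft from lsass.exe'; Pass = ($idx -ge 0 -and $action -eq 1); Actual = $action
                  Fix  = { Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule -AttackSurfaceReductionRules_Actions Enabled } }

    # Exclusions are where attackers park tooling, as in the incident above. These
    # "broad or user-writable" patterns are this example's heuristic, not a Microsoft list.
    $risky = '^[A-Za-z]:\\?$', '^\\\\', '\\Users\\', 'Temp', 'ProgramData', '\*'
    $exclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) | Where-Object { $_ }
    foreach ($ex in $exclusions) {
        $hit = @($risky | Where-Object { $ex -match $_ })
        $checks += @{ Name = "Exclusion: $ex"; Pass = ($hit.Count -eq 0)
                      Actual = $(if ($hit.Count) { 'broad or user-writable' } else { 'narrow' }); Fix = $null }
    }

    foreach ($c in $checks) {
        if (-not $c.Pass -and $Remediate -and $c.Fix) { & $c.Fix }
        [pscustomobject]@{
            Check  = $c.Name
            Pass   = $c.Pass
            Actual = $c.Actual
            Fix    = $(if ($c.Fix) { $c.Fix.ToString().Trim() } else { 'review manually / manage via Intune or the Defender portal' })
        }
    }
}

Test-DefenderProtectionBaseline | Format-Table -AutoSize -Wrap
```

With tamper protection on, Set-MpPreference changes to protected settings (real-time monitoring, cloud-delivered protection, and similar) are silently ignored, and values pushed by Group Policy or Intune override local preferences, so a failing check that -Remediate cannot fix points at the management channel rather than the device. Network protection and controlled folder access can also be set to AuditMode (value 2) first to measure impact before switching to block.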
If you’re not yet taking advantage of Microsoft Defender for Endpoint’s industry leading security optics and detection capabilities, we encourage you to sign up for a free trial today.
This article was written by Kim Hwee and originally appeared in the Microsoft Tech Community Blog.