Have you heard of Microsoft Defender for Endpoint?

Microsoft has included antivirus with their operating systems for many years, but in my experience very few businesses run Defender as their primary antivirus platform. Even though Defender Antivirus is a good product, it has been difficult to manage across a business, doesn’t have a dedicated console and is missing more advanced features like web content filtering.

I’m sure many people are surprised to hear that Microsoft does actually have a full-featured product designed for business, with a dedicated console. It’s called Microsoft Defender for Endpoint and is like Defender antivirus on steroids, with more advanced Endpoint Detection and Response (EDR) capabilities. EDR products use advanced behavioural techniques to help detect and stop more advanced threats like fileless malware. They also provide visibility and a history of activities like user login activities, network activities and file system changes, so a breach can be investigated.

Why haven’t you heard of Defender for Endpoint?

For starters it was just rebranded from Microsoft Defender Advanced Threat Protection (ATP), and was Windows Defender ATP before that. If you are looking online for further information on the product, the Microsoft Defender ATP name will still be predominant. Up until early last year it was also only available as part of Windows E5, meaning it wasn’t even a consideration for many businesses. It can now be purchased standalone, which makes it far more accessible and a genuine option for many businesses.

A huge advantage of Defender for Endpoint is that it’s built into Windows and doesn’t require any additional software to be installed. It’s also supported on macOS, Linux and mobile platforms, although capabilities differ between operating systems and are more limited on non-Windows devices.
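Because the sensor ships with Windows rather than as a separate install, the practical check on a device is whether that built-in sensor is present, running and onboarded to a tenant. The following PowerShell is an added example written for this post, not code from Microsoft or the original article; it assumes the sensor service is named `Sense` and that onboarding is recorded under the `Windows Advanced Threat Protection\Status` registry key with `OnboardingState` set to 1, and it uses the `Get-MpComputerStatus` cmdlet from the built-in Defender module for the antivirus side.

```powershell
# Added example (not from the original post): report whether the built-in
# Defender for Endpoint sensor is present, running and onboarded on this device.
# Assumptions: the sensor service is 'Sense' and OnboardingState = 1 under the
# Status key means the device has been onboarded to a tenant.
function Get-DefenderForEndpointState {
    $serviceName = 'Sense'
    $statusKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Sensor service: absent on builds that do not carry Defender for Endpoint.
    $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    $serviceState = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }

    # Onboarding state: missing value means the onboarding package was never run.
    $onboarding = Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue
    if ($null -eq $onboarding) {
        $onboardingState = 'NotOnboarded'
    } elseif ($onboarding.OnboardingState -eq 1) {
        $onboardingState = 'Onboarded'
    } else {
        $onboardingState = "Unexpected($($onboarding.OnboardingState))"
    }

    # Defender Antivirus status from the built-in Defender module; EDR depends on
    # the AV engine being enabled for real-time protection, so report it alongside.
    $av = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SensorService       = $serviceState
        Onboarding          = $onboardingState
        AntivirusEnabled    = if ($av) { $av.AntivirusEnabled } else { $null }
        RealTimeProtection  = if ($av) { $av.RealTimeProtectionEnabled } else { $null }
        EngineVersion       = if ($av) { $av.AMEngineVersion } else { $null }
    }
}

Get-DefenderForEndpointState | Format-List
```

Run it in an elevated PowerShell session on a domain-joined or Intune-managed device; a `SensorService` of `NotInstalled` or an `Onboarding` of `NotOnboarded` is the signal that the device is protected by Defender Antivirus alone and is not reporting into the Defender for Endpoint console.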

Some features I like:

  • It has Vulnerability Management built in and will discover and report on vulnerabilities and misconfigurations on endpoints. Your environment is given an overall exposure score, and recommendations to mitigate vulnerabilities, such as updating an application or deploying a hardened configuration. Vulnerabilities are provided with a CVE reference. A welcome addition is a software inventory, so you can drill down to vulnerabilities and impacted devices on a particular piece of software.

  • An Automated Investigation capability is included, meaning that the system will automatically launch an investigation when a threat is detected and remediate if required. My experience with this component has been very good and it has definitely decreased the manual effort involved in an investigation. The devices involved, logs, findings and any pending actions are all clearly laid out.

  • The Web Protection component that stops access to phishing and malware sites now includes category based web content filtering. This is something that was added to the product recently and is still in beta, but it shows that Microsoft are committed to providing a full featured product.

[Image: Defender web content filtering]

[Image: Defender exposure score]

[Image: Defender automated investigation]

Microsoft Defender for Endpoint is now more accessible as it can be purchased standalone. If you run a Microsoft shop, then the simplicity of deployment and integration with other Microsoft tools means it’s well worth considering, particularly if you are looking to move beyond traditional antivirus and implement an EDR with a broader set of security capabilities.