Forum Discussion
Real-time protection in Windows Defender - How does it work?
Just turning on cloud protection and not sample submission would get you better protection from the metadata check we do. The metadata list can be found here:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide#examples-of-metadata-sent-to-the-cloud-protection-service
I would work with your privacy team on whether the information in the metadata check would still not allow you to use cloud protection without sample submission. You are missing out on a lot of the protection stack by not having cloud protection turned on.
Jake
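As an added illustration of the configuration Jake describes (cloud-delivered protection on, sample submission off, real-time protection on), the following audit script is not from the thread or from Microsoft; it assumes only the built-in Defender cmdlets (Get-MpPreference, Get-MpComputerStatus, Set-MpPreference) and an elevated PowerShell session on a host running Microsoft Defender Antivirus.

```powershell
# Added example: audit a host for "cloud protection ON, sample submission OFF,
# real-time protection ON" using the Defender PowerShell module.
# Assumption: Microsoft Defender Antivirus is installed and the shell is elevated.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# MAPSReporting:        0 = Disabled, 1 = Basic, 2 = Advanced (cloud protection on)
# SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
$findings = @()

if ($pref.MAPSReporting -eq 0) {
    $findings += "Cloud-delivered protection (MAPSReporting) is disabled."
}
if ($pref.SubmitSamplesConsent -ne 2) {
    $findings += "Sample submission is not NeverSend (current value: $($pref.SubmitSamplesConsent))."
}
if ($pref.DisableRealtimeMonitoring) {
    $findings += "Real-time monitoring is disabled in preferences."
}
if (-not $status.AMServiceEnabled) {
    $findings += "Antimalware service is not enabled."
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += "Real-time protection is reported as not running."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: cloud protection on, sample submission off, real-time protection on."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# To apply the recommended combination (cloud lookups without sending samples):
#   Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent NeverSend
```

On an isolated network such as the one George describes, the setting can be on while the cloud lookup never completes; this check reports configuration only and does not prove that the cloud service is reachable.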
- GeorgeCostache, Oct 13, 2021, Copper Contributor
Hello Jake_Mowrer,
Thank you for your answer, but it doesn't reply to my question - 'Is it possible for a user or application to access/read/copy/run/use in any way an infected file before being scanned?'
What if we have millions of received files with sizes varying from a few KB to 2 GB? This could be a real-life production scenario. I also worked for Microsoft and I would expect a clear answer - Yes, the real-time protection will ensure all files are scanned before they are accessed in any way. No user or application can read that file before it is scanned. Or No, you should wait 1 hour to be 100% sure before starting to process the files. The purpose of my question is to shorten the processing of European cases by 10 minutes per segment, which should decrease the waiting time at European level by millions of minutes per day in total.
I understand your explanation about the benefits of cloud features, but our servers do not communicate with the Internet, as they are part of a secure enclosed network. This was decided long ago by all participant countries after long debates and it is unlikely to be changed.
The only benefit I see in keeping the files on disk for 10 minutes is the hope that 'Detonation-Based ML Models' will analyze a suspicious file and detect it as a virus in this short interval (see the attached screen). But since we do not submit samples, this benefit is only theoretical.
Thanks again, but I am still waiting for clarifications on Real-time protection.
George