Having the right cybersecurity strategy requires a delicate balance between protection and convenience. The scale tips and topples when one side outweighs the other. In the world of security, the scale has typically leaned towards convenience for the purpose of business operability and efficiency. Unfortunately, a focus heavily weighted too far on convenience can result in massive security incidents and data breaches.
The Microsoft Detection and Response Team (DART) wants to help all organizations avoid common mistakes and issues we see when handling customers' security incidents and breaches. In this blog, we would like to share lessons learned from commonly seen gaps specific to endpoint security. Understanding this can help you prioritize your security controls and processes.
Note: The information in this post is recommended for administrators, such as security architects, support staff, and leadership, who deal with security solutions. Consider these recommendations and decide whether they are being applied, or whether sufficient justification against implementing these recommendations exists.
Understanding the effect of third-party antivirus and Microsoft Defender Antivirus coexistence
On Windows 10 devices, Microsoft Defender Antivirus ships as part of the OS and is enabled by default. However, on endpoints protected by a non-Microsoft antivirus (AV) or antimalware application, Microsoft Defender Antivirus automatically disables itself. Identifying the current AV solution in place, and any secondary support, is imperative to understanding what level of protection you have and which solutions are turned on and actively protecting your organization. When DART arrives on site, often the first question from the customer is "why didn't Defender stop this?" Microsoft Defender Antivirus has entire teams dedicated to threat intelligence updates, real-time analysis, and detection support. Having another AV in place as the primary solution disables Microsoft Defender Antivirus and all of this backend support. (See 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint.)
On Windows 10 client devices that are enrolled with Microsoft Defender for Endpoint and have a non-Microsoft antivirus solution as the primary AV, Microsoft Defender Antivirus operates in passive mode, allowing the primary AV to handle real-time protection. Important: while in passive mode, Microsoft Defender Antivirus does not provide real-time protection and does not remediate threats. Customers should still keep Microsoft Defender Antivirus up to date, even in passive mode, through security intelligence updates and product updates. There are many reasons for doing so. One is that if an attacker manages to disable the primary third-party antivirus, Defender Antivirus may detect the missing primary antivirus and start itself to protect the system, acting as a backup antivirus. Isolation and remediation are handled by the Endpoint Detection and Response (EDR) component of Defender for Endpoint. In fact, most investigations begin with EDR: suspicious activity on an endpoint is sandboxed, and security operators can analyze it afterwards. AV can only block known threats; behavior-based threats need the advanced defensive capability that EDR technology provides.
On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not automatically enter passive mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product on Windows Server, you should set Microsoft Defender Antivirus to passive mode manually to prevent problems caused by having multiple antivirus products installed on a machine. Having multiple antivirus solutions on a system may strain resources and cause performance issues.
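The three paragraphs above leave an administrator with a practical question: on a given endpoint, which AV is actually active, is Defender Antivirus in passive mode, is it still receiving updates, and is the Defender for Endpoint sensor there to take over? The following PowerShell script is an added example (it is not from the DART post and is not a Microsoft-published tool) that answers those questions from the local machine. It assumes the Defender PowerShell module is available (Get-MpComputerStatus), that the Defender for Endpoint sensor runs as the Sense service, and that the script is run elevated when -SetPassive is used; the ForceDefenderPassiveMode registry value is the documented way to put Defender Antivirus into passive mode on Windows Server.

```powershell
<#
  Added example (not part of the original DART post): report the antivirus state of
  this Windows device and, on Windows Server, optionally set Defender Antivirus to
  passive mode. Run as Administrator when using -SetPassive.
#>
[CmdletBinding()]
param(
    # Windows Server only: write the documented ForceDefenderPassiveMode value (DWORD 1).
    [switch]$SetPassive
)

# Workstation SKUs report ProductType 1; 2 (domain controller) and 3 are servers.
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

# 1. Defender Antivirus' own view of how it is running.
$status = Get-MpComputerStatus
$report = [ordered]@{
    ComputerName        = $env:COMPUTERNAME
    IsServer            = $isServer
    AMRunningMode       = $status.AMRunningMode      # e.g. "Normal", "Passive Mode", "EDR Block Mode"
    AntivirusEnabled    = $status.AntivirusEnabled
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    SignatureAgeDays    = $status.AntivirusSignatureAge
    IsTamperProtected   = $status.IsTamperProtected
}

# 2. On client SKUs, Windows Security Center lists every registered AV product, which
#    shows the third-party AV that pushed Defender Antivirus into passive mode.
if (-not $isServer) {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $report.RegisteredAV = ($products | ForEach-Object {
        # productState is a bit field; bit 0x1000 set means the product is enabled.
        $enabled = ($_.productState -band 0x1000) -ne 0
        '{0} ({1})' -f $_.displayName, $(if ($enabled) { 'enabled' } else { 'disabled' })
    }) -join '; '
}

# 3. The Defender for Endpoint sensor (Sense service) is what provides EDR isolation
#    and remediation when Defender Antivirus is passive.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$report.MDESensorRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

# 4. Windows Server does not switch to passive mode on its own; check (and optionally
#    set) the ForceDefenderPassiveMode policy value.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$current = (Get-ItemProperty -Path $regPath -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
$report.ForceDefenderPassiveMode = if ($null -eq $current) { 'not set' } else { $current }

if ($SetPassive) {
    if (-not $isServer) {
        Write-Warning 'ForceDefenderPassiveMode applies to Windows Server; Windows 10 clients switch automatically.'
    } else {
        if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        New-ItemProperty -Path $regPath -Name ForceDefenderPassiveMode -PropertyType DWord -Value 1 -Force | Out-Null
        $report.ForceDefenderPassiveMode = 1
    }
}

# 5. Flag the two gaps the post warns about: a passive Defender Antivirus that is no
#    longer being updated, and a passive Defender Antivirus with no EDR sensor behind it.
$passive = $report.AMRunningMode -like '*Passive*'
if ($passive -and $report.SignatureAgeDays -gt 7) {
    Write-Warning ("Defender Antivirus is passive and its security intelligence is {0} days old; keep it updated so it can act as backup AV." -f $report.SignatureAgeDays)
}
if ($passive -and -not $report.MDESensorRunning) {
    Write-Warning 'Defender Antivirus is passive and the Defender for Endpoint sensor is not running: no EDR isolation or remediation is available on this device.'
}

[pscustomobject]$report
```

Run it without parameters on a sample of endpoints (for example through your existing remote-execution tooling) to build the inventory the post asks for; the output object is easy to collect into a CSV across a fleet. The SecurityCenter2 namespace does not exist on Windows Server, which is why that step is skipped there and the registry value is checked instead.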
What you get with Microsoft Defender Antivirus and Defender for Endpoint
While customers can use a non-Microsoft antivirus solution with Defender for Endpoint if they choose to, using Defender Antivirus and Defender for Endpoint together amplifies endpoint protection and maximizes the return on investment with the following capabilities:
In a recent DART incident response scenario, a customer had a third-party antivirus solution in place and was working on a proof-of-concept for Defender for Endpoint using Windows 7. For several days, there were no seriously alarming detections. One day, a well-known credential theft tool was detected by Defender for Endpoint, and an immediate investigation was launched in response. During the investigation, it became clear that the credential theft tool had been written in a particular way and stored in an exclusion folder to completely avoid the third-party antivirus. After much tracing, it turned out that the workstations that were initially infected had raised multiple alerts from the third-party antivirus. Nobody had seen those alerts, because the warnings weren't forwarded anywhere and Microsoft Defender Antivirus was in passive mode. The attacker was eventually able to produce a tool that avoided antivirus detection and managed to steal high-privileged account credentials, leading to data exfiltration. The investigation was only triggered when a Windows 10 machine was set up in the environment with Microsoft Defender Antivirus active and onboarded to Microsoft Defender for Endpoint; Defender was able to quickly detect the malware based on its malicious behaviors.
Defender for Endpoint sensors are designed to work together as part of a single solution, actively sharing data with each other and with other Microsoft security stack products. Introducing non-Microsoft sensors can reduce the value of alerts and incident intelligence. As discussed in this article, there are multiple advantages to combining Microsoft Defender Antivirus and Defender for Endpoint. With these key points in mind, it may well be worth your time to review your organization's current antivirus and EDR solution.
So many times, I have heard from customers’ operations and administrators that they don’t know what AV products they are using, how to configure their AV solutions, how to troubleshoot their AV solutions, how many different AV solutions they support, and so on. Because having too many AV vendors can be an operational risk, consider reducing the number of AV vendors your organization uses.
If you're still not convinced of the value of running both Microsoft Defender Antivirus and Microsoft Defender for Endpoint, you can still get an added layer of protection with EDR in block mode. EDR in block mode is designed to block malicious post-breach behavior that the primary antivirus solution might miss. You can read more about this feature in our documentation as well as our recent blog post.
If you’re not yet taking advantage of Microsoft Defender for Endpoint’s industry leading security optics and detection capabilities, we encourage you to sign up for a free trial today.
Thank you.
References
Microsoft Defender for Endpoint
More information on next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
Microsoft Defender Antivirus compatibility
Tamper protection
Behavioral blocking and containment: Transforming optics into protection
Feedback-loop blocking
Endpoint detection and response (EDR) in block mode
Turn on block at first sight
Enable block at first sight to detect malware in seconds