News Categories
Announcement (9) Amy Babinchak (64) Tips (1) SBS 2011 (6) Windows Essentials 2012 (4) Edwin Sarmiento (28) SQL Server (22) SQL Server 2012 (6) SQL Server Clustering (3) SQL Server Disaster Recovery (6) Windows Server 2008 Clustering (1) log shipping (1) Brian Higgins (3) Uncategorized (42) Hyper-V (67) Virtualization (13) Windows 8 (13) Cisco VPN Client (1) Windows Server 2012 (24) Friend of TT (4) Hangout (2) Office365 (4) DNS (8) Jeremy (7) Cliff Galiher (3) Active Directory (12) ClearOS (4) Linux (4) presentations (2) SQL PASS (6) Chris Matthews (4) Printers (2) SharePoint (8) SQL Server Administration (7) Windows PowerShell (3) recovery model (1) sql server databases (1) Dave Shackelford (7) SMB Nation (1) Steve (1) Boon Tee (5) Kevin Royalty (3) Lee Wilbur (2) Philip Elder (10) SMBKitchen Crew (31) Susan Bradley (15) AlwaysOn (1) AlwaysOn Availability Groups (4) readable secondaries (1) row versioning (1) undocumented (1) The Project (2) Webinar (3) Enterprise for SMB Project (9) Security (25) Remote Desktop Connection for Mac (1) Remote Desktop Services (8) Windows Server 2008 (1) Exchange (15) Powershell (6) Microsoft (15) Performance (7) data types (1) Server 2012 (1) monitoring (1) DevTeach (1) SQL Server High Availability and Disaster Recovery (5) Clusters (44) Hyper-V Server 2012 (2) Business Principles (26) Cost of Doing Business (13) DHCP (7) sbs (15) Windows Server (30) SMBKitchen (26) Windows Server 2008 R2 (4) StorageCraft (1) P2V (1) ShadowProtect (6) StorageCraft ShadowProtect (1) VHDs (1) Intel RAID (2) Intel Server System R2208GZ (1) Intel Server Systems (17) RAID (2) SAS (2) SATA (2) Server Hardware (12) Microsoft Licensing (2) OEM (2) System Builder Tips (4) Intel (5) Intel Channel Partner Program (4) Intel Product Support (10) Intel Server Boards (2) Intel Server Manager (2) Cloud (26) IT Solutions (2) On-Premises (20) SMB (9) WIndows Azure (2) StorageSpaces (1) Error (47) Error Fix (35) Intel Desktop Boards (2) Intel SSDs (2) SSD (2) Business Opportunity (17) Data Security (11) Identity Security (7) Information Security (14) Privacy (2) Intel Modular Server (6) Promise (2) Storage Systems (9) Live ID (2) Microsoft ID (4) User Profiles (2) Articles (2) Building Client Relationships (6) DBCC IND (2) DBCC PAGE (2) filtered indexes (2) SQL Server Index Internals (2) training (11) Adobe (3) Internet Street Smart (8) Intel Storage Systems (2) LSI Corp (2) LSI SAS6160 Switch (2) Storage Spaces (7) Firmware Update (2) Product Support (7) Hybrid Cloud Solutions (3) Server Core (2) MAXDOP (1) SharePoint 2013 (1) SharePoint best practices (1) SQL Server Authentication (1) Family (5) Alternatives (1) SBS 2011 Standard (4) Microsoft Small Business Specialist Community (2) Microsoft Surface (2) SBSC (2) Networking (4) Availability Groups (3) CANITPro (1) HA/DR (1) Step-By-Step: Creating a SQL Server 2012 AlwaysOn Availability Group (1) webcast (1) VMWare (2) Conferences (2) Client Focus (2) Disaster Recovery (6) Error Workaround (8) Troubleshooting (4) Logitech (2) Product Review (7) Windows Features (4) XBox Music (2) SBS 2008 All Editions (4) MDOP (2) Microsoft Desktop Optimization Pack (2) Software Assurance (2) W2012E (6) Windows Server 2012 Essentials (6) Internet Explorer (3) USB 3.0 (2) USB Hard Drive (2) Bug Report (2) Microsoft Office 365 (5) sharepoint online (2) BitLocker (2) Windows (2) Microsoft Update (3) Swing Migration (2) Windows Update (4) Outlook (2) Group Policy (9) WS2012e (2) WSUS (3) Office (3) Microsoft Downloads (5) Microsoft Office (3) DRP (3) Virtual Machines (2) Virtual Server Hardware (2) online course (1) SQL Server learning (7) 2 Factor Authentication (2) 2FA (2) PASS Summit 2013 (4) SQLPASS (5) Contest (1) e-learning (1) Udemy (1) smbtechfest (1) backups (2) PASS Summit First Timers (3) IIS (2) RD Gateway (4) RD RemoteApp (2) RDWeb (4) Remote Desktop Connection (2) Remote Web Access (2) Remote Web Workplace (2) Cryptolocker (6) Backup (4) Restore (2) CryptoLocker (1) AuthAnvil (1) SBS 2003 (1) SBS Migration (1) Windows Server 2012 R2 (9) Documentation (1) IE 11 (4) testimonials (11) SQL Server 2008 (1) Best Practices (1) Support (1) Intel Xeon Processor (1) RemoteApp (1) Android (1) iOS (1) Hyper-V Replica (2) PowerShell (2) SBS (3) Break (1) Business Intelligence (1) Excel 2013 (1) Power Map (1) Power Query (1) PowerBI (1) MultiPoint (2) Surface (1) Net Neutrality (1) Opinion (2) ASP (9) HP (2) Scale-Out File Server (8) SOFS (10) Windows Phone (1) Updates (1) Intel NUC (1) Intuit (1) QuickBooks (1) Office364 (1) Intel Server Systems;Hyper-V (1) Firewall (1) Patching (1) Mobile (1) Mobility (1) sharepoint (1) Microsoft Security (1) Beta (1) Storage Replication (1) outlook (1) Hyper-V Setup (3) JBOD (1) Azure (1) PCI (1) PCI DSS (1) PII (1) POS (1) MicroStaff (2) Catherine Barr (2) Third Tier (1) BeTheCloud (1) BrainExplosion (1) LookAWhale (1) Manuel (1) Rayanne (3) SuperSecretNews (1) TechYourBooks (3) Managed Services (1) Training (1) E-mail (1)
RSS Feed
It's time to take a fresh look at Windows Defender
Posted by Amy Babinchak on 29 March 2018 01:51 PM

Microsoft has stuck to it with Windows Defender. For several years it kind of sat there and didn’t do much. (I’m sure some Microsoft person just cringed.) But now it’s a full-fledged antivirus, antimalware, anti-ransomware protection machine that is built-in and free. It is specifically designed to protect Windows 10 and does so by protecting not only against drive-by downloads, definitions, and definition-less behavior tracking but it also protects against fileless malware running in memory via bad WMI, PowerShell, vbscript, and DLL’s. I’m going to argue that it’s the best way to protect your Windows 10 computers — in my MSP practice we’ve made the decision to not install any third party A/V onto Windows 10 computers. In fact, Defender was recently credited with averting what could have been a massive worldwide cyberattack.

For those of you who aren’t there yet, you should know that Microsoft has made a big deal about Defender playing nice with other antivirus applications, but what that means is that Defender takes a backseat and you lose some significant security features. Let’s take a look at what happens when you install another A/V product onto Windows 10.

Windows Defender passive mode

Windows Defender



Windows Defender has two modes, active and passive. The mode is switched automatically depending on whether another A/V is present on the machine or not. That other A/V has to be Defender aware. Certainly, by now they should all be, but you could encounter some that aren’t. I would call into question their modernity if that is the case.

Active mode: This is when Defender is on and no third-party A/V is installed. You get Enhanced rootkit and bootkit detection, offline scanning and cleaning, online scanning and cleaning, real-time protection from virus, malware, rootkits, and spyware. It also has cloud-delivered protection for near instant updates and dedicated protection based on Microsoft’s Big Data learning.

Passive mode: This is when a third party antivirus product is installed. When this occurs Windows Defender A/V will be disabled. However, you do have one option. You can manually enable something called “limited periodic scanning.” Consider it a fail-safe. When enabled, Defender will do a quick scan occasionally. To enable this open Windows Defender, go to Anti-Virus Protection Settings. Here you’ll see your antivirus software listed. Expand the Windows Defender options and toggle periodic scanning to On.

Many of the blogs you’ll see on the Internet say that Windows Defender antivirus gets disabled automatically when you install a third party A/V product. This is true, but it isn’t as straightforward as it sounds. What is frequently missed is an understanding that other defensive features are also disabled because they are part of the A/V feature set in Defender.

Malware protections get disabled, too


Below is a chart showing that attack surface reduction, network protection, and controlled folder access are also disabled when real-time protections are not enabled. (This is another way of saying that Defender is in passive mode.)

Windows Defender

You’ll note in the table above that Defender comes in two flavors. It’s either with ATP (Advanced Threat Protection) or without (standard). To get the ATM version, you need to have one of the following license types. For the rest of us, it’s the standard version of Defender, which is what I’m going to be talking about for the rest of this article because ATM is really a different animal that includes a single pane of glass management, threat hunting, remediation, and more.

  • Windows 10 Enterprise E5
  • Windows 10 Education E5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • ATM add-on

The real question is, of course, what did I really lose? To answer that question you need to understand what attack surface reduction, network protection, and controlled folder access do to protect Windows 10. We have the following definitions:

Attack surface reduction measures consist of:

  • Block executable content from email client and webmail.
  • Block Office applications from creating child processes.
  • Block Office applications from injecting into other processes.
  • Impede JavaScript and VBScript to launch executables.
  • Block execution of potentially obfuscated scripts.
  • Block Win32 imports from macro code in Office.

Controlled folder access is Microsoft’s answer to the ever-increasing number of ransomware infections. Controlled folder access allows only a list of known applications to write in user folders like Documents, Pictures, or the like. Users can extend the list of folders to protect and whitelist applications that are allowed to do file creation or editing.

Windows Defender Network Protection uses SmartScreen technology to block any executable from connecting to potentially malicious HTTP-based sources on the Internet. Network protection extends SmartScreen from an Internet Explorer and Edge solution to the system level, allowing protection of other browsers and potential malware.

And also potentially AMSI, too


The Anti-Malware Scanning Interface will be disabled as well. Your antivirus product may be modern enough to have picked up this functionality on its own. It was Microsoft’s intention that any third-party antimalware tool can use this interface. But if not, then you’ve also lost a very important tool. AMSI protects you against malicious code. As I type this, there is a rash of so-called fileless infections occurring. A fileless infection is when an attacker gains access to the machine (through brute force, phishing, social engineering…the usual culprits), launches PowerShell (for example) and loads their code into memory. No file was written to, there’s nothing on your machine except in RAM, from where it does its dirty work. AMSI is designed specifically to protect you from PowerShell scripts, group policy WMI calls, and VBscript that are obfuscated to hide from basic A/V products. AMSI views these in their plain state as they attempt to run, passes it through a filter to look for bad behavior, and stops it from running.

Test Defender


If you are the curious sort and would like to test Defender to see what is off, what is on, and what the difference in behavior is, Microsoft has a website where you can test the various features to make sure that they are working properly. Here you can test antivirus, drive-by downloads, real-time cloud protections and more.

Still not convinced?


Now the question is should you disable Defender services? Heck no! Windows Defender is one of those integrated features like IE was back in the day, so if you disable it in services Windows will become unstable. Save yourself some grief. Defender is third-party antivirus aware. Let those applications configure Defender for you. They will put it into passive mode for you. If they don’t then it’s a clear sign that your software isn’t keeping up with the times.

It is time to give Defender a shot. I know I read a lot of “defender sucks” stuff out there. It’s time to look at it again with a clear mind and see the direction that Microsoft is taking this product. It’s not the same old Defender you’ve hated for the last decade. It’s now a truly integrated security system. The days of benchmarking one A/V over another on how fast they caught a virus or Trojan are gone. It’s no longer a good measure. The attackers are smarter. The attacks are varied and they are coming from all directions. Defender is the integrated solution that we’ve been hoping would come along and Microsoft has really stepped up to the plate with this one. They’ve always been a great come-from-behind company and they’ve done it again with Defender in Windows 10 and in Server 2016, too. They are built on the same code so Windows Server is enjoying better built-in security now, too.



About Third Tier

Established in 2008, Third Tier only works for IT Professionals by providing them with access to advanced support services. No one can know it all these days, so we give IT pros a place to go to get the hands on support they need in areas they normally don’t work in or problems they’ve never encountered. We also work on projects, fix their accounting practices and do many, many migrations and other installations. Our staff covers a wide range of technologies.





Comments (0)
Post a new comment
Full Name:
CAPTCHA Verification 
Please enter the text you see in the image into the textbox below. This is required to prevent automated registrations and form submissions.

Help Desk Software by Kayako Fusion