Windows Defender Antivirus frequently asked questions, and why you should use it with Microsoft Defender ATP

Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as endpoint detection and response and automated investigation and remediation, you get better protection that’s coordinated across products and services.

10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP

Advantage and why it matters:
1. Antivirus signal sharing – Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP.
2. Threat analytics and your configuration score – Windows Defender Antivirus collects underlying system data used by threat analytics and configuration score. This provides your organization’s security team with more meaningful information, such as recommendations and opportunities to improve your organization’s security posture.
3. Performance – Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. Evaluate Windows Defender Antivirus and Microsoft Defender ATP.
4. Details about blocked malware – More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. Understand malware & other threats.
5. Network protection – Your organization’s security team can protect your network by blocking specific URLs and IP addresses. Protect your network.
6. File blocking – Your organization’s security team can block specific files. Stop and quarantine files in your network.
7. Auditing events – Auditing event signals are available in endpoint detection and response capabilities. (These signals are not available with non-Microsoft antivirus solutions.)
8. Geographic data – Compliant with ISO 27001 and data retention, geographic data is provided according to your organization’s selected geographic sovereignty. See Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards.
9. File recovery via OneDrive – If you are using Windows Defender Antivirus together with Office 365, and your device is attacked by ransomware, your files are protected and recoverable. OneDrive Files Restore and Windows Defender take ransomware protection one step further.
10. Technical support – By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. Troubleshoot service issues and review event logs and error codes with Windows Defender Antivirus.

Customers ask a lot of questions about Windows Defender Antivirus, so I have collated the most frequently asked ones below. I hope this helps you.

Q1. Is Windows Defender Antivirus (Windows Defender AV) free?
A: Yes, Windows Defender AV is provided as a part of the Windows operating system license.

Q2. Is there any difference in protection between System Center Endpoint Protection as deployed on Windows 8 or Windows 7 and Windows Defender AV included in Windows 10?
A: Yes, as there are some new features, such as Block at First Sight, that depend on new, enhanced security features that are only available in Windows 10, version 1607 or later. We continuously improve the protection of our customers’ identity, devices, and data in Windows 10, although the core protection offered by System Center Endpoint Protection in Windows 8 and Windows 7 and by Windows Defender AV in Windows 10 is similar.

Q3. What has Microsoft done to improve the system performance of Windows Defender AV and minimize the impact on the operating system?
A: Windows Defender AV settings allow for customization of the scanning, timing, impact, and other key features that allow you to tune the service to your needs. Our extensive experience with operating systems allows Windows Defender AV to work better with Windows to provide more seamless scanning, remediation, and day-to-day running of the product.

Q4. Is Microsoft committed to endpoint protection?
A: Yes. In 2015, CEO Satya Nadella described security as “The most pressing issue of our time”, and outlined a strong, dedicated approach to security and endpoint protection. Microsoft has continued to advance security protections for our customers, and Windows Defender AV is just one element within the holistic view of protection provided by our products and services. We are continuously improving Windows Defender AV to provide a high level of protection.

Q5. Is there a difference between consumer and enterprise protection in Windows Defender AV?
A: There is no difference in our scanning engine and protection level; however, the consumer client receives signature updates once a day while the enterprise client receives updates every 8 hours (or more frequently, with the appropriate configuration). There is also granular management for the enterprise with System Center Configuration Manager, Group Policy Objects, and Mobile Device Management (such as Intune). The enterprise client also provides centralized reporting functions for Security Operations (SecOps) Administrators.

Q6. How has Windows Defender AV changed to meet changing threats, polymorphic malware, and other new and evolving threats?
A: Microsoft is continuously improving Windows Defender AV to provide a high level of protection. In today’s world, static signatures are not enough to protect users and devices. Malware is constantly evolving, so it is vital to provide protection against 0-day attacks as well as ever-changing malware with fast, advanced detection, including cloud-based protection such as the Block at First Sight feature. Windows Defender AV also provides behavioral signatures in addition to its cloud-protection service to stop attacks and block suspicious programs. We also use “fuzzy” hashing and machine learning to better match malicious code.

Q7. How will Windows Defender AV protect the client against Ransomware?
A: Windows Defender AV provides a high level of protection against malware, including ransomware. Windows Defender AV, which is enabled by default, can respond to new threats faster by using improved cloud-based protection and automatic sample submission features to block malware “at first sight”. We’ve also improved the behavioral heuristics used by Windows Defender AV to help determine if a file is performing ransomware-related activities, and then detect and take action more quickly. In addition to protecting against ransomware, these features help protect clients from 0-day vulnerabilities and unknown malware. Learn more at the Windows Blog for Business: Defending against ransomware with Windows 10 anniversary update.

Q8. Are industry standard tests published on a regular basis?
A: Third-party and vendor-neutral test results are published on a regular basis by the organizations that perform them, including results related to Windows Defender Antivirus.

Q9. How often are signature updates provided?
A: Signature updates are provided multiple times a day. Updates to the scanning engine are provided periodically on demand or through monthly Windows 10 OS updates.

Q10. What is the benefit of Potentially Unwanted Application (PUA) protection?
A: PUA refers to unwanted application bundlers or their bundled applications. These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and often waste helpdesk, IT, and user time cleaning up the applications. Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims. The Potentially Unwanted Application protection feature is available only for enterprise customers. You can read more on the MMPC blog: Shields up on potentially unwanted applications in your enterprise.

Q11. A third-party product detected malware but Windows Defender AV didn’t. Why?
A: Microsoft is continuously improving Windows Defender Antivirus to provide a high level of protection. However, signature-based protection is not enough, and we strongly recommend using the cloud-based protection features in Windows Defender AV to add another layer of antimalware protection. Using the cloud, Windows Defender AV can detect even more malware. Moreover, in the latest AV-TEST results from December 2016, Windows Defender AV scored 100% in the Real-World Testing test and 98.6% in the Widespread and Prevalent Malware test.

Q12. How can I provide feedback related to Windows Defender AV? Does anybody care about it?
A: Definitely, feedback is appreciated and can help improve our product. You can provide feedback through the Feedback Hub, which you can find in the Windows Start menu.

Features

Q13. What are Microsoft’s “best practices” with regards to how to configure Windows Defender AV?
A: We publish Security Baselines that you can use to configure best-practice protection.

Q14. If I already use Windows Defender AV or System Center Endpoint Protection why should I also deploy the monthly Malicious Software Removal Tool?
A: The Malicious Software Removal Tool (MSRT) acts as a secondary assessment of the system’s state and looks at very specific issues on a system. While SCEP or Windows Defender AV will actively protect against new threats, MSRT scans specific system resources in an effort to reduce common issues with systems that can sometimes be ignored by standard “quick” scans.

Q15. Why doesn’t Windows Defender AV include an endpoint firewall/URL protection/Host-based Intrusion Prevention System/other security feature?
A: Windows Defender AV is one piece of the Windows security feature set. While other vendors may include a built-in firewall, URL scanning, or similar feature sets, Microsoft instead provides those built in to Windows. These additional tools greatly increase the security of Windows without requiring additional licensing. Features like the SmartScreen Filter for URL review and alerting and Windows Firewall have existed in the product for many versions and actively protect the system silently in the background without additional software or license purchases. Additionally, Microsoft is committed to continuing to invest in the tools built into Windows. Microsoft is investigating investments broadly in three areas – anti-exploit mitigations, attack surface reduction, and system protection. These are early in our planning cycle, so our plans are likely to evolve. Investments in these areas will alleviate the need for bolt-on security tools such as HIPS and make Windows easier to manage compared to traditional tools.

Q16. How does Windows Defender AV protect my systems from emerging malware (0-day) threats?
A: The Windows Defender AV team sees information on over a million malicious files collected daily, along with the metadata of files over 2 billion times a day. We use this information to develop our advanced, fast, cloud-based protection to protect users from emerging and advanced malware. We also work with third-party security research partners, building up a dynamic relationship service that references over 4.5 billion malware records.

Q17. How does Windows Defender AV use the cloud?
A: Windows Defender AV uses the cloud to enhance the capabilities delivered by the local Windows Defender AV client. While the local client can provide protection against many attacks, the cloud provides the real-time intelligence necessary to mitigate unknown and emerging threats. Windows Defender AV uses the scalability of the cloud, along with big data and machine learning technology, to provide more advanced protection than conventional virus signatures. By analyzing petabytes of data from file submissions and third-party vendors, along with other network, geographic, and demographic information in the cloud, Windows Defender AV can detect and prevent suspicious or malicious activity better than traditional signature-based protection tools.

Q18. Is Windows Defender AV available for other platforms (MacOS, Android, Linux)?
A: System Center Endpoint Protection includes an Endpoint Protection client for Linux and for Mac computers. These clients are not supplied with Configuration Manager; instead, you must download them from the Microsoft Volume Licensing Service Center.

Q19. Are there any plans to implement similar functionality into Windows Server editions?
A: By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs. You can manage Windows Defender AV by using WMI, Windows PowerShell, or Group Policy. More details can be found in the TechNet topic Windows Defender overview for Windows Server.

Privacy

Q20. Does Microsoft collect any personal information while Windows Defender Antivirus Telemetry (MAPS) is on?
A: If you join “Cloud Protection” (in Windows 10, or named MAPS in earlier versions), Windows Defender AV might send specific files or metadata about files that Microsoft suspects might be malicious. Windows Defender AV data use is described in the Microsoft Privacy Statement.

Q21. What data do you collect and how is it stored and secured?
A: Microsoft uses sample files submitted to Windows Defender AV, along with many other data sources, to improve the effectiveness of the protection we deliver. All customer data collected is stored securely in Microsoft datacenters and is only accessible to the security researchers developing our endpoint protection capabilities. Over time we will remove the data.

Q22. How does Windows Defender AV use the cloud to protect my PC?
A: Windows Defender Antivirus uses the cloud to provide an additional level of protection. If a file does not match any local signature, Windows Defender AV can send metadata about the file to the cloud to check whether the file is known to be malicious. If there is no result, Windows Defender AV may upload the file to check its behavior and, if it is found to be malicious, the file will be blocked (Block at First Sight). All these options are fully configurable, and you have full control over what is sent and when.

Q23. Can I know when Windows Defender AV uploads a file (sample) from my organization to the cloud?
A: Yes. Every time Windows Defender AV successfully uploads a file to the Microsoft cloud it will send an event to the event log. The event will show up in the event log as Event #2050: “MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED” and will include the file name and hash. For full details see the Windows Defender Events topic on TechNet.

Q24. Under what circumstances does Windows Defender AV take a copy of files?
A: When Windows Defender AV encounters a file that it does not recognize, it can send the metadata (such as the file name and hash) to the cloud-based protection service. If the cloud-based protection service cannot provide a definitive answer, Windows Defender AV can send the file itself for analysis. Currently, the file will be blocked from running on a local system only until the answer about the metadata arrives.
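The cloud-protection flow in Q22 to Q24 is driven by three Defender preferences, and the sample uploads it produces are recorded as Event 2050. The following PowerShell is an added example (not from the original post) that reads the current settings and lists the uploads from the last week; the Event 2050 message wording used by the regexes is an assumption, so the raw message is kept alongside the parsed fields.

```powershell
# Added example: audit cloud-protection posture and sample uploads on one device.
# Run in an elevated PowerShell on Windows 10 / Windows Server 2016.

# 1. Current posture. Property names match the Set-MpPreference parameters of the same name.
$pref = Get-MpPreference
[pscustomobject]@{
    MAPSReporting           = $pref.MAPSReporting           # 0 = Disabled, 1 = Basic, 2 = Advanced
    SubmitSamplesConsent    = $pref.SubmitSamplesConsent    # 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
    DisableBlockAtFirstSeen = $pref.DisableBlockAtFirstSeen # $true means Block at First Sight is off
} | Format-List

# 2. Sample upload audit trail: Event 2050 in the Defender operational log (Q23).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2050
    StartTime = (Get-Date).AddDays(-7)
}
$uploads = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $msg = $_.Message
    # Assumed message layout: "... Filename: <path> ... Sha256: <hash> ..."
    $name = if ($msg -match '(?m)Filename:\s*(.+?)\s*$')        { $matches[1] } else { $null }
    $sha  = if ($msg -match 'Sha256:\s*([0-9A-Fa-f]{64})')        { $matches[1] } else { $null }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Computer = $_.MachineName
        FileName = $name
        Sha256   = $sha
        Raw      = $msg
    }
}

if (-not $uploads) {
    'No sample uploads (Event 2050) recorded in the last 7 days.'
} else {
    $uploads | Select-Object Time, Computer, FileName, Sha256 | Format-Table -AutoSize
}
```

If a device shows SubmitSamplesConsent = 2 (NeverSend) or DisableBlockAtFirstSeen = $true, the cloud step described in Q22 never reaches the upload stage, which is why no 2050 events appear.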

Q25. Does Microsoft use Windows Defender AV and cloud-based protection to create or target ads to users?
A: No, we don’t use any data from cloud-based protection to target ads to users. This data is used to improve security on Windows machines and provide a modern way of protecting against threats.

Q26. How much bandwidth does telemetry utilize?
A: Basic telemetry sends around 2 to 3 KB, with larger (less frequent) report sizes averaging 4.5 KB. Random file sample subsets (<1% of the deployed agents, averaging once every three years if selected) may send around 500 KB to 1 MB.

Operations

Q27. Does Windows Defender AV remove malware from my machine?
A: If removal is possible, Windows Defender AV will remove any infections from the file and clean it. If the file is malware and its sole purpose is to attack the machine, those files typically have to be removed. Files that cannot be cleaned or removed by traditional means will be quarantined.

Q28. If I suspect a file has a virus or is possibly malicious, can I specifically have Microsoft or Windows Defender AV perform deep analysis of the file?
A: Yes, if you have specific concerns, you can upload your file sample through the Malware Protection Center sample submission form. Customers with support agreements can also open tickets with their appropriate technical resource or account teams.

Q29. How large are the AV signature files?
A: Signature files can vary in size depending on the state of the system. Windows Defender AV signature files are differential (binary delta) updates and can vary from approximately 150 MB for the full file to as little as 5 KB if a daily delta update is applied to an existing, up-to-date client. Delta files may be released multiple times per day. If the client hasn’t successfully obtained a new set of signature files in a month, then a full signature download will be required.

Q30. Can I have access to pre-release Windows Defender AV definition updates?
A: Yes, Microsoft offers partially-tested pre-release definition updates for download before the fully-tested (released) version is available. You can use these pre-release definitions to clean infected computers. You can also use them to protect computers that are at an immediate risk of infection. The pre-release definition update is not meant for enterprise-wide deployment and should not be used if you are not experiencing a threat for which it was explicitly created.

Q31. How can I deploy Windows Defender AV in my organization?
A: Windows Defender Antivirus is part of the Windows 10 operating system, so there is no need to deploy any agent.

Q32. How can I update Windows Defender AV signatures on devices in my organization?
A: Windows will automatically download and install updates once a day for you. To update antimalware definitions, you can use one or more of the following methods:
1. Updates distributed from Configuration Manager – This method uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy.
2. Updates distributed from Windows Server Update Services (WSUS) – This method uses your WSUS infrastructure to deliver definition and engine updates to computers.
3. Updates distributed from Microsoft Update – This method allows computers to connect directly to Microsoft Update to download definition and engine updates. This method can be useful for computers that are not often connected to the business network.
4. Updates distributed from Microsoft Malware Protection Center – This method will download definition updates from the Microsoft Malware Protection Center.
5. Updates from UNC file shares – With this method, you can save the latest definition and engine updates to a share on the network. Clients can then access the network to install the updates.
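The five update methods above map onto the Defender PowerShell cmdlets. The block below is an added example (not from the original post) that checks how old a device's definitions are, sets the order in which the sources are tried, and forces an update from a chosen source; the UNC path \\fileserver\DefenderUpdates is a constructed placeholder.

```powershell
# Added example: definition age, update-source fallback order and a forced update.
# Run in an elevated PowerShell on a domain-managed Windows 10 / Server 2016 device.

# 1. How stale are the definitions on this device?
$status = Get-MpComputerStatus
[pscustomobject]@{
    EngineVersion        = $status.AMEngineVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
} | Format-List

# 2. Fallback order: sources are tried left to right.
#    InternalDefinitionUpdateServer = WSUS / Configuration Manager (methods 1 and 2)
#    MicrosoftUpdateServer          = Microsoft Update (method 3, for roaming devices)
#    MMPC                           = Microsoft Malware Protection Center (method 4)
#    FileShares                     = UNC share(s) you keep current yourself (method 5)
$order  = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares'
$shares = '\\fileserver\DefenderUpdates'   # constructed placeholder for this example
Set-MpPreference -SignatureFallbackOrder $order `
                 -SignatureDefinitionUpdateFileSharesSources $shares

# 3. Force an update now from one specific source. -UpdateSource accepts
#    InternalDefinitionUpdateServer, MicrosoftUpdateServer, MMPC or FileShares.
Update-MpSignature -UpdateSource MicrosoftUpdateServer

# 4. Per Q29, a client that has missed deltas for a month needs a full (~150 MB)
#    download, so flag devices approaching that threshold.
if ((Get-MpComputerStatus).AntivirusSignatureAge -ge 30) {
    Write-Warning 'Definitions are 30+ days old; the next update will be a full signature download.'
}
```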

Q33. How can I manage Windows Defender AV in my organization?
A: Windows Defender Antivirus can be managed with Group Policy, Configuration Manager, and MDM solutions such as Intune.

Q34. How can I get Windows Defender AV reports and compliance status?
A: To access Windows Defender reports on scans, malware found, and compliance, you can use Configuration Manager or Operations Management Suite.

Q35. Windows Defender AV still protects devices even when a third-party AV is installed and functioning. What types of protection does this offer and where does Windows Defender Antivirus get its updates from?
A: Provided that the Windows Defender Antivirus client has access to Windows Update, it will keep itself up to date in consumer mode (downloading signatures and engines once a day) in case the third-party product fails.
