Windows Defender Next Generation Anti-malware

Presentation on theme: "Windows Defender Next Generation Anti-malware"— Presentation transcript:

2 Windows Defender Next Generation Anti-malware
Session BRK2327. Speaker: Deepak Manohar.

3 Malware authors have an asymmetric advantage
- Malware authors are well aware that industry reaction time is around 8 hours.
- Malware's lifecycle is faster than our signature-based protection can react.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." (Sun Tzu, The Art of War)

4 OS does not expose rich local context
Diagram: four separate products, each reporting only its own events.
- Mobile Device Security: blocked app; conditional access allowed
- Security: blocked incoming; attachment removed
- Edge Web & Firewall: blocked egress connection; blocked IP
- Endpoint Security: blocked malware; remediated unwanted software

5 Security products not optimized for enterprises
Same diagram, with each product writing the same events to its own separate log (Mobile Device Security Log, Security Log, Edge Web & Firewall Log, Endpoint Security Log).

6 Current State
- Malware authors have an asymmetric advantage
- OS does not expose rich local context
- Security products not optimized for the enterprise

7 Current State vs. Future State
- OS does not expose rich local context -> Security products consume rich local context
- Malware authors have an asymmetric advantage -> Security products with extensive, global sensors
- Security products not optimized for enterprises -> Optimized security products for the enterprise

8 Three-pronged approach
- Rich local context: Windows 10 securely provides local context
- Extensive global sensors: Windows Defender is enriched with extensive global sensors
- Empower IT security pros: Windows 10 and Windows Defender optimized for the enterprise

9 #1 Windows 10 provides rich, local context

10 Windows 10 provides rich, local context
- Windows 10 securely provides relevant system and local contextual information
- Windows Defender securely persists and uses that local context

11 Persisted context: file arrived via mail
Diagram: Mail server -> Windows 10 device. Persisted context: file arrived via mail.

12 Process linked to file from mail
Same diagram, one step further: the process that runs is linked to the file, and the file is linked to mail.

13 Origin information
Windows 10 persists the whole chain as origin information: Admin <- Process <- File <- mail. The elevation step (+Admin) becomes part of that chain.

14 Windows 10 provides Local Context
Demo: Windows 10 - UAC context + Entry point (mail)

15 Process linked to file from mail
Diagram extended with the Internet as a second entry point. Two chains are persisted:
- Admin <- Process <- File <- mail
- Deobfuscated memory <- Script File <- Skype

16 Windows 10 provides Local Context
Demo: Windows 10 – Antimalware Scan Interface (AMSI) – Script de-obfuscation
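Added example, not part of the deck or of Microsoft's demo: a PowerShell probe that shows the difference between a de-obfuscated string held as data and the same string executed as script, which is the point of the AMSI demo. It assumes Windows 10 (PowerShell 5.x) with Windows Defender real-time protection on. The reversed-string trick and the Get-ProbeText / Invoke-Probe helper names are this example's own; the probe text is Microsoft's documented AMSI test string, which AMSI-aware engines treat as malicious for testing.

```powershell
# Added example (not from the deck): what AMSI sees when a script de-obfuscates itself.
# Assumes Windows 10 (PowerShell 5.x) with Windows Defender real-time protection on.
# The probe uses Microsoft's documented AMSI test string. It is never written in clear
# text in this file, because the file itself is scanned when it is loaded and would be
# blocked before any line ran; instead it is stored reversed and rebuilt at run time,
# which is the same pattern as the "Deobfuscated memory <- Script File" chain above.

$Reversed = '6831c4841ca0-0478-9334-b168-ec3c27e7 :elpmaS tseT ISMA'

function Get-ProbeText {
    # De-obfuscate in memory: reverse the character array back into the test string.
    $chars = $Reversed.ToCharArray()
    [array]::Reverse($chars)
    -join $chars
}

function Invoke-Probe {
    param(
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    try {
        & $Action | Out-Null
        [pscustomobject]@{ Case = $Label; Blocked = $false; Detail = 'ran to completion' }
    } catch {
        # PowerShell raises a ParseException with an AMSI-specific message when the
        # engine reports the submitted script content as malicious.
        [pscustomobject]@{ Case = $Label; Blocked = $true; Detail = $_.Exception.Message }
    }
}

# Case 1: the de-obfuscated text is only held as data. Nothing is handed to AMSI as
# script, so this runs; a signature-only scan of this .ps1 would never see the string.
$asData = Invoke-Probe -Label 'string held as data' -Action {
    $null = Get-ProbeText
}

# Case 2: the de-obfuscated text becomes code. Invoke-Expression submits the rebuilt
# script text to AMSI before running it, so the engine sees the clear-text content.
$asCode = Invoke-Probe -Label 'string executed via Invoke-Expression' -Action {
    Invoke-Expression ("Write-Output '" + (Get-ProbeText) + "'")
}

$asData, $asCode | Format-Table -AutoSize

# Confirm the detection landed in the Windows Defender operational log
# (1116 = malware detected, 1117 = action taken).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

Expected behaviour: the data case runs to completion; the Invoke-Expression case throws a ParseException saying the script contains malicious content and was blocked, and a 1116/1117 pair appears in the Defender log. Reversal is a stand-in for whatever obfuscation real script malware uses; the engine does not have to understand the obfuscation, because it is handed the content after the script has undone it.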

17 Windows 10 provides rich, local context
PLATFORM (Windows):
- MVI (Microsoft Virus Initiative)
- AMSI (Antimalware Scan Interface)
- Secure Events
- UAC (User Account Control)
- Internet Explorer: IExtension Validation (IEV)
- Windows Resource Protection
- Secure Boot through UEFI
- OS hardening
- Early Launch Antimalware (ELAM)
- Device Guard
- AppLocker
Legend: some of these are available only in Windows 10 (or have full functionality only in Windows 10).

18 Windows 10 provides rich, local context
Security products are enriched with local system context. On top of the platform list above:
ANTIMALWARE (System Center Endpoint Protection / Intune / Windows Defender):
- Antimalware
- Behavior Monitoring
- Dynamic Translation
- Vulnerability Shielding
- Windows Defender Offline
- Persisted Store
- Shields Up
The legend adds ETW (Event Tracing for Windows); the summary slides refer to the Secure Events as Secure ETW.

19 Windows 10 provides rich, local context
Same diagram, with the note: hardware + firmware + software security; full functionality only in Windows 10.

20 #2 Security products w/ global sensors

21 Security products w/ global sensors
Windows Defender on Windows 10 is enriched with context aggregated
- from over 1B Windows devices
- from other cloud services (e.g. mail services, URL filtering services)

22 Windows Defender Cloud Protection
Diagram: the device's persisted context is sent to the cloud and enriched into an aggregated context (machine profile, threat profile, suspicious activity).
- Over 100,000,000 queries each day
- Geo-distributed
- Responses in less than a second
- Privacy, compliance aware

23 Windows Defender Cloud Protection: scale
- 1B devices
- 10M spam blocks per minute
- 3B malware alerts

24 Process linked to file from mail
Diagram: Mail server -> Windows 10 device. Persisted context: file arrived via mail; process linked to file from mail; Admin <- Process <- File <- mail. Windows Defender on Windows 10 uses this local context, including the +Admin elevation step, when it calls the cloud.

25 Windows Defender Cloud Protection
Inter-connected global context. Cloud components: researchers, real-time signature delivery, behavior classifiers, reputation, cloud engine.
Flow: (1) telemetry and cloud calls go from the client to Cloud Protection; (2) a real-time signature comes back.
Goal: block malware the first time it's seen, in the first critical hours.

26 Security products w/ global sensors
Demo: Windows Defender Cloud Protection

27 Security products w/ global sensors
Security products are enriched with extensive, global sensors. Same platform/antimalware diagram as slide 18, with one addition to the antimalware layer: Smart Cloud calls (UAC is shown as UAC-AM).

28 #3 Empower IT Pros

29 Empower IT Pros: optimized for the enterprise
Windows 10 and Windows Defender optimized for the enterprise.

30 Empower IT Pros: IE extension security
- Windows 10 features improved IE extension security measures
- Attack targets are shifting: on IE, attacks are shifting to plugins
- IE blocking feature for Java shipped
- Windows Defender uses IExtension Validation (IEV)

31 Empower IT Pros: Config Mgr. / Microsoft Intune / SCOM
- Configuration Manager provides a complete SCEP management solution for enterprises
- Microsoft Intune provides a complete management solution for remote/BYOD scenarios
- Operations Manager provides a Windows Server Antimalware Management Pack
4/16/2017. © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

32 Empower IT Pros: full-featured manageability options in-box with Defender
- OMA-DM: enables agentless management of the antimalware client
- PowerShell: rich set of commands for management
- WMI v2: events and management of the antimalware client
- Command line: direct access and manipulation of the antimalware client
- Group Policy: the standard way to set machine-wide scanning policies and preferences
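Added example, not from the deck: the in-box surfaces the slide lists, read against a simple protection baseline that also covers the cloud-protection setting from slides 22 and 25. PowerShell (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference), WMI v2 (the root/Microsoft/Windows/Defender namespace) and the command line (MpCmdRun.exe) are real Windows 10 interfaces; the baseline thresholds, the function names and the decision to treat anything other than MAPS "Advanced" as a finding are this example's own choices, not Microsoft guidance.

```powershell
# Added example (not from the deck): the same Defender state read through three of the
# in-box surfaces on the slide (PowerShell, WMI v2, command line), then a baseline
# check and remediation an admin would run. Assumes Windows 10 with the Defender module.
# The threshold and the "Advanced MAPS required" rule are this example's own choices.

$MaxSignatureAgeDays = 3

function Get-DefenderStateViaPowerShell {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        CloudProtection    = $pref.MAPSReporting        # 0 = off, 1 = basic, 2 = advanced
        SampleSubmission   = $pref.SubmitSamplesConsent # 1 = send safe samples
    }
}

function Get-DefenderStateViaWmi {
    # Same data from the WMI v2 provider; this is the surface OMA-DM and SCCM read.
    $ns     = 'root/Microsoft/Windows/Defender'
    $status = Get-CimInstance -Namespace $ns -ClassName MSFT_MpComputerStatus
    $pref   = Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        CloudProtection    = $pref.MAPSReporting
        SampleSubmission   = $pref.SubmitSamplesConsent
    }
}

function Update-SignaturesViaCommandLine {
    # Direct engine access: MpCmdRun.exe is the command-line surface on the slide.
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpcmd -SignatureUpdate | Out-Null
    $LASTEXITCODE
}

function Test-DefenderBaseline {
    param([Parameter(Mandatory)]$State)
    $findings = @()
    if (-not $State.RealTimeProtection) { $findings += 'real-time protection is off' }
    if (-not $State.BehaviorMonitoring) { $findings += 'behavior monitoring is off' }
    if ($State.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $findings += "signatures are $($State.SignatureAgeDays) days old"
    }
    if ($State.CloudProtection -ne 2) { $findings += 'cloud protection (MAPS) is not Advanced' }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Set-DefenderBaseline {
    # Remediation through the PowerShell surface (needs an elevated prompt). Group Policy
    # or OMA-DM set the same values centrally and win over local changes.
    Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
}

$result = Test-DefenderBaseline -State (Get-DefenderStateViaPowerShell)
$result | Format-List
if (-not $result.Compliant) {
    Set-DefenderBaseline
    $null = Update-SignaturesViaCommandLine
    # Re-check through the other surface to confirm both agree after remediation.
    Test-DefenderBaseline -State (Get-DefenderStateViaWmi) | Format-List
}
```

If a setting keeps reverting after Set-DefenderBaseline, a policy is managing it: the Group Policy / OMA-DM values live under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and take precedence, which is the intended behaviour in a managed fleet. The Windows Defender Offline clean from slide 34 is exposed on the same PowerShell surface as Start-MpWDOScan; it reboots the machine into the offline environment, so it is deliberately not called from this script.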

33 Empower IT Pros: cleaning advanced malware today
- 150 MB download
- Manual process

34 Empower IT Pros: cleaning advanced malware on Windows 10
- Windows Defender Offline (WDO) built into the Windows 10 OS
- 2-3 MB download
- Automated process

35 Empower IT Pros Demo: WDO, cleaning advanced malware

36 Empower IT Pros: Microsoft Intune, BYOD, agentless endpoint protection
- Windows 7 or Windows 8.1 device: 25 MB endpoint protection agent plus 125 MB of definitions (signatures)
- Windows 10: Windows Defender with OMA-DM enables agentless endpoint protection (no 25 MB agent), and the Windows Defender definitions already on the device are reused (the 125 MB)

37 Empower IT Pros: Windows Server Antimalware
What it is:
- Comprehensive real-time antimalware protection
- On by default on new installs of Server
- Optimized configuration for server roles
- Full-featured manageability interface
Which Server SKUs:
- Windows Server vNext Standard
- Windows Server vNext Datacenter
- Windows Server vNext Essentials
- Nano Server
4/16/2017 2:39 PM. © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

38 Empower IT Pros: Windows Server Antimalware, optimized configuration for server roles
Performance:
- Worked with the server roles teams
- Diligently improved performance
Automatic exclusions:
- "On Access Scan" exclusions are optimized per server role; no guesswork required
- Updated dynamically through definition updates, based on changes to roles and new threats
- Dynamic configuration as roles are added or removed (additive)
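Added example, not from the deck: the other side of the exclusion story. The automatic role exclusions above are maintained by Microsoft and shipped with definitions; custom path exclusions are where an admin, or an attacker who has gained local admin, can quietly blind the scanner. This script runs a risk check over a constructed sample exclusion list, shows how to run the same check against the live list from Get-MpPreference, and pulls the Defender event 5007 configuration-change records that show when exclusions were added. The sample paths, the risky-pattern list and the function names are this example's own.

```powershell
# Added example (not from the deck): audit custom Defender exclusions and the events that
# record their creation. Assumes Windows Server or Windows 10 with the Defender module.
# The constructed sample below stands in for (Get-MpPreference).ExclusionPath so the
# risk check can be tried offline; the "risky" patterns are this example's heuristics.

$SampleExclusions = @(
    'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA',  # role-style
    'C:\Users\Public\Downloads',   # world-writable
    'C:\Windows\Temp',             # world-writable
    'C:\',                         # disables scanning for the whole drive
    'D:\Backups'
)

# Paths anyone can write to, or so broad that they switch scanning off wholesale.
$RiskyPatterns = @(
    '^[A-Za-z]:\\?$',               # a whole drive
    '^[A-Za-z]:\\Users\\Public',    # public profile
    '^[A-Za-z]:\\Windows\\Temp',    # system temp
    '\\AppData\\Local\\Temp',       # per-user temp
    '^[A-Za-z]:\\ProgramData\\?$'   # all of ProgramData
)

function Test-ExclusionRisk {
    param([Parameter(Mandatory)][string[]]$Exclusions)
    foreach ($path in $Exclusions) {
        $hit = $RiskyPatterns | Where-Object { $path -match $_ } | Select-Object -First 1
        [pscustomobject]@{ Path = $path; Risky = [bool]$hit; Rule = $hit }
    }
}

function Get-ExclusionChangeEvents {
    param([int]$Hours = 24)
    # Event 5007 records every antimalware platform configuration change, old and new
    # value included; keep only the ones that touched the Exclusions registry keys.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, @{
            n = 'Change'
            e = { ($_.Message -split "`n" | Where-Object { $_ -match 'Exclusions' })[0].Trim() }
        }
}

# Offline run on the constructed sample: the Public, Windows\Temp and C:\ entries are
# flagged; the SQL data directory and D:\Backups are not.
Test-ExclusionRisk -Exclusions $SampleExclusions | Format-Table -AutoSize

# Live run on a real host (uncomment):
# $pref = Get-MpPreference
# Test-ExclusionRisk -Exclusions @($pref.ExclusionPath | Where-Object { $_ }) | Where-Object Risky
# "Automatic (role) exclusions disabled: $($pref.DisableAutoExclusions)"
# Get-ExclusionChangeEvents -Hours 168
```

The automatic exclusions do not appear in ExclusionPath, so anything listed there was added by hand or by a management policy and deserves a reason on record; DisableAutoExclusions being $true on a server is itself a finding, since it turns the role-tuned defaults back into guesswork.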

39 Empower IT Pros: optimized for enterprise
MANAGEMENT (System Center Configuration Manager, Microsoft Intune, SCOM and Endpoint Protection):
- Endpoint Protection Management
- Software Updates + SCUP
- Settings Management
- Operating System Deployment
- Software Distribution
- Exchange Connector
ANTIMALWARE with manageability: the platform/antimalware diagram from slides 18 and 27 (Dynamic Translation, Behavior Monitoring, Vulnerability Shielding, Windows Defender Offline, Persisted Store, Shields Up, Smart Cloud calls, on top of MVI, AMSI, Secure Events, UAC-AM, IExtension Validation (IEV), Secure Boot through UEFI, Windows Resource Protection, Early Launch Antimalware (ELAM), Device Guard, AppLocker and OS hardening). Some items are available only in Windows 10 (or with full functionality only in Windows 10).

40 Summary
Current State -> Future State
- OS does not expose rich local context -> OS provides local context (Secure ETW, Persisted Store, AMSI, UAC-AM, Shields Up, MVI program, IEV); Windows Defender consumes local context
- Malware authors have an asymmetric advantage -> Extensive, global sensors (Windows Defender Cloud; Shields Up, smart cloud calls); Windows Defender has extensive global sensors
- Security products not optimized for enterprises -> Empower IT Pros (seamless integration): OMA-DM, WMI, GPO, PS, CMD; offline cleaning/WDO; BYOD deployment with Intune; Server AM/auto-exclusions; Windows Defender is optimized for enterprise

41 Summary
The same three rows, relabelled Old State -> Current State with Windows 10, with the third row titled "Empower IT Pros (optimized for enterprise)".

42 Let’s beat malware. Deploy the Future
Windows 10 + Windows Defender – rich local context Windows Defender – extensive, global sensors Windows Defender – optimized for enterprise

43 Q&A

44 Please evaluate this session
Your feedback is important to us! Visit MyIgnite or download and use the Ignite Mobile App with the QR code above.
