Windows Defender ATP versus traditional antivirus solutions

Windows Defender ATP versus traditional antivirus solutions

For their 2019 security strategy, many organisations are considering Endpoint Detection Response (EDR) solutions, to improve their security posture against the many threats of today. In this blog post, we will explain in a concise manner why your traditional antivirus (AV) solutions cannot cope with the actual threats of today and why Windows Defender ATP would be an excellent candidate to replace these solutions.

Why are the traditional antivirus solutions failing to protect organisations against the threats of today?

For most of the organisations, traditional antivirus solutions have long been the most ubiquitous endpoint-security technology. During the last 15 years, antivirus solutions were able to stop “most” of the malware attacks targeting your endpoint. Typically, they do that by scanning each new file that lands on the disk against a database of malware signatures.

There are three structural problems with this signature-based detection approach:

  1. Antivirus vendors have difficulties to keep track of the different variants of all those malware families (which are daily released) and to develop the according malware signatures.
  2. For performance reasons, antivirus vendors try to keep the signature database as small as possible. That’s why many traditional AV vendors’ databases only contain the updates of the latest malware threats. Coping both with the performance and threat detection aspect is challenging using a signature-based detection method.
  3. Threat actors can easily adapt the malware code or their techniques to circumvent the malware signatures developed for traditional AV solutions.

Traditional AV cannot cope with the new trends in malware land: fileless malware

Threat actors have noticed that, over the years, traditional antivirus solutions were becoming more and more efficient in detecting malicious files on disks. To stay undetectable and keep their operations stealthy, threat actors have adapted their techniques. That is why since the beginning of 2017 more sophisticated threat actors make use of fileless malware. Where traditional malware requires some executable files to run the payload, fileless malware runs its payload directly in memory without dropping an executable file on the disk.

Because there is no file left on the disk in fileless malware attacks, there isn’t a signature for traditional antivirus solutions to look for. As a result, fileless malware attacks stay undetected by these traditional AV solutions. Although lately some traditional AV solutions have been adapted to tackle fileless attacks through scanning memory for AV signatures, this remains inefficient.

How can Windows Defender ATP better detect and protect your endpoints from the new techniques used in malware attacks?

Windows defender ATP is more than just ‘marketing’, it uses a fundamentally different approach compared to traditional AV solutions, in the way that malicious malware attacks are detected and prevented. Whereas many traditional AV solutions use an incident reactive approach without providing any context, Windows Defender ATP is system and user forensic centric, providing a full analyst context of what is occurring on the system and by whom.

Microsoft provides a broad range of security protection and detection capabilities for your endpoints that address a wide spectrum of threats:

  • Windows Defender provides file-based protection using signatures and a heuristics-based approach.
    • To be able to deal with the newest malware, Windows Defender offers cloud look-ups to ensure the latest signature updates are considered. The cloud look-up will send unknown files to detonation chambers and sandbox technology in the cloud. Once analysed and identified as malicious, the cloud signatures will be updated and made available immediately for all Windows Defender clients. The file-based signatures will be updated a few hours later for all endpoints.
    • On top of this sandbox technology, Windows defender ATP will monitor the user, process and system behaviour continuously in your organizations, using a cloud-based machine learning approach. This has greatly improved Microsoft’s detection accuracy in test results. Microsoft’s Windows Security Research Team benefits from a vast installation of over one billion consumer endpoint versions of the antivirus engine and its online system-check utilities, which provide a unique and rich set of intelligence (IOCs and IOAs).
  • Windows Defender makes use of AMSI (Antimalware Scan Interface). AMSI is an open interface that will unencrypt and decode obfuscated scripts before inspecting the content of the script in memory.

Other key differentiators of Windows Defender ATP compared to other EDR solutions

  • Microsoft is unique in the endpoint protection space, as it is the only vendor with the capacity to embed protection features directly into the core of the OS. As a result of this agentless approach, the deployment of Windows Defender ATP and the maintenance is occurring much faster and much more efficient compared to other EDR solutions.
  • Windows Defender ATP offers automatic investigation and remediation that help reduce the volume of alerts in minutes at scale.
  • Windows Defender ATP allows you to use a powerful search and query tool to hunt for possible threats in your organization, using your own threat intelligence. Depending on the SLA; three or six months of endpoint forensics data is stored, which is available for historical analysis and threat hunting.
  • Windows Defender ATP is easy to deploy and administer from the cloud using the Windows Defender Security Centre, which is the management interface for the whole Windows Defender suite, including ATP.
  • Through integration with some third-party vendors, Microsoft provides threat detection, prevention and responses for non-Windows endpoints in a cross-platform environment.

A real comparative test between traditional AV and Windows Defender ATP

For one of the SecWise customers, we recently performed a comparative test between their traditional AV solution and Windows Defender ATP. We tested the detection and response capabilities of both solutions, as well as the hunting capacity.

The test consisted of the simulation of the techniques and procedures used during the so-called APT attacks by sophisticated threat actors. The test was not focused on commodity malware. In total, 36 simulated attacks were launched. This is a description of the test environment:

  • Windows 10 build 1607 (patched) with traditional AV and APT module
  • Windows 10 build 1803 (patched) with Windows Defender AV & ATP
  • Systems were connected to public WIFI without perimeter security
Windows Defender AV & ATP Traditional AV (including ATP module)
Detection rate out of the box 21/36 5/36
Using hunting queries 30/36 5/36

 

The main takeaways from this test:

  1. Compared to the traditional AV solution, Windows Defender ATP provides a much better preventive and detective capability against both commodity and advanced persistent malware threats.
  2. Windows defender ATP has a very strong detection capacity in finding suspicious or malicious PowerShell scripts. The fileless approach of using PowerShell to retrieve and execute malicious code, is becoming increasingly popular amongst cyber criminals and state sponsored attackers.
  3. The “Advanced Hunting” functionality in Windows Defender ATP allows you to proactively hunt for possible threat scenarios across the customer’s organization, using a powerful search and query tool inside Windows Defender ATP.

If you are interested in getting more details on Windows Defender ATP or the comparative test, don’t hesitate to contact us.