MalwareTips Bot

Robot
Verified
Content Creator
When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop attacks as they happen and before they have impact. This means that our service will expand beyond detection, investigation, and response, and will now allow companies to use the full power of the Windows security stack for preventative protection. The stack will be powered by our cloud-based security intelligence, which moves us from a world of isolated defenses to a smart, interconnected, and coordinated defense grid that is more intelligent, simple to manage, and ever-evolving.

We will also provide a single pane of glass experience for security professionals. This means that security management (SecMgmt) teams can easily configure a broad set of Windows security stack technologies through an integrated configuration management experience. Security operations (SecOps) teams get full visibility into their Windows endpoint security and a rich toolset to take action using the Windows Defender ATP console. This will not only give companies a full picture of what’s happening on their endpoints, but will also put them in the driver seat to quickly react to threats as they happen. Leveraging our cloud-based security intelligence gives the optics, context, and tools that companies need to quickly investigate and remediate incidents.

Here are some highlights of the Windows Fall Creators Update:

  • Attack surface reduction with EMET in the box – In the Windows Fall Creators Update, we are introducing Windows Defender Exploit Guard, which gives companies more control on restricting how code runs on their machines and provides tools to mitigate exploits at runtime. Windows Defender Exploit Guard will offer a set of powerful features for intrusion prevention, such as Attack Surface Reduction (ASR) smart rules, which are designed to give laser-focused and targeted blocking capabilities. For example, companies can take advantage of built-in rules that can block Office files containing macros that attempt to download and execute content from the web. Windows Defender Exploit Guard will also help companies take advantage of vulnerability mitigation capabilities that are native to the OS as well as those formerly offered in Enhanced Mitigation Experience Toolkit (EMET) which are now built into Windows. With the addition of EMET technology, companies will be able to apply advanced vulnerability mitigations on legacy apps running on Windows 10 without the need to recompile them. Another powerful Windows Defender Exploit Guard capability will allow automatic blocking of websites known to host malicious code, by leveraging Windows Defender SmartScreen knowledge base. The integration between Windows Defender ATP and Windows Defender Exploit Guard is designed to offer new prevention capabilities that offer smarter and adaptive defenses for companies using our service (Figure 1).


Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event

  • Single pane of glass view across the Windows security stack – In this release we are exposing a broader set of Windows security stack technologies in a single pane of glass experience to allow SecOps to do more and quickly react to attacks (Figure 2). Here are some examples of what SecOps will be able to perform:
    • Get access to Windows Defender SmartScreen alerts and events that show if an employee within the company clicked on a specific URL despite receiving warning message
    • See Windows Defender Antivirus detections and actions that took place and connections that got blocked by Windows Defender Firewall
    • View Device Guard events that have surfaced unauthorized applications that have been blocked but may still be present within the environment and then access blocked/audit information from Windows Defender Exploit Guard
    • Get access to events and alerts when Windows Defender Application Guard has successfully isolated and blocked attacks targeting the browser within the Windows Defender Application Guard container


Figure 2: Windows Defender ATP new dashboard view

  • More detection, investigation, and response – Providing advanced detection, investigation, and response capabilities is where Windows Defender ATP started and there are exciting new additions being added to the Windows Fall Creators Update. In this release, we are growing our detection dictionary to include new indicators of attacks (IoA) that cover recent techniques that attackers use. Some of these new detections include dynamic script-based attacks, network explorations, and keylogging alerts. We are offering richer investigation experience across a wide set of Windows 10 security technologies. For example, if a user is tricked into installing malware in their browser, and infection is contained and later discarded in Windows Defender Application Guard without a trace, Windows Defender ATP still gives SecOps visibility to the event for future investigation in Windows Defender ATP console (Figure 3). This will enable them to get to the root cause faster and get complete understanding of the full breadth of the attack footprint. We will offer a set of new and powerful response capabilities to allow SecOps to do more and react faster. For example, users will be able to update and run machine scan using Windows Defender Antivirus, conduct application restriction per machine, and block execution of unknown files using Device Guard technology.


Figure 3: Windows Defender ATP machine timeline view with Windows Defender Application Guard event

  • New security analytics view – We will provide customers visibility into their company’s security posture with a new security analytics view (Figure 4) that will help shed light on possible vulnerable areas in their endpoints. Customers can monitor overall endpoint security health, quickly identify weak spots in their network, and take the necessary resolution actions. Windows Defender ATP will help identify vulnerable areas in endpoints by providing protection score across a wide set of Windows security technologies.


Figure 4: Security Analytics

  • Set of new APIs – We are expanding our set of security graph APIs to provide more flexibility to customers interested in using Windows Defender ATP data together with their security information and event management (SIEM) system. Our new APIs will allow customers to get more information on what’s going on and also take actions needed.

Finally, we plan to extend Windows Defender ATP to also cover the Windows Server platform, starting with Windows Server 2012 R2 and 2016 releases. We are also working on supporting more platforms beyond Windows, and plan to share more information about it later this year as it becomes available.

We encourage you to learn more and experience the current version of Windows Defender ATP by signing up for our 90-day free trial today. Please note that we plan to release our new Fall Creators Update features for preview later this year around the September-October timeframe.



Avi Sagiv
Principal Program Manager, Windows Defender ATP

Continue reading...
 
Last edited by a moderator:

ncage

Level 2
Watched a video on this and it seems pretty nice. Seems kind of like cylanceprotect & cylance optics the difference being cyclance will actually protect you from the threat and show you what the malware was trying to do rather than being a postmortem process.

I'm a msdn enterprise subscriber and i was hoping i could give this a run for free and it doesn't appear like i can.

Hopefully with microsoft getting all this analytics data it will make windows that much better in the future. I will definitely be keeping a eye out.
 
  • Like
Reactions: Parsh

ispx

Level 13
Verified
I get why they don't market this for home users

That looks way to advanced for the average user.
allow me to decipher your post.

your post has two sentences :

I get why they don't market this for home users
sentence one would mean that you understand why this product is not for home users,

there can be no other meaning to what you wrote.

That looks way to advanced for the average user.
sentence two you are now explaining what you wrote in sentence one,

by saying that this product is way too advanced for an average user.

what you wrote in these two sentences can only be understood one way which is : the home user is an average user.

which is why i said that you are assuming that the home user is an average user, which is a wrong assumption.

now whether you meant one home user or some home users or all home users is besides the point.

your post states only & only one thing that the home user is an average user, be it one user some users or all users is secondary.

you can thank me for making you understand what you wrote in your post. it has been a pleasure making you understand.
 

Windows Defender Shill

Level 7
Verified
This is a weird thing for you to get mad at......But you did

Average - a number expressing the central or typical value in a set of data, in particular the mode, median, or (most commonly) the mean, which is calculated by dividing the sum of the values in the set by their number.

All - used to refer to the whole quantity or extent of a particular group or thing.

These terms are NOT synonymous with one another, and cannot be interchanged or interpreted to mean so.

*I don't come to MT for pointless arguments (I do that on political sites). So me and you are done. Have a nice night!
 
  • Like
Reactions: frogboy and ispx
5

509322

Exploit Guard is slated for Enterprise\Education at this time.

Microsoft is very unlikely to make the listed features available to consumer Windows users.
 
  • Like
Reactions: Andy Ful and XhenEd

EASTER

Level 3
Verified
Exploit Guard is slated for Enterprise\Education at this time.

Microsoft is very unlikely to make the listed features available to consumer Windows users.
Well that just throwed cold water on any anticipation or expectations for Home models.

But you can look at that another way. It will keep the vendors in development for those without the more hardened versions.
 
  • Like
Reactions: ispx
5

509322

Well that just throwed cold water on any anticipation or expectations for Home models.

But you can look at that another way. It will keep the vendors in development for those without the more hardened versions.
People would know this stuff if the people who write the articles would clearly identify what versions of Windows - Home, Pro, Enterprise, Education - the features are to be implemented.

Microsoft does this same irritating thing itself. They will make an official post that says "Windows 10," but only by reading the entire article does one realize that they were only referring to the Enterprise\Education versions.

Sometimes you don't know that Microsoft did or did not implement something until you actually have your hands on a new version of Windows.
 
Last edited by a moderator: