In this blog post, I am going to talk about one of the main components of the Microsoft Defender for Endpoint (Check the Intro Blog Post Here), which is the Microsoft Defender Antivirus, also known as Next Generation Protection. Remember that in previous blog posts we’ve talked about how Microsoft Defender for Endpoint uses and amplify a lot of the built-in Windows Security features, and the built-in Antivirus engine is one of them.

Read other parts here:

P1: Microsoft Defender for Endpoint – Architecture

P2: MS Defender for Security Strategy & Role of AI

P3: MS Defender for Endpoint – Threat and Vulnerability Management (TVM)

P4: MS Defender for Endpoint – Attack Surface Reduction ASR

P5: Microsoft Defender Antivirus Internal Mechanics

P6: Microsoft Defender Endpoint Detection & Response (EDR)

If malware gets delivered to your endpoints and, thus, bypassed the previous controls we’ve talked about previously such as Threat and Vulnerability Management (TVM) and Attack Surface Reduction (ASR), it is up to the Microsoft Defender Antivirus to stop that malware from running. This is also called pre-execution blocking. But before talking about that, let’s talk about a branding issue here.

You have all undoubtedly heard about Microsoft Defender Antivirus which is automatically enabled and installed on Windows 10 devices. Unfortunately, due to its history, Defender Antivirus still battles with a lot of bias. However, in recent years the solution went from mediocre at best, to becoming one of the most effective and highest-ranking anti-malware solutions!

Microsoft then introduced Microsoft Defender for Endpoint which is a comprehensive endpoint protection platform. But make no mistake: Microsoft Defender Antivirus is not the same as Microsoft Defender for Endpoint.

With that in mind, you can think of Microsoft Defender for Endpoint as a brand that represents many of Microsoft security capabilities that already exist in Windows 10 (including Microsoft Defender Antivirus), in addition to other sensors and capabilities, and with deep cloud integration.

Microsoft Defender Antivirus is Microsoft Defender for Endpoint’s ‘next generation protection’-component that combines machine learning, big data analysis, in-depth threat research and Microsoft’s cloud infrastructure to protect devices. It uses behavior monitoring, heuristics, and real-time threat protection, to detect and block malicious file or fileless threats. Through the power of cloud, it detects and blocks new and emerging threats almost instantly.

I believe Microsoft thought that instead of building these capabilities from scratch in the Microsoft Defender for Endpoint product, it is easier to have Microsoft Defender for Endpoint integrate with and use the native Microsoft Defender Antivirus capabilities. To confuse you more, Microsoft Defender Antivirus is also called [Next Generation Protection] in Microsoft Defender for Endpoint documentation. So, when we talk about Microsoft Defender for Endpoint Next Generation Protection, we are referring to the Microsoft Defender Antivirus functionalities.

DISCLAIMER: This content was written for the “Microsoft 365 Security for IT PRO 2020/2021” Edition which talks in great details about the entire security stack for Microsoft 365. Newer version of the book is now released and can be accessed here. I encourage you to download the book to get updated content of defender for endpoint and many other M365 security products.

Microsoft 365 Security for IT PRo

Microsoft Defender Antivirus Features

As shown in Figure below, Microsoft Defender for Endpoint uses the Windows 10 Microsoft Defender Antivirus engine for:

  1. Real-Time Protection: using local ML models, behavioral and heuristics to block threats (pre-execution sensors).
  2. Cloud-delivered protection complements real-time protection by sending file metadata and file samples to the cloud for further analysis.
  3. Blocking Potentially Unwanted Applications (PUA): apps that are deemed unsafe but may not be detected as malware can be blocked.
  4. Tamper Protection essentially locks Microsoft Defender Antivirus and prevents its security settings from being changed by local administrators.

In this blog, we are going to look at each feature in great details to so you can understand how Microsoft Defender Antivirus helps you protect your endpoints and how it works well (better together) with Microsoft Defender for Endpoint.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 1

Better Together

The question I keep getting is “what if I am using a third-party antivirus solution on my Windows 10 machines?”. Well, although better together (Microsoft Defender for Endpoint and Microsoft Defender Antivirus), you can use Microsoft Defender for Endpoint with third-party antivirus, though consider that if you are using Microsoft Defender for Endpoint together with a non-Microsoft antivirus solution, Microsoft Defender Antivirus automatically goes into passive mode. This means real-time protection and threats are not remediated by Microsoft Defender Antivirus.

To use the full feature set of Microsoft Defender for Endpoint and gain more visibility, it is recommended to use Microsoft Defender Antivirus as your main and only antivirus solution. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender for Endpoint capabilities, such as Endpoint Detection and Response and Automated Investigation and Remediation, you get better protection that’s coordinated across products and services.

In the next subsections, I will try to list why I recommend using Microsoft Defender Antivirus as your only installed and active antivirus engine if you are going to use Microsoft Defender for Endpoint.

Attack Surface Reduction ASR

Microsoft Defender Antivirus is the client-side component, which is used to, for example, block execution of an application. As such, ASR Rules which aim to do just that won’t work if Defender Antivirus isn’t used.

Blocking Files

One of the Microsoft Defender for Endpoint EDR response actions is to block a file. Microsoft Defender Antivirus must at least be running in Passive mode for your security team to be able to block a file. However, to use a custom indicator to block or allow a file, your organization should use Microsoft Defender Antivirus and have the cloud–based protection capability enabled.

Network Protection

ASR Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). Network Protection requires that Microsoft Defender Antivirus real-time protection and cloud-delivered protection to be enabled.

Details About Blocked Malware

You get more details and actions for blocked malware if you use Microsoft Defender Antivirus as your main antivirus.

Performance

Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use both offerings together.

Threat Analytics and Configuration Score

Microsoft Defender Antivirus collects underlying system data used by Threat Analytics and TVM Configuration Score.

Integration of OneDrive Files Restore

If a ransomware threat is found on your device, Microsoft Defender Antivirus will notify you of the threat, help you remove the ransomware from your device, and give you the option to use OneDrive Files Restore so you can recover your OneDrive files to the state they were in before the attack occurred. The date and time that Microsoft Defender detected the attack will be pre-selected in Files Restore, making the process simple and easy to use.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 2

1. Real-Time Protection

Microsoft Defender for Endpoint Real-Time Protection (a.k.a always-on protection) is the core element of Microsoft Defender Antivirus and it provides Microsoft Defender for Endpoint a lot of insights and information about what’s happening at the endpoint.

Real-time protection means continuously inspecting files, processes, registry keys and more. Beyond signature-based detection, it uses behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.

Configuration with Group Policy

To configure real-time protection using group policy, complete the following steps:

  • Open the Group Policy Editor console. Go to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus. Configure the following settings:
    • Allow antimalware service to startup with normal priority.
    • Allow antimalware service to remain running always.
  • In the Microsoft Defender Antivirus details pane, double-click Real-time Protection. Or, from the Microsoft Defender Antivirus tree on left pane, click Real-time Protection. You can see all the configuration available for real-time protection.

Next, configure the scan option by going to the Scan key as illustrated in Figure below Here you can find a lot of configuration items to help you customize how real-time protection works.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 3

Configuration with Microsoft Endpoint Manager

You can also configure real-time protection for onboarded machine from Microsoft Endpoint Manager. Go to https://endpoint.microsoft.com/, then navigate to Endpoint Security > Antivirus > Create Policy.

Pick Windows 10 or later for the Platform and Microsoft Defender Antivirus for the Profile. Click Create. Give the profile a name and click Next. You can see all the available configuration settings.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 4

2.Cloud-Based Protection

Think of this as a complement to the real-time protection feature, we’ve just discussed. At the endpoint itself, Microsoft Defender Antivirus has many local detection capabilities. However, Microsoft Defender Antivirus might ask the cloud about files that it can’t tell for sure whether they are malicious or not. This is what cloud-based protection is.

Let me give you a quick example of how Microsoft Defender Antivirus uses the power of the cloud to identify malware and zero-day attacks which are shown in the below figure:

  • Step 1: Microsoft Defender Antivirus real-time protection (if enabled) inspects a file and uses different methods such as behavioral, heuristics and local ML models (it takes milliseconds).
  • Step 2: if Microsoft Defender Antivirus can’t tell if the file is malicious and Microsoft Defender Antivirus cloud-delivered protection is enabled, it sends metadata about the file to the cloud. Metadata is just a small size of data such as the hash of the file.
  • Step 3: The cloud backend consults the Microsoft Intelligent Security Graph for a match. If there is a match, the cloud returns the verdict about the file to the client whether it is clean or malicious (this takes milliseconds). If there is no match (this is the first time we see this file), the cloud might ask the client to upload the file to the cloud to perform a more thorough analysis.
  • Step 4: The client holds the file and uploads it to the cloud for further analysis.
  • Step 5: The cloud back-end performs advanced analysis (ML, detonation chamber, big data). This might take minutes, hours or even days in case of big data analysis.
  • Step 6: The client will wait for a pre-defined period before allowing the file to run, even if it didn’t receive a reply from the cloud (depends on the value of the Cloud Block Timeout configuration setting). There is a risk that the file might be malicious, but it is a compromise between waiting for hours for the cloud to get back a result, and the user who is waiting to run the file.
  • Step 7: The cloud finishes analysis after hours perhaps. If the file turned out to be clean, we are good. If not, then that client is already compromised. However, the cloud will generate a new signature for that malware and send it back to the client and future clients so that when they encounter this file, they know already it is malicious.
Microsoft Defender Antivirus - Microsoft Defender for Endpoint 5

You can see that we need many pieces to work together to defend against today’s zero-day attacks. You need a strong endpoint real-time protection engine at the endpoint level, and you need the power of the cloud to help in this fight. You might wonder whether this means the client needs to consult the cloud and wait for an answer, or what happens if there is no internet connection at that time?

Well, here is how things are designed (shown in Figure below). Each Microsoft Defender Antivirus client has local machine learning models, and behavior-based detection algorithms, so that it can use all that logic offline and without consulting the cloud. This operation takes only milliseconds.

If the client suspects a file that is suspicious, and if the client is connected to the internet, then he consults the cloud by sending only metadata of the file so that the cloud can use metadata-based machine learning models to determine if the file is malicious or not. This only takes milliseconds and is considered real-time protection.

If these metadata-based machine learning models still can’t find the answer, the cloud might request a sample of that file. The reason why the cloud might request a sample of the file is because there are some additional features that are available in the cloud that wouldn’t be necessary performant to do on the client. The end goal here is to preserve the end user experience and not lock the file for a long time.

When that happens, sample analysis-based machine learning models are used in the cloud which might take seconds. At that level, quick extraction of additional features is performed with deep learning models to figure out whether the file is clean or malicious. The cloud might say “I think that the file is suspicious, so please hold for couple of seconds”. Once the cloud determined the truth about the file, it sends the response back to the client. This is also considered real-time protection capability as we are talking about mere seconds here.

In certain scenarios, detonation-based machine learning models can be invoked in the cloud. In this model, the cloud can runs the malware within a virtual machine and observe the behavior of the suspected file. The bad news is that new malware is often designed to evade such techniques and might include built-in detection features to detect it is running within a sandbox/detonation environment. The good news is that the cloud can do more feature extraction in the virtual environment and run them back through other machine learning models. This process can take a couple of minutes to complete. This doesn’t provide real-time protection but provides one more layer of protection and intelligence!

The cloud finally can choose to invoke the heavy stuff, big data analysis, which can take up to hours or days to run. In such analysis, the cloud uses signals from across the company and other endpoints to deeply understand the behavior of that file.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 6

In the last two scenarios, when the cloud uses detonation-based machine learning models or big data analysis, the client will not wait for minutes or hours for a response back from the cloud. If the file is infected and the cloud could not determine it is a bad file in seconds, the client will allow that file to run. In the background, the cloud will continue analyzing to establish a verdict about that file. If, in time, it turns out the file (or process) was malicious, we may have lost patient zero, but all other connected endpoints will be able to block the threat almost instantaneously. The verdict on the malware isn’t just made available to your environment: all other Microsoft Defender for Endpoint customers benefit from it as well, and vice versa.

Disconnected Clients

What if the client is not connected to the internet for some reason? Does it mean you are left unprotected? The answer is ‘no’. You are still protected because the client has its own machine learning models that it can use to detect malicious files. Roughly 75% of the protection happens at the client level using local machine learning models that don’t need cloud connectivity. Even if you don’t have cloud connectivity and Microsoft Defender Antivirus couldn’t identify a file as suspicious at the beginning and allow it to run, that malicious file will eventually start doing bad things (even in the case of fileless attack). This could be a process injection or doing something bad on the system, and when that happens, the Microsoft Defender for Endpoint behavioral based detection kicks in and takes actions immediately (post-execution with EDR).

When you have endpoints that you know will be disconnected from the internet for a long time, your best defense approach is to invest in turning on and configuring Attack Surface Reduction capabilities  to compensate the lack of cloud-based protection.

Configure and Validate Network Connectivity

For cloud-delivered protection to work, the Microsoft Defender Antivirus needs to connect to the cloud backend services and you must configure your network to allow connections between your endpoints and certain Microsoft servers.

Note: For a full list of URLs you need to allow in your network, check Microsoft documentation here.

Cloud-Delivered Protection Blocking Levels

When the cloud returns a verdict for a submitted file (sample) from the client, you can configure your tolerance-to-risk ratio by configuring blocks level in Microsoft Defender Antivirus:

  • Blocking level = High:  applies a strong level of detection while optimizing client performance (greater chance of false positives).
  • Blocking level = High+: applies additional protection measures (may impact client performance and increase risk of false positives).
  • Zero tolerance blocks all unknown executables.

Enable Block at First Sight

Imagine the following scenario: most wide-scale attacks like ransomware take 5 or 8 hours to finish and hit thousands or millions of machines globally. Depending on periodically pulling new definition updates from the cloud (every 4 hours for example) doesn’t work with such fast attacks that start and end before clients get updated with signatures and information about this new zero-day attack.

Even with cloud-delivered protection, there is a possibility that this kind of attack might go unnoticed. Allow a malicious file to run on the client first before consulting the cloud might not be an optimal solution as the malware might delete itself once it runs or even changes its appearance (think of metamorphic and polymorphic malware that can change its shape and signature with time on the same machine). This means that if we allow the malware to run and then start to consult the cloud for better protection, we may already be too late.

A better approach is to let Microsoft Defender Antivirus block the file from running once the client attempts to run an executable that was not seen before. The file (process) remains blocked until a sample is sent to the cloud backend for analysis. Only after the file is uploaded to the cloud for further processing, and the verdict came back clean, it can run locally.

This process ensures that the cloud backend gets a copy of the file and can process it using ML models or detonation chamber and decide whether it is safe or malicious. This also means we guarantee that other clients who encounter the same file get instant response from the cloud and, as such, additional victims are avoided. Using Block at First Sight reduces the response time for future clients from hours to seconds, yet may be sacrificing the experience of the first user/device that encounters a file. 

Note: To learn more about metamorphic and polymorphic malware, check this article here.

The feature Block at first sight is all about preventing the malicious file from running on the client until the file is completely uploaded to the cloud. Let me walk you through a scenario to explain how this feature works as shown in the below figure. If the below conditions are met:

  • Microsoft Defender Antivirus encounter a suspicious but undetected file (that is, Microsoft Defender Antivirus does not know if the file is safe or clean).
  • The file type is executable or non-portable executable file (such as JS, VBS, or macros – requires Windows version 1803 or later).
  • The file is downloaded from the internet or originated from the Internet zone.

And Block at First is enabled, then the following will happen:

  • Hash value of the file will be checked by the cloud to determine if this is a previously detected file.
  • If the cloud backend is unable to decide, Microsoft Defender Antivirus locks the file locally and uploads a copy to the cloud.
  • Users will see a longer “Running security scan” message in the browser while the file is being uploaded. This might result in what appears to be slower download times for some files.
  • Only after the cloud has received the file, Microsoft Defender Antivirus will release the lock and let the file run.
  • The cloud performs additional analysis to reach a determination for all future encounters of that file.
Microsoft Defender Antivirus - Microsoft Defender for Endpoint 7

To enable this feature locally on your Windows 10 client, make sure that both Cloud-delivered protection and Automatic sample submission are both turned on.

To configure this feature using Group Policy:

  • Go to Computer configuration and click Administrative templates.
  • Expand the tree to Windows components > Microsoft Defender Antivirus > MAPS, configure the following Group Policies, and then click OK
    • Double-click Join Microsoft MAPS and ensure the option is set to Enabled. Click OK.
    • Double-click Send file samples when further analysis is required and ensure the option is set to Enabled and the additional options are either Send safe samples (1) or Send all samples (3).
  • In the Group Policy Management Editor, expand the tree to Windows components > Microsoft Defender Antivirus > Real-time Protection:
    • Double-click Scan all downloaded files and attachments and ensure the option is set to Enabled, and then click OK.
    • Double-click Turn off real-time protection and ensure the option is set to Disabled, and then click OK.

To configure this feature using Microsoft Endpoint Manager, go to https://endpoint.microsoft.com/, then navigate to Endpoint Security > Antivirus > Create Policy.

Pick Windows 10 or later for the Platform and Microsoft Defender Antivirus for the Profile. Click Create. Give the profile a name and click Next. Ensure the following settings are configured under the Cloud Protection section.

  • Cloud-delivered protection: Enable
  • File Blocking Level: High
  • Time extension for file scanning by the cloud: 50
  • Submit samples consent: Send all samples automatically
Microsoft Defender Antivirus - Microsoft Defender for Endpoint 8

Cloud Block Timeout Period

As you already know by now, when the client suspects that a file is suspicious, it asks the cloud for a help and will lock the file until it receives an answer from the cloud. By default, the period that the file will be blocked is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.

Note: Block at first sight and its prerequisites must be enabled before you can specify an extended timeout period.

To configure the cloud block timeout period using group policy:

  • In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
  • Expand the tree to Windows components > Microsoft Defender Antivirus > MpEngine
  • Double-click Configure extended cloud check and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
Microsoft Defender Antivirus - Microsoft Defender for Endpoint 9

You can also configure the timeout period in Microsoft Endpoint Manager. To configure cloud-delivered protection using Microsoft Endpoint Manager, go to https://endpoint.microsoft.com/, then navigate to Endpoint Security > Antivirus > Create Policy

Pick Windows 10 or later for the Platform and Microsoft Defender Antivirus for the Profile. Click Create. Give the profile a name and click Next. You can see the available configurations under Cloud Protection section.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 9

Enable Cloud-Delivered Protection

You can enable the cloud-delivered protection using many methods. The simplest way is enabling it on individual devices by using the Windows Security App. Although this approach is great for testing purposes, or on a personal device. This isn’t scalable and shouldn’t be used in a corporate environment.

  • Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender.
  • Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label. Click Manage Settings.
  • Confirm that Cloud-based Protection and Automatic sample submission are switched to On.

There is a PowerShell command you can use to do exactly the same:

Set-MpPreference -MAPSReporting Advanced

Set-MpPreference -SubmitSamplesConsent SendAllSamples

You can also use Group Policy. Go to Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus > MAPS.

  • Double-click Join Microsoft MAPS. Ensure the option is enabled and set to Basic MAPS or Advanced MAPS. Select OK.
  • Double-click Send file samples when further analysis is required. Ensure that the option is set to Enabled and that the other options are either of the following:
    • Send safe sample (1)
    • Send all samples (3)

To configure cloud-delivered protection using Microsoft Endpoint Manager, go to https://endpoint.microsoft.com/, then navigate to Endpoint Security > Antivirus > Create Policy

Pick Windows 10 or later for the Platform and Microsoft Defender Antivirus for the Profile. Click Create. Give the profile a name and click Next. You can see the available configurations under Cloud Protection section.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 11

3.Blocking Potentially Unwanted Applications (PUA)

For security professionals, unwanted applications often mean malware. However, there is a category of software that sits in between malicious software and safe/clean software. Their behaviors might affect the performance of your endpoint and they might behave differently in the presence of security products. They usually have poor reputation that makes you think twice before installing them. We will call this new category as Potentially Unwanted Applications (PUA) which includes:

  • Advertising software: software that displays advertisements or promotions, including software that inserts advertisements to webpages.
  • Bundling software: software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
  • Evasion software: software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
Note: To understand more how Microsoft classify and label such category of software, check their documentation here.

When a PUA is detected at the endpoint (or any attempt to download, move, run, or install), Microsoft Defender Antivirus blocks the file and moves it to quarantine and a notification is displayed to the user. The notification will be prefaced with PUA: to indicate its content.

Configuration with Group Policy

To configure PUA using group policy, follow the steps below:

  • In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
  • Expand the tree to Windows components > Microsoft Defender Antivirus.
  • Double-click Configure protection for potentially unwanted applications.
  • Select Enabled to enable PUA protection.
  • In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting will work in your environment. Select OK.

Configuration with Microsoft Endpoint Manager

You can configure PUA from Microsoft Endpoint Security. Go to https://endpoint.microsoft.com/, then navigate to Endpoint Security > Antivirus > Create Policy.

Pick Windows 10 or later for the Platform and Microsoft Defender Antivirus for the Profile. Click Create. Give the profile a name and click Next. You can see the available configurations under Remediation section > Action to take on potentially unwanted apps. Options are:

  • Not configured
  • Disabled
  • Enabled
  • Audit Mode

PUA audit mode is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 12

Configuration with PowerShell

Finally, you can also use PowerShell to configure PUA:

//To enable PUA protection

Set-MpPreference -PUAProtection enable

//To set PUA protection to audit mode

Set-MpPreference -PUAProtection auditmode

//To disable PUA protection

Set-MpPreference -PUAProtection disable

Note: The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via Microsoft Defender SmartScreen. Click here for more details.

4.Tamper Protection

When your machine is under attack, the first thing the attacker will try to do is to disable your antivirus solution to evade detection and to work freely on your device. Doing so, enables the attacker to connect to the Command and Control center, download his tools, perform privilege escalation all whilst your antivirus is disabled and, thus, remaining undetected. In fact, malware such as TrickBot, GootKit, and the Nodersok trojans make a concerted effort to bypass Microsoft Defender Antivirus to remain resident on an infected computer or to bypass its protections.

Note: The Trickbot trojan is a banking trojan that attempts to steal online banking credentials and it targets machines with Microsoft Defender as the main antivirus solution. According to Forbes, it was thought to have compromised no less than 250 million email accounts to distribute the malware payload. When it loads, it starts by disabling Microsoft Defender Antivirus services and processes to evade detection. In fact, there is a publication on how this trojan can disable Microsoft Defender Antivirus services in great details.

There are also times when the security team in big organizations want to enforce a set of security rules for Microsoft Defender Antivirus, and they don’t want the local admins in remote offices to simply disable the Microsoft Defender Antivirus for any reason. By default, there is nothing that prevents a local admin on the machine from stopping the Microsoft Defender Antivirus service or turning it off with a (local) GPO.

The Windows 10 and the Microsoft Defender team worked together to solve this problem by introducing Tamper Protection. Tamper Protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:

  • Configuring settings in Registry Editor on your Windows machine.
  • Changing settings through PowerShell cmdlets.
  • Editing or removing security settings through group policies.

Tamper protection also stops malware from disabling Microsoft Defender Antivirus cloud-based detection or delete security intelligence updates once the setting is enabled.

Instead, you only can change Microsoft Defender settings though the Windows 10 user interface (in case you are not using MDM) or an enterprise management tool (such as Intune) for enterprises.

Even if you are using a third-party antivirus software, you should enable tamper protection for Microsoft Defender Antivirus because Microsoft Defender Antivirus automatically turns on (as it already exists in Windows 10) when a third-party antivirus software is removed. This means if an attacker tries to disable your third-party antivirus, he will be faced with Microsoft Defender Antivirus with tamper protection turned on.

Turn on for individual machines (for individuals)

If you don’t have the Microsoft Defender for Endpoint licenses (perhaps you are a home user or not subject to settings managed by a security team), then you can use the Windows Security app to turn on tamper protection.

  • Go to Start and start typing Defender. In the search results, select Windows Security
  • Select Virus & Threat Protection > Virus & threat protection settings.
  • Set Tamper Protection to On or Off.

Tamper Protection for Enterprises

There are a couple of ways to enable tamper protection on your Windows devices.  Tamper Protection for Enterprises is currently supported on the following Operating Systems:

  • Windows 10
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server, version 1803 or later

There are three ways to enable tamper protection on your devices:

  • A Windows 10 policy for MDM managed devices through MEM
  • A Windows policy for Tenant Attached (MEMCM managed devices) through MEM
  • A global policy configured in the Microsoft Security Center (preview)

Right now, there isn’t any way to configure tamper protection through GPO or a Powershell command line and this has it’s reasons. Tamper protection needs to be enabled and disabled in a way to ensure that no one, except the IT admin, can enable or disable it.

What if an attacker tricks a Windows 10 machine by sending a malicious instruction to disable tamper protection on the device (man-in-the-middle) or how can we ensure that tamper protection configuration from MDM is authentic and really came from MDM not from other source?

In the security world, this is solved by signing the request. We need to sign the tamper protection instructions is sent to Windows, so that your endpoints authenticate your tamper protection instructions before applying them.

This works by connecting both the Microsoft Defender for Endpoint and Microsoft Endpoint Manager, and once those two are talking to each another, there will be a signed payload exchanged between the two services as shown in the figure below.

When IT admins decide to turn-on tamper protection, the Microsoft Defender for Endpoint policy pushed to the client contains that signed payload for the client to ensure it was not tampered with. Even if man-in-the-middle attack happens or somebody tries to modify registry keys locally, only Intune and only Microsoft Defender for Endpoint can modify the on or off state of the local Microsoft Defender Antivirus.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 13

Once tamper protection is turned on, all the tamper protection events are sent to Microsoft Defender for Endpoint to get organization-wide visibility on the status of tamper protection across all your onboarded endpoints as shown in the below figure. When an attacker, whether it be malware or a local user, attempts to tamper with Windows Security or Microsoft Defender settings, an alert will be pushed to be available within Microsoft Defender for Endpoint. Administrators can then dig into these alerts to see what machine are being targeted and perform remediation.

Exclusive for Microsoft Endpoint Manager. At time of writing, Microsoft Endpoint Manager is the only MDM system that can be used to configure tamper protection. There haven’t been any announcement to bring this capability to third-party MDM systems.

If you already have Microsoft 365 E5, you are licensed to use Intune to manage devices, and you have Windows 10 1709 or later, you can use Microsoft Endpoint Manager to centrally configure tamper protection for your managed devices. Go to https://endpoint.microsoft.com/, then navigate to Endpoint Security > Antivirus > Create Policy.  Pick Windows 10 or later for the Platform and Windows Security experience for the Profile. Click Create. Give the profile a name and click Next. Configure the Enable tamper protection to prevent Microsoft Defender being disabled.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 14

The same flow can also be used to enable tamper protection on devices managed by Configuration Manager, which are being sync’ed to Microsoft Endpoint Manager through Tenant Attach. Tenant Attach is a feature of Microsoft Endpoint Manager Configuration Manager, which allows you to manage Configuration Manager devices (which don’t need an internet connection) through the MEM portal. The main advantage of using this feature instead of a native MDM configuration through Intune is that this policy will also be applicable to Windows Server devices (as Intune doesn’t have any support for Server OS).

While management through the MEM portal is great, this still requires an organization to use MEM. A lot of organizations are deploying Microsoft Defender for Endpoint, but using a different device management system. Until very recently, these organizations could not enable tamper protection. In March of 2021, the MDE team provided a global switch to enable tamper protection through the Microsoft Security Center.

To enable this, navigate to settings within the Security Portal, select endpoints > advanced features.

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 15

It’s important to note that this feature is still in preview and is applicable to your entire organization. When you enable this, all your MDE enrolled Windows devices will have tamper protection enabled. If you want to exclude some devices from having tamper protection enabled, you can create a policy within MEM to do so. Policies within MEM have precedence over the global configuration. This configuration is a huge step forward to bringing tamper protection to every organization.

When enabled using any of the methods mentioned above, workstations will show that this setting is being “managed by your administrator” as illustrated in:

Microsoft Defender Antivirus - Microsoft Defender for Endpoint 16

There are three different ways to configure tamper protection, but what method should you choose? This depends entirely on your organization and management systems. If you are not using Microsoft Endpoint Manager (tenant attach or MDM), then your only choice is the global switch within the Security Center. I highly recommend looking into enabling, otherwise every local administrator is able to disable Microsoft Defender.

If you are currently using Microsoft Endpoint Manager, I would recommend to enable to global switch to ensure all your devices are correctly configured. If you need to exclude a few devices (for troubleshooting for example), create a policy within MEM to disable it.

About this Microsoft Defender for Endpoint Blog Series

During the years, I have worked with many security and Infrastructure services, and I usually don’t find good information in the web on how a product or service works. For me to master a service, I need to learn how it thinks, the internal mechanics, and even how the product group who designed it really thought about different features.

So, I started blogging years back to reflect my understanding and help others find useful information that is not found elsewhere on the internet (at least in one place) and direct from my experience.

This blog series is written after careful consideration and will help you imagine how Defender for Endpoint works from the bottom up. I rarely have time to blog these days, so I might not update the blog on new features. However, the content here will give the information you need to build on top.

CREDITS Big thanks to my friend and fellow Microsoft MVP and RD: Ahmad Nabil who helped me put such content and the Microsoft 365 Security for IT PRO book family who helped in reviewing and editing this chapter. Newer version of the book is available here with updated content and valuable content about other Microsoft 365 security services. Download the new book here.