Microsoft includes “Windows Defender” in names of several security capabilities that the company provides. In discussions with Minerva Labs customers and partners I’ve witnessed frequent confusion regarding the role that these technologies can play in an enterprise security architecture. What benefits do they offer? Which ones are included in the base operating system? What are their dependencies?
Below is my attempt at untangling the “Windows Defender” naming mess. If you’re impatient, scroll down to the end to see the table that summarizes all the names and capabilities. Note that I’ve assembled these details after carefully examining and interpreting Microsoft’s public documentation. If you notice any errors or omissions, I’d love to hear about them via Twitter or our contact form.
Windows Defender AV and Windows Defender ATP
The standalone name Windows Defender refers to malware protection built into Windows 8. In earlier versions of the OS, Microsoft used the name Microsoft Security Essentials. Starting with Windows 10, Microsoft enhanced the anti-malware component built into the OS and named it Windows Defender Antivirus (Windows Defender AV). Windows Defender AV is also available as part of Windows Server 2016 and later, where it’s sometimes called Endpoint Protection. In addition, Microsoft uses the name Microsoft Antimalware for Azure to refer to the anti-malware agent on the virtual machines that run on the Azure Cloud platform; this technology’s capabilities are consistent with those of Windows Defender Antivirus.
Starting with Windows 10 version 1703 and Windows Server 2016, the OS also includes an app called Windows Defender Security Center, which allows end-users to review the status of built-in and (beginning with Windows 10 version 1709) compatible third-party security aspects of the system. Windows Defender Antivirus as well as Windows Defender Security Center are free components built into the modern Windows operating system. Microsoft sometimes also uses the name Windows Defender Security Center to refer to the online portal for the commercial product Windows Defender ATP, which is described below.
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a commercial product from Microsoft “that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.” It competes with third-party solutions that offer Endpoint Detection and Response (EDR) capabilities, focusing on scenarios where preventative measures may have failed and allowing the organization to detect, investigate and contain the incident. It also offers visibility into the data reported by other compatible Microsoft security products. Windows Defender ATP requires the higher-end Windows Enterprise E5 license. It can capture data from endpoints running Windows 10 version 1607 or later, Windows Server 2016, and, as long as the customer purchased the appropriate license, Windows 7 and Windows 8.1, and potentially from other platforms.
Other “Windows Defender” Capabilities
Windows Defender SmartScreen is a free feature of Windows 10 designed to prevent end-users from accessing known malicious websites or opening suspicious files downloaded from the Internet. Windows 10 prior to version 1703 called this feature SmartScreen Filter and Windows SmartScreen.
Microsoft uses the name Windows Defender Exploit Guard (Windows Defender EG) to refer to several host-based intrusion prevention capabilities of Windows 10 version 1709 and Windows Server 2016 or later. Some aspects of Windows Defender EG require Windows Defender AV:
- Exploit protection provides exploit mitigation measures akin to those in the now-retired Enhanced Mitigation Experience Toolkit (EMET). Exploit protection is free as part of the compatible Windows versions. It doesn’t require special licensing and doesn’t depend on other Microsoft products such as Windows Defender AV.
- Attack surface reduction “helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.” It comes with rules that block risky actions, such as blocking Windows API calls from Microsoft Office macros and blocking executable content from email messages. This doesn’t require special licensing. It only works if Windows Defender AV with real-time protection is enabled.
- Network protection blocks attempts by apps to connect to “low-reputation” hosts via HTTP and HTTPS. It helps restrict connections to malicious domains that might host exploit kits or phishing scams, extending the free Windows Defender SmartScreen functionality mentioned above. This feature requires a Windows enterprise license and Windows Defender AV with real-time protection and cloud-delivered protection.
- Controlled folder access aims to lower the risk of ransomware destroying files in designated “protected folders.” This capability is available for Windows 10 version 1709 and later, and Windows Server 2016. It requires Windows Defender AV with real-time protection enabled.
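Because three of the four Exploit Guard components depend on Windows Defender AV being in a particular state, it is worth verifying the actual configuration of a host rather than inferring it from the license. The following PowerShell, added here as an example and not code from the original post or from Microsoft, reads the output of the Defender cmdlets and reports each component alongside whether its stated prerequisite (real-time protection, and for network protection also cloud-delivered protection) is met. The value-to-label maps for the numeric settings and the use of `Get-ProcessMitigation -System` to sample exploit protection are my assumptions based on the Defender and ProcessMitigations module documentation.

```powershell
# Added example (not from the original post): report which Windows Defender Exploit Guard
# components are configured and whether their Windows Defender AV prerequisites are met.
# Run in an elevated PowerShell session on Windows 10 1709+ / Windows Server 2016 with the
# Defender and ProcessMitigations modules present.

function Get-ExploitGuardReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    $realTime = [bool]$status.RealTimeProtectionEnabled
    # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced membership
    $cloud    = ([int]$pref.MAPSReporting) -ne 0

    # Value-to-label maps (assumed from the Set-MpPreference documentation)
    $asrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $cfaMode   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 3 = 'Block disk modification only'; 4 = 'Audit disk modification only' }
    $npMode    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

    # Attack surface reduction: rule GUIDs and their actions are parallel arrays
    $asrRules = @()
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $asrRules += [pscustomobject]@{ RuleId = $ids[$i]; Action = $asrAction[[int]$acts[$i]] }
    }
    $activeAsr = @($asrRules | Where-Object { $_.Action -ne 'Disabled' }).Count

    # Exploit protection (the EMET successor) has no AV dependency; sample the system-wide DEP setting
    $dep = $null
    try { $dep = (Get-ProcessMitigation -System -ErrorAction Stop).Dep.Enable } catch { }

    $np  = [int]$pref.EnableNetworkProtection
    $cfa = [int]$pref.EnableControlledFolderAccess

    [pscustomobject]@{
        RealTimeProtection              = $realTime
        CloudDeliveredProtection        = $cloud
        ExploitProtectionSystemDep      = $dep
        AsrRules                        = $asrRules
        AsrEffective                    = $realTime -and ($activeAsr -gt 0)
        NetworkProtection               = $npMode[$np]
        NetworkProtectionEffective      = $realTime -and $cloud -and ($np -ne 0)
        ControlledFolderAccess          = $cfaMode[$cfa]
        ControlledFolderAccessEffective = $realTime -and ($cfa -ne 0)
    }
}

$report = Get-ExploitGuardReport
$report | Format-List

# Point out the dependency gaps the post describes
if (-not $report.RealTimeProtection) {
    Write-Warning 'Real-time protection is off: ASR, network protection and controlled folder access are not in effect.'
}
if ($report.NetworkProtection -ne 'Disabled' -and -not $report.CloudDeliveredProtection) {
    Write-Warning 'Network protection is configured but cloud-delivered protection is off, so it will not work.'
}
```

The `*Effective` fields combine the configured mode with the prerequisites, which is the value to alert on: a fleet report that only looks at `EnableControlledFolderAccess` will count hosts where the setting exists but real-time protection has been disabled.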
Windows Defender Application Control (WDAC) implements application whitelisting, “restricting the applications that users are allowed to run and the code that runs in the System Core (kernel).” WDAC can also limit capabilities of unsigned scripts. Enterprises can enforce WDAC policies on any edition of Windows 10 and Windows Server 2016 without additional licensing; the creation of policies requires Windows 10 Enterprise, Windows 10 Pro or Windows Server 2016. Prior to version 1709 of Windows 10, this feature was known as Windows Defender Device Guard configurable code integrity policies. Some aspects of WDAC overlap with AppLocker, which is another application whitelisting technology from Microsoft; it works on Windows 10, Windows Server 2016 and some older OS versions. Microsoft recommends deploying WDAC “at the most restrictive level possible” and then using “AppLocker to fine-tune the restrictions to an even lower level.”
Windows Defender Device Guard utilizes hardware and virtualization technologies to “isolate the Code Integrity (CI) decision-making function” from the rest of the OS to mitigate against exploits and help ensure integrity of kernel-level code. This feature is available on Windows 10 and Windows Server 2016 without additional licensing requirements. It relies on Hyper-V Code Integrity (HVCI) functionality, which is an implementation of Virtualization-Based Security (VBS), and is incompatible with other hypervisors, such as VMware Workstation and VirtualBox. It also has other hardware requirements, such as the need for the Trusted Platform Module (TPM).
Windows Defender Credential Guard isolates Windows-managed credentials and secrets, such as NTLM password hashes and Kerberos tickets, to lower the risk of credential theft and similar attacks. This free feature, available for Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise, uses the same HVCI functionality as Windows Defender Device Guard and has similar prerequisites.
Windows Defender Firewall with Advanced Security (WFAS) is the host-based firewall built into Windows 10 and Windows Server 2016. Earlier versions of Windows called this capability Windows Firewall, and it potentially lacked some of the functionality available in newer versions of the OS. WFAS can control network traffic going to and from local applications. It also supports IPsec for securing network connections.
Windows Defender System Guard refers to OS components that protect the integrity of key aspects of the operating system, starting from boot-time. Microsoft began using this name in Windows 10, version 1709. This free feature relies on the Trusted Platform Module (TPM) chip and Secure Boot technology. It utilizes a hardware-based root of trust to validate that the firmware, the bootloader, the Windows kernel and other critical OS components have not been modified.
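Device Guard, Credential Guard and System Guard share hardware and virtualization prerequisites (VBS with HVCI, a TPM, Secure Boot), and the WDAC code integrity enforcement state is exposed alongside them. The following PowerShell, added here as an example rather than code from the original post, queries the Win32_DeviceGuard WMI class together with `Get-Tpm` and `Confirm-SecureBootUEFI` and flags which of those prerequisites the local machine lacks. The code-to-label maps are assumptions taken from Microsoft's documentation of that class.

```powershell
# Added example (not from the original post): check the virtualization- and hardware-rooted
# "Windows Defender" features and their prerequisites on the local machine.
# Run elevated on Windows 10 / Windows Server 2016 or later.

function Get-VbsFeatureReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Code-to-label maps (assumed from the Win32_DeviceGuard documentation)
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    # Service codes shared by SecurityServicesConfigured and SecurityServicesRunning
    $services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (HVCI)'; 3 = 'System Guard Secure Launch' }
    $props     = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure Memory Overwrite';
                    5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'Mode Based Execution Control' }
    $ciStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Trusted Platform Module: required by Device Guard and System Guard
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmPresent = if ($tpm) { [bool]$tpm.TpmPresent } else { $false }
    $tpmReady   = if ($tpm) { [bool]$tpm.TpmReady }   else { $false }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines, which cannot have it
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    [pscustomobject]@{
        VbsStatus             = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured    = @($dg.SecurityServicesConfigured    | ForEach-Object { $services[[int]$_] })
        ServicesRunning       = @($dg.SecurityServicesRunning       | ForEach-Object { $services[[int]$_] })
        AvailableProperties   = @($dg.AvailableSecurityProperties   | ForEach-Object { $props[[int]$_] })
        KernelCiEnforcement   = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCiEnforcement = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        TpmPresent            = $tpmPresent
        TpmReady              = $tpmReady
        SecureBootEnabled     = $secureBoot
    }
}

$r = Get-VbsFeatureReport
$r | Format-List

# Map the findings back to the features described in the post
if ($r.VbsStatus -ne 'Running') {
    Write-Warning 'VBS is not running: Device Guard (HVCI) and Credential Guard cannot be active on this host.'
}
if ($r.ServicesConfigured -contains 'Credential Guard' -and $r.ServicesRunning -notcontains 'Credential Guard') {
    Write-Warning 'Credential Guard is configured but not running; check the hardware prerequisites below.'
}
if (-not $r.TpmReady)          { Write-Warning 'TPM is absent or not ready: Device Guard / System Guard hardware prerequisite not met.' }
if (-not $r.SecureBootEnabled) { Write-Warning 'Secure Boot is off: System Guard cannot validate the boot chain.' }
if ($r.KernelCiEnforcement -eq 'Off') { Write-Warning 'No WDAC policy is enforced for kernel-mode code.' }
```

The gap between `ServicesConfigured` and `ServicesRunning` is the most useful signal: a policy can push Credential Guard or HVCI to a machine that lacks the hypervisor or firmware support, and the configured-but-not-running state is what a fleet audit should surface.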
Windows Defender Application Guard isolates Internet Explorer and Edge instances when browsing untrusted websites in “a temporary, contained environment.” This feature is supported on 64-bit Windows 10 Enterprise, version 1709 or later, and Windows 10 Pro, version 1803 or later. To implement the sandbox around the browser, it relies on Hyper-V and CPU virtualization extensions. It’s not supported within virtual machines or in VDI environments, and it is incompatible with other hypervisors, such as VMware.
To better understand the way in which Microsoft’s various Windows Defender technologies fit into an endpoint security architecture, read our whitepaper on the topic.
“Windows Defender” Technologies at a Glance
The following table summarizes key aspects of the various “Windows Defender” technologies described above:

| Technology | Role | Licensing | Prerequisites and notes |
| --- | --- | --- | --- |
| Windows Defender Antivirus (Windows Defender AV) | Built-in anti-malware for Windows 10 and Windows Server 2016 or later | Free | Earlier names: Windows Defender (Windows 8), Microsoft Security Essentials; called Endpoint Protection on servers and Microsoft Antimalware for Azure on Azure VMs |
| Windows Defender Security Center | App for reviewing built-in and compatible third-party security status | Free | Windows 10 version 1703 and Windows Server 2016 or later; the name is also used for the Windows Defender ATP portal |
| Windows Defender Advanced Threat Protection (Windows Defender ATP) | Commercial EDR: detect, investigate and respond to threats | Windows Enterprise E5 | Windows 10 version 1607 or later, Windows Server 2016; Windows 7 and 8.1 with the appropriate license |
| Windows Defender SmartScreen | Blocks known malicious websites and suspicious downloads | Free | Earlier names: SmartScreen Filter, Windows SmartScreen |
| Windows Defender Exploit Guard: Exploit protection | EMET-style exploit mitigations | Free | No dependency on Windows Defender AV |
| Windows Defender Exploit Guard: Attack surface reduction | Rules that block risky actions, such as Office macros calling Windows APIs | No special licensing | Windows Defender AV with real-time protection |
| Windows Defender Exploit Guard: Network protection | Blocks HTTP/HTTPS connections to low-reputation hosts | Windows enterprise license | Windows Defender AV with real-time protection and cloud-delivered protection |
| Windows Defender Exploit Guard: Controlled folder access | Protects designated folders against ransomware | Free | Windows 10 version 1709 and later, Windows Server 2016; Windows Defender AV with real-time protection |
| Windows Defender Application Control (WDAC) | Application whitelisting for user-mode and kernel code | Enforcement on any edition of Windows 10 and Windows Server 2016; policy creation requires Windows 10 Enterprise, Windows 10 Pro or Windows Server 2016 | Formerly Device Guard configurable code integrity policies; overlaps with AppLocker |
| Windows Defender Device Guard | Isolates Code Integrity decisions using virtualization | No additional licensing | HVCI (VBS), TPM; incompatible with other hypervisors |
| Windows Defender Credential Guard | Isolates NTLM hashes, Kerberos tickets and other secrets | Free on Windows 10 Enterprise, Education, IoT Enterprise and Windows Server 2016 | Same HVCI functionality and similar prerequisites as Device Guard |
| Windows Defender Firewall with Advanced Security (WFAS) | Host-based firewall with IPsec support | Free | Formerly Windows Firewall |
| Windows Defender System Guard | Boot-time integrity of firmware, bootloader and kernel | Free | Windows 10 version 1709 or later; TPM and Secure Boot |
| Windows Defender Application Guard | Isolates Internet Explorer and Edge for untrusted sites | 64-bit Windows 10 Enterprise version 1709 or later, Windows 10 Pro version 1803 or later | Hyper-V and CPU virtualization extensions; not supported in VMs or VDI |
Why Minerva Cares About “Windows Defender” Names
Minerva Labs’ Anti-Evasion Platform stops threats that bypass other technologies, including traditional and “next-gen” antivirus. We do this without overlapping with the existing endpoint security approaches, since Minerva’s unique capability is to deceive malware in a way that causes it to disarm itself. We work alongside other endpoint security approaches, be they Windows Defender Antivirus and related measures or Endpoint Protection Platforms (EPP) solutions. I found it helpful to explain to customers the nature of security mechanisms they can obtain from Microsoft, so I can clarify the gap that our solution covers on the endpoint.