Ditching Cisco Antimalware for Windows Defender

[Dieselboy]

I was testing out SSL decryption and antivirus on my home firewall and Windows Defender (as well as MS Edge) was blocking the file. I hadnt seen it before.

I use Cisco AMP on the business machines. Is Defender a like-for-like replacement in 2021? My thought is that it is a brainless activity to purchase something to replace something else that is free and of the same quality. Is Defender the same quality?

I thought to post this here first and I'll research this and post back.

[deanwebb]

I see many of my customers using Windows Defender as a "good enough" measure that's also centrally manageable from other Windows Server tools being used to install and maintain endpoint software.

[Dieselboy]

So, after research it entirely looks like Defender is not just adequate, but GOOD and there are a number of components which make up the security features of Defender but also others like applocker that should be configured anyway. Ref: https://www.cyber.gov.au/acsc/view-all-content/guidance/operating-system-hardening

So far with Defender I have removed Cisco AMP and enabled cloud protection and MAPS/block at first sight and some other options which are visible in GPO (I checked the docs on those when I enabled them in the test OU GPO)

Refs:
https://techexpert.tips/windows/gpo-controlled-folder-access/
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide

Going to run with this for a bit and see how it goes.

[wintermute000]

If you pay for it, its actually magic quadrant leader and extend/embrace/extinguishes quite nicely into Azure / Sentinel etc.
These days you really do need a EDR i.e. behavioural AV.

[KDog]

Yeah as above. If you're a MS based stack (365, Azure, SP, Intune etc) then Defender with Advanced Threat Protection.

[Dieselboy]

We have marked Azure for prod in the near future but it's not set in stone.

Presently I have an on-prem AD env built on 2012. I've gone through docs and I have enabled a bunch of features that are not enabled by default and also hard set certain things on so they cant be turned off by a user. Seems to be working well for me.

There are more features with Azure but in terms of core Defender security features I need to re-check and make a table. I dont think it's a huge issue when you boil it down.

[heath]

We currently have Cisco Amp for anti-virus and Proofpoint for email protection.  We're a hybrid Azure (local AD synced to Azure) with 365, etc.  We're on A3 licensing, but we're also doing a trial of Teams Voice so have a handful of A5 trial licenses.  While we have the trial A5, I asked my system admin to give Defender, ATP, and the other A5 license tools a good look.  So far, he says he likes the Microsoft options better than Amp and Proofpoint.

[Dieselboy]

Win11 will apparently have all these options ON by default (hence why TPM is required for win11) but win10 has a lot of these options turned off by default, you just need to turn them on and once AMP is uninstalled, defender will enable itself.

Defender allows you to run Edge browser within a sort of container called application guard https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
just need to turn them on.

[wintermute000]

MS are gunning for their former partners hard in this space and unlike ye olde Microsoft they actually have good products this time round, throw in 365 / Azure and its Embrace Extend Extinguish in full flight

[deanwebb]

MS are gunning for their former partners hard in this space and unlike ye olde Microsoft they actually have good products this time round, throw in 365 / Azure and its Embrace Extend Extinguish in full flight

Yep. And it's why I don't buy personal AV anymore and why I see so many customers switching over to Defender - it's included with Windows and all the enterprise management tools are already built-in with it. Ticks all the boxes and has a lower price, so companies that want good and cheap go with it.

[icecream-guy]

If I remember correctly Win Defender had an allow all traffic outbound by default, allowing the compromised host to 'phone home', and didn't necessarily catch everything.  I've considered ditching my N360, but I am tied into the backups function that is included. N360 also has Android and iPhone apps to protect those phones as part of the license.   

[Dieselboy]

MS are gunning for their former partners hard in this space and unlike ye olde Microsoft they actually have good products this time round, throw in 365 / Azure and its Embrace Extend Extinguish in full flight

But then the next worry is just that: https://itbrief.com.au/story/how-microsoft-security-infrastructure-can-sink-a-business

[Dieselboy]

If I remember correctly Win Defender had an allow all traffic outbound by default, allowing the compromised host to 'phone home', and didn't necessarily catch everything.  I've considered ditching my N360, but I am tied into the backups function that is included. N360 also has Android and iPhone apps to protect those phones as part of the license.

Have you looked into Defender ATP? I came across something called "HIPS" - host-based intrusion prevention, and searching on that led me to ATP but that's as far as I could go because I dont have M365 licensing at the moment.

[deanwebb]

HIPS are very fun things to have, especially when they block all the other security agents that you're trying to run in the enterprise.