Ditching Cisco Antimalware for Windows Defender

Started by Dieselboy, July 05, 2021, 12:26:59 AM


Dieselboy

I was testing out SSL decryption and antivirus on my home firewall and Windows Defender (as well as MS Edge) was blocking the file. I hadn't seen it before.

I use Cisco AMP on the business machines. Is Defender a like-for-like replacement in 2021? My thought is that it is a brainless activity to purchase something to replace something else that is free and of the same quality. Is Defender the same quality?

I thought to post this here first and I'll research this and post back.

deanwebb

I see many of my customers using Windows Defender as a "good enough" measure that's also centrally manageable from other Windows Server tools being used to install and maintain endpoint software.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

So, after research it entirely looks like Defender is not just adequate, but GOOD, and there are a number of components which make up the security features of Defender but also others like AppLocker that should be configured anyway. Ref: https://www.cyber.gov.au/acsc/view-all-content/guidance/operating-system-hardening

So far with Defender I have removed Cisco AMP and enabled cloud protection and MAPS/block at first sight and some other options which are visible in GPO (I checked the docs on those when I enabled them in the test OU GPO).

Refs:
https://techexpert.tips/windows/gpo-controlled-folder-access/
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide

Going to run with this for a bit and see how it goes.

wintermute000

If you pay for it, it's actually a Magic Quadrant leader and extend/embrace/extinguishes quite nicely into Azure / Sentinel etc.
These days you really do need an EDR, i.e. behavioural AV.

KDog

Yeah as above. If you're a MS based stack (365, Azure, SP, Intune etc) then Defender with Advanced Threat Protection.
Never argue with an idiot.
They will bring you down to their level and beat you with experience.

Dieselboy

We have marked Azure for prod in the near future but it's not set in stone.

Presently I have an on-prem AD env built on 2012. I've gone through docs and I have enabled a bunch of features that are not enabled by default and also hard set certain things on so they can't be turned off by a user. Seems to be working well for me.

There are more features with Azure but in terms of core Defender security features I need to re-check and make a table. I don't think it's a huge issue when you boil it down.

heath

We currently have Cisco Amp for anti-virus and Proofpoint for email protection.  We're a hybrid Azure (local AD synced to Azure) with 365, etc.  We're on A3 licensing, but we're also doing a trial of Teams Voice so have a handful of A5 trial licenses.  While we have the trial A5, I asked my system admin to give Defender, ATP, and the other A5 license tools a good look.  So far, he says he likes the Microsoft options better than Amp and Proofpoint.

Dieselboy

Win11 will apparently have all these options ON by default (hence why TPM is required for Win11) but Win10 has a lot of these options turned off by default; you just need to turn them on, and once AMP is uninstalled, Defender will enable itself.

Defender allows you to run the Edge browser within a sort of container called Application Guard: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
You just need to turn them on.
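To check the settings the two posts above talk about (cloud protection, MAPS, block at first sight, controlled folder access, and whether Defender has actually taken over as the active engine after AMP is removed), here is an added read-only audit script; it is not from this thread or from Microsoft, and it assumes Windows 10 1709 or later with the built-in Defender PowerShell cmdlets, and that the policy-driven values are the ones described in the linked docs.

```powershell
# Added example (not from the thread): audit the Defender settings the posts above
# enable via GPO and confirm Defender is the active engine. Read-only.
function Test-DefenderBaseline {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # After a third-party AV such as Cisco AMP is uninstalled, Defender should leave
    # passive mode and report 'Normal' (property exists on newer builds only).
    if ($status.PSObject.Properties['AMRunningMode'] -and $status.AMRunningMode -ne 'Normal') {
        $findings += "Running mode is '$($status.AMRunningMode)', expected 'Normal'"
    }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    # Tamper protection is what stops a local user (or malware) switching these back off.
    if (-not $status.IsTamperProtected) { $findings += 'Tamper protection is off' }

    # Cloud-delivered protection: MAPSReporting 2 = Advanced, required for block at first sight.
    if ($pref.MAPSReporting -ne 2) {
        $findings += "MAPSReporting is $($pref.MAPSReporting), expected 2 (Advanced)"
    }
    # Block at first sight also needs sample submission (1 = safe samples, 3 = all samples).
    if ($pref.SubmitSamplesConsent -notin 1, 3) {
        $findings += "SubmitSamplesConsent is $($pref.SubmitSamplesConsent); need 1 or 3"
    }
    if ($pref.DisableBlockAtFirstSeen) { $findings += 'Block at first sight is disabled' }
    # Controlled folder access (the GPO article linked above): 1 = Block, 2 = Audit only.
    if ($pref.EnableControlledFolderAccess -ne 1) {
        $findings += "Controlled folder access is $($pref.EnableControlledFolderAccess), expected 1 (Block)"
    }
    # Potentially unwanted application protection: 1 = Block.
    if ($pref.PUAProtection -ne 1) { $findings += 'PUA protection is not set to Block' }

    [pscustomobject]@{
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
        SignatureUpdated  = $status.AntivirusSignatureLastUpdated
    }
}

Test-DefenderBaseline | Format-List
```

Run it on a machine in the test OU before and after the GPO applies; a non-empty Findings list tells you which policy setting did not land.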

wintermute000

MS are gunning for their former partners hard in this space and, unlike ye olde Microsoft, they actually have good products this time round; throw in 365 / Azure and it's Embrace Extend Extinguish in full flight.

deanwebb

Quote from: wintermute000 on August 13, 2021, 08:25:01 AM
MS are gunning for their former partners hard in this space and, unlike ye olde Microsoft, they actually have good products this time round; throw in 365 / Azure and it's Embrace Extend Extinguish in full flight.

Yep. And it's why I don't buy personal AV anymore and why I see so many customers switching over to Defender - it's included with Windows and all the enterprise management tools are already built-in with it. Ticks all the boxes and has a lower price, so companies that want good and cheap go with it.

icecream-guy

If I remember correctly Win Defender had an allow all traffic outbound by default, allowing the compromised host to 'phone home', and didn't necessarily catch everything.  I've considered ditching my N360, but I am tied into the backups function that is included. N360 also has Android and iPhone apps to protect those phones as part of the license.   

My Moral Fibers have been cut.

Dieselboy

Quote from: wintermute000 on August 13, 2021, 08:25:01 AM
MS are gunning for their former partners hard in this space and, unlike ye olde Microsoft, they actually have good products this time round; throw in 365 / Azure and it's Embrace Extend Extinguish in full flight.

But then the next worry is just that: https://itbrief.com.au/story/how-microsoft-security-infrastructure-can-sink-a-business

Dieselboy

Quote from: icecream-guy on August 15, 2021, 06:18:59 AM
If I remember correctly Win Defender had an allow all traffic outbound by default, allowing the compromised host to 'phone home', and didn't necessarily catch everything.  I've considered ditching my N360, but I am tied into the backups function that is included. N360 also has Android and iPhone apps to protect those phones as part of the license.

Have you looked into Defender ATP? I came across something called "HIPS" (host-based intrusion prevention), and searching on that led me to ATP, but that's as far as I could go because I don't have M365 licensing at the moment.

deanwebb

HIPS are very fun things to have, especially when they block all the other security agents that you're trying to run in the enterprise.