Use case of Defender ATP (in combination with Defender) vs other Antivirus products

  • Question

  • Hi everyone,

    I've just onboarded some test clients for Defender ATP and executed some shady macros and PowerShell scripts, and used Mimikatz.

    Mimikatz was immediately blocked by Defender and usage was also reported in ATP (along with other exploits). Great stuff!

    But is Windows Defender ATP only used for reporting and remediation, or do you guys see it as a full-blown AV product? It seems to me that it's more of an additional product instead of a main AV product, especially since you can't control scanning, exclusions, custom AV detection, etc., and it will only show up in the reporting instead of actively blocking it upon execution.

    We're looking to Windows Defender ATP to replace our current AV product, but I'm not convinced that we can do this based on the above information.

    Since Windows Defender ATP means we need to buy additional licenses, I don't think we can do this if we need to maintain our current contract with our AV vendor. Since Defender also has limited options to set, I'm not sure if Defender + Defender ATP would be a viable solution.

    What are your opinions on this?

    Regards,

    Sven

    Monday, January 30, 2017 3:45 PM

Answers

  • Windows Defender ATP is not an AV product and was built to run side-by-side with any AV product you might run. While it would detect most malware, you are right that it doesn't block it from running.

    Windows Defender ATP is a post-breach (or EDR) service designed to identify and help remediate attacks that AV and other security measures on the endpoint failed to stop, and as such it complements AV solutions. It provides you with both alerts on possible security breaches and tools to isolate machines, kill and quarantine files/processes, collect samples for sandbox analysis, and collect information snapshots from potentially affected machines.

    When deployed together with Windows Defender AV (the Microsoft AV solution), Windows Defender ATP will show the combined detections of both AV and ATP in the portal and light up additional response options, such as the option to ban files suspected as bad from the entire network with one click from the portal.

    Wednesday, February 1, 2017 11:22 PM

All replies

  • Hi Raviv,

    Thanks a lot for the quick and detailed feedback.

    Highly appreciated! This was the answer I was looking for.

    Thanks

    Thursday, February 2, 2017 6:54 AM