KnowBe4 Security Awareness Training Blog

Why Is Windows Defender The World's No. 1 Antivirus With More Than Half A Billion EndPoints?

Written by Stu Sjouwerman | Aug 3, 2019 3:16:31 PM
Having been inside the AntiVirus software industry for quite a while, and building an AV tool from the ground up, when I saw Redmond start acquiring several small AV companies in 2008 and 2009 I knew the writing was on the wall: AV will be free and part of the OS.
 
Over the last few years I have been saying more and more frequently that upgrading to Win10 and using Defender is a perfectly acceptable endpoint security strategy. No longer spending money on third party AV frees up your budget for the last line of defense you actually need: new-school security awareness training.
 
Microsoft Is Uniquely Positioned To Deliver The No. 1 Antivirus
 
You may not know this, but Defender is now the largest AV in the world: it is the primary AV on more than half a billion devices. Having that many machines as sensors gives it a huge advantage, and Microsoft argues that its use of hardened machine-learning detection models succeeds where other antivirus products fail. Redmond's "monotonic" machine learning model is resistant to attackers who try to confuse the model with so-called "clean" signals.
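To make the "monotonic" idea concrete, here is an added toy illustration (not Microsoft's model, features or code): a linear scorer whose weights may be negative can be pushed below the alert threshold by adding benign-looking features to a malicious sample, while a scorer constrained to non-negative weights cannot, because no feature is ever allowed to lower the score. Real monotonic models (for example, constrained gradient-boosted trees) enforce the same property in a richer way; the feature names, weights, bias and threshold below are constructed for the example.

```python
import math

# Constructed toy signals. 1 = signal present. These are NOT Microsoft's features.
MALICIOUS_SIGNALS = {"wmic_remote_format", "unsigned_dropper", "lives_off_the_land"}
CLEAN_SIGNALS = {"has_valid_signature", "has_version_info", "has_eula_text"}

# Hypothetical weights an unconstrained linear model might learn: benign-looking
# features carry negative weight, so they pull the score down when present.
UNCONSTRAINED_WEIGHTS = {
    "wmic_remote_format": 2.5,
    "unsigned_dropper": 1.5,
    "lives_off_the_land": 1.0,
    "has_valid_signature": -2.0,
    "has_version_info": -1.0,
    "has_eula_text": -1.0,
}

# Monotonic variant: every weight is clamped to >= 0, so any feature can only
# raise the score. Benign prior belief lives in the bias, not in the features.
MONOTONIC_WEIGHTS = {name: max(0.0, w) for name, w in UNCONSTRAINED_WEIGHTS.items()}

BIAS = -2.0        # constructed: default lean towards "clean"
THRESHOLD = 0.5    # constructed: alert when P(malicious) >= 0.5


def score(features, weights, bias=BIAS):
    """Logistic score of a sample given its present feature names."""
    z = bias + sum(weights.get(f, 0.0) for f in features)
    return 1.0 / (1.0 + math.exp(-z))


def is_malicious(features, weights):
    return score(features, weights) >= THRESHOLD


def padding_attack_succeeds(weights):
    """True if adding clean-looking signals flips a malicious sample to 'clean'."""
    base = set(MALICIOUS_SIGNALS)
    padded = base | CLEAN_SIGNALS
    return is_malicious(base, weights) and not is_malicious(padded, weights)


if __name__ == "__main__":
    for label, w in (("unconstrained", UNCONSTRAINED_WEIGHTS), ("monotonic", MONOTONIC_WEIGHTS)):
        print(f"{label:13s} padding flips verdict: {padding_attack_succeeds(w)}")
```

With the constructed weights the unconstrained model scores the bare malicious sample at about 0.95 but the padded one at about 0.27, so the verdict flips; the monotonic model scores both at 0.95, because the padding features contribute nothing.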
 
Here is one example. In June, Defender blocked Astaroth fileless malware that was trying to evade detection by using built-in Windows infrastructure such as the Windows Management Instrumentation Command-line (WMIC). Another strong technology is Defender's "runtime attestation" feature, which can block kernel-based token-swap attacks, in which a process is made to run under another user account's security context.
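Defenders who do not have Defender's telemetry can still look for the same living-off-the-land pattern in their own process-creation logs. The script below is an added example, not Microsoft's detection logic or anything from the post: it applies two heuristics that are assumptions on my part (a publicly documented WMIC abuse is loading a formatting stylesheet via `/format` from a remote URL or an `.xsl` file, and WMIC being launched by a script host or Office application is rare in normal administration) to constructed sample events. Field names, paths and the `example.invalid` URL are all constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed shape of a process-creation record (parent, image, command line)."""
    parent_image: str
    image: str
    command_line: str


# Heuristic 1 (assumption): wmic.exe told to load a /format stylesheet from a
# remote URL or from an .xsl file instead of one of the built-in formats.
REMOTE_FORMAT = re.compile(r'/format\s*[:=]\s*"?(https?://|[^\s"]+\.xsl)', re.IGNORECASE)

# Heuristic 2 (assumption): parents that rarely have a legitimate reason to run wmic.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wmic_findings(event: ProcessEvent) -> list:
    """Return the list of heuristic names that fire for one event (empty if none)."""
    findings = []
    if _basename(event.image) != "wmic.exe":
        return findings
    if REMOTE_FORMAT.search(event.command_line):
        findings.append("wmic_remote_format")
    parent = _basename(event.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"wmic_spawned_by_{parent}")
    return findings


def triage(events) -> list:
    """Pair each suspicious command line with the heuristics it triggered."""
    return [(e.command_line, f) for e in events if (f := wmic_findings(e))]


# Constructed sample events: one benign admin query, two suspicious invocations,
# and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic os get caption"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\wbem\wmic.exe",
                 'wmic os get /format:"https://example.invalid/style.xsl"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
                 'wmic process list /format:"C:\\Users\\Public\\list.xsl"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe"),
]

if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_EVENTS):
        print(f"{why}: {cmd}")
```

The two heuristics are deliberately narrow so they stay cheap to run and easy to tune; in a real deployment you would baseline which parents legitimately launch WMIC in your environment before alerting on the second rule.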
 
Windows Defender Now Also Has A Target On Its Back
 
Tanmay Ganacharya, general manager of Microsoft ATP security research, told ZDNet: "Windows Defender is protecting more than 50% of the Windows ecosystem, so we're a big target, and everyone wants to evade us to get the maximum number of victims. We've predicted this is going to happen, and this is why we invested in this before it happened."

For instance, the new TrickBot version focuses on defeating Defender. You can count on Redmond being all over this and working in close to real-time to block that malware.

Three Threats That Are Not Solved Yet

There are some dangers that Ganacharya said are lurking around the corner. A main worry is state-backed actors like China, Russia, Iran and North Korea that have zero day exploits they can use to get into systems. The other two are supply-chain attacks—the Target hack being a good example—and of course phishing.

"Supply-chain attacks are also a really great way to attack because you're leveraging trusted channels already established in customers' networks to deliver your payload from. I don't think we're past the rise of the supply-chain attack," said Ganacharya. 

And the one style of attack that isn't going away any time soon is phishing, which Ganacharya notes is useful when exploitation becomes hard. 

Free AV Software Argues For Security Awareness Training

As Win10 guru Ed Tittel said: "'Good Enough' Free AV Software Argues For Security Awareness Training." He makes the point that you can rely on Defender and do not have to spend budget on commercial AV. Are you going to upgrade to Windows 10, rely on Defender and use your AV budget for new-school security awareness training?

Find out how affordable new-school security awareness training is for your organization. Get a quote now.