In today’s Ask the Admin, I’ll discuss whether it’s necessary to use third-party antimalware in Windows 10 and Windows Server 2016 on your company’s PCs.
One of my responsibilities when I started out in IT was managing antivirus on PCs. At that time, there was no built-in antimalware solution in Windows and antivirus usually meant software from Symantec or McAfee. One of our clients had an email gateway that was effective at quarantining viruses. But it was common for PCs to be infected, despite the presence of AV, because in those days AV was bad at detecting zero-day threats.
Move on 18 years, the threat landscape has changed beyond recognition but so has the effectiveness of AV. Windows now has built-in AV in the form of Windows Defender. It sometimes gets a bad rap for being less effective at detecting viruses than the competition and that seems to stack up. According to AV-Test, which is an independent anti-virus research firm, Windows Defender generally performs slightly worse than the best of the competition. For example, in October 2017 Windows Defender detected 96.3 percent of malicious zero-day samples but McAfee Internet Security detected 100 percent. In September 2017, Windows Defender scored 100 percent.
Defender really fell in the number of false positives. It clocked up 21 false positives when scanning the system for malware from a sample size of 1,425,641. In comparison, McAfee didn’t come up with any false positives. But Defender was able to detect most real threats. Defender also falls down slightly in detecting samples that have been known for the past 4 weeks, scoring 99.9 percent in October compared to McAfee’s 100 percent.
In AV Comparatives real-world tests for July to November 2017, out of 1769 test cases used, Defender blocked 1754, Symantec 1765, and McAfee 1749. In the wrongly blocked domains/files test, Defender does badly. It received the second to lowest score of all the products tested. Only F-Secure managed to do even worse. Defender is far from being the worst product overall and sometimes performs better than mature products in the market.
Microsoft could clearly up its game with Windows Defender but bear in mind that the figures provided by AV-Test and others are for the consumer version of Windows Defender. Businesses that have Windows 10 Enterprise E5 licenses can benefit from Windows Defender Advanced Threat Protection (ATP). It is designed to better detect attacks and zero-day exploits using Machine Learning and it includes centralized management. Windows Defender ATP is a post-breach solution that uses sensors to detect unusual behavior. Features in Windows Defender provide pre-breach detection, like Windows Defender Exploit Guard and Application Guard. You can read more about Exploit Guard on Petri here: Windows Defender Exploit Guard Replaces EMET in Fall Creators Update.
I couldn’t find any data to show how Windows ATP compares to other Internet security suites. So, it’s hard to say how it performs compared to more established products. However performance aside, as an integrated solution, Windows Defender ATP does have advantages in terms of management.
Other improvements in the Windows 10 Fall Creators Update (FCU) make Windows Defender what you could call a complete Internet security suite. There are also other security reasons to use Windows 10 Enterprise, such as Credential Guard, which protects sensitive domain credentials with the help of virtualization.
I advocate a defense-in-depth approach to desktop security, where endpoint firewall, application control, removal of administrative privileges, and antimalware are used together. I believe this is the only was to properly secure Windows. If this is the approach you take, then I recommend Windows Defender or Windows Defender ATP as the go-to solution. If your line of defense is less than ideal, then you might consider using a third-party enterprise security suite to help plug some of those holes.
Windows Server 2016 has Windows Defender out-of-the-box and because users don’t log in to servers interactively, servers are less likely to be directly exposed to malware. That doesn’t mean they are immune. Nevertheless, it’s my preference to not use AV on servers unless there’s a specific threat that might deem it necessary. AV can also cause operational issues, like definition updates quarantining critical system files or app failures when real-time protection is enabled.
So, weigh up the risks against potential issues. Also, consider whether you are following server security best practices, like using privileged access workstations to manage Active Directory (AD) and not using privileged AD accounts to manage users’ workstations. Read Managing Privileged Access to Active Directory on Petri to get more details on how to manage AD securely.