Is Windows Defender Mature Enough to Replace Third-Party Anti-virus/Anti-malware?

Think you already know everything you need to know about Windows Defender Antivirus versus third-party solutions? If you haven’t heard what Sami Laiho has to say, then I suggest you read on just to be 100% certain.

Sami is an elite global cybersecurity speaker and author. He provided a very interesting take in a recent webinar, Get Smart on Windows 10 Application Security. (View the full webinar here.)

The Young Adulthood of Windows Defender

When Windows Defender was first released in 2006, Microsoft described it as “not great, but better than nothing.” I’m paraphrasing, but was the essence of their message at launch.

Microsoft told corporate customers not to abandon third-party anti-malware solutions in favor of Windows Defender. (Note: I’m using "anti-malware" even though the official name is “Windows Defender Antivirus” because viruses are a subset of malware.)

In the past dozen years, businesses’ need for comprehensive cybersecurity has skyrocketed. In response, Microsoft has continued to improve Windows Defender. As IT pros roll out Windows 10, they are re-evaluating their need for third-party anti-malware.

Is Windows Defender Grown Up Enough?

Instead of being coy, I’ll tell you flat out: Yes, Windows Defender is good enough to replace third-party anti-malware in most businesses, regardless of size. This does not mean it’s the right choice for every business, but it’s a viable option.

Now let’s talk about why! The logic is not very intuitive, so I’ll break it down. It starts with this premise:

Traditional anti-malware software—whether Windows Defender or third party—cannot be your primary endpoint protection anymore.

For many years, traditional anti-malware software was the backbone of Windows application security. At the core of these technologies is an engine that looks for software on your system—both on disk and in memory—that matches patterns of malware. The search for malware can be more sophisticated than just matching patterns, but that’s historically been the heart of it.

The patterns are stored in a definition file. You can think of it as a catalog of data used to identify malware. That definition file is frequently updated and distributed to all endpoints.

You are probably aware of more advanced anti-malware solutions that use things like real-time telemetry, cloud databases and artificial intelligence. One example of these is Microsoft Advanced Threat Protection (ATP), though many third-party solutions compete here, too. This blog references only traditional anti-malware engines, where Windows Defender competes.

If you suggest using Windows Defender, some IT pros may argue, “Third-party anti-malware solutions catch 99% of malware, and Windows Defender only catches around 94%. So why would I use Windows Defender?” While the exact numbers may vary, nobody disputes that third-party engines catch more malware than Windows Defender.

This is where it gets interesting …

All the major anti-malware providers find more than 1,000,000 new malware samples every day.

Whoa, what!? Yes, it’s right here on Sami’s slide from the webinar.

So, even at 99% coverage, an antimalware engine is missing more than 10,000 different pieces of malicious software every day. That’s a lot of pieces of badness flying under your radar daily. It only takes one to compromise your organization.

To make your company’s applications totally secure, you have to take additional measures. These start with using other Windows 10 security features such as whitelisting, exploit protection and many others. You may want to deploy other types of third-party security software (beyond anti-malware). Plus, you’ll need to apply myriad best practices throughout your organization.

In the context of this bigger picture, Windows Defender makes sense:

What’s the Catch?

Windows Defender’s biggest disadvantage is that it does not have a centralized logging and alerting system. This can, however, be mitigated in several different ways:

Log Forwarding

For organizations that don’t have an advanced solution for managing centralized logging and alerting from Windows Defender, log forwarding is a viable option. Log forwarding was originally released as part of Windows Vista, so it’s been around for a while.

Basically, you could allocate a centralized server for alerting and management with Windows Defender. Use group policy to forward events from every client to the central server. Create a task on the server that runs a PowerShell script to evaluate events, and send an email or take other action when alerting is merited.

Yes, Windows Defender Is All Grown Up

Windows Defender is a mature technology that is more than adult enough for your company to rely on. Even large enterprises can adopt it, though that doesn’t mean they should. Your organization’s technologies, challenges and processes are unique. Nobody can rightfully tell you “XYZ is the best anti-malware in all cases.”

That said, you can’t ignore Windows Defender anymore! It may make your life a little easier because it’s built into Windows. So, if you can make it work, it could free up some of the time you now spend managing anti-malware engines. Then you can use that time to work on the million other cybersecurity tasks on your list!