Windows Defender updates are packaged just like regular Windows updates; the only difference is that there are multiple of them each day, but if you only sync WSUS once per day you will always be a bit out of date.
Realistically if you are using a 3rd party AV you can probably turn these updates off, or you could have WSUS sync more often and just have a rule to auto release defender updates (think WSUS can do this, been a while since I used it though).
Actually, we could manage the update sources of Windows Defender. We could set the scan sources and the scan order using GPO. Just remove the InternalDefinitionUpdateServer from the list so it gets updates from the internet directly.
We are attempting to implement posturing for end users' personal devices so they can access the AnyConnect VPN. One of the requirements we have is to check for up-to-date anti-malware definitions on the end user's device.
However, in our testing we have found that some devices have their own anti-malware such as Avast installed; this stops the Windows Defender definitions from being updated and causes the problem that the posture module reports it as being out of date.
Cylance disables Windows Defender, and the definition check fails for it. I created a new AM condition (Policy > Policy Elements > Conditions > Posture > Anti-Malware Condition) for vendor Cylance, ANY, ANY, Yes. I then added a second condition to my Any_AM_Definition_Win requirement (Policy > Policy Elements > Results > Posture > Requirements) with "any selected condition succeeds" and the user is now compliant.
@Cristian Matei, I cannot kill the Windows Defender processes as it is not running on my machine, but it is installed and as far as I am aware there is no way to remove it without a lot of effort. The whole idea of the solution as we envisaged it would be to make sure there is an anti-malware product installed and up to date with no care for the vendor that is being used.
@hslai, we are using these pre-built conditions; the problem is that the posture assessment detects both Windows Defender and the user's own installed anti-malware software such as Avast, Symantec etc. However, when these are installed they disable updates for Windows Defender somehow, and this stops the updates from being applied and leaves the definitions out of date.
Today we're going to talk about the best (and worst) methods for Windows Defender definition/intelligence updates and how to configure them. This post from SwiftOnSecurity got me thinking about the way we handle our fallback for definition/intelligence updates, and while I was originally planning on a broader coverage of things like exclusions and other policy settings, this article alone started getting way too long :)
As the above tweet indicates, ConfigMgr is definitely not the best update tool for Windows Defender. We've traditionally used Windows Update as the primary update source and then relied on ConfigMgr/WSUS as fallback methods. While this works, it's pretty terrible because the following has to happen:
First, ConfigMgr tells WSUS to sync with Windows Update, then it approves the definition update, then it downloads the definition update, which means a new revision of the package that now needs to be replicated out to the distribution points. Once the agents on your clients check in and figure out there are updates available, they download the package to the client, kick off the install, and then the agent at some point reports back to ConfigMgr that updates have completed. To make this work effectively, Update Synchronization, the Automatic Deployment Rule, and agent check-in must all be very frequent (plus dealing with timing windows), and then you end up looking like this:
There are 5 update sources available for Definition / Intelligence Updates: Microsoft Update, UNC file shares, WSUS, Configuration Manager, MS Malware Protection Center. That's actually the order of precedence that I use, and while everyone's situation may be different, I think it is helpful to define how each works, when and where we would rely on each, and why. For even more details on these, you can check the docs here: Sources for Defender AV
First up, we have Microsoft Update which has some common misconceptions around it. Many engineers do not choose this option because they are concerned about the network impact, but it's actually far more minimal than you would think. In addition to this, these updates are available outside of your network without having to expose systems to the Internet or tunnel clients back in. This is imperative in our modern "work from anywhere" architecture.
Since the agent knows the update version installed, it only pulls a small delta between the latest version and the version installed. The more frequently you update, the smaller these deltas are, and on average, my deltas have been around 250K per client. Scaled out to 10K machines, we're looking at 2.4GB of data per hour assuming all checked in and pulled down the content. I recommend setting clients to update definitions every 1 hour.
If bandwidth is truly a concern, we can look at UNC shares, which not only reduce WAN bandwidth but can also reduce processing time on your endpoints. Essentially, we have a script running on a file server that downloads the latest definitions once and processes them, and the client can then consume these updates without having to do the processing or hit the WAN. To scale, you can use DFS or simply add multiple UNC shares to the policy.
Microsoft has a great document on setting up UNC shares specifically geared toward VDI which I feel is a disservice to this method as it works extremely well for both virtual and non-virtual infrastructure (endpoints): Deployment Guide for Defender AV in VDI
I have loosely based the following content off this document with a few improvements. This method uses a scheduled task to download updates, and it's best practice to use a limited user account to run this. Here's how to set up a gMSA (requires RSAT AD PS modules on the file server), but you could alternatively use a limited service account.
Next, we need to create a share to host the files on and set permissions so that EVERYONE can read (share permission) and only the gMSA can modify (NTFS permissions). For the NTFS permissions, you will need to select Domain as the search location and enable Service Accounts under Object Types, search for the gMSA, and then give it Modify permissions:
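Putting the precedence from the list above and the new file share together on a client, as an added example that is not from the original post (the share paths are assumptions; replace them with your DFS path or the shares you just created):

```powershell
# Added example (not the post's own script): apply the update-source order the post
# recommends and read it back. Run in an elevated PowerShell on a Defender client.
# Note: a GPO setting for the same preference overrides whatever is set here.

# Precedence from the post: Microsoft Update, UNC file shares, WSUS/ConfigMgr
# (both are "InternalDefinitionUpdateServer"), then MMPC as the last fallback.
# Dropping InternalDefinitionUpdateServer from this string removes WSUS/ConfigMgr
# as a source entirely, which is the GPO trick mentioned in the thread above.
$fallbackOrder = 'MicrosoftUpdateServer|FileShares|InternalDefinitionUpdateServer|MMPC'

# Assumed share names for illustration; pipe-separate as many as you need.
$shares = '\\fs01.corp.example\DefenderDefs|\\fs02.corp.example\DefenderDefs'

Set-MpPreference -SignatureFallbackOrder $fallbackOrder
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $shares
Set-MpPreference -SignatureUpdateInterval 1   # hours; the post's recommendation

function Test-DefenderUpdateConfig {
    # Read the effective preference and signature state back, so a misapplied
    # policy or a stale client shows up in one object instead of three cmdlets.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        FallbackOrder    = $pref.SignatureFallbackOrder
        FileShareSources = $pref.SignatureDefinitionUpdateFileSharesSources
        IntervalHours    = $pref.SignatureUpdateInterval
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        OrderApplied     = ($pref.SignatureFallbackOrder -eq $fallbackOrder)
    }
}

# Force one update now, walking the configured fallback order, then show the result.
Update-MpSignature
Test-DefenderUpdateConfig | Format-List
```

A SignatureAgeDays above 0 after the forced update means none of the configured sources answered, so check share permissions and the Microsoft Update path before blaming the posture module.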
In any case, WSUS and Configuration Manager both have the same issue of availability, but they're worse in the syncing windows and having to maintain the WSUS database. For now, I'm leaving these as fallback options, but as we move more workloads into Intune, I think we'll be spinning these down over the summer.
The last option is to use the Malware Protection Center as a fallback, but by default, the agent only checks in after being out of date for more than 14 days. While you can change this, I don't think it's worth it, and I'll rely on Microsoft Update and the new file share method.
If you work in K12 or higher ed, we'd love for you to join us on the OpsecEdu Slack. If you have any questions, please feel free to hit me up on Twitter or request an invite to the Slack channel by sending an email to [email protected] using your work email.
For some reason today, Windows has continued to download the latest security definitions each time an update is searched for. This has resulted in Windows downloading the same definitions every few minutes, since these updates are normally hours apart. The only thing I ran was an FRST script at 2:40am, but this seems to have been occurring before that.
Windows Defender updates (or Microsoft Defender updates) are the regular updates released by Microsoft to keep the software up to date with the latest features and to keep bugs at bay. These updates are crucial in keeping your endpoints protected and improving the functionalities and user experience.
Owing to the exponential increase in vulnerabilities and ransomware attacks, data security in today's world is a must. 2023 witnessed a massive rise in the number of vulnerabilities - over 29,000. This alarming spike in vulnerabilities and malware resonates with the glaring need to be on top of your system's security. The prerequisites to fortify the network against such attacks are to update Windows Defender and to timely patch the vulnerabilities.
Microsoft Defender (formerly Windows Defender) is an anti-malware tool by Microsoft that protects your endpoints from data theft, viruses, malware, and so on. Furthermore, it serves to protect your systems by scanning for spyware and unauthorized software and removing them from the systems. Initially, Windows Defender was launched with the Windows Vista installation pack but is now available as a free download with Microsoft Security Essentials.
That being said, it is imperative to update Windows Defender regularly to ensure that the systems have the latest security updates and features to fend off malware, spyware, and other software that can pose a security risk.
If you're a Microsoft 365 Family or Personal user, the good news is that Microsoft Defender (formerly Windows Defender) is already available as a part of it, without any extra subscription fee. To download the Windows Defender updates, you can follow any of the methods below:
With a patch management tool like Patch Manager Plus you can easily automate the Windows Defender update across your systems and keep track of the latest security intelligence updates that are released now and then. By leveraging the Automate Patch Deployment (APD) functionality in Patch Manager Plus, you can devise and schedule policies and windows so that the Windows Defender update downloads automatically.