Dynamic Signature Svc
Microsoft Malware
Protection Center
MANAGEMENT
ANTIMALWARE
Software
Updates +
SCUP
Endpoint
Protection
Management
Settings
Operating System Software
Management
Deployment Distribution
Windows
Behavior Dynamic Vulnerability
Cloud clean
Antimalware
Defender
Monitoring Translation Shielding
restore
Offline
PLATFORM
Internet
Explorer
AppLocker
Windows
Resource
Protection
Available only in Windows 8
MDM
ELAM &
Measured
Boot
Address Space
Data
User Access
Layout
BitLocker
Execution
Control
Prevention Randomization
Early Launch
Secure Boot
Antimalware Measured Boot
through UEFI
(ELAM)
Software Updates
Simplified
Administration
Real time Endpoint Protection operations from console
Malware-driven operations from the console
Client-side merge of antimalware policies
Simplified, 3X delivery of definitions through software updates
Single administrator
experience for simplified
endpoint protection and
management
Integrated optimizations for Windows Embedded clients
New and improved Endpoint Protection client
Hierarchy (Forest1)
Hierarchy (Forest2)
PRIMARY SITE
Software
Update Point 2
Software
Update Point 1
Software
Update Point 3
Client
Client
Client.Forest1
Client.Forest2
Software
Update Point 4
Enhanced Protection
Common antimalware platform across Microsoft AM clients
Proactive protection against known and unknown threats
Integration with UEFI Trusted Boot, early-launch antimalware
Protect against known and
unknown threats with
endpoint inspection at
behavior, application, and
network levels
Reduced complexity while protecting clients
Diagnostics and
Recovery
Toolkit
Windows
Defender
Offline
Policy
ConfigMgr
Status
Samples, Telemetry, DSS
Events
Updates
Engine and
Definitions
Live system monitoring identifies
new threats
RESEARCHERS
REAL-TIME
SIGNATURE
DELIVERY
BEHAVIOR
CLASSIFIERS
REPUTATION
 Tracks behavior of unknown
processes and known bad processes
 Multiple sensors to detect
OS anomaly
Microsoft Active
Protection Service
Updates for new threats delivered
through the cloud in real time
 Real time signature delivery with
Microsoft Active Protection Service
 Immediate protection against
new threats without waiting for
scheduled updates
Properties/
Behavior
1
Sample
request
2
Sample
submit
Real-time
signature
3
4
Industry-leading
proactive detection
 Emulation based detection
helps provide better protection
 Safe translation in a virtual
environment for analysis
Potential
Malware
Execution attempt
on the system
Real Time
Protection
Driver
Intercepts
Safe
Translation
Using DT
Malware
Detected
Malicious
File Blocked
Enables faster scanning
and response to threats
 Heuristics enable one signature
to detect thousands of variants
VIRTUALIZED
RESOURCES
Advanced system file cleaning
through replacement
 Replaces infected system files with
clean versions from a cloud source.
 Uses a trusted Microsoft cloud source
for the replacement file
 Restart requirements orchestrated on
system and wired to client UI (for in
use file replacement).
Microsoft Symbol Store
Request new
file
2
1
System file
compromise
detected
(RTP or scan)
Download
replacement
file
3
4
Compromised
file replaced
Windows 7
BIOS
OS Loader
(Malware)
3rd Party Drivers
(Malware)
Anti-Malware
Software Start
Windows Logon
• Malware is able to boot before Windows and Anti-malware
• Malware able to hide and remain undetected
• Systems can be compromised before AM starts
Windows 8
Native UEFI
Windows 8
OS Loader
Anti-Malware
Software Start
3rd Party Drivers
Windows Logon
• Secure Boot loads Anti-Malware early in the boot process
• Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd party boot drivers
• Malware can no longer bypass AM inspection
Windows 7
BIOS
MBR & Boot
Sector
OS Loader
Kernel
Initialization
3rd Party
Drivers
Anti-Malware
Software Start
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned
Windows 8
UEFI
•
•
•
•
Windows 8
OS Loader
Windows
Kernel &
Drivers
Anti-Malware
Software
3rd Party
Drivers
Measures all boot components
Measurements are stored in a Trusted Platform Module (TPM)
Remote attestation, if available, can evaluate client state
Enabled when TPM is present. BitLocker not required
Remote
Attestation
Secure Boot
prevents
malicious OS
loader
UEFI Boot
Measurements of components
including AM software are Client retrieves TPM
stored in the TPM
measurements of client
Boot Policy
1
TPM
3
Windows
OS Loader
AM Policy
Windows Kernel
and Drivers
AM Software
Client provides
attempts Client
to access
Health
Claim.
Server
resource.
Server
requests
reviews
and grants
Client Health
Claim.access
to healthy clients.
Remote Resource
(File
(Fie Server)
5
2
AM software is
started before
all 3rd party
software
and sends it to Remote
Attestation Service
7
4
3rd Party
Software
Windows Logon
Client
6
Client Health
Claim
Remote Attestation
Service issues Client
Health Claim to Client
Remote Attestation
Service
Simple interface
 Minimal, high-level
user interactions
Administrative Control
 User configurability options
 Central policy enforcement
 UI Lockdown and disable
Maintains high productivity
 CPU throttling during scans
 Faster scans through
advanced caching
Minimal network and client
impact of definition updates
Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD
Operating System Deployment and Endpoint Protection Client Installation
Software Update Content Cleanup in System Center 2012 Configuration Manager
Building Custom Endpoint Protection Reports in System Center 2012 Configuration
Manager
Managing Software Updates in Configuration Manager 2012
Endpoint Protection by the numbers
Group Policy Preferences and Software Updates
Software Update Points in Configuration Manager 2012 SP1
How-to-Videos
Product Documentation
Security and Compliance Manager – Configuration Packs