Building on Windows Platform security: MANAGEMENT + ANTIMALWARE PLATFORM
[Architecture slide; items recovered from the diagram]
Management: Software Updates + SCUP, Endpoint Protection Management, Settings Management, Operating System Deployment, Software Distribution, MDM
Antimalware platform: Windows Defender, Dynamic Signature Service, Microsoft Malware Protection Center, Dynamic Translation, Behavior Monitoring, Cloud clean restore, Vulnerability Shielding, Windows Defender Offline, Internet Explorer, AppLocker, Windows Resource Protection
Windows platform security: Address Space Layout Randomization, Data Execution Prevention, User Access Control, BitLocker, Early Launch Antimalware (ELAM), Measured Boot, Secure Boot through UEFI
Available only in Windows 8: ELAM & Measured Boot, Secure Boot through UEFI
Simplified Administration
• Real-time Endpoint Protection operations from the console
• Malware-driven operations from the console
• Client-side merge of antimalware policies
• Simplified, 3x delivery of definitions through software updates
• Single administrator experience for simplified endpoint protection and management
• Integrated optimizations for Windows Embedded clients
• New and improved Endpoint Protection client
[Diagram: a primary site with Software Update Points 1 through 4 serving clients in Hierarchy (Forest 1) and Hierarchy (Forest 2)]
Enhanced Protection
• Common antimalware platform across Microsoft AM clients
• Proactive protection against known and unknown threats
• Integration with UEFI Trusted Boot, early-launch antimalware
• Protect against known and unknown threats with endpoint inspection at the behavior, application, and network levels
• Reduced complexity while protecting clients
Diagnostics and Recovery Toolkit: Windows Defender Offline
[Diagram: Config Mgr exchanges policy and status with the client; samples, telemetry and DSS events flow from the client to the cloud service, and engine and definition updates flow back]
Live system monitoring identifies new threats
Researchers, real-time signature delivery, behavior classifiers, reputation
• Tracks behavior of unknown processes and known bad processes
• Multiple sensors to detect OS anomaly
Microsoft Active Protection Service: updates for new threats delivered through the cloud in real time
• Real-time signature delivery with Microsoft Active Protection Service
• Immediate protection against new threats without waiting for scheduled updates
Flow: 1 Properties/behavior, 2 Sample request, 3 Sample submit, 4 Real-time signature
Industry-leading proactive detection
• Emulation-based detection helps provide better protection
• Safe translation in a virtual environment for analysis
• Heuristics enable one signature to detect thousands of variants
Flow: potential malware execution attempt on the system -> Real Time Protection Driver intercepts -> safe translation using DT (Dynamic Translation) against virtualized resources -> malware detected -> malicious file blocked; enables faster scanning and response to threats
Advanced system file cleaning through replacement
• Replaces infected system files with clean versions from a cloud source
• Uses a trusted Microsoft cloud source (Microsoft Symbol Store) for the replacement file
• Restart requirements orchestrated on the system and wired to the client UI (for in-use file replacement)
Flow: 1 System file compromise detected (RTP or scan), 2 Request new file from Microsoft Symbol Store, 3 Download replacement file, 4 Compromised file replaced
Windows 7 boot: BIOS -> OS Loader (malware) -> 3rd party drivers (malware) -> anti-malware software start -> Windows logon
• Malware is able to boot before Windows and anti-malware
• Malware is able to hide and remain undetected
• Systems can be compromised before AM starts
Windows 8 boot: Native UEFI -> Windows 8 OS Loader -> anti-malware software start -> 3rd party drivers -> Windows logon
• Secure Boot loads anti-malware early in the boot process
• The Early Launch Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd party boot drivers
• Malware can no longer bypass AM inspection
Windows 7 (Measured Boot): BIOS -> MBR & boot sector -> OS Loader -> kernel initialization -> 3rd party drivers -> anti-malware software start
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned
Windows 8 (Measured Boot): UEFI -> Windows 8 OS Loader -> Windows kernel & drivers -> anti-malware software -> 3rd party drivers -> remote attestation
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when a TPM is present; BitLocker not required
Measured Boot with remote attestation (flow)
1 Secure Boot (UEFI boot policy) prevents a malicious OS loader from running
2 Measurements of the boot components, including the AM software, are stored in the TPM (Windows OS Loader, AM policy, Windows kernel and drivers, AM software, 3rd party software, Windows logon)
3 AM software is started before all 3rd party software
4 Client retrieves the measurements of the client stored in the TPM and sends them to the Remote Attestation Service
5 Remote Attestation Service issues a Client Health Claim to the Client
6 Client provides the Client Health Claim and attempts to access the Server resource (File Server)
7 Server reviews the Client Health Claim and grants access to healthy clients
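The attestation flow above, as an added Python illustration (not Microsoft's implementation): a client measures constructed boot components into a TPM-style PCR in load order, a stand-in Remote Attestation Service replays the event log against the quoted PCR and checks that every component is known-good and that AM software loaded before any 3rd party driver, then issues a Client Health Claim that a file server verifies before granting access. The component contents, the known-good allowlist and the HMAC claim-signing key are all constructed for this example.

```python
import hashlib, hmac, json

# Constructed stand-ins for the clean boot components; real hashes come from the vendor.
CLEAN = {"UEFI boot policy": "boot policy v1", "Windows OS Loader": "bootmgfw v1",
         "Windows Kernel and Drivers": "ntoskrnl v1", "AM software": "elam+am v1",
         "3rd party driver": "vendor.sys v1"}
KNOWN_GOOD = {n: hashlib.sha256(c.encode()).hexdigest() for n, c in CLEAN.items()}
SERVICE_KEY = b"constructed-attestation-service-key"  # assumed claim-signing key

def extend_pcr(pcr, measurement_hex):
    # TPM-style extend: PCR = SHA256(PCR || measurement); earlier values cannot be erased.
    return hashlib.sha256(pcr + bytes.fromhex(measurement_hex)).digest()

def measured_boot(components):
    # Client/TPM side: measure each component into the PCR in its load order.
    pcr, log = b"\x00" * 32, []
    for name, content in components:
        h = hashlib.sha256(content.encode()).hexdigest()
        log.append((name, h))
        pcr = extend_pcr(pcr, h)
    return log, pcr

def evaluate(log, pcr):
    # Remote Attestation Service: replay the log against the quoted PCR, then apply
    # policy: every component known-good, AM software loaded before any 3rd party driver.
    replay = b"\x00" * 32
    for _, h in log:
        replay = extend_pcr(replay, h)
    if not hmac.compare_digest(replay, pcr):
        return False, "event log does not match TPM measurement"
    if any(KNOWN_GOOD.get(n) != h for n, h in log):
        return False, "unknown or tampered boot component"
    names = [n for n, _ in log]
    third = [i for i, n in enumerate(names) if n.startswith("3rd party")]
    if "AM software" not in names[:min(third, default=len(names))]:
        return False, "AM software not started before 3rd party drivers"
    return True, "healthy"

def issue_health_claim(log, pcr):
    # Service issues a signed Client Health Claim (HMAC stands in for a real signature).
    body = json.dumps({"healthy": evaluate(log, pcr)[0], "pcr": pcr.hex()})
    return body, hmac.new(SERVICE_KEY, body.encode(), "sha256").hexdigest()

def server_grants_access(claim_body, tag):
    # Resource server (file server): verify the claim and admit only healthy clients.
    expected = hmac.new(SERVICE_KEY, claim_body.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, tag) and json.loads(claim_body)["healthy"]
```

A clean boot yields a claim the server accepts; a tampered OS loader, a 3rd party driver loaded ahead of AM software, or an event log that does not replay to the quoted PCR all fail evaluation and are refused.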
Simple interface
• Minimal, high-level user interactions
Administrative control
• User configurability options
• Central policy enforcement
• UI lockdown and disable
Maintains high productivity
• CPU throttling during scans
• Faster scans through advanced caching
• Minimal network and client impact of definition updates
Resources
• Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD
• Operating System Deployment and Endpoint Protection Client Installation
• Software Update Content Cleanup in System Center 2012 Configuration Manager
• Building Custom Endpoint Protection Reports in System Center 2012 Configuration Manager
• Managing Software Updates in Configuration Manager 2012
• Endpoint Protection by the numbers
• Group Policy Preferences and Software Updates
• Software Update Points in Configuration Manager 2012 SP1
• How-to Videos
• Product Documentation
• Security and Compliance Manager – Configuration Packs
Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.
- Slides: 33