What’s new in Windows Defender ATP Fall Creators Update


    Last Updated: 23 May 2021 at 21:29

    When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop attacks as they happen and before they have impact. This means that our service will expand beyond detection, investigation, and response, and will now allow companies to use the full power of the Windows security stack for preventative protection. The stack will be powered by our cloud-based security intelligence, which moves us from a world of isolated defenses to a smart, interconnected, and coordinated defense grid that is more intelligent, simple to manage, and ever-evolving.

    We will also provide a single pane of glass experience for security professionals. This means that security management (SecMgmt) teams can easily configure a broad set of Windows security stack technologies through an integrated configuration management experience. Security operations (SecOps) teams get full visibility into their Windows endpoint security and a rich toolset to take action using the Windows Defender ATP console. This will not only give companies a full picture of what’s happening on their endpoints, but will also put them in the driver’s seat to quickly react to threats as they happen. Leveraging our cloud-based security intelligence gives the optics, context, and tools that companies need to quickly investigate and remediate incidents.

    Here are some highlights of the Windows Fall Creators Update:

    • Attack surface reduction with EMET in the box – In the Windows Fall Creators Update, we are introducing Windows Defender Exploit Guard, which gives companies more control over restricting how code runs on their machines and provides tools to mitigate exploits at runtime. Windows Defender Exploit Guard will offer a set of powerful features for intrusion prevention, such as Attack Surface Reduction (ASR) smart rules, which are designed to give laser-focused and targeted blocking capabilities. For example, companies can take advantage of built-in rules that can block Office files containing macros that attempt to download and execute content from the web. Windows Defender Exploit Guard will also help companies take advantage of vulnerability mitigation capabilities that are native to the OS as well as those formerly offered in the Enhanced Mitigation Experience Toolkit (EMET), which are now built into Windows. With the addition of EMET technology, companies will be able to apply advanced vulnerability mitigations to legacy apps running on Windows 10 without the need to recompile them. Another powerful Windows Defender Exploit Guard capability will allow automatic blocking of websites known to host malicious code, by leveraging the Windows Defender SmartScreen knowledge base. The integration between Windows Defender ATP and Windows Defender Exploit Guard is designed to offer new prevention capabilities that offer smarter and adaptive defenses for companies using our service (Figure 1).



    Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event

    • Single pane of glass view across the Windows security stack – In this release we are exposing a broader set of Windows security stack technologies in a single pane of glass experience to allow SecOps to do more and quickly react to attacks (Figure 2). Here are some examples of what SecOps will be able to perform:
      • Get access to Windows Defender SmartScreen alerts and events that show if an employee within the company clicked on a specific URL despite receiving a warning message
      • See Windows Defender Antivirus detections and actions that took place and connections that got blocked by Windows Defender Firewall
      • View Device Guard events that have surfaced unauthorized applications that have been blocked but may still be present within the environment and then access blocked/audit information from Windows Defender Exploit Guard
      • Get access to events and alerts when Windows Defender Application Guard has successfully isolated and blocked attacks targeting the browser within the Windows Defender Application Guard container



    Figure 2: Windows Defender ATP new dashboard view

    • More detection, investigation, and response – Providing advanced detection, investigation, and response capabilities is where Windows Defender ATP started, and there are exciting new additions in the Windows Fall Creators Update. In this release, we are growing our detection dictionary to include new indicators of attack (IoA) that cover recent techniques that attackers use. Some of these new detections include dynamic script-based attacks, network explorations, and keylogging alerts. We are offering a richer investigation experience across a wide set of Windows 10 security technologies. For example, if a user is tricked into installing malware in their browser, and the infection is contained and later discarded in Windows Defender Application Guard without a trace, Windows Defender ATP still gives SecOps visibility into the event for future investigation in the Windows Defender ATP console (Figure 3). This will enable them to get to the root cause faster and get a complete understanding of the full breadth of the attack footprint. We will offer a set of new and powerful response capabilities to allow SecOps to do more and react faster. For example, users will be able to update and run a machine scan using Windows Defender Antivirus, conduct application restriction per machine, and block execution of unknown files using Device Guard technology.



    Figure 3: Windows Defender ATP machine timeline view with Windows Defender Application Guard event

    • New security analytics view – We will provide customers visibility into their company’s security posture with a new security analytics view (Figure 4) that will help shed light on possibly vulnerable areas in their endpoints. Customers can monitor overall endpoint security health, quickly identify weak spots in their network, and take the necessary resolution actions. Windows Defender ATP will help identify vulnerable areas in endpoints by providing a protection score across a wide set of Windows security technologies.



    Figure 4: Security Analytics

    • Set of new APIs – We are expanding our set of security graph APIs to provide more flexibility to customers interested in using Windows Defender ATP data together with their security information and event management (SIEM) system. Our new APIs will allow customers to get more information on what’s going on and also take actions needed.

    Finally, we plan to extend Windows Defender ATP to also cover the Windows Server platform, starting with Windows Server 2012 R2 and 2016 releases. We are also working on supporting more platforms beyond Windows, and plan to share more information about it later this year as it becomes available.

    We encourage you to learn more and experience the current version of Windows Defender ATP by signing up for our 90-day free trial today. Please note that we plan to release our new Fall Creators Update features for preview later this year, around the September-October timeframe.

    Avi Sagiv
    Principal Program Manager, Windows Defender ATP


    Source: What's new in Windows Defender ATP Fall Creators Update Windows Security
    Posted By: Brink
    28 Jun 2017
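    As an added illustration of the Exploit Guard ASR rules and audit/block reporting that the post describes (this is not code from Microsoft's post or from this thread), the PowerShell below enables one ASR rule in audit mode and then pulls the events a SecOps analyst would review. The rule GUID and the event IDs are taken from Microsoft's public Defender documentation rather than from this page, and the script assumes an elevated prompt on Windows 10 1709 or later with Windows Defender Antivirus as the active antivirus.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# Windows 10 1709+ where Windows Defender Antivirus is the active AV.

# ASR rule "Block all Office applications from creating child processes".
# GUID per Microsoft's public ASR documentation (assumption: still current).
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Start in AuditMode: the rule logs what it would have blocked but blocks
# nothing, so you can measure business impact before switching to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Confirm the rule and its action are set (0 = Disabled, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} -> action {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                           $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Review what the rule observed. Event ID 1121 = rule fired in block mode,
# 1122 = rule fired in audit mode, both in the Defender Operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

    Once the audit events show no legitimate Office child processes being flagged, the same cmdlet with -AttackSurfaceReductionRules_Actions Enabled switches the rule to block mode.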


    #1 Hewjr100 (Windows 10 Pro)

    Well that's very nice if you're an Enterprise user, but what about the rest of us? Maybe it will trickle down in RS4.

    Henry


    #2 (WX64)

    Hewjr100 said:
    Well that's very nice if you're an Enterprise user, but what about the rest of us? Maybe it will trickle down in RS4.

    Henry
    I know what's new by observation.
    Defender runs all the time.
    In some cases it will reach 50% of the cpu on a dual core.
    Seems to be triggered during some reboots or forever after once triggered, because of some unresolved conflict.
    When Defender is forcefully removed and/or disabled, the reboots are really fast, assuming no updates and no real problems.
    Controls to disable it are removed (some are still in gpedit.msc)
    If disabled by gpedit it turns back on.
    If removed from program files it runs from 2 backup locations.
    If removed from all locations and reinstallation is blocked then it does not run.
    Requires at least a quad core to function without crippling any CPU-intensive or memory-intensive operations.
    If disabled the performance of a dual core will return to normal.
    Turns on settings that will export data from a pc (virus sample?) but this could be a document as well.
    Can interfere with some web based software download and installation
    Requires signed drivers for all hardware (old hardware is not supported)
    Ignores or removes settings that used to be there like disabling it (you don't get a choice here and most old methods to control it no longer work)
    Accounts such as Administrator are degraded so you do not control everything. Even running a process or command as SYSTEM is blocked; there is yet another account lockdown.
    Can you still control it? Yes, from the recovery command prompt it's possible to set the machine to not run these.
    Is it safe? Yes, if you use a series of add-on apps to monitor the PC and check everything that is downloaded.
    Open each app with an archive opener to see what's in it. Monitor network ports. Monitor processes.
    Become familiar with what is normal. Monitor file creation. Uninstall or remove badly behaving programs.


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.