Is Windows Defender Mature Enough to Replace Third-Party Anti-virus/Anti-malware?

Think you already know everything you need to know about Windows Defender Antivirus versus third-party solutions? If you haven’t heard what Sami Laiho has to say, then I suggest you read on just to be 100% certain.

Sami is an elite global cybersecurity speaker and author. He provided a very interesting take in a recent webinar, Get Smart on Windows 10 Application Security. (View the full webinar here.)

The Young Adulthood of Windows Defender

When Windows Defender was first released in 2006, Microsoft described it as “not great, but better than nothing.” I’m paraphrasing, but that was the essence of their message at launch.

Microsoft told corporate customers not to abandon third-party anti-malware solutions in favor of Windows Defender. (Note: I’m using “anti-malware” even though the official name is “Windows Defender Antivirus” because viruses are a subset of malware.)

In the past dozen years, businesses’ need for comprehensive cybersecurity has skyrocketed. In response, Microsoft has continued to improve Windows Defender. As IT pros roll out Windows 10, they are re-evaluating their need for third-party anti-malware.

Is Windows Defender Grown Up Enough?

Instead of being coy, I’ll tell you flat out: Yes, Windows Defender is good enough to replace third-party anti-malware in most businesses, regardless of size. This does not mean it’s the right choice for every business, but it’s a viable option.

Now let’s talk about why! The logic is not very intuitive, so I’ll break it down. It starts with this premise:

Traditional anti-malware software—whether Windows Defender or third party—cannot be your primary endpoint protection anymore.

For many years, traditional anti-malware software was the backbone of Windows application security. At the core of these technologies is an engine that looks for software on your system—both on disk and in memory—that matches patterns of malware. The search for malware can be more sophisticated than just matching patterns, but that’s historically been the heart of it.

The patterns are stored in a definition file. You can think of it as a catalog of data used to identify malware. That definition file is frequently updated and distributed to all endpoints.

You are probably aware of more advanced anti-malware solutions that use things like real-time telemetry, cloud databases and artificial intelligence. One example of these is Microsoft Advanced Threat Protection (ATP), though many third-party solutions compete here, too. This blog references only traditional anti-malware engines, where Windows Defender competes.

If you suggest using Windows Defender, some IT pros may argue, “Third-party anti-malware solutions catch 99% of malware, and Windows Defender only catches around 94%. So why would I use Windows Defender?” While the exact numbers may vary, nobody disputes that third-party engines catch more malware than Windows Defender.

This is where it gets interesting …

All the major anti-malware providers find more than 1,000,000 new malware samples every day.

Whoa, what!? Yes, it’s right here on Sami’s slide from the webinar.

So, even at 99% coverage, an antimalware engine is missing more than 10,000 different pieces of malicious software every day. That’s a lot of pieces of badness flying under your radar daily. It only takes one to compromise your organization.

To make your company’s applications totally secure, you have to take additional measures. These start with using other Windows 10 security features such as whitelisting, exploit protection and many others. You may want to deploy other types of third-party security software (beyond anti-malware). Plus, you’ll need to apply myriad best practices throughout your organization.

In the context of this bigger picture, Windows Defender makes sense:

  • It will catch the overwhelming majority of malware.
  • It’s distributed and updated as a part of Windows 10 itself.
  • A strong security strategy does not rely on antimalware to catch everything.

What’s the Catch?

Windows Defender’s biggest disadvantage is that it does not have a centralized logging and alerting system. This can, however, be mitigated in several different ways:

  • Microsoft System Center Endpoint Protection can address this need for businesses using Microsoft System Center Configuration Manager.
  • Companies using Microsoft  can set up alerting through Windows Defender ATP.
  • A third-party security information event management (SIEM) system can track Windows Defender activity and provide alerting.
  • Event forwarding (a.k.a. log forwarding) may be a good option as well for smaller companies.

Log Forwarding

For organizations that don’t have an advanced solution for managing centralized logging and alerting from Windows Defender, log forwarding is a viable option. Log forwarding was originally released as part of Windows Vista, so it’s been around for a while.

Basically, you could allocate a centralized server for alerting and management with Windows Defender. Use group policy to forward events from every client to the central server. Create a task on the server that runs a PowerShell script to evaluate events, and send an email or take other action when alerting is merited.
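As an added example of the last step of that setup (not code from the original post), here is a PowerShell script that the scheduled task on the central collector could run: it reads the Windows Defender events the clients forwarded, and e-mails a summary when any detection, remediation or real-time-protection change appears. It assumes the subscription writes into the default ForwardedEvents log, and the SMTP host, addresses, script path and 15-minute interval are placeholders.

```powershell
# Added example: alert on forwarded Windows Defender events from the collector.
# Assumptions (placeholders): ForwardedEvents as the subscription target log,
# the SMTP server/addresses below, and a 15-minute task interval.
param(
    [int]$LookbackMinutes = 15,
    [string]$SmtpServer   = 'smtp.example.internal',            # placeholder
    [string]$From         = 'defender-alerts@example.internal',  # placeholder
    [string]$To           = 'soc@example.internal'               # placeholder
)

# Windows Defender operational event IDs worth alerting on:
#   1116 = malware or potentially unwanted software detected
#   1117 = remediation action taken
#   5001 = real-time protection disabled
$AlertIds = 1116, 1117, 5001

$filter = @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-Windows Defender'
    Id           = $AlertIds
    StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Get-WinEvent throws when nothing matches; treat that as "no events this cycle".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { return }

# One line per event: time, forwarding client, event ID, first line of the message.
$lines = foreach ($e in $events) {
    $summary = ($e.Message -split "`r?`n")[0]
    '{0:u}  {1,-20}  {2}  {3}' -f $e.TimeCreated, $e.MachineName, $e.Id, $summary
}

$hosts = ($events.MachineName | Sort-Object -Unique).Count
$body  = @("Windows Defender events forwarded in the last $LookbackMinutes minutes:", '') + $lines
Send-MailMessage -From $From -To $To -SmtpServer $SmtpServer `
    -Subject ("Defender alert: {0} event(s) from {1} host(s)" -f $events.Count, $hosts) `
    -Body ($body -join "`n")

# Register the script as the recurring task (run once on the collector as an administrator):
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#            -Argument '-NoProfile -File C:\Scripts\Defender-Alert.ps1'   # placeholder path
# $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
# Register-ScheduledTask -TaskName 'Defender Forwarded Alerts' -Action $action -Trigger $trigger -RunLevel Highest
```

The task's own run history and a periodic "heartbeat" e-mail are worth adding in practice, since a collector that silently stops receiving events looks identical to one with nothing to report.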

Yes, Windows Defender Is All Grown Up

Windows Defender is a mature technology that is more than adult enough for your company to rely on. Even large enterprises can adopt it, though that doesn’t mean they should. Your organization’s technologies, challenges and processes are unique. Nobody can rightfully tell you “XYZ is the best anti-malware in all cases.”

That said, you can’t ignore Windows Defender anymore! It may make your life a little easier because it’s built into Windows. So, if you can make it work, it could free up some of the time you now spend managing anti-malware engines. Then you can use that time to work on the million other cybersecurity tasks on your list!

Bill Bernat, director at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, follow the company on LinkedIn, Facebook, and Twitter.