What is Windows Defender ATP & Is It Any Good? - Expel.io (2023)

It’s no secret that the industry has eyes for Defender for Endpoint. After a few months of using and integrating it with our platform, we feel the same.

In a few other posts, we’ve shared our thought process on how we think about security operations at scale and the decision support we provide our analysts through our robots. In short, Defender for Endpoint made it really easy for us to get to our standard of investigative quality and response time without requiring the heavy lift to get the features we needed upfront.

So what is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is an enterprise endpoint security product that supports Mac, Linux and Windows operating systems. There are a ton of cool things that Defender for Endpoint does at an administrative level (such as attack surface reduction and configurable remediation) however from our vantage point, we know it best for its detection and response capabilities.

Defender for Endpoint is unique because not only does it combine an EDR and anti-virus (AV) detection engine into the same product, but for Windows 10 hosts this functionality is built into the operating system (removing the need to install an endpoint agent). With an appropriate Microsoft license, Defender for Endpoint and Windows 10 provide out of the box protection without the need to mass-deploy software or provision sensors across your fleet.

What is EDR and how do these tools help us

When we integrate with an endpoint detection and response (EDR) product, our goal is to predict the investigative questions that an analyst is going to ask and then have the robot perform the action of getting the necessary data from that tool. This frees up our analyst to make the decision. We think Defender for Endpoint provides the right toolset for helping us easily reach that goal via its API.

WhyMicrosoft Defender for Endpoint is the best

Thanks to Defender for Endpoint’s robust APIs, we augmented its capability to provide upfront decision support to our analysts that arms them with the answers to the basic investigative questions that we ask ourselves with every alert.

To find these answers, there’s a few specific capabilities of Defender for Endpoint that we tap into that allow us to pull this information into each alert. This way, our analysts don’t need to worry about using the tool, but instead, get to focus on analyzing the rich data that it provides:

  • Advanced hunting database
  • Prevalence information
  • Detailed process logging
  • AV actions

Like we mentioned, Defender for Endpoint is an amazing investigative tool out of the box, but it only gets better once you start peeking under the hood. Our favorite for Endpoint feature? The API.

Here at Expel, robots are our friends. They help us with decision support. This is what enables our analysts to focus on making decisions rather than worrying about how to use 30+ different technologies to gather the data we need to answer investigative questions. To be effective, our robots must not only be good at collecting the data needed but preparing it for interpretation as well. Therefore our robots aren’t just good at collecting data, they also translate it into a format our analysts can easily work with and is consistent across multiple technologies.

With Defender’s rich API, we have an opportunity to replicate the manual scoping actions our analysts would take in the console and perform them automatically in our own platform.

Now that we’ve written our love letter to Defender for Endpoint, we’ll show you a real example of how we use this tool to triage an alert.

Triaging an alert using Microsoft Defender for Endpoint

First things first: here’s how we break down an alert.

At a high level, we’re looking to answer five basic investigative questions:

  1. What is it?
  2. Where is it?
  3. How did we detect it?
  4. How did it get there?
  5. When did it get there?

Defender for Endpoint’s features help us easily answer these questions.

Here’s an example of what a Defender for Endpoint alert looks like when it initially comes through the Expel Workbench:

(Video) Goodbye Microsoft Defender

Initial lead of suspicious commands

Here’s what we know

What is it?

  • Suspicious net commands being run by this user

Where is it?

  • One host

How did we detect it?

  • EDR alert – execution of suspicious commands

What we don’t know, how and when did it get here

Now to answer the money questions. We need to ask ourselves the last two of our investigative questions (How did it get there? When did it get there?) to understand how we will need to proceed in our investigation. And, as with any investigation, they will require additional data to answer.

An analyst’s measure of a good EDR platform will always be biased towards whether or not the data they need is available, easy to obtain and to understand. In our experience, Defender for Endpoint does an excellent job of anticipating these questions and providing easy access to detailed process information that allows an analyst to quickly and confidently make decisions.

To highlight this, let’s attempt to answer How did it get there? using some of the data provided to us with the Defender for Endpoint alert.

Our favorite way to answer this? The Alert Process tree.

Process tree of activity flagged in the alert

As analysts, we love to see a nice process tree (like the one you see above). Being able to visualize the lineage of a process is extremely helpful, especially when time is of the essence. Defender for Endpoint presents us with a detailed hierarchy of the processes involved in an alert, marking anything it believes to be suspicious with a yellow lightning bolt.

By looking at the process tree, we can easily identify that the suspicious net commands spawned from the parent process “httpd.exe.”

Why is this detail relevant?

This is common behavior associated with webshells from a remote attacker. By knowing this, we now have evidence to suggest an anomalous process relationship and likely an incident.

(Video) Windows Defender vs Ransomware 2022

With a suspected webshell on the brain, now we have a little bit of clarity on how these suspicious commands were executed. But two important questions still remain:

  • How did this webshell get here?
  • When did the webshell first enter the environment?

Again, these are high-level questions and an experienced analyst is naturally going to attempt to identify the sources and frequency of the webshell interaction as well. But regardless, the Timeline feature of the Incident pane allows us to answer all of these.

Check out this output when we search for the process “httpd.exe” on the alerted host.

Timeline view to filter network connections from the httpd.exe process

We can answer When did it get there? by filtering network connections, helping us clearly identify network connections related to the suspicious “httpd.exe” activity and determining the time they first started.

More than likely, these connections are the Command and Control we would expect from webshell interaction; containing the “net” commands that we were alerted to initially.

Seeing the whole picture

With just a few tools in the Defender for Endpoint console, we can easily scope this activity and answer all five of our initial investigative questions.

What is it?

  • Reconnaissance commands being executed by an attacker

Where is it?

  • One host (Web application host)

How did we detect it?

  • EDR alert – execution of suspicious commands

How did it get there?

  • A webshell deployed through an application vulnerability

When did it get there?

  • A few hours prior to our original alert

How do we use Defender’s features to our advantage?

If you asked a robot what it’s job at Expel is, it would likely respond in a JSON blob. JSON is great for transferring and formatting data in an efficient way, but it’s not great for a human to read.

Therefore outside of just collecting the data, our robots are also responsible for making this data ready for interpretation by an analyst in a format that is readable and consistent.

(Video) How to Use Windows Defender in Windows 10 (Creators Update)

So how do our robots pull this off?

Well, our robots speak API. It all starts with them being able to ask some very simple questions of Defender for Endpoint.

We’ve found that Defender for Endpoint has a rich API that allows us to automate our entire triage process.

Let’s take a look at what this looks like with our lead alert.

Defender for Endpoint Alert decision support

Prevalence Information

Where is it?

As an analyst, this is probably one of the first (and most powerful) questions you can ask yourself in an investigation. The lower the prevalence, the more likely you’re looking at something out of place. The way we do this with Defender for Endpoint is by normalizing the process arguments that were alerted on, and query for them in the Advanced Hunting Database.

As you can see above, our analysts immediately know that in the past seven days these commands are completely unique compared to the one host we’re already investigating. We can see this by looking at how common these process arguments are in the environment.

We also do this with the normalized file path to help identify whether or not the alerted activity is being executed out of an abnormal location, or is simply a commonly installed binary in the environment by showing us everywhere the file is seen. With this information we can easily spot legitimate binaries in abnormal locations, or spoofed binaries that are executing out of legitimate directories.

Defender for Endpoint Alert decision support

Auto-Timeline Generation

Your next logical question as an analyst is usually: How did it get there? We anticipate this and provide a timeline of the activity that occurred in a five minute window around the time of the alert. Since this comes with the alert, there’s no wasting time learning a query language, logging into the console, waiting for the query to run and parsing the data. All in all, we save at least five to 10 minutes per alert when this data is retrieved and interpreted by our robot.

This data comes back in a normalized CSV format so an analyst can easily open and filter that data in Excel.

Below, you’ll see an example of an automatic timeline generated for the host involved in the alert.

(Video) Windows Defender vs Ransomware

Defender for Endpoint Decision support

Our Timeline format is very simple, and emulates the format in which we keep our master incident Timelines. That way we can easily take data from multiple sources and combine them into a master Timeline that tracks an incident across multiple hosts, users and organizations (note that columns are redacted).

Timeline acquired through our robots in CSV format

AV Actions

One of the greatest features of Defender for Endpoint is its configurable remediation policies. As defenders we usually want to know pretty early on whether or not a specific file was allowed to execute, or was blocked/ended by Defender for Endpoint at runtime. Our robots reach out to get us that context on each alert, and alert us to what Defender for Endpoint action was applied to the suspicious activity (if any) so that we can make smarter decisions about our response. For example, no one wants to spin up an incident for a blocked stage one download, but if the second stage was allowed to execute – let’s call in the troops.

In the example below we see that a file matching a signature for the Skeeyah trojan was identified and blocked at runtime. Before having to prove execution, we now know the scope is limited to simply answering one question (How did it get here?) rather than a bunch of post-exploitation questions right off the bat:

  • What other actions happened as a result?
  • What C2 did it communicate with?
  • How many other machines are infected?

We save a lot of time knowing this up front as there is no ambiguity on the action taken by the tool or having to parse detailed logs to find this information.

Defender for Endpoint Decision Support

Putting it all Together

The decision support Defender for Endpoint enables us to generate is powerful because it allows us to become specialists at analysis rather than specialists of a specific technology.

Don’t get us wrong, there are always benefits to knowing the tool. But a carpenter building a house isn’t usually the same person who forged the hammer. Decision support allows us to be flexible in the tools that we’re using but also to be consistent in the response we provide to our customers.

By standardizing the investigative questions and building our robots to answer those questions automatically, we can uplevel the capability of our analysts. Defender for Endpoint provides a platform that allows our analysts to quickly and accurately answer important questions during an investigation. But most importantly, having these capabilities emulated in the API allowed us to build on top of the Defender for Endpoint platform to be more efficient in our goal of providing high-quality detection and response across multiple organizations.

Have questions? Let’s chat.


Is Windows Defender ATP any good? ›

Microsoft Defender for Endpoint is the #2 ranked solution in endpoint security software, top Anti-Malware Tools, and EDR tools. PeerSpot users give Microsoft Defender for Endpoint an average rating of 8.0 out of 10.

What is the difference between Microsoft Defender and Microsoft Defender ATP? ›

Microsoft Defender — not to be confused with Microsoft Defender ATP — provides anti-malware and anti-virus capabilities for the Windows 10 OS, whilst the ATP product is a post-breach solution that complements Microsoft Defender AV.

How good is Microsoft ATP? ›

Office 365 ATP: Great platform to detect malware, threats and attacks on systems. It is a great tool that provides advance protection against malware and viruses to emails that are sent or received by people in an organization. It also provides protection against harmful links and clicks.

Is Microsoft Defender an ATP antivirus? ›

Windows Defender Advanced Threat Protection (ATP) is a Microsoft security product that is designed to help enterprise-class organizations detect and respond to security threats. ATP is a preventative and post-detection, investigative response feature to Windows Defender.

Is there a better antivirus than Windows Defender? ›

Answer: AV- comparatives conducted tests and the results showed that while the detection rate for Windows Defender was 99.5%, Avast anti-virus led by detecting 100% of malware. Avast also has a lot of advanced features that are not available on Windows Defender.

What replaced Microsoft ATP? ›

The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.

Should I use Defender or McAfee? ›

Spoiler alert: McAfee is the best choice. Although it's not free like Microsoft Defender, McAfee ensures you get what you pay for, providing all-around protection from online threats to save you money in the longer term. Keep reading to find out how I tested both providers to select the ultimate antivirus solution.

Should I delete Microsoft Defender Antivirus? ›

There's no harm deleting the Windows Defender files on your computer. Deleting this file will not affect any of your applications or software on your computer since they're just temporary files. You can delete it to free up some space on your drive.

Is Microsoft Defender for Office 365 the same as ATP? ›

Microsoft Defender for Office 365 (formerly ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard your organization from harmful links in real time.

What data does Microsoft Defender ATP collect? ›

What data does Microsoft Defender for Endpoint collect? Microsoft Defender for Endpoint will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.

Does Microsoft 365 include ATP? ›

Microsoft Office 365 Advanced Threat Protection pricing

Microsoft includes ATP with its top-tier Office 365 Enterprise E5 subscription, but organizations can add the service to other Exchange and Office 365 subscriptions for $2 per user, per month.

What is Microsoft ATP used for? ›

Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing zero-day protection and safeguarding versus phishing and other unsafe links, in real time.

What is the name of the antivirus app built into Windows 10? ›

Windows Security is built-in to Windows and includes an antivirus program called Microsoft Defender Antivirus. (In early versions of Windows 10, Windows Security is called Windows Defender Security Center).

How do I know if I have Defender ATP installed? ›

How do I confirm Microsoft Defender ATP is running on my University-owned device? In Windows 10, the Windows Security Center icon should be present in the system tray with a green checkmark if Defender is running.

What is the number 1 best antivirus? ›

The Best Antivirus Software of 2022
  • Avira: Best Value.
  • McAfee: Best for Comprehensive Features.
  • Avast: Best for Solopreneurs and Remote Workers.
  • Bitdefender: Best for Prevention.
  • Emsisoft: Best for High-Tech Defenses.
  • F-Secure: Best for Customization.
  • Malwarebytes: Best for Real-Time Protection.
18 Nov 2022

Do I need another antivirus if I have Windows Defender? ›

Windows Defender scans a user's email, internet browser, cloud, and apps for the above cyberthreats. However, Windows Defender lacks endpoint protection and response, as well as automated investigation and remediation, so more antivirus software is necessary.

What is the safest antivirus to use? ›

To help protect your Windows 11 or Windows 10 computer, here's our rating of the Best Antivirus Software of 2022:
  • #1 Bitdefender.
  • #2 Norton.
  • #3 Kaspersky.
  • #4 ESET.
  • #5 Webroot.
  • #5 Avast.
  • #5 McAfee.
  • #5 Trend Micro.
1 Nov 2022

What three apps are a good substitute for Microsoft? ›

Top 10 Alternatives to Microsoft 365
  • Google Workspace.
  • WPS Office.
  • OpenOffice.
  • LibreOffice.
  • WordPerfect.
  • Polaris Office.
  • ThinkFree.

What is the difference between defender ATP and azure ATP? ›

While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment.”

How do I turn off Microsoft Defender ATP? ›

Turn off Defender antivirus protection in Windows Security
  1. Select Start and type "Windows Security" to search for that app.
  2. Select the Windows Security app from the search results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings.
  3. Switch Real-time protection to Off.

Can Windows Defender get hacked? ›

Useful Link: Cyberattacks Increase 50% in 2021, Peaking All-time High of 925 Weekly Attacks per Organization! The security researchers found that the list of locations exempted from Microsoft Defender scanning is unsecured, and any unprivileged user can access it.

How effective is Windows Defender at removing viruses? ›

One of the most recent Real-World Protection reports is from February 2022, which used 362 test malware cases. Windows Defender scored 98.9% and didn't present any false positives (identifying verified software as malware incorrectly).

Is Windows Defender 2022 Good? ›

Microsoft Defender scores 9.6, which is quite a good score. It's better than any other free product tested with this same sample set. Adaware, Avast, and Bitdefender Antivirus Free Edition all score 9.2, while Kaspersky, Panda, and Avira score still lower.

Which is better Norton or Defender? ›

Microsoft Defender vs Norton conclusion

Norton 360 takes the top spot as the better antivirus option against Microsoft Defender. While Microsoft Defender provides a great real-time malware detection rate, it doesn't match up to the Norton 360, which detected and blocked every threat thrown its way.

Is it OK to run Windows Defender and McAfee at the same time? ›

You can run one Anti Virus at a time. You can't turn On both McAfee & Defender at the same time to protect your system. You can have only one AV protection turned On at a time that will protect your computer.

Is there a better antivirus than McAfee? ›

If you don't have time to read the full McAfee vs Norton comparison, I can tell you that the winner is Norton. It boasts superior malware protection results from independent labs and better additional security features such as a VPN, cloud backup and webcam protection.

Can Microsoft Defender detect all viruses? ›

Microsoft Defender Antivirus detects and protects against the following kinds of threats: Viruses, malware, and web-based threats on devices. Phishing attempts.

What happens if I remove Windows Defender? ›

You cannot uninstall it as it it part of the Windows 10 operating system. If you disable it as you have found out it will just turn itself back on.

What is included in Microsoft Defender ATP? ›

Microsoft Defender for Endpoint
  • Core Defender Vulnerability Management. ...
  • Attack surface reduction. ...
  • Next-generation protection. ...
  • Endpoint detection and response. ...
  • Automated investigation and remediation. ...
  • Microsoft Secure Score for Devices. ...
  • Microsoft Threat Experts. ...
  • Centralized configuration and administration, APIs.
29 Sept 2022

Does Microsoft Defender include VPN? ›

Microsoft Defender for Endpoint uses a virtual private network (VPN) to provide Web Protection capabilities that protect you against phishing or web-based attacks. This is a local (or self-looping) VPN, and unlike traditional VPNs, it can't direct or redirect traffic off the device.

Which Microsoft 365 Defender solution can detect a malware installation? ›

Microsoft Defender SmartScreen protects users from running malicious apps.

Why am I being charged for Microsoft Defender? ›

A fake invoice will be sent alongside text that claims you have been charged a Defender subscription fee — or that a transaction payment is required. Of course, as with most in-built software, Microsoft Defender Antivirus is completely free, and you will NEVER incur a charge for its use.

Why is Microsoft Defender taking up so much CPU? ›

This issue with MsMpEng.exe taking 100% of the hard drive and CPU usually occurs when Windows Defender is scanning the computer for malware. The Windows Defender scan is getting stuck on a few files while checking malware. When that is happening, it should be restricted/disabled to bring it back to normal use.

Is Windows Defender a vulnerability scanner? ›

The Microsoft Defender Vulnerability Management offering includes discovery, inventory, and vulnerability assessments of Windows and non-Windows assets and coverage for network shares and browser extensions, as well as CIS security assessments.

How much is Microsoft ATP? ›

The new Microsoft Defender for Endpoint standalone retail cost via CSP is $5.20/mo per user for up to 5 machines.

What are the disadvantages of Microsoft 365? ›

Disadvantages of Office 365
  • Subscriptions aren't for everyone. You don't have to pay out one-time costs, but you do have to pay every month. ...
  • Compatibility issues with bespoke systems. ...
  • Constant updates mean constant changes. ...
  • Most people only use 20% of the functionality. ...
  • You don't actually own the software.

What are the two versions of Microsoft Defender for Office 365 called? ›

Microsoft Defender for Office 365 comes in two different Plan types. You can tell if you have Plan 1 if you have 'Real-time Detections', and Plan 2, if you have Threat Explorer. The Plan you have influences the tools you will see, so be certain that you're aware of your Plan as you learn.

Is defender ATP the same as defender for Endpoint? ›

Defender for Endpoint (formerly Defender ATP) Defender for Endpoint is an enterprise endpoint security platform designed to help enterprises prevent, detect, investigate, and respond to advanced threats.

Is Microsoft ATP antivirus? ›

Microsoft Defender ATP is a unified platform for Windows protection that includes a broad range of capabilities, some of which include: Antivirus.

How do I use ATP with Windows Defender? ›

Onboard the devices

In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies. Select Create Microsoft Defender ATP Policy to open the policy wizard. Type the Name and Description for the Microsoft Defender for Endpoint policy and select Onboarding.

Should I not install antivirus on Windows 10? ›

You do need an antivirus for Windows 10, even though it comes with Microsoft Defender Antivirus. That's because this software lacks endpoint protection and response plus automated investigation and remediation.

How do I know if I have a virus on Windows 10? ›

Open your Windows Security settings. Select Virus & threat protection > Scan options. Select Windows Defender Offline scan, and then select Scan now.

Is there a truly free antivirus for Windows 10? ›

Avast provides the best free antivirus for Windows 10 and protects you against all types of malware.

Is ATP defender free? ›

Microsoft Defender for Endpoint offers a free trial and several different pricing plans from $10 per user per month up to $57 per user per month. For more information, visit microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans.

Is Microsoft Defender installed on my computer? ›

Use the Windows Security app to check the status of Microsoft Defender Antivirus. On your Windows device, select the Start menu, and begin typing Security . Then open the Windows Security app in the results. Select Virus & threat protection.

Do I need Norton if I have Windows Defender? ›

Norton 360 takes the top spot as the better antivirus option against Microsoft Defender. While Microsoft Defender provides a great real-time malware detection rate, it doesn't match up to the Norton 360, which detected and blocked every threat thrown its way.

Do I need McAfee if I have Windows Defender? ›

Windows Defender is a big upgrade to Microsoft's security game, and it means that you don't strictly need to install additional security software like McAfee or Norton.

How do I know if I have defender ATP installed? ›

How do I confirm Microsoft Defender ATP is running on my University-owned device? In Windows 10, the Windows Security Center icon should be present in the system tray with a green checkmark if Defender is running.

How do I stop Windows Defender ATP service? ›

Turn off Defender antivirus protection in Windows Security
  1. Select Start and type "Windows Security" to search for that app.
  2. Select the Windows Security app from the search results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings.
  3. Switch Real-time protection to Off.

Does Windows Defender come with a VPN? ›

Defender for Identity collects VPN data that helps profile the locations from which computers connect to the network and to be able to detect suspicious VPN connections. To configure VPN data in Defender for Identity in Microsoft 365 Defender: In Microsoft 365 Defender, go to Settings and then Identities. Select VPN.

Can Microsoft Defender see browsing history? ›

Neither Microsoft nor your organization can see data from apps installed on your device, browsing content, or stored browsing history.


1. Windows Defender vs Ransomware
(The PC Security Channel)
2. How to Disable or Enable Windows Defender on Windows 10
3. Can you DISABLE Windows Defender Antivirus?
(John Hammond)
4. Best Way To Turn Off or Disable Windows Defender in Windows 10 (2021)
5. Microsoft Defender for Endpoint (MDATP) webinar: Get started with MDATP | from zero to hero
(Microsoft Security Community)
6. Expel Detection Day (Monitoring Microsoft): How to use Defender to investigate a ransomware incident
Top Articles
Latest Posts
Article information

Author: Jonah Leffler

Last Updated: 02/09/2023

Views: 5898

Rating: 4.4 / 5 (45 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Jonah Leffler

Birthday: 1997-10-27

Address: 8987 Kieth Ports, Luettgenland, CT 54657-9808

Phone: +2611128251586

Job: Mining Supervisor

Hobby: Worldbuilding, Electronics, Amateur radio, Skiing, Cycling, Jogging, Taxidermy

Introduction: My name is Jonah Leffler, I am a determined, faithful, outstanding, inexpensive, cheerful, determined, smiling person who loves writing and wants to share my knowledge and understanding with you.