A year ago, my very short wife sat in a restaurant during March Madness on a bar stool that was too tall for her. The result was that while getting down off the stool, she blew out a disk in her back and was in tremendous pain. We went to a local ortho walk-in clinic. They sent us to their excellent spine surgeon. We got an MRI and listened to what he had to say. Simultaneously, we made an appointment at the Hospital for Special Surgery and brought our MRI for the consultation.
The good news was that both excellent surgeons had the same opinion. And the best news was that my wife's situation was resolved without surgery.
But we got a second opinion because our insurance would pay for it.
What amazes me with many clients is that most of your endpoints and servers already come with a "free" second opinion, and many of you have chosen to turn it off.
The second opinion for many of you is Microsoft's built-in Windows Defender.
Windows Defender is obviously a basic tool, but comparison after comparison rates it functionally on par with the low-end commercial antivirus products. Windows Defender has also gotten good at identifying potentially unwanted applications (Microsoft's term is PUA; MalwareBytes calls them PUPs). I used to say run MalwareBytes to sift through all that junk. MalwareBytes is still very good at eliminating that noise, but Windows Defender alone is now also very good, as long as PUA protection is actually switched on; it is a separate setting from real-time protection, so it is worth checking rather than assuming.
Microsoft realizes that you may invest in a commercial antivirus or, better yet, an EDR/MDR/XDR type product. That is why Defender Antivirus was designed to step aside rather than fight: on Windows 10 and 11, when a third-party antivirus registers with Windows Security Center, Defender switches off its own real-time protection. (Devices onboarded to Microsoft Defender for Endpoint, and Windows Server, use a related "passive mode" instead, and on Server the switch is not automatic, so check it.) What many people miss is the "Periodic scanning" toggle under Windows Security > Virus & threat protection > Microsoft Defender Antivirus options: with it on, Defender keeps running scheduled scans and reporting detections while your primary product handles real-time protection.
All commercial products like to take control of your machine and turn off everything except their own product. But if Windows Defender is free, plays nicely with your primary tool, and provides a second opinion now and again about what is going on, why wouldn't you enable periodic scanning?
If you use Huntress, they specifically seek out and manage Windows Defender from their console and actively use its telemetry feed.
Windows Defender settings can be controlled centrally via Group Policy (Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus). In particular, make sure the "Turn off Microsoft Defender Antivirus" policy is not enabled anywhere in your GPO chain, because that policy switches Defender off outright, periodic scanning included.
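The following is an added example, not code from the original post, showing how to audit from PowerShell whether Defender is actually still giving that second opinion on a machine whose primary protection is a third-party product. It uses the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) and the registry value that the "Turn off Microsoft Defender Antivirus" Group Policy writes. The AMRunningMode strings are the ones Microsoft documents; verify them on your build, and the three-day signature-age threshold is an assumption to tune to your environment.

```powershell
# Added example, not from the original post: audit whether Microsoft Defender
# Antivirus is still giving a "second opinion" on a box that runs a third-party
# AV/EDR as its primary protection. Run in an elevated PowerShell session on
# Windows 10/11 with the Defender module present (Get-MpComputerStatus etc.).

function Test-DefenderSecondOpinion {
    [CmdletBinding()]
    param([int]$MaxSignatureAgeDays = 3)   # assumed threshold; tune to taste

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # AMRunningMode tells you which role Defender currently plays (documented values):
    #   Normal           - Defender is the active, primary antivirus
    #   SxS Passive Mode - a third-party AV is primary AND "Periodic scanning" is on
    #   Passive Mode     - Defender for Endpoint passive mode (EDR sensor active)
    #   EDR Block Mode   - MDE remediation alongside a third-party AV
    # Anything else (e.g. "Not running") means there is no second opinion at all.
    $mode = $status.AMRunningMode
    $secondOpinion = $mode -in @('Normal', 'SxS Passive Mode', 'Passive Mode', 'EDR Block Mode')
    if (-not $secondOpinion) {
        $findings.Add("Defender is not scanning (AMRunningMode='$mode'); turn on Periodic scanning or re-enable Defender.")
    }

    # The Group Policy "Turn off Microsoft Defender Antivirus" writes DisableAntiSpyware=1 here.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $disabledByPolicy = $false
    if (Test-Path $polKey) {
        $val = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).DisableAntiSpyware
        if ($val -eq 1) {
            $disabledByPolicy = $true
            $findings.Add("Group Policy 'Turn off Microsoft Defender Antivirus' is enabled (DisableAntiSpyware=1).")
        }
    }

    # PUA protection is its own switch: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
    if ([int]$pref.PUAProtection -ne 1) {
        $findings.Add("PUA protection is not Enabled (PUAProtection=$($pref.PUAProtection)).")
    }

    # A scanner with stale definitions is a stale second opinion.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated)).")
    }

    # Tamper Protection stops an attacker (or a well-meaning admin) from flipping the switches above.
    if (-not $status.IsTamperProtected) {
        $findings.Add("Tamper Protection is off.")
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RunningMode         = $mode
        SecondOpinionActive = $secondOpinion
        RealTimeProtection  = $status.RealTimeProtectionEnabled   # expected $false when a third-party AV is primary
        DisabledByPolicy    = $disabledByPolicy
        PUAProtection       = $pref.PUAProtection
        SignatureAgeDays    = $status.AntivirusSignatureAge
        LastQuickScan       = $status.QuickScanEndTime
        TamperProtected     = $status.IsTamperProtected
        Findings            = $findings.ToArray()
    }
}

# Usage: run locally, or push through your RMM and collect one object per host.
$result = Test-DefenderSecondOpinion
$result | Format-List
if ($result.Findings.Count -gt 0) { exit 1 }   # non-zero exit lets an RMM check flag the host
```

Note that RealTimeProtection being false is the expected, healthy state on a machine where another product is primary; the field to alarm on is SecondOpinionActive, which is only true when Defender is still scanning in one of its documented modes. Enabling periodic scanning itself is done through the Windows Security toggle described above; this script only reports on it.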
Remember that layers of protection, with different tools each looking at your network from its own perspective, are the best security defense. Even if all that Windows Defender does is act as the "canary in the coal mine" and alert you that something bad is going on as an attacker attempts to take out your primary protection tool, that is a very good thing.
Remember, we want attackers to be forced to make as much noise as possible on the network in order to get what they want.
Noise = Greater odds of prompt detection before the bad stuff starts happening.
This is a free noisemaker; once in a while, it sees things that other products may not see.
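To make that canary audible, the noise has to reach someone. The following is an added example, not code from the original post, that pulls the relevant events out of Defender's own Operational event log: detections (event IDs 1116 and 1117) and the events Defender writes when its protection is disabled or reconfigured (5001, 5007, 5010, 5012). The event IDs are the ones Microsoft documents for that log; the 24-hour window and the category names are assumptions.

```powershell
# Added example, not from the original post: collect the "canary" events that
# Defender writes to its own event log, so a Defender detection, or an attempt
# to switch Defender off, becomes an alert in your monitoring even when a
# third-party product is the primary AV. Needs rights to read the
# Microsoft-Windows-Windows Defender/Operational log (elevated session).

function Get-DefenderCanaryEvents {
    [CmdletBinding()]
    param([int]$Hours = 24)   # assumed window; tune to your polling interval

    # Event IDs documented for the Defender Operational log:
    $detectionIds = 1116, 1117             # 1116 threat detected, 1117 action taken
    $tamperIds    = 5001, 5007, 5010, 5012 # 5001 real-time protection disabled,
                                           # 5007 configuration changed,
                                           # 5010 antispyware scanning disabled,
                                           # 5012 antivirus scanning disabled
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $detectionIds + $tamperIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $rows = foreach ($e in $events) {
        if ($e.Id -in $detectionIds) { $cat = 'Detection' } else { $cat = 'Tamper/Config' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Category = $cat
            Summary  = ($e.Message -split "`r?`n")[0]   # first line of the message is the headline
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WindowHours    = $Hours
        DetectionCount = @($rows | Where-Object Category -eq 'Detection').Count
        TamperCount    = @($rows | Where-Object Category -eq 'Tamper/Config').Count
        Events         = @($rows | Sort-Object Time -Descending)
    }
}

# Usage: schedule this through your RMM and forward the counts (or the rows) to
# whatever you alert from. A 5001/5010/5012 on a host where nobody scheduled a
# change is exactly the noise the post is talking about.
$report = Get-DefenderCanaryEvents -Hours 24
$report.Events | Format-Table -AutoSize
if ($report.TamperCount -gt 0) {
    Write-Warning "Defender was reconfigured or disabled on $env:COMPUTERNAME in the last $($report.WindowHours) h"
}
```

Two caveats when you wire this up: 5007 also fires on legitimate policy and signature-related configuration changes, and Defender logs 5001/5010/5012 itself at the moment a third-party AV takes over as primary, so baseline a known-good host before treating every tamper-category event as hostile. Detections (1116/1117) are the ones worth paging on regardless of what the primary product said.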
If you are one of those districts that have turned this off, maybe now is the time to turn that back on.
If you need help doing that, please give us a call.
-Scott Quimby, CISSP