Windows 10 users are used to Windows Defender automatically protecting their PC from malware, but enterprise users rely on Microsoft Defender for Endpoint instead, and it’s about to get a lot more effective at dealing with malware thanks to a simple setting change.
In a blog post (via ZDNet), Microsoft explains that Defender has always shipped with the default automation level set to “Semi.” At that level the software automatically inspects “files, processes, services, registry keys, and any area that may contain threat-related evidence” and creates remediation actions to contain the threat, but it won’t carry out those actions without approval from the organization’s security operations team. With the latest public preview, that’s set to change.
Microsoft is switching the default automation level to “Full,” which means the malicious threat will be dealt with automatically and without approval. Acting immediately stops the malware before it does additional damage that security operators would otherwise have to spend more time cleaning up.
So why is Microsoft only now switching to automatic remediation? Since the automatic investigation and remediation capabilities were first added to Microsoft Defender for Endpoint, the company says, “we have increased our malware detection accuracy, added the option to undo remediation actions, and improved our automated investigation infrastructure. Throughout this time, we have seen thousands of cases where organizations with fully automated tenants have successfully contained and remediated threats, while other companies, left with the default ‘semi’ level, have remained at high risk due to lengthy pending time for approval of actions.”
In other words, Defender is now considered accurate enough not to need approval, and even if it makes a mistake, the actions can be reversed upon review. So from Feb. 16, “Full” becomes the default setting, though it can be changed if a security team wants to retain control over remediation actions and accepts the added risk of delaying them.