Does Windows Defender have device control?

Microsoft is announcing new Endpoint reporting capabilities within the Microsoft 365 Defender portal that bring together Device Control reports and Windows Firewall reports so admins can see what is happening in their environment in just a few clicks.

According to Microsoft, the reports are designed to give insight into device behavior and activity while allowing admins to take full advantage of the integrated experiences within the Microsoft 365 Defender portal, including device timeline and advanced hunting.

Found in the Reports page in the Endpoints node, the Device Control report, now generally available, displays the activity and usage of external devices. Admins can view events that relate to external media usage on endpoints, including the number of audit events that occur when external media is connected and the number of policy events that occur when a device control policy is triggered.

Audit events are generated when a USB drive is mounted or unmounted, when Plug and Play or Bluetooth media is connected, or when a Removable Storage Access Control policy is triggered.

According to Microsoft, this gives security administrators the tools to track their organization’s device control security through reports, which can be found in the Microsoft 365 Security Center. Reports show the number of audit events generated, by media type, over the last 180 days.

Admins can access more granular details on media usage in the device control report page, and they can see real-time activity for the media across the organization. Admins can also see the security state of the device, including the risk level and exposure level.

Also now generally available is the Firewall report, which shows admins the activity and behavior of devices configured with Windows host firewall via the Microsoft 365 Defender portal. This enables admins to view Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022 firewall reporting from a central location.

Microsoft notes that admins must enable Audit Events for Windows Defender Firewall with Advanced Security, using Group Policy Object Editor, Local Security Policy or the auditpol.exe commands.
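As an added example (not taken from Microsoft's announcement), the following PowerShell checks and enables failure auditing with auditpol.exe for the two Windows Filtering Platform subcategories that record firewall drops and blocked connections. It assumes an elevated session on an English-language Windows install, since auditpol matches subcategories by their localized names.

```powershell
# Added example: audit subcategories that feed Windows Defender Firewall events.
# Assumption: English subcategory names; run from an elevated PowerShell session.
$subcategories = 'Filtering Platform Packet Drop', 'Filtering Platform Connection'

foreach ($name in $subcategories) {
    # /r prints CSV; drop blank lines before parsing it.
    $row = auditpol.exe /get /subcategory:"$name" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv

    $setting = $row.'Inclusion Setting'   # "No Auditing", "Success", "Failure", "Success and Failure"

    if ($setting -notmatch 'Failure') {
        Write-Host "$name is set to '$setting'; enabling failure auditing"
        auditpol.exe /set /subcategory:"$name" /failure:enable | Out-Null
    }
    else {
        Write-Host "$name already audits failures ('$setting')"
    }
}

# Show the resulting policy for both subcategories.
auditpol.exe /get /subcategory:"Filtering Platform Packet Drop,Filtering Platform Connection"
```

A Group Policy that manages advanced audit policy will overwrite a local auditpol change at the next refresh, so on domain-joined machines set the same subcategories in the GPO.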

Firewall reports include a summary of inbound, outbound and application activity and allow admins to drill into the activity of a device via the Device Timeline tab that offers a list of events associated with that device.

The reports also support drilling from the card directly into Advanced Hunting, which will provide admins with a report of all related Firewall events from the last 30 days.

For more information, read Microsoft’s Tech Community blog on the announcement.

Does Windows Defender have device control?

Since employees have switched to remote working during the COVID-19 pandemic, home printers and removable devices have expanded the attack surface to their companies' data and daily business operations.

To address this increased security exposure, Microsoft has added new removable storage device and printer controls to Microsoft Defender for Endpoint, the enterprise version of its Windows 10 Defender antivirus.

These new capabilities available in the enterprise endpoint security platform (previously known as Microsoft Defender Advanced Threat Protection) will allow access restrictions to removable devices and blocking printing tasks via non-corporate or non-approved printers.

"We are excited to announce new device control capabilities in Microsoft Defender for Endpoint to secure removable storage scenarios on Windows and macOS platforms and offer an additional layer of protection for printing scenarios," Microsoft said.

"These new device control capabilities further reduce the potential attack surface on user's machines and safeguard organizations against malware and data loss in removable storage media scenarios."

Removable device control protection now generally available

Removable storage access control on Windows and removable storage protection on Mac are generally available, and printer protection on Windows is now available in public preview.

The new removable storage access control capabilities added to the Windows version complement already existing device control protection for scenarios such as removable storage Endpoint DLP, device installation, and removable storage BitLocker.

USB storage device control added to the Mac version of Microsoft Defender for Endpoint is designed to balance the level of access given to external storage devices using custom policies.

Last month, Microsoft Defender for Endpoint also added support for detecting jailbroken iOS devices and mobile application management (MAM) support for non-Intune enrolled Android and iOS devices.

By jailbreaking their iOS devices, users gain complete write and execution access, elevating their permissions to root and thus removing all Apple-imposed restrictions on installing apps.

With no restrictions in place, they can later install potentially malicious applications and, by skipping likely critical security updates to maintain their root access, they will also expose themselves to attacks.

Does Windows Defender have behavior monitoring?

Microsoft Defender Antivirus uses several methods to provide threat protection: cloud protection for near-instant detection and blocking of new and emerging threats, and always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection").

What is the difference between Windows Defender and Microsoft Defender?

Formerly known as Windows Defender, Microsoft Defender is an antivirus protection program that's included with Windows 10. You can enable or disable Microsoft Defender at any time. There are third-party apps that are free or require a paid subscription that also offer antivirus services.

What is the device control?

In Android 11 and later, the Quick Access Device Controls feature allows the user to quickly view and control external devices such as lights, thermostats, and cameras from a user affordance within three interactions from a default launcher.

What is Windows Defender application control?

Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code that you know can be run.