Cyber threats are becoming more complex every day. In the past, an attacker would build a virus and use it to carry out an attack. These viruses had unique signatures, and antivirus software detected them based on those signatures. In today’s world, threats are often polymorphic—meaning that the malware constantly mutates and changes to avoid detection. As a result, signature-based virus scanning solutions are no longer enough. We need the right set of tools, and that’s where Defender’s Next Generation Protection can help.
In our previous article in our series on Microsoft Defender, we looked at the Attack Surface Reduction rules that protected MDE clients. In this article, we’ll define Next Generation Protection and show how this advanced layer of defense can help protect your endpoints, whether they are in the office or remote.
What is Next Generation Protection?
Next Generation Protection is a core part of Microsoft’s Defender for Endpoint platform. This feature is focused on preventing malware, viruses, ransomware, and other types of attacks from infiltrating your systems. It builds on traditional antivirus software but uses new techniques to counter the advanced threats that we face in today’s world. Next Generation Protection uses machine learning, AI, big data analytics, and other modern technologies to detect both known and unknown threats, helping to block attacks before they cause damage.
Next Generation Protection Engines
At the heart of Microsoft Defender for Endpoint are a set of engines that can detect and respond to modern threats. These engines each perform different roles and work together to power Microsoft’s response to these threats. Let’s take a brief look at these engines and explain their roles in stopping threats. First, we will analyze the engines running on the client, and then take a look at those running in the cloud.
Next Generation Client Protection Engines
- Machine Learning (ML) Engine – This is a set of ML models that can make decisions in milliseconds. These models analyze file types that are commonly used by attackers. For example, some attackers use Office macros, and there is a specific machine learning model designed to stop attacks from coming through these macros.
- Behavior Monitoring Engine – This engine is designed to look for attacks after they have been executed. Once an attack begins, unusual behaviors will often occur. This engine looks at the behavior of system processes and can identify and block activities that aren’t “following the rules.”
- Memory Scanning Engine – This engine focuses on process memory and runs a scan designed to find malicious code that is hidden on disk through code obfuscation. Code obfuscation is a technique in which malware authors deliberately make their code convoluted and unreadable to a human, so that it evades static inspection; once that code is unpacked in memory to run, the memory scanning engine can find the threat it was concealing.
- AMSI Integration Engine – AMSI (Antimalware Scan Interface) is the Windows interface through which applications such as PowerShell and other script hosts hand content to the installed antimalware product for scanning at run time. This integration engine allows Defender to receive script content through AMSI after it has been de-obfuscated by the script host, so it can detect malware that code obfuscation would otherwise hide and stop client-side scripts that could launch dangerous malware.
- Heuristics Engine – This engine looks for patterns rather than signatures. Often, files that aren’t detected by signature-based methods share many of the same malicious characteristics as known threats. The heuristics engine detects these patterns and helps Defender catch new threats.
- Emulation Engine – This engine creates an emulation environment that allows Defender to “unpack” malware and see what would happen if it were executed. This is a powerful tool that can expose the behavior of malware or suspected malware.
- Network Engine – This engine monitors suspicious network activity based on network events occurring on the client.
Next Generation Cloud Protection Engines
Now that we’ve covered the engines running on the client, let’s examine the engines that operate in the cloud.
- Metadata-Based ML Engine – This engine has several models that analyze files sent by clients. Essentially, if a client cannot determine whether a file is suspicious, this more powerful cloud engine can use metadata to analyze the file and determine whether to allow or block it. Despite being sent to the cloud, this process takes only milliseconds!
- Behavior-Based ML Engine – If a suspicious behavior sequence begins, this engine can monitor the entire sequence of events in real time. This can happen throughout the attack chain, not just at the beginning. For instance, if an initial behavior is missed but later an elevation attack is detected, this engine can start monitoring and block it if it’s determined to be an attack.
- AMSI-Paired ML Engine – In addition to the AMSI integration engine on the client side, this cloud-based engine is more powerful and can perform advanced analysis of scripting behavior to catch more sophisticated threats.
- File Classification ML Engine – This engine can analyze files in much greater detail than the client-side engines. It examines the full contents of a file. If a file is flagged as suspicious, Defender will stop it from running and send it to this engine to determine if it is safe. This deep analysis takes only seconds, after which the file is classified as either safe or unsafe, and the client is informed whether to allow or block it.
- Detonation-Based ML Engine – This powerful engine can fully detonate a file or virus in a sandbox environment. The detonation process observes the file’s behavior, learns about the attack, and blocks it from executing on the client.
- Reputation ML Engine – This engine integrates with Microsoft’s intelligence and telemetry from around the world to analyze suspicious URLs, emails, files, and domains. If a particular domain is causing problems in multiple places, this engine coordinates with Defender, quickly recognizes an ongoing threat, and restricts that domain from causing further issues.
- Smart Rules Engine – This engine allows security experts to create and continually update rules based on research and collective knowledge. New rules can be created and instantly deployed in Defender to provide another layer of adaptive protection.
All of these engines work together to make Defender for Endpoint a powerful tool that can stop threats in their tracks. If the client-side engines do not stop a threat, they send suspicious files to the cloud, where further analysis can stop them. These engines and models are continually updated, and new ones can be added on the fly to keep organizations secure.
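To verify that the client-side engines described above are actually active and that the client is allowed to send samples to the cloud engines, here is an added PowerShell check (not code from this article or from Microsoft). It assumes the built-in Defender module's Get-MpComputerStatus and Get-MpPreference cmdlets and an elevated session on a Windows client.

```powershell
# Added example: audit the Next Generation Protection settings that back the
# engines discussed in the article. Assumes the built-in Defender module.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Each entry maps an engine or feature from the article to the setting that enables it.
# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all.
$checks = @(
    @{ Name = 'Antimalware service running';        Ok = [bool]$status.AMServiceEnabled }
    @{ Name = 'Real-time protection (ML/heuristics)'; Ok = [bool]$status.RealTimeProtectionEnabled }
    @{ Name = 'Behavior monitoring engine';          Ok = [bool]$status.BehaviorMonitorEnabled }
    @{ Name = 'AMSI script scanning';                Ok = -not $pref.DisableScriptScanning }
    @{ Name = 'Cloud-delivered protection (MAPS)';   Ok = ($pref.MAPSReporting -ne 0) }
    @{ Name = 'Sample submission to cloud engines';  Ok = ($pref.SubmitSamplesConsent -ne 2) }
    @{ Name = 'Block at first sight';                Ok = -not $pref.DisableBlockAtFirstSeen }
    @{ Name = 'Signatures updated within 2 days';    Ok = ($status.AntivirusSignatureAge -le 2) }
)

$failed = 0
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK  ' } else { $failed++; 'FAIL' }
    Write-Output ("[{0}] {1}" -f $state, $c.Name)
}

# Report the cloud settings that control how aggressively and how long the
# client waits on the cloud engines before allowing an unknown file to run.
Write-Output ("CloudBlockLevel      : {0}" -f $pref.CloudBlockLevel)
Write-Output ("CloudExtendedTimeout : {0} s" -f $pref.CloudExtendedTimeout)
Write-Output ("Signature version    : {0}" -f $status.AntivirusSignatureVersion)

if ($failed -gt 0) {
    Write-Warning ("{0} Next Generation Protection setting(s) are not in the expected state." -f $failed)
}
```

A FAIL on cloud-delivered protection or sample submission means the client-side engines cannot escalate unknown files to the cloud engines, so the layered flow described above is broken on that endpoint.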
Next, let’s look at another feature of Defender for Endpoint: Defender’s Endpoint Detection & Response (EDR) capabilities.