[Diagram: layers labelled MANAGEMENT, ANTIMALWARE and PLATFORM. Legend: Available only in Windows 8.]
Components shown: Microsoft Malware Protection Center; Dynamic Signature Svc; Endpoint Protection Management; Software Updates + SCUP; Operating System Deployment; Settings Management; Antimalware; Dynamic Translation; Behavior Monitoring; Software Distribution; Vulnerability Shielding; Windows Defender Offline; Internet Explorer; BitLocker; AppLocker; Address Space Layout Randomization; Data Execution Prevention; User Access Control; Secure Boot through UEFI; Windows Resource Protection; Measured Boot; Early Launch Antimalware (ELAM); MDM; Software Updates; ELAM & Measured Boot; Cloud clean restore.

Simplified Administration
Single administrator experience for simplified endpoint protection and management
• Real time Endpoint Protection operations from console
• Simplified, 3X delivery of definitions through software updates
• Malware-driven operations from the console
• Client-side merge of antimalware policies
• Integrated optimizations for Windows Embedded clients
• New and improved Endpoint Protection client

[Diagram: PRIMARY SITE; Hierarchy (Forest1); Hierarchy (Forest2); Client; Client; Software Update Point 1; Software Update Point 2; Software Update Point 3; Software Update Point 4; Client.Forest1; Client.Forest2]

Enhanced Protection
Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
• Common antimalware platform across Microsoft AM clients
• Proactive protection against known and unknown threats
• Reduced complexity while protecting clients
• Integration with UEFI Trusted Boot, early-launch antimalware

Windows 7
Boot sequence: BIOS -> OS Loader (Malware) -> 3rd Party Drivers (Malware) -> Anti-Malware Software Start -> Windows Logon
• Malware is able to boot before Windows and Anti-malware
• Malware able to hide and remain undetected
• Systems can be compromised before AM starts

Windows 8
Boot sequence: Native UEFI -> Windows 8 OS Loader -> Anti-Malware Software Start -> 3rd Party Drivers -> Windows Logon
• Secure Boot loads Anti-Malware early in the boot process
• Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd party boot drivers
• Malware can no longer bypass AM inspection

Windows 7
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned

Windows 8
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when TPM is present. BitLocker not required

Simple interface
• Minimal, high-level user interactions

Administrative Control
• User configurability options
• Central policy enforcement
• UI Lockdown and disable

Maintains high productivity
• CPU throttling during scans
• Faster scans through advanced caching
• Minimal network and client impact of definition updates