The change to a key setting is designed to limit the damage that an infection can cause in an enterprise setting.
Microsoft is enhancing security for users of Microsoft Defender for Endpoint by changing a key setting in the software. Specifically, they are switching the default setting from optional automatic malware fixes to fully automatic remediation.
Israel Cohen-Pavon of Microsoft announced the new change in a blog post this week.
“We are excited to announce that we are about to increase our customers’ protection by upgrading the default automation level of our Microsoft Defender for Endpoint customers who have opted into public previews from Semi – require approval for any remediation to Full – remediate threats automatically,” he wrote.
How it works
When Microsoft Defender for Endpoint raises an alert, an automated investigation immediately starts running on the machine where it has detected the suspicious activity, Cohen-Pavon explains.
The investigation begins with an analysis of the malicious entities that are part of the alert and continues with collection and examination of other entities associated with it. The automated investigation then inspects files, processes, services, registry keys, and any area that may contain threat-related evidence.
Automated investigations result in a list of related entities found on a device and their verdicts. The verdicts could be either “malicious”, “suspicious”, or “clean”.
For any malicious entity, the investigation will create a remediation action. Once the admin approves it, this action will remove or contain a malicious entity that it found in the investigation.
Microsoft Defender for Endpoint defines, manages and executes these actions without the security operations team having to remotely connect to the device, Cohen-Pavon confirms.
Why make the change?
When Microsoft first introduced automated investigation and remediation capabilities, they set the default automation level to “semi – require approval for any remediation.”
However, Microsoft says that data collected and analysed over the past year shows that organizations who are using full automation have had 40% more high-confidence malware samples removed than customers using lower levels of automation.
For that reason, starting February 16, 2021, Microsoft will automatically upgrade tenants who have opted in for public previews in the Microsoft Defender for Endpoint to the new default automation level (i.e., Full-remediate threats automatically).