Microsoft Defender is now rolling out a new feature on Windows to help organizations act fast in dealing with malware.
Microsoft has introduced a new feature for Microsoft Defender for Endpoint (MDE). The capability helps organizations prevent malware and attackers from using compromised unmanaged devices to spread across the network.
The feature builds on MDE's next-generation protection, which is designed to identify and neutralize emerging threats, and further strengthens the security perimeter of an organization's network.
Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower security operation centers (SOCs) to identify and respond to threats quickly and accurately.
The new feature, called "Contain", gives network administrators the ability to contain unmanaged Windows devices on their networks when a system is being attacked by threat actors, for example through the deployment of destructive malware.
As reported by Bleeping Computer, once a device has been marked as contained, the enterprise endpoint security platform will direct all Windows systems connected to the network to block any communication to or from that device.
This can be extremely helpful in limiting damage, since it stops malware from spreading from one device to another. It also blocks threat actors from moving laterally onto unmanaged devices.
Unfortunately, the new MDE feature can only be used by organizations running Windows 10 or later on their devices. This means that even with Microsoft Defender installed, a device running an older version of Windows cannot enforce the block, and the risk of the infection spreading to other devices on the network remains.
According to Microsoft, "Only devices running on Windows 10 and above will perform the contain action, meaning that only devices running Windows 10 and above that are enrolled in Microsoft Defender for Endpoint will block 'contained' devices at this time."
Furthermore, users will be able to adaptively assess the security state of their internal network with the help of Microsoft Secure Score for Devices, a feature of Microsoft Defender for Endpoint. This allows users to identify unprotected systems and take the recommended actions to improve their organization's security posture.
How to contain compromised Windows devices
Administrators can take the following steps to contain a device that may have been compromised:
Navigate to the page labeled Device inventory, then choose the device users want to contain.
From the actions menu in the device flyout, click the option to Contain device.
In the popup for the contained device, enter a comment and then pick the Confirm button.
According to Microsoft, "It can take up to 5 minutes for the details about a newly contained device to reach Microsoft Defender for Endpoint onboarded devices."
If you see unexpected behavior on the network after containing a device, verify that the Base Filtering Engine (BFE) service is enabled and running on the Defender for Endpoint onboarded devices, since that service is what enforces the block.
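The BFE check above is easy to forget across a fleet. The following PowerShell script is an added example, not Microsoft's or the article's own code; it queries the BFE service on a constructed list of onboarded device names (assumed reachable over CIM/WinRM with administrator rights) and reports or repairs any device where the service is stopped or disabled.

```powershell
# Added example (not from Microsoft or the article): audit the Base Filtering
# Engine (BFE) service on Defender for Endpoint onboarded devices, since a
# device whose BFE service is stopped or disabled cannot block a "contained" peer.
# Assumes CIM/WinRM remoting is reachable and the caller has admin rights on targets.
$Devices = @('WKS-FINANCE-01', 'WKS-HR-02', 'SRV-FILE-01')   # constructed sample names

function Test-BfeService {
    param([string[]] $ComputerName)
    foreach ($Device in $ComputerName) {
        try {
            # Win32_Service exposes the live State and the configured StartMode.
            $Svc = Get-CimInstance -ClassName Win32_Service -ComputerName $Device `
                                   -Filter "Name='BFE'" -ErrorAction Stop
            [pscustomobject]@{
                Device    = $Device
                State     = $Svc.State
                StartMode = $Svc.StartMode
                Healthy   = ($Svc.State -eq 'Running' -and $Svc.StartMode -ne 'Disabled')
                Instance  = $Svc       # kept so we can remediate via CIM methods below
            }
        }
        catch {
            # Unreachable hosts are reported separately; they may simply be offline.
            [pscustomobject]@{ Device = $Device; State = 'Unreachable'
                               StartMode = $null; Healthy = $false; Instance = $null }
        }
    }
}

$Results = Test-BfeService -ComputerName $Devices
$Results | Select-Object Device, State, StartMode, Healthy | Format-Table -AutoSize

# Remediate: set BFE back to automatic start and start it where it is not healthy.
foreach ($Bad in ($Results | Where-Object { -not $_.Healthy -and $_.Instance })) {
    Write-Warning "BFE not enforcing on $($Bad.Device): State=$($Bad.State) StartMode=$($Bad.StartMode)"
    Invoke-CimMethod -InputObject $Bad.Instance -MethodName ChangeStartMode `
                     -Arguments @{ StartMode = 'Automatic' } | Out-Null
    Invoke-CimMethod -InputObject $Bad.Instance -MethodName StartService | Out-Null
}
```

Run it before relying on containment during an incident, and again after the containment action, so that any device silently failing to enforce the block shows up in the table.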
Furthermore, if users want to stop containing a device, they can undo the action at any time:
Choose the device from the list of devices in the inventory, or open the page for the device.
From the action menu, choose the option to Release from containment. The network connection of this device will be restored once this step is performed.