Microsoft says it is stepping up security for users of Microsoft Defender for Endpoint by changing a key setting, switching the default from optional automatic malware fixes to fully automatic remediation.
The change means that when Microsoft Defender for Endpoint detects malware on PCs on a network, the antivirus will automatically start analyzing all threats that are related to the alert, poring over files, processes, services, registry keys and all other areas where a threat could reside.
"The result of an automated investigation started by an alert is a list of related entities found on a device and their verdicts (malicious, suspicious, or clean)," Microsoft explains in a blog post.
"For any malicious entity, the investigation will create a remediation action, an action that, when approved, will remove or contain a malicious entity that was found in the investigation. These actions are defined, managed, and executed by Microsoft Defender for Endpoint without the security operations team having to remotely connect to the device."
The actions taken depend on what level of device automation has been configured. Previously, Microsoft Defender for Endpoint customers that opted into public previews were put on "Semi", which required approval for any remediation. Soon, they'll be moved to the "Full" configuration, which allows for Windows 10 to remediate threats automatically.
With the setting at Semi, administrators might have more control, but as Microsoft points out, admins may lose valuable time to halt the malware from causing further damage, such as affecting other PCs.
Microsoft has made some improvements to its automated malware detection since first releasing it. First, it has boosted malware detection accuracy, so there should be fewer infections and false positives. Additionally, it now has better automated investigation capabilities.
"We have seen thousands of cases where organizations with fully automated tenants have successfully contained and remediated threats, while other companies, left with the default 'semi' level, have remained at high risk due to lengthy pending time for approval of actions," the blog warned.
According to Microsoft, customers using full automation have had "40% more high-confidence malware samples removed than customers using lower levels of automation."
This should leave security operations centers with more free time to deal with malware threats that require human intervention.
From February 16, 2021, Microsoft will automatically upgrade organizations that opted into public previews of Microsoft Defender for Endpoint to "Full - remediate threats automatically".