The New Security Features in Windows Creators Update and Their Impact on Ransomware Protection
There are multiple resources online that discuss the new features in the Windows Creators Update to various degrees of detail. Some of them focus on the security piece, a significant update from the previous version. We are going to focus on how the new security features help combat ransomware, one of the goals of our products as well.
There are three major areas of interest when it comes to malware, and ransomware in particular: improvements to Microsoft Edge for a reduced attack surface, improvements to Windows Defender for enhanced detection and control, and, last but not least, greater visibility into security threats together with improved reaction capabilities.
Reduced attack surface with Microsoft Edge security features
Many attacks come through the browser, and browsers are complex applications that need to serve different kinds of potentially dangerous content, so enhancing the security of Microsoft Edge with an important Windows update is always a priority. Microsoft Edge uses application containers to isolate various content types, particularly internet content from intranet content. Flash Player is a frequent target for attackers seeking to exploit vulnerabilities and a sensitive component that requires constant maintenance. With the Creators Update, Flash Player was moved to its own application container for better control and a reduced attack surface area for Flash-based vulnerability exploits. The application containers also now run with reduced privileges, which exposes less code and leaves a smaller attack surface for web attacks.
An important technology upgrade to Windows Defender
Far more than a simple UI enhancement to group the existing Windows security features, the new Windows Defender Security Center takes a major step forward in the detection and control of threats of all kinds.
Previously, only files, network traffic and behavioral patterns were scanned. The Windows Defender Advanced Threat Protection (ATP) detection technology has now been enhanced with sensors that detect kernel-level and memory-level attacks that previously went undetected, significantly improving performance against zero-day threats.
The information is aggregated into an improved interface within the new Security Center, where it can be combined with information from other sources to allow security alerts to be tracked and acted upon. This update introduces new reactions such as isolating machines, killing and cleaning processes, and quarantining files with a single click.
Web browsing became safer with the introduction of Windows Defender Application Guard. This technology uses Hyper-V virtualization to run Microsoft Edge in a sandbox environment (a new Windows instance at the hardware level) whenever the browser loads an untrusted website. This feature protects the primary operating system from browser-based exploits.
How the improvements help against ransomware
Although there is no specific anti-ransomware functionality added with the Windows Creators Update, the new security features help further reduce the risk of ransomware infections, to a level comparable with the protection offered by seasoned anti-virus engines.
The Edge browser enhancements decrease the risk of getting ransomware from the web, but we need to keep in mind that the largest ransomware infection vector is e-mail.
The Windows Defender detection enhancements allow better performance against malware in general, especially when it comes to identifying obfuscation techniques and infection patterns. This feature does not improve detection of the actual ransomware payloads, but it may help to block such payloads, and then only because they are packed and deployed in ways that trigger these sensors.
Do you need even more protection?
For best protection, we recommend using employee awareness training to further reduce the risk of a ransomware infection as well as specialized anti-ransomware technology to augment the new capabilities of Windows Defender or those of other generic antivirus tools. TEMASOFT develops advanced anti-ransomware software that detects and blocks most present and future ransomware and allows file recovery if successful attacks occur. TEMASOFT Ranstop focuses on the malicious behavior of ransomware to identify and stop it, making an excellent companion for Windows Defender and other antivirus engines by significantly improving the protection, especially against zero-day and targeted ransomware.
References: https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/