New trick will help Microsoft Defender for Endpoint stop malware in its tracks

One thing most malware needs to do is seek further instructions from its command and control (C2) server. By capturing this traffic before any information is exchanged, Microsoft hopes to prevent many attacks.

The company recently added a new feature to its Microsoft Defender for Endpoint (MDE) security platform that notifies administrators when malicious connections are made. It is able to terminate the connection and log the details for further evaluation.

According to BleepingComputer, the new feature is currently in public preview.

Early detection

When the new feature is enabled, Defender for Endpoint’s Network Protection (NP) agent will map IP addresses, ports, hostnames, and other data for all outbound connections, as well as data from the Microsoft cloud. If it finds a connection that the company’s artificial intelligence scoring engine deems malicious, the tool blocks it and rolls back the malware binary to prevent further damage.

It will then add a log stating “Network protection blocked a potential C2 connection” which the SecOps team can evaluate later.

“SecOps teams need precise alerts that can accurately define attacked areas and previous connections to known malicious IPs,” said MDE Senior Program Manager Oludele Ogunrinde.

“With new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks early in the attack chain, minimize propagation by quickly blocking any further attack propagation, and easily remove malicious binaries needed to time to reduce remission.”

To use the new features, users need to activate Microsoft Defender Antivirus with real-time protection and cloud-delivered protection. Additionally, they require MDE in active mode, network protection in blocking mode, and engine version 1.1.17300.4.
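The prerequisites above can be verified on a single host before enabling the preview. The following readiness check is an added example, not Microsoft's own code; it assumes the built-in Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`) and is run from an elevated PowerShell session.

```powershell
# Added readiness check (not Microsoft's code): confirms the prerequisites the article
# lists for the C2 network-protection preview on the local Windows host.
$RequiredEngine = [version]'1.1.17300.4'   # minimum engine version quoted in the article

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Each check maps a prerequisite from the article to the Defender setting that reports it.
$checks = [ordered]@{
    'Real-time protection enabled'       = $status.RealTimeProtectionEnabled
    'Cloud-delivered protection (MAPS)'  = ($pref.MAPSReporting -ne 0)          # 0 = Disabled, 1 = Basic, 2 = Advanced
    'Network protection in block mode'   = ($pref.EnableNetworkProtection -eq 1) # 0 = Disabled, 1 = Block, 2 = Audit
    'Defender AV in active (not passive) mode' = ($status.AMRunningMode -eq 'Normal')
    "Engine version >= $RequiredEngine"  = ([version]$status.AMEngineVersion -ge $RequiredEngine)
}

$ready = $true
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $ready = $false }
    '{0,-42} {1}' -f $name, $(if ($ok) { 'OK' } else { 'MISSING' })
}

if ($ready) {
    'Host meets the preview prerequisites listed in the article.'
} else {
    # Remediation hints for the two settings that are purely local preferences; the
    # engine version comes from platform updates and active mode from MDE onboarding.
    Write-Warning 'One or more prerequisites are missing. Network protection can be set to block mode with:'
    Write-Warning '  Set-MpPreference -EnableNetworkProtection Enabled'
    Write-Warning 'Cloud-delivered protection can be turned on with:'
    Write-Warning '  Set-MpPreference -MAPSReporting Advanced'
}
```

The `AMRunningMode` value of `Normal` is what Defender reports when it is the active antivirus; any other value (such as passive mode) means MDE is not in the active mode the article requires.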

After the preview rollout is complete, the new features will be available on Windows 10 1709 and later, Windows Server 1803, and Windows Server 2019.
