Microsoft Adds New Feature to Defender ATP to Block Malicious Behavior


Microsoft introduced this week a new feature in Advanced Threat Protection (ATP) for Windows Defender designed to detect and block malicious behavior.

Named “Endpoint Detection and Response (EDR) in block mode,” the capability is intended to provide post-breach blocking of malware and other malicious behaviors, taking advantage of built-in machine learning models from Microsoft Defender ATP, Microsoft says.

EDR in block mode detects threats through behavioral analysis, providing real-time protection for organizations even after a threat has already executed. It aims to help businesses respond faster to threats, thwart cyber-attacks and maintain a defensive posture.

In block mode, EDR terminates processes associated with malicious behaviors or artifacts to stop the attack. Reports of these blocks are displayed in Microsoft Defender Security Center to notify security teams and allow further analysis, as well as the detection and removal of similar threats.

EDR in block mode, now available in public preview, has already proven successful in halting cyber-attacks. The capability blocked a NanoCore RAT attack in April, says the tech giant, which began with a spear-phishing email carrying an attached Excel document that contained a malicious macro.

Microsoft customers who have already turned on Microsoft Defender Security Center preview features can enable EDR in block mode by heading to Settings > Advanced features.

The tech giant invites clients who test EDR in block mode to provide feedback on their experience with Microsoft Defender’s behavioral blocking and containment capabilities.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.