Microsoft’s big Windows Defender ATP update: bad macros, fileless malware and faster response

Microsoft has released new feature updates to Windows Defender ATP for the enterprise, aimed at reducing the attack surface and giving security teams faster response capabilities.

The updates, detailed today, extend the Defender ATP "attack surface reduction" feature with two new rules that let enterprises prevent Outlook and Adobe Reader from creating child processes. That should blunt attacks that use malicious macros in Office documents to download malware, as well as exploits for vulnerabilities in Reader and Office, since both techniques typically rely on the compromised application spawning a downloader or script host.

The new additions bring the total number of attack surface reduction rules to 14. All of them target common malware techniques and help defenders mitigate ransomware, untrusted executables delivered by email, malware that attempts to steal credentials from lsass.exe (the Windows Local Security Authority Subsystem Service) and unsigned processes running from USB drives.
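The rules are switched on per device with the built-in Defender cmdlets, and a practitioner would normally run a new rule in audit mode before enforcing it, because a line-of-business add-in that legitimately spawns a child process from Outlook or Reader would otherwise be broken. The PowerShell below is an added example written for this page, not code from Microsoft or the article; the two rule GUIDs are the documented IDs for the Outlook and Adobe Reader child-process rules, but check them against Microsoft's current ASR rule reference before deploying, and the exclusion path is a hypothetical placeholder.

```powershell
# Added example (not from the article): roll out the two new ASR rules in
# audit mode, review what they would have blocked, then enforce.
# Rule GUIDs are Microsoft's documented IDs for these rules; verify before use.
$rules = @{
    'Block Office communication application from creating child processes' = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block Adobe Reader from creating child processes'                      = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
}

# 1. Audit mode: Defender logs event ID 1122 for each process creation the rule
#    would have blocked, without actually blocking it.
foreach ($id in $rules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Confirm the current rule state. The two arrays returned by Get-MpPreference
#    are parallel: Ids[i] is governed by Actions[i] (0 = Off, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} -> {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                    $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 3. After a soak period, review the audit hits (1122 = audited, 1121 = blocked)
#    in the Defender operational log to find legitimate workflows that need exclusions.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122
} -MaxEvents 50 | Format-List TimeCreated, Message

# 4. Exclude a known-good file from ASR rules only (hypothetical path), so the
#    rule can be enforced without disabling it entirely.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleVendor\OutlookHelper.exe'

# 5. Enforce: re-adding an existing rule ID with a new action updates its mode.
foreach ($id in $rules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
}
```

At fleet scale the same rule IDs and actions are pushed through Intune or the Group Policy setting under Windows Defender Exploit Guard, but the audit-then-block sequence is the same; the 1122 events are what tell you whether a rule is safe to enforce.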

Another update aims to help defenders during a security crisis, such as a fast-moving malware outbreak. The new emergency security intelligence updates can be issued by Microsoft's Windows Defender ATP research team to all cloud-connected devices in an enterprise.

It's a fast track to updates from Microsoft's Defender ATP cloud, which could take the heat off security admins who might otherwise wait hours for the same updates to propagate through their own internal Windows update infrastructure.