In 2009 Microsoft introduced the Enhanced Mitigation Experience Toolkit or EMET. This freeware tool allowed administrators to enable and fine-tune Windows security features in order to give further protection against malware. Microsoft will officially stop supporting the EMET tool on July 31, 2018 and recommends users upgrade to Windows 10. In lieu of EMET, Microsoft is introducing several new security tools in the Fall Creators Update.

One of the new tools is Windows Defender Exploit Guard which gives security administrators more control of how code is executed on machines. Attack Surface Reduction (ASR) smart rules allow for targeted blocking capabilities such as using rules that block Office files from executing macros that automatically download and execute Internet content. Microsoft also leverages EMET capabilities built into Windows to allow vulnerability mitigation on legacy applications without having to recompile them.
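As an added illustration (not part of the original article or Microsoft's own code), the PowerShell below stages one of the ASR rules described above, "Block Office applications from creating executable content", in audit mode first, shows how to confirm the setting and review the resulting Defender events, and only then enforces it. The rule GUID and the event IDs 1121/1122 are Microsoft's published values for the Defender Antivirus cmdlets and operational log; the audit-then-enforce sequence is this editor's suggested workflow.

```powershell
# Added example, not from the article: roll out an ASR rule in audit mode,
# review what it would have blocked, then switch it to Block.

# Microsoft's published rule ID for
# "Block Office applications from creating executable content".
$OfficeExecContentRule = '3B576869-A4EC-4529-8536-B80A7769E899'

# 1. Audit mode: Defender logs the action the rule would take without
#    interrupting users, which is the safest way to find false positives.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeExecContentRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm the rule is registered and what action it carries
#    (0 = Disabled, 1 = Block, 2 = Audit).
Get-MpPreference |
    Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference |
    Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

# 3. Review ASR events from the Defender operational log.
#    Event ID 1122 = rule fired in audit mode, 1121 = rule blocked an action.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. Once the audit events show no business-critical Office workflows
#    tripping the rule, enforce it.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeExecContentRule `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Run from an elevated PowerShell session on a Windows 10 build that includes Exploit Guard; the same three-step pattern (audit, review events, enforce) applies to any of the other ASR rule IDs.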

Microsoft is also aggregating security controls into a "single pane of glass" view that gives visibility into Windows endpoint security and allows security teams to react quickly to threats when they happen. Per Microsoft you can:

  • Get access to Windows Defender SmartScreen alerts and events that show if an employee within the company clicked on a specific URL despite receiving a warning message
  • See Windows Defender Antivirus detections and actions that took place and connections that got blocked by Windows Defender Firewall
  • View Device Guard events that have surfaced unauthorized applications that have been blocked but may still be present within the environment and then access blocked/audit information from Windows Defender Exploit Guard
  • Get access to events and alerts when Windows Defender Application Guard has successfully isolated and blocked attacks targeting the browser within the Windows Defender Application Guard container

The Fall Creators Update also expands Windows Defender Advanced Threat Protection (ATP), which is the cloud-based heuristic for detecting malware. Microsoft is updating the detection dictionary to include dynamic script-based attacks, network explorations, and keylogging alerts.

Even if malware breaks through, Windows Defender ATP gives visibility into the event for future investigation in the Windows Defender ATP console. Microsoft states that ATP will cover Windows Server 2012 R2 and 2016, while information on ATP availability on other platforms will be shared later this year.