Microsoft is bringing its Windows Defender anti-malware application to macOS—and more platforms in the future—as it expands the reach of its Defender Advanced Threat Protection (ATP) platform. To reflect the new cross-platform nature, the suite is also being renamed to Microsoft Defender ATP, with the individual clients being labelled “for Mac” or “for Windows.”
macOS malware is still something of a rarity, but it’s not completely unheard of. Ransomware for the platform was found in 2016, and in-the-wild outbreaks of other malicious software continue to be found. Apple has integrated some malware protection into macOS, but we’ve heard from developers on the platform that Mac users aren’t always very good at keeping their systems on the latest point release. This situation is particularly acute in corporate environments; while Windows has a range of tools to ensure that systems are kept up-to-date and alert administrators if they fall behind, a similar ecosystem hasn’t been developed for macOS.
One would hope that Defender for Mac will also trap Windows malware to prevent Mac users from spreading malware to their Windows colleagues.
The initial preview of Defender for Mac will focus on signature-based malware detection. This is just the start, however. Defender ATP for Windows tracks various system behaviors and reports them to the ATP cloud service, which can be used to detect threats even without identifying any specific piece of malware. For example, if a system is iteratively opening and overwriting all its documents, there’s a good chance that it’s running some kind of ransomware process that’s systematically encrypting the user’s files. ATP can alert administrators that this is happening. The Mac client should over time grow to include similar reporting capabilities. Microsoft is also integrating it into other cloud services, such as Intune device management.
Those cloud services are growing ever more capable, too. Microsoft’s system-management software can already report on systems that are using insecure configurations or running out-of-date software, but Defender ATP’s new Threat & Vulnerability Management will expand this. The various risk factors will be prioritized according to the current threat landscape—for example, updating systems running insecure software versions becomes more pressing if there’s active exploitation in the wild—so that administrators can focus on the software updates and configuration changes that offer the most bang for their buck in terms of improving their exposure to risks.
Further, TVM will integrate with Intune and System Center Configuration Manager to push the recommended fixes to machines that need them. TVM can then track the progress of these remediation activities as they’re rolled out.
Microsoft hasn’t said explicitly which other platforms will be Defender’s next targets. However, its video promotion for Defender for Mac sports a surprising number of penguins, making Linux a likely candidate.
