(Platform diagram, reconstructed as lists; the original column layout is not recoverable.)

MANAGEMENT (Configuration Manager features)
• Endpoint Protection Management
• Software Updates + SCUP
• Operating System Deployment
• Settings Management
• Software Distribution

ANTIMALWARE PLATFORM
• Microsoft Malware Protection Center
• Dynamic Signature Service (available only in Windows 8)
• Antimalware
• Dynamic Translation
• Behavior Monitoring
• Vulnerability Shielding
• Windows Defender Offline

Windows security features shown on the slide
• Internet Explorer
• BitLocker
• AppLocker
• Address Space Layout Randomization
• Data Execution Prevention
• User Account Control
• Secure Boot through UEFI
• Windows Resource Protection
• Measured Boot
• Early Launch Antimalware (ELAM)

Also shown: MDM, Software Updates, ELAM & Measured Boot, Cloud clean restore
Real-time Endpoint Protection operations from the console

Simplified Administration
• Single administrator experience for simplified endpoint protection and management
• Simplified, 3x delivery of definitions through software updates
• Malware-driven operations from the console
• Client-side merge of antimalware policies
• Integrated optimizations for Windows Embedded clients
• New and improved Endpoint Protection client
(Diagram) PRIMARY SITE serving two hierarchies, Hierarchy (Forest1) and Hierarchy (Forest2), each with its own clients (Client.Forest1, Client.Forest2); definition updates are delivered through Software Update Point 1, Software Update Point 2, Software Update Point 3 and Software Update Point 4.
• Common antimalware platform across Microsoft AM clients
• Proactive protection against known and unknown threats
• Reduced complexity while protecting clients

Enhanced Protection
• Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
• Integration with UEFI Trusted Boot, early-launch antimalware
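The three inspection levels above (behavior monitoring, application/file real-time protection, and network inspection) are separate switches on the SCEP 2012 client, and the slide's "known threats" coverage is only as good as the definition age. The function below, an added example and not code from this deck or from Microsoft, reads the client's own health class and reports which layers are actually on. It assumes the root\Microsoft\SecurityClient WMI namespace and the AntimalwareHealthStatus class and property names as exposed by the SCEP 2012 client, and Windows PowerShell 3.0 or later; verify the names on your build before relying on them.

```powershell
# Added example (not from the slide deck): confirm the SCEP 2012 client's protection
# layers are enabled and its definitions are current, using the client's own WMI class.
# Assumption: root\Microsoft\SecurityClient\AntimalwareHealthStatus and the property
# names below match the installed SCEP 2012 build. Requires Windows PowerShell 3.0+.
function Test-ScepProtectionState {
    [CmdletBinding()]
    param(
        # Definitions older than this many days are reported as stale.
        [int]$MaxSignatureAgeDays = 3
    )

    $hs = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                        -Class AntimalwareHealthStatus -ErrorAction Stop

    # One entry per inspection layer the slide lists, plus definition freshness.
    $checks = [ordered]@{
        'Real-time protection'        = [bool]$hs.RtpEnabled
        'On-access (file) protection' = [bool]$hs.OnAccessProtectionEnabled
        'Behavior monitoring'         = [bool]$hs.BehaviorMonitorEnabled
        'Network inspection (NIS)'    = [bool]$hs.NisEnabled
        'Definitions current'         = ([int]$hs.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        Engine            = $hs.EngineVersion
        DefinitionVersion = $hs.AntivirusSignatureVersion
        DefinitionAgeDays = $hs.AntivirusSignatureAge
        LastQuickScanDays = $hs.LastQuickScanAge
        Checks            = $checks
        Healthy           = ($failed.Count -eq 0)
        Failed            = $failed
    }
}

# Usage: run on a managed client; a non-empty Failed list names the layer that is off or stale.
Test-ScepProtectionState | Format-List
```

The same class is what Configuration Manager's Endpoint Protection status reports are built from, so a client that fails here will show as non-compliant in the console once its next status message arrives; running the check locally is how you find out before that.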
(Diagram) Endpoint Protection client components and data flows: Diagnostics and Recovery Toolkit; Windows Defender Offline; Updates (engine and definitions); Policy, Status and Events exchanged with ConfigMgr; Samples, Telemetry and DSS (Dynamic Signature Service) exchanged with the cloud service.
Windows 7 (BIOS): BIOS → OS Loader (Malware) → 3rd Party Drivers (Malware) → Anti-Malware Software Start → Windows Logon
• Malware is able to boot before Windows and anti-malware
• Malware is able to hide and remain undetected
• Systems can be compromised before AM starts

Windows 8 (native UEFI): UEFI → Windows 8 OS Loader → Anti-Malware Software Start → 3rd Party Drivers → Windows Logon
• Secure Boot verifies the firmware-to-OS-loader chain, so the loader that starts anti-malware is itself trusted
• Early Launch Anti-Malware (ELAM) driver is specially signed by Microsoft and is the first driver the kernel initializes
• Windows starts AM software before any 3rd party boot drivers
• Boot-start malware can no longer load ahead of AM inspection
• Caveat: ELAM classifies boot-start drivers only; the firmware and loader are protected by Secure Boot, not by ELAM, and a policy that allows all drivers to load removes the benefit
Windows 7
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned

Windows 8
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when a TPM is present; BitLocker not required
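The two slides above describe four separate things: a verified loader (Secure Boot), an early AM driver (ELAM), a hardware root of trust (TPM) and a record of what booted (Measured Boot logs). The function below, an added example and not code from this deck or from Microsoft, checks each on a Windows 8 client so you can tell which of the slide's protections is really in effect. It uses the SecureBoot and TrustedPlatformModule modules that ship with Windows 8, the registry value behind the "Boot-Start Driver Initialization Policy" Group Policy setting, and the Measured Boot log directory; run it in an elevated session.

```powershell
# Added example (not from the slide deck): report the boot-protection state the slides describe.
# Assumes Windows 8 or later with the SecureBoot and TrustedPlatformModule modules present
# and an elevated PowerShell session.
function Get-BootProtectionState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{}

    # UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS firmware,
    # which is the Windows 7-style boot path shown on the slide.
    try {
        $state.SecureBoot = Confirm-SecureBootUEFI
        $state.Firmware   = 'UEFI'
    } catch {
        $state.SecureBoot = $false
        $state.Firmware   = 'Legacy BIOS or Secure Boot unsupported'
    }

    # TPM: Measured Boot on Windows 8 needs only a TPM, not BitLocker.
    try {
        $tpm = Get-Tpm
        $state.TpmPresent = $tpm.TpmPresent
        $state.TpmReady   = $tpm.TpmReady
    } catch {
        $state.TpmPresent = $false
        $state.TpmReady   = $false
    }

    # ELAM policy: which boot-start driver classifications the kernel will initialize.
    # This is the backing value of the Group Policy "Boot-Start Driver Initialization Policy".
    $elamKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
    $policy  = (Get-ItemProperty -Path $elamKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $policy) { $policy = 3 }   # not configured: "Good, unknown and bad but critical"
    $state.ElamDriverLoadPolicy = switch ($policy) {
        0 { 'Good only' }
        1 { 'Good and unknown' }
        3 { 'Good, unknown and bad but critical (default)' }
        7 { 'All drivers (ELAM classification ignored)' }
        default { "Unrecognised value $policy" }
    }

    # Measured Boot evidence: the kernel writes a TCG event log here on each boot.
    $mbLog = Join-Path $env:windir 'Logs\MeasuredBoot'
    $state.MeasuredBootLogs = if (Test-Path $mbLog) { @(Get-ChildItem $mbLog -Filter *.log).Count } else { 0 }

    # Attestation-ready means: the loader chain was verified, a ready TPM holds the
    # measurements, and at least one boot has produced a log to attest with.
    $state.AttestationReady = ($state.SecureBoot -and $state.TpmReady -and $state.MeasuredBootLogs -gt 0)

    [pscustomobject]$state
}

Get-BootProtectionState | Format-List
```

A machine that reports Firmware = 'Legacy BIOS' has the Windows 7 boot sequence from the slide regardless of which Windows it runs, and a DriverLoadPolicy of 7 keeps the ELAM driver but lets every boot-start driver load anyway; both are worth catching before treating a client as protected.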
Simple interface
• Minimal, high-level user interactions

Administrative Control
• User configurability options
• Central policy enforcement
• UI lockdown and disable

Maintains high productivity
• CPU throttling during scans
• Faster scans through advanced caching
• Minimal network and client impact of definition updates
SCEP 2012 inside SCCM 2012