Recently I had a chance to work for a customer who has been using ESET PROTECT antivirus. The customer, however, plans to move away from the current antivirus solution and gradually onboard all devices into Microsoft Defender for Endpoint [MDE]. Before this can happen, the existing ESET settings and configuration must be reviewed and compared against the target solution, to ensure that rules, conditions and exceptions can be put in place in MDE and that MDE can take over the functionality. The exercise focuses on the ESET PROTECT configuration currently in place, not on all the features available.
Although both products support multiple platforms, including Windows, macOS, Linux, iOS and Android, this article focuses on the features available on Windows. Capabilities on non-Windows platforms may differ.
Microsoft Defender for Endpoint is part of the Microsoft 365 Defender suite of products (since renamed Microsoft Defender XDR). A small peek at the suite components is shown in the picture.
Defender for Servers is a separate offering, a plan within Microsoft Defender for Cloud, dedicated to Windows and Linux servers hosted on Microsoft Azure, Amazon Web Services [AWS], Google Cloud Platform [GCP] or on-premises; it includes MDE for those servers.
MDE comes in two licensing plans, Plan 1 and Plan 2, and includes the following features [the list is not complete]:
Before proceeding with the comparison of the two platforms, let's quickly run through the initial steps required to onboard a device into Microsoft Defender for Endpoint. These steps register the device with the service so that it shows up in the portal and can receive policies [for detailed steps on MDE configuration, onboarding devices, setting up roles and permissions, licences, etc., please refer to the official Microsoft documentation].
To onboard a device, navigate to Microsoft Defender portal -> Settings -> Endpoints -> Device management -> Onboarding. The onboarding process is well described on the portal page and in the online documentation, and is additionally covered by Microsoft video material. It basically comes down to selecting the operating system and deployment method, downloading the package, and deploying it to the target group of devices. Further down the page there is also a detection test script that can be run on a device after the onboarding package has been deployed, to verify that the device is onboarded and reports to the service.
To let Intune manage security settings on MDE-onboarded devices, the two services must be connected on both sides. First, in the Microsoft Defender portal, go to Settings -> Endpoints -> Advanced features and turn on "Microsoft Intune connection".
Second, the Defender for Endpoint connection needs to be turned on in the Intune admin center. Navigate to Endpoint security -> Microsoft Defender for Endpoint and turn on "Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations".
It is also worth mentioning the MDE Client Analyzer, a tool Microsoft provides for download. It runs a series of connectivity and configuration tests on the device and presents a detailed report at the end.
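For quick spot checks between the portal's onboarding status and a full Client Analyzer run, the following added example (my own script, not from the original post or from Microsoft) reads the local onboarding state of a Windows endpoint. It assumes a supported Windows build with the Sense service present and an elevated PowerShell session; the function name `Get-MdeOnboardingState` and the output layout are my own. It also reports the Defender Antivirus running mode, which matters during a migration: while ESET is still installed, Defender AV normally drops to passive mode, and policies that depend on the AV engine (ASR rules among them) are not enforced until the third-party product is removed.

```powershell
# Added example, not from the original post: local MDE onboarding check for
# one Windows endpoint. Run in an elevated PowerShell session on the device.
# Assumptions: supported Windows build with the Sense service present;
# the function name and the output layout are my own.

function Get-MdeOnboardingState {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{}

    # The Sense service is the MDE sensor; it should exist and be Running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { [string]$sense.Status } else { 'not installed' }

    # The onboarding package writes OnboardingState = 1 under the Status key.
    # OrgId (when present) identifies the tenant the device was bound to,
    # which matters when a test and a production tenant are both in play.
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $result.OnboardingState = if ($status) { $status.OnboardingState } else { 'not set' }
    $result.OrgId           = if ($status -and $status.OrgId) { $status.OrgId } else { 'not set' }

    # MDE relies on the built-in Defender Antivirus engine. With another AV
    # installed, Defender AV runs in passive mode on Windows clients and
    # AV-dependent policies such as ASR rules are then not enforced.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.AMRunningMode        = $mp.AMRunningMode          # 'Normal' = active
        $result.RealTimeProtection   = $mp.RealTimeProtectionEnabled
        $result.TamperProtection     = $mp.IsTamperProtected
        $result.SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
    }

    # Verdict: onboarded only if the sensor runs and the state flag is set.
    $result.Onboarded = ($result.SenseService -eq 'Running') -and ($result.OnboardingState -eq 1)
    return [pscustomobject]$result
}

$state = Get-MdeOnboardingState
$state | Format-List

if (-not $state.Onboarded) {
    Write-Warning 'Device is not onboarded to MDE (or the Sense service is not running).'
    exit 1
}
if ($state.AMRunningMode -and $state.AMRunningMode -ne 'Normal') {
    Write-Warning "Defender AV is in '$($state.AMRunningMode)' mode; AV-dependent MDE policies (e.g. ASR rules) will not apply until the other antivirus is removed."
}
```

The script exits with code 1 when the device is not onboarded, so it can be pushed through a management tool and the exit codes collected across a pilot group; the passive-mode warning is the one to watch during the period when ESET and MDE overlap on the same machines.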
Before enforcing the desired settings on target computers, consider deploying the policies in audit mode first. In the example below, the Attack Surface Reduction (ASR) rules are set to audit mode: the rules are not enforced on the device, and would-be blocks are only recorded in Event Viewer (Microsoft-Windows-Windows Defender/Operational log, event ID 1122).
The same set of policies can be deployed using on-premises Group Policy Objects, under Computer Configuration / Administrative Templates / Windows Components / Windows Defender Antivirus / Windows Defender Exploit Guard / Attack Surface Reduction (in newer ADMX templates the folders are named Microsoft Defender Antivirus and Microsoft Defender Exploit Guard). For more information on ASR, please refer to the official Microsoft documentation.
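Intune profiles and GPOs are the right way to roll ASR rules out, but on a single pilot device it is handy to configure audit mode locally and read the resulting events back, which is what the following added example does (my own script, not from the original post or from Microsoft). It goes one step beyond the text by summarising the audit events per rule and process, which is the input for the exclusions you will need before switching the rules to Block. It assumes Defender AV is the active engine (not passive beside ESET), an elevated session, and that the two GUIDs are Microsoft's published rule IDs for the rules named next to them (verify them against the current ASR rules reference before use); the 7-day window is my own choice.

```powershell
# Added example, not from the original post: put two ASR rules into audit
# mode on a pilot device, read back the effective state, then summarise the
# audit events so exceptions can be designed before the rules are enforced.
# Assumptions: Defender AV active (not passive); elevated session; the GUIDs
# are Microsoft's published rule IDs (verify against the ASR reference).

$rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# Add-MpPreference merges with rules already configured; Set-MpPreference
# would replace the whole list, which is rarely what you want on a device
# that also receives Intune or GPO policy.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Read back the effective state. Get-MpPreference returns the actions as
# numbers (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn), paired by index
# with the rule IDs.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
$configured = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = [string]$pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        RuleId = $id
        Name   = if ($rules[$id]) { $rules[$id] } else { '(rule set elsewhere)' }
        Action = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
}
$configured | Format-Table -AutoSize

# Audit hits are written to the Defender operational log as event ID 1122
# (1121 is the block event once a rule is enforced). The EventData fields
# are named (ID = rule GUID, Path = target, Process Name = initiating process).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ruleId = [string]$data['ID']
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Rule    = if ($rules[$ruleId]) { $rules[$ruleId] } else { $ruleId }
        Process = $data['Process Name']
        Target  = $data['Path']
    }
}

# One line per rule/process pair, most frequent first: each line is either a
# candidate exclusion or a finding to discuss with the application owner.
$hits | Group-Object Rule, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it after a few days of normal use on the pilot machines; an empty summary means the rule can be switched to Block without exclusions, while a noisy pair (for example a line-of-business add-in spawning processes from Office) is what ends up as an ASR exclusion or a per-rule exception in the MDE policy.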
With the onboarding process briefly described, the next step is to compare the current ESET PROTECT configuration with the equivalent settings in Microsoft Defender for Endpoint.
The ESET PROTECT management console is web-based. After signing in, navigate to Policies and select the policy that configures settings for managed Windows endpoints, in this case "ESET Windows security".
The policies are grouped into five sections.
Now let's take a closer look at the current configuration in the ESET PROTECT portal and attempt to locate the same setting [where available] or a similar one in the Microsoft Defender portal. The comparison is presented below as a table, with ESET on the left, MDE in the middle, and a comment on the right. For each ESET setting and its Microsoft 'equivalent', the location/path in the respective console is also given.
So, having compared both products with emphasis on the ESET PROTECT configuration currently in the customer's environment, and checked it against the settings which will take over the functionality on the MDE side, I could conclude that the migration can go ahead. Configuring MDE may require a bit more effort, as the configuration is divided into designated profiles which have to be configured separately. In the end, however, the policies apply, the devices are protected, and devices protected by MDE report no issues.
There are of course many more settings available on both platforms, should we want to compare them all. However, in this case the setup on the ESET side was not that sophisticated, hence the effort to migrate the settings and apply additional ones following Microsoft's best practices was not that challenging 😊