ESET Protect vs. Microsoft Defender for Endpoint (2024)

Recently I had a chance to work for a customer who has been using ESET PROTECT antivirus. The Customer however plans to move away from the current antivirus solution, and gradually onboard all the devices into Microsoft Defender for Endpoint [MDE]. Before this can happen, existing settings and configuration of ESET must be reviewed and compared against the target solution, to ensure that rules, conditions, and exceptions can be set in place in MDE, and that MDE can take over the functionality. The exercise will focus on the current ESET PROTECT configuration being in place, not all the features available.

Although both products support multiple platforms including Windows, macOS, iOS and Android, Linux, the article focuses on the features available on Windows platforms. Capabilities on non-Windows platforms may be different.

Let’s start with Microsoft Defender for Endpoint first.

Microsoft Defender for Endpoint is a part of Microsoft 365 Defender suite of products. A small peek of the suite components is shown in the picture.

Defender for Servers – this is a separate product dedicated for Windows or Linux servers, hosted either on Microsoft Azure, Amazon Web Services [AWS], Google Cloud Platform [GCP], or on-premises.

MDE comes with two licensing plans, and contains following features [although the list is not complete]:

• Plan 1 contains core capabilities like next-generation protection against threats, malware or ransomware, attack surface reduction [ASR], firewall & network protection, and a unified management web portal.
• Plan 2 builds on top of Plan 1, and additionally has full set of capabilities, amongst which you may find functions like Endpoint Detection and Response [EDR], Automated investigation and remediation, threat and vulnerability management, and more.
  Plan 2 also offers “Microsoft Defender Vulnerability Management” as an add-on, which further down extends the offered features.

See Also

Fortinet FortiGate Firewall | External Systems Configuration GuideHow to Open Port in Windows Firewall: Step-by-Step Guide[KB3327] Configure firewall profiles and zones in ESET Cyber Security ProVIDEO solution: Enable the Windows Firewall for the private network and enable "block all connections to apps that are not on the list of allowed apps." Please attach the screenshot below.

ESET PROTECT is a suite of products which offers multiple capabilities.

• Modern endpoint protection [web browser safeguard, network attack protection, sandbox, ransomware shield, exploit protection, UEFI scanner and more],
• Full disk encryption [system disks, partitions, entire drives encryption],
• Advanced threat defense [zero-day threat detection, mail security, proactive protection and more],
• Detection and response (XDR) [threat hunting, anomaly and behavior detection, company policy violation, root cause analysis, blocking zero-day threats, and more],
• Vulnerability and patch management [with automated or manual patching of supported app inventory],
• Cloud App Protection [Microsoft 365 and Google Workspace application protection against malware, spam, phishing attacks],
• Mail Security [offers functionalities like anti-spam, anti-phishing, anti-malware and more],
• Multi-Factor Authentication (MFA) [protection against weak passwords and unauthorized access],
• Managed Detection & Response (MDR) [24/7 threat management service designed to provide sophisticated protection, with AI-powered threat detection and response].

Before proceeding further with comparing two platforms, let’s quickly get through initial steps required to onboard a device into Microsoft Defender. The steps allow devices to register in the portal and to receive policies [For detailed steps on MDE configuration, onboarding the devices, setting up roles & permissions, licenses, etc., please refer to official Microsoft documentation].

To onboard a device, navigate to Microsoft Defender portal -> Settings -> Endpoints -> Device Management -> Onboarding. The onboarding process is well described on the portal page, online documentation and additionally covered by Microsoft video material. It basically comes to selecting supported operating system and deployment method, then downloading the package and deploying to target group of devices. Further down on the page there is also a detection script that can be run against deployed onboarding package, to verify if the device is properly onboarded and reports to the service.

To onboard the devices into Intune, go to Microsoft Defender portal -> Settings -> Endpoints -> Advanced Features and select “Microsoft Intune connection.”

Secondly, the Defender for Endpoint connection needs to be turned on in Intune portal. Navigate to Intune -> Endpoint security -> Microsoft Defender for Endpoint and select “Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations”.

It is worth mentioning an MDE Client Analyzer tool provided by Microsoft to download. The tool runs a series of tests against the device and in the end, it presents a detailed report.

Before applying desired settings on target computers, you may consider to set the policies in audit mode. On below example, the Attack Surface Reduction (ASR) is set to audit mode – the settings are not enforced on the device, only registered in the Event Viewer.

ESET Protect

The same set of policies can be deployed using on-premises Group Policy Objects, under Computer Configuration / Windows Components / Windows Defender Antivirus / Windows Defender Exploit Guard / Attack Surface Reduction. For more information on ASR, please refer to official Microsoft documentation.

Having the onboarding process shortly described, the next step will focus on comparing current ESET PROTECT configuration with Microsoft Defender for Endpoint equivalent settings.

The ESET PROTECT management console is web-based. After signing in, navigate to Policies, and select policy that configures settings for managed Windows endpoints, in this case “ESET Windows security”.

The policies are grouped into five sections.

• “Detection Engine”, guards against malicious system attacks.
• “Update” covers configuration related to module and product updates on endpoints.
• “Protections” contains settings with actions against potentially unwanted and unsafe applications.
• “Connectivity” contains proxy settings.
• “User interface”, which sets the password so that user cannot amend changes.

Now let’s take a closer look at the current configuration in ESET PROTECT portal and attempt to locate the same [where available] or similar under Microsoft Defender portal. The exercise is presented below in a table, with ESET being on the left, MDE in the middle, and a comment on the right. Also, each presented ESET configuration setting and its Microsoft ‘equivalent’ will have its location/path in the console mentioned.

Summary

So, having both products compared with emphasis on the current ESET PROTECT configuration at the customer’s environment, and checking against settings which will take over the functionality on MDE side, I could conclude that the migration can go ahead and move forward. Configuring MDE may require a bit more effort as the configuration is divided into designated profiles which have to be configured separately. In the end however, the result is that the policies apply, the device is protected, and devices which are protected by MDE report no issues.

There are of course many more settings available on both platforms should we want to compare them all. However, in this case, the setup on ESET side was not that sophisticated, hence the effort to migrate the settings and apply additional ones with Microsoft’s best practices was not that challenging 😊