Deploy Windows Defender
Prisma Cloud can secure Windows containers running on Windows Server 2016 and Windows Server 2019 hosts.
A single instance of Prisma Cloud Console can simultaneously protect both Windows and Linux containers on both Windows and Linux hosts.
Prisma Cloud’s Intelligence Stream includes vulnerability data from Microsoft, so as new CVEs are reported, Prisma Cloud can detect them in your Windows images.
The architecture of Defender on Windows is different from Defender on Linux.
The Defender runs as a Docker container on Linux, and as a Windows service on Windows.
On Linux, it is implemented as runtime protection in userspace; on Windows, it is implemented using Windows drivers.
This is because there is no concept of capabilities in Windows Docker containers like there is on Linux.
Defender on Windows runs as a service so it can acquire the permissions it needs to secure the containers on your host.
When you deploy the Defender, it appears as a service.
The Defender type "Container Defender - Windows" means that Defender is capable of securing your containers, not that it’s deployed as a container.
To deploy Defender on Windows, you’ll copy a PowerShell script from the Prisma Cloud Console and run it on the host where you want to install Defender.
Feature matrix
The following table compares Prisma Cloud’s Windows Server feature support to Linux feature support:
Platform | Vulnerability | Compliance | Runtime defense: Processes | Runtime defense: Network | Runtime defense: Filesystem | Firewalls: CNNS | Firewalls: WAAS
---|---|---|---|---|---|---|---
Linux | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Windows Server 2016 | Yes | Yes | No | No | No | No | Yes
Windows Server 2019 (Host Defender) | Yes | Yes | No | No | No | No | Yes
Windows Server 2019 (Container Defender) with Docker runtime | Yes | Yes | Yes | No | No | No | No
Windows Server 2019 (Container Defender) with containerd runtime ¹ | Yes | Yes | Yes | No | No | No | No
Windows Server 2022 (Container Defender) with Docker runtime | Yes | Yes | Yes | No | No | No | No
Windows Server 2022 (Container Defender) with containerd runtime ¹ | Yes | Yes | Yes | No | No | No | No

¹ Supported on AKS only.

Windows Host Defenders support Windows compliance checks for hosts.
Only Windows Container Defenders for Windows-based containers support custom compliance checks.
As a quick review, Prisma Cloud runtime defense builds a model of allowed activity for each container image during a learning period.
After the learning period has completed, any violation of the model triggers an action as defined by your policy (alert, prevent, block).
As Prisma Cloud builds the model, any interactive tasks that are run are logged.
These interactive tasks can be viewed in each model’s history tab.
On Windows, Prisma Cloud can’t currently detect when interactive tasks are run with the `docker exec` command, although Prisma Cloud does correctly record interactive tasks run from a shell inside a container with the `docker run -it <IMAGE> sh` command.
No matter how the interactive task is run, however, the model will correctly allow a process if it’s in learning mode, and it will take action if the model is violated when in enforcement mode.
Windows Container Defenders scan both the containers and the hosts where they run for vulnerabilities.
Deploying Defender on Windows with Docker runtime
Prisma Cloud Console must be first installed on a Linux host.
Prisma Cloud Defenders are then installed on each Windows host you want to protect.
For more information about installing Console, see Getting Started.
The Onebox install is the fastest way to get Console running on a stand-alone Linux machine.
Defenders are deployed with a PowerShell 64-bit script, defender.ps1, which downloads the necessary files from Console.
Defender is registered as a Windows service.
Run the Prisma Cloud Defender deployment PowerShell script from a Windows PowerShell 64-bit shell.
Prisma Cloud Windows container defenders are tested and supported for GKE Windows server containers.
After the install is completed, Prisma Cloud files can be found in the following locations:
Prerequisites:
- Windows Server 2016 or Windows Server 2019. Prisma Cloud is not supported on Windows 10 or Hyper-V.
- Docker for Windows (1.12.2-cs2-ws-beta) or higher. For more information about installing Docker on Windows, see Windows Containers on Windows Server.

Steps:
- Log into Console.
- Go to Manage > Defenders > Deploy.
- Select Single Defender.
- In Choose the Defender type, select Container Defender - Windows.
- Copy the curl script and run it on your host to install Windows Defender.

If you install Windows locally on your laptop, the 'netsh' commands are not needed. They are only applicable to the GCE environment.
Deploy Container Defender on Windows with containerd runtime
You can also deploy the Windows container Defender to protect your containers running on Azure Kubernetes Service (AKS) Windows nodes with the containerd runtime.
By installing the Defender you will be able to view the running containers and images on the Radar and leverage Prisma Cloud Runtime Defense capabilities on the running containers.

Prerequisites:
- Make sure you are using Windows Server 2019 with containerd runtime.
- The nodes are part of an Azure Kubernetes Service (AKS) Windows Server node pool.
- Learn more about Using containerd with Windows Server node pools (preview).

Steps:
- Log into Console.
- Go to Manage > Defenders > Deploy.
- Select Single Defender.
- In Choose the Defender type, select Container Defender - Windows.
- Set the option for Node is using containerd, not Docker to On.
- Copy the curl script and run it on your host to install Windows Defender.

Twistcli can’t be used on Windows machines running containerd.
Registry scanning
To scan Windows images in your registry, you must install at least one Windows Defender.
Prisma Cloud automatically distributes the scan job across available Defenders.
To scan registries that hold both Windows and Linux images, install at least one Linux Defender and one Windows Defender in your environment.
Registry scan settings can include a mix of both Defenders running on hosts with Docker Engine and containerd as scanners.
Uninstalling Defender
You can uninstall Defender directly from the Console UI.
You can also manually uninstall Defender from the command line by running:

```powershell
C:\Program Files\Twistlock\scripts\defender.ps1 -uninstall
```

Since Defender runs as a Windows service, decommissioning it will stop the service.
Some remnant files might need to be deleted manually.

- Go to Manage > Defenders > Manage. This page shows a list of Defenders deployed in your environment and connected to Console.
- Click the Decommission button.
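After uninstalling or decommissioning, the following added check (not part of the Prisma Cloud documentation) confirms that no Defender service is still registered and lists any remnant files left behind. It assumes the default install directory shown above, C:\Program Files\Twistlock, and locates the service by its binary path so it does not depend on the service name.

```powershell
# Added example, not from the Prisma Cloud docs: verify Defender removal.
# Assumption: Defender was installed under C:\Program Files\Twistlock.

function Test-DefenderRemoved {
    param([string]$InstallDir = 'C:\Program Files\Twistlock')

    # Defender is registered as a Windows service; match on the service's
    # binary path instead of a hard-coded service name.
    $svc = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like "*$InstallDir*" }

    # Collect any files still present in the install directory so they can
    # be reviewed and deleted manually, as the docs note may be required.
    $remnants = @()
    if (Test-Path -LiteralPath $InstallDir) {
        $remnants = @(Get-ChildItem -LiteralPath $InstallDir -Recurse -File -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        ServiceStillRegistered = [bool]$svc
        ServiceState           = if ($svc) { $svc.State } else { 'none' }
        RemnantFileCount       = $remnants.Count
        RemnantFiles           = $remnants.FullName
    }
}

$result = Test-DefenderRemoved
$result | Format-List
if ($result.ServiceStillRegistered) {
    Write-Warning 'Defender service is still registered; re-run defender.ps1 -uninstall or decommission it from Console.'
}
```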
Limitations
Be aware of the following limitations:
- Windows Defenders support Windows compliance checks for hosts and custom compliance checks only. Image and container compliance checks aren’t supported.
- Windows requires the host OS version to match the container OS version. If you want to run a container based on a newer Windows build, make sure you have an equivalent host build. Otherwise, you can use Hyper-V isolation to run older containers on new host builds. For more information, see Windows containers version compatibility.
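The host/container build requirement above can be checked before deploying workloads. The following added example (not from the Prisma Cloud documentation) compares the build number of each local Windows image, as reported by `docker image inspect`, with the host's build and flags images that need Hyper-V isolation or cannot run at all; it assumes the Docker CLI is on PATH.

```powershell
# Added example, not from the Prisma Cloud docs: compare Windows image OS
# builds against the host OS build. Assumes the Docker CLI is available.

function Get-HostBuild {
    # CurrentBuild is the host kernel build, e.g. 17763 for Windows Server 2019.
    [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
}

function Get-ImageBuild {
    param([Parameter(Mandatory)][string]$Image)
    # docker image inspect reports "Os": "windows" and an "OsVersion" such as
    # "10.0.17763.2183"; the third component is the build number.
    $meta = @(docker image inspect $Image | ConvertFrom-Json)[0]
    if ($meta.Os -ne 'windows' -or -not $meta.OsVersion) { return $null }
    [int]($meta.OsVersion -split '\.')[2]
}

function Test-ImageHostCompatibility {
    $hostBuild = Get-HostBuild
    # Enumerate local images as repo:tag, skipping dangling <none> entries.
    $images = docker image ls --format '{{.Repository}}:{{.Tag}}' |
        Where-Object { $_ -notmatch '<none>' }

    foreach ($img in $images) {
        $imgBuild = Get-ImageBuild -Image $img
        if ($null -eq $imgBuild) { continue }   # Linux image or no OsVersion metadata

        if ($imgBuild -eq $hostBuild) {
            $status = 'OK: matches host build (process isolation)'
        } elseif ($imgBuild -lt $hostBuild) {
            # Older images can still run on a newer host, but only under Hyper-V isolation.
            $status = 'Older than host: run with --isolation=hyperv'
        } else {
            $status = 'Newer than host: will not run on this host build'
        }

        [pscustomobject]@{
            Image      = $img
            ImageBuild = $imgBuild
            HostBuild  = $hostBuild
            Status     = $status
        }
    }
}

Test-ImageHostCompatibility | Format-Table -AutoSize
```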