Document:Prisma Cloud Administrator’s Guide (Compute)

Deploy Windows Defender

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Cluster Context
- Deploy Prisma Cloud Defenders
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Agentless Scanning Modes
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Deploy Windows Defender

Prisma Cloud can secure Windows containers running on Windows Server 2016 and Windows Server 2019 hosts. A single instance of Prisma Cloud Console can simultaneously protect both Windows and Linux containers on both Windows and Linux hosts. Prisma Cloud’s Intelligence Stream includes vulnerability data from Microsoft, so as new CVEs are reported, Prisma Cloud can detect them in your Windows images.

The architecture for Defender on Windows is different than Defender on Linux. The Defender runs as a Docker container on Linux, and as a Windows service on Windows. On Linux, it is implemented as runtime protection in the userspace, and on Windows it is implemented using Windows drivers. This is because there is no concept of capabilities in Windows Docker containers like there is on Linux. Defender on Windows runs as service so it can acquire the permissions it needs to secure the containers on your host. When you deploy the Defender, it appears as a service. The Defender type "Container Defender - Windows" means that Defender is capable of securing your containers, not that it’s deployed as a container.

To deploy Defender on Windows, you’ll copy a PowerShell script from the Prisma Cloud Console and run it on the host where you want to install Defender.

Feature matrix

The following table compares Prisma Cloud’s Windows Server feature support to Linux feature support:

Platform	Vulnerability	Compliance	Runtime defense			Firewalls
			>Processes	>Network	>Filesystem	>CNNS	>WAAS
Linux	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Windows Server 2016	Yes	Yes	No	No	No	No	Yes
Windows Server 2019 (Host Defender)	Yes	Yes	No	No	No	No	Yes
Windows Server 2019 (Container Defender) with Docker runtime	Yes	Yes	Yes	No	No	No	No
Windows Server 2019 (Container Defender) with containerd runtime¹	Yes	Yes	Yes	No	No	No	No

¹Supported on AKS only.

Windows Host Defenders support Windows compliance checks for hosts. Only Windows Container Defenders for Windows based containers support custom compliance checks.

As a quick review, Prisma Cloud runtime defense builds a model of allowed activity for each container image during a learning period. After the learning period has completed, any violation of the model triggers an action as defined by your policy (alert, prevent, block).

As Prisma Cloud builds the model, any interactive tasks that are run are logged. These interactive tasks can be viewed in each model’s history tab. On Windows, Prisma Cloud can’t currently detect when interactive tasks are run with the docker exec command, although Prisma Cloud does correctly record interactive tasks run from a shell inside a container with the docker run -it <IMAGE> sh command. No matter how the interactive task is run, however, the model will correctly allow a process if it’s in learning mode, and it will take action if the model is violated when in enforcement mode.

Windows Container Defenders scan both the containers and the hosts where they run for vulnerabilities.

Deploying Defender on Windows with Docker runtime

Install Prsima Cloud Defenders on every Windows host you want to protect.

Defenders are deployed with with a PowerShell 64-bit script, defender.ps1, which downloads the necessary files from Console. Defender is registered as a Windows service.

Run the Prisma Cloud Defender deployment PowerShell script from a Windows PowerShell 64-bit shell.

Prisma Cloud Windows container defenders are tested and supported for GKE Windows server containers.

After the install is completed, Prisma Cloud files can be found in the following locations:

C:\Program Files\Prisma Cloud\

C:\ProgramData\Prisma Cloud\

Prerequisites:

Windows Server 2016 or Windows Server 2019. Prisma Cloud is not supported on Windows 10 or Hyper-V.

Docker for Windows (1.12.2-cs2-ws-beta) or higher. For more information about installing Docker on Windows, see Windows Containers on Windows Server.

Log into Console

Go to Manage > Defenders > Deploy

Select Single Defender

In Choose the Defender type
, select Container Defender - Windows

Copy the curl script and run it on your host to install Windows Defender

If you install Windows locally on your laptop, the 'netsh' commands are not needed. They are only applicable to the GCE environment.

Deploy Container Defender on Windows with containerd runtime

You can also deploy the Windows container defender to protect your containers running on

Document:Prisma Cloud Administrator’s Guide (Compute)

Deploy Windows Defender

Table of Contents

Deploy Windows Defender

Feature matrix

Deploying Defender on Windows with Docker runtime

Deploy Container Defender on Windows with containerd runtime