In plain English
Defender for Endpoint goes beyond traditional antivirus. It continuously monitors device behaviour, detects suspicious activity that signature-based tools miss, provides a detailed investigation timeline when an incident occurs, and can isolate a compromised device from the network with one click.
Full definition
Traditional antivirus works by matching files against a list of known signatures. Defender for Endpoint does that too, but it also watches what processes are doing, what files they are touching, what network connections they are making, and how that behaviour compares to the baseline for that device. When something looks wrong, it raises an alert with a full investigation timeline showing exactly what happened, in what order, and on which accounts.
The isolation capability is one of the most useful features during an active incident. If a device is confirmed or suspected to be compromised, an analyst can cut it off from the rest of the network with a single action in the Microsoft Defender portal. The device loses all network access except its connection to the Defender service, so the analyst can continue investigating remotely while the threat is contained. That stops without requiring anyone to physically locate the machine.
For Australian businesses, Defender for Endpoint also directly supports compliance. Threat and Management inside the product scans devices for missing patches and misconfigurations, mapping each finding to its severity and exploitability. can block common malware techniques, including Office macros dropping executables, which is an Essential Eight requirement at 2. The product is included in Business Premium and several enterprise licences.
