Understand patch management and anti-malware


The first component of PAVC is proactive patch management. Patch management mitigates vulnerabilities by ensuring Microsoft 365 systems are updated quickly when new security patches are released. Microsoft 365 prioritizes new security patches and other security updates according to risk. The Microsoft 365 Security team analyzes available security patches to determine their risk level in the context of our production environments. Their analysis includes severity scores based on the Common Vulnerability Scoring System (CVSS) along with other risk factors.

Microsoft 365 service teams review the analysis from Microsoft 365 Security and update their service components and baseline images with applicable patches within the appropriate remediation timeframe. Security patches are subject to the change management process to ensure adequate testing and management approval before deployment to production environments. Deployment of security patches occurs in stages to enable rollback if a security patch causes unexpected issues. Service teams use vulnerability scan results to validate security patch deployment on applicable system components. Any overdue vulnerabilities are reported on a daily basis and reviewed by management monthly to measure the breadth and depth of patch coverage across the environment and hold ourselves accountable for timely patching.

Anti-malware is the second core component of PAVC. Microsoft 365 uses comprehensive anti-malware software to protect Microsoft 365 Services against viruses and other malware. Baseline operating system images used by Microsoft 365 include this software to maximize coverage throughout the environment.

Every endpoint in Microsoft 365 performs a full anti-malware scan at least weekly. Additional real-time scans are performed on all files as they are downloaded, opened, or executed. These scans use known malware signatures to detect malware and prevent malware execution. Microsoft 365's anti-malware software is configured to download the most recent malware signatures daily to ensure scans are conducted with the most up-to-date information. In addition to signature-based scans, Microsoft 365 anti-malware software uses pattern-based recognition to detect and prevent suspicious or anomalous program behavior.

When our anti-malware products detect viruses or other malware, they automatically generate an alert for the Microsoft 365 Security Response team. In many cases, our anti-malware software can prevent the execution of viruses and other malware in real time without human intervention. When this is not possible, the Microsoft 365 Security Response team resolves malware incidents using the security incident response process.