Forum Discussion

amueller-tf
Brass Contributor
Jul 26, 2021

Defender AV - Active/Passive Mode - Advanced Hunting

While researching how to verify if Defender AV is in active or passive mode I found an Advanced Hunting query that searches "DeviceTvmSecureConfigurationAssessment" and then filters "ConfigurationId" by "scid-2010" as the "Context" column contains the status of Defender AV.
So far, I discovered that:
  • "0" = Defender AV is active,
  • "1" = Defender AV is passive,
  • "4" = Defender AV is in "EDR Block Mode"
I am not sure what "Unknown" in the "Context" column means though. Does it mean that Defender AV is not installed, or that it was manually disabled (via registry keys, GPO, ...) or that it running but not reporting?
    • amueller-tf
      Brass Contributor

      peter_george Certainly. I found the script at https://www.reddit.com/r/DefenderATP/comments/lfd5zy/comment/gmynulv/?utm_source=share&utm_medium=web2x&context=3. Here it is:

      // scid-2010: the first element of the Context array holds the AV mode code.
      // Anything other than 0, 1 or 4 (including a missing value) falls through to 'Unknown'.
      let avmodetable = DeviceTvmSecureConfigurationAssessment
      | where ConfigurationId == "scid-2010" and isnotnull(Context)
      | extend avdata=parsejson(Context)
      | extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked' ,'Unknown')))
      | project DeviceId, AVMode;
      // scid-2011: signature version, engine version and last signature update time.
      DeviceTvmSecureConfigurationAssessment
      | where ConfigurationId == "scid-2011" and isnotnull(Context)
      | extend avdata=parsejson(Context)
      | extend AVSigVersion = tostring(avdata[0][0])
      | extend AVEngineVersion = tostring(avdata[0][1])
      | extend AVSigLastUpdateTime = tostring(avdata[0][2])
      | project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
      | join avmodetable on DeviceId
      | project-away DeviceId1

      • Jonhed
        Steel Contributor

        I noticed the server that shows unknown is running Windows Server 2012 R2
        The query looks for Microsoft Defender AV data, which is not integrated in 2012 R2,
        so I am going to assume this query is not able to get the info in question on Windows 2012 R2 machines since Defender does not exist.
        (The link on reddit also does not mention any other platform than Windows 10 and Server 2019)
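The query above collapses every non-0/1/4 value, and every device without a usable scid-2010 row, into a single "Unknown". The following is an added Advanced Hunting query (not from the thread or the Reddit post) that separates the cases the original question and the Server 2012 R2 observation raise: a device with no scid-2010 assessment at all, a row whose Context is empty, and a row carrying a mode code the mapping does not know, grouped by OS platform so a gap like the 2012 R2 one stands out. It assumes the standard DeviceInfo and DeviceTvmSecureConfigurationAssessment tables and columns of Defender for Endpoint Advanced Hunting; the labels in the AVMode strings are my own wording.

```kusto
// Added example: classify why a device would show as "Unknown" instead of
// folding all such devices into one bucket.
let avmode = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010"
| extend avdata = parse_json(Context)
| extend RawMode = tostring(avdata[0][0])
| extend AVMode = case(
      // row exists but carries no status value
      isnull(Context) or isempty(RawMode), "Unknown: assessment row has no Context",
      RawMode == "0", "Active",
      RawMode == "1", "Passive",
      RawMode == "4", "EDR Block Mode",
      // value present but outside the known mapping; keep it for inspection
      strcat("Unknown: unmapped value ", RawMode))
| project DeviceId, RawMode, AVMode;
// Start from the device inventory so devices with no scid-2010 row are not lost by the join.
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, DeviceName, OSPlatform, OSVersion) by DeviceId
| join kind=leftouter avmode on DeviceId
| extend AVMode = iff(isempty(AVMode), "Unknown: no scid-2010 assessment for this device", AVMode)
| project DeviceId, DeviceName, OSPlatform, OSVersion, RawMode, AVMode
| summarize Devices = count(), Examples = make_set(DeviceName, 5) by AVMode, OSPlatform
| order by Devices desc
```

The leftouter join is the important choice: the original inner join silently drops devices that never produced a scid-2010 row, which is exactly the population (for example the 2012 R2 server above) you want to see listed rather than hidden. Keeping RawMode in the output lets you check what value an "unmapped" device actually reported before deciding whether the mapping should be extended.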

    • jeremyhAUS
      Brass Contributor
      You can add a join to the query above to the one below
      DeviceLogonEvents
      | where ActionType == "LogonSuccess"
      | summarize arg_max(TimeGenerated,*) by DeviceId
      | project TimeGenerated, DeviceId, AccountName, AccountDomain
