
AmjadGov
Sep 06, 2022

How to check antimalware client version by using 'Domain name'

Hey,

 

I'm running the following MS query to find out the version of the antimalware client. It works well, but as I have several domains across our estate, I need to restrict the query to each domain name in question. I tried using 'DeviceEvents' with 'InitiatingProcessAccountDomain' but can't quite get the format right. Any ideas would be much appreciated:

 

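//check the antimalware client version
// Scope the query to one domain. DeviceName is reported as the FQDN, so the domain
// is matched as its suffix. Leave empty to report across every device.
let TargetDomain = "";   // e.g. "corp.example.com" (constructed example, not a real domain)
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
|where isempty(TargetDomain) or DeviceName endswith strcat(".", TargetDomain)
// split() with a requested index returns a one-element array; take [0] so
// PlatformVersion is the bare version text rather than the array's JSON text
|extend PlatformVersion=tostring(split(FolderPath, "\\", 5)[0])
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
// order numerically per version component; plain string ordering sorts "4.18.2209.7" oddly against 4-part values
|order by parse_version(PlatformVersion) desc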
 
 
Thanks
  • Hello,

    There is now an out-of-the-box report under Reports - Device health - Microsoft Defender Antivirus Health, but indeed it doesn't show you the domain.

    I'm not sure why you are looking at DeviceFileEvents when you should be looking at DeviceTvmSecureConfigurationAssessment. See below; you may uncomment the domain filter and the summarize.

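    // Scope to one domain. DeviceName is the FQDN, so the domain is matched as its suffix.
    // Leave empty to report every device.
    let TargetDomain = "";   // e.g. "corp.example.com" (constructed example, not a real domain)
    // scid-2010: antivirus running mode; the mode code is the first value of Context[0]
    let avmodetable = DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId == "scid-2010" and isnotnull(Context)
    | extend avdata=parsejson(Context)
    | extend AVModeCode = tostring(avdata[0][0])
    // case() replaces the nested iif() chain; same code-to-label mapping
    | extend AVMode = case(AVModeCode == '0', 'Active',
                           AVModeCode == '1', 'Passive',
                           AVModeCode == '4', 'EDR Blocked',
                           'Unknown')
    | project DeviceId, AVMode;
    // scid-2011: signature, engine and platform versions plus last signature update, in Context[0][0..3]
    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId == "scid-2011" and isnotnull(Context)
    | extend avdata=parsejson(Context)
    | extend AVSigVersion = tostring(avdata[0][0])
    | extend AVEngineVersion = tostring(avdata[0][1])
    | extend AVSigLastUpdateTime = tostring(avdata[0][2])
    | extend PlatformVersion = tostring(avdata[0][3])
    | where isempty(TargetDomain) or DeviceName endswith strcat(".", TargetDomain)
    | project DeviceId, DeviceName, OSPlatform, PlatformVersion, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
    // leftouter keeps devices that have no scid-2010 row instead of silently dropping them; their AVMode is left empty
    | join kind=leftouter avmodetable on DeviceId
    | project-away DeviceId1
    //| summarize dcount(DeviceName) by PlatformVersion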
  • Hello,

    There is now an out-of-the-box report under Reports - Device health - Microsoft Defender Antivirus Health, but indeed it doesn't show you the domain.

    I'm not sure why you are looking at DeviceFileEvents when you should be looking at DeviceTvmSecureConfigurationAssessment. See below; you may uncomment the domain filter and the summarize.

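    // Scope to one domain. DeviceName is the FQDN, so the domain is matched as its suffix.
    // Leave empty to report every device.
    let TargetDomain = "";   // e.g. "corp.example.com" (constructed example, not a real domain)
    // scid-2010: antivirus running mode; the mode code is the first value of Context[0]
    let avmodetable = DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId == "scid-2010" and isnotnull(Context)
    | extend avdata=parsejson(Context)
    | extend AVModeCode = tostring(avdata[0][0])
    // case() replaces the nested iif() chain; same code-to-label mapping
    | extend AVMode = case(AVModeCode == '0', 'Active',
                           AVModeCode == '1', 'Passive',
                           AVModeCode == '4', 'EDR Blocked',
                           'Unknown')
    | project DeviceId, AVMode;
    // scid-2011: signature, engine and platform versions plus last signature update, in Context[0][0..3]
    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId == "scid-2011" and isnotnull(Context)
    | extend avdata=parsejson(Context)
    | extend AVSigVersion = tostring(avdata[0][0])
    | extend AVEngineVersion = tostring(avdata[0][1])
    | extend AVSigLastUpdateTime = tostring(avdata[0][2])
    | extend PlatformVersion = tostring(avdata[0][3])
    | where isempty(TargetDomain) or DeviceName endswith strcat(".", TargetDomain)
    | project DeviceId, DeviceName, OSPlatform, PlatformVersion, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
    // leftouter keeps devices that have no scid-2010 row instead of silently dropping them; their AVMode is left empty
    | join kind=leftouter avmodetable on DeviceId
    | project-away DeviceId1
    //| summarize dcount(DeviceName) by PlatformVersion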
