Forum Discussion
Deleted
Jul 21, 2022
What does the Antivirus status mean? Disabled, Not supported, Not updated, Unknown
What steps need to be taken to get the devices to show status as Updated?
Jul 27, 2022
Hi Deleted,
Device health and compliance report in Microsoft Defender for Endpoint
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-reports?view=o365-worldwide
"Disabled" means that Microsoft Defender Antivirus is disabled, such as by using this policy (or MDM policy): "Turn off Microsoft Defender Antivirus". Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus?view=o365-worldwide
Or if you are running a 3rd party antivirus which might disable Microsoft Defender Antivirus.
Please review: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide
"Not updated": the "Security Intelligence Update" (signatures/definitions) might be outdated. Depending on the management product that you are using, make sure that the systems are getting an updated "Security intelligence update" that is not older than 3-10 days (ideally < 1 day).
Reference: Manage the sources for Microsoft Defender Antivirus protection updates
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide
and
Manage Microsoft Defender Antivirus updates and apply baselines
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide
"Not supported" can be OSes such as iOS, which do not have antimalware.
"Unknown" can occur if you have Windows Server 2012 R2 and/or Windows Server 2016 and you are not using the latest unified MDE for downlevel Windows Servers.
For details: Defending Windows Server 2012 R2 and 2016
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292
Or
If you are running MDE for macOS or MDE for Linux, make sure that you have the bits from at least March 2022 (ideally 101.73.77, which enables the new antimalware engine). For more info, check out "What's new" here: aka.ms/MDEforMac and aka.ms/MDEforLinux.
For more info about the new antimalware engine:
Enhanced antimalware engine capabilities for Linux and macOS
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enhanced-antimalware-engine-capabilities-for-linux-and-macos/ba-p/3292003
Thanks,
Yong Rhee - MSFT
yongrheemsft
Microsoft
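The answer above explains the four buckets at the level of the portal report. The following PowerShell function is an added example (mine, not Yong Rhee's and not Microsoft's code) that applies the same classification locally on one Windows endpoint, so an admin can see why a device lands in "Disabled" or "Not updated" before the next report refresh. Assumptions: the 3-day signature age limit is taken from the "3-10 days (ideally < 1 day)" guidance and is a parameter; the `DisableAntiSpyware` policy value is read as the local footprint of the "Turn off Microsoft Defender Antivirus" setting; and a host where `Get-MpComputerStatus` cannot run (for example a downlevel server without the unified agent) is reported as "Unknown". Passive mode is not modelled as a separate bucket; it is surfaced in the `AMRunningMode` field of the output.

```powershell
# Added example, not part of the thread: classify a Windows endpoint's Defender
# Antivirus state into the buckets the Device health report uses.
function Get-DefenderAvHealth {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are reported as "Not updated" (assumed threshold).
        [int]$MaxSignatureAgeDays = 3,
        # Try a security intelligence refresh when the status is "Not updated".
        [switch]$Remediate
    )

    # The "Turn off Microsoft Defender Antivirus" policy writes DisableAntiSpyware=1 under this key.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policyDisabled = $false
    if (Test-Path -Path $policyPath) {
        $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
        $policyDisabled = ($policy.DisableAntiSpyware -eq 1)
    }

    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
    }
    catch {
        # No Defender management surface on this host: treat as "Unknown" (assumption).
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Status       = 'Unknown'
            Reason       = "Get-MpComputerStatus failed: $($_.Exception.Message)"
        }
    }

    $status = 'Updated'
    $reason = 'Antivirus enabled and security intelligence is current'

    if ($policyDisabled) {
        $status = 'Disabled'
        $reason = 'DisableAntiSpyware policy is set to 1'
    }
    elseif (-not $mp.AntivirusEnabled) {
        $status = 'Disabled'
        $reason = "AntivirusEnabled is false (AMRunningMode: $($mp.AMRunningMode))"
    }
    elseif ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $status = 'Not updated'
        $reason = "Security intelligence is $($mp.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)"
        if ($Remediate) {
            # Pull a fresh update from the configured source order and re-evaluate;
            # a failure here usually points at a blocked or misconfigured update source.
            try {
                Update-MpSignature -ErrorAction Stop
                $mp = Get-MpComputerStatus -ErrorAction Stop
                if ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) {
                    $status = 'Updated'
                    $reason = 'Security intelligence refreshed by Update-MpSignature'
                }
            }
            catch {
                $reason += "; Update-MpSignature failed: $($_.Exception.Message)"
            }
        }
    }

    # One record per host, shaped so it can be exported alongside the portal report.
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Status               = $status
        Reason               = $reason
        AMRunningMode        = $mp.AMRunningMode
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        SignatureVersion     = $mp.AntivirusSignatureVersion
        SignatureAgeDays     = $mp.AntivirusSignatureAge
        SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
        PlatformVersion      = $mp.AMProductVersion
        EngineVersion        = $mp.AMEngineVersion
    }
}

# Usage: run in an elevated PowerShell session on the endpoint being investigated.
Get-DefenderAvHealth -MaxSignatureAgeDays 3 | Format-List
```

A device that shows "Not updated" in the portal but "Updated" here with a fresh `SignatureLastUpdated` has usually just been fixed and is waiting for the next report refresh; one that stays "Not updated" after `-Remediate` is worth checking against the update-source order in the "Manage the sources for Microsoft Defender Antivirus protection updates" reference above.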
lybinhlap
Sep 11, 2024
Copper Contributor
@yongrheemsft Hi, is there any way I can get Antivirus Status information besides exporting from Device Inventory? For example: via Advanced Hunting tables or via the MDE API.