Forum Discussion

AnuragSrivastava
Iron Contributor
Feb 08, 2021

Windows Defender Antivirus (Active or Passive)

Hi,

I need to get a report of machines with status of Windows Defender Antivirus (Active or Passive).


As per the document https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup#verify-that-microsoft-defender-antivirus-is-in-passive-mode, it says to run the Get-MpComputerStatus cmdlet in PowerShell and check the value for AMRunningMode.

When I ran this on a machine where a 3rd party AV was installed with Windows Defender AV running in passive mode, I got the value Normal under AMRunningMode instead of Passive.


Is there any other way we can get the status of Windows Defender AV from the MDATP Security Center or Intune?
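An added example (not part of the original post) of the local check the question refers to, run across several hosts via PowerShell remoting and collected into one CSV: it records the AMRunningMode value from Get-MpComputerStatus alongside any third-party antivirus products registered in the root\SecurityCenter2 namespace, so a host reporting Normal while a third-party product is present stands out in the report. The host names PC01 and PC02 and the output path are placeholders; WinRM connectivity and local administrator rights on the targets are assumed.

```powershell
# Added example, not code from the original post.
# Collect Defender AV running mode from a list of hosts and write a CSV report.
# Assumes WinRM is enabled and the caller is a local admin on every target.
param(
    [string[]]$ComputerName = @('PC01', 'PC02'),        # placeholder host names
    [string]$OutFile = '.\DefenderModeReport.csv'       # placeholder output path
)

$report = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    $mp = Get-MpComputerStatus

    # Third-party AV products register in root\SecurityCenter2 on client SKUs.
    # The namespace does not exist on Windows Server, so a failure here is tolerated.
    $thirdParty = try {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Where-Object { $_.displayName -notlike 'Windows Defender*' -and $_.displayName -notlike 'Microsoft Defender*' } |
            Select-Object -ExpandProperty displayName
    } catch { $null }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AMRunningMode      = $mp.AMRunningMode              # raw value, e.g. Normal or Passive Mode
        AMServiceEnabled   = $mp.AMServiceEnabled
        AntivirusEnabled   = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureVersion   = $mp.AntivirusSignatureVersion
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        ThirdPartyAV       = ($thirdParty -join '; ')
    }
}

# Drop the remoting bookkeeping properties, keep the rows for a summary, and write the CSV.
$report |
    Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName |
    Sort-Object AMRunningMode, Computer |
    Tee-Object -Variable rows |
    Export-Csv -Path $OutFile -NoTypeInformation

# Summary by mode. Hosts that report Normal but list a third-party product,
# or Passive Mode with none, are the ones worth a closer look.
$rows | Group-Object AMRunningMode | Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object { $_.AMRunningMode -eq 'Normal' -and $_.ThirdPartyAV } |
    Format-Table Computer, AMRunningMode, ThirdPartyAV -AutoSize
```

Unreachable hosts are reported by Invoke-Command as non-terminating errors and simply do not appear in the CSV, so compare the row count against the input list before treating the report as complete.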

5 Replies

  • GeoffY1
    Copper Contributor
    There are 2 other states that need including:
    3 = SxS Passive (side-by-side mode with limited periodic scanning)
    2 = Other ?
    I'd like to know what 2 means - in our shop we have quite a few devices reporting this value.
    • AnuragSrivastava
      Iron Contributor
      @GeoffYoung - could be the devices where Defender is disabled or uninstalled.
  • Wintermute110
    Copper Contributor

    AnuragSrivastava Currently having the same issue. Cannot find anything else in the documentation to suggest any other methods to determine MDE's status.

    Why it isn't showing as Passive when a 3rd party AV solution is present (as per MS documentation) is beyond me.

    • AnuragSrivastava
      Iron Contributor
      Wintermute110

      Use TVM data in Advanced Hunting to get that info. Windows 10 and Windows Server 2019 supported.

      Example:

      let avmodetable = DeviceTvmSecureConfigurationAssessment
      | where ConfigurationId == "scid-2010" and isnotnull(Context)
      | extend avdata=parsejson(Context)
      | extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked' ,'Unknown')))
      | project DeviceId, AVMode;
      DeviceTvmSecureConfigurationAssessment
      | where ConfigurationId == "scid-2011" and isnotnull(Context)
      | extend avdata=parsejson(Context)
      | extend AVSigVersion = tostring(avdata[0][0])
      | extend AVEngineVersion = tostring(avdata[0][1])
      | extend AVSigLastUpdateTime = tostring(avdata[0][2])
      | project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
      | join avmodetable on DeviceId
      | project-away DeviceId1
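An added example, not from the thread, that runs a reduced form of the scid-2010 query above through the Defender for Endpoint Advanced Hunting API from PowerShell and writes the per-device AV mode report the question asked for. It extends the 0/1/4 mapping with 3 = SxS Passive, as reported earlier in the thread, and leaves 2 unlabelled because the thread does not establish what it means. The bearer token in $AccessToken (granted AdvancedQuery.Read.All and obtained out of band) and the output path are assumptions; the endpoint is the Advanced Hunting run API.

```powershell
# Added example, not code from the thread.
# Runs the scid-2010 TVM query through the Advanced Hunting API and reports AV mode per device.
# Assumes $AccessToken is a valid bearer token for api.securitycenter.microsoft.com
# with the AdvancedQuery.Read.All permission; acquiring it is out of scope here.
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [string]$OutFile = '.\AVModeReport.csv'            # placeholder output path
)

# Context[0][0] of scid-2010 holds the AV mode code. 0/1/4 follow the posted query,
# 3 is the SxS Passive state mentioned in the thread, and anything else (2 included)
# is surfaced with its raw code rather than guessed at.
$query = @'
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend AVModeCode = tostring(parse_json(Context)[0][0])
| extend AVMode = case(
    AVModeCode == "0", "Active",
    AVModeCode == "1", "Passive",
    AVModeCode == "3", "SxS Passive",
    AVModeCode == "4", "EDR Block",
    strcat("Unknown (", AVModeCode, ")"))
| project DeviceId, DeviceName, OSPlatform, AVModeCode, AVMode
'@

$response = Invoke-RestMethod -Method Post `
    -Uri 'https://api.securitycenter.microsoft.com/api/advancedhunting/run' `
    -Headers @{ Authorization = "Bearer $AccessToken" } `
    -ContentType 'application/json' `
    -Body (@{ Query = $query } | ConvertTo-Json)

# The API answers with Schema and Results; Results is one object per returned row.
$rows = $response.Results
$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Summary by mode, then the devices whose code the query could not name.
$rows | Group-Object AVMode | Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object { $_.AVMode -like 'Unknown*' } |
    Format-Table DeviceName, OSPlatform, AVModeCode -AutoSize
```

The Advanced Hunting API caps the rows a single call returns, so for a large tenant add a `| where Timestamp > ago(1d)` filter or page by DeviceId rather than assuming one call covers every device.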
      • Wintermute110
        Copper Contributor
        Thanks, that has worked.

        Really should be available in the GUI though!
