
How to check antimalware client version by using 'Domain name'


Hey,

 

I'm running the following Microsoft script to find out the version of the antimalware client. It works well, but as I have several domains across our estate I need to scope the script to one domain name at a time. I tried using 'DeviceEvents' with 'InitiatingProcessAccountDomain' but can't quite get the format right. Any ideas would be much appreciated:

 

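//check the antimalware client version
// Source: file events for the Defender engine binary; its folder name carries the platform version.
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
// Keep only the newest event per device so a machine that was upgraded during the query
// window is counted once, under its current platform version, rather than once per version seen.
|summarize arg_max(Timestamp, FolderPath, DeviceName) by DeviceId
// split() returns a dynamic array even when an index is supplied; index into it before tostring()
// so PlatformVersion is the bare folder name (e.g. 4.18.xxxx.x-0) rather than the JSON text ["4.18.xxxx.x-0"].
// Path segments: 0 "C:", 1 "ProgramData", 2 "Microsoft", 3 "Windows Defender", 4 "Platform", 5 version folder.
|extend PlatformVersion=tostring(split(FolderPath, "\\")[5])
// To scope to one AD domain, match on the device FQDN. InitiatingProcessAccountDomain describes the
// account that performed the file operation (presumably a local/system account for this binary — verify),
// not the domain the machine is joined to, which is likely why filtering on it did not work.
//|where DeviceName endswith ".<domain-fqdn-placeholder>"
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc // string ordering, not semantic version ordering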
 
 
Thanks
Hello,

There is now an out-of-the-box report under Reports > Device health > Microsoft Defender Antivirus health, but indeed it doesn't show you the domain.

Not sure why you are looking into DeviceFileEvents when you should be looking into DeviceTvmSecureConfigurationAssessment. Check below; you can uncomment the domain filter and the summarize line as needed.

// Per-device antivirus running mode, taken from secure-configuration check scid-2010.
// The first element of the Context array is the mode code; anything unrecognised maps to 'Unknown'.
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend modecode = tostring(avdata[0][0])
| extend AVMode = case(modecode == '0', 'Active',
                       modecode == '1', 'Passive',
                       modecode == '4', 'EDR Blocked',
                       'Unknown')
| project DeviceId, AVMode;
// Signature, engine and platform versions come from check scid-2011; Context holds them as positional
// fields (0 signature version, 1 engine version, 2 signature update time, 3 platform version).
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVSigVersion = tostring(avdata[0][0]),
         AVEngineVersion = tostring(avdata[0][1]),
         AVSigLastUpdateTime = tostring(avdata[0][2]),
         PlatformVersion = tostring(avdata[0][3])
// Uncomment to scope the result to one domain; DeviceName is the device FQDN.
//| where DeviceName contains "domain"
| project DeviceId, DeviceName, OSPlatform, PlatformVersion, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
// Attach the AV mode; the join duplicates the key column as DeviceId1, which is dropped.
| join avmodetable on DeviceId
| project-away DeviceId1
// Uncomment to get a count of devices per platform version instead of the per-device listing.
//| summarize dcount(DeviceName) by PlatformVersion
Your level of scripting is Jedi Level, thank you so much @LuizaT !
Hello,

There is now an out-of-the-box report under Reports > Device health > Microsoft Defender Antivirus health, but indeed it doesn't show you the domain.

Not sure why you are looking into DeviceFileEvents when you should be looking into DeviceTvmSecureConfigurationAssessment. Check below; you can uncomment the domain filter and the summarize line as needed.

// Per-device antivirus running mode, taken from secure-configuration check scid-2010.
// The first element of the Context array is the mode code; anything unrecognised maps to 'Unknown'.
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend modecode = tostring(avdata[0][0])
| extend AVMode = case(modecode == '0', 'Active',
                       modecode == '1', 'Passive',
                       modecode == '4', 'EDR Blocked',
                       'Unknown')
| project DeviceId, AVMode;
// Signature, engine and platform versions come from check scid-2011; Context holds them as positional
// fields (0 signature version, 1 engine version, 2 signature update time, 3 platform version).
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVSigVersion = tostring(avdata[0][0]),
         AVEngineVersion = tostring(avdata[0][1]),
         AVSigLastUpdateTime = tostring(avdata[0][2]),
         PlatformVersion = tostring(avdata[0][3])
// Uncomment to scope the result to one domain; DeviceName is the device FQDN.
//| where DeviceName contains "domain"
| project DeviceId, DeviceName, OSPlatform, PlatformVersion, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
// Attach the AV mode; the join duplicates the key column as DeviceId1, which is dropped.
| join avmodetable on DeviceId
| project-away DeviceId1
// Uncomment to get a count of devices per platform version instead of the per-device listing.
//| summarize dcount(DeviceName) by PlatformVersion
