This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 70%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWR%3C/text%3E%3C/svg%3E)
Hello,
I am looking for a query that will show me outdated AV signatures on Linux machines.
I found this query: https://github.com/alexverboon/MDATP/blob/master/AdvancedHunting/MDE%20-%20Outdated%20Defender%20Signatures.md but it does not provide accurate results.
As an example, I just ran it now and here are the results:
Those signatures have been released yesterday. From within the VM everything is in order:
Does anyone perhaps have a different query and would be willing to share?
Thank you,
Wojciech
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Wojciech Rozanski Got an alternate query to achieve the above outcome.
DeviceTvmInfoGathering
| where OSPlatform in ("Linux")
| where LastSeenTime >= ago(7d)
| join (DeviceInfo | where isnotempty(OSVersion) |summarize arg_max(Timestamp, *) by DeviceId) on DeviceId
| where OnboardingStatus == "Onboarded"
| extend AvMode = iif(tostring(AdditionalFields.AvMode) == '0', 'Active', iif(tostring(AdditionalFields.AvMode) == '1', 'Passive',iif(tostring(AdditionalFields.AvMode) == '2', 'Disabled', iif(tostring(AdditionalFields.AvMode) == '5', 'PassiveAudit',iif(tostring(AdditionalFields.AvMode) == '4', 'EDR Block Mode' ,'Unknown')))))
| extend PlatformVersion =tostring(AdditionalFields.AvPlatformVersion)
| extend SignatureVersion = tostring(AdditionalFields.AvSignatureVersion)
| extend EngineVersion = tostring(AdditionalFields.AvEngineVersion)
| where AvMode != "Unknown" and isnotempty(PlatformVersion)
| project DeviceName, OSPlatform, AvMode,OSVersion, LastSeenTime, PlatformVersion, SignatureVersion, LastSigUpdate = AdditionalFields.AvSignatureUpdateTime , EngineVersion
Let me know if you have any further questions, feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
@Wojciech Rozanski Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Fantastic. Thank you!!!
@Wojciech Rozanski Thank you for reaching out to us, just check if this query mentioned over here - https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-defender-vulnerability-management-part5/#:~:text=Parsed_json%20KQL%20query%20for%20SCID%2D2011%20%E2%80%93%20Query%20with%20extracted/%20parsed%20%E2%80%9Ccontext%E2%80%9D%20field%3A helps to get the accurate results, in the meantime I will check with my team internally on this requirement.