Endpoint protection assessment and recommendations in Microsoft Defender for Cloud

Note

As the Log Analytics agent (also known as MMA) is set to retire in August 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning, before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see this announcement.

Microsoft Defender for Cloud provides health assessments of supported versions of Endpoint protection solutions. This article explains the scenarios that lead Defender for Cloud to generate the following two recommendations:

Tip

At the end of 2021, we revised the recommendation that installs endpoint protection. One of the changes affects how the recommendation displays machines that are powered off. In the previous version, machines that were turned off appeared in the 'Not applicable' list. In the newer recommendation, they don't appear in any of the resources lists (healthy, unhealthy, or not applicable).

Windows Defender

  • Defender for Cloud recommends Endpoint protection should be installed on your machines when Get-MpComputerStatus runs and the result is AMServiceEnabled: False

  • Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when Get-MpComputerStatus runs and any of the following occurs:

    • Any of the following properties are false:

      • AMServiceEnabled
      • AntispywareEnabled
      • RealTimeProtectionEnabled
      • BehaviorMonitorEnabled
      • IoavProtectionEnabled
      • OnAccessProtectionEnabled
    • If one or both of the following properties are 7 or more:

      • AntispywareSignatureAge
      • AntivirusSignatureAge

Microsoft System Center endpoint protection

  • Defender for Cloud recommends Endpoint protection should be installed on your machines when importing SCEPMpModule ("$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1") and running Get-MProtComputerStatus results in AMServiceEnabled = false.

  • Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when Get-MprotComputerStatus runs and any of the following occurs:

    • At least one of the following properties is false:

      • AMServiceEnabled
      • AntispywareEnabled
      • RealTimeProtectionEnabled
      • BehaviorMonitorEnabled
      • IoavProtectionEnabled
      • OnAccessProtectionEnabled
    • If one or both of the following Signature Updates are greater or equal to 7:

      • AntispywareSignatureAge
      • AntivirusSignatureAge

Trend Micro

  • Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:
    • HKLM:\SOFTWARE\TrendMicro\Deep Security Agent exists
    • HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder exists
    • The dsa_query.cmd file is found in the Installation Folder
    • Running dsa_query.cmd results with Component.AM.mode: on - Trend Micro Deep Security Agent detected

Symantec endpoint protection

Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:

  • HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"
  • HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1

Or

  • HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"
  • HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1

Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when any of the following checks aren't met:

  • Check Symantec Version >= 12: Registry location: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion" -Value "PRODUCTVERSION"
  • Check Real-Time Protection status: HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff == 1
  • Check Signature Update status: HKLM\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days
  • Check Full Scan status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days
  • Find signature version number Path to signature version for Symantec 12: Registry Paths+ "CurrentVersion\SharedDefs" -Value "SRTSP"
  • Path to signature version for Symantec 14: Registry Paths+ "CurrentVersion\SharedDefs\SDSDefs" -Value "SRTSP"

Registry Paths:

  • "HKLM:\Software\Symantec\Symantec Endpoint Protection" + $Path;
  • "HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection" + $Path

McAfee endpoint protection for Windows

Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:

  • HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion exists
  • HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL\enableoas = 1

Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when any of the following checks aren't met:

  • McAfee Version: HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion >= 10
  • Find Signature Version: HKLM:\Software\McAfee\AVSolution\DS\DS -Value "dwContentMajorVersion"
  • Find Signature date: HKLM:\Software\McAfee\AVSolution\DS\DS -Value "szContentCreationDate" >= 7 days
  • Find Scan date: HKLM:\Software\McAfee\Endpoint\AV\ODS -Value "LastFullScanOdsRunTime" >= 7 days

McAfee Endpoint Security for Linux Threat Prevention

Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:

  • File /opt/McAfee/ens/tp/bin/mfetpcli exists
  • "/opt/McAfee/ens/tp/bin/mfetpcli --version" output is: McAfee name = McAfee Endpoint Security for Linux Threat Prevention and McAfee version >= 10

Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when any of the following checks aren't met:

  • "/opt/McAfee/ens/tp/bin/mfetpcli --listtask" returns Quick scan, Full scan and both of the scans <= 7 days
  • "/opt/McAfee/ens/tp/bin/mfetpcli --listtask" returns DAT and engine Update time and both of them <= 7 days
  • "/opt/McAfee/ens/tp/bin/mfetpcli --getoasconfig --summary" returns On Access Scan status

Sophos Antivirus for Linux

Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:

  • File /opt/sophos-av/bin/savdstatus exits or search for customized location "readlink $(which savscan)"
  • "/opt/sophos-av/bin/savdstatus --version" returns Sophos name = Sophos Anti-Virus and Sophos version >= 9

Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when any of the following checks aren't met:

  • "/opt/sophos-av/bin/savlog --maxage=7 | grep -i "Scheduled scan .* completed" | tail -1", returns a value
  • "/opt/sophos-av/bin/savlog --maxage=7 | grep "scan finished" | tail -1", returns a value
  • "/opt/sophos-av/bin/savdstatus --lastupdate" returns lastUpdate, which should be <= 7 days
  • "/opt/sophos-av/bin/savdstatus -v" is equal to "On-access scanning is running"
  • "/opt/sophos-av/bin/savconfig get LiveProtection" returns enabled

Troubleshoot and support

Troubleshoot

Microsoft Antimalware extension logs are available at: %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware(Or PaaSAntimalware)\1.5.5.x(version#)\CommandExecution.log

Support

For more help, contact the Azure experts on the MSDN Azure and Stack Overflow forums. Or file an Azure support incident. Go to the Azure support site and select Get support. For information about using Azure Support, read the Microsoft Azure support common questions.