Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Endpoint Plan 1
Want to experience Defender for Endpoint? Sign up for a free trial.
Platforms
- Windows
- macOS
- Android
In the Microsoft Defender portal, you can view and manage threat detections using the following steps:
Visit Microsoft XDR portal and sign-in.
On the landing page, you see the Devices with active malware card with the following information:
- Display text: Applies to Intune-managed devices. Devices with multiple malware detections may be counted more than once.
- Last updated date and time.
- A bar with the Active and Malware remediated portions as per your scan.
You can select View Details for more information.
Once remediated, you see the following text being displayed:
Malware found on your devices have been remediated successfully.
Manage threat detections in Microsoft Intune
You can manage threat detections for any devices that are enrolled in Microsoft Intune using the following steps:
Go to the Microsoft Intune admin center at intune.microsoft.com and sign-in.
In the navigation pane, select Endpoint security.
Under Manage, select Antivirus. You see tabs for Summary, Unhealthy endpoints, and Active malware.
Review the information on the available tabs, and then take action as necessary.
For example, when you can select a device that is listed under the Active malware tab, you can choose one action from the list of actions provided:
- Restart
- Quick Scan
- Full Scan
- Sync
- Update signatures
FAQs
In the Microsoft XDR portal > Devices with active malware > Devices with malware detections report, why does the Last update seem to be occurring today?
To see when the malware was detected, you can take the following steps:
Since this is an integration with Intune, visit Intune portal and select Antivirus and then select Active malware tab.
Select Export.
On your device, go to Downloads, and extract the
Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zipfile.Open the CSV and find the LastStateChangeDateTime column to see when malware was detected.
In the devices with malware detections report, why can't I see any information about which malware was detected on the device.
To see the malware name, visit the Intune portal as this is an integration with Intune, select Antivirus, and select Active malware tab and you see a column named Malware name.
I see a different number for active malware in Devices with active malware report, when compared to numbers I see using Reports > Detected malware, and Intune > Antivirus > Active malware.
The Devices with active malware report is based on the devices that were active within the last 1 day (24 hours) and had malware detections within the last 15 days.
Use the following Advanced Hunting query:
DeviceInfo
| where Timestamp > startofday(datetime(2024-01-29 00:00:00))
| where OnboardingStatus == "Onboarded"
| where SensorHealthState == "Active"
| distinct DeviceId, DeviceName
| join kind=innerunique (
AlertEvidence
| where Timestamp > ago(15d)
| where ServiceSource == "Microsoft Defender for Endpoint"
| where DetectionSource == "Antivirus")
on DeviceName
| distinct DeviceName, DeviceId, Title, AlertId, Timestamp
I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?
Use the Advanced Hunting query that is mentioned here for details such as unique DeviceID, Title, AlertID, and the remediation process. After identifying, work with your IT admin's to make sure that the devices are uniquely named. If a device is retired, use tags to decommission it.
I see malware detection in Intune and on the Devices with active malware report, but I don't see it in the MDE Alerts queue or in the Incidents queue.
It might be that the URL's Cloud Protection is currently not being allowed through your firewall or proxy.
You need to ensure that when you run %ProgramFiles%\Windows Defender\MpCmdRun.exe -ValidateMapsConnection on your device, the reporting is Ok.
I see a device that has been inactive for 180+ days but still showing up on the report for 'Devices with active malware'. The device doesn't show in the "Device inventory", can't be turned on and can't be offboarded from Microsoft Defender for Endpoint.
The device has not been retired from Intune.