Review and remediate endpoint detection and response recommendations (MMA)
Microsoft Defender for Cloud provides health assessments of supported versions of Endpoint protection solutions. This article explains the scenarios that lead Defender for Cloud to generate the following two recommendations:
- Endpoint protection should be installed on your machines
- Endpoint protection health issues should be resolved on your machines
Note
As the Log Analytics agent (also known as MMA) is set to retire in August 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning before the retirement date. For more information about the roadmap for each feature that currently relies on the Log Analytics agent, see this announcement.
Tip
At the end of 2021, we revised the recommendation that installs endpoint protection. One of the changes affects how the recommendation displays machines that are powered off. In the previous version, machines that were turned off appeared in the 'Not applicable' list. In the newer recommendation, they don't appear in any of the resources lists (healthy, unhealthy, or not applicable).
Windows Defender
The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Windows Defender:
Recommendation | Appears when |
---|---|
Endpoint protection should be installed on your machines | Get-MpComputerStatus runs and the result is AMServiceEnabled: False |
Endpoint protection health issues should be resolved on your machines | Get-MpComputerStatus runs and any of the following occurs:<br>Any of the following properties is false:<br>- AMServiceEnabled<br>- AntispywareEnabled<br>- RealTimeProtectionEnabled<br>- BehaviorMonitorEnabled<br>- IoavProtectionEnabled<br>- OnAccessProtectionEnabled<br>One or both of the following properties is 7 or more:<br>- AntispywareSignatureAge<br>- AntivirusSignatureAge |
Microsoft System Center endpoint protection
The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Microsoft System Center endpoint protection:
Recommendation | Appears when |
---|---|
Endpoint protection should be installed on your machines | importing SCEPMpModule ("$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1") and running Get-MProtComputerStatus results in AMServiceEnabled = false |
Endpoint protection health issues should be resolved on your machines | Get-MProtComputerStatus runs and any of the following occurs:<br>At least one of the following properties is false:<br>- AMServiceEnabled<br>- AntispywareEnabled<br>- RealTimeProtectionEnabled<br>- BehaviorMonitorEnabled<br>- IoavProtectionEnabled<br>- OnAccessProtectionEnabled<br>One or both of the following signature ages is greater than or equal to 7:<br>- AntispywareSignatureAge<br>- AntivirusSignatureAge |
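The Windows Defender and System Center Endpoint Protection rows above apply the same decision logic to the same property names. The following added example (not code from this page or from Defender for Cloud) reproduces that logic locally so an administrator can see which of the two recommendations a machine would receive, and why, before the assessment runs. The function and parameter names are the author's own; the SCEP module path is the one quoted in the table above, and the script assumes an elevated PowerShell session on the machine being assessed.

```powershell
# Added example: evaluate a machine against the two recommendations' rules.
# Assumptions (not stated on the page): run elevated; property names as listed
# in the tables; a missing property is treated as "false" / age 0.

function Get-EndpointProtectionStatus {
    # Prefer the SCEP provider when its module is present (path from the table),
    # otherwise fall back to the built-in Windows Defender cmdlet.
    $scepModule = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpProvider\MpProvider.psd1'
    if (Test-Path -LiteralPath $scepModule) {
        Import-Module -Name $scepModule -ErrorAction Stop
        return Get-MProtComputerStatus
    }
    Get-MpComputerStatus
}

function Test-EndpointProtectionHealth {
    param(
        # A status object can be passed in for offline evaluation; default is a live query.
        $Status = (Get-EndpointProtectionStatus),
        # Threshold from the tables: a signature age of 7 days or more is unhealthy.
        [int]$MaxSignatureAgeDays = 7
    )

    $mustBeTrue = 'AMServiceEnabled', 'AntispywareEnabled', 'RealTimeProtectionEnabled',
                  'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled'
    $ageProps   = 'AntispywareSignatureAge', 'AntivirusSignatureAge'

    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($p in $mustBeTrue) {
        if (-not $Status.$p) { $findings.Add("$p is false") }
    }
    foreach ($p in $ageProps) {
        if ([int]$Status.$p -ge $MaxSignatureAgeDays) {
            $findings.Add("$p is $($Status.$p) days (threshold $MaxSignatureAgeDays)")
        }
    }

    # AMServiceEnabled = false drives the "should be installed" recommendation;
    # any other finding drives the "health issues" recommendation.
    $recommendation =
        if (-not $Status.AMServiceEnabled) { 'Endpoint protection should be installed on your machines' }
        elseif ($findings.Count -gt 0)     { 'Endpoint protection health issues should be resolved on your machines' }
        else                               { $null }

    [pscustomobject]@{
        Healthy        = ($findings.Count -eq 0)
        Recommendation = $recommendation
        Findings       = $findings.ToArray()
    }
}

# Live check of this machine:
Test-EndpointProtectionHealth | Format-List

# Offline check against a constructed status object (a host with on-access
# protection off and signatures nine days old):
$sample = [pscustomobject]@{
    AMServiceEnabled = $true;  AntispywareEnabled = $true;  RealTimeProtectionEnabled = $true
    BehaviorMonitorEnabled = $true; IoavProtectionEnabled = $true; OnAccessProtectionEnabled = $false
    AntispywareSignatureAge = 9; AntivirusSignatureAge = 9
}
Test-EndpointProtectionHealth -Status $sample | Format-List
```

Running the offline sample reports three findings (OnAccessProtectionEnabled false and both signature ages at 9 days) and maps them to the "health issues" recommendation; the same function run live against a healthy host returns an empty Findings array and no recommendation, which is the state Defender for Cloud expects to see.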
Trend Micro
The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Trend Micro:
Recommendation | Appears when |
---|---|
Endpoint protection should be installed on your machines | any of the following checks aren't met:<br>- HKLM:\SOFTWARE\TrendMicro\Deep Security Agent exists<br>- HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder exists<br>- The dsa_query.cmd file is found in the installation folder<br>- Running dsa_query.cmd results in Component.AM.mode: on<br>- Trend Micro Deep Security Agent is detected |
Symantec endpoint protection
The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Symantec endpoint protection:
Recommendation | Appears when |
---|---|
Endpoint protection should be installed on your machines | any of the following checks aren't met:<br>- HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"<br>- HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1<br>Or<br>- HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"<br>- HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1 |
Endpoint protection health issues should be resolved on your machines | any of the following checks aren't met:<br>- Check Symantec version >= 12: registry location HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion -Value "PRODUCTVERSION"<br>- Check real-time protection status: HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff == 1<br>- Check signature update status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days<br>- Check full scan status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days<br>- Find signature version number:<br>- Path to signature version for Symantec 12: Registry Paths + "CurrentVersion\SharedDefs" -Value "SRTSP"<br>- Path to signature version for Symantec 14: Registry Paths + "CurrentVersion\SharedDefs\SDSDefs" -Value "SRTSP"<br>Registry Paths:<br>- "HKLM:\Software\Symantec\Symantec Endpoint Protection" + $Path<br>- "HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection" + $Path |
McAfee endpoint protection for Windows
The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for McAfee endpoint protection for Windows:
Recommendation | Appears when |
---|---|
Endpoint protection should be installed on your machines | any of the following checks aren't met:<br>- HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion exists<br>- HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL\enableoas = 1 |
Endpoint protection health issues should be resolved on your machines | any of the following checks aren't met:<br>- McAfee version: HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion >= 10<br>- Find signature version: HKLM:\Software\McAfee\AVSolution\DS\DS -Value "dwContentMajorVersion"<br>- Find signature date: HKLM:\Software\McAfee\AVSolution\DS\DS -Value "szContentCreationDate" >= 7 days<br>- Find scan date: HKLM:\Software\McAfee\Endpoint\AV\ODS -Value "LastFullScanOdsRunTime" >= 7 days |
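The Symantec and McAfee tables above are pure registry checks, with Symantec's values living under either the native or the Wow6432Node key. The following added example (not code from this page or from Defender for Cloud) evaluates those checks from an elevated PowerShell session on the machine itself and reports which checks fail. The function names are the author's own. The storage format of the date-valued entries (LatestVirusDefsDate, LastSuccessfulScanDateTime, szContentCreationDate, LastFullScanOdsRunTime) is not stated on the page, so the date parsing below covers the common representations and is an assumption; the 7-day threshold is the one the tables use.

```powershell
# Added example: local evaluation of the Symantec and McAfee registry checks.
# Assumptions: elevated session; date formats as handled in ConvertTo-DateTimeLoose.

$SymantecRoots = 'HKLM:\Software\Symantec\Symantec Endpoint Protection',
                 'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection'

function Get-FirstRegistryValue {
    # Return value $Name from the first key $Root\$SubKey that holds it
    # (native key first, then Wow6432Node); $null when none does.
    param([string[]]$Roots, [string]$SubKey, [string]$Name)
    foreach ($root in $Roots) {
        $key  = if ($SubKey) { Join-Path $root $SubKey } else { $root }
        $item = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    $null
}

function ConvertTo-DateTimeLoose {
    # Assumption: the vendor stores the date as FILETIME, Unix seconds, yyyyMMdd
    # or a culture-neutral string. Returns $null when nothing parses.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [int] -or $Value -is [long] -or $Value -is [uint32] -or $Value -is [uint64]) {
        $n = [long]$Value
        if ($n -gt 100000000000000000) { return [datetime]::FromFileTimeUtc($n) }  # 100-ns ticks since 1601
        return [datetimeoffset]::FromUnixTimeSeconds($n).UtcDateTime
    }
    $parsed = [datetime]::MinValue
    $inv = [cultureinfo]::InvariantCulture
    if ([datetime]::TryParseExact([string]$Value, 'yyyyMMdd', $inv, 'None', [ref]$parsed)) { return $parsed }
    if ([datetime]::TryParse([string]$Value, $inv, 'None', [ref]$parsed)) { return $parsed }
    $null
}

function Test-AgeWithin {
    # True when $Value parses to a date no older than $MaxAgeDays; missing or
    # unparsable values fail the check rather than silently passing it.
    param($Value, [int]$MaxAgeDays)
    $dt = ConvertTo-DateTimeLoose $Value
    if ($null -eq $dt) { return $false }
    ((Get-Date).ToUniversalTime() - $dt.ToUniversalTime()).TotalDays -le $MaxAgeDays
}

function Test-SymantecEndpointProtection {
    param([int]$MaxAgeDays = 7)
    $r = $SymantecRoots
    $findings = @()
    # "Installed" row: product name present and ASRunningStatus = 1 in either hive view.
    $name    = Get-FirstRegistryValue $r 'CurrentVersion' 'PRODUCTNAME'
    $running = Get-FirstRegistryValue $r 'CurrentVersion\public-opstate' 'ASRunningStatus'
    if ($name -ne 'Symantec Endpoint Protection' -or $running -ne 1) {
        return [pscustomobject]@{ Vendor = 'Symantec'; Installed = $false; Healthy = $false; Findings = @('PRODUCTNAME or ASRunningStatus check not met') }
    }
    # "Health issues" row.
    $ver = [string](Get-FirstRegistryValue $r 'CurrentVersion' 'PRODUCTVERSION')
    if (-not $ver -or [int]$ver.Split('.')[0] -lt 12) { $findings += "PRODUCTVERSION '$ver' is below 12" }
    if ((Get-FirstRegistryValue $r 'AV\Storages\Filesystem\RealTimeScan' 'OnOff') -ne 1) { $findings += 'RealTimeScan OnOff is not 1' }
    foreach ($v in 'LatestVirusDefsDate', 'LastSuccessfulScanDateTime') {
        $raw = Get-FirstRegistryValue $r 'CurrentVersion\public-opstate' $v
        if (-not (Test-AgeWithin $raw $MaxAgeDays)) { $findings += "$v ('$raw') is not within $MaxAgeDays days" }
    }
    # SEP 14 keeps the signature version under SharedDefs\SDSDefs, SEP 12 under SharedDefs.
    $sig = Get-FirstRegistryValue $r 'CurrentVersion\SharedDefs\SDSDefs' 'SRTSP'
    if ($null -eq $sig) { $sig = Get-FirstRegistryValue $r 'CurrentVersion\SharedDefs' 'SRTSP' }
    [pscustomobject]@{ Vendor = 'Symantec'; Installed = $true; Healthy = ($findings.Count -eq 0); SignatureVersion = $sig; Findings = $findings }
}

function Test-McAfeeEndpointSecurity {
    param([int]$MaxAgeDays = 7)
    $r = @('HKLM:\SOFTWARE\McAfee')
    $findings = @()
    $ver = [string](Get-FirstRegistryValue $r 'Endpoint\AV' 'ProductVersion')
    $oas = Get-FirstRegistryValue $r 'AVSolution\MCSHIELDGLOBAL\GLOBAL' 'enableoas'
    if (-not $ver -or $oas -ne 1) {
        return [pscustomobject]@{ Vendor = 'McAfee'; Installed = $false; Healthy = $false; Findings = @('ProductVersion missing or enableoas is not 1') }
    }
    if ([int]$ver.Split('.')[0] -lt 10) { $findings += "ProductVersion '$ver' is below 10" }
    $sigDate = Get-FirstRegistryValue $r 'AVSolution\DS\DS' 'szContentCreationDate'
    if (-not (Test-AgeWithin $sigDate $MaxAgeDays)) { $findings += "szContentCreationDate ('$sigDate') is not within $MaxAgeDays days" }
    $scan = Get-FirstRegistryValue $r 'Endpoint\AV\ODS' 'LastFullScanOdsRunTime'
    if (-not (Test-AgeWithin $scan $MaxAgeDays)) { $findings += "LastFullScanOdsRunTime ('$scan') is not within $MaxAgeDays days" }
    [pscustomobject]@{ Vendor = 'McAfee'; Installed = $true; Healthy = ($findings.Count -eq 0)
                       SignatureVersion = (Get-FirstRegistryValue $r 'AVSolution\DS\DS' 'dwContentMajorVersion'); Findings = $findings }
}

Test-SymantecEndpointProtection | Format-List
Test-McAfeeEndpointSecurity     | Format-List
```

Each function returns Installed = $false when the "should be installed" row's conditions fail, and otherwise lists the failing "health issues" checks in Findings, so a non-empty Findings array is the condition under which Defender for Cloud would raise the second recommendation. Because the on-disk format of the date values is an assumption, compare the raw value echoed in the finding text against the parsed result the first time you run this on a given product version.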
McAfee Endpoint Security for Linux Threat Prevention
The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for McAfee Endpoint Security for Linux Threat Prevention:
Recommendation | Appears when |
---|---|
Endpoint protection should be installed on your machines | any of the following checks aren't met:<br>- File /opt/McAfee/ens/tp/bin/mfetpcli exists<br>- "/opt/McAfee/ens/tp/bin/mfetpcli --version" output is: McAfee name = McAfee Endpoint Security for Linux Threat Prevention and McAfee version >= 10 |
Endpoint protection health issues should be resolved on your machines | any of the following checks aren't met:<br>- "/opt/McAfee/ens/tp/bin/mfetpcli --listtask" returns Quick scan and Full scan, and both scans are <= 7 days old<br>- "/opt/McAfee/ens/tp/bin/mfetpcli --listtask" returns the DAT and engine update times, and both are <= 7 days old<br>- "/opt/McAfee/ens/tp/bin/mfetpcli --getoasconfig --summary" returns the On Access Scan status |
Sophos Antivirus for Linux
The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Sophos Antivirus for Linux:
Recommendation | Appears when |
---|---|
Endpoint protection should be installed on your machines | any of the following checks aren't met:<br>- File /opt/sophos-av/bin/savdstatus exists, or search for a customized location with "readlink $(which savscan)"<br>- "/opt/sophos-av/bin/savdstatus --version" returns Sophos name = Sophos Anti-Virus and Sophos version >= 9 |
Endpoint protection health issues should be resolved on your machines | any of the following checks aren't met:<br>- "/opt/sophos-av/bin/savlog --maxage=7 | grep -i "Scheduled scan .* completed" | tail -1" returns a value<br>- "/opt/sophos-av/bin/savlog --maxage=7 | grep "scan finished" | tail -1" returns a value<br>- "/opt/sophos-av/bin/savdstatus --lastupdate" returns lastUpdate, which should be <= 7 days<br>- "/opt/sophos-av/bin/savdstatus -v" is equal to "On-access scanning is running"<br>- "/opt/sophos-av/bin/savconfig get LiveProtection" returns enabled |
Troubleshoot and support
Troubleshoot
Microsoft Antimalware extension logs are available at %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware (or PaaSAntimalware)\1.5.5.x (the installed extension version)\CommandExecution.log
Support
For more help, contact the Azure experts in Azure Community Support. Or file an Azure support incident. Go to the Azure support site and select Get support. For information about using Azure Support, read the Microsoft Azure support common questions.