Rediger

Del via


Review and remediate endpoint detection and response recommendations (MMA)

Microsoft Defender for Cloud provides health assessments of supported versions of Endpoint protection solutions. This article explains the scenarios that lead Defender for Cloud to generate the following two recommendations:

Note

As the Log Analytics agent (also known as MMA) is set to retire in August 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning, before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see this announcement.

Tip

At the end of 2021, we revised the recommendation that installs endpoint protection. One of the changes affects how the recommendation displays machines that are powered off. In the previous version, machines that were turned off appeared in the 'Not applicable' list. In the newer recommendation, they don't appear in any of the resources lists (healthy, unhealthy, or not applicable).

Windows Defender

The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Windows Defender:

Recommendation Appears when
Endpoint protection should be installed on your machines Get-MpComputerStatus runs and the result is AMServiceEnabled: False
Endpoint protection health issues should be resolved on your machines Get-MpComputerStatus runs and any of the following occurs:

Any of the following properties are false:

- AMServiceEnabled
- AntispywareEnabled
- RealTimeProtectionEnabled
- BehaviorMonitorEnabled
- IoavProtectionEnabled
- OnAccessProtectionEnabled

If one or both of the following properties are 7 or more:

- AntispywareSignatureAge
- AntivirusSignatureAge

Microsoft System Center endpoint protection

The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Microsoft System Center endpoint protection:

Recommendation Appears when
Endpoint protection should be installed on your machines importing SCEPMpModule ("$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1") and running Get-MProtComputerStatus results in AMServiceEnabled = false
Endpoint protection health issues should be resolved on your machines Get-MprotComputerStatus runs and any of the following occurs:

At least one of the following properties is false:

- AMServiceEnabled
- AntispywareEnabled
- RealTimeProtectionEnabled
- BehaviorMonitorEnabled
- IoavProtectionEnabled
- OnAccessProtectionEnabled

If one or both of the following Signature Updates are greater or equal to 7:

- AntispywareSignatureAge
- AntivirusSignatureAge

Trend Micro

The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Trend Micro:

Recommendation Appears when
Endpoint protection should be installed on your machines any of the following checks aren't met:

- HKLM:\SOFTWARE\TrendMicro\Deep Security Agent exists
- HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder exists
- The dsa_query.cmd file is found in the Installation Folder
- Running dsa_query.cmd results with Component.AM.mode: on - Trend Micro Deep Security Agent detected

Symantec endpoint protection

The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Symantec endpoint protection:

Recommendation Appears when
Endpoint protection should be installed on your machines any of the following checks aren't met:

- HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"
- HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1
Or
- HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"
- HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1
Endpoint protection health issues should be resolved on your machines any of the following checks aren't met:

- Check Symantec Version >= 12: Registry location: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion" -Value "PRODUCTVERSION"
- Check Real-Time Protection status: HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff == 1
- Check Signature Update status: HKLM\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days
- Check Full Scan status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days
- Find signature version number Path to signature version for Symantec 12: Registry Paths+ "CurrentVersion\SharedDefs" -Value "SRTSP"
- Path to signature version for Symantec 14: Registry Paths+ "CurrentVersion\SharedDefs\SDSDefs" -Value "SRTSP"

Registry Paths:

- "HKLM:\Software\Symantec\Symantec Endpoint Protection" + $Path;
- "HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection" + $Path

McAfee endpoint protection for Windows

The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for McAfee endpoint protection for Windows:

Recommendation Appears when
Endpoint protection should be installed on your machines any of the following checks aren't met:

- HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion exists
- HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL\enableoas = 1
Endpoint protection health issues should be resolved on your machines any of the following checks aren't met:

- McAfee Version: HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion >= 10
- Find Signature Version: HKLM:\Software\McAfee\AVSolution\DS\DS -Value "dwContentMajorVersion"
- Find Signature date: HKLM:\Software\McAfee\AVSolution\DS\DS -Value "szContentCreationDate" >= 7 days
- Find Scan date: HKLM:\Software\McAfee\Endpoint\AV\ODS -Value "LastFullScanOdsRunTime" >= 7 days

McAfee Endpoint Security for Linux Threat Prevention

The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for McAfee Endpoint Security for Linux Threat Prevention:

Recommendation Appears when
Endpoint protection should be installed on your machines any of the following checks aren't met:

- File /opt/McAfee/ens/tp/bin/mfetpcli exists
- "/opt/McAfee/ens/tp/bin/mfetpcli --version" output is: McAfee name = McAfee Endpoint Security for Linux Threat Prevention and McAfee version >= 10
Endpoint protection health issues should be resolved on your machines any of the following checks aren't met:

- "/opt/McAfee/ens/tp/bin/mfetpcli --listtask" returns Quick scan, Full scan and both of the scans <= 7 days
- "/opt/McAfee/ens/tp/bin/mfetpcli --listtask" returns DAT and engine Update time and both of them <= 7 days
- "/opt/McAfee/ens/tp/bin/mfetpcli --getoasconfig --summary" returns On Access Scan status

Sophos Antivirus for Linux

The table explains the scenarios that lead Defender for Cloud to generate the following two recommendations for Sophos Antivirus for Linux:

Recommendation Appears when
Endpoint protection should be installed on your machines any of the following checks aren't met:

- File /opt/sophos-av/bin/savdstatus exits or search for customized location "readlink $(which savscan)"
- "/opt/sophos-av/bin/savdstatus --version" returns Sophos name = Sophos Anti-Virus and Sophos version >= 9
Endpoint protection health issues should be resolved on your machines any of the following checks aren't met:

- "/opt/sophos-av/bin/savlog --maxage=7 | grep -i "Scheduled scan .* completed" | tail -1", returns a value
- "/opt/sophos-av/bin/savlog --maxage=7 | grep "scan finished" | tail -1", returns a value
- "/opt/sophos-av/bin/savdstatus --lastupdate" returns lastUpdate, which should be <= 7 days
- "/opt/sophos-av/bin/savdstatus -v" is equal to "On-access scanning is running"
- "/opt/sophos-av/bin/savconfig get LiveProtection" returns enabled

Troubleshoot and support

Troubleshoot

Microsoft Antimalware extension logs are available at: %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware(Or PaaSAntimalware)\1.5.5.x(version#)\CommandExecution.log

Support

For more help, contact the Azure experts in Azure Community Support. Or file an Azure support incident. Go to the Azure support site and select Get support. For information about using Azure Support, read the Microsoft Azure support common questions.