{"id":5970,"date":"2023-01-03T21:51:44","date_gmt":"2023-01-03T19:51:44","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=5970"},"modified":"2024-01-03T18:28:05","modified_gmt":"2024-01-03T16:28:05","slug":"microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6\/","title":{"rendered":"Microsoft Defender for Endpoint series \u2013 Validate Defender protection and additional troubleshooting \u2013 Part6"},"content":{"rendered":"\n
Introduction

It is time for part 6 of the Microsoft Defender for Endpoint (MDE) series. All previous parts focused on onboarding, configuration and Microsoft Defender Vulnerability Management. Now it is time for the initial testing of the Defender for Endpoint components and a check whether all protection components are working correctly, with some troubleshooting explanation.

After onboarding and configuration, it is critical to validate all key features and protection states. Microsoft provides some test scripts, but there are other ways of testing the protection capabilities as well.

NOTE: The blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are available in P2.

Specific question or content idea for the Defender for Endpoint series? Use the contact submission form and share your post ideas.

After the initial onboarding of Defender for Endpoint and configuration of Defender AV/NGP, it is important to make sure all Defender protections are in a good state and doing their job. Based on experience, it is recommended to prepare a good test plan for the different types of computers and networks and to confirm the state during the roll-out. In this part of the MDE series the Defender protection test capabilities are explained. Part 6 also contains more in-depth troubleshooting for Defender AV and Defender for Endpoint.

The following is part of the blog:

- Check the device state
- Check the configuration state
- Check Defender for Endpoint
- Additional troubleshooting with event logs and log locations
- Collecting additional data

Check the device state

First, it is recommended to test and validate the AV state of the device. After configuring Defender for Endpoint and the additional protections, it is critical to confirm and validate the state. There are multiple options available for checking the Defender state on the device.

The simplest way is with the Get-MpComputerStatus and Get-MpPreference commands.

Get-MpComputerStatus gets the antimalware status of Defender AV. Use the command for validating the running mode. Check the following items:

For the signature updates, check AntispywareSignatureAge and AntivirusSignatureAge. Ideally, the signatures are updated multiple times a day. AntivirusSignatureLastUpdated shows the latest update time of the signatures. With AntivirusSignatureVersion it is possible to check the installed version and compare it with the latest released signature information.

For Tamper Protection, check the IsTamperProtected field and TamperProtectionSource. When enabled via the service settings, TamperProtectionSource contains ATP. IsTamperProtected must show True, which means the device is protected with Tamper Protection.

Check the configuration state

With Defender Vulnerability Management it is possible to check the protection configuration based on the available SCID entries. See Part 5 for more in-depth information and example queries for each core component.

One of the most common questions is: can we see which configuration is applied on the machine? The answer is yes; it is possible to see which value is configured for each setting. With the Get-MpPreference command we can show all configured settings:

Use the Set-MpPreference reference page for the explanation of each value: Set-MpPreference (Defender) | Microsoft Learn

For the protection state, check the following items:

Network Protection for servers

Protection

Check Defender for Endpoint

After checking the Defender AV configuration, validate and confirm the onboarding of Defender for Endpoint.

When the device is correctly onboarded in Defender for Endpoint, the device is visible with the state Onboarded. There are different states which can cause some confusion:

After onboarding, make sure the full data sync is initiated. Sometimes the device is visible in MDE with the state Onboarded without the additional dataset in MDE. The dataset can be confirmed with the following items:

For the first onboarded devices it is recommended to test the device actions (isolate, restrict, live response) to make sure all features are working correctly.

KQL for checking the events:

    // Search all listed tables for events of the named device in the last day.
    // deviceId is declared for reference but not used by the search below.
    let deviceName = "cpc-jeffrey6-0a";
    let deviceId = "af21d57a4686a0f6d684be606c4beb05ab871a";
    search in (IdentityLogonEvents,IdentityQueryEvents,IdentityDirectoryEvents,DeviceProcessEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceRegistryEvents,DeviceLogonEvents,DeviceImageLoadEvents,DeviceEvents)
    Timestamp between (ago(1d) .. now())
    and (DeviceName == deviceName)
    | take 100

Use the button Go Hunt and run the query against all available tables. Check whether additional events are available for the device:

Additional troubleshooting with event logs and log locations

Sometimes devices will not be onboarded for various reasons (onboarding, hardware conflict, network). With additional logging the issues can be tracked and investigated. The following log locations and event locations are available:

These log locations apply to systems onboarded with the unified solution for 2012R2/2016 or on newer operating systems.

Sense Agent related logs (MDE)

The Sense Agent-related logs are based on the EDR component (SENSE) and are used by the following operating systems:

Log locations

Defender AV-related logs (MDAV)

Log and configuration validation of Microsoft Defender AV can be done by reviewing the following locations:

Some example scenarios that can be investigated by looking into these locations are:

Log locations

Defender AV operational: Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender

Additional log locations

Direct logs are available on the system without collecting additional logs. The following overview gives the most common log files and locations for Defender Antivirus and Defender for Endpoint.

Defender Antivirus log files:

    C:\ProgramData\Microsoft\Windows Defender\Support

Additional verbose logging can be collected with the diagnostic data collection. Use the following command to get all additional data in a cab file:

    "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles

The cab file is by default located in the following folder: C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab

Some examples of files in MpSupportFiles.cab which can be useful for further troubleshooting:

Collecting additional data

A more in-depth investigation is possible with the collection of additional log files for the Defender for Endpoint product. With the Microsoft Defender for Endpoint Client Analyzer tool there is the option to analyze the system and review the configuration.

After downloading and unzipping MDEClientAnalyzer.zip, the MDEClientAnalyzer folder contains several files.

From the MDEClientAnalyzer folder, we can run the MDEClientAnalyzer.cmd script. One of the options is to run this script without additional parameters. Without parameters the analyzer provides generic log output including a connectivity test, related logs and related event files.

It can take some time before MDEClientAnalyzer.cmd completes. When completed, an MDEClientAnalyzerResult folder is created including all files and additional configuration. The MDEClientAnalyzer.html file contains the overview page including detailed results and possible errors.