top of page
Writer's pictureWill Francillette

MDE: Keeping your Antivirus up to date - deep dive

Updated: Jan 14

Immutable laws of security

If you have a look at Microsoft Cybersecurity Reference Architecture (MCRA) and Microsoft Zero Trust implementation guidance, you will come across the immutable laws of security: The immutable laws of security | Microsoft Learn

This is a set of 10 commandments or statements meant to bust prevalent security myths.

The 8th law, stating that an out-of-date antimalware scanner is only marginally better than no scanner at all, inspired this blog.

Despite being, in my opinion, an amazing product, Defender for Endpoint can be complex due to its multiple components and updates, specifically across Windows operating systems, require a good understanding of the product.


In this blog, we will focus on the antivirus/malware (AV) and endpoint detection and response (EDR) components, and dive in configuring and monitoring Defender for Endpoint update status in your environment.

 

Table of contents:

.

 

What are the different types of updates in MDE?

A - On Windows

 

  • The AV engine agent updates are part of the platformUpdate package included in KB4052623

This package is installed under c:\programdata\Microsoft\Windows Defender\Platform\<version>

The application mpcmdeng.exe run as a service named windefend with Windows Defender as display name

 

  • The EDR sensor agent updates are part of Sense package included in the KB5005292

This package is installed under c:\programdata\Microsoft\Windows Defender Advanced Threat Protection\Platform\<version>

The application sense.exe run as a service named sense with Windows Defender Advanced Threat Protection as display name

 

  • The signature definition updates are included in KB2267602

They can be found under c:\programdata\Microsoft\Windows Defender\Definition Updates\<guid>

 

B - On Linux

 

With:

<os> your distribution such as ubuntu, amazonlinux etc

<version>: such as 16.04 for ubuntu

<channel>: insiders-fast insiders-slow and prod

<year>: such as 2023

You can retrieve previous versions from this location

 

For example:

 

 

C - On MacOS

Updates are managed using Microsoft Auto Update  (MAU) and msupdate

 

How often updates are released?

  • AV and EDR prod agents are released monthly with hotfixes released when necessary.

It is highly recommended to use the latest versions and benefit from the latest features and fixes

 

  • Signature definitions are released approximately every 4 hours.

You should make sure to retrieve the latest package and check every 1-2 hours for new release.

 

You can subscribe to the RSS feed to be alerted when those webpages are updated, ie new version are released https://learn.microsoft.com/api/search/rss?search=%22Microsoft+Defender+Antivirus+security+intelligence+and+product+updates%22&locale=en-us


You can also integrate that feed with Microsoft Teams or Exchange Online using Power Automate. Nikkie Chapple has already demonstrated this on her blog, please have a look at Nikkie's work:


How can I manually retrieve updates?

A - On Windows

You can configure where to retrieve agent updates and signatures, either directly from Microsoft, your update orchestrator such as WSUS or config Manager (SCCM), or a central share.

To initiate a manual update of the signature definitions you can use PowerShell:

Update-MpSignature

Or command prompt:

c:\programdata\Microsoft\Windows Defender Advanced Threat Protection\Platform\<version>\MpCmdRun.exe -SignatureUpdate

 

To update the agents manually, go to Microsoft Update Catalog , search for and install KB4052623 (AV) or KB5005292 (EDR)

 

B- On Linux

Signature updates are retrieved from Microsoft and agent updates will depend on your package config file. You could edit it to refer to a local satellite, or retrieving them directly from Microsoft.

To update signature definition run:

mdatp definitions update

 

To update your agent, update mdatp package using your package manager for example

yum update mdatp -y

 

C - On MacOs

Updates are retrieved from Microsoft directly

 

To update signature definition run:

mdatp definitions update

 

To update the agent manually, open Microsoft Auto Update (MAU) and press check for update

MacOs MAU

How do I configure automatic updates?

A - On Windows

KB4052623 and KB5005292, the AV and EDR agents updates are categorised as Microsoft Defender for Endpoint  product in Microsoft Update Catalog so ensure this category is enabled in your standalone WSUS server or part of your Configuration Manager farm.

 

Signature definitions are configured using Group Policy, Configuration Manager, Intune, PowerShell or WMI with the below settings:

  • SignatureFallbackOrder

  • SignatureDefinitionUpdateFileSharesSource

  • SignatureScheduleDay

  • SignatureScheduleTime

  • SignatureUpdateInterval

 

Reference:

SignatureFallbackOrder

This setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. The possible values are:

  • InternalDefinitionUpdateServer: Configuration Manager or WSUS

  • MicrosoftUpdateServer: Windows update (recommended)

  • MMPC: Microsoft Malware Protection center

  • FileShares : a File Share configured

 

The setting will be displayed differently depending on the deployment method:

  • Group Policy:  Location: Computer Settings > Administrative templates > Windows components > Windows Defender > Signature updates Display name: Define the order of sources for downloading security intelligence updates

  • Configuration Manager: Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Set sources and order for Endpoint Protection client updates

  • Intune: Location: Endpoint security > Antivirus Display name: Define the order of sources for downloading definition updates

 

SignatureDefinitionUpdateFileSharesSource

This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }".

 

The setting will show as:

  • Group Policy:  Location: Computer Settings > Administrative templates > Windows components > Windows Defender > Signature updates Display name: Define file shares for downloading security intelligence updates

  • Configuration Manager:  Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Configure Definition Update Sources and select Updates from UNC file shares.

  • Intune: Location: Endpoint security > Antivirus Display name: Define file shares for downloading definition updates

 

SignatureScheduleDay

This policy setting allows you to specify an the day to check for security intelligence updates.

 

The setting will show as:

  • Group Policy:  Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the day of the week to check for security intelligence updates

  • Configuration Manager: N/A

  • Intune: N/A

 

SignatureScheduleTime

This policy setting allows you to specify an the time to check for security intelligence updates.

 

The setting will show as:

  • Group Policy: Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the time to check for security intelligence updates

  • Configuration Manager:  Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Check for Endpoint Protection security intelligence daily at.

  • Intune: N/A

 

SignatureUpdateInterval

This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).

 

The setting will show as:

  • Group Policy: Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the interval to check for security intelligence updates

  • Configuration Manager:  Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Check for Endpoint Protection security intelligence at a specific interval (hours).

  • Intune: Location: Endpoint security > Antivirus Display name: Enter how often (0-24 hours) to check for security intelligence updates

 

 

B- On Linux

You can configure your signature update settings using the CLI, the configuration file and Intune/Defender XDR using the Security Setting Management. They can only be retrieved from Microsoft directly

 

There is only a single setting available:

  • CLI: mdatp config automatic_definition_update_enabled --value true/false

  • Configuration file:

{
	...
   	"cloudService":{
      	"enabled":true,
      	"diagnosticLevel":"optional",
      	"automaticSampleSubmissionConsent":"safe",
      	"automaticDefinitionUpdateEnabled":true,
      	"proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
   	}
}
  • Intune:

Intune Automatic update enablement

Reference


C -On MacOS

You can configure your signature update settings using the CLI, the Microsoft Auto Update and Intune and Defender XDR Security settings, or JAMF using the Security Setting Management. They can only be retrieved from Microsoft directly

 

There is only a single setting available:

  • CLI: mdatp config automatic_definition_update_enabled --value true/false

  • MAU:

MAU update

  • Intune:

Intune Security Settings update


Reference


How do I monitor my update status?

 

Microsoft Defender XDR is where all the magic happen 🤩.

 

You would find built-in reports and be creative with KQL and advanced hunting.

 

1- Microsoft Antivirus health


You'll find an aggregated and interactive report from Defender XDR > Reports > Device health > Microsoft Antivirus health

 

MDAV report

You can customize this view with a rich set of filters

MDAV report filter

You can also export this report as CSV and find the current AV engine version, signature updates for each devices

MDAV report export

2- Vulnerability management

 

You can find devices out of date from the MDVM recommendation section ( Defender XDR > Vulnerability management > Recommendations) and look for

  • Update Microsoft Defender for Endpoint core components

  • Update Microsoft Defender Antivirus definitions

The exposed devices tab will display those out of date devices and allow you to export that list.

MDVM out of date AV

3- KQL

 

I'll share a few queries to retrieve the versions of each components and will be looking more particularly at DeviceTvmSecureConfigurationAssessment

 

  • This table contains all the vulnerabilities from Defender for Vulnerability detected in your environment. Those are referred by a ConfigurationId. To retrieve the detail of every item you can use DeviceTvmSecureConfigurationAssessmentKB as shown below. We will filter that list for update only.

 

DeviceTvmSecureConfigurationAssessment
| join kind=leftouter (DeviceTvmSecureConfigurationAssessmentKB) on ConfigurationId
| distinct ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact
| sort by ConfigurationId asc
|where ConfigurationName  contains "Update"
KQL MDVM SCIDs

We will focus on

-Scid-2011: Signatures definition updates for Windows OS - We will retrieve all components version from this item

-Scid-2030: EDR agent update for Windows OS

-Scid-5095: Signatures definition updates for MacOS

-Scid-6095: Signatures definition updates for Linux


  • From there we can retrieve all devices out of date as followed

let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsCompliant == 0
//| where OSPlatform  contains "WindowsServer"
| join (
    DeviceInfo
    | summarize by DeviceId,SensorHealthState,RegistryDeviceTag
    )
    on DeviceId
| where SensorHealthState == "Active"
//| where RegistryDeviceTag startswith "MyTag"

 

I commented 2 filters to customize the query as required: OS platform and tags (the tags referred as GROUP)

 

  • You can also render the non-compliance results as a pie chart for example

let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsCompliant == 0
| join (
    DeviceInfo
    | summarize by DeviceId,SensorHealthState,RegistryDeviceTag
    )
    on DeviceId
| where SensorHealthState == "Active"
//| summarize by DeviceName,IsCompliant,OSPlatform,ConfigurationSubcategory,sigversion,engversion,platformversion,lastupdatetime
| summarize count() by OSPlatform
|render piechart
KQL PieChart
  • To retrieve the detail of your Windows devices components, use

let updateSCID = dynamic (["scid-2011"]);
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID)
//| where OSPlatform  contains "WindowsServer2012R2"
| join (
    DeviceInfo
    | summarize by DeviceId,SensorHealthState,RegistryDeviceTag
    )
    on DeviceId
| where SensorHealthState == "Active"
| extend avdata=parsejson(Context)
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])

 

This configuration item retrieves 4 additional information:

-Signature definition version

-AV engine version

-EDR agent version

-And the last time an update occurred


  • To retrieve the version for the all platforms,

let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsApplicable
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])
  • Regarding the IsCompliant field used in the 2 first queries, Microsoft considers an AV out of date if it didn't update for 5 or 7d (not entirely sure). We can refine this threshold using the below query to monitor the Signature Definition update frequency.

let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
let OutOfDateThreshold = 3d;
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsApplicable
| join (
    DeviceInfo
    | summarize by DeviceId,SensorHealthState,RegistryDeviceTag
    )
    on DeviceId
| where SensorHealthState == "Active"
| extend avdata=parsejson(Context)
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])
| where lastupdatetime < ago(OutOfDateThreshold)
| summarize by DeviceId,DeviceName,OSPlatform,sigversion,engversion,platformversion,lastupdatetime

How to automate the monitoring notifications?

Overview

There is no built-in way to schedule and automate the reports generation.

You MDVM logs aren't enabled natively in Sentinel via Microsoft Defender XDR connector however it is marked as coming soon


Sentinel MDVM signals

As an alternative, we can use the Graph API and automate the query from an automation account in Azure

Azure Automation Flow Chart
  1. An Azure Automation account connect to the Graph API using a system managed identity

  2. The Graph Advanced Hunting module is used to retrieve the out of date devices

  3. The automation account generate a csv report

  4. The csv report is stored in a blob storage

  5. An email is sent to a shared mailbox/ distribution list including the csv report

Azure automation Account configuration

1- Create an Azure automation account

Azure Automation Account

2- Enable the system managed identity

Azure Automation System Managed Identity

3- Assign Managed Identity Graph and Exchange Online permissions using the script provided in my repo:


Required permissions:

  • ThreatHunting.Read.All

  • Mail.Send

  • Exchange.ManagedAsApp





Managed Identity Permissions









4- Although creating custom Azure role is not recommended, I wanted to ensure least privilege is respected for any write operation, so I've created the following roles by cloning  existing roles and removing the unnecessary permissions:

Assigned Role

Cloned Role

Removed Permissions 

Scope

Reader



Storage Account

Storage Account Key Reader

Storage Account Key Operator Service Role

Regenerate Storage Account Keys

Storage Account

Storage Blob Data Appender

Storage Blob Data Contributor

Delete blob container Delete blob

Container

Azure Automation Runbook


The runbook is configured using a PowerShell 5.1 script performing the following high level steps:

  1.  Retrieve variables

  2. Query advanced hunting

  3. Export report to storage account

  4. Send email notifications

This script is available in my repo: Monitor-MDEOutOfDateDevice.ps1 


You can use Azure Automation variables to store the script variables

Azure Automation Variables

This is the variables description:

  • OutOfDateThreshold: This is the threshold to consider a device as out of date. This is used in the KQL query and is in the timespan format such as 1d or 8h

  • StorageAccountRg: the storage account resource group

  • StorageAccountName: the storage account name

  • StorageAccountContainerName: the blob container name

  • NotificationSenderEmail: the notification sender email, can be a shared mailbox

  • NotificationRecipientsTo: the list of recipient email addresses separated by ; to be added to the To field

  • NotificationRecipientsCc: the list of recipient email addresses separated by ; to be added to the Cc field

Azure Automation Schedule

Based on your schedule you will receive an email

Email Notification Sample

And find the report in your storage account

Report samples

Conclusion

 

I hope this blog will help clarifying MDE update mechanism and bring food for thoughts to monitor and keep your environment healthy. I used the Azure Automation to save the report and send a notification emails but it could also be adapted to create a Teams notification, generate an ITSM ticket or trigger an Azure LogicApp runbook. A key aspect of MDE is its visibility capabilities and combined with Microsoft ecosystem and a bit of imagination, you can achieve anything at a reasonable price.

Thanks for reading!



 

I am a Microsoft Solutions Architect for Threatscape specialized in Microsoft 365 security, Azure and a cloud passionate. I am a big fan of automation, DevOps and PowerShell.

I own a 'few' MS certifications and have worked in IT across multiple and diverse industries for over 15 years now.


1 Comment


zulfiqar ahmed
zulfiqar ahmed
Jul 24

I have a question regarding the Defender security intelligence updates. As I understand, security intelligence updates are released a couple of times a day. Do you think these updates could cause an outage similar to the one that occurred with CrowdStrike, where updates led to an outage? How can we address and prevent such issues related to security intelligence updates?

Like
bottom of page