MDE: Keeping your Antivirus up to date - deep dive

If you have a look at Microsoft Cybersecurity Reference Architecture (MCRA) and Microsoft Zero Trust implementation guidance, you will come across the immutable laws of security: The immutable laws of security | Microsoft Learn

This is a set of 10 commandments or statements meant to bust prevalent security myths.

The 8th law, stating that an out-of-date antimalware scanner is only marginally better than no scanner at all, inspired this blog.

Despite being, in my opinion, an amazing product, Defender for Endpoint can be complex due to its multiple components and updates, specifically across Windows operating systems, require a good understanding of the product.

In this blog, we will focus on the antivirus/malware (AV) and endpoint detection and response (EDR) components, and dive in configuring and monitoring Defender for Endpoint update status in your environment.

Table of contents:

1. What are the different types of updates in MDE?

2. How often updates are released?

3. How can I manually retrieve updates?

4. How do I configure automatic updates?

5. How do I monitor my update status?

6. How to automate the monitoring notifications?

7. Conclusion

.

What are the different types of updates in MDE?

A - On Windows

• The AV engine agent updates are part of the platformUpdate package included in KB4052623

This package is installed under c:\programdata\Microsoft\Windows Defender\Platform\<version>

The application mpcmdeng.exe run as a service named windefend with Windows Defender as display name

• The EDR sensor agent updates are part of Sense package included in the KB5005292

This package is installed under c:\programdata\Microsoft\Windows Defender Advanced Threat Protection\Platform\<version>

The application sense.exe run as a service named sense with Windows Defender Advanced Threat Protection as display name

• The signature definition updates are included in KB2267602

They can be found under c:\programdata\Microsoft\Windows Defender\Definition Updates\<guid>

B - On Linux

• The agent update packages are available from https://packages.microsoft.com/<os>/<version>/<channel>/<year>/Packages/m 

With:

<os> your distribution such as ubuntu, amazonlinux etc

<version>: such as 16.04 for ubuntu

<channel>: insiders-fast insiders-slow and prod

<year>: such as 2023

You can retrieve previous versions from this location

• When using your favourite package manager such as apt-get or yum, you need to configure the repo using https://packages.microsoft.com/config/<os>/<version>/<channel>.<extension> 

For example:

sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/prod.repo

C - On MacOS

Updates are managed using Microsoft Auto Update  (MAU) and msupdate

Deploy updates for Microsoft Defender for Endpoint on Mac | Microsoft Learn

How often updates are released?

• AV and EDR prod agents are released monthly with hotfixes released when necessary.

It is highly recommended to use the latest versions and benefit from the latest features and fixes

Microsoft Defender Antivirus security intelligence and product updates | Microsoft Learn

• Signature definitions are released approximately every 4 hours.

You should make sure to retrieve the latest package and check every 1-2 hours for new release.

Antimalware updates change log - Microsoft Security Intelligence

You can subscribe to the RSS feed to be alerted when those webpages are updated, ie new version are released https://learn.microsoft.com/api/search/rss?search=%22Microsoft+Defender+Antivirus+security+intelligence+and+product+updates%22&locale=en-us

You can also integrate that feed with Microsoft Teams or Exchange Online using Power Automate. Nikkie Chapple has already demonstrated this on her blog, please have a look at Nikkie's work:

How to track Microsoft Docs page updates in Microsoft To-do (nikkichapple.com)

How can I manually retrieve updates?

A - On Windows

You can configure where to retrieve agent updates and signatures, either directly from Microsoft, your update orchestrator such as WSUS or config Manager (SCCM), or a central share.

To initiate a manual update of the signature definitions you can use PowerShell:

Update-MpSignature

Or command prompt:

c:\programdata\Microsoft\Windows Defender Advanced Threat Protection\Platform\<version>\MpCmdRun.exe -SignatureUpdate

To update the agents manually, go to Microsoft Update Catalog , search for and install KB4052623 (AV) or KB5005292 (EDR)

B- On Linux

Signature updates are retrieved from Microsoft and agent updates will depend on your package config file. You could edit it to refer to a local satellite, or retrieving them directly from Microsoft.

To update signature definition run:

mdatp definitions update

To update your agent, update mdatp package using your package manager for example

yum update mdatp -y

C - On MacOs

Updates are retrieved from Microsoft directly

To update signature definition run:

mdatp definitions update

To update the agent manually, open Microsoft Auto Update (MAU) and press check for update

How do I configure automatic updates?

A - On Windows

KB4052623 and KB5005292, the AV and EDR agents updates are categorised as Microsoft Defender for Endpoint  product in Microsoft Update Catalog so ensure this category is enabled in your standalone WSUS server or part of your Configuration Manager farm.

Signature definitions are configured using Group Policy, Configuration Manager, Intune, PowerShell or WMI with the below settings:

• SignatureFallbackOrder

• SignatureDefinitionUpdateFileSharesSource

• SignatureScheduleDay

• SignatureScheduleTime

• SignatureUpdateInterval

Reference:

• Manage how and where Microsoft Defender Antivirus receives updates | Microsoft Learn

• Schedule Microsoft Defender Antivirus protection updates | Microsoft Learn

• Endpoint Protection antimalware policies - Configuration Manager | Microsoft Learn

• Windows Antivirus policy settings for Microsoft Defender Antivirus for Intune | Microsoft Learn

SignatureFallbackOrder

This setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. The possible values are:

• InternalDefinitionUpdateServer: Configuration Manager or WSUS

• MicrosoftUpdateServer: Windows update (recommended)

• MMPC: Microsoft Malware Protection center

• FileShares : a File Share configured

The setting will be displayed differently depending on the deployment method:

• Group Policy:  Location: Computer Settings > Administrative templates > Windows components > Windows Defender > Signature updates Display name: Define the order of sources for downloading security intelligence updates

• Configuration Manager: Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Set sources and order for Endpoint Protection client updates

• Intune: Location: Endpoint security > Antivirus Display name: Define the order of sources for downloading definition updates

SignatureDefinitionUpdateFileSharesSource

This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }".

The setting will show as:

• Group Policy:  Location: Computer Settings > Administrative templates > Windows components > Windows Defender > Signature updates Display name: Define file shares for downloading security intelligence updates

• Configuration Manager:  Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Configure Definition Update Sources and select Updates from UNC file shares.

• Intune: Location: Endpoint security > Antivirus Display name: Define file shares for downloading definition updates

SignatureScheduleDay

This policy setting allows you to specify an the day to check for security intelligence updates.

The setting will show as:

• Group Policy:  Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the day of the week to check for security intelligence updates

• Configuration Manager: N/A

• Intune: N/A

SignatureScheduleTime

This policy setting allows you to specify an the time to check for security intelligence updates.

The setting will show as:

• Group Policy: Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the time to check for security intelligence updates

• Configuration Manager:  Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Check for Endpoint Protection security intelligence daily at.

• Intune: N/A

SignatureUpdateInterval

This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).

The setting will show as:

• Group Policy: Location: Computer Settings > Administrative templates > Windows components > Microsoft Defender Antivirus > Security Intelligence Updates Display name: Specify the interval to check for security intelligence updates

• Configuration Manager:  Location: Assets and Compliance > Endpoint Protection > Antimalware Policies > Security Intelligence updates Display name: Check for Endpoint Protection security intelligence at a specific interval (hours).

• Intune: Location: Endpoint security > Antivirus Display name: Enter how often (0-24 hours) to check for security intelligence updates

B- On Linux

You can configure your signature update settings using the CLI, the configuration file and Intune/Defender XDR using the Security Setting Management. They can only be retrieved from Microsoft directly

There is only a single setting available:

• CLI: mdatp config automatic_definition_update_enabled --value true/false

• Configuration file:

{
	...
   	"cloudService":{
      	"enabled":true,
      	"diagnosticLevel":"optional",
      	"automaticSampleSubmissionConsent":"safe",
      	"automaticDefinitionUpdateEnabled":true,
      	"proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
   	}
}

• Intune:

Reference

• Set preferences for Microsoft Defender for Endpoint on Linux | Microsoft Learn

• Use Intune to manage Microsoft Defender security settings management on devices not enrolled with Microsoft Intune | Microsoft Learn

C -On MacOS

You can configure your signature update settings using the CLI, the Microsoft Auto Update and Intune and Defender XDR Security settings, or JAMF using the Security Setting Management. They can only be retrieved from Microsoft directly

There is only a single setting available:

• CLI: mdatp config automatic_definition_update_enabled --value true/false

• MAU:
  

• Intune:

Reference

• Set preferences for Microsoft Defender for Endpoint on Mac | Microsoft Learn

• Use Intune to manage Microsoft Defender security settings management on devices not enrolled with Microsoft Intune | Microsoft Learn

How do I monitor my update status?

Microsoft Defender XDR is where all the magic happen 🤩.

You would find built-in reports and be creative with KQL and advanced hunting.

1- Microsoft Antivirus health

You'll find an aggregated and interactive report from Defender XDR > Reports > Device health > Microsoft Antivirus health

 https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/images/device-health-defender-antivirus-health-tab.png?view=o365-worldwide

You can customize this view with a rich set of filters

You can also export this report as CSV and find the current AV engine version, signature updates for each devices

2- Vulnerability management

You can find devices out of date from the MDVM recommendation section ( Defender XDR > Vulnerability management > Recommendations) and look for

• Update Microsoft Defender for Endpoint core components

• Update Microsoft Defender Antivirus definitions

The exposed devices tab will display those out of date devices and allow you to export that list.

3- KQL

I'll share a few queries to retrieve the versions of each components and will be looking more particularly at DeviceTvmSecureConfigurationAssessment

• This table contains all the vulnerabilities from Defender for Vulnerability detected in your environment. Those are referred by a ConfigurationId. To retrieve the detail of every item you can use DeviceTvmSecureConfigurationAssessmentKB as shown below. We will filter that list for update only.

DeviceTvmSecureConfigurationAssessment
| join kind=leftouter (DeviceTvmSecureConfigurationAssessmentKB) on ConfigurationId
| distinct ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact
| sort by ConfigurationId asc
|where ConfigurationName  contains "Update"

We will focus on

-Scid-2011: Signatures definition updates for Windows OS - We will retrieve all components version from this item

-Scid-2030: EDR agent update for Windows OS

-Scid-5095: Signatures definition updates for MacOS

-Scid-6095: Signatures definition updates for Linux

• From there we can retrieve all devices out of date as followed

let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsCompliant == 0
//| where OSPlatform  contains "WindowsServer"
| join (
    DeviceInfo
    | summarize by DeviceId,SensorHealthState,RegistryDeviceTag
    )
    on DeviceId
| where SensorHealthState == "Active"
//| where RegistryDeviceTag startswith "MyTag"

I commented 2 filters to customize the query as required: OS platform and tags (the tags referred as GROUP)

• You can also render the non-compliance results as a pie chart for example

let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsCompliant == 0
| join (
    DeviceInfo
    | summarize by DeviceId,SensorHealthState,RegistryDeviceTag
    )
    on DeviceId
| where SensorHealthState == "Active"
//| summarize by DeviceName,IsCompliant,OSPlatform,ConfigurationSubcategory,sigversion,engversion,platformversion,lastupdatetime
| summarize count() by OSPlatform
|render piechart

• To retrieve the detail of your Windows devices components, use

let updateSCID = dynamic (["scid-2011"]);
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID)
//| where OSPlatform  contains "WindowsServer2012R2"
| join (
    DeviceInfo
    | summarize by DeviceId,SensorHealthState,RegistryDeviceTag
    )
    on DeviceId
| where SensorHealthState == "Active"
| extend avdata=parsejson(Context)
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])

This configuration item retrieves 4 additional information:

-Signature definition version

-AV engine version

-EDR agent version

-And the last time an update occurred

• To retrieve the version for the all platforms,

let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsApplicable
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])

• Regarding the IsCompliant field used in the 2 first queries, Microsoft considers an AV out of date if it didn't update for 5 or 7d (not entirely sure). We can refine this threshold using the below query to monitor the Signature Definition update frequency.

let updateSCID = dynamic (["scid-2011","scid-2030","scid-5095","scid-6095"]);
let OutOfDateThreshold = 3d;
 DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (updateSCID) and IsApplicable
| join (
    DeviceInfo
    | summarize by DeviceId,SensorHealthState,RegistryDeviceTag
    )
    on DeviceId
| where SensorHealthState == "Active"
| extend avdata=parsejson(Context)
| extend sigversion = tostring(avdata[0][0])
| extend engversion = tostring(avdata[0][1])
| extend platformversion = tostring(avdata[0][3])
| extend lastupdatetime = todatetime(avdata[0][2])
| where lastupdatetime < ago(OutOfDateThreshold)
| summarize by DeviceId,DeviceName,OSPlatform,sigversion,engversion,platformversion,lastupdatetime

How to automate the monitoring notifications?

Overview

There is no built-in way to schedule and automate the reports generation.

You MDVM logs aren't enabled natively in Sentinel via Microsoft Defender XDR connector however it is marked as coming soon

As an alternative, we can use the Graph API and automate the query from an automation account in Azure

1. An Azure Automation account connect to the Graph API using a system managed identity

2. The Graph Advanced Hunting module is used to retrieve the out of date devices

3. The automation account generate a csv report

4. The csv report is stored in a blob storage

5. An email is sent to a shared mailbox/ distribution list including the csv report

Azure automation Account configuration

1- Create an Azure automation account

2- Enable the system managed identity

3- Assign Managed Identity Graph and Exchange Online permissions using the script provided in my repo:

Assign-ManagedIdentityGraphPermission.ps1

Required permissions:

• ThreatHunting.Read.All

• Mail.Send

• Exchange.ManagedAsApp

4- Although creating custom Azure role is not recommended, I wanted to ensure least privilege is respected for any write operation, so I've created the following roles by cloning  existing roles and removing the unnecessary permissions:

Azure Automation Runbook

The runbook is configured using a PowerShell 5.1 script performing the following high level steps:

1.  Retrieve variables

2. Query advanced hunting

3. Export report to storage account

4. Send email notifications

This script is available in my repo: Monitor-MDEOutOfDateDevice.ps1 

You can use Azure Automation variables to store the script variables

This is the variables description:

• OutOfDateThreshold: This is the threshold to consider a device as out of date. This is used in the KQL query and is in the timespan format such as 1d or 8h

• StorageAccountRg: the storage account resource group

• StorageAccountName: the storage account name

• StorageAccountContainerName: the blob container name

• NotificationSenderEmail: the notification sender email, can be a shared mailbox

• NotificationRecipientsTo: the list of recipient email addresses separated by ; to be added to the To field

• NotificationRecipientsCc: the list of recipient email addresses separated by ; to be added to the Cc field

Based on your schedule you will receive an email

And find the report in your storage account

Conclusion

I hope this blog will help clarifying MDE update mechanism and bring food for thoughts to monitor and keep your environment healthy. I used the Azure Automation to save the report and send a notification emails but it could also be adapted to create a Teams notification, generate an ITSM ticket or trigger an Azure LogicApp runbook. A key aspect of MDE is its visibility capabilities and combined with Microsoft ecosystem and a bit of imagination, you can achieve anything at a reasonable price.

Thanks for reading!

About William Francillette:

I am a Microsoft Solutions Architect for Threatscape specialized in Microsoft 365 security, Azure and a cloud passionate. I am a big fan of automation, DevOps and PowerShell.

I own a 'few' MS certifications and have worked in IT across multiple and diverse industries for over 15 years now.