Microsoft Defender for Endpoint (MDE), Common Actions

Below is a collection of common antivirus actions one would want to perform on a client.

Windows

  1. Get Protection Status: Get-MpComputerStatus
    • This command retrieves the current status of the computer's protection, providing insights into the security features that are enabled and their operational status. It includes information on real-time protection, antivirus version, and last scan time.
  2. Get History of Incidents: Get-MpThreat
    • This command pulls up a history of threats that have been detected and handled by Microsoft Defender. It helps in auditing and understanding past incidents on the machine.
  3. Run Full Scan: Start-MpScan -ScanType FullScan
    • Initiates a full system scan, which thoroughly checks all files and programs on the device for any malicious activity.
  4. Get History of Protection: Get-MpThreatDetection
    • Note: the difference between the two commands is that Get-MpThreat returns the threat history, while Get-MpThreatDetection returns the protection (detection) history.
  5. Get Scan Configuration Details: Get-MpPreference
    • Displays the current configuration settings for Microsoft Defender, including scheduled scans, exclusion paths, and actions taken on detections.
  6. Disable Realtime Protection: Set-MpPreference -DisableRealtimeMonitoring $true
    • Disables real-time protection. Use with caution, as the system is unprotected for as long as it stays disabled.
  7. Enable Realtime Protection: Set-MpPreference -DisableRealtimeMonitoring $false
    • Enables real-time protection to ensure ongoing security monitoring.
  8. Force Update Definitions: Update-MpSignature
    • Manually triggers an update of the antivirus definitions, ensuring the latest threat intelligence is used.
  9. Performance Troubleshooting: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide
    • This guide provides detailed steps and considerations for optimizing Microsoft Defender's performance on your system.

Linux

  1. Get Protection Status: mdatp health
    • Retrieves the current health status of the Microsoft Defender for Endpoint service, including its operational state and last update time.
  2. Get History of Incidents: mdatp threat list
    • Lists all threats detected on the system, providing an overview of past security incidents.
  3. Run full Scan: mdatp scan full
    • Initiates a comprehensive scan of the entire system to detect and mitigate threats.
  4. Connectivity Test: mdatp connectivity test
    • Checks the connectivity of the Microsoft Defender service to its cloud components, ensuring that updates and threat intelligence are being received.
  5. Advanced Topics and performance diag: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide
    • This guide covers advanced deployment topics and performance tuning for Microsoft Defender on Linux.
  6. Force Update Definitions: mdatp definitions update
    • Forces an update of the antivirus definitions to ensure the latest protection is applied.
  7. Create a Test Detection: wget "https://secure.eicar.org/eicar.com.txt"
    • Downloads the EICAR test file, a harmless text file that antivirus products universally recognize as a test "virus". Use it to verify that the antivirus software is detecting and reporting correctly.
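An added triage helper (not part of this page or of Microsoft's tooling) that reads the output of "mdatp health" from step 1 and flags the conditions a responder acts on: service health, real-time protection, passive mode and definition age. It assumes the "key : value" layout and the field names healthy, health_issues, passive_mode_enabled, real_time_protection_enabled and definitions_updated_minutes_ago; the embedded sample output is constructed, not captured from a host.

```shell
# Triage helper for `mdatp health`: flag the things a responder checks first.
# The key/value layout and field names are assumed to match mdatp's output;
# SAMPLE_HEALTH below is a constructed sample, not output from a real host.
SAMPLE_HEALTH='healthy                                     : true
health_issues                               : []
licensed                                    : true
passive_mode_enabled                        : false
real_time_protection_enabled                : false
real_time_protection_available              : true
cloud_enabled                               : true
definitions_updated                         : "Mar 10, 2024 at 08:15:02 AM"
definitions_updated_minutes_ago             : 2880
definitions_status                          : "up_to_date"'

# health_value KEY TEXT: print KEY's value (quotes stripped), empty if absent.
# Splits only on the first "key : " so values containing colons (timestamps) survive.
health_value() {
    printf '%s\n' "$2" \
        | sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" \
        | tr -d '"' | sed 's/[[:space:]]*$//'
}

# mdatp_health_check TEXT [MAX_AGE_MINUTES]: print one FINDING line per problem;
# return 0 when the host passes, 1 when action is needed (default limit 1440 = 24h).
mdatp_health_check() {
    text=$1
    max_age=${2:-1440}
    rc=0
    if [ "$(health_value healthy "$text")" != "true" ]; then
        echo "FINDING: service unhealthy, issues: $(health_value health_issues "$text")"; rc=1
    fi
    if [ "$(health_value real_time_protection_enabled "$text")" != "true" ]; then
        echo "FINDING: real-time protection is off; confirm the policy before re-enabling"; rc=1
    fi
    if [ "$(health_value passive_mode_enabled "$text")" = "true" ]; then
        echo "FINDING: passive mode; Defender is not the primary antivirus on this host"; rc=1
    fi
    age=$(health_value definitions_updated_minutes_ago "$text")
    if [ -z "$age" ] || [ "$age" -gt "$max_age" ]; then
        echo "FINDING: definitions ${age:-unknown} min old (limit $max_age); run 'mdatp definitions update'"; rc=1
    fi
    return $rc
}

# Use live output when mdatp is installed, otherwise fall back to the sample.
if command -v mdatp >/dev/null 2>&1; then INPUT=$(mdatp health); else INPUT=$SAMPLE_HEALTH; fi
mdatp_health_check "$INPUT" && echo "host passes" || echo "action needed"
```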

View Security Alerts

  • Log into the Azure Portal.
  • In the top search box, type Defender for Cloud.
  • Select Defender for Cloud.
  • On the left, select Security Alerts.

IFS R&D International (Pvt) Ltd