Microsoft Defender for Endpoint (MDE), Common Actions
Abdul Basith
Jul 04
Below is a collection of common antivirus actions one would want to perform on an MDE-onboarded client, grouped by platform (Windows first, then Linux). The Windows commands are PowerShell cmdlets from the Defender module and need an elevated prompt; the Linux commands use the mdatp command-line tool.
Windows
Get Protection Status:
Get-MpComputerStatus
This command retrieves the current status of the computer's protection, showing which security features are enabled and their operational state. The properties worth checking first are RealTimeProtectionEnabled, BehaviorMonitorEnabled, IsTamperProtected, AMRunningMode (Normal versus Passive/EDR Block mode), AntivirusSignatureVersion and AntivirusSignatureLastUpdated, and the QuickScanEndTime/FullScanEndTime timestamps of the last completed scans.
Get History of Incidents:
Get-MpThreat
This command pulls up the history of threats that Microsoft Defender has detected and handled on the machine, one entry per threat (ThreatID, ThreatName, SeverityID, the affected Resources, and whether the threat is still active). It is useful for auditing and understanding past incidents on the host.
Run full Scan:
Start-MpScan -ScanType FullScan
Initiates a full system scan, which checks every file and program on the device for malicious content. A full scan is disk- and CPU-intensive; for quick triage use -ScanType QuickScan, or -ScanType CustomScan together with -ScanPath to scan a single directory.
Get History of Protection:
Get-MpThreatDetection
Note.
The difference between the above two commands is that Get-MpThreat lists the threats themselves (what was found), while Get-MpThreatDetection lists each detection event (when it was found, the ProcessName involved, the action taken and its ThreatStatusID). The two share the ThreatID field, so detection events can be joined back to the threat name. Get-MpThreatDetection corresponds to the "Protection history" view in the Windows Security app.
Get Scan Configuration Details:
Get-MpPreference
Displays the current configuration settings for Microsoft Defender, including scheduled scans, exclusion paths, and actions taken on detections.
Disable Realtime Protection:
Set-MpPreference -DisableRealtimeMonitoring $true
Disables real-time protection. This should be used with caution, as it leaves the system unprotected until it is re-enabled. Two caveats: on devices with tamper protection enabled (the default for MDE-onboarded devices) the change is rejected, and on managed devices a policy from Intune or Group Policy will re-apply the setting at the next refresh. The change is also logged (Event ID 5001 in the Microsoft-Windows-Windows Defender/Operational log), which is exactly what a detection rule for "defender disabled" looks for, so expect an alert if you do this on a production host.
Enable Realtime Protection:
Set-MpPreference -DisableRealtimeMonitoring $false
Enables real-time protection to ensure ongoing security monitoring.
Force Update Definitions:
Update-MpSignature
Manually triggers an update of the antivirus definitions (security intelligence), ensuring the latest threat intelligence is in use. Confirm the result by checking AntivirusSignatureVersion and AntivirusSignatureLastUpdated in the output of Get-MpComputerStatus; if they do not change, the host cannot reach the update source.
Performance Troubleshooting:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide
This guide provides detailed steps and considerations for optimizing Microsoft Defender's performance on your system.
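The cmdlets above are usually run one at a time; the following script, added here as an example and not part of the original article, combines them into a single host health check a responder can run during triage. It flags disabled protection features, stale signatures, missing scans and any configured exclusions, joins recent detection events to their threat names via ThreatID, and remediates the two things this page covers (signatures and scans). The function name and the two age thresholds are my assumptions, not anything Microsoft ships; it must run from an elevated PowerShell prompt on a Windows host with the Defender module present.

```powershell
# Added example (not from the original article): an MDE / Defender AV health audit
# built from the cmdlets listed above. Run as Administrator.
# Test-DefenderHealth and the two thresholds are assumptions; tune them to your policy.
function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeHours = 24,   # assumed acceptable signature age
        [int]$MaxScanAgeDays       = 7     # assumed acceptable time since last scan
    )

    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    $now    = Get-Date

    $findings = [System.Collections.Generic.List[string]]::new()

    # Protection features that should be on for a healthy, actively-protected host.
    if (-not $status.AMServiceEnabled)          { $findings.Add('Defender AV service is not running') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is disabled') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }

    # Signature freshness.
    $sigAge = $now - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
        $findings.Add("Signatures are $([int]$sigAge.TotalHours)h old (version $($status.AntivirusSignatureVersion))")
    }

    # Last completed scan of either type; the End-time properties are $null if none ever ran.
    $lastScan = @($status.QuickScanEndTime, $status.FullScanEndTime) |
        Where-Object { $_ } | Sort-Object | Select-Object -Last 1
    if (-not $lastScan -or ($now - $lastScan).TotalDays -gt $MaxScanAgeDays) {
        $findings.Add("No scan completed in the last $MaxScanAgeDays days")
    }

    # Exclusions are a common target for attackers weakening AV; surface every one for review.
    foreach ($p in $prefs.ExclusionPath)      { $findings.Add("Path exclusion: $p") }
    foreach ($e in $prefs.ExclusionExtension) { $findings.Add("Extension exclusion: $e") }
    foreach ($x in $prefs.ExclusionProcess)   { $findings.Add("Process exclusion: $x") }

    # Join detection events (Get-MpThreatDetection) to threat names (Get-MpThreat) on ThreatID.
    $threats = Get-MpThreat | Group-Object ThreatID -AsHashTable -AsString
    $recent  = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt $now.AddDays(-$MaxScanAgeDays) } |
        ForEach-Object {
            [pscustomobject]@{
                Detected  = $_.InitialDetectionTime
                Threat    = $threats["$($_.ThreatID)"].ThreatName
                Resources = ($_.Resources -join '; ')
                Process   = $_.ProcessName
                StatusID  = $_.ThreatStatusID
            }
        }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        RunningMode      = $status.AMRunningMode
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings
        RecentDetections = $recent
    }
}

$report = Test-DefenderHealth
$report | Format-List
$report.RecentDetections | Format-Table -AutoSize

if (-not $report.Healthy) {
    # Remediate what this script can: refresh signatures and run a quick scan.
    # Disabled features or exclusions need a policy fix, not a local command.
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
}
```

The script deliberately does not call Set-MpPreference to turn features back on: on a tamper-protected or policy-managed host that call fails or is reverted, so a finding such as "Real-time protection is disabled" is a signal to fix the policy (or investigate who changed it) rather than something to paper over locally.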
Linux
Get Protection Status:
mdatp health
Retrieves the current health status of the Microsoft Defender for Endpoint service. The fields to check first are healthy and health_issues, licensed (the device is onboarded), real_time_protection_enabled, passive_mode_enabled, definitions_status and definitions_updated_minutes_ago, and tamper_protection. A single field can be queried with mdatp health --field <name>, which is convenient in scripts.
Get History of Incidents:
mdatp threat list
Lists all threats detected on the system with their ID, name, type and current status, giving an overview of past security incidents on the host.
Run full Scan:
mdatp scan full
Initiates a comprehensive scan of the entire filesystem to detect and remediate threats. As on Windows, a full scan is expensive; mdatp scan quick covers the usual locations in far less time.
Connectivity Test:
mdatp connectivity test
Checks that the agent can reach the Microsoft Defender cloud endpoints it needs for onboarding, telemetry, definition updates and cloud-delivered protection, and reports each URL tested. Run this first when a device shows as unhealthy or stops reporting to the portal; a proxy or firewall blocking one of the endpoints is the usual cause.
Advanced Topics and performance diag:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide
This guide covers advanced deployment topics and performance tuning for Microsoft Defender on Linux.
Force Update Definitions:
mdatp definitions update
Forces an update of the antivirus definitions so the latest protection is applied. Check definitions_version and definitions_updated in mdatp health afterwards to confirm it worked.
Create a test detection (EICAR):
wget "https://secure.eicar.org/eicar.com.txt"
Downloads the EICAR test file, a harmless text file that antivirus products are designed to detect as if it were malware. It is a detection test, not a false positive: the detection is expected and verifies that scanning, remediation and reporting are working end to end. With real-time protection enabled the file is quarantined as soon as it lands on disk, so wget may report the file as removed; confirm the result with mdatp threat list, and check that the corresponding alert appears in the portal (see below).
View Security Alerts
Log into the Azure Portal.
In the top search box, type Defender for Cloud.
Select Defender for Cloud.
On the left, select Security Alerts.
Endpoint alerts raised by MDE also appear in the Microsoft Defender portal (security.microsoft.com), where the full device timeline and investigation actions are available.
Related Documentation
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide
https://thegeekpage.com/check-protection-history-in-microsoft-defender/
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide
https://secure.eicar.org
Enable or Disable Real-time Protection for Microsoft Defender Antivirus in Windows 11 Tutorial | Windows 11 Forum (elevenforum.com)
Tags: Cybersecurity, Endpoint Security, Incident Response, Security Operations, Threat Detection