Jetzt Ausprobieren

Windows Defender Antivirus Broken Scan Audit

Security Software

Find Windows Defender Installations With Scan Problems

Microsoft released a new update for Windows defender. Unfortunately, version 4.18.1908.7 has a critical bug that breaks manual and scheduled scanning. This means that the Quick, Full antivirus scans and also scans you scheduled are not performed.

Microsoft released a fix for the issue shortly after complaints came in with a Windows defender definition update KB2267602 (Version 1.301.1684.0). To make sure that your computers and servers are not affected, you can run the audit below which checks your Windows Defender version and the definition version.

Both the version and definition version can be retrieved through custom registry scanning.

To run this audit, you will have to add the following registry keys and value names to custom registry scanning configuration.

Rootkey: HKEY_LOCAL_MACHINE
Regpath: SOFTWARE\Microsoft\Windows Defender
Regvalue: InstallLocation 

Rootkey: HKEY_LOCAL_MACHINE
Regpath: SOFTWARE\Microsoft\Windows Defender\Signature Updates
Regvalue: AVSignatureVersion

Windows defender audit

 

Windows Defender Version Query

Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> ''
    Then 'Yes'
    Else 'No'
  End As VersionFound,
  SubQuery1.Value As InstallLocation,
  Case
    When SubQuery2.Valuename Is Not Null And SubQuery2.Valuename <> ''
    Then 'Yes'
    Else 'No'
  End As DefinitionVersionFound,
  SubQuery2.Value As AVSignatureVersion,
  Case
    When SubQuery1.Value Like '%4.18.1908.7%' And SubQuery2.DefinitionVersion >=
      130116840 Then 'Safe'
    When SubQuery1.Value Not Like '%4.18.1908.7%' Then 'Safe'
    When SubQuery1.Valuename Is Null Then 'RegKey not found'
    Else 'Update Defender Definition'
  End As Status,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  TsysLastscan.Lasttime As LastRegistryScan,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then
      'Last registry scan more than 24 hours ago! Scanned registry information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  Case
    When SubQuery1.Value Like '%4.18.1908.7%' And SubQuery2.DefinitionVersion >=
      130116840 Then '#d4f4be'
    When SubQuery1.Value Not Like '%4.18.1908.7%' Then '#d4f4be'
    When SubQuery1.Valuename Is Null Then ''
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
        tblRegistry.Regkey,
        tblRegistry.Valuename,
        tblRegistry.Value,
        tblRegistry.Lastchanged
      From tblRegistry
      Where tblRegistry.Regkey Like '%SOFTWARE\Microsoft\Windows Defender' And
        tblRegistry.Valuename = 'InstallLocation') SubQuery1 On
    SubQuery1.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID,
        tblRegistry.Regkey,
        tblRegistry.Valuename,
        tblRegistry.Value,
        Convert(bigint,Replace(tblRegistry.Value, '.',
        '')) As DefinitionVersion,
        tblRegistry.Lastchanged
      From tblRegistry
      Where
        tblRegistry.Regkey Like
        '%SOFTWARE\Microsoft\Windows Defender\Signature Updates' And
        tblRegistry.Valuename = 'AVSignatureVersion') SubQuery2 On
    SubQuery2.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry' And
  tsysOS.OSname In ('Win 10', 'Win 7', 'Win 8', 'Win 8.1', 'Win 2016',
  'Win 2008 R2', 'Win 2012', 'Win 2012 R2', 'Win 2019')
Order By tblAssets.Domain,
  tblAssets.AssetName

Show

Hide