Self-Remediation via Okta
Engage end-users during auth to self-remediate issues
Security & Compliance Checks
Monitor your entire Linux, Mac, and Windows fleet
Device Inventory
Your fleet represented in thousands of data points
Implement Zero Trust Access
Prevent unsecure devices from accessing your apps
Achieve 100% Device Compliance
Measure, achieve, and maintain your compliance goals
Gain Fleet Visibility
Become "all knowing" across Linux, Mac, and Windows
Help / Docs Product Changelog App Security Company
From the blog
View Other Properties

Contents

View Other Properties

How to List Defender Settings Across All Windows Devices

Using Kolide, you can easily view and query Windows Defender Settings across your fleet.

Introduction

Windows Defender is the name for the built-in antivirus software that comes with Windows. It can serve as either a full antivirus and anti-malware service or it can augment commercial antivirus software that is installed on the device.

This device property enumerates windows Defender's current status including the state of its various subsystems, when the last time scans were performed, and the version of signatures currently deployed to the software.

What Windows Defender Setting Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Windows Defender Settings from Windows devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Windows Defender Settings Schema

Column Type Description
id Primary Key

Unique identifier for the object
device_id Foreign Key

Device associated with the entry
device_name Text

Display name of the device associated with the entry
am_engine_version Text

The version of the anti-malware engine built-in to Windows Defender
am_engine_version_major Bigint

am_engine_version's semver major version (ex: 4.2.1 would yield 4)
am_engine_version_minor Bigint

am_engine_version's semver minor version (ex: 4.2.1 would yield 2)
am_engine_version_patch Bigint

am_engine_version's semver patch version (ex: 4.2.1 would yield 1)
am_engine_version_subpatch Bigint

am_engine_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)
am_product_version Text

The version of the anti-malware portion of Windows Defender
am_product_version_major Bigint

am_product_version's semver major version (ex: 4.2.1 would yield 4)
am_product_version_minor Bigint

am_product_version's semver minor version (ex: 4.2.1 would yield 2)
am_product_version_patch Bigint

am_product_version's semver patch version (ex: 4.2.1 would yield 1)
am_product_version_subpatch Bigint

am_product_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)
am_service_enabled Boolean

true if the anti-malware portion of Windows Defender is enabled; otherwise false
am_service_version Text

The version of the anti-malware service used by Windows Defender
am_service_version_major Bigint

am_service_version's semver major version (ex: 4.2.1 would yield 4)
am_service_version_minor Bigint

am_service_version's semver minor version (ex: 4.2.1 would yield 2)
am_service_version_patch Bigint

am_service_version's semver patch version (ex: 4.2.1 would yield 1)
am_service_version_subpatch Bigint

am_service_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)
antispyware_enabled Boolean

true if the anti-spyware portion of Windows Defender is enabled; otherwise false
antispyware_signature_age Bigint

anti-spyware signature age in days

Special Values:

  • -1 or 65535 - Signatures have never been updated
antispyware_signature_updated_at Timestamp

The precise time the anti-sypware signatures in Windows Defender last updated
antispyware_signature_version Text

The version of the anti-spyware signatures in Windows Defender
antispyware_signature_version_major Bigint

antispyware_signature_version's semver major version (ex: 4.2.1 would yield 4)
antispyware_signature_version_minor Bigint

antispyware_signature_version's semver minor version (ex: 4.2.1 would yield 2)
antispyware_signature_version_patch Bigint

antispyware_signature_version's semver patch version (ex: 4.2.1 would yield 1)
antispyware_signature_version_subpatch Bigint

antispyware_signature_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)
antivirus_enabled Boolean

true if the antivirus portion of Windows Defender is enabled; otherwise false
antivirus_signature_age Bigint

Antivirus signature age in days

Special Values:

  • 65535 - Signatures have never been updated
antivirus_signature_updated_at Timestamp

The precise time the Antivirus signatures in Windows Defender last updated
antivirus_signature_version Text

The version of the Antivirus signatures in Windows Defender
antivirus_signature_version_major Bigint

antivirus_signature_version's semver major version (ex: 4.2.1 would yield 4)
antivirus_signature_version_minor Bigint

antivirus_signature_version's semver minor version (ex: 4.2.1 would yield 2)
antivirus_signature_version_patch Bigint

antivirus_signature_version's semver patch version (ex: 4.2.1 would yield 1)
antivirus_signature_version_subpatch Bigint

antivirus_signature_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)
behavior_monitor_enabled Boolean

true if the Behavior Monitoring portion of Windows Defender is enabled; otherwise false
computer_id Text

Computer ID created by Microsoft Active Protection Service (MAPS)
computer_state Enum::Text

Information about the current state of the device as it relates to Windows Defender

Can be one of the following:

  • Clean
  • Pending Full Scan
  • Pending Reboot
  • Pending Manual Steps - Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan
  • Pending Offline Scan
  • Pending Critical Failure - Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender
full_scan_age Bigint

Last full scan age in days

Special Values:

  • -1 or 65535 - No scan has been performed
ioav_protection_enabled Boolean

true if the IOAV (the scanning of all downloads and attachments) portion of Windows Defender is enabled; otherwise false
last_full_scan_source Enum::Text

The source of the last full scan

Can be one of the following:

  • Unknown
  • User
  • System
  • Real Time
  • IOAV
last_quick_scan_source Enum::Text

The source of the last quick scan

Can be one of the following:

  • Unknown
  • User
  • System
  • Real Time
  • IOAV
nis_enabled Boolean

true if the Network Inspection Service (NIS) portion of Windows Defender is enabled; otherwise false
nis_engine_version Text

The version of the Network Inspection Service (NIS) in Windows Defender
nis_engine_version_major Bigint

nis_engine_version's semver major version (ex: 4.2.1 would yield 4)
nis_engine_version_minor Bigint

nis_engine_version's semver minor version (ex: 4.2.1 would yield 2)
nis_engine_version_patch Bigint

nis_engine_version's semver patch version (ex: 4.2.1 would yield 1)
nis_engine_version_subpatch Bigint

nis_engine_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)
nis_signature_age Bigint

Network Inspection Service (NIS) signature age in days

Special Values:

  • -1 or 65535 - Signatures have never been updated
nis_signature_updated_at Timestamp

The precise time the Network Inspection Service (NIS) signatures in Windows Defender last updated
nis_signature_version Text

The version of the Network Inspection Service (NIS) signatures used by Windows Defender
nis_signature_version_major Bigint

nis_signature_version's semver major version (ex: 4.2.1 would yield 4)
nis_signature_version_minor Bigint

nis_signature_version's semver minor version (ex: 4.2.1 would yield 2)
nis_signature_version_patch Bigint

nis_signature_version's semver patch version (ex: 4.2.1 would yield 1)
nis_signature_version_subpatch Bigint

nis_signature_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)
on_access_protection_enabled Boolean

true if the on-access protection portion of Windows Defender is enabled; otherwise false
quick_scan_age Bigint

Last quick scan age in days

Special Values:

  • -1 or 65535 - No scan has been performed
quick_scan_ended_at Timestamp

Time of last Quick Scan start
quick_scan_started_at Timestamp

Time of last Quick Scan start
real_time_protection_enabled Boolean

true if the Real Time Protection portion of Windows Defender is enabled; otherwise false
real_time_scan_direction Enum::Text

The source of the last quick scan

Can be one of the following:

  • Both
  • Incoming
  • Outgoing
collected_at Timestamp

Time the row of data was first collected in the database
updated_at Timestamp

Time the row of data was last changed in the database

Why Should I Collect Windows Defender Settings?

IT & Security administrators may review this information to ensure the Windows Defender is updating as expected and has the latest available database of malware signatures.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

This inventory does not capture any personally identifiable information.

When you use Kolide to list Windows Defender Setting data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.

Share this story:

Related Device Properties:

New
Windows Defender Threat Detections
defender, anti-virus, security, threats
New
Mac XProtect Reports
anti-virus, threats, security
New
Windows Update Settings
updates, operating-system, security
View full list of Kolide's Device Properties
Book A Demo
Zero Trust Access
Designed for Okta
Book A Demo