Splunk Lantern

Windows Defender status disabled or changed

You might need to check if Windows Defender status has been disabled or changed when doing the following:

Prerequisites

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Windows Defender status is logged to the Application log in Windows Event Viewer. You want to search for the event codes that indicate when Defender real-time monitoring has been turned off or changed, which is behaviour typical of the REvil ransomware. You can search using either Application or Operational logs, depending on which you send to Splunk.

To optimize the searches shown below, you should specify an index and a time range.

Option 1 - Using Application Logs

  1. Run the following search:
source="WinEventLog:Application" EventCode=15 Message="Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED."
| table _time host Message

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: source="WinEventLog:Application"
Explanation: Search only Windows Application logs.

Splunk Search: EventCode=15 Message="Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED."
Explanation: Search for Event Code 15 together with this message, which indicates when Defender real-time monitoring status has been set to snoozed.

Splunk Search: | table _time host Message
Explanation: Display the results in a table with columns in the order shown.

Result

Just because you see these events does not mean you have been infected, but it does indicate that Defender real-time protection was turned off. You should run other searches to corroborate the results of this search.

If any of your results indicate that an infection has been detected, the host or computer where it was detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after the investigation.

Option 2 - Using Operational Logs

  1. Run the following search:
source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" EventCode IN (5001, 5004, 5007)
| table _time host Message

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"
Explanation: Search only Windows Defender Operational logs.

Splunk Search: EventCode IN (5001, 5004, 5007)
Explanation: Search for the following Event Codes:

  • 5001 (Windows Defender has been enabled)
  • 5004 (Windows Defender has been disabled)
  • 5007 (Windows Defender configurations have changed)

Splunk Search: | table _time host Message
Explanation: Display the results in a table with columns in the order shown.
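The filtering that Option 1 and Option 2 perform is shown below re-implemented in Python over a handful of WinEventLog-style records. This is an added example, not Splunk's or Microsoft's code: the record layout mirrors the fields the two searches use (source, EventCode, Message, host, _time), and the sample events, hosts, timestamps and non-matching messages are constructed. The per-host grouping at the end goes one step beyond the page's `table` output; it corresponds to finishing the search with `| stats values(EventCode) by host`.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

APP_SOURCE = "WinEventLog:Application"
OPS_SOURCE = "WinEventLog:Microsoft-Windows-Windows Defender/Operational"

# Option 1 on the page: Application log, Event Code 15, the exact snoozed-status text.
SNOOZED_MESSAGE = (
    "Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED."
)

# Option 2 on the page: Operational log, the three codes with the page's descriptions.
OPERATIONAL_CODES = {
    5001: "Windows Defender has been enabled",
    5004: "Windows Defender has been disabled",
    5007: "Windows Defender configurations have changed",
}


@dataclass(frozen=True)
class Event:
    """One indexed Windows event, reduced to the fields the two searches use."""
    time: str        # Splunk's _time, kept as an ISO-8601 string here
    host: str
    source: str
    event_code: int  # EventCode
    message: str     # Message


def option1_application(events: Iterable[Event]) -> List[Event]:
    """source="WinEventLog:Application" EventCode=15 Message="...SNOOZED."

    Splunk compares field values case-insensitively, so the message check
    lower-cases both sides to keep the same behaviour.
    """
    return [
        e for e in events
        if e.source == APP_SOURCE
        and e.event_code == 15
        and e.message.lower() == SNOOZED_MESSAGE.lower()
    ]


def option2_operational(events: Iterable[Event]) -> List[Event]:
    """source="WinEventLog:...Windows Defender/Operational" EventCode IN (5001, 5004, 5007)"""
    return [
        e for e in events
        if e.source == OPS_SOURCE and e.event_code in OPERATIONAL_CODES
    ]


def to_table(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """| table _time host Message"""
    return [(e.time, e.host, e.message) for e in events]


def codes_by_host(events: Iterable[Event]) -> Dict[str, List[int]]:
    """Run both searches and group the matching event codes per host (the
    equivalent of `| stats values(EventCode) by host`), giving the analyst one
    row per host to corroborate with other searches."""
    events = list(events)
    matched = option1_application(events) + option2_operational(events)
    grouped: Dict[str, set] = {}
    for e in matched:
        grouped.setdefault(e.host, set()).add(e.event_code)
    return {host: sorted(codes) for host, codes in sorted(grouped.items())}


# Constructed sample events: hosts, timestamps and the non-matching messages are made up.
SAMPLE_EVENTS = [
    Event("2021-07-02T14:03:11", "ws01", APP_SOURCE, 15, SNOOZED_MESSAGE),
    # Same code, different status: must NOT match Option 1.
    Event("2021-07-02T14:05:40", "ws01", APP_SOURCE, 15,
          "Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON."),
    Event("2021-07-02T14:10:02", "ws02", OPS_SOURCE, 5004, OPERATIONAL_CODES[5004]),
    Event("2021-07-02T14:10:03", "ws02", OPS_SOURCE, 5007, OPERATIONAL_CODES[5007]),
    Event("2021-07-02T15:30:00", "ws02", OPS_SOURCE, 5001, OPERATIONAL_CODES[5001]),
    # Right code, wrong source: the source filter in Option 2 must exclude it.
    Event("2021-07-02T14:12:00", "ws03", APP_SOURCE, 5004, OPERATIONAL_CODES[5004]),
    # Unrelated Operational event (constructed) that neither search should return.
    Event("2021-07-02T14:15:00", "ws03", OPS_SOURCE, 2000, "Definitions updated (constructed)"),
]

if __name__ == "__main__":
    for row in to_table(option1_application(SAMPLE_EVENTS)):
        print("option1", row)
    for row in to_table(option2_operational(SAMPLE_EVENTS)):
        print("option2", row)
    print(codes_by_host(SAMPLE_EVENTS))
```

Running the block prints one row for Option 1 (the snoozed event on ws01), three rows for Option 2 (all on ws02), and the per-host summary; the ws03 events are excluded because Option 2 filters on the Operational source as well as on the code, and Option 1 requires the exact snoozed message rather than any Event Code 15.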

Result

Just because you see these events does not mean you have been infected, but it does indicate that Defender real-time protection was turned off or its configuration was changed. You should run other searches to corroborate the results of this search.

If any of your results indicate that an infection has been detected, the host or computer where it was detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after the investigation.