ShaneKing-3381 asked TeemoTang-MSFT answered

How do I produce a report in Windows Defender (standalone)

Please - read the question in its entirety - I can get half-baked, ill-thought-out, incomplete answers anywhere for free, but chose here in the hope of some accurate, well-considered, professional answers.

Windows Defender picked up a number of infections affecting a large number of files on a PC. I hit two problems using Defender (I don't have much experience with it, coming from the enterprise side of things) and could not work out how to achieve what I needed.

  • How do I produce a report of the files affected when the files are in the hundreds? Clicking through the results window is not practical with hundreds of files impacted by multiple infections. The end user is a business who trusted Defender to be their solution. If your answer is that the list is the only method, then give it a try; you'll be back with the same concern as me.

  • Where do we go to review what the infection/malware has done (e.g. been recording keystrokes, mining bitcoin, encrypting files...)? I tried to advise the user on what had been happening while the malware was present but couldn't locate any details. If it has only hijacked the machine for bitcoin mining, the impact is less than if the malware has been recording logins etc. for a period and the passwords on literally hundreds of platforms need changing, so it is wise to provide specific advice. If you say "everything", then you're probably not experienced enough or haven't put much thought into your answer.





windows-10-security


1 Answer

TeemoTang-MSFT answered

For standalone Windows Defender without Microsoft Defender for Endpoint, we can’t let it generate a report of the files affected.
But some related events are recorded in:
Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> Windows Defender >> Operational
where you'll see:
Windows Defender scan has started. (Event ID 1000)
Windows Defender scan has finished. (Event ID 1001)
Windows Defender signature version has been updated. (2000)

How to view malware protection history using Windows Security
1. Click on Virus & threat protection.
2. Under the "Current threats" section, click the Protection history option.
3. Confirm the list of threats found by Microsoft Defender Antivirus. (If you don't see any items listed, you can breathe a little easier, since it indicates that Microsoft Defender hasn't detected any malware.)
4. Select the item to view more information, including malware type, severity level, detection date, category, and information about the item's location.

Review Microsoft Defender Antivirus scan results
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus?view=o365-worldwide


On the other hand, if you use Microsoft Defender for Endpoint or Microsoft Defender ATP, the following two documents apply.
Report on Microsoft Defender Antivirus
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus?view=o365-worldwide
Create custom reports using Microsoft Defender ATP APIs and Power BI
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/create-custom-reports-using-microsoft-defender-atp-apis-and/ba-p/1007684


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
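Added example (not part of the question or the answer above): the Protection history and the Operational event log that the answer points to can both be read from PowerShell on a standalone machine, which gets around clicking through hundreds of entries. This script uses the built-in Defender module cmdlets Get-MpThreat and Get-MpThreatDetection together with Get-WinEvent on the "Microsoft-Windows-Windows Defender/Operational" log, and writes three CSV files: one row per threat (name, severity, category, whether it executed), one row per affected file, and the raw detection events. The output folder is an assumption; run it in an elevated PowerShell session on the affected PC.

```powershell
# Added example, not Microsoft's code: export Defender's Protection history
# and detection events to CSV for offline review.
# Assumes: elevated PowerShell on the scanned machine; the Defender module
# (Get-MpThreat / Get-MpThreatDetection) is present, as it is on Windows 10.
param(
    # Assumed output location; change as needed.
    [string]$OutDir = "$env:USERPROFILE\Desktop\DefenderReport"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. One row per threat Defender has recorded: what it was, how severe,
#    whether it is still active and whether it actually ran. These are the
#    same fields the Protection history UI shows per item.
$threats = @(Get-MpThreat | ForEach-Object {
    [pscustomobject]@{
        ThreatID         = $_.ThreatID
        ThreatName       = $_.ThreatName
        SeverityID       = $_.SeverityID      # Defender severity IDs: 1 Low, 2 Moderate, 4 High, 5 Severe
        CategoryID       = $_.CategoryID
        IsActive         = $_.IsActive
        DidThreatExecute = $_.DidThreatExecute
    }
})
$threats | Export-Csv -Path (Join-Path $OutDir 'threats.csv') -NoTypeInformation

# Map ThreatID -> ThreatName so the per-file rows carry a readable name.
$nameById = @{}
foreach ($t in $threats) { $nameById[$t.ThreatID] = $t.ThreatName }

# 2. One row per affected resource. Each detection carries a Resources list
#    with entries such as "file:_C:\Users\...\sample.exe"; split the list so
#    every path becomes its own line in the report.
$files = @(Get-MpThreatDetection | ForEach-Object {
    $d = $_
    foreach ($res in $d.Resources) {
        [pscustomobject]@{
            DetectionTime = $d.InitialDetectionTime
            ThreatName    = $nameById[$d.ThreatID]
            ResourceType  = ($res -split ':_', 2)[0]          # e.g. "file"
            Resource      = $res -replace '^[A-Za-z]+:_', ''  # drop the "file:_" prefix
            Process       = $d.ProcessName
            ActionSuccess = $d.ActionSuccess
        }
    }
})
$files | Sort-Object DetectionTime |
    Export-Csv -Path (Join-Path $OutDir 'affected-files.csv') -NoTypeInformation

# 3. Detection events from the Operational log named in the answer.
#    1116 = malware or unwanted software detected, 1117 = action taken
#    (standard Defender event IDs, alongside the 1000/1001/2000 scan events).
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message)
$events | Export-Csv -Path (Join-Path $OutDir 'defender-events.csv') -NoTypeInformation

"Threats: $($threats.Count)  Affected resources: $($files.Count)  Events: $($events.Count)"
"Report written to $OutDir"
```

The threats.csv file is the one to triage first: DidThreatExecute and CategoryID tell you whether a detection was quarantined on write or actually ran, which is the distinction the question is asking about when deciding how far the advice to the user has to go. Note that the Defender cmdlets only expose what the local engine recorded; they do not add the behavioural history that the Defender for Endpoint reports in the linked documents provide.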


