Identify malware using the Malware Assessment solution in Log Analytics
You can use the Antimalware solution in Log Analytics to report on the status of antimalware protection in your infrastructure. Installing the solution updates the OMS agent and base configuration for OMS. Antimalware protection status and detected threats on the monitored servers are read. Then, the data is sent to the Log Analytics service for processing. Logic is applied to the received data and the cloud service records the data. Servers with detected threats and servers with insufficient protection are shown in the Antimalware dashboard. By using the information on the Antimalware dashboard, you can identify a plan to apply protection to the servers that need it.
Installing and configuring the solution
Use the following information to install and configure the solution.
- In order to use the Malware Assessment solution, you must subscribe to the Security & Compliance solution offering.
- Add the Malware Assessment solution to your OMS workspace from the Azure Marketplace, or use the process described in Add Log Analytics solutions from the Solutions Gallery. No additional configuration is required.
Log Analytics reports antimalware status for:
- Computers running Windows Defender on Windows 8, Windows 8.1, Windows 10, and Windows Server 2016
- Windows Security Center (WSC) on Windows 8, Windows 8.1, Windows 10, Windows Server 2016
- Servers running System Center Endpoint Protection (v4.5.216 or later), Azure virtual machines with the antimalware extension, and Windows Malicious Software Removal Tool (MSRT)
- Servers with Windows Management Framework (WMF) 3.0 or later (WMF 3.0, WMF 4.0)
- Symantec Endpoint Protection 12.1.1100 and higher
- Trend Micro Deep Security version 9.6 on computers running Windows
In addition to detecting whether third-party solutions are installed, the solution also assesses whether the protection agents are operational. Specifically, OMS Security checks whether the antimalware agents from these vendors on the monitored servers are:
- Running scans at regular intervals
- Using signatures no older than seven days
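The two operational checks above (scans at regular intervals, signatures no older than seven days) are simple enough to reproduce locally, for instance when validating agent data exported from the workspace. The following is an added example, not code from the page or from the OMS solution; the record layout (`computer`, `signature_date`, `scan_dates`) and the weekly maximum gap between scans are assumptions, since the page states the seven-day signature limit but does not define "regular intervals".

```python
from datetime import datetime, timedelta

# Reference time for the constructed sample; a real check would use datetime.utcnow().
NOW = datetime(2017, 3, 10, 12, 0, 0)

# The page states signatures must be no older than seven days. It does not say
# what "regular intervals" means for scans, so a weekly maximum gap is assumed here.
SIGNATURE_MAX_AGE = timedelta(days=7)
SCAN_MAX_INTERVAL = timedelta(days=7)  # assumption, not from the page

# Constructed sample agents. Field names are this example's own, not the
# solution's record schema.
SAMPLE_AGENTS = [
    {"computer": "web01", "signature_date": NOW - timedelta(days=1),
     "scan_dates": [NOW - timedelta(days=d) for d in (1, 3, 6)]},
    {"computer": "db01", "signature_date": NOW - timedelta(days=9),
     "scan_dates": [NOW - timedelta(days=d) for d in (2, 4)]},
    {"computer": "app02", "signature_date": NOW - timedelta(days=2),
     "scan_dates": [NOW - timedelta(days=d) for d in (10, 20)]},
    {"computer": "file03", "signature_date": NOW - timedelta(days=30),
     "scan_dates": []},
]


def signatures_current(agent, now=NOW, max_age=SIGNATURE_MAX_AGE):
    """True when the agent's signature set is no older than max_age."""
    return now - agent["signature_date"] <= max_age


def scans_regular(agent, now=NOW, max_interval=SCAN_MAX_INTERVAL):
    """True when the most recent scan is within max_interval of now and no
    gap between consecutive scans exceeds max_interval."""
    dates = sorted(agent["scan_dates"])
    if not dates:
        return False          # never scanned: cannot be regular
    if now - dates[-1] > max_interval:
        return False          # last scan too long ago
    return all(later - earlier <= max_interval
               for earlier, later in zip(dates, dates[1:]))


def assess(agent, now=NOW):
    """Return the list of protection findings for one agent (empty = operational)."""
    findings = []
    if not signatures_current(agent, now):
        findings.append("signatures older than seven days")
    if not scans_regular(agent, now):
        findings.append("scans not running at regular intervals")
    return findings


def assess_fleet(agents, now=NOW):
    """Map each computer name to its findings."""
    return {a["computer"]: assess(a, now) for a in agents}


if __name__ == "__main__":
    for computer, findings in assess_fleet(SAMPLE_AGENTS).items():
        print(computer, "OK" if not findings else "; ".join(findings))
```

Note that `scans_regular` treats both a stale last scan and a long gap anywhere in the history as a failure; an agent that scanned daily last month but not since is still reported, which matches how a protection gap should be surfaced.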
The antimalware solution does not currently report on:
- Servers running Windows Server 2008 and earlier
- Web and Worker roles in Microsoft Azure
Help us prioritize new features by voting or by adding a new suggestion on our feedback page.
Malware Assessment data collection details
Malware Assessment collects configuration data, metadata, and state data using the agents that you have enabled.
The following table shows data collection methods and other details about how data is collected for Malware Assessment.
| Platform | Direct Agent | Operations Manager agent | Azure Storage | Operations Manager required? | Operations Manager agent data sent via management group | Collection frequency |
|---|---|---|---|---|---|---|
The following table shows examples of data types collected by Malware Assessment:
| Data type | Fields |
|---|---|
| Configuration | CustomerID, AgentID, EntityID, ManagedTypeID, ManagedTypePropertyID, CurrentValue, ChangeDate |
| Metadata | BaseManagedEntityId, ObjectStatus, OrganizationalUnit, ActiveDirectoryObjectSid, PhysicalProcessors, NetworkName, IPAddress, ForestDNSName, NetbiosComputerName, VirtualMachineName, LastInventoryDate, HostServerNameIsVirtualMachine, IP Address, NetbiosDomainName, LogicalProcessors, DNSName, DisplayName, DomainDnsName, ActiveDirectorySite, PrincipalName, OffsetInMinuteFromGreenwichTime |
| State | StateChangeEventId, StateId, NewHealthState, OldHealthState, Context, TimeGenerated, TimeAdded, StateId2, BaseManagedEntityId, MonitorId, HealthState, LastModified, LastGreenAlertGenerated, DatabaseTimeModified |
Review threats for servers
When your computers are adequately protected, active threats are quickly quarantined by your antimalware software and should rarely appear as active threats. For that reason, the following example procedure reviews remediated threats, which show that the Antimalware Assessment solution is working:
- On the Overview page, click the Antimalware Assessment tile.
- On the Antimalware dashboard, review the Detected Threats area and click a server name with remediated threats.
- On the Search page, you can see detailed information about the quarantined threat. Next to Threat, click View.
- On the Search the malware encyclopedia page, click the malware item to view more details about it.
- On the Microsoft Malware Protection Center page for the malware item, review the information in the Summary section. It describes how your antimalware software can detect and remove the threat, and what threat the malware might pose to your computers.
Review protection status
- On the Antimalware dashboard, review the Protection Status area and click No real-time protection.
- Search shows the list of servers without real-time protection.
- Use Log searches in Log Analytics to view detailed malware assessment data.

Computers that do not have supported antimalware software are reported as No real-time protection.
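The two dashboard views described on this page (servers with detected threats, split into active and remediated, and servers reported as No real-time protection) can be reproduced from exported protection records when you want to script the review instead of clicking through the dashboard. The following is an added example, not code from the page or from the OMS solution; the record fields (`Computer`, `TimeGenerated`, `ProtectionStatus`, `Threat`, `ThreatStatus`), the sample values and the set of threat states treated as remediated are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime

# Status string the page says is reported for computers without supported antimalware.
NO_REAL_TIME_PROTECTION = "No real-time protection"

# Threat states treated as remediated. Which exact strings the solution emits is
# an assumption of this example; adjust to match your records.
REMEDIATED_STATES = {"Quarantined", "Removed", "Cleaned"}

# Constructed sample records shaped like the per-computer protection records the
# solution stores; field names, threat names and values are constructed for this example.
SAMPLE_RECORDS = [
    {"Computer": "web01", "TimeGenerated": datetime(2017, 3, 10, 8, 0),
     "ProtectionStatus": "Real-time protection",
     "Threat": "Trojan:Win32/Sample.A", "ThreatStatus": "Quarantined"},
    {"Computer": "web01", "TimeGenerated": datetime(2017, 3, 10, 9, 0),
     "ProtectionStatus": "Real-time protection", "Threat": "", "ThreatStatus": ""},
    {"Computer": "db01", "TimeGenerated": datetime(2017, 3, 10, 8, 0),
     "ProtectionStatus": NO_REAL_TIME_PROTECTION, "Threat": "", "ThreatStatus": ""},
    {"Computer": "app02", "TimeGenerated": datetime(2017, 3, 10, 8, 0),
     "ProtectionStatus": "Real-time protection",
     "Threat": "Backdoor:Win32/Sample.B", "ThreatStatus": "Active"},
    {"Computer": "app02", "TimeGenerated": datetime(2017, 3, 10, 9, 0),
     "ProtectionStatus": "Real-time protection",
     "Threat": "Trojan:Win32/Sample.A", "ThreatStatus": "Removed"},
]


def latest_protection_status(records):
    """Newest ProtectionStatus per computer (agents report repeatedly)."""
    newest = {}
    for rec in records:
        current = newest.get(rec["Computer"])
        if current is None or rec["TimeGenerated"] > current["TimeGenerated"]:
            newest[rec["Computer"]] = rec
    return {name: rec["ProtectionStatus"] for name, rec in newest.items()}


def servers_without_real_time_protection(records):
    """The list that clicking No real-time protection on the dashboard produces."""
    status = latest_protection_status(records)
    return sorted(name for name, value in status.items()
                  if value == NO_REAL_TIME_PROTECTION)


def threats_by_server(records):
    """Group detections per computer into active and remediated threats."""
    result = defaultdict(lambda: {"active": [], "remediated": []})
    for rec in records:
        if not rec["Threat"]:
            continue  # a status-only record, no detection
        bucket = "remediated" if rec["ThreatStatus"] in REMEDIATED_STATES else "active"
        result[rec["Computer"]][bucket].append(rec["Threat"])
    return dict(result)


def dashboard_summary(records):
    """Servers with detected threats and servers with insufficient protection."""
    threats = threats_by_server(records)
    return {
        "servers_with_active_threats": sorted(c for c, t in threats.items() if t["active"]),
        "servers_with_remediated_threats": sorted(c for c, t in threats.items() if t["remediated"]),
        "servers_without_real_time_protection": servers_without_real_time_protection(records),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(dashboard_summary(SAMPLE_RECORDS))
```

Protection status is taken from the newest record per computer, because an agent that has since been repaired should drop off the unprotected list; threats, by contrast, are kept from every record so that a detection that was later remediated still appears in the remediated view the page recommends reviewing.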