Identify malware using the Malware Assessment solution in Log Analytics


You can use the Antimalware solution in Log Analytics to report on the status of antimalware protection in your infrastructure. Installing the solution updates the OMS agent and base configuration for OMS. Antimalware protection status and detected threats on the monitored servers are read. Then, the data is sent to the Log Analytics service for processing. Logic is applied to the received data and the cloud service records the data. Servers with detected threats and servers with insufficient protection are shown in the Antimalware dashboard. By using the information on the Antimalware dashboard, you can identify a plan to apply protection to the servers that need it.

Installing and configuring the solution

Use the following information to install and configure the solution.

Use Antimalware

Log Analytics reports antimalware status for:

  • Computers running Windows Defender on Windows 8, Windows 8.1, Windows 10, and Windows Server 2016
  • Windows Security Center (WSC) on Windows 8, Windows 8.1, Windows 10, and Windows Server 2016
  • Servers running System Center Endpoint Protection (v4.5.216 or later), Azure virtual machines with the antimalware extension, and Windows Malicious Software Removal Tool (MSRT)
  • Servers with Windows Management Framework 3.0 or later (WMF 3.0, WMF 4.0)
  • Symantec Endpoint Protection 12.1.1100 and higher
  • Trend Micro Deep Security version 9.6 on computers running Windows

In addition to detecting when third-party solutions are installed, an additional assessment determines whether protection by those agents is operational. Specifically, OMS Security tests whether the antimalware agents from these vendors on the monitored servers are:

  • Enabled
  • Running scans at regular intervals
  • Using signatures no older than seven days
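To see what these three checks look like on a single host, here is an added PowerShell example (not code from the solution or from this documentation) that evaluates a Windows Defender status object against the same criteria. It assumes the Defender PowerShell module's Get-MpComputerStatus cmdlet is available and, because the text gives no scan interval, treats a scan within the last seven days as "regular".

```powershell
# Added example; not part of the Log Analytics solution or its documentation.
# Assumes Windows Defender with its PowerShell module (Get-MpComputerStatus).
function Test-AntimalwareHealth {
    param(
        # A Get-MpComputerStatus result; defaults to the local machine so the
        # function can also be fed a constructed object for illustration
        $Status = (Get-MpComputerStatus),
        [int]$MaxSignatureAgeDays = 7,   # threshold stated in the text
        [int]$MaxScanAgeDays = 7         # assumed scan interval; the text does not give one
    )

    # Check 1: agent enabled with real-time protection
    $enabled    = [bool]$Status.AntivirusEnabled -and [bool]$Status.RealTimeProtectionEnabled
    # Check 2: signatures no older than the threshold (age reported in days)
    $sigCurrent = $Status.AntivirusSignatureAge -le $MaxSignatureAgeDays
    # Check 3: a recent quick or full scan counts as scanning at regular intervals
    $scanAge    = [Math]::Min([double]$Status.QuickScanAge, [double]$Status.FullScanAge)
    $scansOk    = $scanAge -le $MaxScanAgeDays

    $findings = @()
    if (-not $enabled)    { $findings += 'No real-time protection' }
    if (-not $sigCurrent) { $findings += "Signatures are $($Status.AntivirusSignatureAge) days old" }
    if (-not $scansOk)    { $findings += "Last scan was $scanAge days ago" }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RealTimeProtection = $enabled
        SignatureAgeDays   = $Status.AntivirusSignatureAge
        SignaturesCurrent  = $sigCurrent
        LastScanAgeDays    = $scanAge
        ScansRecent        = $scansOk
        Protected          = ($enabled -and $sigCurrent -and $scansOk)
        Findings           = ($findings -join '; ')
    }
}

# Live check on this host
Test-AntimalwareHealth | Format-List

# Constructed status object that mimics a neglected server (illustration only)
$stale = [pscustomobject]@{
    AntivirusEnabled = $true; RealTimeProtectionEnabled = $false
    AntivirusSignatureAge = 12; QuickScanAge = 30; FullScanAge = 90
}
Test-AntimalwareHealth -Status $stale | Format-List
```

The constructed object fails all three checks and reports them in Findings, which is the same condition the dashboard surfaces as insufficient protection.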

The antimalware solution does not currently report on:

  • Servers running Windows Server 2008 and earlier
  • Web and Worker roles in Microsoft Azure


Malware Assessment data collection details

Malware Assessment collects configuration data, metadata, and state data using the agents that you have enabled.

The following table shows data collection methods and other details about how data is collected for Malware Assessment.

Platform | Direct Agent | Operations Manager agent | Azure Storage | Operations Manager required? | Operations Manager agent data sent via management group | Collection frequency
Windows | | | | | | hourly

The following table shows examples of data types collected by Malware Assessment:

Data type | Fields
Configuration | CustomerID, AgentID, EntityID, ManagedTypeID, ManagedTypePropertyID, CurrentValue, ChangeDate
Metadata | BaseManagedEntityId, ObjectStatus, OrganizationalUnit, ActiveDirectoryObjectSid, PhysicalProcessors, NetworkName, IPAddress, ForestDNSName, NetbiosComputerName, VirtualMachineName, LastInventoryDate, HostServerNameIsVirtualMachine, IP Address, NetbiosDomainName, LogicalProcessors, DNSName, DisplayName, DomainDnsName, ActiveDirectorySite, PrincipalName, OffsetInMinuteFromGreenwichTime
State | StateChangeEventId, StateId, NewHealthState, OldHealthState, Context, TimeGenerated, TimeAdded, StateId2, BaseManagedEntityId, MonitorId, HealthState, LastModified, LastGreenAlertGenerated, DatabaseTimeModified

Review threats for servers

When your computers are adequately protected, active threats are quickly quarantined by your antimalware software and should rarely appear as active threats. For that reason, the following example procedure reviews remediated threats, which show the effectiveness of the Antimalware Assessment solution:

  1. On the Overview page, click the Antimalware Assessment tile.
  2. On the Antimalware dashboard, review the Detected Threats area and click a server name with remediated threats.
  3. On the Search page, you can see detailed information about the quarantined threat. Next to Threat, click View.
  4. On the Search the malware encyclopedia page, click the malware item to view more details about it.
  5. On the Microsoft Malware Protection Center page for the malware item, review the information in the Summary section. It describes how your antimalware software can detect and remove the threat, and what threat the malware might pose to your computers.

Review protection status

  1. On the Antimalware dashboard, review the Protection Status area and click No real-time protection.
  2. Search shows a list of servers without protection.
  3. Servers without real-time protection are displayed.

Computers that do not have supported antimalware software are reported as No real-time protection.

Next steps