Find Windows Defender Installations With Scan Problems
Microsoft released a new update for Windows Defender. Unfortunately, version 4.18.1908.7 has a critical bug that breaks manual and scheduled scanning. This means that Quick and Full antivirus scans, as well as any scans you scheduled, are not performed.
Microsoft released a fix for the issue shortly after complaints came in, delivered as Windows Defender definition update KB2267602 (Version 1.301.1684.0). To make sure that your computers and servers are not affected, you can run the audit below, which checks your Windows Defender version and the definition version.
Both the version and definition version can be retrieved through custom registry scanning.
Rootkey: HKEY_LOCAL_MACHINE
Regpath: SOFTWARE\Microsoft\Windows Defender
Regvalue: InstallLocation
Rootkey: HKEY_LOCAL_MACHINE
Regpath: SOFTWARE\Microsoft\Windows Defender\Signature Updates
Regvalue: AVSignatureVersion
Windows Defender Version Query
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> '' Then 'Yes'
    Else 'No'
  End As VersionFound,
  SubQuery1.Value As InstallLocation,
  Case
    When SubQuery2.Valuename Is Not Null And SubQuery2.Valuename <> '' Then 'Yes'
    Else 'No'
  End As DefinitionVersionFound,
  SubQuery2.Value As AVSignatureVersion,
  Case
    When SubQuery1.Value Like '%4.18.1908.7%' And
      SubQuery2.DefinitionVersion >= 130116840 Then 'Safe'
    When SubQuery1.Value Not Like '%4.18.1908.7%' Then 'Safe'
    When SubQuery1.Valuename Is Null Then 'RegKey not found'
    Else 'Update Defender Definition'
  End As Status,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  TsysLastscan.Lasttime As LastRegistryScan,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then
      'Last registry scan more than 24 hours ago! Scanned registry information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  Case
    When SubQuery1.Value Like '%4.18.1908.7%' And
      SubQuery2.DefinitionVersion >= 130116840 Then '#d4f4be'
    When SubQuery1.Value Not Like '%4.18.1908.7%' Then '#d4f4be'
    When SubQuery1.Valuename Is Null Then ''
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
      tblRegistry.Regkey,
      tblRegistry.Valuename,
      tblRegistry.Value,
      tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Microsoft\Windows Defender' And
      tblRegistry.Valuename = 'InstallLocation') SubQuery1 On
    SubQuery1.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID,
      tblRegistry.Regkey,
      tblRegistry.Valuename,
      tblRegistry.Value,
      Convert(bigint,Replace(tblRegistry.Value, '.', '')) As DefinitionVersion,
      tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like
      '%SOFTWARE\Microsoft\Windows Defender\Signature Updates' And
      tblRegistry.Valuename = 'AVSignatureVersion') SubQuery2 On
    SubQuery2.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry' And
  tsysOS.OSname In ('Win 10', 'Win 7', 'Win 8', 'Win 8.1', 'Win 2016',
  'Win 2008 R2', 'Win 2012', 'Win 2012 R2', 'Win 2019')
Order By tblAssets.Domain,
  tblAssets.AssetName
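
The Status logic of the report, as an added Python example (not Lansweeper's code) run over constructed sample rows. It compares AVSignatureVersion component by component rather than as the dot-stripped integer the query uses, so a definition version with fewer digits, such as the constructed 1.303.22.0, still ranks above 1.301.1684.0. The function names and the sample InstallLocation paths are assumptions.

```python
AFFECTED_PLATFORM = "4.18.1908.7"     # from the page: build with the scan bug
FIXED_DEFINITION = (1, 301, 1684, 0)  # from the page: definition 1.301.1684.0

def parse_version(text):
    """Return 'a.b.c.d' as a tuple of ints, or None when missing or malformed."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except (AttributeError, ValueError):
        return None
    return parts if len(parts) == 4 and min(parts) >= 0 else None

def concatenated(text):
    """Dots stripped and read as one integer, as the report query does."""
    return int(text.replace(".", ""))

def classify(install_location, av_signature_version):
    """Same outcomes as the report's Status column, compared per component."""
    if install_location is None:
        return "RegKey not found"
    if AFFECTED_PLATFORM not in install_location:
        return "Safe"
    current = parse_version(av_signature_version)
    if current is not None and current >= FIXED_DEFINITION:
        return "Safe"
    return "Update Defender Definition"

# Constructed sample rows: (asset, InstallLocation, AVSignatureVersion)
BAD = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1908.7-0"
OK = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1907.4-0"
SAMPLE_ROWS = [
    ("PC-01", BAD, "1.301.1500.0"),  # affected build, old definitions
    ("PC-02", BAD, "1.301.1684.0"),  # affected build, fixed definitions
    ("PC-03", BAD, "1.303.22.0"),    # newer definitions, fewer digits
    ("PC-04", OK, "1.299.100.0"),    # different platform build
    ("PC-05", None, None),           # registry values never scanned
    ("PC-06", BAD, ""),              # value present but empty
]

def audit(rows):
    """Map each asset name to its status."""
    return {asset: classify(loc, sig) for asset, loc, sig in rows}

if __name__ == "__main__":
    for asset, status in audit(SAMPLE_ROWS).items():
        print(f"{asset}: {status}")
    # As integers, 1.303.22.0 (1303220) sorts below 1.301.1684.0 (130116840).
    print(concatenated("1.303.22.0"), concatenated("1.301.1684.0"))
```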