Add Windows AV policy (#18551)

Adds policy and query to verify Windows Defender is installed and working on Windows. #18494
fleetdm · Apr 29, 2024 · 0b66bc4 · 0b66bc4
1 parent ea86f9e
commit 0b66bc4
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/it-and-security/lib/collect-windows-defender.queries.yml b/it-and-security/lib/collect-windows-defender.queries.yml
@@ -0,0 +1,10 @@
+- name: Collect Windows Defender
+  automations_enabled: false
+  description: Collects the pid, process name, user, path and command line for Windows Defender installed on hosts.
+  discard_data: false
+  interval: 3600
+  logging: snapshot
+  min_osquery_version: ""
+  observer_can_run: true
+  platform: "windows"
+  query: SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';
diff --git a/it-and-security/lib/windows-device-health.policies.yml b/it-and-security/lib/windows-device-health.policies.yml
@@ -22,4 +22,10 @@
   description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
   resolution: "As an IT admin, deploy a Windows profile with the DevicePasswordEnabled and MinDevicePasswordLength option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock"
   platform: windows
+- name: Windows - Antivirus healthy
+  query: SELECT 1 from windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date=1;
+  critical: false
+  description: Checks the status of antivirus and signature updates from the Windows Security Center.
+  resolution: "Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center."
+  platform: windows