From 0b66bc4a9b1a9f94f52d856ca3ec7f37f42fb729 Mon Sep 17 00:00:00 2001
From: JD
Date: Mon, 29 Apr 2024 07:53:04 -0700
Subject: [PATCH] Add Windows AV policy (#18551)
Adds policy and query to verify Windows Defender is installed and working on Windows. https://github.com/fleetdm/fleet/issues/18494
---
 .../lib/collect-windows-defender.queries.yml | 10 ++++++++++
 it-and-security/lib/windows-device-health.policies.yml | 6 ++++++
 2 files changed, 16 insertions(+)
 create mode 100644 it-and-security/lib/collect-windows-defender.queries.yml
diff --git a/it-and-security/lib/collect-windows-defender.queries.yml b/it-and-security/lib/collect-windows-defender.queries.yml
new file mode 100644
index 000000000000..739dfcd9992a
--- /dev/null
+++ b/it-and-security/lib/collect-windows-defender.queries.yml
@@ -0,0 +1,10 @@
+- name: Collect Windows Defender
+  automations_enabled: false
+  description: Collects the pid, process name, user, path and command line for Windows Defender installed on hosts.
+  discard_data: false
+  interval: 3600
+  logging: snapshot
+  min_osquery_version: ""
+  observer_can_run: true
+  platform: "windows"
+  query: SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';
\ No newline at end of file
diff --git a/it-and-security/lib/windows-device-health.policies.yml b/it-and-security/lib/windows-device-health.policies.yml
index 5a15b90cc557..40e276caae13 100644
--- a/it-and-security/lib/windows-device-health.policies.yml
+++ b/it-and-security/lib/windows-device-health.policies.yml
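Review bot: The query on the last added line matches `name LIKE 'MpCmdRun.exe'`, which is Defender's on-demand command-line utility rather than its resident antimalware service, so an hourly snapshot will usually return no rows and an empty result cannot distinguish "Defender not installed" from "no scan running at this moment"; the description's claim that this collects Defender processes "installed on hosts" therefore overstates what the data shows. Matching the resident engine process as well — presumably `MsMpEng.exe` — yields a row whenever real-time protection is running, e.g. `query: SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND processes.name IN ('MsMpEng.exe', 'MpCmdRun.exe');`. `LIKE` without a wildcard is just `=`, and `name` should be qualified as `processes.name` because the join makes bare column names fragile. Minor style: `platform: "windows"` is quoted here but unquoted in windows-device-health.policies.yml, and the new file lacks a trailing newline.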
@@ -22,4 +22,10 @@
 description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
 resolution: "As an IT admin, deploy a Windows profile with the DevicePasswordEnabled and MinDevicePasswordLength option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock"
 platform: windows
+- name: Windows - Antivirus healthy
+  query: SELECT 1 from windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date=1;
+  critical: false
+  description: Checks the status of antivirus and signature updates from the Windows Security Center.
+  resolution: "Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center."
+  platform: windows
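Review bot: The added query filters windows_security_products on `type = 'Antivirus' AND signatures_up_to_date=1` but never checks the product's `state`, so a registered antivirus that is switched off yet still has current signatures satisfies the product side while `antivirus = 'Good'` may come from a different product, and the CROSS JOIN lets any such row combination pass the policy. Qualifying the columns with the aliases the query already declares and adding the state check makes the intent explicit: `query: SELECT 1 FROM windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE wsc.antivirus = 'Good' AND wsp.type = 'Antivirus' AND wsp.state = 'On' AND wsp.signatures_up_to_date = 1;`. The Windows Security Center service is presumably absent on Windows Server SKUs, where both tables return no rows and this policy would fail on every server; if server hosts share this policy file, that limitation belongs in `description`. Minor: `from` is lowercase while the rest of the SQL is uppercase, and `signatures_up_to_date=1` lacks the spaces used around the other operators.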