TEAM: Huntress Managed Endpoint Detection and Response (EDR)
PRODUCT: Managed Defender
ENVIRONMENT: Windows
SUMMARY: Managed Defender allows Huntress to manage specific policies used by Defender antivirus, while collecting log data to streamline information to the Huntress SOC team.
Supported Operating Systems
Please see Supported Operating Systems / System Requirements / Compatibility for the full list of supported operating systems.
Important: Any machine joined to an Active Directory domain that cannot communicate with a domain controller will be unable to set local policies, and therefore will be unable to use the Managed Defender policy until communication is restored.
Agent View
Security Center Status
- Enabled
- Disabled
- Missing
Service Status
- Running
- Stopped
- N/A
- Error
Most of the status messages are self-explanatory except for "Error." Error is usually a temporary issue that resolves itself within a day or two. It is caused by what is unofficially known as "Patch Tuesday": on the second Tuesday of each month, Microsoft releases security updates and patches for its software products. These are intended to keep systems secure by addressing vulnerabilities and improving overall functionality.
Why the Error?
This occurs when Defender is put into a state where some of the API calls to it fail.
How can you resolve the error manually instead of waiting for it to self-heal?
The endpoint can be manually restarted, which usually resolves the issue after a short delay once the host is back online.
What is Huntress doing to prevent these in the future?
We are working on new ways of talking to Defender to reduce or prevent this error from occurring.
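The following is an added example, not the Huntress agent's own code, that approximates the Agent View statuses above from the local host so an administrator can confirm what the agent is reporting. It assumes an elevated PowerShell session on Windows 10 or newer, reads the WinDefend service and Get-MpComputerStatus, and treats the Security Center WMI namespace (root/SecurityCenter2, present on client editions only) as optional; the "Error" branch reflects the page's explanation that a failing Defender API call produces that status.

```powershell
# Added example: reproduce the Agent View classification locally.
# Assumption: run elevated; cmdlets and namespaces below are the standard Windows ones.

function Get-DefenderServiceStatus {
    # Maps to the page's Service Status values: Running / Stopped / N/A / Error
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'N/A' }   # Defender service absent (third-party AV or feature not installed)
    try {
        # The page attributes "Error" to Defender API calls failing; this call exercises that API.
        $null = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        return 'Error'
    }
    if ($svc.Status -eq 'Running') { return 'Running' }
    return 'Stopped'
}

function Get-DefenderSecurityCenterStatus {
    # Maps to the page's Security Center Status values: Enabled / Disabled / Missing
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' `
            -ErrorAction SilentlyContinue | Where-Object { $_.displayName -like '*Defender*' }
    if (-not $av) {
        # Editions without Security Center (e.g. Server): fall back to the Defender cmdlet.
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if (-not $mp) { return 'Missing' }
        if ($mp.AntivirusEnabled) { return 'Enabled' } else { return 'Disabled' }
    }
    # SecurityCenter2 productState: bit 0x1000 set means the product is enabled.
    if (($av.productState -band 0x1000) -ne 0) { return 'Enabled' } else { return 'Disabled' }
}

[pscustomobject]@{
    SecurityCenterStatus = Get-DefenderSecurityCenterStatus
    ServiceStatus        = Get-DefenderServiceStatus
}
```

If the output shows Error while WinDefend is Running, the host is in the post-update state described above, and a restart is the documented manual fix.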
Alerting and Detections
All Defender detections can be seen on the Managed Defender dashboard by clicking 'view all detections'. The Huntress SOC team will send an incident report for any high-severity Defender detection that is not successfully remediated by Defender.
If Huntress is showing "Defender Disabled," please see: Enable Microsoft Defender via PowerShell and Remove Third Party Antivirus Solutions (Client OS only).
Additional Information
The Managed Defender feature uses the Microsoft Defender Antivirus that is built into Windows 10 or newer (and Windows Server 2016 or newer) and does not require additional licensing. Microsoft Defender is consistently ranked as a top product for protection, performance, and security by AV-Test. Additionally, cybersecurity experts such as Tavis Ormandy (Google Project Zero), Robert O'Callahan (ex-Mozilla engineer), and Justin Schuh (Google Chrome team, former NSA/CIA) continue to highlight how the non-ATP Defender produces solid results while introducing minimal additional attack surface, unlike many third-party antivirus products.
For more information, see our blog post "Why Microsoft Defender Antivirus is worth another look".
Please see the Managed Defender section of our knowledgebase for additional information.