Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
a
Avik Sengupta
02/09/2022, 10:02 PMDoes anyone have a query or a policy handy that checks if windows defender is enabled on a machine? Thanks!
n
Noah Talerman
02/09/2022, 11:03 PM@Guillaume IIRC you’re currently working on a policy that checks this or something like it.
g
Guillaume
02/09/2022, 11:04 PMYes! I am adding it to the Fleet website tomorrow. @Avik Sengupta I’m going to give you one that is a regular query, and another one that is a policy query:
This one lets you query normally:
SELECT antivirus, signatures_up_to_date from windows_security_center CROSS JOIN windows_security_products WHERE type = 'Antivirus';:ty: 1
This one is the policy query
SELECT 1 from windows_security_center CROSS JOIN windows_security_products WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date=1;`:ty: 1
a
Avik Sengupta
02/09/2022, 11:06 PMThanks a ton, that's perfect!
g
Guillaume
02/10/2022, 11:29 AMYou're welcome!