Question: Reviewing Microsoft Defender Antivirus event logs for malicious activity?

Oblivion77

Distinguished
Jul 6, 2018
Hello

When reviewing event logs for Microsoft Defender Antivirus, and wanting to find out if something malicious was stopped, quarantined, removed etc.:

What else should I consider looking for besides the IDs listed below?
(I know some of them are mentioned more than once.)

Detection:
1006
1015
1116
1117
1118
1119 (fail)
1127

Quarantine:
1007
1008
1117
1118
1119

Removal:
1007
1008
1011
1117
1118
1119

There is also:
1123 - Remediation completed successfully
5010 - File scanned and determined to be infected

I assume that Windows Security Center only gives a brief overview of the most important things, and that the event log and error codes (above) give more information?

Thank you
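One way to turn the ID list above into an actual review is to query the Defender operational log with Get-WinEvent, classify each hit, and pull the threat name, path, action and severity out of the message body. The script below is an added example, not code from the original post or from Microsoft; the 30-day window, the grouping of IDs into "detection / action taken / action failed / quarantine" buckets and the field-extraction regex are assumptions made here, and the Get-DefenderField helper is a hypothetical name. It must run in an elevated PowerShell session on the machine being reviewed.

```powershell
# Added example (not from the original post): review Microsoft Defender Antivirus
# events for the IDs listed in the question and summarise what was detected,
# what was remediated and, most importantly, what remediation FAILED.
# Run in an elevated PowerShell session on the machine being reviewed.

$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# Grouping by what the event means, rather than by the overlapping lists in the post.
# 1116/1117/1118/1119 are the current "detected / action performed / action failed /
# critical error while acting" events; 1006/1007/1008 are their older equivalents.
# 1015, 1123, 1127 and 5010 are carried over from the post; verify any ID you rely on
# against Microsoft's own event reference before building a rule on it.
$DetectionIds    = 1006, 1015, 1116, 1127
$ActionTakenIds  = 1007, 1117, 1123
$ActionFailedIds = 1008, 1118, 1119
$QuarantineIds   = 1011              # item deleted from quarantine
$OtherIds        = 5010
$AllIds = $DetectionIds + $ActionTakenIds + $ActionFailedIds + $QuarantineIds + $OtherIds

$StartTime = (Get-Date).AddDays(-30)  # assumption: a 30-day review window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = $AllIds
    StartTime = $StartTime
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Defender detection/remediation events in '$LogName' since $StartTime"
    return
}

# Defender writes the useful fields into the message body as "Label: value" lines
# (Name:, Severity:, Path:, Action:, ...). Hypothetical helper; anchored at line start
# so that "Process Name:" does not match a lookup for "Name".
function Get-DefenderField {
    param([string]$Message, [string]$Label)
    $pattern = "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$"
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$report = foreach ($e in $events) {
    $class = 'Other'
    if     ($e.Id -in $DetectionIds)    { $class = 'Detection' }
    elseif ($e.Id -in $ActionTakenIds)  { $class = 'Action taken' }
    elseif ($e.Id -in $ActionFailedIds) { $class = 'Action FAILED' }
    elseif ($e.Id -in $QuarantineIds)   { $class = 'Quarantine' }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Class    = $class
        Threat   = Get-DefenderField -Message $e.Message -Label 'Name'
        Severity = Get-DefenderField -Message $e.Message -Label 'Severity'
        Action   = Get-DefenderField -Message $e.Message -Label 'Action'
        Path     = Get-DefenderField -Message $e.Message -Label 'Path'
    }
}

# Timeline of everything Defender logged about threats in the window.
$report | Sort-Object Time | Format-Table Time, Id, Class, Threat, Severity, Action, Path -AutoSize -Wrap

# The cases worth chasing: a detection whose remediation failed (1118/1119/1008)
# means the file may still be on disk even though a detection was logged.
$failed = $report | Where-Object Class -eq 'Action FAILED'
if ($failed) {
    Write-Host "`n$($failed.Count) remediation failure(s) - investigate these first:"
    $failed | Format-List Time, Id, Threat, Path, Action
}

# The engine's own detection history, which is what the Windows Security
# "Protection history" page is drawn from; useful when that page shows nothing.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources, ProcessName |
    Format-Table -AutoSize -Wrap
```

If the Get-WinEvent call returns nothing at all, check that the log exists and has not been cleared (`Get-WinEvent -ListLog 'Microsoft-Windows-Windows Defender/Operational'` shows the record count); an empty operational log together with an empty Protection history is itself something to note during a review.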
 
I have never encountered any messages, notifications, logs etc. in Windows Security Center that showed a threat was blocked, deleted or in quarantine.
So I am not sure, how much and if all important info is displayed in Windows Security Center.

As for point 3 below:
"Protection history" has always been empty on my system.
How long can you see Protection history? Does it empty itself after some time?

AI says:
To find out if Windows Defender has stopped malware, check the Protection History within the Windows Security app. This section displays recent actions taken by Windows Defender, including blocked threats and removed Potentially Unwanted Apps. You can also perform a manual scan to check for and remove any potential threats.

Here's how to check:
  1. Open Windows Security: Click the shield icon in the system tray or search for "Windows Security" in the Start menu.

  2. Navigate to Virus & threat protection: Select "Virus & threat protection" from the main menu.

  3. Access Protection history: Scroll down and click on "Protection history".

  4. Review the list: Examine the list of actions. If a threat was blocked or removed, it will be listed here, along with the date and time it was addressed.

  5. Check for quarantined items: You can also filter the list to show quarantined items to see if anything was isolated.