Day 5: Windows Defender Antivirus Log Analysis
Objective: Investigate malware detection events in Microsoft Defender logs. Defender logs events like 1006 (Malware Detected) and 1007 (Action Taken) under Windows Defender/Operational. Learners will find and interpret these security events[6].
Challenge Description: A security alert reports that Microsoft Defender on the Windows Server 2022 DC01.TALOSEC.local detected and handled a suspicious file. Your task is to reproduce this event in a controlled environment, identify the corresponding Defender detection events in the Operational log, and analyze details such as the threat name, file path, process involved, and Defender’s action (e.g., quarantined, blocked, cleaned). This exercise demonstrates how Defender logs malware activity for incident response and forensic review.
Tools: Event Viewer (Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational).
Step-by-step Instructions:
Goal: Create a safe malware detection event without using real malware — using a harmless EICAR test file (an official, non-malicious antivirus test string recognized by all major AV products, including Defender).
Simulation Setup
Open Windows Security → Virus & threat protection.
Ensure Real-time protection is turned ON.
💡 If Defender is managed by GPO, you can temporarily remove or disable third-party AV and re-enable Defender via PowerShell:
Set-MpPreference -DisableRealtimeMonitoring $false
Download the EICAR test file from https://www.eicar.org/download-anti-malware-testfile/ in a safe, isolated environment.
Create the EICAR Test File
Open Notepad.
Copy and paste this official EICAR string (exactly as shown, single line):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Save the file to your desktop as:
1. Open Defender Operational Log: In Event Viewer, navigate to Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational.
2. Filter for Detection Events: Click Filter Current Log… and enter 1006, 1007 in the Event IDs field (1006 = malware found, 1007 = action taken). Click OK.
3. Inspect the Malware Detected Event: Select the most recent Event ID 1006 entry. In the General tab, you’ll see details like Threat Name, Severity, User, and Process Name. For example:
4. Inspect the Action Taken Event: Just after it, there should be an Event ID 1007 entry indicating what action was taken (e.g., quarantined, cleaned). It will reference the same threat name and give Action details.
5. Interpret the Detection: In this example, Defender detected malware.exe and prevented it. The Process Name svchost.exe shows which service was handling the file. An analyst would note the threat name and path for response.
PowerShell (optional): You can also extract these Defender events:
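The extraction referred to above, as an added example that is not part of the original course material: a PowerShell function (Get-DefenderDetectionEvents is a hypothetical name) that queries the Operational log for event IDs 1006 and 1007 and pulls out the fields the challenge asks about. The EventData field labels it selects are assumptions; confirm them on your host with -ShowAllFields.

```powershell
# Added example (not from the original course page): pull Defender event IDs
# 1006 (Malware Detected) and 1007 (Action Taken) from the Operational log and
# flatten each event's EventData <Data Name="..."> elements into one object.
# Assumption: the field labels "Threat Name", "Path", "Process Name",
# "Action Name" and "Severity Name" match the target host; -ShowAllFields lists
# whatever labels the host actually reports.
function Get-DefenderDetectionEvents {
    param(
        [int]$MaxEvents = 20,
        [int[]]$EventId = @(1006, 1007),
        [switch]$ShowAllFields
    )
    # Get-WinEvent throws if nothing matches, so suppress and check ourselves.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = $EventId
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No Defender events with ID $($EventId -join ', ') found yet."
        return
    }
    foreach ($e in $events) {
        # Each event carries its details as <Data Name="...">value</Data> elements.
        $xml = [xml]$e.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $fields[$d.Name] = $d.'#text' }
        }
        if ($ShowAllFields) { [pscustomobject]$fields; continue }
        $label = if ($e.Id -eq 1006) { 'Malware Detected' } else { 'Action Taken' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Event       = $label
            ThreatName  = $fields['Threat Name']
            Path        = $fields['Path']
            ProcessName = $fields['Process Name']
            Action      = $fields['Action Name']
            Severity    = $fields['Severity Name']
        }
    }
}
# Usage: newest first, the same order Event Viewer shows them.
Get-DefenderDetectionEvents -MaxEvents 10 | Format-Table -AutoSize
```

Pair a 1006 row with the 1007 row that follows it (same ThreatName and Path) to confirm what Defender did with the file.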
Simulated Output: The above snippet illustrates a Defender Malware Detected event. It shows the malware name, where it was found, and that it was prevented[6]. In a SOC, such an event is high priority for threat removal and forensic analysis.