July 27th, 2021

The road to antivirus integration

Along with LimaCharlie’s ability to monitor the endpoint and secure the network, we get asked a lot about antivirus. To respond to this demand we have started integrating antivirus solutions and are starting with Windows Defender.

Windows Defender is an obvious first choice as it has one of the biggest installation bases of any antivirus in existence, and because it is consistently one of the top-rated free solutions in this product class.

The Windows LimaCharlie sensor can listen, alert and automate based on various Defender events.

This is done by listening for events from the Windows Defender event log source and using D&R (detection and response) rules to take the appropriate action.

A template to alert on the common Defender events of interest is available here. The template can be used in conjunction with Infrastructure As Code Service or its user interface in the web app.

[Images: a Windows Defender event in the web app; the Windows Defender console in the web app; the Infrastructure config view in the LimaCharlie web app]

Specifically, the template alerts on the following Defender events:

windows-defender-malware-detected (event ID 1006)

windows-defender-history-deleted (event ID 1013)

windows-defender-behavior-detected (event ID 1015)

windows-defender-activity-detected (event ID 1116)
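To make the matching concrete, here is an added Python example (it is not LimaCharlie's D&R engine or the template itself) that applies the same provider and event-ID check to records in the standard Windows Event Log XML schema and maps the four event IDs above to the template's detection names; the sample records are constructed.

```python
import xml.etree.ElementTree as ET

# Standard Windows Event Log XML namespace and the Defender provider name.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"

# Event IDs the template alerts on, mapped to the detection names from the post.
DEFENDER_ALERTS = {
    1006: "windows-defender-malware-detected",
    1013: "windows-defender-history-deleted",
    1015: "windows-defender-behavior-detected",
    1116: "windows-defender-activity-detected",
}

def classify_event(xml_record):
    """Detection name for one record, or None if it is not a Defender
    event or not one of the event IDs of interest."""
    root = ET.fromstring(xml_record)
    provider = root.find("e:System/e:Provider", NS)
    event_id = root.find("e:System/e:EventID", NS)
    if provider is None or event_id is None:
        return None
    if provider.get("Name") != DEFENDER_PROVIDER:
        return None  # the same ID from another provider must not fire
    try:
        return DEFENDER_ALERTS.get(int(event_id.text))
    except (TypeError, ValueError):
        return None

def alerts_for(records):
    """Detection names that fire for a batch of records, in order."""
    return [name for name in map(classify_event, records) if name]

def _record(provider, event_id):
    """Minimal constructed record in the Windows Event Log XML schema."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        '</System><EventData/></Event>'
    )

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    _record(DEFENDER_PROVIDER, 1116),           # activity detected -> alert
    _record(DEFENDER_PROVIDER, 1013),           # history deleted -> alert
    _record(DEFENDER_PROVIDER, 1001),           # scan finished -> ignored
    _record("Microsoft-Windows-Sysmon", 1006),  # other provider -> ignored
]
```

Checking the provider name as well as the event ID matters: event IDs are only unique per provider, so a rule keyed on the ID alone would fire on unrelated logs.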

If you have a particular antivirus solution you would like to see integrated next, please contact us.
