Tag Archives: antivirus

How to get Antivirus-related Data from Microsoft Defender for Endpoint using Intune and Graph API

Hello everyone! In this episode, I would like to tell you how I tried to automatically get antivirus-related data (current status, engine and signature version, last full scan date) from Microsoft Defender for Endpoint using Microsoft Intune and the Graph API.

Why is this necessary?

You might assume that if the Defender for Endpoint agent is installed on the host, everything should be fine automatically. But in fact, the antivirus engine and signature versions may be outdated, and real-time protection may be disabled. So all of this needs to be monitored.

Graph API

This will be the third episode about Microsoft Enterprise Security APIs. The first was about Defender and the Defender API, the second was about Intune and the Intune API. And today I’m going to talk about the Graph API, which should probably replace all the other APIs and should be more logical and easier. Although in my opinion it is even stranger and poorly documented. I didn’t like it.


Why Asset Management is so important for Vulnerability Management and Infrastructure Security?

When people ask me how they should start building a Vulnerability Management process in their organization (well, sometimes it happens), I advise them to create an effective Asset Management process first. Because it’s the foundation of the whole Infrastructure Security.

Asset Management. Because someone has to clean up this mess.

The term “Asset Management” has different meanings, and if you start to google it, you will get results related mainly to the finance sphere. I use this term the way Qualys and Tenable do. For me, Asset Management is the process of dealing with network hosts.

So, what should you do in the situation described in the tweet above, when you don’t know exactly how many Windows hosts you have in your corporate IT environment? And, more importantly, why do you need to know?


Carbon Blacking your sensitive data it’s what the agents normally do

But usually without such consequences. In this situation with Carbon Black, I am most interested in the actual reasons for all this media noise. At what point does business as usual become a scandal? Ok, when you see a Carbon Black customer’s private files in public access at VirusTotal, it’s a 100% epic fail. But what about the other options?

Carbon Black and DirectDefense: illustration from the investigation by DirectDefense

  1. The agent analyzes the file itself on the user’s host. It’s probably ok. Some paranoid person, like me, may say that data could leak during the update process, as in the case of M.E.Doc. But it can probably be detected in traffic somehow.
  2. The agent sends the file to the vendor’s cloud for further analysis in some private multiscanner. The vendor will have a copy of your private data. What if this data leaks? Are you sure the vendor will bear responsibility for this?
  3. The agent sends the file to the vendor’s cloud, and the vendor then sends it to some third party for analysis. Are you sure the vendors you use don’t do this? How can you investigate this? What will your next actions be if you figure out that they do it without your permission?
  4. The agent sends the file to the vendor’s cloud, the vendor then sends it to some third party for analysis, and the third party opens access to this file for a wide range of people.
