defender-endpoint/review-detected-threats.md
20 additions & 12 deletions
@@ -12,7 +12,7 @@ ms.collection:
12
12
- tier2
13
13
- mde-edr
14
14
ms.topic: conceptual
15
-
ms.date: 05/29/2024
15
+
ms.date: 06/21/2024
16
16
ms.subservice: edr
17
17
search.appverid: met150
18
18
---
@@ -39,15 +39,15 @@ In the Microsoft Defender portal, you can view and manage threat detections usin
39
39
40
40
1. Visit [Microsoft XDR portal](https://security.microsoft.com/) and sign-in.
41
41
42
-
On the landing page, you'll see the **Devices with active malware** card with the following information:
42
+
On the landing page, you see the **Devices with active malware** card with the following information:
43
43
44
44
- Display text: Applies to Intune-managed devices. Devices with multiple malware detections may be counted more than once.
45
45
- Last updated date and time.
46
46
- A bar with the Active and Malware remediated portions as per your scan.
47
47
48
48
You can select **View Details** for more information.
49
49
50
-
2. Once remediated, you'll see the following text being displayed:
50
+
2. Once remediated, you see the following text being displayed:
51
51
52
52
*Malware found on your devices have been remediated successfully*.
53
53
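Review bot: while this pass is already rewording these lines to drop the contractions ("you'll see" to "you see"), two nearby context lines would benefit from the same attention: "Visit [Microsoft XDR portal](https://security.microsoft.com/) and sign-in." uses the noun form where the verb "sign in" is meant, and "*Malware found on your devices have been remediated successfully*" has a subject-verb mismatch ("Malware ... has been remediated"), unless that sentence is quoting the portal string verbatim, in which case it should be left as the product displays it.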
@@ -59,7 +59,7 @@ You can manage threat detections for any devices that are [enrolled in Microsoft
59
59
60
60
2. In the navigation pane, select **Endpoint security**.
61
61
62
-
3. Under **Manage**, select **Antivirus**. You'll see tabs for **Summary**, **Unhealthy endpoints**, and **Active malware**.
62
+
3. Under **Manage**, select **Antivirus**. You see tabs for **Summary**, **Unhealthy endpoints**, and **Active malware**.
63
63
64
64
4. Review the information on the available tabs, and then take action as necessary.
65
65
@@ -72,20 +72,23 @@ You can manage threat detections for any devices that are [enrolled in Microsoft
72
72
73
73
## FAQs
74
74
75
-
### In the Microsoft XDR portal > Devices with active malware > Devices with malware detections report, why does the Last update seem to be occurring today?
75
+
####In the Microsoft XDR portal > Devices with active malware > Devices with malware detections report, why does the Last update seem to be occurring today?
76
76
77
-
To see when the malware was detected, you can do the following:
77
+
To see when the malware was detected, you can take the following steps:
78
78
79
79
1. Since this is an integration with Intune, visit [**Intune portal**](https://intune.microsoft.com) and select **Antivirus** and then select **Active malware** tab.
80
+
80
81
2. Select **Export**.
81
-
3. On your device, go to Downloads, and extract the Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip.
82
+
83
+
3. On your device, go to Downloads, and extract the `Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip` file.
84
+
82
85
4. Open the CSV and find the **LastStateChangeDateTime** column to see when malware was detected.
83
86
84
-
### In the devices with malware detections report, why can't I see any information about which malware was detected on the device.
87
+
####In the devices with malware detections report, why can't I see any information about which malware was detected on the device.
85
88
86
-
To see the malware name, visit the [Intune portal](https://intune.microsoft.com) as this is an integration with Intune, select **Antivirus**, and select **Active malware** tab and you'll see a column named **Malware name**.
89
+
To see the malware name, visit the [Intune portal](https://intune.microsoft.com) as this is an integration with Intune, select **Antivirus**, and select **Active malware** tab and you see a column named **Malware name**.
87
90
88
-
### I see a different number for active malware in Devices with active malware report, when compared to numbers I see using Reports > Detected malware, and Intune > Antivirus > Active malware.
91
+
####I see a different number for active malware in Devices with active malware report, when compared to numbers I see using Reports > Detected malware, and Intune > Antivirus > Active malware.
89
92
90
93
The **Devices with active malware** report is based on the devices that were active within the last 1 day (24 hours) and had malware detections within the last 15 days.
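Review bot: the three renamed headings in this hunk (`####In the Microsoft XDR portal > Devices with active malware ...`, `####In the devices with malware detections report ...` and `####I see a different number for active malware ...`) have no space after the hashes. CommonMark requires at least one space between the `#` run and the heading text, so these lines will render as the literal text `####In ...` rather than as headings; change them to `#### In the ...` and so on. Also, the level change from `###` to `####` puts h4 headings directly under `## FAQs` with no h3 in between; if demoting them is intentional, an h3 grouping heading would keep the outline well-formed, otherwise `###` should stay.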
### I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?
112
+
####I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?
110
113
111
114
Use the Advanced Hunting query that is mentioned [here](#i-see-a-different-number-for-active-malware-in-devices-with-active-malware-report-when-compared-to-numbers-i-see-using-reports--detected-malware-and-intune--antivirus--active-malware) for details such as unique DeviceID, Title, AlertID, and the remediation process. After identifying, work with your IT admin's to make sure that the devices are uniquely named. If a device is retired, use [tags to decommission it.](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058)
112
115
113
-
### I see malware detection in Intune and on the Devices with active malware report, but I don't see it in the MDE Alerts queue or in the Incidents queue.
116
+
####I see malware detection in Intune and on the Devices with active malware report, but I don't see it in the MDE Alerts queue or in the Incidents queue.
114
117
115
118
It might be that the URL's [Cloud Protection](configure-network-connections-microsoft-defender-antivirus.md) is currently not being allowed through your firewall or proxy.
116
119
117
120
You need to ensure that when you run `%ProgramFiles%\Windows Defender\MpCmdRun.exe -ValidateMapsConnection` on your device, the reporting is Ok.
118
121
122
+
#### I see a device that has been inactive for 180+ days but still showing up on the report for 'Devices with active malware'. The device doesn't show in the "Device inventory", can't be turned on and can't be offboarded from Microsoft Defender for Endpoint.
123
+
124
+
125
+
The device has not been [retired](/mem/intune/remote-actions/devices-wipe) from Intune.
126
+
119
127
## Related articles
120
128
121
129
-[Alerts in Microsoft Defender for Endpoint](investigate-alerts.md)
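Review bot: the same missing space after `####` appears in the two renamed headings here (`####I searched the computer name ...` and `####I see malware detection in Intune ...`), while the newly added heading `#### I see a device that has been inactive for 180+ days ...` is spaced correctly, so the three are inconsistent within one hunk. This matters for the unchanged context line that links to `#i-see-a-different-number-for-active-malware-in-devices-with-active-malware-report-...`: that anchor is generated from the rendered heading, and a heading that does not render leaves nothing for the link to resolve to. Two smaller points in the same region: "work with your IT admin's" should be "IT admins", and the new answer "The device has not been [retired](/mem/intune/remote-actions/devices-wipe) from Intune." states the cause but not the action; phrasing it as "Retire the device in Intune ..." would tell the reader what to do.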