Detection | medium | stable

Windows Defender Real-Time Protection Failure/Restart

Detects issues with Windows Defender Real-Time Protection features

Authors: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock
Created: Tue Mar 28
Updated: Fri May 05
Rule ID: dd80db93-6ec2-4f4c-a017-ad40da6ffe81
Product: windows
Log Source
Product: windows
Service: windefend
Detection Logic (2 selectors)
detection:
    selection:
        EventID:
            - 3002 # Real-Time Protection feature has encountered an error and failed
            - 3007 # Real-time Protection feature has restarted
    filter_optional_network_inspection:
        Feature_Name: '%%886' # Network Inspection System
        Reason:
            - '%%892' # The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the device.
            - '%%858' # Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
    condition: selection and not 1 of filter_optional_*
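The rule above reads: alert on event 3002 or 3007, unless the event concerns the Network Inspection System (%%886) with one of the two reasons the rule treats as benign (%%892, %%858). The following is an added example, not part of the rule page or the Sigma project, that implements that logic over constructed Defender events: a Sigma map is an AND of its fields, a list under a field is an OR, and the condition suppresses the alert when any `filter_optional_*` selector matches. The sample events and the `CONSTRUCTED-...` field values are made up for the demonstration; only the event IDs and `%%` resource ids are taken from the rule.

```python
# Added example: evaluates the Sigma detection block on the page over constructed events.
# Not the rule authors' code and not a Sigma backend; a hand-written evaluator for this rule's shape.

RULE_DETECTION = {
    "selection": {
        "EventID": [3002, 3007],  # values from the rule on the page
    },
    "filter_optional_network_inspection": {
        "Feature_Name": "%%886",        # Network Inspection System (from the rule)
        "Reason": ["%%892", "%%858"],   # reasons the rule tunes out (from the rule)
    },
}


def field_matches(expected, actual) -> bool:
    """A list of values is an OR; a scalar must match exactly (Sigma map semantics)."""
    if isinstance(expected, list):
        return actual in expected
    return actual == expected


def selector_matches(selector: dict, event: dict) -> bool:
    """Every field/value pair in a Sigma map must hold (AND)."""
    return all(field_matches(value, event.get(field)) for field, value in selector.items())


def rule_fires(event: dict, detection: dict = RULE_DETECTION) -> bool:
    """Condition from the rule: selection and not 1 of filter_optional_*"""
    if not selector_matches(detection["selection"], event):
        return False
    filters = [sel for name, sel in detection.items() if name.startswith("filter_optional_")]
    return not any(selector_matches(sel, event) for sel in filters)


# Constructed sample events. "CONSTRUCTED-..." strings are placeholders, not real Defender
# resource ids, and EventID 9999 is a constructed id that falls outside the selection.
SAMPLE_EVENTS = [
    {"EventID": 3002, "Feature_Name": "CONSTRUCTED-rtp-feature", "Reason": "CONSTRUCTED-reason"},
    {"EventID": 3007, "Feature_Name": "%%886", "Reason": "%%892"},            # tuned out by the filter
    {"EventID": 3002, "Feature_Name": "%%886", "Reason": "CONSTRUCTED-other"},  # NIS, but a different reason
    {"EventID": 9999, "Feature_Name": "%%886", "Reason": "%%858"},            # not a 3002/3007 event
]


def alerting_event_indexes(events=SAMPLE_EVENTS):
    """Return the positions of the events that would raise an alert under the rule."""
    return [i for i, event in enumerate(events) if rule_fires(event)]


if __name__ == "__main__":
    for i in alerting_event_indexes():
        print("ALERT", SAMPLE_EVENTS[i])
```

Running the block alerts on the first and third sample events: the first is a restart or failure of a feature other than NIS, and the third is an NIS event whose reason is not one of the two the rule filters. The second event is suppressed because both filter fields match, and the fourth never enters the selection. Note that the filter only suppresses when the `Reason` is one of the listed values, so an NIS failure with any other reason still alerts, which is the behaviour the False Positives section refers to when it says manual exceptions may be needed.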
False Positives

Crashes can occur occasionally, and the event does not provide enough information to tune out these cases. Manual exceptions are required.

References
Rule Metadata
Rule ID
dd80db93-6ec2-4f4c-a017-ad40da6ffe81
Status
stable
Level
medium
Type
Detection
Created
Tue Mar 28
Modified
Fri May 05
Path
rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
Raw Tags
attack.defense-evasion, attack.t1562.001