Defender for Endpoint Full Scan Reporting


For the purpose of this blog, the organisation will be referred to as Contoso. When new devices are onboarded in Defender for Endpoint, one of Microsoft’s recommendations is to run a full scan initially. Subsequent scans will then be quick scans.

Executing a full scan can be challenging for various reasons, such as devices going to sleep or being turned off before the scan completes.

Microsoft Defender for Endpoint is a next-generation EDR solution that provides real-time protection against malicious behaviour on endpoint devices. No security vendor can claim that its product protects against every zero-day exploit. However, a next-generation EDR solution such as Defender for Endpoint does not need to know the file hash of a malicious file or attack process in order to detect it.

Mimikatz is one of the most notorious malware programs. However, the Mimikatz.exe file could simply be renamed, resulting in a new file hash.

Legacy EDR solutions typically depend on the file hashes of malicious files like Mimikatz.

Microsoft Defender for Endpoint guards against malicious behaviour and connects to the Microsoft Security Center, which quickly learns from trillions of daily transactions to detect new and emerging threats.

If an organisation's devices are managed by SCCM (Configuration Manager), the following WQL query can be run against all machines to establish the full scan status; it returns the devices whose LastFullScanAge is -1, i.e. those with no recorded full scan:

Select SMS_R_System.ResourceID from SMS_R_System
Where SMS_R_System.ResourceID in
(Select SMS_G_System_ANTIMALWAREHEALTHSTATUS.ResourceID from SMS_G_System_ANTIMALWAREHEALTHSTATUS Where SMS_G_System_ANTIMALWAREHEALTHSTATUS.LastFullScanAge = -1)

To query the full scan status on machines using the security.microsoft.com portal, the following Advanced Hunting KQL query can be used:

DeviceEvents
| where ActionType == "AntivirusScanCompleted"
// ScanTypeIndex in AdditionalFields records the scan type; keep only completed full scans,
// otherwise a later quick scan would hide the age of the last full scan
| extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
| where ScanType == "Full"
// latest completed full scan per device
| summarize arg_max(Timestamp, *) by DeviceId
| extend DaysAgo = datetime_diff('day', now(), Timestamp)
| project DeviceName, ActionType, ScanType, DaysAgo
| where DaysAgo > 0
// devices with no full-scan event in the retention window do not appear at all
| sort by DaysAgo desc
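The same full-scan check that the SCCM and KQL queries perform centrally can be run per device with the Defender PowerShell cmdlets (Get-MpComputerStatus, Start-MpScan), and a full scan started wherever none has completed recently. This is an added example, not code from the original post; it assumes Windows devices with the Defender module, WinRM for remote names, and that an empty FullScanEndTime means no full scan has ever completed, and the 30-day threshold is an assumed value rather than a Microsoft one.

```powershell
# Added example (not from the original post). Assumes the Defender PowerShell module,
# WinRM for remote devices, and an assumed 30-day staleness threshold.
function Get-FullScanReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$MaxAgeDays = 30)
    foreach ($name in $ComputerName) {
        # Local device directly; remote devices over a CIM (WinRM) session.
        $status = if ($name -eq $env:COMPUTERNAME) { Get-MpComputerStatus } else {
            Get-MpComputerStatus -CimSession (New-CimSession -ComputerName $name)
        }
        # No recorded FullScanEndTime (assumption): a full scan has never completed, the
        # same condition the SCCM query expresses as LastFullScanAge = -1.
        $never = -not $status.FullScanEndTime
        # Start time newer than the last end time: a full scan began but never finished
        # (still running, or cut short by sleep/shutdown as the post describes).
        $unfinished = (-not $never) -and ($status.FullScanStartTime -gt $status.FullScanEndTime)
        $ageDays = if ($never) { $null } else { [int]$status.FullScanAge }
        [pscustomobject]@{
            ComputerName    = $name
            NeverScanned    = $never
            FullScanAgeDays = $ageDays
            LastFullScanEnd = $status.FullScanEndTime
            ScanUnfinished  = $unfinished
            NeedsFullScan   = $never -or ($ageDays -gt $MaxAgeDays)
        }
    }
}

function Start-FullScanWhereNeeded {
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$MaxAgeDays = 30)
    foreach ($r in Get-FullScanReport -ComputerName $ComputerName -MaxAgeDays $MaxAgeDays) {
        # Do not stack a new full scan on top of one that is still running.
        $start = $r.NeedsFullScan -and -not $r.ScanUnfinished
        if ($start) {
            # -AsJob returns immediately; the device must still stay awake until the scan ends.
            $scanArgs = @{ ScanType = 'FullScan'; AsJob = $true }
            if ($r.ComputerName -ne $env:COMPUTERNAME) {
                $scanArgs.CimSession = New-CimSession -ComputerName $r.ComputerName
            }
            Start-MpScan @scanArgs | Out-Null
        }
        $r | Add-Member -NotePropertyName ScanStarted -NotePropertyValue $start -PassThru
    }
}

# Report for the local device; pass -ComputerName for a list of remote devices.
Get-FullScanReport | Format-List
```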
