zabbix_export: version: '6.0' date: '2021-11-21T21:44:23Z' groups: - uuid: 7df96b18c230490a9a0a9e2307226338 name: Templates templates: - uuid: 23e0808d1d184a179c43364f165ea8a8 template: 'Windows Defender WMI' name: 'Windows Defender WMI' description: | ## Overview Template utilizes **MSFT\_MpComputerStatus** class in Windows WMI to collect information about Windows Defender, such as: * Antivirus Enabled/Disabled * RealTimeProtection Enabled/Disabled * BehaviorMonitor Enabled/Disabled * OnAccessProtection Enabled/Disabled * IoavProtection Enabled/Disabled * Antispyware Enabled/Disabled * RealTimeProtection Enabled/Disabled * NIS Enabled/Disabled * Age of last Full/Quick scans * Last Date of scans * Computer State * Age of Signatures All WMI information is gathered from official Microsoft documentation. Keep in mind, that his might not work with Older Windows versions. I checked the Min. Zabbix version 3.4, because some items have Regular expression pre-processing. However that could be removed, and template adapted to older Zabbix versions. ## Author Zabbix CookBook groups: - name: Templates items: - uuid: 53fd7bad68d44ff1910db50eda393e23 name: 'Anti Spyware Protection Enabled' key: 'wmi.get["root\microsoft\windows\defender","select AntispywareEnabled from MSFT_MpComputerStatus"]' delay: 1h trends: '0' value_type: CHAR tags: - tag: Application value: Features - uuid: efcfadefbf5c461f95ee191a614e9b67 name: 'AntiSpyware Signature age in days' key: 'wmi.get["root\microsoft\windows\defender","select AntispywareSignatureAge from MSFT_MpComputerStatus"]' delay: 3h units: days tags: - tag: Application value: 'Scan Ages' triggers: - uuid: 16379e121035499d98af0d0d08517240 expression: 'last(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select AntispywareSignatureAge from MSFT_MpComputerStatus"])>5' name: 'Anti Spyware Signature was not updated for more then 5 days on {HOST.HOST}' priority: HIGH - uuid: d382c8772b1e43eb9af93cadbfb8127c name: 'AntiSpyware Signature Last updated' key: 'wmi.get["root\microsoft\windows\defender","select AntispywareSignatureLastUpdated from MSFT_MpComputerStatus"]' delay: 3h trends: '0' value_type: TEXT preprocessing: - type: REGEX parameters: - '([0-9]+)' - \1 tags: - tag: Application value: 'Scan Ages' - uuid: 38698bdbd961412394c83bb8f207b63d name: 'Anti Virus Enabled' key: 'wmi.get["root\microsoft\windows\defender","select AntivirusEnabled from MSFT_MpComputerStatus"]' delay: 1h trends: '0' value_type: CHAR tags: - tag: Application value: Features triggers: - uuid: 92347c34e4d1498d8d8be1dc657f7574 expression: 'find(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select AntivirusEnabled from MSFT_MpComputerStatus"],,"like","True")<>1' name: 'Anti Virus Disabled on {HOST.HOST}' priority: WARNING - uuid: 7e41f4dc5a974310be1e74cbcdce6cf9 name: 'AntiVirus Signature Age' key: 'wmi.get["root\microsoft\windows\defender","select AntivirusSignatureAge from MSFT_MpComputerStatus"]' delay: 3h units: days tags: - tag: Application value: 'Scan Ages' triggers: - uuid: 62853eb231a3480faa3444f8267704fe expression: 'last(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select AntivirusSignatureAge from MSFT_MpComputerStatus"])>5' name: 'Anti Virus Signature was not updated for more then 5 days on {HOST.HOST}' priority: HIGH - uuid: 4918479357f845548a3ad4047c74ce09 name: 'AntiVirus Signature Last updated' key: 'wmi.get["root\microsoft\windows\defender","select AntivirusSignatureLastUpdated from MSFT_MpComputerStatus"]' delay: 3h trends: '0' value_type: TEXT preprocessing: - type: REGEX parameters: - '([0-9]+)' - \1 tags: - tag: Application value: 'Scan Ages' - uuid: a80b7d6e71c94d148e9b5f1e343d70d7 name: 'Behavior Monitor Enabled' key: 'wmi.get["root\microsoft\windows\defender","select BehaviorMonitorEnabled from MSFT_MpComputerStatus"]' delay: 1h trends: '0' value_type: CHAR tags: - tag: Application value: Features triggers: - uuid: c24ad2e784aa44409218741ae3b08c53 expression: 'find(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select BehaviorMonitorEnabled from MSFT_MpComputerStatus"],,"like","True")<>1' name: 'Behavior Monitor Disabled on {HOST.HOST}' priority: WARNING - uuid: bf90f423fc884f08a6e79474b93a5d5a name: 'Current computer state' key: 'wmi.get["root\microsoft\windows\defender","select ComputerState from MSFT_MpComputerStatus"]' delay: 10m tags: - tag: Application value: 'Computer State' triggers: - uuid: c6c671268da543babd21cc40cbe66557 expression: 'last(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select ComputerState from MSFT_MpComputerStatus"])=16' name: 'Windows Defender has failed critically on {HOST.HOST}' priority: HIGH - uuid: 7516fd762a1b42d48ecb53d92cfa2e8c name: 'Full Scan Age' key: 'wmi.get["root\microsoft\windows\defender","select FullScanAge from MSFT_MpComputerStatus"]' delay: 3h units: '!days' tags: - tag: Application value: 'Scan Ages' triggers: - uuid: 2c1e4b794e544575b17f253d839c0773 expression: 'last(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select FullScanAge from MSFT_MpComputerStatus"])>5' name: 'Full Scan was not performed for more then 5 days on {HOST.HOST}' priority: AVERAGE - uuid: 4b32896faae44bb5a2eb1a74b1c7f186 name: 'Ioav Protection Enabled' key: 'wmi.get["root\microsoft\windows\defender","select IoavProtectionEnabled from MSFT_MpComputerStatus"]' delay: 1h trends: '0' value_type: CHAR tags: - tag: Application value: Features triggers: - uuid: f198f5082d874a11a1de4153d79cd753 expression: 'find(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select IoavProtectionEnabled from MSFT_MpComputerStatus"],,"like","True")<>1' name: 'Ioav Protection Disabled on {HOST.HOST}' priority: WARNING - uuid: 91d7a7dc167e4272b381574331ee8504 name: 'NIS Protection Enabled' key: 'wmi.get["root\microsoft\windows\defender","select NISEnabled from MSFT_MpComputerStatus"]' delay: 1h trends: '0' value_type: CHAR tags: - tag: Application value: Features triggers: - uuid: e97d30c875a2492d80925ad435525ace expression: 'find(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select NISEnabled from MSFT_MpComputerStatus"],,"like","True")<>1' name: 'NIS Protection Disabled on {HOST.HOST}' priority: WARNING - uuid: 1d84d26c24514d5ebaaaeea01808f3fd name: 'NIIS Signature age in days' key: 'wmi.get["root\microsoft\windows\defender","select NISSignatureAge from MSFT_MpComputerStatus"]' delay: 3h units: days tags: - tag: Application value: 'Scan Ages' triggers: - uuid: 4c034af7515a46ea907a250f7caccce4 expression: 'last(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select NISSignatureAge from MSFT_MpComputerStatus"])>5' name: 'NIIS Signature was not updated for more then 5 days on {HOST.HOST}' priority: HIGH - uuid: b4efe6bc24034e919253f85309f57634 name: 'NIS Signature Last updated' key: 'wmi.get["root\microsoft\windows\defender","select NISSignatureLastUpdated from MSFT_MpComputerStatus"]' delay: 3h trends: '0' value_type: TEXT preprocessing: - type: REGEX parameters: - '([0-9]+)' - \1 tags: - tag: Application value: 'Scan Ages' - uuid: 6d4fb2634adb474e89ed790b2770ece8 name: 'OnAccess Protection Enabled' key: 'wmi.get["root\microsoft\windows\defender","select OnAccessProtectionEnabled from MSFT_MpComputerStatus"]' delay: 1h trends: '0' value_type: CHAR tags: - tag: Application value: Features triggers: - uuid: 8a02e4cc482944969a4ad407d7205fd7 expression: 'find(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select OnAccessProtectionEnabled from MSFT_MpComputerStatus"],,"like","True")<>1' name: 'OnAccess Protection Disabled on {HOST.HOST}' priority: WARNING - uuid: 09f2269b315440afb648de6627b54437 name: 'Quick Scan Age' key: 'wmi.get["root\microsoft\windows\defender","select QuickScanAge from MSFT_MpComputerStatus"]' delay: 3h units: days tags: - tag: Application value: 'Scan Ages' triggers: - uuid: 433973c35ca8472f804a3145c1c16944 expression: 'last(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select QuickScanAge from MSFT_MpComputerStatus"])>3' name: 'Quick Scan was not performed for more then 3 days on {HOST.HOST}' priority: AVERAGE - uuid: 96561d14da614311b2bd3746f90eda0a name: 'Real Time Protection Enabled' key: 'wmi.get["root\microsoft\windows\defender","select RealTimeProtectionEnabled from MSFT_MpComputerStatus"]' delay: 1h trends: '0' value_type: CHAR tags: - tag: Application value: Features triggers: - uuid: fd190b37d41c4b3f938aa58eb9d1b827 expression: 'find(/Windows Defender WMI/wmi.get["root\microsoft\windows\defender","select RealTimeProtectionEnabled from MSFT_MpComputerStatus"],,"like","True")<>1' name: 'Real Time Protection Disabled on {HOST.HOST}' priority: WARNING