Configure Run Antivirus Scan capability in Microsoft Defender for Endpoint

  • Release version: Xanadu
  • Updated August 1, 2024
  • 1 minute to read

    • Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. Run the scan as part of the investigation or response process.

    Before you begin

    Role required: sn_si.admin or sn_si.analyst

    Table 1. Requirements for Run Antivirus Scan capability
    Input Description
    Scan Type (Required) Type of the Scan (Full or Quick).
    Comment (Required) Comment to associate with the action.

    Procedure

    1. Navigate to Security Incidents > Show All Incidents.
    2. Select the security incident that you want to review with the Microsoft Defender for Endpoint information.
      1. In the related links section, click Run Additional Actions on Endpoint.
      2. Browse and select the required capability.
        For example, click Run Antivirus Scan capability.
      Figure 1. Run Antivirus Scan
      Run Antivirus scan capability implementation
      Alternatively, you can perform the following steps:
      1. In the related lists section, click Show All Related Lists.
      2. Click the Configuration Item related list.
      3. Select the added configuration items, and from the Actions on selected rows, select Run Additional Actions on Endpoint.
      After you select the Run Antivirus Scan capability implementation, the Additional Scan Type and Comment input fields are displayed.
    3. Select the Scan type that you want to run (Quick or Full), and add a comment before executing the scan.
    4. To initiate the antivirus scan, click Run Additional Action.
    5. View the automation activities of the execution, and validate them.
    6. Validate the status of the action on the Additional Actions on Endpoint related lists.