Windows Defender
What Is MPLog?
The Microsoft Protection Log (MPLog) is a plain-text log written by Windows Defender (and earlier by Microsoft Security Essentials) for troubleshooting. Because it records scans, detections and the files they touched, it is also a useful forensic artifact.
Forensic Value:
Process execution
Threats detected
Scan results and actions taken
Signature update versions
File existence
File Location:
MPLogs
C:\ProgramData\Microsoft\Windows Defender\Support
Defender Registry:
HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
EVTX Defender Logs:
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender/WHC
Parse Data:
Considerations:
Example:
MPLogs:
Find detections and scanning information, including the SHA1 of scanned and detected files.
MPDetection Log:
Find Defender detections.
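The two items above (MPLog scanning/detection lines and the MPDetection log) are both text, so a small parser that pulls out detection records and pairs each file path with the SHA1 logged on the same line covers both. This is an added example, not code from the original page or from Microsoft; the sample lines are constructed approximations of the log format (an assumption), so the regexes should be checked against real files from the Support folder before being relied on.

```python
"""Pull detections and file hashes out of Defender MPLog / MPDetection text.

Added example; not code from the original page or from Microsoft. The sample
lines are constructed approximations of the log format (an assumption): check
the regexes against real files under
C:\\ProgramData\\Microsoft\\Windows Defender\\Support before relying on them.
"""
import re
from typing import Dict, List

# Constructed sample: one detection of a file, a line carrying its SHA1,
# and unrelated engine/scan noise that the parser should ignore.
SAMPLE_MPLOG = (
    "2024-03-01T09:12:44.101Z Engine:1.1.24010.10 AS:1.405.123.0\n"
    "2024-03-01T09:13:02.552Z DETECTION Trojan:Win32/Sample.A!ml "
    "file:C:\\Users\\alice\\Downloads\\invoice.exe\n"
    "2024-03-01T09:13:02.560Z [RTP] Sha1:3ca3e9a44cf1d7b0a1b9e4c6d5f7a8b9c0d1e2f3 "
    "C:\\Users\\alice\\Downloads\\invoice.exe\n"
    "2024-03-01T09:13:03.001Z DETECTION_ADD Trojan:Win32/Sample.A!ml "
    "file:C:\\Users\\alice\\Downloads\\invoice.exe\n"
    "2024-03-01T09:13:05.777Z Scan completed; 4123 files scanned\n"
)

TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)"
DETECTION_RE = re.compile(
    TS + r"\s+(?P<kind>DETECTION(?:_ADD)?)\s+(?P<threat>\S+)\s+file:(?P<path>.+?)\s*$"
)
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
WINPATH_RE = re.compile(r"[A-Za-z]:\\\S+")


def parse_detections(text: str) -> List[Dict[str, str]]:
    """Return one record (ts, kind, threat, path) per DETECTION line, in file order."""
    out = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def file_hashes(text: str) -> Dict[str, str]:
    """Map each Windows path to the SHA1 that appears on the same log line.

    The hash survives in the log even after the file itself has been
    quarantined or deleted, which is what makes it useful forensically.
    """
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        sha = SHA1_RE.search(line)
        path = WINPATH_RE.search(line)
        if sha and path:
            hashes[path.group(0)] = sha.group(0).lower()
    return hashes


def detection_timeline(text: str) -> List[str]:
    """Readable timeline rows: timestamp, kind, threat, path and SHA1 if known."""
    hashes = file_hashes(text)
    rows = []
    for d in parse_detections(text):
        sha = hashes.get(d["path"], "sha1 unknown")
        rows.append(f'{d["ts"]} {d["kind"]} {d["threat"]} {d["path"]} ({sha})')
    return rows


if __name__ == "__main__":
    for row in detection_timeline(SAMPLE_MPLOG):
        print(row)
```

Run it against the concatenated MPLog and MPDetection files from the Support folder; the timeline rows give timestamps, threat names and hashes you can pivot on even when the detected file no longer exists on disk.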
Defender Registry:
Check the Exclusions\Paths key for excluded paths, and the Policies key for settings that disable Defender.
EVTX Defender Logs:
The Operational channel records Defender detections and configuration changes:
ID 1116 - Malware detected.
ID 1117 - Action taken against malware.
ID 5007 - Configuration has changed (exclusion added, Defender disabled, etc.).
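The event IDs above are what an analyst filters the Operational channel on, and the 5007 message body is what tells you whether the change was an exclusion or a setting that disables Defender. The following triage script is an added example, not code from the original page; it assumes the channel was exported as JSON with Id, TimeCreated and Message fields (what Get-WinEvent piped to ConvertTo-Json produces), and the records it contains are constructed, with message text that only approximates the real wording.

```python
"""Triage exported Defender Operational events by ID (1116 / 1117 / 5007).

Added example; not code from the original page. It assumes the events were
exported as JSON with Id, TimeCreated and Message fields. The records below
are constructed and their message text only approximates the real events.
"""
import json
import re
from typing import Dict, List

# Constructed sample export: an exclusion being added, a detection, the
# action taken, Defender being disabled by policy, and one unrelated
# healthy-state event (1150) that triage should ignore.
SAMPLE_EVENTS_JSON = json.dumps([
    {"Id": 5007, "TimeCreated": "2024-03-01T09:10:00Z",
     "Message": "Microsoft Defender Antivirus Configuration has changed.\r\n"
                "\tOld value: \r\n"
                "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
                "Exclusions\\Paths\\C:\\Tools = 0x0"},
    {"Id": 1116, "TimeCreated": "2024-03-01T09:13:02Z",
     "Message": "Microsoft Defender Antivirus has detected malware or other "
                "potentially unwanted software.\r\n\tName: Trojan:Win32/Sample.A!ml"
                "\r\n\tPath: file:_C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"Id": 1117, "TimeCreated": "2024-03-01T09:13:03Z",
     "Message": "Microsoft Defender Antivirus has taken action to protect this "
                "machine.\r\n\tName: Trojan:Win32/Sample.A!ml\r\n\tAction: Quarantine"},
    {"Id": 5007, "TimeCreated": "2024-03-01T09:20:00Z",
     "Message": "Microsoft Defender Antivirus Configuration has changed.\r\n"
                "\tOld value: \r\n"
                "\tNew value: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"
                "DisableAntiSpyware = 0x1"},
    {"Id": 1150, "TimeCreated": "2024-03-01T09:25:00Z",
     "Message": "Endpoint Protection client is up and running in a healthy state."},
])

NEW_VALUE_RE = re.compile(r"New value:\s*(?P<value>.+)")
NAME_RE = re.compile(r"Name:\s*(?P<name>\S+)")


def load_events(json_text: str) -> List[Dict]:
    """Parse the exported JSON array of event records."""
    return json.loads(json_text)


def classify_config_change(message: str) -> str:
    """Bucket a 5007 message by what its 'New value' registry path touches."""
    m = NEW_VALUE_RE.search(message)
    value = m.group("value") if m else ""
    if "\\Exclusions\\" in value:
        return "exclusion"
    if "\\Disable" in value:   # e.g. DisableAntiSpyware under the Policies key
        return "disable"
    return "other"


def triage(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Split events into detections (1116), actions (1117) and config changes (5007)."""
    result: Dict[str, List[Dict]] = {"detections": [], "actions": [], "config_changes": []}
    for ev in events:
        msg = ev.get("Message", "")
        when = ev.get("TimeCreated", "")
        name = NAME_RE.search(msg)
        threat = name.group("name") if name else ""
        if ev.get("Id") == 1116:
            result["detections"].append({"time": when, "threat": threat})
        elif ev.get("Id") == 1117:
            result["actions"].append({"time": when, "threat": threat})
        elif ev.get("Id") == 5007:
            v = NEW_VALUE_RE.search(msg)
            result["config_changes"].append({
                "time": when,
                "category": classify_config_change(msg),
                "new_value": v.group("value").strip() if v else "",
            })
    return result


if __name__ == "__main__":
    for bucket, rows in triage(load_events(SAMPLE_EVENTS_JSON)).items():
        print(bucket)
        for row in rows:
            print("  ", row)
```

The config_changes bucket is usually the first one to read: an exclusion added shortly before a detection, or a disable setting appearing in the timeline, is exactly the sequence the 5007 event exists to surface.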
Analysis Tips:
Anti-Forensics:
Wipe log files and registry locations. A missing or truncated MPLog, or a gap in the Operational channel, is itself worth noting.