The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

List all inactive security products

Description: Threat actors disable AV to evade detection. The proposed query probes the state of registered Windows security products. T1562.001 is the sub-technique for this detection.

What The Data Shows:  Inactive security products on a host is shown.

SQL: SELECT * FROM windows_security_products WHERE state = 'Off';


Tags (1)
1 Comment
Carbon Black Employee
Status changed to: Approved