LoFP / auto updates of windows defender causes restarts

Techniques

Sample rules

Windows Defender Threat Detection Disabled - Service

Description

Detects that the "Windows Defender Threat Protection" service has been disabled (a Service Control Manager event 7036 reporting the Defender antivirus service as stopped)

Detection logic

condition: selection
selection:
  EventID: 7036
  Provider_Name: Service Control Manager
  param1:
  - Windows Defender Antivirus Service
  - Service antivirus Microsoft Defender
  param2:
  - stopped
  - "arrêté"
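The selection above fires on every "stopped" 7036 event for the Defender service, which is exactly what a Defender platform update produces when it restarts the service. The following is an added example (not code from the LoFP page or the Sigma project) that evaluates the rule's selection against constructed System-log events and separates a stop that is followed by a restart from a stop that is not. The two-minute restart window, the `running` state string and the field names (`TimeCreated`, `EventID`, `Provider_Name`, `param1`, `param2`) are assumptions for the example; the service names and stop states are copied from the rule.

```python
from datetime import datetime, timedelta

# Values taken from the rule's selection block.
SERVICE_NAMES = {
    "windows defender antivirus service",
    "service antivirus microsoft defender",
}
STOP_STATES = {"stopped", "arrêté"}

# Assumption: only the English "running" state is recognised here. Hosts with
# a localised System log need their own "running" string added.
RUNNING_STATES = {"running"}


def matches_selection(event: dict) -> bool:
    """Mirror the Sigma selection; Sigma string matches are case-insensitive."""
    return (
        event.get("EventID") == 7036
        and str(event.get("Provider_Name", "")).lower() == "service control manager"
        and str(event.get("param1", "")).lower() in SERVICE_NAMES
        and str(event.get("param2", "")).lower() in STOP_STATES
    )


def triage(events, restart_window=timedelta(minutes=2)):
    """Split rule hits into (alerts, suppressed).

    A stop that is followed by a 'running' 7036 for the same service within
    restart_window is treated as the update restart this page documents and is
    suppressed; a stop with no restart stays an alert.
    """
    alerts, suppressed = [], []
    ordered = sorted(events, key=lambda e: e["TimeCreated"])
    for i, ev in enumerate(ordered):
        if not matches_selection(ev):
            continue
        deadline = ev["TimeCreated"] + restart_window
        restarted = any(
            later.get("EventID") == 7036
            and str(later.get("param1", "")).lower() == ev["param1"].lower()
            and str(later.get("param2", "")).lower() in RUNNING_STATES
            and ev["TimeCreated"] < later["TimeCreated"] <= deadline
            for later in ordered[i + 1:]
        )
        (suppressed if restarted else alerts).append(ev)
    return alerts, suppressed


# Constructed System-log events for the example (not real telemetry).
T0 = datetime(2024, 1, 15, 3, 0, 0)
SCM = "Service Control Manager"
SAMPLE_EVENTS = [
    # Defender update: service stops and comes back 20 seconds later.
    {"TimeCreated": T0, "EventID": 7036, "Provider_Name": SCM,
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"TimeCreated": T0 + timedelta(seconds=20), "EventID": 7036, "Provider_Name": SCM,
     "param1": "Windows Defender Antivirus Service", "param2": "running"},
    # Unrelated service stop: must not match the selection at all.
    {"TimeCreated": T0 + timedelta(seconds=25), "EventID": 7036, "Provider_Name": SCM,
     "param1": "Print Spooler", "param2": "stopped"},
    # French-localised Defender stop with no restart afterwards.
    {"TimeCreated": T0 + timedelta(hours=5), "EventID": 7036, "Provider_Name": SCM,
     "param1": "Service antivirus Microsoft Defender", "param2": "arrêté"},
]


def run_sample():
    """Triage the constructed events; returns (alerts, suppressed)."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    for ev in alerts:
        print("ALERT     ", ev["TimeCreated"], ev["param1"], ev["param2"])
    for ev in suppressed:
        print("suppressed", ev["TimeCreated"], ev["param1"], "(restart within window)")
```

The restart window is the tuning knob: too short and slow update restarts still alert, too long and a real stop followed much later by a manual start is hidden. Pairing the stop with the following start is only a heuristic for the update case; a stop that is never followed by a start is still the condition the rule is meant to catch.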