Microsoft Malware Protection Engine Patch – How to find and report all machines that need it

(don’t judge my photoshop skills….)


The Microsoft Malware Protection Engine conveniently comes built in to many Microsoft malware apps. The most common is the default Windows Defender app that ships with Windows 8 OSes and above. You know a vulnerability is serious when Google’s Project Zero team of security analysts finds it, Microsoft credits them for the find, then immediately releases an emergency Microsoft Malware Protection Engine patch. Though they disclosed it privately about a week ago, Microsoft released the security advisory on May 8th.


As per Microsoft:
“The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.”

The Malware Protection Engine Version with the patch is 1.1.13704.0.


Ok great, now what will us IT admins do about it?!


Well, Microsoft provides these instructions on how to find the version….manually….via the GUI of your chosen Microsoft antimalware software….on each machine……(lets not even get into the fact that Windows 10 is missing from the entire instruction set that was last reviewed on Oct 27, 2014…..)

Thanks Microsoft. Thanks.


Below we are going to show you how to use Goverlan to report against your entire Windows OS infrastructure and have it report back all machines and the version of their Microsoft Malware Protection Engine.

(Don’t have Goverlan installed? No problem, here’s a 30 trial of the entire app completely unrestricted throughout the duration of your trial.)

THANKFULLY, Windows writes the version of Microsoft Malware Protection Engine it currently has installed to the Windows Registry.

That magical registry key is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates

registry key for Microsoft Malware Protection Engine Version

As shown in the screenshot above, the specific Value is EngineVersion.

Since Goverlan can report against the entire Windows Registry, we will be using the Report > Registry Value action to accomplish this exciting task.


1.Create your new Process Automation and give it a Name and an optional Description, Category:

Goverlan Action - Microsoft Malware Protection Engine 1

2.Next, click add new (1) select your Scope of objects that you would like to report against (2) and name your Scope if you like(3). In this case we named the Scope, Entire Demo Domain.


Goverlan Action - Microsoft Malware Protection Engine 2

3.Next, we will be defining the Action. Click Add new(1), Add/Remove(2) > Report > Registry Value > Manage Accessible Key Paths(3).

Goverlan Action - Microsoft Malware Protection Engine 3


4.The Registry Key Paths Manager will open. Click the green plus sign(1) and paste the full registry key in the Key Path area(2), make sure to not check include child keys. Enter the Display name as DefenderEngine. (Note that the display name can be anything you like.)


Goverlan Action - Microsoft Malware Protection Engine 4



5.Now we are going to select the specific key and value we’d like to report on now that we’ve added it as an accessible path. Click Add/Remove(1) > Registry Value > DefenderEngine (2) > Data as a String (3).


Goverlan Action - Microsoft Malware Protection Engine 5



6.Now we will be configuring the Condition that will evaluate the machine to be included in your report. Select the bottom Add/Remove (1) > Registry Value > DefenderEngine (2) > Name (3).


Goverlan Action – Microsoft Malware Protection Engine 6


7.Finally, set the condition to = and the value to EngineVersion (1).


Goverlan Action - Microsoft Malware Protection Engine 7


That’s it!

After running your report, the results should look as follows, showing you every single Windows machine and their installed Microsoft Malware Protection Engine version:

Goverlan Action - Microsoft Malware Protection Engine 8



For more in depth information on what other cool things Goverlan can do without interrupting your users with a remote control session, check out our website or our Youtube page:






Leave a Reply