MT.1168 - Cleaned Malware should be retained for at least 30 days
Overview
Verify that cleaned malware is retained for at least 30 days to support forensic analysis and threat investigation.
A shorter retention period can hinder forensic analysis and threat investigation, because the quarantined samples are purged before analysts can examine them.
Remediation action:
- Open Microsoft Endpoint Manager > Endpoint Security > Antivirus
- Edit the relevant Microsoft Defender Antivirus policy
- Set Days to Retain Cleaned Malware to at least 30 days (recommended: 90 days)
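To confirm the setting actually reached a managed device, the local Defender preference can be checked on the endpoint. This is an added example, not code from the Maester project; it assumes the Intune "Days to retain cleaned malware" setting is surfaced on the device as the `QuarantinePurgeItemsAfterDelay` value reported by `Get-MpPreference`.

```powershell
# Added example (not part of Maester): check a Windows device's Defender
# quarantine retention against the 30-day minimum from MT.1168.
# Assumption: the Intune setting "Days to retain cleaned malware" is applied
# on the device as the QuarantinePurgeItemsAfterDelay preference.
function Test-CleanedMalwareRetention {
    param(
        [int]$MinimumDays     = 30,
        [int]$RecommendedDays = 90
    )

    $pref = Get-MpPreference
    $days = [int]$pref.QuarantinePurgeItemsAfterDelay

    # Per the Set-MpPreference documentation, a value of 0 means items stay in
    # quarantine indefinitely, which also satisfies the retention requirement.
    $compliant = ($days -eq 0) -or ($days -ge $MinimumDays)

    $advice = if ($compliant) {
        'No change needed'
    } else {
        "Set retention to at least $MinimumDays days (recommended: $RecommendedDays) in the Intune antivirus policy"
    }

    [pscustomobject]@{
        TestId         = 'MT.1168'
        ComputerName   = $env:COMPUTERNAME
        ConfiguredDays = $days
        KeepsForever   = ($days -eq 0)
        MinimumDays    = $MinimumDays
        Compliant      = $compliant
        Recommendation = $advice
    }
}

# Usage on the endpoint (run as an administrator):
Test-CleanedMalwareRetention | Format-List
```

A non-compliant result on a device that is in scope of the policy usually means the policy has not yet synced or a conflicting local or Group Policy setting is winning, so fix it in the Intune policy rather than with a one-off `Set-MpPreference` on the device.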
Related links
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1168 |
| Severity | High |
| Suite | Maester |
| Category | Defender |
| PowerShell test | Test-MtMdeRetainCleanedMalware |
| Tags | Defender, Maester, MT.1168 |
Source
- Pester test: tests/Maester/Defender/Test-MtMdeAntivirusPolicy.Tests.ps1
- PowerShell source: powershell/public/maester/defender/Test-MtMdeRetainCleanedMalware.ps1