Introduction
Antivirus that's installed but disabled is worse than no antivirus, because everyone assumes the device is covered. The Antivirus monitor catches that gap. It watches each device's protection status and alerts within about a minute of antivirus being disabled, definitions going stale, or real-time protection getting turned off.
There's nothing to configure. Add it to a policy and it starts watching.
Antivirus Monitor
The Antivirus monitor reads the device's Windows Security Center status. It's not tied to any specific product: it reports Security Center's health assessment of whatever antivirus is registered, whether that's Microsoft Defender or a third-party product (SentinelOne, Bitdefender, Webroot, and others). What you see in the alert mirrors what you'd see in the Windows Security app on the device.
Security Center reports one of five states. The monitor alerts on anything that isn't Good:
| State | Alerts? | Meaning |
|---|---|---|
| Good | No | Antivirus is present, enabled, and up to date |
| Poor | Yes | Antivirus is registered but unhealthy (disabled, or definitions out of date) |
| Not Monitored | Yes | Security Center isn't monitoring the antivirus |
| Snoozed | Yes | Antivirus alerts are snoozed in Windows Security |
| Unknown | Yes | No antivirus is registered with Security Center, or the status couldn't be determined |
The alert payload reads Antivirus status: <state>, so the alert itself tells you which state triggered it.
🖥️ PLATFORM NOTE:
Windows: Workstations only (Windows 10/11). Security Center doesn't exist on Windows Server, so the monitor can't evaluate servers. It won't throw a false "no antivirus" alert on a server; it simply won't report a status.
macOS: Not supported.
Linux: Not supported.
ℹ️ NOTE: The monitor reflects whatever antivirus is registered with Security Center. If a third-party product runs without registering (some enterprise EDR agents do this), the status reads Unknown and the monitor alerts, even though that AV is technically running. Either register the product with Security Center or exclude those devices from the policy.
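As an added illustration (not the agent's own code), this PowerShell reproduces the check on a workstation by asking Security Center for its health assessment through WscGetSecurityProviderHealth and mapping the answer onto the states in the table above. That those state names line up with the WSC_SECURITY_PROVIDER_HEALTH values in wscapi.h, and the exit-code convention at the end, are assumptions of the example.

```powershell
# Added example, not the monitor's own code. Assumes the table's states follow the
# WSC_SECURITY_PROVIDER_HEALTH values wscapi.h defines: GOOD=0, NOTMONITORED=1,
# POOR=2, SNOOZE=3. Anything the call can't report becomes Unknown.
if (-not ('AvMonitorExample.Wsc' -as [type])) {
    Add-Type -Namespace 'AvMonitorExample' -Name 'Wsc' -MemberDefinition @'
[DllImport("wscapi.dll")]
public static extern int WscGetSecurityProviderHealth(uint providers, out int health);
'@
}

function Get-AntivirusState {
    # Mirror the monitor's platform rule: Security Center only exists on workstations
    # (Win32_OperatingSystem.ProductType 1); on Server there is simply no status.
    if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1) { return $null }

    $WSC_SECURITY_PROVIDER_ANTIVIRUS = 4      # provider flag from wscapi.h
    $healthNames = @{ 0 = 'Good'; 1 = 'Not Monitored'; 2 = 'Poor'; 3 = 'Snoozed' }
    $health = -1
    try {
        $hr = [AvMonitorExample.Wsc]::WscGetSecurityProviderHealth($WSC_SECURITY_PROVIDER_ANTIVIRUS, [ref]$health)
    } catch {
        return 'Unknown'                      # DLL or service unavailable: undeterminable
    }
    if ($hr -ne 0 -or -not $healthNames.ContainsKey($health)) { return 'Unknown' }
    return $healthNames[$health]
}

$state = Get-AntivirusState
if ($null -eq $state) {
    'Not a workstation: Security Center unavailable, no status reported'
    exit 0
}

# Which product Security Center has registered, for context next to the state.
# An EDR that runs without registering does not appear here at all.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty displayName

"Antivirus status: $state"                    # same wording as the alert payload
if ($registered) { "Registered with Security Center: $($registered -join ', ')" }
else             { 'Registered with Security Center: none' }

# Non-zero exit on anything that isn't Good, the same rule the monitor alerts on
if ($state -eq 'Good') { exit 0 } else { exit 1 }
```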
Configuring Antivirus Monitor
Open the monitor policy you want to add this to, then click + Add new monitor (or open an existing Antivirus monitor to edit it). The Edit monitor panel opens on the right.
Name and Type
Enter a name in the Name field. Be specific. "Workstations - AV Health" reads better in an alert list than "Antivirus Monitor."
Set Type to Antivirus. The dropdown labels it Windows only.
Severity
Set Severity to match how your team should respond:
Information — low priority, FYI-level
Warning — worth attention but not urgent
Critical — requires prompt response
Emergency — drop everything
💡 TIP: Critical is a sensible default here. A device without working antivirus is an active exposure, not a maintenance item.
Detection Conditions
There's no threshold, breach duration, or condition to set. The agent checks Security Center status about once a minute and creates an alert on the first reading that isn't Good (see the state table above).
ℹ️ NOTE: Security Center's own status can lag reality slightly. If antivirus is turned off or definitions go stale, it may take a moment before Security Center reflects it and the monitor picks it up.
Auto-Resolve
Auto-resolve alert when conditions clear closes the alert automatically once Security Center reports Good again, for example after definitions update or real-time protection is re-enabled.
Leave it on unless you want every AV lapse to stay open for manual review.
Remediation
Attach one or more automations to run when this monitor fires. A common pattern: reinstall or repair the AV agent, force a definition update, or re-enable real-time protection via script.
Click in the Remediation field and select an automation.
To add more, click + Add another remediation.
To remove one, click the × next to it.
Once attached, open the automation from the link icon to assign the monitor's payload to an automation variable if you want to pass alert context into the automation's logic.
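An added example of such a remediation script, not the product's own automation, assuming Microsoft Defender is the registered antivirus and that the automation runs elevated: it re-enables real-time protection, pulls definitions, then re-reads Defender's status so a device that is still unhealthy exits non-zero. The three-day signature age cut-off is an assumed value.

```powershell
# Added example of a fix-then-verify remediation for Microsoft Defender; not the
# product's own code. Assumes an elevated context and Defender as the registered AV.
$MaxSignatureAgeDays = 3   # assumed cut-off for "definitions stale"

function Get-DefenderHealth {
    # Get-MpComputerStatus fails outright if the Defender service itself is down
    try { $s = Get-MpComputerStatus -ErrorAction Stop }
    catch { return [pscustomobject]@{ Service = $false; RealTime = $false; SigAgeDays = $null; Healthy = $false } }
    [pscustomobject]@{
        Service    = [bool]$s.AMServiceEnabled
        RealTime   = [bool]$s.RealTimeProtectionEnabled
        SigAgeDays = [int]$s.AntivirusSignatureAge
        Healthy    = ([bool]$s.AMServiceEnabled) -and ([bool]$s.RealTimeProtectionEnabled) -and
                     ([int]$s.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }
}

function Repair-Defender {
    $before = Get-DefenderHealth
    "Before: service=$($before.Service) realtime=$($before.RealTime) sigAge=$($before.SigAgeDays)d"

    if (-not $before.Service) {
        # The service has to be up before any Mp* cmdlet can change anything
        Start-Service -Name WinDefend -ErrorAction SilentlyContinue
    }
    if (-not $before.RealTime) {
        # Tamper Protection can refuse this from a script; the re-check below shows whether it took
        Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
    }
    if ($null -eq $before.SigAgeDays -or $before.SigAgeDays -gt $MaxSignatureAgeDays) {
        Update-MpSignature -ErrorAction SilentlyContinue
    }

    Start-Sleep -Seconds 15   # give Defender time to apply the changes and refresh its status
    $after = Get-DefenderHealth
    "After:  service=$($after.Service) realtime=$($after.RealTime) sigAge=$($after.SigAgeDays)d"
    return $after.Healthy
}

# Exit code drives the automation's success/failure; auto-resolve still waits on Security Center
if (Repair-Defender) { exit 0 } else { exit 1 }
```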
💡 TIP: If a device legitimately shouldn't run your standard AV (a lab machine, an isolated test box), exclude it from the policy's target tags rather than ignoring repeat alerts.
Notifications
Under Notify recipients, two checkboxes control whether the policy's recipients get emailed:
On alert creation — recipients get an email when the alert fires
On alert resolution — recipients get an email when the alert resolves
Recipients are managed at the monitor policy level, in the Recipients section.
FAQ
Who can create and edit monitors? Technicians with access to the relevant monitor policy. Permission settings are managed in Workspace → Permissions.
Will this work with my third-party antivirus, or just Defender? It works with any antivirus that registers with Windows Security Center, which includes most commercial products. It's reading Security Center's health assessment, not checking for a specific product.
Why isn't this monitor firing on my Windows Server? Security Center doesn't exist on Windows Server, so the monitor can't evaluate it. It only applies to Windows workstations. It also won't generate false alerts on servers.
Can I monitor antivirus on macOS or Linux? Not with this monitor. For other platforms, use a Run Script monitor that checks your AV agent's status directly.
What exactly triggers the alert? Any Security Center state other than Good: Poor (disabled or stale definitions), Not Monitored, Snoozed, or Unknown. The alert payload tells you which one.
My EDR is running but the monitor says "Antivirus status: Unknown." Why? The product isn't registered with Security Center, so Windows can't vouch for it. Check whether your EDR has a Security Center registration option, or exclude those devices from the policy if you're confident in your coverage.
The alert fired but the AV looks fine on the device. What gives? Security Center status can lag briefly after an AV product updates or restarts. If the alert doesn't auto-resolve within a few minutes, open Windows Security → Virus & threat protection on the device to see what Security Center is actually reporting.


