Windows Defender Grace Period Expired
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
Sigma rule
```yaml
title: Windows Defender Grace Period Expired
id: 360a1340-398a-46b6-8d06-99b905dc69d2
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: |
    Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5101 # The antimalware platform is expired.
    condition: selection
falsepositives:
    - Unknown
level: high
```
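The rule's detection block applied to constructed Windows Defender event records, as an added example (not code from SigmaHQ or from this page). It assumes the standard Sigma backend mapping of the `windefend` service to the Defender operational channel; every event below is made up to show that only a 5101 from that channel fires the rule.

```python
# Added example, not part of the SigmaHQ rule: a minimal evaluator for the
# logsource + detection sections of this rule over constructed event records.

# Transcribed from the rule's YAML above.
RULE = {
    "logsource": {"product": "windows", "service": "windefend"},
    "detection": {
        "selection": {"EventID": 5101},
        "condition": "selection",
    },
}

# Assumption: the usual Sigma mapping of service 'windefend' to its channel.
SERVICE_TO_CHANNEL = {
    "windefend": "Microsoft-Windows-Windows Defender/Operational",
}


def logsource_matches(rule, event):
    """Scope the rule to the channel its logsource resolves to."""
    channel = SERVICE_TO_CHANNEL.get(rule["logsource"].get("service"))
    return channel is None or event.get("Channel") == channel


def selection_matches(selection, event):
    """Sigma map semantics: every field must match (AND); a list value is OR."""
    for field, wanted in selection.items():
        values = wanted if isinstance(wanted, list) else [wanted]
        if event.get(field) not in values:
            return False
    return True


def evaluate(rule, event):
    """Supports only the condition form this rule uses: one named selection."""
    cond = rule["detection"]["condition"].strip()
    if cond not in rule["detection"]:
        raise ValueError(f"unsupported condition: {cond}")
    return logsource_matches(rule, event) and selection_matches(rule["detection"][cond], event)


def find_alerts(rule, events):
    return [e for e in events if evaluate(rule, e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5101,
     "Computer": "ws01.example.local", "Message": "The antimalware platform is expired."},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001,
     "Computer": "ws01.example.local", "Message": "Real-time protection is disabled."},
    {"Channel": "Security", "EventID": 5101, "Computer": "ws02.example.local",
     "Message": "constructed event that shares the numeric ID but not the channel"},
]

if __name__ == "__main__":
    for e in find_alerts(RULE, SAMPLE_EVENTS):
        print(f"ALERT {e['Computer']}: EventID {e['EventID']} - {e['Message']}")
```

The same channel scoping is what a Sigma backend emits for `service: windefend`; without it a bare `EventID: 5101` match would also fire on unrelated logs that reuse the number.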