How to Detect and Quarantine Malware via RMM Integrations

Deployment of malware detection and containment is one of the best ways to protect endpoints. Moreover, integrating these strategies into Remote Monitoring and Management (RMM) platforms allows Managed Service Providers (MSPs) to optimize tasks by automating responses for reduced reaction time. RMM integrations also increase visibility across all client endpoints, minimizing the attack surface.

This is why it’s essential to understand how to configure RMM integrations to help detect and quarantine malware. With proper integration, MSPs can identify threats and automatically isolate infected machines, escalate alerts, and maintain compliance through logging and reporting. In this guide, we will walk you through the strategies for integrating RMM into your system via PowerShell, CMD, registry monitoring, Group Policy Objects (GPO), and event logs to combat malware attacks. This should help MSPs identify threats.

At a glance

Prerequisites for RMM-based malware response

Before proceeding with RMM-based malware response configuration, make sure your environment meets the following requirements:

• An RMM platform with scripting, alerting, and automation capabilities (e.g., NinjaOne)
• Active antivirus software on endpoints, such as Microsoft Defender or third-party tools like SentinelOne or Bitdefender
• PowerShell 5.1+ or CMD access for scripting AV commands
• Access to antivirus scan logs or Windows Security Event Logs for threat monitoring
• Optional GPO configurations to enforce antivirus settings and enable real-time protection

Task 1: Using PowerShell to detect and quarantine malware

📌 Use Case:

PowerShell enables IT admins to run scripts via RMM to scan for threats, log detection events, and take action. It is functionally integrated with Microsoft Defender, enabling both manual and automated threat management.

Below are recommended tasks that you can do with PowerShell to proactively prevent or respond to malware threats through RMM.

1. Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
2. Run the following commands:

• • To start a quick scan:

Start-MpScan -ScanType QuickScan

• • To review detected threats:

Get-MpThreatDetection | Format-List

• • To quarantine threats:

Remove-MpThreat -ThreatID <ID> -Quarantine

• • To ensure real-time protection is enabled:

Set-MpPreference -DisableRealtimeMonitoring $false

💡RMM role: RMM is an effective tool that help system administrators schedule daily scans, log threats, and automatically quarantine infections across endpoints.

Task 2: Using CMD for antivirus scanning and quarantine

📌 Use Case:

Older devices can benefit from command-line scanning via MpCmdRun.exe. This task is also useful when PowerShell access is limited and the system requires simplified script execution through RMM batch files.

Below are recommended tasks using Microsoft Defender’s command-line tool (MpCmdRun.exe) that you can run with Command Prompt to proactively prevent or respond to malware threats through RMM.

1. Press Windows key + X, then select Command Prompt (Admin) or Windows Terminal (Admin). If using Windows Terminal, ensure you’re in a Command Prompt tab, not PowerShell.
2. Run the following commands:

• • To run a quick scan:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

• • To run a full scan:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2

• • To view quarantined threat history:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -GetFiles

💡 RMM role: Use RMM automation to deploy CMD scripts for scheduled or conditional scanning, especially on devices with limited scripting environments.

Task 3: Monitoring event logs for malware activity

📌 Use Case:

IT admins can leverage the ability of Microsoft Defender logs ability to keep records of all major system actions. They can use this as a source for monitoring threat activity.

1. Open Event Viewer by pressing the Windows key + R, typing eventvwr.msc, and pressing Enter.

2. Navigate to:
Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

3. Look for the relevant Event IDs:

• • 1116: Malware detected
  • 1117: Action taken
  • 2001: Threat removed
  • 5001: Real-time protection disabled
  • 5007: Registry modified (possibly by malware)
  • 5010: Malware scanning disabled
  • 5012: Virus scanning disabled
  • 5013: Tamper protection blocked an attempt to modify Microsoft Defender Antivirus settings

4. You can then use PowerShell to monitor these logs by running the following command:

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object {$_.Id -eq 1116}

💡 RMM role: RMM policies can be configured to watch for these events and trigger automatic remediation. These actions may include quarantining the endpoint or generating a support ticket.

Task 4: Using registry indicators, DisableAntiSpyware and DisableAntiVirus, for isolation and hardening

📌 Use Case:

IT admins can use registry settings for quick system hardening. Registry indicators also provide insight into the state of antivirus protection and help identify endpoints that need to be isolated.

Note: Microsoft has deprecated the DisableAntiSpyware and DisableAntiVirus registry settings in newer versions of Windows 10 (starting with version 1903) and in Microsoft Defender platform version 4.18.2108.4 and later. Since Microsoft Defender now automatically disables itself when it detects a properly installed third-party antivirus product, these registry keys are no longer necessary. This change does not affect RMM integrations or non-Microsoft antivirus connections within the Windows Security app

1. Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
2. Run the following commands:

• • To check if Defender is disabled:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiSpyware","DisableAntiVirus"

• • To re-enable Defender:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 0

• • To enable network protection:

Set-MpPreference -EnableNetworkProtection Enabled

💡 RMM role: Monitoring registry keys via RMM allows detection of malicious modifications and supports quick remediation or rollback actions.

Task 5: Enforcing antivirus settings via Group Policy

📌 Use Case:

Group Policy Objects (GPO) can enforce a stable baseline across devices, ensuring real-time protection and scan settings remain active.

1. Open the Group Policy as an administrator. Press the Windows key, type gpedit.msc, then press Ctrl + Shift + Enter to run it as an administrator.
2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
3. Check each of the following settings and see if they are configured correctly:

💡 RMM role: Pairing GPO with RMM ensures endpoints stay compliant with security policies and are consistently prepared to respond to malware.

Task 6: Quarantining endpoints via network and service isolation

📌 Use Case:

This task is crucial when trying to protect devices from malware that’s been categorized as high-risk. IT admins can use PowerShell to disable connectivity and risky services.

1. Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
2. Run the following commands:

• • To disable the network adapter:

Disable-NetAdapter -Name "Ethernet" -Confirm:$false

• • To stop key services:

Stop-Service -Name "RemoteRegistry" -Force

Stop-Service -Name "WinRM" -Force

• • To block outbound traffic:

New-NetFirewallRule -DisplayName "BlockOutbound" -Direction Outbound -Action Block -Enabled True

💡 RMM role: System administrators can trigger these scripts conditionally through an RMM tool when malware is detected. This minimizes lateral movement and data exfiltration.

⚠️ Things to look out for

Additional considerations for malware response via RMM

• Third-party AV integration: Some AVs expose CLI/API options for scanning and isolation.
• False positives: Always maintain logs of all events and support manual rollback to avoid disruption.
• Escalation workflows: IT admins can choose from a variety of RMM solutions that also offer integrated PSA tools. This helps streamline reporting and ticketing services.
• Licensing: Confirm Defender or AV features are fully licensed and not disabled via OEM restrictions.

NinjaOne services for detecting and quarantining malware via RMM

NinjaOne and its tools can help enable you to proactively detect and respond to malware threats.

Leveraging RMM in responding to malware threats

Integrating malware detection and quarantine workflows into RMM platforms turns reactive AV tools into proactive cybersecurity solutions. With the help of PowerShell, Command Prompt, and event logs, Managed Service Providers and system administrators can automate malware detection and response. Meanwhile, registry and GPO enforcement help enforce strategies to stabilize security posture.

RMM tools like NinjaOne can complement all the steps outlined to make them scalable. Drastically minimize response time and strengthen your overall endpoint security by investing in RMM integrations to defend against malware.

Related topics:

• What Is Malware? Types, Detection and Prevention
• What Is Quarantine in Cybersecurity?
• How to Use Windows Defender to Scan for Malware
• How to Read Windows Event Logs: Shutdown and Restart
• How to Manually Scan Files, Folders, and Drives for Malware in Windows 10