Malware detection and containment on endpoints works best when it is automated. Integrating detection and quarantine into a Remote Monitoring and Management (RMM) platform lets Managed Service Providers (MSPs) script the response, cutting reaction time and giving visibility across every client endpoint so an infection is contained before it spreads.
This is why it is worth understanding how to configure RMM integrations for detecting and quarantining malware. With proper integration, MSPs can identify threats, automatically isolate infected machines, escalate alerts, and keep an audit trail through logging and reporting. This guide walks through driving detection and quarantine from RMM with PowerShell, CMD, event logs, registry checks, and Group Policy Objects (GPO).
At a glance
| Task | Purpose | RMM role |
| --- | --- | --- |
| Task 1: Using PowerShell to detect and quarantine malware | Detects and quarantines malware via Defender cmdlets | Push scripts, schedule scans, automate quarantine actions |
| Task 2: Using CMD for antivirus scanning and quarantine | Detects and quarantines malware using MpCmdRun.exe | Deploy batch scripts across endpoints |
| Task 3: Monitoring event logs for malware activity | Detects malware activity by monitoring Defender logs | Monitor event IDs, trigger alerts or scripts |
| Task 4: Using registry indicators for isolation and hardening | Detects AV tampering and applies hardening changes | Watch registry keys, enforce or restore settings |
| Task 5: Enforcing antivirus settings via Group Policy | Enforces AV policies, but doesn't detect threats | Maintain policy baseline, support RMM script behavior |
| Task 6: Quarantining endpoints via network and service isolation | Isolates infected machines from the network | Run reactive isolation scripts based on threat triggers |
Prerequisites for RMM-based malware response
Before proceeding with RMM-based malware response configuration, make sure your environment meets the following requirements:
- An RMM platform with scripting, alerting, and automation capabilities (e.g., NinjaOne)
- Active antivirus software on endpoints, such as Microsoft Defender or third-party tools like SentinelOne or Bitdefender
- PowerShell 5.1 or later (the Defender module ships with Windows) or CMD access for scripting AV commands
- Access to antivirus scan logs or Windows Security Event Logs for threat monitoring
- Optional GPO configurations to enforce antivirus settings and enable real-time protection
Task 1: Using PowerShell to detect and quarantine malware
📌 Use Case:
PowerShell lets IT admins run scripts via RMM to scan for threats, log detection events, and take action. The Defender PowerShell module (Start-MpScan, Get-MpThreatDetection, Remove-MpThreat, Set-MpPreference) exposes Microsoft Defender Antivirus for both manual and automated threat management.
Below are recommended tasks that you can do with PowerShell to proactively prevent or respond to malware threats through RMM.
- Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following commands:
- To start a quick scan:
Start-MpScan -ScanType QuickScan
- To review detected threats:
Get-MpThreatDetection | Format-List
- To act on all active threats. Remove-MpThreat takes no threat ID or action switch; it applies the default action configured for each threat's severity, so confirm with Set-MpPreference that the per-severity default action is Quarantine rather than Allow or NoAction before relying on it:
Remove-MpThreat
- To ensure real-time protection is enabled:
Set-MpPreference -DisableRealtimeMonitoring $false
💡 RMM role: Through RMM, administrators schedule daily scans, collect detections, and auto-quarantine across endpoints from one script rather than machine by machine.
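The steps above combined into one RMM-deployable script, added here as an example (not code from the original article or from NinjaOne). It pins the default action to Quarantine before calling Remove-MpThreat, since that cmdlet applies whatever default action is configured and takes no threat ID, then reports recent detections and exits non-zero so the RMM can raise an alert. The $LookbackHours window and elevated execution (SYSTEM or admin) are assumptions.

```powershell
# Added example, not from the article: Defender scan-and-quarantine script for RMM.
# Assumption: runs elevated (SYSTEM or admin), as RMM-pushed scripts normally do.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [ValidateSet('QuickScan', 'FullScan')]
    [string]$ScanType = 'QuickScan',
    # Only report detections newer than this many hours (assumed default).
    [int]$LookbackHours = 24
)

$ErrorActionPreference = 'Stop'
Import-Module Defender

# Make sure Remove-MpThreat will quarantine rather than Allow/NoAction.
Set-MpPreference -LowThreatDefaultAction Quarantine `
                 -ModerateThreatDefaultAction Quarantine `
                 -HighThreatDefaultAction Quarantine `
                 -SevereThreatDefaultAction Quarantine

Start-MpScan -ScanType $ScanType

# Get-MpThreatDetection includes history; keep only the recent window.
$since  = (Get-Date).AddHours(-$LookbackHours)
$recent = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since }

if (-not $recent) {
    Write-Output "Scan complete: no detections in the last $LookbackHours hours."
    exit 0
}

# Applies the configured default action (Quarantine) to every active threat.
Remove-MpThreat

foreach ($d in $recent) {
    # ThreatID maps back to Get-MpThreat for the human-readable name.
    $name = (Get-MpThreat -ThreatID $d.ThreatID -ErrorAction SilentlyContinue).ThreatName
    [pscustomobject]@{
        Detected  = $d.InitialDetectionTime
        Threat    = $name
        Resources = ($d.Resources -join '; ')
        StatusID  = $d.ThreatStatusID   # numeric status code from the platform
        Process   = $d.ProcessName
    } | Format-List | Out-String | Write-Output
}

# Non-zero exit lets the RMM condition on "threat seen" instead of parsing text.
exit 1
```

Run it as a scheduled RMM script and alert on exit code 1; the formatted detection list goes into the job output for the ticket.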
Task 2: Using CMD for antivirus scanning and quarantine
📌 Use Case:
MpCmdRun.exe exposes the same scan functions from a plain Command Prompt. That is useful on older builds, where PowerShell is constrained by execution policy or Constrained Language Mode, or when the RMM pushes batch files rather than PowerShell.
Below are recommended tasks using Microsoft Defender’s command-line tool (MpCmdRun.exe) that you can run with Command Prompt to proactively prevent or respond to malware threats through RMM.
- Press Windows key + X, then select Command Prompt (Admin) or Windows Terminal (Admin). If using Windows Terminal, ensure you’re in a Command Prompt tab, not PowerShell.
- Run the following commands:
- To run a quick scan:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1
- To run a full scan:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
- To list the items currently in quarantine (-GetFiles collects diagnostic support logs into a .cab; it does not show quarantine):
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -ListAll
- Path caveat: Defender platform updates install the current MpCmdRun.exe under %ProgramData%\Microsoft\Windows Defender\Platform\<version>\. If the %ProgramFiles% copy is stale or errors out, run the versioned copy.
💡 RMM role: Use RMM automation to deploy CMD scripts for scheduled or conditional scanning, especially on devices with limited scripting environments.
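The same MpCmdRun.exe calls wrapped for an RMM push, added here as an example (not code from the original article or from NinjaOne). It resolves the newest platform copy of the binary before falling back to the Program Files path, runs the scan, and returns the exit code and output as one object. The assumption that folder names under Platform\ parse as versions (with a "-n" suffix stripped) and that exit code 0 means a clean scan are mine, not documented guarantees.

```powershell
# Added example, not from the article: PowerShell wrapper around MpCmdRun.exe.
# Assumptions: newest platform build lives under ProgramData\...\Platform\<version>,
# folder names are "x.y.z.w" or "x.y.z.w-n", and exit code 0 means clean.

function Get-MpCmdRunPath {
    $platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    if (Test-Path $platformRoot) {
        $newest = Get-ChildItem -Path $platformRoot -Directory |
            Where-Object { Test-Path (Join-Path $_.FullName 'MpCmdRun.exe') } |
            Sort-Object { [version]($_.Name -replace '-.*$', '') } -Descending |
            Select-Object -First 1
        if ($newest) { return Join-Path $newest.FullName 'MpCmdRun.exe' }
    }
    # Fallback: the original install location used in the commands above.
    return Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
}

function Invoke-MpCmdRunScan {
    param([ValidateSet('Quick', 'Full')][string]$Type = 'Quick')
    $exe = Get-MpCmdRunPath
    # MpCmdRun -Scan -ScanType: 1 = quick, 2 = full.
    $scanType = if ($Type -eq 'Quick') { 1 } else { 2 }
    $output = & $exe -Scan -ScanType $scanType 2>&1
    [pscustomobject]@{
        Binary   = $exe
        ExitCode = $LASTEXITCODE   # 0 = clean in practice; anything else needs review
        Output   = ($output -join "`n")
    }
}

function Get-MpQuarantineList {
    $exe = Get-MpCmdRunPath
    # -Restore -ListAll prints quarantined items; -GetFiles only gathers support logs.
    & $exe -Restore -ListAll 2>&1
}

# Script body as an RMM job: scan, show quarantine, signal threats via exit code.
$result = Invoke-MpCmdRunScan -Type Quick
$result | Format-List
Get-MpQuarantineList
if ($result.ExitCode -ne 0) { exit 1 }
```

The Platform\ lookup matters on endpoints that have received many platform updates: the binary under Program Files can lag behind the engine actually running.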
Task 3: Monitoring event logs for malware activity
📌 Use Case:
Microsoft Defender Antivirus writes every detection, remediation attempt, and configuration change to its Operational event log, which makes the log a reliable monitoring source that does not depend on capturing scan output.
- Open Event Viewer by pressing the Windows key + R, typing eventvwr.msc, and pressing Enter.
- Navigate to: Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
- Look for the relevant Event IDs:
- 1116: Malware detected
- 1117: Action taken on detected malware
- 1118: Action failed (the threat is still present)
- 2001: Security intelligence (signature) update failed. This is not a threat removal; stale signatures quietly weaken every later scan.
- 5001: Real-time protection disabled
- 5007: Antimalware configuration changed (registry or policy; possibly by malware)
- You can then use PowerShell to query the log. Filtering with a hashtable is evaluated by the event log service; piping the whole log through Where-Object reads every record first:
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Windows Defender/Operational"; Id=1116}
💡 RMM role: RMM policies can be configured to watch for these events and trigger automatic remediation. These actions may include quarantining the endpoint or generating a support ticket.
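Detection logic over these events, added here as an example (not code from the original article or from NinjaOne). Defender writes named EventData fields, so the parser reads fields by name instead of by position, which survives field reordering between platform versions. The sample event XML at the bottom is constructed for offline testing and is not a real detection; only the field names mirror real 1116 events. The $DefenderEventMap meanings and the 24-hour window are assumptions for the example.

```powershell
# Added example, not from the article: parse Defender Operational events by field
# name and alert from an RMM job. Sample XML below is constructed, not real data.

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs this script cares about and what they mean.
$DefenderEventMap = @{
    1116 = 'Malware detected'
    1117 = 'Action taken'
    1118 = 'Action failed'
    5001 = 'Real-time protection disabled'
    5007 = 'Configuration changed'
}

function ConvertFrom-DefenderEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    # Build a name -> value map of EventData so fields are looked up by name.
    $data = @{}
    foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $id = [int]$doc.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
    [pscustomobject]@{
        EventId  = $id
        Meaning  = $DefenderEventMap[$id]
        Time     = $doc.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Threat   = $data['Threat Name']
        Severity = $data['Severity Name']
        Path     = $data['Path']
        Process  = $data['Process Name']
        User     = $data['Detection User']
    }
}

function Get-DefenderDetection {
    param([int]$Hours = 24, [int[]]$Ids = @(1116, 1117, 1118, 5001))
    # FilterHashtable is applied by the log service; Where-Object would read the whole log.
    $filter = @{ LogName = $DefenderLog; Id = $Ids; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-DefenderEventXml -Xml $_.ToXml() }
}

# Constructed sample event (not real data) to exercise the parser offline.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" />
    <EventID>1116</EventID>
    <TimeCreated SystemTime="2024-01-15T10:12:33.000Z" />
  </System>
  <EventData>
    <Data Name="Threat Name">Virus:DOS/EICAR_Test_File</Data>
    <Data Name="Severity Name">Severe</Data>
    <Data Name="Path">file:_C:\Users\demo\Downloads\eicar.com</Data>
    <Data Name="Process Name">C:\Windows\explorer.exe</Data>
    <Data Name="Detection User">DEMO\demo</Data>
  </EventData>
</Event>
'@

ConvertFrom-DefenderEventXml -Xml $SampleEventXml | Format-List

# Live use from an RMM job: non-zero exit if anything matched in the window.
$hits = @(Get-DefenderDetection -Hours 24)
$hits | Format-Table EventId, Meaning, Time, Threat, Path -AutoSize
if ($hits.Count -gt 0) { exit 1 }
```

Including 1118 and 5001 in the default ID list is deliberate: a failed remediation or a disabled real-time engine is a stronger signal for isolation than a detection that was already cleaned.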
Task 4: Using registry indicators, DisableAntiSpyware and DisableAntiVirus, for isolation and hardening
📌 Use Case:
IT admins can use registry settings for quick hardening checks, and the DisableAntiSpyware and DisableAntiVirus values reveal whether something tried to switch Defender off. Treat them as tampering indicators rather than as controls: Tamper Protection blocks changes to these values, and current Defender platforms no longer honor DisableAntiSpyware, so a value of 1 is evidence that should trigger isolation and investigation, not only a rollback. Also check the policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender, since a GPO can set the same values.
- Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following commands:
- To check whether the disable flags are set (-ErrorAction SilentlyContinue avoids an error when the values do not exist, which is the healthy state):
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiSpyware","DisableAntiVirus" -ErrorAction SilentlyContinue
- To clear them (fails with access denied while Tamper Protection is on; confirm afterwards with Get-MpComputerStatus rather than trusting the registry write):
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 0
- To enable network protection:
Set-MpPreference -EnableNetworkProtection Enabled
💡 RMM role: Monitoring registry keys via RMM allows detection of malicious modifications and supports quick remediation or rollback actions.
Task 5: Enforcing antivirus settings via Group Policy
📌 Use Case:
Group Policy Objects (GPO) can enforce a stable baseline across devices, ensuring real-time protection and scan settings remain active.
- Open the Local Group Policy Editor as an administrator. Press the Windows key, type gpedit.msc, then press Ctrl + Shift + Enter. gpedit.msc edits only the local machine; in a domain, edit the GPO in the Group Policy Management Console (gpmc.msc) so the baseline is applied to every endpoint.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus (the last two settings below sit in the Real-time Protection subfolder)
- Check each of the following settings and see if they are configured correctly:
| Setting | Recommended status |
| --- | --- |
| "Turn off Microsoft Defender Antivirus" | Disabled |
| "Allow antimalware service to remain running always" | Enabled |
| "Real-time Protection > Turn off real-time protection" | Disabled |
| "Real-time Protection > Turn on behavior monitoring" | Enabled |
💡 RMM role: Pairing GPO with RMM ensures endpoints stay compliant with security policies and are consistently prepared to respond to malware.
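A compliance check covering both the registry indicators from Task 4 and the Group Policy baseline from Task 5, added here as an example (not code from the original article or from NinjaOne). It reads the live platform state from Get-MpComputerStatus, the unmanaged disable flags, and the policy values the four GPO settings write, and returns one object with findings so the RMM can alert on non-compliance. The mapping of each GPO setting to its policy registry value is the standard Defender ADMX mapping, stated here as an assumption; the remediation block is conditional and only clears what Tamper Protection does not own.

```powershell
# Added example, not from the article: Defender baseline check for Task 4 and Task 5.
# Assumptions: runs elevated via RMM; GPO settings map to the policy values noted inline.

function Get-RegValue {
    # Returns $null instead of throwing when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DefenderBaseline {
    $base   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $status = Get-MpComputerStatus

    $report = [ordered]@{
        # Live state from the platform: the most reliable signal.
        AMServiceEnabled       = $status.AMServiceEnabled
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        AMRunningMode          = $status.AMRunningMode      # Normal, Passive Mode, ...
        TamperProtected        = $status.IsTamperProtected
        # Task 4 indicators: unmanaged key, set by malware or by a legacy script.
        Raw_DisableAntiSpyware = Get-RegValue $base 'DisableAntiSpyware'
        Raw_DisableAntiVirus   = Get-RegValue $base 'DisableAntiVirus'
        # Task 5: what the GPO table should have written (assumed ADMX mapping).
        Pol_DisableAntiSpyware = Get-RegValue $policy 'DisableAntiSpyware'   # "Turn off Microsoft Defender Antivirus"
        Pol_ServiceKeepAlive   = Get-RegValue $policy 'ServiceKeepAlive'     # "Allow antimalware service to remain running always"
        Pol_DisableRealtime    = Get-RegValue "$policy\Real-Time Protection" 'DisableRealtimeMonitoring'  # "Turn off real-time protection"
        Pol_DisableBehaviorMon = Get-RegValue "$policy\Real-Time Protection" 'DisableBehaviorMonitoring'  # "Turn on behavior monitoring"
    }

    $findings = @()
    if (-not $report.AMServiceEnabled)       { $findings += 'Antimalware service not running' }
    if (-not $report.RealTimeProtection)     { $findings += 'Real-time protection off' }
    if ($report.AMRunningMode -ne 'Normal')  { $findings += "Running mode is '$($report.AMRunningMode)' (third-party AV present?)" }
    if ($report.Raw_DisableAntiSpyware -eq 1 -or $report.Raw_DisableAntiVirus -eq 1) {
        $findings += 'Disable flag set under unmanaged key (possible tampering)'
    }
    if ($report.Pol_DisableAntiSpyware -eq 1) { $findings += 'Policy turns Defender off' }
    if ($report.Pol_DisableRealtime -eq 1)    { $findings += 'Policy turns real-time protection off' }
    if ($report.Pol_DisableBehaviorMon -eq 1) { $findings += 'Policy turns behavior monitoring off' }
    if ($report.Pol_ServiceKeepAlive -ne 1)   { $findings += 'ServiceKeepAlive not enforced by policy' }

    $report.Compliant = ($findings.Count -eq 0)
    $report.Findings  = $findings
    [pscustomobject]$report
}

$result = Test-DefenderBaseline
$result | Format-List

if (-not $result.Compliant) {
    # Registry cleanup only where Tamper Protection does not own the values.
    if (-not $result.TamperProtected) {
        foreach ($n in 'DisableAntiSpyware', 'DisableAntiVirus') {
            Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -Name $n -ErrorAction SilentlyContinue
        }
    }
    # Re-enabling real-time protection is permitted even under Tamper Protection.
    Set-MpPreference -DisableRealtimeMonitoring $false
    exit 1
}
```

A "Passive Mode" finding is usually a registered third-party AV rather than an attack, so the RMM alert for that case should route to a configuration queue, not the incident queue.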
Task 6: Quarantining endpoints via network and service isolation
📌 Use Case:
Network and service isolation is the containment step when a detection is rated high or severe, or when remediation fails. PowerShell can cut connectivity and stop risky services, but keep a path back to the RMM agent: an endpoint you can no longer reach is one you can neither remediate nor release.
- Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following commands:
- To disable the network adapter (a last resort: this also disconnects the RMM agent, so nothing can be reversed remotely; take the adapter name from Get-NetAdapter rather than assuming "Ethernet"):
Disable-NetAdapter -Name "Ethernet" -Confirm:$false
- To stop services commonly used for lateral movement:
Stop-Service -Name "RemoteRegistry" -Force
Stop-Service -Name "WinRM" -Force
- To block outbound traffic (Windows Firewall gives block rules precedence over allow rules, so this rule also cuts off the RMM agent; for isolation that stays manageable, set the profile's default outbound action to Block and add allow rules for the management addresses only):
New-NetFirewallRule -DisplayName "BlockOutbound" -Direction Outbound -Action Block -Enabled True
💡 RMM role: System administrators can trigger these scripts conditionally through an RMM tool when malware is detected. This minimizes lateral movement and data exfiltration.
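An isolation script that keeps the RMM channel alive and can be reversed from the same RMM, added here as an example (not code from the original article or from NinjaOne). Instead of a broad block rule, which Windows Firewall would apply ahead of any allow rule, it switches the profile default to Block and allows only the management addresses. The $ManagementAddress placeholders, the SYSTEM context, and the "Manual" startup type restored on reversal are assumptions; adjust them to your environment.

```powershell
# Added example, not from the article: reversible isolation that preserves the RMM path.
# Assumptions: $ManagementAddress are placeholder RMM/relay/DNS addresses; runs as SYSTEM;
# Windows Firewall is the enforcement point.

function Invoke-EndpointIsolation {
    [CmdletBinding()]
    param(
        # IPs/CIDRs the endpoint may still reach: RMM, relay, DNS. Placeholders.
        [string[]]$ManagementAddress = @('203.0.113.10', '203.0.113.0/24'),
        [switch]$Reverse
    )
    $tag = 'RMM-Isolation'

    if ($Reverse) {
        Get-NetFirewallRule -DisplayName "$tag*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        # Back to the usual defaults: outbound allowed, inbound blocked.
        Set-NetFirewallProfile -All -DefaultOutboundAction Allow -DefaultInboundAction Block
        foreach ($s in 'WinRM', 'RemoteRegistry') {
            Set-Service -Name $s -StartupType Manual -ErrorAction SilentlyContinue  # assumed baseline
        }
        return 'Isolation removed'
    }

    # Idempotent: rerunning must not stack duplicate rules.
    Get-NetFirewallRule -DisplayName "$tag*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Block rules beat allow rules, so "block all outbound" would also kill the RMM
    # agent. Flip the profile default instead and allow only management traffic.
    New-NetFirewallRule -DisplayName "$tag-Allow-Mgmt-Out" -Direction Outbound `
        -Action Allow -RemoteAddress $ManagementAddress -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$tag-Allow-Mgmt-In"  -Direction Inbound `
        -Action Allow -RemoteAddress $ManagementAddress -Profile Any | Out-Null
    Set-NetFirewallProfile -All -Enabled True -DefaultOutboundAction Block -DefaultInboundAction Block

    # Stop and pin the remote-management services an attacker would pivot through.
    foreach ($s in 'WinRM', 'RemoteRegistry') {
        Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
        Set-Service -Name $s -StartupType Disabled -ErrorAction SilentlyContinue
    }
    return "Isolated; traffic limited to $($ManagementAddress -join ', ')"
}

# Example run, then verify the state the RMM will report back.
Invoke-EndpointIsolation
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
# After remediation, from the same RMM job:
# Invoke-EndpointIsolation -Reverse
```

Two caveats: if the RMM agent resolves its server by hostname, the DNS resolver address must be in the allow list; and if a GPO manages the firewall profiles, the profile change is overwritten at the next policy refresh, so the allow list belongs in the GPO or the isolation should use the EDR's own isolation feature.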
⚠️ Things to look out for
| Risk | Potential consequence | Remediation |
| --- | --- | --- |
| Scan does not run | Malware may go undetected, leaving endpoints exposed | Check that Microsoft Defender is enabled and the script runs elevated. Add logging to the script to verify execution. |
| No threats logged | Missed detections prevent alerts and reporting, reducing visibility | Ensure Defender telemetry and logging are enabled. Use Get-MpComputerStatus to verify protection status and signature age. |
| Quarantine fails | Threats persist on the device and may spread laterally across the network | Isolate the device through RMM first, then restart into Safe Mode to run removal. |
| NIC disable scripts fail silently | Infected devices remain online, undermining containment | Add -Verbose and Start-Transcript logging to the script. Test in a controlled environment before deployment. |
Additional considerations for malware response via RMM
- Third-party AV integration: Some AVs expose CLI/API options for scanning and isolation.
- False positives: Always maintain logs of all events and support manual rollback to avoid disruption.
- Escalation workflows: IT admins can choose from a variety of RMM solutions that also offer integrated PSA tools. This helps streamline reporting and ticketing services.
- Licensing: Confirm Defender or AV features are fully licensed and not disabled via OEM restrictions.
NinjaOne services for detecting and quarantining malware via RMM
NinjaOne and its tools can help enhance the proactive detection and response to malware threats.
| NinjaOne service | What it is | How it helps malware detection and response |
| --- | --- | --- |
| Script deployment | Distributes PowerShell or CMD-based malware scan and remediation scripts | Automates regular scans and enables fast threat remediation across multiple devices |
| Event log monitoring | Monitors Windows Defender event logs (e.g., Event ID 1116 for malware detection) | Detects threats in near real time and triggers automated response workflows |
| Automated quarantine | Runs pre-configured scripts to isolate infected devices from the network | Limits malware spread by cutting off compromised endpoints quickly |
| Policy management | Applies and enforces AV configurations, such as Defender real-time protection and scan settings | Maintains a consistent security baseline across all endpoints |
| Ticketing integration | Generates PSA tickets when malware events are detected | Ensures incidents are documented, assigned, and addressed within SLA windows |
| Audit and reporting | Logs all malware-related activity, including detection, quarantine, and remediation actions | Supports compliance, incident review, and operational transparency |
Leveraging RMM in responding to malware threats
Integrating malware detection and quarantine workflows into an RMM platform turns stand-alone AV tools into an automated response pipeline. With PowerShell, Command Prompt, and event logs, MSPs and system administrators can automate detection and response, while registry checks and GPO enforcement keep the protection baseline from drifting.
RMM tools like NinjaOne can complement all the steps outlined to make them scalable. By embedding these workflows into endpoint management, organizations can drastically reduce response times and strengthen overall protection.