What matters now
CVE-2026-41091 and CVE-2026-45498 affect Microsoft Defender and its underlying Malware Protection Engine and Antimalware Platform. The relevant control is not only the monthly Windows patch level, but whether Defender components on managed clients and servers actually updated.
As a minimum target, Malware Protection Engine 1.1.26040.8 or later and Microsoft Defender Antimalware Platform 4.18.26040.7 or later should be provable. These updates are automatic in default configurations, but enterprise environments often delay them through proxy rules, separated update rings, VDI images, DMZ systems or isolated servers.
Checks for the next few days
- Define coverage: Treat Windows clients, Windows servers, VDI/gold images, DMZ systems, isolated networks and older System Center Endpoint Protection estates separately.
- Prove versions: Collect engine and platform versions through Defender for Endpoint, Intune, ConfigMgr or locally with Get-MpComputerStatus.
- Prioritize stale systems: Do not defer systems below the target version to the next regular patch cycle; update them directly or remove them from risky network paths.
- Check the update channel: Signature and engine updates must pass proxy, TLS inspection and firewall rules reliably.
- Tighten monitoring: Review Defender service crashes, failed updates, disabled protection features and unusual local privilege escalation activity on Windows systems.
Fast verification
- Sample per device group: AMEngineVersion, AMProductVersion and latest signature timestamp.
- Central view: devices with Defender health issues, pending platform updates or unusually old signatures.
- Exception handling: systems without current Defender components need an owner, deadline and compensating control.
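The version proof and per-device-group sample described above can be scripted in one pass. The following PowerShell is an added example for this note, not a script from the advisory or from Microsoft: it reads the engine, platform and signature properties that Get-MpComputerStatus returns, compares them with the two minimum versions named above, and lists recent Defender operational events for failed updates or disabled protection. The 48-hour signature-age threshold, the event ID selection, the host-list file name and the CSV path are assumptions for the example.

```powershell
# Added example (not from the advisory): compare a host's Defender component versions with the
# minimum targets named above and surface the health signals the checklist asks for.
# Property names are those returned by Get-MpComputerStatus (Defender PowerShell module);
# the signature-age threshold, the event ID list and the file paths are assumptions.

$MinEngine      = [version]'1.1.26040.8'   # Malware Protection Engine target from the advisory
$MinPlatform    = [version]'4.18.26040.7'  # Antimalware Platform target from the advisory
$MaxSigAgeHours = 48                       # assumption: local definition of "unusually old" signatures

function ConvertTo-SafeVersion {
    # Hosts running Defender in passive mode or with a third-party AV may report an empty version.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return [version]'0.0.0.0' }
    return [version]$Text
}

function Test-DefenderBaseline {
    param(
        [Parameter(Mandatory)] $Status,          # object from Get-MpComputerStatus (local or remoted)
        [version] $MinEngine,
        [version] $MinPlatform,
        [int]     $MaxSigAgeHours
    )
    $engine   = ConvertTo-SafeVersion $Status.AMEngineVersion
    $platform = ConvertTo-SafeVersion $Status.AMProductVersion
    $sigAge   = (Get-Date) - $Status.AntivirusSignatureLastUpdated
    $findings = @()
    if ($engine   -lt $MinEngine)   { $findings += "engine $engine below $MinEngine" }
    if ($platform -lt $MinPlatform) { $findings += "platform $platform below $MinPlatform" }
    if ($sigAge.TotalHours -gt $MaxSigAgeHours) { $findings += ('signatures {0:N0} h old' -f $sigAge.TotalHours) }
    if (-not $Status.AMServiceEnabled)          { $findings += 'antimalware service disabled' }
    if (-not $Status.RealTimeProtectionEnabled) { $findings += 'real-time protection disabled' }

    # PSComputerName is populated when the status object came back through Invoke-Command.
    $name = if ($Status.PSComputerName) { $Status.PSComputerName } else { $env:COMPUTERNAME }
    [pscustomobject]@{
        ComputerName    = $name
        EngineVersion   = $engine
        PlatformVersion = $platform
        SignatureAgeH   = [math]::Round($sigAge.TotalHours, 1)
        Compliant       = ($findings.Count -eq 0)
        Findings        = ($findings -join '; ')
    }
}

function Get-DefenderHealthEvents {
    # Recent Defender operational events that indicate failed updates or disabled protection.
    # Assumed selection: 2001/2003 update failures, 5001/5010/5012 protection features disabled,
    # 5101 platform expired. Adjust to the event IDs your monitoring already keys on.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 2003, 5001, 5010, 5012, 5101
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

# Single host: print the verdict and the recent health events, non-zero exit if stale.
$local = Test-DefenderBaseline -Status (Get-MpComputerStatus) `
             -MinEngine $MinEngine -MinPlatform $MinPlatform -MaxSigAgeHours $MaxSigAgeHours
$local | Format-List
Get-DefenderHealthEvents -Days 7 | Format-Table -AutoSize

# Device group: collect status objects over WinRM and write the non-compliant rows to a CSV
# that can feed the exception list (assumed host-list and output paths).
if (Test-Path .\devicegroup-hosts.txt) {
    $hosts = Get-Content .\devicegroup-hosts.txt
    Invoke-Command -ComputerName $hosts -ScriptBlock { Get-MpComputerStatus } -ErrorAction SilentlyContinue |
        ForEach-Object { Test-DefenderBaseline -Status $_ -MinEngine $MinEngine -MinPlatform $MinPlatform -MaxSigAgeHours $MaxSigAgeHours } |
        Where-Object { -not $_.Compliant } |
        Export-Csv .\defender-stale.csv -NoTypeInformation
}

if (-not $local.Compliant) { exit 1 }
```

Hosts that are unreachable over WinRM are silently skipped by the group run, so reconcile the CSV against the device-group membership: a host missing from both the compliant and non-compliant sets is exactly the kind of isolated or DMZ system the advisory says to treat separately.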
If only one action is possible immediately: inventory Defender component versions and bring stale systems back into managed visibility.
