Hutter, Philipp (2025) Automated Testing Framework for Malware Detection in Microsoft Defender for Endpoint. Other thesis, OST Ostschweizer Fachhochschule.
Abstract
Microsoft Defender for Endpoint (MDE) is a widely used security platform that protects enterprise systems against malware and other threats. Despite its powerful capabilities, the detection mechanisms behind MDE remain largely opaque. The detection logic is updated frequently through cloud-driven changes, but without versioning or public documentation. This lack of transparency presents a challenge: security teams are unable to verify whether new threats are being effectively detected or whether previous detection capabilities have silently changed.
This thesis presents an automated testing framework that executes real-world malware samples in isolated virtual machines and analyzes MDE's response via its official cloud Application Programming Interface (API). The system is implemented in PowerShell and uses Microsoft Hyper-V to ensure clean, reproducible testing environments for each sample. Detection results are retrieved and compiled into structured reports that highlight alert types, detection gaps, and behavioral consistency. One key feature is a similarity analysis based on Levenshtein distance, which compares newly returned MDE alert titles against a reference list. This enables the system to flag alerts that may indicate mutated malware or changes in detection terminology, providing early indicators of MDE’s shifting detection patterns. The framework allows configuration through both a Command Line Interface (CLI) and external JavaScript Object Notation (JSON) files, and all results can be stored in a persistent datastore for potential future trend comparison.
By offering a safe, repeatable, and data-driven approach to malware testing, this framework fills a critical visibility gap in endpoint protection assurance. It allows organizations to proactively validate MDE’s responses to threats, understand behavioral changes in its detection engine, and build evidence-based trust in their endpoint defense strategy.
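As an added illustration of the similarity analysis the abstract describes, the following PowerShell snippet compares returned alert titles against a reference list using Levenshtein distance and flags exact matches, near matches worth review, and titles with no counterpart. This is example code, not the thesis's own framework; the alert titles, the reference list and the 0.8 similarity threshold are constructed assumptions.

```powershell
# Added example (not from the thesis): Levenshtein-distance similarity check of
# MDE alert titles against a reference list, flagging near-matches for review.
# The alert titles, reference list and threshold below are constructed.

function Get-LevenshteinDistance {
    param([string]$A, [string]$B)
    # Classic dynamic-programming edit distance (insert / delete / substitute),
    # keeping only the previous row to stay at O(min-length) memory.
    if ($A.Length -eq 0) { return $B.Length }
    if ($B.Length -eq 0) { return $A.Length }
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = New-Object int[] ($B.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $curr[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

function Compare-AlertTitles {
    param([string[]]$ReturnedTitles, [string[]]$ReferenceTitles, [double]$Threshold = 0.8)
    # Normalised similarity = 1 - distance / longer length; 1.0 is an exact match.
    foreach ($title in $ReturnedTitles) {
        $best = $null
        foreach ($ref in $ReferenceTitles) {
            $d   = Get-LevenshteinDistance $title.ToLower() $ref.ToLower()
            $sim = 1 - ($d / [Math]::Max($title.Length, $ref.Length))
            if (-not $best -or $sim -gt $best.Similarity) { $best = [pscustomobject]@{ Reference = $ref; Similarity = $sim } }
        }
        $status = if ($best.Similarity -eq 1) { 'Known' } elseif ($best.Similarity -ge $Threshold) { 'NearMatch-Review' } else { 'New' }
        [pscustomobject]@{ Title = $title; ClosestReference = $best.Reference; Similarity = [Math]::Round($best.Similarity, 2); Status = $status }
    }
}

# Constructed sample data standing in for a reference list and a fresh API response.
$reference = @(
    'Suspicious PowerShell command line',
    'Ransomware behavior detected',
    'Mimikatz credential theft tool'
)
$returned = @(
    'Suspicious PowerShell command line',    # identical wording      -> Known
    'Suspicious PowerShell commandline',     # one-character drift    -> NearMatch-Review
    'Anomalous process injection observed'   # no reference counterpart -> New
)
Compare-AlertTitles -ReturnedTitles $returned -ReferenceTitles $reference | Format-Table -AutoSize
```

The NearMatch-Review bucket is the one the abstract's argument rests on: a title that almost matches a known alert points at renamed detection logic or a mutated sample, and is the case a plain exact-match comparison would silently miss.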
| Item Type: | Thesis (Other) |
|---|---|
| Subjects: | Topics > Security; Area of Application > Security Technologies > Network; Brands > Microsoft; Metatags > INS (Institute for Networked Solutions) |
| Divisions: | Bachelor of Science FHO in Informatik > Bachelor Thesis |
| Depositing User: | OST Deposit User |
| Date Deposited: | 29 Sep 2025 10:48 |
| Last Modified: | 29 Sep 2025 10:48 |
| URI: | https://eprints.ost.ch/id/eprint/1305 |
