

Defender PowerShell Module

As an IT professional it's almost a given that you provide free support to your immediate family, perhaps your not-so-immediate family, occasionally your good friends and sometimes your neighbour's dog!

The other day I was helping the father-in-law remove a third-party anti-virus product to reactivate Windows Defender on his laptop.

I thought it would be a good opportunity to introduce him to some PowerShell!

Here's what we looked at...


Defender Status

This cmdlet gives you a view of how Defender is doing:

Get-MpComputerStatus


This command shows when your signature file was last updated and how many days ago the last full scan ran:

Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated,FullScanAge


This one shows whether the Defender subcomponents are enabled (every one of them should be True on a healthy machine):

Get-MpComputerStatus |
Select-Object -Property AMServiceEnabled, `
AntispywareEnabled, `
AntivirusEnabled, `
BehaviorMonitorEnabled, `
IoavProtectionEnabled, `
NISEnabled, `
OnAccessProtectionEnabled, `
RealTimeProtectionEnabled
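The checks above are the raw ingredients; what you usually want is a single verdict. Here is an added example (my own, not code from the original post) that wraps them in a function: it reads Get-MpComputerStatus once, flags any disabled component, stale signatures and an overdue or never-run full scan, and returns one object you can inspect or feed to a monitoring job. It assumes an elevated session on a Windows version that ships the Defender module; the 7-day signature and 30-day scan thresholds are this example's own choices, not Microsoft defaults.

```powershell
# Added example: one-shot Defender posture check (not part of the original post).
# Assumes an elevated PowerShell session with the Defender module available.
# Thresholds are this example's own assumptions, not Microsoft defaults.
function Test-DefenderPosture {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 7,
        [int]$MaxFullScanAgeDays  = 30
    )

    $status   = Get-MpComputerStatus
    $findings = New-Object System.Collections.Generic.List[string]

    # Every protection component listed in the post should be $true on a healthy box.
    $components = 'AMServiceEnabled', 'AntispywareEnabled', 'AntivirusEnabled',
                  'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'NISEnabled',
                  'OnAccessProtectionEnabled', 'RealTimeProtectionEnabled'
    foreach ($name in $components) {
        if (-not $status.$name) { $findings.Add("Component disabled: $name") }
    }

    # Signature age is reported directly in days; a large value usually means
    # updates are blocked or the machine has been offline for a long time.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("AV signatures are $($status.AntivirusSignatureAge) days old " +
                      "(last updated $($status.AntivirusSignatureLastUpdated))")
    }

    # FullScanAge is a uint32 and reads as its maximum value when no full scan has ever run.
    if ($status.FullScanAge -eq [uint32]::MaxValue) {
        $findings.Add('No full scan has ever been run')
    } elseif ($status.FullScanAge -gt $MaxFullScanAgeDays) {
        $findings.Add("Last full scan was $($status.FullScanAge) days ago")
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        RealTimeOn       = $status.RealTimeProtectionEnabled
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

Test-DefenderPosture | Format-List
```

If Healthy comes back False, the Findings array tells you which of the three things (a disabled component, old signatures, or no recent full scan) to chase first; a disabled RealTimeProtectionEnabled with everything else fine is the classic sign that another product, or a user, switched Defender off.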


What about exclusions? Excluded paths, extensions and processes are never scanned, which makes them a favourite hiding place for malware (and a common leftover from careless installers), so they deserve a careful look:

Get-MpPreference | Select-Object Exclusion*
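Listing exclusions is only half the job; the question is which of them are dangerous. The following added example (mine, not from the original post) classifies each path, extension and process exclusion with a few heuristics: a whole drive or a wildcard path, a user-writable location, or an executable file type is flagged High, and any process exclusion is flagged because Defender skips every file that process opens, not just the process image itself. It assumes an elevated session; the "risky" patterns are this example's own and are worth tuning for your environment.

```powershell
# Added example: audit Defender exclusions for over-broad entries (not from the original post).
# Assumes an elevated session. The risk heuristics below are this example's own.
function Get-DefenderExclusionRisk {
    $pref = Get-MpPreference

    # Regexes for locations a standard user can write to; anything dropped there is never scanned.
    $userWritable = @(
        [regex]::Escape($env:TEMP),
        '\\Users\\[^\\]+\\(Downloads|Desktop|AppData)',
        '\\ProgramData\\',
        '\\Windows\\Temp'
    )
    # Extensions that carry executable content; excluding them defeats the point of AV.
    $executableExt = 'exe', 'dll', 'ps1', 'vbs', 'js', 'bat', 'cmd', 'scr', 'com', 'hta', 'msi'

    foreach ($p in $pref.ExclusionPath) {
        $risk = 'Review'
        if     ($p -match '^[A-Za-z]:\\?$')                        { $risk = 'Critical (entire drive)' }
        elseif ($p -match '\*')                                   { $risk = 'High (wildcard path)' }
        elseif ($userWritable | Where-Object { $p -match $_ })    { $risk = 'High (user-writable location)' }
        [pscustomobject]@{ Type = 'Path'; Value = $p; Risk = $risk }
    }

    foreach ($e in $pref.ExclusionExtension) {
        $risk = if ($executableExt -contains $e.TrimStart('.')) { 'High (executable type)' } else { 'Review' }
        [pscustomobject]@{ Type = 'Extension'; Value = $e; Risk = $risk }
    }

    foreach ($proc in $pref.ExclusionProcess) {
        # A process exclusion skips every file the process opens, not only its own image.
        [pscustomobject]@{ Type = 'Process'; Value = $proc; Risk = 'High (anything it opens is unscanned)' }
    }
}

Get-DefenderExclusionRisk | Format-Table -AutoSize

# Once you have confirmed an entry is not needed, remove it, for example:
# Remove-MpPreference -ExclusionPath 'C:\SomeFolder'
```

An empty table is the result you want on a home laptop; on a server, expect a handful of vendor-documented paths and nothing in the Critical bucket.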


Threats

Has anything been detected?

Get-MpThreat


If anything comes back, pay particular attention to the IsActive and DidThreatExecute properties.

Want to know what threats Defender checks for? This makes for very interesting reading:

(Get-MpThreatCatalog).ThreatName | Sort-Object | Out-File .\threat_names.txt


Defender Module

Run this:

Get-Command -Module defender


Notice the Start-MpScan cmdlet (it takes -ScanType QuickScan, FullScan or CustomScan, the last combined with -ScanPath). Have a play; go on now; don't be shy!
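Putting the Threats section and Start-MpScan together, here is an added example (my own, not code from the original post) that refreshes signatures, runs a quick scan and then triages what Defender recorded. It joins Get-MpThreat (one row per threat, with the IsActive and DidThreatExecute flags mentioned above) to Get-MpThreatDetection (one row per detection event, with the file, the process and whether remediation succeeded). It assumes an elevated session with the Defender module; the numeric status and severity names are this example's transcription of Microsoft's MSFT_MpThreatDetection and MSFT_MpThreat class documentation.

```powershell
# Added example: update, quick-scan and triage (not from the original post).
# Assumes an elevated session. Status/severity names transcribed from the
# MSFT_MpThreatDetection and MSFT_MpThreat documentation.
$statusMap = @{
    1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined'; 4 = 'Removed'; 5 = 'Allowed'; 6 = 'Blocked'
    102 = 'QuarantineFailed'; 103 = 'RemoveFailed'; 104 = 'CleanFailed'; 105 = 'AllowFailed'
    106 = 'Abandoned'; 107 = 'BlockFailed'
}
$severityMap = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }

function Invoke-DefenderQuickTriage {
    [CmdletBinding()]
    param([switch]$SkipScan)   # use -SkipScan to only report existing detections

    if (-not $SkipScan) {
        Update-MpSignature                # pull the latest definitions first
        Start-MpScan -ScanType QuickScan  # runs synchronously; add -AsJob to background it
    }

    # Index threats by ThreatID so each detection event can be enriched with its flags.
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }

    foreach ($d in Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending) {
        $t = $threats[$d.ThreatID]
        [pscustomobject]@{
            Time        = $d.InitialDetectionTime
            Threat      = $t.ThreatName
            Severity    = $severityMap[[int]$t.SeverityID]
            Status      = $statusMap[[int]$d.ThreatStatusID]
            ActionOK    = $d.ActionSuccess
            Executed    = $t.DidThreatExecute   # did the payload actually run?
            StillActive = $t.IsActive
            Process     = $d.ProcessName
            Resources   = ($d.Resources -join '; ')
        }
    }
}

# Anything that ran, is still active, or whose remediation failed needs a human to look at it.
Invoke-DefenderQuickTriage |
    Where-Object { $_.Executed -or $_.StillActive -or -not $_.ActionOK } |
    Format-List
```

A detection with Status Quarantined, ActionOK True and Executed False is Defender doing its job; Executed True, or any of the *Failed statuses, means the machine should be treated as compromised until you have looked at the Resources and Process columns.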


Well, I'm sad to say that the father-in-law struggled to see the awesomeness of PowerShell, but this was a good start - one battle a war does not make!

Comments

  • Anonymous
    July 19, 2015
    Was the intent here that such a detailed response to his query would discourage him from asking again? ;)
  • Anonymous
    July 19, 2015
    Get-MpComputerStatus : The extrinsic Method could not be executed
    • Anonymous
      May 25, 2016
      Cybil - I ran into this same issue, turns out that this only works on Windows 10 or higher. If you're on Windows 7 then you have to query the event logs for this info. For example:

      (Get-EventLog -LogName System | Where-Object { $_.Message -like '*scan has finished*' } | Sort-Object TimeWritten -Descending)[0].TimeWritten

      Should give you the last time a scan was finished
  • Anonymous
    August 03, 2015
    JC: of course!
    Cybil: what OS? running as admin?