There are several ways to manage and configure Windows Defender, such as via the System Center Configuration Manager (SCCM), Desired State Configuration (DSC), Intune, and Group Policy. The Defender PowerShell module is another tool you can use. In this article, I will provide an introduction to the Defender module and examples of using its commands.

Dan Franciscus

Dan Franciscus is a systems engineer and VMware Certified Professional (VCP) specializing in VMware, PowerShell, and other Microsoft-based technologies. You can reach Dan at his blog or his Twitter at @dan_franciscus.

With the release of the Windows 10 Anniversary Update, Microsoft has improved their antivirus (AV) solution by adding features, including the ability to perform offline scans, cloud integration, and enhanced notifications as noted here. One advantage of Windows Defender over third-party AV products is Defender's built-in PowerShell support.

Running Get-Command -Module Defender shows the cmdlets you can use to work with Defender. Essentially, you can manage preferences, threats, definitions, scans, and get the current status of Windows Defender.

Windows Defender PowerShell cmdlets

Managing preferences

The cmdlets Add-MpPreference, Get-MpPreference, Remove-MpPreference, and Set-MpPreference allow you to configure the Windows Defender preferences. For instance, you can use Add-MpPreference to exclude an extension, path, or process from virus scans.

In the example below, I will add the paths "C:\Users\Dan\Test" and "C:\Windows\AVTest" as scan exclusions.

Add paths to exclusion list
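The exclusion step described above, written out as an added example (this is not the article's own code). It assumes an elevated PowerShell session on a machine where the Defender module is present, adds the two paths from the text, and reads the effective list back so the change can be verified and audited:

```powershell
# Added example: add the two exclusion paths from the article, then confirm they
# are present in the effective preference set. Requires an elevated session.

$paths = @('C:\Users\Dan\Test', 'C:\Windows\AVTest')

# Add-MpPreference appends to the existing ExclusionPath array; it does not replace it.
Add-MpPreference -ExclusionPath $paths

# Verify: every requested path should now appear in Get-MpPreference output.
$effective = (Get-MpPreference).ExclusionPath
foreach ($p in $paths) {
    if ($effective -contains $p) {
        Write-Output "Excluded: $p"
    } else {
        Write-Warning "Not excluded (check for errors above): $p"
    }
}

# Exclusions are a common blind spot for the scanner, so list them regularly and
# drop entries that are no longer needed, for example:
# Remove-MpPreference -ExclusionPath 'C:\Windows\AVTest'
```

The read-back loop is the part worth keeping: an exclusion that silently failed to apply looks identical to one that did unless you check Get-MpPreference afterwards.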

Set-MpPreference can also change the settings in Windows Defender, but it replaces the current value of any setting it touches. Conversely, Add-MpPreference just adds values to the current settings. As you can see in the screenshot below, Get-Help reveals the numerous parameters of Set-MpPreference.

Set MpPreference parameters

In the next example, I will set a full scan to start every Sunday at 2 a.m., enable UI lockdown, exclude the process "test" from the scan, and set Defender so it never uses more than 20 percent of the CPU during a scan. I use the value of 120 as the remediation schedule time because the parameter requires the number of minutes after midnight.
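The same configuration as an added example (not the article's own code). The scheduled times are passed as times of day, so the article's 120 minutes after midnight appears here as 02:00:00; the parameter names and allowed values are those of the Defender module's Set-MpPreference, and the hash-table splat is just a way to keep the comments next to each setting:

```powershell
# Added example: the scheduled full scan, UI lockdown, process exclusion and CPU
# cap described in the article, applied with Set-MpPreference.
# Set-MpPreference overwrites each setting it is given, so -ExclusionProcess 'test'
# replaces any process exclusions already configured; use Add-MpPreference to append.

$prefs = @{
    ScanParameters          = 'FullScan'   # scheduled scan type: QuickScan or FullScan
    ScanScheduleDay         = 'Sunday'
    ScanScheduleTime        = '02:00:00'   # 2 a.m. local time
    RemediationScheduleTime = '02:00:00'   # 120 minutes after midnight, as in the text
    UILockdown              = $true        # hide the Defender UI from interactive users
    ExclusionProcess        = 'test'
    ScanAvgCPULoadFactor    = 20           # average CPU use during scans capped at 20 percent
}
Set-MpPreference @prefs

# Read the settings back. Get-MpPreference reports the enum-typed values numerically
# (for example ScanParameters 2 for a full scan), so compare against the numbers,
# not the names, when you script a compliance check.
$p = Get-MpPreference
[pscustomobject]@{
    ScanParameters          = $p.ScanParameters
    ScanScheduleDay         = $p.ScanScheduleDay
    ScanScheduleTime        = $p.ScanScheduleTime
    RemediationScheduleTime = $p.RemediationScheduleTime
    UILockdown              = $p.UILockdown
    ExclusionProcess        = ($p.ExclusionProcess -join ', ')
    ScanAvgCPULoadFactor    = $p.ScanAvgCPULoadFactor
} | Format-List
```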

Threats

The Defender PowerShell module can detect, view, and remove active threats, view the threat history, and view threats listed in the definitions catalog. Below, I have attempted to download the EICAR test file to my computer with Google Chrome. Using Get-MpThreatDetection, I can view the action taken against the threat, the user account this occurred under, the detection time, and the remediation time.

Displaying the number of Defender definitions in PowerShell

I also have the ability to search by a threat ID or use the Where-Object command to search by threat name, such as one that contains the string "Harnig.X."
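An added example covering both the detection review and the two lookups just described; it is not code from the article. It uses only the Defender module's own cmdlets and output properties, and the threat ID 2147519003 is the EICAR ID the article quotes in its CIM section:

```powershell
# Added example: summarise recent detections, then look a threat up by ID and by name.

# 1. Detection history, newest first: what was found, under which account, when,
#    and whether the remediation action succeeded.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 ThreatID, DomainUser, ProcessName,
        InitialDetectionTime, RemediationTime, ActionSuccess,
        @{ Name = 'Resource'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 2. Resolve a threat ID to its catalog entry (name, severity, category).
Get-MpThreatCatalog -ThreatID 2147519003 |
    Select-Object ThreatID, ThreatName, SeverityID, CategoryID

# 3. Search the catalog by name fragment, as the article does for "Harnig.X".
#    The catalog is large, so filter on the pipeline rather than collecting it first.
Get-MpThreatCatalog |
    Where-Object { $_.ThreatName -like '*Harnig.X*' } |
    Select-Object ThreatID, ThreatName, SeverityID
```

The Resources property is an array (a detection can involve several files), which is why it is joined into one string for the table.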

Updating definitions

The Update-MpSignature cmdlet uses an update source (by default the Microsoft Update Server) to download the most recent definitions. You can also choose a different source via the -UpdateSource parameter to specify an internal definition server, the Microsoft Malware Protection Center (MMPC), or a file share.
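An added example (not the article's own code) that wraps Update-MpSignature in a small function and reports the signature version and age before and after, using the AntivirusSignature* properties of Get-MpComputerStatus. The Update-DefenderSignatures function name and the three-day staleness threshold are my own choices:

```powershell
# Added example: update definitions from a chosen source and report signature age,
# flagging the host if the signatures are still older than a threshold afterwards.
# Valid -UpdateSource values: InternalDefinitionUpdateServer, MicrosoftUpdateServer,
# MMPC, FileShares.

function Update-DefenderSignatures {
    param(
        [ValidateSet('InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC', 'FileShares')]
        [string] $Source = 'MicrosoftUpdateServer',
        [int] $MaxAgeDays = 3   # alert threshold; adjust to your own policy
    )

    $before = Get-MpComputerStatus
    Update-MpSignature -UpdateSource $Source
    $after  = Get-MpComputerStatus

    [pscustomobject]@{
        Source           = $Source
        VersionBefore    = $before.AntivirusSignatureVersion
        VersionAfter     = $after.AntivirusSignatureVersion
        LastUpdated      = $after.AntivirusSignatureLastUpdated
        SignatureAgeDays = $after.AntivirusSignatureAge
        Stale            = ($after.AntivirusSignatureAge -gt $MaxAgeDays)
    }
}

Update-DefenderSignatures -Source MicrosoftUpdateServer
```

A Stale value of $true after a successful run usually means the host cannot reach the chosen source (proxy, firewall, or an internal server that is itself behind), which is worth alerting on separately from the update call failing outright.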

Scanning

As previously stated, in addition to the traditional quick and full scan options, Windows Defender now also allows performing an offline scan. An offline scan restarts your computer and begins scanning outside of the Windows kernel with the intention of finding viruses and rootkits that can infect the master boot record.

To start an offline scan, you can run Start-MpWSOScan.

Note this will automatically begin rebooting the target computer and will start the offline scan with no warning.

To start a quick or full scan, I can use Start-MpScan.
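An added example (not from the article) that puts the three scan types behind one function. The quick and full scans run through Start-MpScan and the detections logged since the scan started are listed afterwards; the offline scan is only reached when explicitly requested, because Start-MpWSOScan reboots the machine. The Invoke-DefenderScan name is my own:

```powershell
# Added example: run a quick, full, or offline scan and show what the run found.

function Invoke-DefenderScan {
    param(
        [ValidateSet('QuickScan', 'FullScan', 'Offline')]
        [string] $Type = 'QuickScan'
    )

    if ($Type -eq 'Offline') {
        # Reboots immediately into the offline scanner; nothing further runs in this session.
        Start-MpWSOScan
        return
    }

    $started = Get-Date
    Start-MpScan -ScanType $Type      # runs synchronously; add -AsJob to background it

    # Anything detected at or after $started belongs to this scan run.
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $started } |
        Select-Object ThreatID, DomainUser, InitialDetectionTime, ActionSuccess,
            @{ Name = 'Resource'; Expression = { $_.Resources -join '; ' } }
}

Invoke-DefenderScan -Type QuickScan
# Invoke-DefenderScan -Type FullScan
# Invoke-DefenderScan -Type Offline    # reboots the computer without further warning
```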

Using with CIM

The Defender module has built-in capabilities for the Common Information Model (CIM) with the use of the -CimSession parameter on all commands. This easily allows administrators to query or change settings on multiple computers remotely.

For example, to view EICAR threats (threat ID of 2147519003) detected within the last day for the computers "test-1" and "test-2," I could run this command:

In the next scenario, I would like to start a full scan on all computers in a particular Active Directory organizational unit, in this case "Win10." To accomplish this, I can use Get-ADComputer with the -SearchBase parameter.
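Both CIM scenarios above as one added example (not the article's own code). It assumes the hosts test-1 and test-2 accept CIM sessions from the administrator's account, and that the ActiveDirectory (RSAT) module is available for Get-ADComputer. The distinguished name of the Win10 OU is a placeholder, since the article does not give the domain:

```powershell
# Added example: (a) EICAR detections in the last day on test-1 and test-2, and
# (b) a full scan on every computer in the "Win10" OU, both over CIM sessions.

$eicarId = 2147519003
$since   = (Get-Date).AddDays(-1)

# (a) One CIM session per host; the Defender cmdlets take the session array directly.
$sessions = New-CimSession -ComputerName 'test-1', 'test-2'
Get-MpThreatDetection -CimSession $sessions |
    Where-Object { $_.ThreatID -eq $eicarId -and $_.InitialDetectionTime -gt $since } |
    Select-Object PSComputerName, DomainUser, InitialDetectionTime, ActionSuccess |
    Format-Table -AutoSize
$sessions | Remove-CimSession

# (b) Resolve the OU to computer names, then start a full scan on each member.
$ou = 'OU=Win10,DC=example,DC=com'   # placeholder: substitute your domain's real DN
$computers = Get-ADComputer -Filter * -SearchBase $ou | Select-Object -ExpandProperty Name

# Hosts that are offline fail session creation individually; the rest proceed.
$sessions = New-CimSession -ComputerName $computers -ErrorAction SilentlyContinue

# -AsJob lets the scans run in parallel instead of waiting for each host in turn.
Start-MpScan -ScanType FullScan -CimSession $sessions -AsJob | Wait-Job | Receive-Job
$sessions | Remove-CimSession
```

PSComputerName is attached to every instance returned through a CIM session, which is what lets the threat report from several hosts be read as one table.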

© 4sysops 2006 - 2017