There are several ways to manage and configure Windows Defender, such as via the System Center Configuration Manager (SCCM), Desired State Configuration (DSC), Intune, and Group Policy. The Defender PowerShell module is another tool you can use. In this article, I will provide an introduction to the Defender module and examples of using its commands.

With the Windows 10 Anniversary Update, Microsoft improved its antivirus (AV) solution with new features, including offline scans, cloud integration, and enhanced notifications. One advantage of Windows Defender over third-party AV products is its built-in PowerShell support.

Running Get-Command -Module Defender shows the cmdlets you can use to work with Defender. Essentially, you can manage preferences, threats, definitions, scans, and get the current status of Windows Defender.

Windows Defender PowerShell cmdlets

Managing preferences

The cmdlets Add-MpPreference, Get-MpPreference, Remove-MpPreference, and Set-MpPreference allow you to configure the Windows Defender preferences. For instance, you can use Add-MpPreference to exclude an extension, path, or process from scans. Because excluded locations are never scanned, exclusions are a favourite target for attackers who want to stage tooling, so they deserve regular review.

In the example below, I will add the paths "C:\Users\Dan\Test" and "C:\Windows\AVTest" as scan exclusions.

Add-MpPreference -ExclusionPath ('C:\Users\Dan\test','C:\Windows\AVtest')
Get-MpPreference | Select-Object -Property ExclusionPath
Add paths to exclusion list

Set-MpPreference changes settings too, but for a list-valued setting such as -ExclusionPath it replaces the whole current list with the values you pass, whereas Add-MpPreference appends to the list and Remove-MpPreference deletes individual entries. As you can see in the screenshot below, Get-Help reveals the numerous parameters of Set-MpPreference.

Set MpPreference parameters

In the next example, I schedule the full remediation scan for Sundays at 2 a.m., enable UI lockdown, exclude the process "test" from scans, and cap Defender at an average of 20 percent CPU load during a scan. The value 120 for -RemediationScheduleTime is the number of minutes after midnight. Note that the -RemediationSchedule* parameters control the full scan Defender runs to complete remediation; the regular scheduled scan is configured with -ScanScheduleDay and -ScanScheduleTime.

PS C:\> Set-MpPreference -UILockdown:$True -ExclusionProcess test -ScanAvgCPULoadFactor 20 -RemediationScheduleDay Sunday -RemediationScheduleTime 120
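The following script is an added example, not code from the original article. It first shows the append-versus-replace behaviour of Add-MpPreference and Set-MpPreference on a list-valued setting, then audits the resulting exclusion lists for entries that commonly show up when an attacker tampers with Defender to keep tooling unscanned. The C:\Build\* paths are placeholders, and the "risky" patterns and names are illustrative assumptions, not an exhaustive list. Run it in an elevated session.

```powershell
# Added example, not from the original article. Requires an elevated session.
# The C:\Build\* paths are placeholders; the Remove-MpPreference call cleans up.

Add-MpPreference -ExclusionPath 'C:\Build\Cache'        # appends to the list
Add-MpPreference -ExclusionPath 'C:\Build\Artifacts'    # appends again
(Get-MpPreference).ExclusionPath                         # both C:\Build entries are present

Set-MpPreference -ExclusionPath 'C:\Build\Only'         # replaces the entire list
(Get-MpPreference).ExclusionPath                         # only C:\Build\Only remains

Remove-MpPreference -ExclusionPath 'C:\Build\Only'      # removes a single entry

function Get-MpRiskyExclusion {
    <#
    Returns exclusions that commonly appear in post-compromise Defender tampering:
    drive roots, user-writable directories, executable/script extensions and
    scripting hosts. The match lists below are illustrative, not exhaustive.
    #>
    [CmdletBinding()]
    param($Preference = (Get-MpPreference))

    $riskyPathPatterns = @(
        '^[A-Za-z]:\\?$',                       # whole drive
        '^[A-Za-z]:\\Users(\\|$)',              # any user profile
        '\\Temp(\\|$)',                         # temp directories
        '^[A-Za-z]:\\ProgramData(\\|$)',
        '^[A-Za-z]:\\Windows\\?$'               # entire Windows directory
    )
    $riskyExtensions = 'exe', 'dll', 'ps1', 'vbs', 'js', 'bat', 'cmd', 'scr', 'hta'
    $riskyProcesses  = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'rundll32.exe',
                       'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'

    foreach ($path in ($Preference.ExclusionPath | Where-Object { $_ })) {
        $hit = $riskyPathPatterns | Where-Object { $path -match $_ } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = "matches $hit" }
        }
    }
    foreach ($ext in ($Preference.ExclusionExtension | Where-Object { $_ })) {
        if ($ext.TrimStart('.').ToLower() -in $riskyExtensions) {
            [pscustomobject]@{ Type = 'Extension'; Value = $ext; Reason = 'executable or script type' }
        }
    }
    foreach ($proc in ($Preference.ExclusionProcess | Where-Object { $_ })) {
        if ((Split-Path -Path $proc -Leaf).ToLower() -in $riskyProcesses) {
            [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'scripting host or LOLBin' }
        }
    }
}

Get-MpRiskyExclusion | Format-Table -AutoSize
```

Get-MpRiskyExclusion emits one object per suspicious entry, so its output can be piped to Export-Csv or compared against a known-good baseline; an empty result means no exclusion matched the patterns, not that the lists are safe.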

Threats

The Defender PowerShell module can detect, view, and remove active threats, show the threat history, and list the threats in the definitions catalog. Below, I attempted to download the EICAR test file with Google Chrome. Get-MpThreatDetection shows the cleaning action taken against the threat and whether it succeeded, the user account involved, the process that triggered the detection, the detection time, and the remediation time.

PS C:\> Get-MpThreatDetection

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.10.14393.1066
CleaningActionID               : 2
CurrentThreatExecutionStatusID : 1
DetectionID                    : {76183E03-EFA6-4097-96B5-38FD9473D0D8}
DetectionSourceTypeID          : 3
DomainUser                     : DOMAIN\dfrancis
InitialDetectionTime           : 4/30/2017 7:04:06 AM
LastThreatStatusChangeTime     : 4/30/2017 7:04:11 AM
ProcessName                    : C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
RemediationTime                : 4/30/2017 7:04:11 AM
Resources                      : {file:_C:\Users\dfrancis\Downloads\Unconfirmed 69517.crdownload}
ThreatID                       : 2147519003
ThreatStatusErrorCode          : -2142207965
ThreatStatusID                 : 3
PSComputerName                 :
Displaying the number of Defender definitions in PowerShell

I also have the ability to search by a threat ID or use the Where-Object command to search by threat name, such as one that contains the string "Harnig.X."

PS C:\> Get-MpThreatCatalog | Where-Object {$_.ThreatName -like "*Harnig.X*"}


CategoryID     : 4
SeverityID     : 5
ThreatID       : 26276
ThreatName     : TrojanDownloader:Win32/Harnig.X
TypeID         : 0
PSComputerName :
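The function below is an added example and not part of the original article. It joins the per-event records from Get-MpThreatDetection with the per-threat records from Get-MpThreat on ThreatID, so each detection carries a readable threat name, its severity and whether the threat executed, and it surfaces detections whose remediation failed at the top of the list. The CleaningActionID names are taken from the MSFT_MpThreatDetection class documentation; any value not in that map is shown as a raw number rather than guessed.

```powershell
function Get-MpDetectionReport {
    <#
    Added example, not from the original article. Joins Get-MpThreatDetection
    (one record per detection event) with Get-MpThreat (one record per threat,
    carrying ThreatName, severity and whether it executed) on ThreatID, and
    returns a triage view of detections newer than -Days. Rows whose remediation
    did not succeed sort first.
    #>
    [CmdletBinding()]
    param([int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days)

    # Index the threats this machine has already seen; far smaller than Get-MpThreatCatalog.
    $threatById = @{}
    foreach ($t in @(Get-MpThreat)) { $threatById[[string]$t.ThreatID] = $t }

    # CleaningActionID values as documented for the MSFT_MpThreatDetection class.
    # Anything not listed is reported as the raw number instead of a guessed name.
    $actionName = @{ 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Allow'; 9 = 'NoAction'; 10 = 'Block' }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt $since } |
        ForEach-Object {
            $threat = $threatById[[string]$_.ThreatID]
            $id     = [int]$_.CleaningActionID
            [pscustomobject]@{
                Detected      = $_.InitialDetectionTime
                User          = $_.DomainUser
                Process       = $_.ProcessName
                ThreatName    = if ($threat) { $threat.ThreatName } else { "ThreatID $($_.ThreatID)" }
                Severity      = if ($threat) { $threat.SeverityID } else { $null }
                DidExecute    = if ($threat) { $threat.DidThreatExecute } else { $null }
                Action        = if ($actionName.ContainsKey($id)) { $actionName[$id] } else { $id }
                ActionSuccess = $_.ActionSuccess
                Resources     = ($_.Resources -join '; ')
            }
        } |
        Sort-Object @{ Expression = 'ActionSuccess'; Ascending = $true },
                    @{ Expression = 'Detected';      Descending = $true }
}

Get-MpDetectionReport -Days 30 | Format-Table -AutoSize
```

A row with ActionSuccess of False, or DidExecute of True, is the one to investigate first: the former means Defender saw the threat but could not remediate it, the latter that the sample ran before it was caught.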

Updating definitions

The Update-MpSignature cmdlet downloads the most recent definitions from an update source, by default Microsoft Update. With the -UpdateSource parameter you can choose a different source: an internal definition update server (InternalDefinitionUpdateServer, such as WSUS), the Microsoft Malware Protection Center (MMPC), or file shares (FileShares). Get-MpComputerStatus reports the installed signature version and its age in days, which is the quickest way to confirm that an update actually took effect.

Scanning

As previously stated, in addition to the traditional quick and full scans, Windows Defender can also perform an offline scan. An offline scan reboots the computer into a separate recovery environment and scans the disk before the installed Windows loads, so malware that hooks the running kernel or hides in the master boot record cannot interfere with, or evade, the scan.

To start an offline scan, run Start-MpWDOScan.

Start-MpWDOScan

Note that this cmdlet reboots the target computer immediately and starts the offline scan without warning the logged-on user, so any unsaved work is lost.

To start a quick or full scan, I can use Start-MpScan.

Start-MpScan -ScanType QuickScan

Using with CIM

The Defender cmdlets are CIM-based (they wrap the classes in the root\Microsoft\Windows\Defender WMI namespace), so every cmdlet in the module accepts a -CimSession parameter. This makes it easy for administrators to query or change settings on many computers remotely.

For example, to view EICAR threats (threat ID of 2147519003) detected within the last day for the computers "test-1" and "test-2," I could run this command:

PS C:\> Get-MpThreatDetection -CimSession test-1,test-2 -ThreatID 2147519003 | Where-Object {$_.InitialDetectionTime -gt (Get-Date).AddDays(-1)} | Select-Object PSComputerName,ProcessName

In the next scenario, I want to start a full scan on all computers in a particular Active Directory organizational unit, here "Win10." Get-ADComputer (from the RSAT ActiveDirectory module) with the -SearchBase parameter returns the computer names, which I pass to -CimSession.


PS C:\> Start-MpScan -CimSession (Get-ADComputer -Filter * -SearchBase "OU=WIN10,DC=DOMAIN,DC=COM" | Select-Object -ExpandProperty Name) -ScanType FullScan -AsJob

Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
118    CimJob44        CimJob          Running       True            win10fall16, bhit... Start-MpScan -CimSessi...
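As an added example (not from the original article), the function below applies the same -CimSession fan-out to a posture audit, and its usage section also covers the definition-update check from the "Updating definitions" section: it reports, for every machine in an OU, whether real-time protection and tamper protection are on, how old the signatures are, how many exclusions are configured and when the last quick scan finished, and then pushes Update-MpSignature only to the machines whose signatures are stale. Machines that cannot be reached are returned as rows rather than aborting the run. The OU distinguished name is the one from the article and is a placeholder; the 3-day staleness threshold is an assumption, and the IsTamperProtected property only exists on newer Windows 10 builds.

```powershell
function Get-MpFleetPosture {
    <#
    Added example, not from the original article. Queries Defender status and
    preferences on many machines over CIM in one fan-out and reports the settings
    a defender cares about. Unreachable machines come back as rows with
    Reachable = $false instead of terminating the run.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$MaxSignatureAgeDays = 3     # assumption; tune to your update cadence
    )

    # One session per host; connection failures are non-terminating and handled below.
    $sessions  = @(New-CimSession -ComputerName $ComputerName -OperationTimeoutSec 30 -ErrorAction SilentlyContinue)
    $reachable = @($sessions | ForEach-Object ComputerName)

    foreach ($name in $ComputerName) {
        if ($name -notin $reachable) {
            [pscustomobject]@{ Computer = $name; Reachable = $false }
        }
    }
    if ($sessions.Count -eq 0) { return }

    # Two round trips for the whole fleet, then join the results on PSComputerName.
    $statuses = Get-MpComputerStatus -CimSession $sessions
    $prefs    = Get-MpPreference      -CimSession $sessions | Group-Object PSComputerName -AsHashTable -AsString

    foreach ($s in $statuses) {
        $p = @($prefs[$s.PSComputerName])[0]
        [pscustomobject]@{
            Computer         = $s.PSComputerName
            Reachable        = $true
            RealTimeOn       = $s.RealTimeProtectionEnabled
            TamperProtected  = $s.IsTamperProtected          # $null on builds without the property
            SignatureVersion = $s.AntivirusSignatureVersion
            SignatureAgeDays = $s.AntivirusSignatureAge
            SignatureStale   = [int]$s.AntivirusSignatureAge -gt $MaxSignatureAgeDays
            Exclusions       = ($p.ExclusionPath      | Measure-Object).Count +
                               ($p.ExclusionExtension | Measure-Object).Count +
                               ($p.ExclusionProcess   | Measure-Object).Count
            LastQuickScan    = $s.QuickScanEndTime
        }
    }

    $sessions | Remove-CimSession
}

# Usage: audit an OU (placeholder DN), then update definitions only where they are stale.
$targets = Get-ADComputer -Filter * -SearchBase 'OU=WIN10,DC=DOMAIN,DC=COM' | Select-Object -ExpandProperty Name
$posture = Get-MpFleetPosture -ComputerName $targets
$posture | Format-Table -AutoSize

$stale = $posture | Where-Object { $_.Reachable -and $_.SignatureStale } | Select-Object -ExpandProperty Computer
if ($stale) { Update-MpSignature -CimSession $stale -UpdateSource MicrosoftUpdateServer }
```

Hosts with RealTimeOn of False, TamperProtected of False, or an unexpectedly high Exclusions count are the ones to look at first; a machine that is unreachable over CIM may simply be offline, but it may also have had WinRM disabled, so treat a persistent Reachable = $false as a finding rather than noise.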
2 Comments
  1. Paul Wormull 4 years ago

    Can you use Add-MpPreference to set the Offline Scan to run a FULL scan, please?

    thanks

    Paul


  2. mi-skam 1 year ago

    Hi, 

    after I updated to Windows 10 2004

    Set-MpPreference -DisableRealtimeMonitoring 1

    is not working anymore.


© 4sysops 2006 - 2021