Defender PowerShell Module


As an IT professional it's almost a given that you provide free support to your immediate family, perhaps your not-so-immediate family, occasionally your good friends and sometimes your neighbour's dog!

The other day I was helping the father-in-law remove a third-party anti-virus product to reactivate Windows Defender on his laptop.

I thought it would be a good opportunity to introduce him to some PowerShell!

Here's what we looked at...

 

Defender Status

This cmdlet gives you a view of how Defender is doing:

Get-MpComputerStatus

 

This command shows when your signature file was last updated. It also shows how many days ago the last full scan was performed:

Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated,FullScanAge

 

This one shows whether the Defender subcomponents are enabled:

Get-MpComputerStatus |
Select-Object -Property AMServiceEnabled, `
AntispywareEnabled, `
AntivirusEnabled, `
BehaviorMonitorEnabled, `
IoavProtectionEnabled, `
NISEnabled, `
OnAccessProtectionEnabled, `
RealTimeProtectionEnabled

 

 

What about exclusions?

Get-MPPreference | Select Exclusion*


 

Threats

Has anything been detected?

Get-MpThreat

 

If anything comes back, pay particular attention to the IsActive and DidThreatExecute properties.

Want to know what threats Defender checks for? This makes for very interesting reading:

(Get-MpThreatCatalog).ThreatName | Sort-Object | Out-File .\threat_names.txt
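Pulling the status, exclusion and threat checks above together, here is an added example (my own code, not part of the original post) of a read-only health check that returns one findings list for the machine. The function name and the two age thresholds are my assumptions; the cmdlets and property names are the ones used above.

```powershell
# Read-only Defender health check (added example, not from the original post).
# Thresholds are assumptions; tune them to your own policy.
function Test-DefenderHealth {
    param([int]$MaxSignatureAgeDays = 3, [int]$MaxScanAgeDays = 7)

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    # Every subcomponent from the Select-Object list above should report $true.
    $components = 'AMServiceEnabled', 'AntispywareEnabled', 'AntivirusEnabled',
                  'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'NISEnabled',
                  'OnAccessProtectionEnabled', 'RealTimeProtectionEnabled'
    foreach ($c in $components) {
        if (-not $status.$c) { $findings.Add("Component disabled: $c") }
    }

    # Stale signatures or an overdue full scan (FullScanAge is in days).
    $sigAgeDays = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
    if ($sigAgeDays -gt $MaxSignatureAgeDays) {
        $findings.Add(("Signatures are {0:N1} days old" -f $sigAgeDays))
    }
    if ($status.FullScanAge -gt $MaxScanAgeDays) {
        $findings.Add("Last full scan was $($status.FullScanAge) days ago")
    }

    # Exclusions are blind spots; surface each one so it can be justified or removed.
    foreach ($p in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($item in @($pref.$p)) {
            if ($item) { $findings.Add("$p = $item") }
        }
    }

    # Detections that are still active, or that ran before being caught, matter most.
    foreach ($t in @(Get-MpThreat)) {
        if ($t.IsActive -or $t.DidThreatExecute) {
            $findings.Add("Threat $($t.ThreatName): IsActive=$($t.IsActive) DidThreatExecute=$($t.DidThreatExecute)")
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-DefenderHealth | Format-List
```

Like the cmdlets it wraps, this needs Windows 10 or later and an elevated PowerShell session.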

 

Defender Module

Run this:

Get-Command -Module defender


 

Notice the Start-MpScan cmdlet. Have a play; go on now; don't be shy!

 

Well, I'm sad to say that the father-in-law struggled to see the awesomeness of PowerShell, but this was a good start - one battle a war does not make!

 

Comments (5)

  1. JC says:

    Was the intent here that such a detailed response to his query would discourage him from asking again? 😉

  2. Cybil Shepherd says:

    Get-MpComputerStatus : The extrinsic Method could not be executed

    1. Matt Tatum says:

      Cybil – I ran into this same issue, turns out that this only works on Windows 10 or higher. If you’re on Windows 7 then you have to query the event logs for this info.

      For example:

      (Get-EventLog -LogName System | Where-Object {$_.Message -like '*scan has finished*'} | Sort-Object TimeWritten -Descending)[0].TimeWritten

      Should give you the last time a scan was finished

  3. JC: of course!
    Cybil: what OS? running as admin?

  4. hscowan says:

    Hi, I’m wondering what needs to be turned on or off for Defender commands to work.
    – Using Windows 10 Pro / 64 bit / Powershell ISE in Admin mode.
    – (Commodo AV installed)

    The only Defender command that seems to work is: Get-Command -Module defender

    CommandType Name                   Version Source
    ----------- ----                   ------- ------
    Function    Add-MpPreference       1.0     defender
    Function    Get-MpComputerStatus   1.0     defender
    Function    Get-MpPreference       1.0     defender
    Function    Get-MpThreat           1.0     defender
    Function    Get-MpThreatCatalog    1.0     defender
    Function    Get-MpThreatDetection  1.0     defender
    Function    Remove-MpPreference    1.0     defender
    Function    Remove-MpThreat        1.0     defender
    Function    Set-MpPreference       1.0     defender
    Function    Start-MpScan           1.0     defender
    Function    Start-MpWDOScan        1.0     defender
    Function    Update-MpSignature     1.0     defender

    ———————————————————————————
    i.e. these don’t execute:

    PS C:\WINDOWS\system32> Get-MpComputerStatus
    Get-MpComputerStatus : The extrinsic Method could not be executed.
    At line:1 char:5
    + Get-MpComputerStatus
    + ~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : MetadataError: (MSFT_MpComputerStatus:ROOT\Microsoft\…pComputerStatus) [Get-MpComputerStatus], CimException
        + FullyQualifiedErrorId : MI RESULT 16,Get-MpComputerStatus

    ——————
    PS C:\WINDOWS\system32> Start-MpScan -ScanType QuickScan
    Start-MpScan : Errors were encountered when attempted to scan your device.
    At line:1 char:7
    + Start-MpScan -ScanType QuickScan
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (MSFT_MpScan:ROOT\Microsoft\…der\MSFT_MpScan) [Start-MpScan], CimException
        + FullyQualifiedErrorId : HRESULT 0x800106ba,Start-MpScan

    —————-
    I tried many others but to no avail.
    Any enlightenment would be most appreciated.

    Thanks, Scott
