Defender PowerShell Module


As an IT professional it's almost a given that you provide free support to your immediate family, perhaps your not-so-immediate family, occasionally your good friends and sometimes your neighbour's dog!

The other day I was helping the father-in-law remove a third party anti-virus product to reactivate Windows Defender on his laptop. 

I thought it would be a good opportunity to introduce him to some PowerShell!

Here's what we looked at...

 

Defender Status

This cmdlet gives you a view of how Defender is doing:

Get-MpComputerStatus

 

This command shows your signature file was lasted updated. It also shows you how many days ago the last full scan was performed:

Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated,FullScanAge

 

This one shows whether the defender subcomponents are enabled:

Get-MpComputerStatus |

Select-Object -Property AMServiceEnabled, `

AntispywareEnabled, `

AntivirusEnabled, `

BehaviorMonitorEnabled, `

IoavProtectionEnabled, `

NISEnabled, `

OnAccessProtectionEnabled, `

RealTimeProtectionEnabled

 

 

What about exclusions?

Get-MPPreference | Select Exclusion*


 

Threats

Has anything been detected?

Get-MpThreat

 

If anything comes back, pay particular attention to the IsActive and DidThreatExecute properties.

Want to know what threats defender checks for? This makes for very interesting reading:

(Get-MpThreatCatalog).ThreatName | Sort-Object | Out-File .\threat_names.txt

 

Defender Module

Run this:

Get-Command -Module defender


 

Notice the Start-MPScan cmdlet. Have a play; go on now; don't be shy!

 

Well, I'm sad to say that the father-in-law struggled to see the awesomeness of PowerShell, but this was a good start - one battle a war does not make!

 

Comments (4)

  1. JC says:

    Was the intent here that such a detailed response to his query would discourage him from asking again? 😉

  2. Cybil Shepherd says:

    Get-MpComputerStatus : The extrinsic Method could not be executed

    1. Matt Tatum says:

      Cybil – I ran into this same issue, turns out that this only works on Windows 10 or higher. If you’re on Windows 7 then you have to query the event logs for this info.

      For example:

      (get-eventlog -LogName system | Where {$_.Message -like ‘*scan has finished*’} |Sort TimeWritten -descending)[0].timewritten

      Should give you the last time a scan was finished

  3. JC: of course!
    Cybil: what OS? running as admin?

Skip to main content