Defender Module for PowerShell

PS C:\> Get-Command -Module Defender

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Add-MpPreference                                   1.0        Defender
Function        Get-MpComputerStatus                               1.0        Defender
Function        Get-MpPreference                                   1.0        Defender
Function        Get-MpThreat                                       1.0        Defender
Function        Get-MpThreatCatalog                                1.0        Defender
Function        Get-MpThreatDetection                              1.0        Defender
Function        Remove-MpPreference                                1.0        Defender
Function        Remove-MpThreat                                    1.0        Defender
Function        Set-MpPreference                                   1.0        Defender
Function        Start-MpScan                                       1.0        Defender
Function        Start-MpWDOScan                                    1.0        Defender
Function        Update-MpSignature                                 1.0        Defender

Get-MpComputerStatus shows the current state of the Defender engine (signature age, tamper protection, real-time protection):

PS C:\> Get-MpComputerStatus

<SNIP>
AntivirusSignatureLastUpdated    : 4/8/2024 3:02:58 PM
<SNIP>
IsTamperProtected                : False
IsVirtualMachine                 : True
<SNIP>
RealTimeProtectionEnabled        : True

Get-MpThreat can be used to view the history of threats detected on the computer:

PS C:\> Get-MpThreat

CategoryID       : 6
DidThreatExecute : False
IsActive         : False
Resources        :
RollupStatus     : 1
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147894794
ThreatName       : Backdoor:Win64/CobaltStrike!pz
TypeID           : 0
PSComputerName   :

<SNIP>

Get-MpThreatDetection allows users to view the threat detection history on a computer (who was logged on, which process and which file were involved). The ThreatID from Get-MpThreat can be passed as an additional parameter to filter the output:

PS C:\> Get-MpThreatDetection -ThreatID 2147894794

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24020.7
CleaningActionID               : 2
CurrentThreatExecutionStatusID : 1
DetectionID                    : {BD0541EE-FDE0-4001-9BEF-13CEA41FC7DE}
DetectionSourceTypeID          : 3
DomainUser                     : WIN-I092S2V54F8\Administrator
InitialDetectionTime           : 4/9/2024 9:38:39 AM
LastThreatStatusChangeTime     : 4/9/2024 9:38:55 AM
ProcessName                    : C:\Windows\explorer.exe
RemediationTime                : 4/9/2024 9:38:55 AM
Resources                      : {file:_C:\artifact_x64.exe}
ThreatID                       : 2147894794
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 3
PSComputerName                 :

Get-MpPreference and Set-MpPreference can be used to configure Defender, for example to enable or disable real-time protection so that files are not deleted:

PS C:\> Set-MpPreference -DisableRealTimeMonitoring $true
Disable AV - Defender
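A defender-side triage script built from the cmdlets shown above (an added example, not part of the original note): it reports the protection state, flags a host whose real-time monitoring has been switched off without tamper protection, and joins the detection history to the threat names. It assumes an elevated session on a host with the Defender module loaded.

```powershell
# Added example (not from the original note): summarise Defender's protection
# state and its detection history for triage on the local machine.
# Requires the Defender module; run in an elevated PowerShell session.

# 1. Protection state: the fields from Get-MpComputerStatus and Get-MpPreference
#    that tell you whether the engine is actually protecting the host.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$state = [ordered]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    SignatureAge              = (Get-Date) - $status.AntivirusSignatureLastUpdated
}
[pscustomobject]$state | Format-List

# Flag the combination that matters: real-time monitoring switched off on a host
# where tamper protection would not have blocked the change.
if ($pref.DisableRealtimeMonitoring -and -not $status.IsTamperProtected) {
    Write-Warning 'Real-time monitoring is disabled and tamper protection is off.'
}

# 2. Detection history: Get-MpThreatDetection holds the events (who, when, which
#    file and process), Get-MpThreat holds the threat names. Join them on ThreatID.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime,
                  @{ n = 'ThreatName'; e = { $names[$_.ThreatID] } },
                  DomainUser,
                  ProcessName,
                  @{ n = 'Resources'; e = { $_.Resources -join ', ' } },
                  ActionSuccess |
    Format-Table -AutoSize
```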
