Table of Contents

  • Introduction
  • The Cmdlets
  • Getting the System Antimalware Protection Status
  • Working with Defender Preferences
    • Getting Windows Defender Preferences
    • Setting Windows Defender Preferences
    • Adding Windows Defender Preferences
    • Removing Windows Defender Preferences
  • Getting Threats' information
    • Getting the history of detected threats
    • Getting active and past malware threats
    • Getting known threats from the definitions catalog
  • Updating Antimalware Definitions
  • Performing a System Scan
    • Performing an Online Scan
    • Performing an Offline Scan
  • Removing Threats from the System
  • See Also

Introduction

All Windows and Windows Server users know that the operating system features a built-in antimalware protection tool named Windows Defender.
The UI of this tool has gone through several changes, but that's not the only way Windows Defender can be managed: a Windows PowerShell module named "Defender" (provided with the operating system's PowerShell) can be used to manage Windows Defender without the GUI. This is useful in automation scenarios, especially when the GUI is not available, as in Windows Server Core installations.

Let's take a look at what we can do with Windows Defender via PowerShell.

The Cmdlets

Getting a comprehensive overview of the PowerShell cmdlets for Windows Defender is quite simple and relies (of course) on the Get-Command cmdlet: open an administrative PowerShell window and execute the following

Get-Command -Module Defender

The output lists the cmdlets available in the "Defender" module. Use the Get-Help cmdlet to get a detailed description of each cmdlet as well as usage examples.
Let's take a look at each of them.

Getting the System Antimalware Protection Status

Before using any of the cmdlets available in the "Defender" module, you probably want to be sure that all the Windows Defender related services are up and running: this can be easily checked by using the Get-Service cmdlet and filtering its output as follows

The first cmdlet in the "Defender" module you'd probably execute is Get-MpComputerStatus, which gets the status of the antimalware protection software installed on the computer: simply type Get-MpComputerStatus and hit ENTER to display a set of properties related to the status of Windows Defender.

Each of these properties provides information about the status of Windows Defender.
Let's take a look at some of them:

  • AMEngineVersion: version of the antimalware engine
  • NISEngineVersion: version of the network inspection system engine
  • AMServiceEnabled: whether the antimalware service is enabled
  • AMProductVersion: antimalware client version
  • AMServiceVersion: antimalware service version
  • AntispywareEnabled: antispyware protection activation status
  • AntispywareSignatureLastUpdated: creation date of the antispyware threat definitions
  • AntispywareSignatureVersion: antispyware signatures version
  • AntivirusSignatureVersion: antivirus signatures version
  • NISSignatureVersion: network inspection system signatures version
  • AntivirusEnabled: antivirus protection activation status
  • AntivirusSignatureLastUpdated: date and time of the last update of the antivirus signatures
  • FullScanAge: number of days since the last full scan of the system
  • FullScanEndTime: end date and time of the last full scan of the system
  • FullScanStartTime: start date and time of the last full scan of the system
  • NISEnabled: network inspection system activation status
  • NISSignatureLastUpdated: date and time of the last update of the network inspection system's signatures
  • QuickScanAge: number of days since the last quick scan of the system
  • QuickScanEndTime: end date and time of the last quick scan of the system
  • QuickScanStartTime: start date and time of the last quick scan of the system
  • RealTimeProtectionEnabled: real-time protection activation status
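As an added example (not code from the original article), the following script checks that the Defender services are running and turns the Get-MpComputerStatus properties above into a short health verdict. The service names WinDefend and WdNisSvc, and the age thresholds, are assumptions, not values from the article.

```powershell
# Added example: verify the Defender services, then evaluate Get-MpComputerStatus.
# Service names (WinDefend, WdNisSvc) and the day thresholds are assumed values.
Get-Service -Name 'WinDefend', 'WdNisSvc' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status

function Get-DefenderHealth {
    param([int]$MaxSignatureAgeDays = 3, [int]$MaxQuickScanAgeDays = 7)

    $s = Get-MpComputerStatus
    $findings = @()
    # Each disabled protection layer is a finding; so are stale signatures and scans.
    if (-not $s.AMServiceEnabled)          { $findings += 'antimalware service disabled' }
    if (-not $s.AntivirusEnabled)          { $findings += 'antivirus protection disabled' }
    if (-not $s.RealTimeProtectionEnabled) { $findings += 'real-time protection disabled' }
    if (-not $s.NISEnabled)                { $findings += 'network inspection disabled' }
    if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "antivirus signatures are $($s.AntivirusSignatureAge) days old"
    }
    if ($s.QuickScanAge -gt $MaxQuickScanAgeDays) {
        $findings += "last quick scan was $($s.QuickScanAge) days ago"
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        EngineVersion  = $s.AMEngineVersion
        AVSignature    = $s.AntivirusSignatureVersion
        SigLastUpdated = $s.AntivirusSignatureLastUpdated
        LastQuickScan  = $s.QuickScanEndTime
        LastFullScan   = $s.FullScanEndTime
        Healthy        = ($findings.Count -eq 0)
        Findings       = $(if ($findings) { $findings -join '; ' } else { 'none' })
    }
}

Get-DefenderHealth | Format-List
```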

Working with Defender Preferences

The Windows Defender preferences can be viewed or manipulated by using a group of four cmdlets: Get-MpPreference, Set-MpPreference, Add-MpPreference and Remove-MpPreference.

Getting Windows Defender Preferences

The Get-MpPreference cmdlet gets and displays the current preferences for Windows Defender scans and updates.

The cmdlet's execution displays a huge set of properties, such as:

  • CheckForSignaturesBeforeRunningScan: if $True, Windows Defender checks for new virus and spyware definitions before running a scan
  • DisableArchiveScanning: if set to 0 or $False, or not specified, Windows Defender scans archive files
  • ExclusionExtension: an array of file name extensions to exclude from scheduled, custom and real-time scanning
  • ExclusionPath: an array of file paths to exclude from scheduled and real-time scanning; specifying a folder excludes all the files under that folder
  • ExclusionProcess: an array of paths to process images; any files opened by the specified processes are excluded from scheduled and real-time scanning (the processes themselves are not excluded)

The -CimSession parameter can be used to run the cmdlet in a remote session or on a remote computer.

Setting Windows Defender Preferences

The Set-MpPreference cmdlet configures preferences for Windows Defender scans and updates.

Adding Windows Defender Preferences

The Add-MpPreference cmdlet adds settings for Windows Defender. Its parameters allow the user to:

  • -ExclusionPath: add exclusions for file name paths
  • -ExclusionExtension: add exclusions for file name extensions
  • -ExclusionProcess: add exclusions for processes
  • -ThreatIDDefaultAction_Actions: specify an array of the actions to take for the IDs specified with the -ThreatIDDefaultAction_Ids parameter; the acceptable values for this parameter are
    • 1: Clean
    • 2: Quarantine
    • 3: Remove
    • 4: Allow
    • 8: UserDefined
    • 9: NoAction
    • 10: Block
  • -ThreatIDDefaultAction_Ids: specify an array of threat IDs to apply the default action to

Removing Windows Defender Preferences

The Remove-MpPreference cmdlet removes exclusions or default actions; it can be used to remove exclusions for file name extensions, paths and processes, or default actions for high, moderate and low threats. Its parameters allow the user to:

  • -Force: force the cmdlet's execution without user confirmation
  • -HighThreatDefaultAction: remove the automatic remediation action specified for the high threat alert level
  • -LowThreatDefaultAction: remove the automatic remediation action specified for the low threat alert level
  • -ModerateThreatDefaultAction: remove the automatic remediation action specified for the moderate threat alert level
  • -SevereThreatDefaultAction: remove the automatic remediation action specified for the severe threat alert level
  • -ThreatIDDefaultAction_Ids: array of threat IDs for which the default action must be removed
  • -ThrottleLimit: maximum number of concurrent operations that can be established to run the cmdlet; if 0 or omitted, an optimum throttle limit for the cmdlet is calculated based on the number of CIM cmdlets running on the computer
  • -UnknownThreatDefaultAction: remove the automatic remediation action specified for the unknown threat alert level
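The four preference cmdlets together, as an added example that is not code from the original article: it audits the exclusions reported by Get-MpPreference (each one is a place Defender will not scan, so they deserve review), tightens two scan settings with Set-MpPreference, and adds then removes an exclusion with Add-MpPreference and Remove-MpPreference. The build folder path and the "broad exclusion" patterns are assumed sample values.

```powershell
# Added example: audit, set, add and remove Windows Defender preferences.
# The path C:\Build\Output and the review patterns below are assumed values.
$pref = Get-MpPreference

# List every configured exclusion explicitly, by kind.
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    $values = @($pref.$kind)
    '{0}: {1}' -f $kind, $(if ($values) { $values -join ', ' } else { '<none>' })
}

# Flag exclusions a reviewer would want justified: whole drives,
# user-writable locations and script/executable extensions.
$broad  = @(@($pref.ExclusionPath) | Where-Object {
    $_ -match '^[A-Za-z]:\\?$' -or $_ -match '\\Users\\|\\Temp\\|\\ProgramData\\'
})
$broad += @(@($pref.ExclusionExtension) | Where-Object { $_ -match '^\.?(exe|dll|ps1|vbs|js)$' })
if ($broad) { Write-Warning ('Review these exclusions: ' + ($broad -join ', ')) }

# Check for new definitions before each scan and keep archive scanning enabled.
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true -DisableArchiveScanning $false

# Add an exclusion for a build output folder, confirm it, then remove it again.
$buildDir = 'C:\Build\Output'   # assumed sample path
Add-MpPreference -ExclusionPath $buildDir
'Excluded after add: {0}' -f ((Get-MpPreference).ExclusionPath -contains $buildDir)
Remove-MpPreference -ExclusionPath $buildDir
'Excluded after remove: {0}' -f ((Get-MpPreference).ExclusionPath -contains $buildDir)
```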

Getting Threats' Information

There are three cmdlets aimed at getting and displaying information about threats: Get-MpThreat, Get-MpThreatDetection and Get-MpThreatCatalog.

Getting the history of detected threats

The Get-MpThreat cmdlet gets the history of threats that Windows Defender detected on the computer; if you want information about a specific threat, use the -ThreatID parameter and pass an array of threat IDs.

Getting active and past malware threats

The Get-MpThreatDetection cmdlet gets active and past malware threats that Windows Defender detected on the system; if you want information about a specific threat, use the -ThreatID parameter and pass an array of threat IDs.

Getting known threats from the definitions catalog

The Get-MpThreatCatalog cmdlet displays information about known threats from the definitions catalog; as with the previous two cmdlets, if you want information about a specific threat, use the -ThreatID parameter and pass an array of threat IDs.

Each item returned by the cmdlet is an object of type Microsoft.Management.Infrastructure.CimInstance#ROOT/Microsoft/Windows/Defender/MSFT_MpThreatCatalog and its properties can be easily displayed as follows.
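The three threat cmdlets combined into one report, as an added example (not code from the original article): recent detections from Get-MpThreatDetection are enriched with name and severity from Get-MpThreatCatalog, using its -ThreatID parameter so only the IDs actually seen are looked up, and threats Get-MpThreat still marks as active are flagged. The 30-day window is an assumption; the severity labels follow the Defender SeverityID values.

```powershell
# Added example: enrich recent detections with catalog data and flag active threats.
# The 30-day window is an assumed value.
$severityName = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }
$since = (Get-Date).AddDays(-30)

$detections = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $since })
if ($detections.Count -eq 0) { 'No detections in the last 30 days.' }

# Query the catalog only for the IDs seen; walking the whole catalog
# (hundreds of thousands of entries) would be needlessly slow.
$catalog = @{}
if ($detections.Count -gt 0) {
    $ids = [int64[]]($detections.ThreatID | Sort-Object -Unique)
    foreach ($entry in Get-MpThreatCatalog -ThreatID $ids) {
        $catalog[[int64]$entry.ThreatID] = $entry
    }
}

$detections | ForEach-Object {
    $known = $catalog[[int64]$_.ThreatID]
    [pscustomobject]@{
        Detected   = $_.InitialDetectionTime
        ThreatID   = $_.ThreatID
        Name       = $(if ($known) { $known.ThreatName } else { '<not in catalog>' })
        Severity   = $(if ($known) { $severityName[[int]$known.SeverityID] } else { 'n/a' })
        Resources  = ($_.Resources -join '; ')
        Process    = $_.ProcessName
        Remediated = $_.ActionSuccess
    }
} | Sort-Object Detected -Descending | Format-Table -AutoSize

# Anything still active is a live problem, not history.
$active = @(Get-MpThreat | Where-Object { $_.IsActive })
if ($active) {
    Write-Warning ('Active threats: ' + (($active.ThreatName | Sort-Object -Unique) -join ', '))
}
```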

Updating Antimalware Definitions

To update the antimalware definitions with the latest ones available, simply execute the Update-MpSignature cmdlet.

The -UpdateSource parameter allows you to specify the update source (by default, the Microsoft Update Server is used) from which to download the latest definitions: it can take the following values

  • InternalDefinitionUpdateServer: Windows Software Update Services (WSUS) server
  • MicrosoftUpdateServer: Microsoft Update Server
  • MMPC: Microsoft Malware Protection Center
  • FileShares: a network file share

Performing a System Scan

There are two cmdlets that can be used to perform a system scan: Start-MpScan and Start-MpWDOScan.

Performing an Online Scan

The Start-MpScan cmdlet starts a scan on the computer.
The target to scan can be the whole system or a specific file or folder path: in the latter case, the -ScanPath parameter is used to specify the scan's target.

The -ScanType parameter allows the user to specify the type of scan to perform: the acceptable values for this parameter are:

  • FullScan
  • QuickScan
  • CustomScan

Performing an Offline Scan

Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment: the scan runs from outside the normal Windows kernel, so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
To perform an offline scan, execute the Start-MpWDOScan cmdlet: this kind of scan restarts the system and performs the scan (it takes about 15 minutes to complete).

Removing Threats from the System

If one or more threats have been detected on the system, removal is a very simple activity: just execute the Remove-MpThreat cmdlet to remove all of them.
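The update, scan and removal steps of the last three sections as one maintenance routine, added here as an example and not code from the original article: it refreshes definitions with Update-MpSignature (falling back to the MMPC source if Microsoft Update fails), runs Start-MpScan, reports what the scan found and calls Remove-MpThreat only if something is still active. The function name, the fallback choice and the scan path are assumptions.

```powershell
# Added example: update definitions, scan, report and remediate.
# Invoke-DefenderMaintenance, the MMPC fallback and the sample path are assumed.
function Invoke-DefenderMaintenance {
    param(
        [string]$ScanPath,                       # used for CustomScan only
        [ValidateSet('FullScan', 'QuickScan', 'CustomScan')]
        [string]$ScanType = 'QuickScan'
    )

    # 1. Refresh definitions; try the MMPC source if Microsoft Update fails.
    try {
        Update-MpSignature -UpdateSource MicrosoftUpdateServer -ErrorAction Stop
    } catch {
        Write-Warning "Microsoft Update failed ($($_.Exception.Message)); trying MMPC"
        Update-MpSignature -UpdateSource MMPC
    }
    $status = Get-MpComputerStatus
    "Signatures: $($status.AntivirusSignatureVersion) ($($status.AntivirusSignatureLastUpdated))"

    # 2. Scan. Start-MpScan blocks until the scan completes unless -AsJob is used.
    $scanStart = Get-Date
    if ($ScanType -eq 'CustomScan') {
        Start-MpScan -ScanType CustomScan -ScanPath $ScanPath
    } else {
        Start-MpScan -ScanType $ScanType
    }

    # 3. Report detections made since the scan began, then remediate active threats.
    $found = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $scanStart })
    foreach ($d in $found) {
        'Detected threat {0} in {1}' -f $d.ThreatID, ($d.Resources -join ', ')
    }
    $active = @(Get-MpThreat | Where-Object { $_.IsActive })
    if ($active.Count -gt 0) {
        Remove-MpThreat   # removes every active threat; the cmdlet has no per-ID filter
        'Removed {0} active threat(s)' -f $active.Count
    } else {
        'No active threats.'
    }
}

Invoke-DefenderMaintenance -ScanType CustomScan -ScanPath 'C:\Users\Public\Downloads'
```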


See Also

  • Windows Defender cmdlets reference
  • Windows Defender: How To Activate Potentially Unwanted Applications (PUA) Protection