Microsoft has invested heavily in Microsoft Defender Antivirus (known as Windows Defender) over the years to reduce the attack surface on the Windows environment against viruses and spyware, and ransomware.
There are multiple ways of managing Windows Defender, such as PowerShell, GPO, UI…etc. In this post, the focus is on managing Windows Defender by using PowerShell. Seems good… so let’s start.
Table of Contents
How to Get Windows Defender Realtime Protection Status using PowerShell
To get Windows Defender’s real-time protection status using PowerShell, you need to:
- Open Windows PowerShell, and make sure you start PowerShell as Administrator.
- Type the following PowerShell line
Get-MpComputerStatus | select RealTimeProtectionEnabledThe output shows the status of Windows Defender.
How to get The Defender Status on a Remote Machine using WMI.
To get Windows Defender status on a remote machine, you can use WMI:
- Open Windows PowerShell, and make sure you start PowerShell as Administrator.
- Type the following PowerShell line
Get-CimInstance -ComputerName MyRemoteServer -Query 'Select * from MSFT_MPComputerStatus' -Namespace 'root\Microsoft\Windows\Defender' | Select RealTimeProtectionEnabled,PSComputerNameThe result shows the current Windows Defender status on the remote server.
All the Windows Defender WMI classes are located under Root\Microsoft\Windows\Defender namespace.
Disable Windows Defender Using PowerShell.
To turn off or disable Windows Defender using PowerShell, start with the following.
- Open Windows PowerShell, and make sure you start PowerShell as Administrator.
- Type the following PowerShell line
Set-MpPreference -DisableRealtimeMonitoring $trueNo result appears after the execution, but you can confirm that Windows Defender is disabled by running the PowerShell line.
Get-MpPreference | Select-Object DisableRealtimeMonitoringThe Return of the line above will be $True
Enable Windows Defender Using PowerShell
To turn on or Enable Windows Defender using PowerShell, start with the following.
- Open Windows PowerShell, and make sure you start PowerShell as Administrator.
- Type the following PowerShell line.
set-MpPreference -DisableRealtimeMonitoring $False
There will be no result return, but you can confirm that settings are disabled by running the following cmdlet.
Get-MpPreference | Select-Object DisableRealtimeMonitoringThe return of the command line should be $False
Updating Windows Defender Definitions
Get the Definition Date and Age
Windows Defender requires an internet connection to get the latest signature and antivirus database as with any security solution. So let’s see how to update the definitions online.
Its possible to download the definitions as an offline package, but to utilize the best protection and AI integration with Microsoft cloud, its highly recommended to keep ensure your computer is connected to the internet.
First, let’s get the details of the current definition.
Get-MpComputerStatus | Select-Object *LastUpdated,*SignatureAge
Using Get-MpComputerStatus lists all the computer protection details, such as last scan time, the scanned score, real-time protection status, etc. But to get the result related to the signature info, use the Select-Object
Look at the dates as it gives the last time the update was completed. Also, the AntispywareSignatureAge, AntivirusSignatureAge, and NISSignatureAge represent the gap between today and the last successful update. So this is a pretty old definition and should be updated as soon as possible.
Its also possible to get the protection details on a remote computer using the following line
Invoke-Command -ScriptBlock {Get-MpComputerStatus} -ComputerName Your_Remote_ServerUpdate The Signature Definitions Using PowerShell.
To Update the signature definition using PowerShell.
- Open Windows PowerShell, and make sure you start PowerShell as Administrator.
- In the prompt, type
Update-MpSignature
PowerShell will connect to the Microsoft update repo and get the latest definitions. This might take a while and during this process, there is no activity on the screen. It’s not stuck. This is normal.
If the computer is not connected to the internet, you can download an offline copy of the definition from microsoft website
You might see a quick progress bar, but it depends on the internet connection speed.
If the computer is connected to the internet, the Antivirus engine gets its update. There will be no output from the console unless the -Verbose parameter is enabled. The console will return.
VERBOSE: Virus and spyware definitions update was completed successfully.
If the computer is not connected to the internet and PowerShell cannot complete the update, the following error is returned, and you need to get the offline package from the Microsoft website.
Update-MpSignature : Virus and spyware definitions update was completed with errors.
How to Update Windows Defender on a Remote Machine using PowerShell
To update windows defender on a remote machine using PowerShell, do the following steps:
- Open Windows PowerShell, and make sure to start it as Run As Administrator
- Type the command
Update-MPSignature -CimSessionRemoteMahcineName
How to Start Windows Defender Scan using PowerShell
Before starting the scanning, you need to know the three scanning types available.
- FullScan: Scan the computer for any threat.
- QuickScan: Scan System directories, Memory, and common locations.
- CustomScan: Require to set the
ScanPathparameter and type the path to scan
Once you know which scan type is needed, follow the steps below to start the scan you need:
- Open Windows PowerShell, and make sure you start PowerShell as Administrator.
- Type the following PowerShell line.
#Start Full Scan
Start-MpScan -ScanType FullScan
#Scan Quick Scan
Start-MpScan -ScanType QuickScan
#Scan Custom Scan
Start-MpScan -ScanType CustomScan -ScanPath C:\windowsHow to Find the Detected Threat and remove them using PowerShell
To know the history of detected threats using PowerShell:
- Open Windows PowerShell, and make sure you Run as Administrator.
- Use the command
Get-MpThreat
If you want to test your antivirus functionality and confirm that its able to do a basic detection, then download the Eicar virus test file
To remove the detected threat, follow these steps:
- Open Windows PowerShell, and make sure you Run As Administrator
- Type the following command
Remove-MpThreat - The command has no return unless the
-Verboseparameter is set
How to Get all Windows Defender Configuration using PowerShell
To get all the configuration using PowerShell, use the following cmdlet Get-MpPreference.
Take a small break and go through them. You can google any unclear value. But do not worry, as I will take you through some examples and show you how to change these values.
AllowNetworkProtectionOnWinServer : False
AttackSurfaceReductionOnlyExclusions :
AttackSurfaceReductionRules_Actions :
AttackSurfaceReductionRules_Ids :
CheckForSignaturesBeforeRunningScan : False
CloudBlockLevel : 0
CloudExtendedTimeout : 0
ComputerID : 91244B04-B3E5-47DA-AAC2-064CF85D0A1D
ControlledFolderAccessAllowedApplications :
ControlledFolderAccessProtectedFolders :
DisableArchiveScanning : False
DisableAutoExclusions : False
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableCpuThrottleOnIdleScans : True
DisableDatagramProcessing : False
DisableEmailScanning : True
DisableIntrusionPreventionSystem :
DisableIOAVProtection : False
DisablePrivacyMode : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : True
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
EnableControlledFolderAccess : 0
EnableFileHashComputation : False
EnableFullScanOnBatteryPower : False
EnableLowCpuPriority : False
EnableNetworkProtection : 0
ExclusionExtension :
ExclusionIpAddress :
ExclusionPath :
ExclusionProcess :
ForceUseProxyOnly : False
HighThreatDefaultAction : 0
LowThreatDefaultAction : 0
MAPSReporting : 2
MeteredConnectionUpdates : False
ModerateThreatDefaultAction : 0
ProxyBypass :
ProxyPacUrl :
ProxyServer :
PUAProtection : 0
QuarantinePurgeItemsAfterDelay : 90
RandomizeScheduleTaskTimes : True
RealTimeScanDirection : 0
RemediationScheduleDay : 0
RemediationScheduleTime : 02:00:00
ReportingAdditionalActionTimeOut : 10080
ReportingCriticalFailureTimeOut : 10080
ReportingNonCriticalTimeOut : 1440
ScanAvgCPULoadFactor : 50
ScanOnlyIfIdleEnabled : True
ScanParameters : 1
ScanPurgeItemsAfterDelay : 15
ScanScheduleDay : 0
ScanScheduleQuickScanTime : 00:00:00
ScanScheduleTime : 02:00:00
SevereThreatDefaultAction : 0
SharedSignaturesPath :
SignatureAuGracePeriod : 0
SignatureBlobFileSharesSources :
SignatureBlobUpdateInterval : 60
SignatureDefinitionUpdateFileSharesSources :
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 0
SubmitSamplesConsent : 1
ThreatIDDefaultAction_Actions :
ThreatIDDefaultAction_Ids :
UILockdown : False
UnknownThreatDefaultAction : 0
PSComputerName :
How to Disable or Enable Windows Defender Archive (Compressed file) Scanning.
- Open Windows PowerShell (Run As Administrator)
- Use the
Set-MpPreferencewith DisableArchiveScanning as a parameter- $True: means disable the archive scanning
- $False: means don’t disable the archive scanning
So the full command looks like this:
Set-MpPreference -DisableArchiveScanning $trueTo confirm the change, you can run the
Get-MpPreference
How to Disable or Enable Windows Defender Email scanning using PowerShell.
To disable or enable Windows defender email scanning for incoming and outgoing emails using PowerShell:
- Start by opening Windows PowerShell (Run As Administrator)
- Use the
Set-MpPreferencewith DisableEmailScanning as a parameter:- :$True: disable the archive scanning.
- $False: don’t disable the archive scanning.
So the full command looks like this:
Set-MpPreference -DisableEmailScanning $true
How to Exclude an Extension from Windows Defender Scanning using PowerShell
To exclude an extension from Windows Defender Scanning using PowerShell:
- Open PowerShell (Run As Administrator).
- Use the
Set-MpPreferencecmdlet with-ExclusionExtensionparameter. - You can add a single or multiple extensions separated by a comma.
So the full command looks like this:
Set-MpPreference -ExclusionExtension *.mp3,*.MP4,*.wav,*.EDB
How to Exclude a path from Windows Defender using PowerShell
You can exclude a path or multiple paths from Windows Defender scanning using Powershell using the following steps:
- Start Windows PowerShell, and make sure you Run As Administrator.
- Use the
Set-MpPreferencecmdlet with-ExclusionPathparameter. - You can add single or multiple paths separated by a comma.
So the full command looks like this:
Set-MpPreference -ExclusionPath C:\Windows,C:\Users
If the path contain any white space, make sure to include it between quotation mark.
Set-MpPreference -ExclusionPath 'C:\123 abd\'
How to configure Windows Defender Scanning schedule using PowerShell.
The Schedule consists of three elements:
- Type of Scan (Full or Quick).
- Time To start the scan.
- Days of the week to start the scan.
These are the elements you need to understand to create the schedule, so let’s put it all into action.
To configure Windows Defender Scanning Schedule using PowerShell:
- Open PowerShell, and make sure you Run As Administrator.
- Use the
Set-MpPreferencewith theScanParameterset toFullScanorQuickScan. So the full command for a full scan looks likeSet-MpPreference -ScanParameters FullScan - Let’s configure the starting time. Note that the time is in a 24 Hours format and written as 00:00:00. For example, if the schedule should start at 10 AM, the entire command looks like this:
Set-MpPreference -ScanScheduleTime 10:00:00
Another example, If the schedule starts at 11 PM, the entire command looks like this:Set-MpPreference -ScanScheduleTime 23:00:00 - The last step is to select which day of the week to start the scan on time specified in step two. To set the day, use the parameter.
ScanScheduleDay.ScanScheduleDayaccepts the following values- 0: Everyday
- 1: Sunday
- 2: Monday
- 3: Tuesday
- 4: Wednesday
- 5: Thursday
- 6: Friday
- 7: Saturday
- 8: Never
So to enable scanning every day the full command looks like this: Set-MpPreference -ScanScheduleDay 0 or you can replace the number with the value like Set-MpPreference -ScanScheduleDay Sunday. Another example, let set the schedule every Monday and Friday, the PowerShell line looks like this:
Set-MpPreference -ScanScheduleDay Monday,Friday
So to put it all together, the following line triggers a full scan on Sunday at 11 PM
Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleTime 23:00:00 -ScanParameters FullScanLimit Access to Windows Defender UI using PowerShell
To limit access to Windows defender user interface (UI) using PowerShell:
- Open Windows PowerShell, and make sure you start PowerShell as Administrator.
- Use the
Set-MpPreferencewithUILockdownparameter set to $true, so the full command looks like this:
Set-MpPreference -UILockdown $trueWhen a user tries to open the application interface, the user will get an error indicating that the Administrator has limited access to this part of the application.
Your IT administrator has limited access to some areas of this app, and the item you tried to access is not available. Contact IT Helpdesk for more information
Also, you will notice that the antivirus icon disappears from the Security Center.
To gain back access to the antivirus, use the following command
Set-MpPreference -UILockdown $FalseThis should be effective within a minute.
Read More
I hope you like this post. I think you will enjoy the following post on how to Control your infrastructure using Telegram and PowerShell.
