Automating Defender Antivirus (Part 2)

On Windows, PowerShell comes with cmdlets to automate the built-in antivirus engine “Defender”. In this second part, let’s take a look at how you find out the antivirus settings that are active on your machine:

 
PS C:\> Get-MpPreference
AllowDatagramProcessingOnWinServer            : False
AllowNetworkProtectionDownLevel               : False
AllowNetworkProtectionOnWinServer             : False
AllowSwitchToAsyncInspection                  : False
AttackSurfaceReductionOnlyExclusions          : {N/A: Must be and administrator to view exclusions}
AttackSurfaceReductionRules_Actions           : 
AttackSurfaceReductionRules_Ids               : 
CheckForSignaturesBeforeRunningScan           : False
CloudBlockLevel                               : 1
CloudExtendedTimeout                          : 1
ComputerID                                    : 7AB83555-0B97-47C7-A67C-8778E4757F65
ControlledFolderAccessAllowedApplications     : {N/A: Must be and administrator to view exclusions}
ControlledFolderAccessProtectedFolders        : 
DefinitionUpdatesChannel                      : 0
DisableArchiveScanning                        : False
DisableAutoExclusions                         : False
DisableBehaviorMonitoring                     : False
DisableBlockAtFirstSeen                       : False
DisableCatchupFullScan                        : True
DisableCatchupQuickScan                       : True
DisableCpuThrottleOnIdleScans                 : True
DisableDatagramProcessing                     : False
DisableDnsOverTcpParsing                      : False
DisableDnsParsing                             : False
DisableEmailScanning                          : True
DisableFtpParsing                             : False
DisableGradualRelease                         : False
DisableHttpParsing                            : False
DisableInboundConnectionFiltering             : False
DisableIOAVProtection                         : False
DisableNetworkProtectionPerfTelemetry         : False
DisablePrivacyMode                            : False
DisableRdpParsing                             : False
DisableRealtimeMonitoring                     : False
DisableRemovableDriveScanning                 : True
DisableRestorePoint                           : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles                   : False
DisableScriptScanning                         : False
DisableSmtpParsing                            : False
DisableSshParsing                             : False
DisableTlsParsing                             : False
EnableControlledFolderAccess                  : 0
EnableDnsSinkhole                             : True
EnableFileHashComputation                     : False
EnableFullScanOnBatteryPower                  : False
EnableLowCpuPriority                          : False
EnableNetworkProtection                       : 0
EngineUpdatesChannel                          : 0
ExclusionExtension                            : {N/A: Must be and administrator to view exclusions}
ExclusionIpAddress                            : {N/A: Must be and administrator to view exclusions}
ExclusionPath                                 : {N/A: Must be and administrator to view exclusions}
ExclusionProcess                              : {N/A: Must be and administrator to view exclusions}
ForceUseProxyOnly                             : False
HighThreatDefaultAction                       : 0
IntelTDTEnabled                               : True
LowThreatDefaultAction                        : 0
MAPSReporting                                 : 2
MeteredConnectionUpdates                      : False
ModerateThreatDefaultAction                   : 0
PlatformUpdatesChannel                        : 0
ProxyBypass                                   : 
ProxyPacUrl                                   : 
ProxyServer                                   : 
PUAProtection                                 : 1
QuarantinePurgeItemsAfterDelay                : 90
RandomizeScheduleTaskTimes                    : True
RealTimeScanDirection                         : 0
RemediationScheduleDay                        : 0
RemediationScheduleTime                       : 02:00:00
ReportDynamicSignatureDroppedEvent            : False
ReportingAdditionalActionTimeOut              : 10080
ReportingCriticalFailureTimeOut               : 10080
ReportingNonCriticalTimeOut                   : 1440
ScanAvgCPULoadFactor                          : 50
ScanOnlyIfIdleEnabled                         : True
ScanParameters                                : 1
ScanPurgeItemsAfterDelay                      : 10
ScanScheduleDay                               : 0
ScanScheduleOffset                            : 120
ScanScheduleQuickScanTime                     : 00:00:00
ScanScheduleTime                              : 02:00:00
SchedulerRandomizationTime                    : 4
ServiceHealthReportInterval                   : 60
SevereThreatDefaultAction                     : 0
SharedSignaturesPath                          : 
SignatureAuGracePeriod                        : 0
SignatureBlobFileSharesSources                : 
SignatureBlobUpdateInterval                   : 60
SignatureDefinitionUpdateFileSharesSources    : 
SignatureDisableUpdateOnStartupWithoutEngine  : False
SignatureFallbackOrder                        : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod                   : 120
SignatureScheduleDay                          : 8
SignatureScheduleTime                         : 01:45:00
SignatureUpdateCatchupInterval                : 1
SignatureUpdateInterval                       : 0
SubmitSamplesConsent                          : 1
ThreatIDDefaultAction_Actions                 : {6}
ThreatIDDefaultAction_Ids                     : {311978}
ThrottleForScheduledScanOnly                  : True
TrustLabelProtectionStatus                    : 0
UILockdown                                    : False
UnknownThreatDefaultAction                    : 0
PSComputerName                                :  

As you see from the results, a few settings are protected and need Administrator privileges to query.

If you’d like to change AV settings, simply use the Set verb: Set-MpPreference.

Of course you can filter the returned information to answer specific questions using Select-Object, but what if you’d like to filter the information based on value? Let’s say you need a list of all features that are currently turned off?

Filtering Properties Using PSObject

Here’s a clever approach that uses the underlying PSObject to list the names of all properties, then filters them based on their value:

$preference = Get-MpPreference
[PSObject]$psObject = $preference.PSObject
$psObject.Properties | Where-Object {
    $_.Value -is [bool] -and $_.Value -eq $true
    } | Select-Object -ExpandProperty Name

Likewise, this piece of code lists all currently disabled properties (with a value of $false):

$preference = Get-MpPreference
[PSObject]$psObject = $preference.PSObject
$psObject.Properties | Where-Object {
    $_.Value -is [bool] -and $_.Value -eq $false
    } | Select-Object -ExpandProperty Name

Since the approach above can filter based on (any) property value, you can easily adjust this to i.e. dump only properties that contains a [byte] below 500:

$preference = Get-MpPreference
[PSObject]$psObject = $preference.PSObject
$psObject.Properties | Where-Object {
    $_.Value -is [byte] -and $_.Value -lt 500
    } | Select-Object -Property Name, Value

Here is the result:

 
Name                         Value
----                         -----
CloudBlockLevel                  1
DefinitionUpdatesChannel         0
EnableControlledFolderAccess     0
EnableNetworkProtection          0
EngineUpdatesChannel             0
HighThreatDefaultAction          0
LowThreatDefaultAction           0
MAPSReporting                    2
ModerateThreatDefaultAction      0
PlatformUpdatesChannel           0
PUAProtection                    1
RealTimeScanDirection            0
RemediationScheduleDay           0
ScanAvgCPULoadFactor            50
ScanParameters                   1
ScanScheduleDay                  0
SevereThreatDefaultAction        0
SignatureScheduleDay             8
SubmitSamplesConsent             1
UnknownThreatDefaultAction       0  

For now, the take-away is: by wrapping code inside functions, you make your code reusable, you automatically add scalability (in our example above we now could convert one or thousands of strings in the same call), and your production script code becomes shorter and can focus on what it really wants to accomplish.

 
PS C:\> Get-Command -Module ConfigDefender

CommandType     Name                                   Version    Source
-----------     ----                                   -------    ------
Function        Add-MpPreference                       1.0        ConfigDefender
Function        Get-MpComputerStatus                   1.0        ConfigDefender
Function        Get-MpPreference                       1.0        ConfigDefender
Function        Get-MpThreat                           1.0        ConfigDefender
Function        Get-MpThreatCatalog                    1.0        ConfigDefender
Function        Get-MpThreatDetection                  1.0        ConfigDefender
Function        Remove-MpPreference                    1.0        ConfigDefender
Function        Remove-MpThreat                        1.0        ConfigDefender
Function        Set-MpPreference                       1.0        ConfigDefender
Function        Start-MpRollback                       1.0        ConfigDefender
Function        Start-MpScan                           1.0        ConfigDefender
Function        Start-MpWDOScan                        1.0        ConfigDefender
Function        Update-MpSignature                     1.0        ConfigDefender

Tweet this Tip!