This guide will briefly explain what Windows Defender and Windows PowerShell are. It will then give you a short introduction on how Windows PowerShell works and how to use PowerShell to manage Windows Defender. We will lastly see how we can use PowerShell to see which viruses Windows Defender can identify by looking into its signature definitions database.
What is Windows Defender?
Windows Defender is malware protection that is included with and built into Windows. This software helps identify and remove viruses, spyware, and other malicious software. Windows Defender runs in the background and notifies you when you need to take specific action. However, you can use it anytime to scan for malware if your computer isn’t working properly or if you clicked a suspicious link online or in an email message. Windows Defender appears to be slated for a transition into a modern Windows app after years with a similar user interface. Windows Defender first appeared as an anti-virus utility for Windows XP. Since Vista version it was built into all Microsoft OS as a protection against malicious software. Before Windows 8, Windows Defender protected against spyware. It included a number of real-time security agents that monitored several common areas of Windows for changes which might have been caused by spyware. It also included the ability to easily remove installed ActiveX software. In Windows 8 Windows Defender was merged with another antivirus product – Microsoft Security Essentials – and now it became a full-featured antivirus software. In Windows 10, Windows Defender settings are controlled by the Settings app accessed from the Settings. The Windows 10 Anniversary Update, now allows toast notifications to appear and announce the results of a scan, even if no viruses are found. The main advantage of Defender is that it is easy to use, it’s already pre-installed in Windows, enabled by default and practically does not need manual configuration. It is also a very light-weight application and will not bother you with pop-ups all the time.
What is Windows PowerShell?
Windows PowerShell is a shell developed by Microsoft for purposes of task automation and configuration management. This powerful shell is based on the .NET framework and it includes a command-line shell and a scripting language. Initially a Windows component only, PowerShell was made open-source and cross-platform on 18 August 2016 meaning anyone could develop commands to use with PowerShell. Windows Defender has always had a command line version that you can run in your normal Command Prompt Window. However, windows 10 brings with it cmdlets for Windows Defender. A cmdlet (pronounced as command-let) is a lightweight command that is used in the Windows PowerShell environment. The Windows PowerShell runtime invokes these cmdlets within the context of automation scripts that are provided at the command line. The Windows PowerShell runtime also invokes them programmatically through Windows PowerShell APIs (Application program interface). Cmdlets perform an action and typically return a Microsoft .NET Framework object to the next command in the pipeline. Like any other command prompt action, a cmdlet must exist in order to return results, otherwise an error will be displayed.
How to launch Windows PowerShell in administrator mode
You can run PowerShell by typing “PowerShell” in the Run Window, but that won’t quite cut it. This is because this method will not run PowerShell in administrator mode, and without administrator mode, you are limited on what you can do due to permissions. Here are the ways to start PowerShell in administrator mode.
PowerShell’s Defender cmdlets and how to use them
We have talked of what cmdlets are, so how do you use them? You simply have to type this commands into the PowerShell window. Windows PowerShell provides 12 cmdlets for Windows Defender. To see them, just type Get-Command -Module Defender into the PowerShell command prompt window and hit enter. Here is the full list of cmdlets for Windows Defender.
Getting help from PowerShell when you are stuck
PowerShell includes its own extensive, console-based help. If you get stuck or you simply desire help, description or examples about a cmdlet, use these commands to get information. If you can’t get back any information, you will have to update the Windows Defender cmdlet help files. To update the help menu, type this command in the windows PowerShell window Update-Help and wait a few minutes for the latest help files to be downloaded and installed.
A few standard operations on PowerShell to manage Windows Defender
The Start-MpScan cmdlet on the PowerShell prompt lets you run a scan on your system. These are the Windows Defender scans that you can run on your PC using Windows PowerShell. If you want to check for new virus signature definition updates and update Windows Defender, you’ll use the command: Update-MpSignature To display current status of Windows Defender – enabled options, virus definition date and version, last scan time and other – type this command into PowerShell: Get-MpComputerStatus If you want to disable Defender real-time protection use the command: Set-MpPreference -DisableRealtimeMonitoring $true There are a lot more and even complicated Windows Defender cmdlets, but this page will not delve into that. Now that you know the basic windows defender cmdlets, we will look at how to get a peek into the Windows Defender signature definitions database.
Accessing the Windows Defender malware signature definitions database using PowerShell
The Windows Defender signature definitions database tells you what windows defender can identify as a threat and neutralize it successfully. The Get-MpThreatCatalog cmdlet will let you do this. The whole list will be lengthy and will be generated at a blistering speed on your screen. However, you could take your time to find what you are looking for and what might be missing. Simply type this command into the PowerShell command prompt and hit enter. Get-MpThreatCatalog You can use the Pause/Break button on your PC to temporarily pause the output. To entirely stop or cancel the whole list from generating, press Ctrl + C. If you do either of the two, you’ll see a record for each threat in the database with six fields. Here is an example: CategoryID: 4 SeverityID: 5 ThreatID: 5145 ThreatName: TrojanDownloader:Win32/Zlob.CH TypeID: 0 PSComputerName: Let us briefly look at what each field means. CategoryID: This will indicate the type of malware/threat listed. Here are the known values so far, and the type of threat/malware they point to: SeverityID: This is a scale of 1-5 that identifies how bad a threat is, 5 being the highest. Here is what they mean. ThreatID: This is a number that has been assigned to the malware/threat as a form of identification. ThreatName: This is the name given to the malware that corresponds to the ThreatID number. TypeID: The TypeID value specifies how Windows Defender identifies the malware. Is it a known or unknown threat? Here are the values and what they mean. You might notice that all threats that appear on your screen are type (0) threats. This is because most of the signature definitions that have already been added have been researched and the type of threat they pose has been documented. PSComputerName: The name of the computer where the activity is running. This will usually be empty if you are not on a network and for a simple reason that this database is a catalog, and not an activity. Things to remember Querying the Windows Defender Signature Definitions Database A query is a simply a request for refined information/data that meets a certain criteria from a database. We have seen what the Windows Defender definitions database looks like. We now know that it is an extremely huge database. But you can always trim down the amount of information that can be displayed by adding a few parameters to your cmdlet. Here are a few examples of how you can do that. Get-MpThreatCatalog | where-object {$.SeverityID -eq “5”} The value “5” will return definitions with the severity level of 5 only. Get-MpThreatCatalog | where-object {$.ThreatName -Match “^Virus.”} You can also use more than one criterion to query the database. Let us say, for example, you need to see all viruses with a severity of 5. Simply type this command into the PowerShell window: Get-MpThreatCatalog | where-object {$.SeverityID -eq “5”} | where-object {$.ThreatName -Match “^Virus.”} This way, you can have several more query criteria to narrow down the information displayed. Get-MpThreatCatalog | where-object {$.SeverityID -eq “5”} | select ThreatName | more Or Get-MpThreatCatalog | where-object {$.SeverityID -eq “5”} | where-object {$_.ThreatName -Match “^Virus.*”} | select ThreatName | more This command line pipes the output into the more command, which in turn displays the output one page at a time. To advance to the next page, press [Spacebar]. If you press [Enter], the screen will advance one line at a time. This will save you a lot of waiting time that is needed to display all the data at once before you can start viewing and scrolling through your results. There are a lot more commands that you can use to narrow down your query. Using the information and examples we have listed, you will be able to easily do this. Remember that the version of Windows Defender and the version of Windows PowerShell will determine if you will be able to use cmdlets for Windows Defender. This has been tested for Windows 10. The Microsoft support page indicates that this is available for Windows Server 2016 and Windows 10. The retail (not updated) version of Windows 7 does not seem to recognize this cmdlets. In fact windows 7’s PowerShell will throw errors or return blanks when you type this cmdlets. Updating these two applications (Defender and PowerShell) might get you back on track.
FIX: Windows Defender Error 0x80240022 ‘Definitions couldn’t be updated’How to Resolve ‘Virus Definitions Update Failed’ in Avast Antivirus?How to Investigate and Troubleshoot DNS using DNS AuditNintendo to Investigate Claims of Sexual Harassment Among Q&A Testers
