{"id":2690,"date":"2013-10-22T00:01:00","date_gmt":"2013-10-22T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/10\/22\/exploring-the-windows-defender-catalog\/"},"modified":"2013-10-22T00:01:00","modified_gmt":"2013-10-22T00:01:00","slug":"exploring-the-windows-defender-catalog","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/exploring-the-windows-defender-catalog\/","title":{"rendered":"Exploring the Windows Defender Catalog"},"content":{"rendered":"

Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about playing around with the Get-MpThreatCatalog<\/strong> function in Windows 8.1.<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. I bet you thought I fell off of the face of the earth. Actually, I have been busy working with Windows 8.1 and Windows Server 2012 R2. There is some really cool stuff that I want to share. Actually, I have been chomping at the bit for some time, but we have been under a gag order until general availability. There is some way cool networking stuff, that I have been working with for a while. I guarantee you will be hearing more lots of my discoveries—and of course about Desired State Configuration in Windows PowerShell 4.0.<\/p>\n

But today, I am sitting at my desk sipping a nice cup of Gunpowder green tea, with organic lemon pith, lime pith, Myers Lemon pith, and some ground fresh ginger. The taste is astoundingly fresh! Pair that with a piece of chocolate covered Biscotti, and it puts me in the mode to write. I am playing Alan Parsons on my Zune HD, and just grooving the afternoon away. October is the reason we put up with all the heat and humidity of the deep south summers. It is gorgeous outside, and the leaves on the maple tree in our front yard have already begun to change colors.<\/p>\n

Cool Windows Defender stuff<\/h2>\n

One of the cool things about Windows 8.1 is the Windows Defender module. Windows Defender in Windows 8.1 has grown to be a full-feature product, and it now has a module to facilitate management, which is way cool. There are eleven functions in the Windows Defender module:<\/p>\n

PS C:\\> Get-Command -Module defender<\/p>\n

 <\/p>\n

CommandType     Name                                               ModuleName<\/p>\n

———–     —-                                               ———-<\/p>\n

Function        Add-MpPreference                                   Defender<\/p>\n

Function        Get-MpComputerStatus                               Defender<\/p>\n

Function        Get-MpPreference                                   Defender<\/p>\n

Function        Get-MpThreat                                       Defender<\/p>\n

Function        Get-MpThreatCatalog                                Defender<\/p>\n

Function        Get-MpThreatDetection                              Defender<\/p>\n

Function        Remove-MpPreference                                Defender<\/p>\n

Function        Remove-MpThreat                                    Defender<\/p>\n

Function        Set-MpPreference                                   Defender<\/p>\n

Function        Start-MpScan                                       Defender<\/p>\n

Function        Update-MpSignature                                 Defender<\/p>\n

Finding general status info<\/h2>\n

I have no idea why all of the Windows Defender functions begin with the letters Mp. I do know that a lot of our teams choose a prefix for their nouns so it makes it easy to differentiate their cmdlets or functions from other teams. A good example of this is the cmdlets from the Active Directory module. All of the cmdlets begin with AD. Hey, that makes sense to me. But Mp? Dude. Oh well. It is not hard to remember. I just think of it as “Microsoft protection,” and boom, it is engrained in my brain.<\/p>\n

So, to find the status, I use the Get-MpComputerStatus<\/strong> function. It requires no parameters; therefore, I can simply type it in my Windows PowerShell console and receive lots of groovy information. The command and its associated output are shown in the image follows:<\/p>\n

\"Image<\/a><\/p>\n

The cool thing, from a management perspective, is that there are a few parameters I can use. These are shown here:<\/p>\n

Get-MpComputerStatus [-CimSession <CimSession[]>] [-ThrottleLimit <int>]<\/p>\n

[-AsJob]  [<CommonParameters>]<\/p>\n

The CimSession<\/strong> takes, well a CimSession. This means that I can create a CimSession that connects to a bunch of remote computers. Therefore, I can get back status information from them all at the same time. If it is going to be something that might take a while, I can run it as a job in the background. If the command it taking too much memory, I can throttle it down a bit by using the ThrottleLimit<\/strong> parameter. This is great stuff.<\/p>\n

But you may say, “It is too much information. What I find myself needing to do is to check version numbers.”<\/p>\n

Hey, no sweat. Remember, this is Windows PowerShell, so everything works the same. AND it works easily. For example, if I need to check only on the versions of the various signatures, I simply use the wildcard character (*) with “version.” This technique is shown here:<\/p>\n

PS C:\\> Get-MpComputerStatus | select *version<\/p>\n

 <\/p>\n

AMEngineVersion             : 1.1.9901.0<\/p>\n

AMProductVersion            : 4.3.9600.16384<\/p>\n

AMServiceVersion            : 4.3.9600.16384<\/p>\n

AntispywareSignatureVersion : 1.159.462.0<\/p>\n

AntivirusSignatureVersion   : 1.159.462.0<\/p>\n

NISEngineVersion            : 2.1.9900.0<\/p>\n

NISSignatureVersion         : 108.1.0.0<\/p>\n

Looking at the catalog<\/h2>\n

The strength of Windows Defender is the catalog. The cool thing is that by using the Get-MpThreatCatalog<\/strong> function, I can examine it and see what exact threats Windows Defender actually defends. By using the Measure-Object<\/strong> cmdlet, I can see that there are 167,741 threats listed in my catalog as shown here:<\/p>\n

PS C:\\> Get-MpThreatCatalog | measure<\/p>\n

 <\/p>\n

Count    : 167741<\/p>\n

Average  :<\/p>\n

Sum      :<\/p>\n

Maximum  :<\/p>\n

Minimum  :<\/p>\n

Property :<\/p>\n

One of the neat things to see is the different types of threats that appear in the catalog. I can do this by grouping by the threat CategoryId<\/strong> property as shown in the following command:<\/p>\n

PS C:\\> Get-MpThreatCatalog | group categoryid | sort count<\/p>\n

 <\/p>\n

Count Name                      Group<\/p>\n

—– —-                      —–<\/p>\n

    1 43                        {MSFT_MpThreatCatalog (ThreatID = 2147483647)}<\/p>\n

    1 44                        {MSFT_MpThreatCatalog (ThreatID = 2147483646)}<\/p>\n

    4 38                        {MSFT_MpThreatCatalog (ThreatID = 17018), MSFT_Mp…<\/p>\n

   12 23                        {MSFT_MpThreatCatalog (ThreatID = 13841), MSFT_Mp…<\/p>\n

   25 27                        {MSFT_MpThreatCatalog (ThreatID = 14852), MSFT_Mp…<\/p>\n

  102 21                        {MSFT_MpThreatCatalog (ThreatID = 3062), MSFT_MpT…<\/p>\n

  103 2                         {MSFT_MpThreatCatalog (ThreatID = 2401), MSFT_MpT…<\/p>\n

  156 11                        {MSFT_MpThreatCatalog (ThreatID = 1605), MSFT_MpT…<\/p>\n

  202 46                        {MSFT_MpThreatCatalog (ThreatID = 2147639756), MS…<\/p>\n

  259 19                        {MSFT_MpThreatCatalog (ThreatID = 2438), MSFT_MpT…<\/p>\n

  281 13                        {MSFT_MpThreatCatalog (ThreatID = 1784), MSFT_MpT…<\/p>\n

  346 12                        {MSFT_MpThreatCatalog (ThreatID = 1594), MSFT_MpT…<\/p>\n

  488 32                        {MSFT_MpThreatCatalog (ThreatID = 77935), MSFT_Mp…<\/p>\n

  506 36                        {MSFT_MpThreatCatalog (ThreatID = 15110), MSFT_Mp…<\/p>\n

  520 9                         {MSFT_MpThreatCatalog (ThreatID = 1592), MSFT_MpT…<\/p>\n

  840 1                         {MSFT_MpThreatCatalog (ThreatID = 1636), MSFT_MpT…<\/p>\n

  969 22                        {MSFT_MpThreatCatalog (ThreatID = 6484), MSFT_MpT…<\/p>\n

 2053 40                        {MSFT_MpThreatCatalog (ThreatID = 4243), MSFT_MpT…<\/p>\n

 4829 30                        {MSFT_MpThreatCatalog (ThreatID = 8497), MSFT_MpT…<\/p>\n

 5145 37                        {MSFT_MpThreatCatalog (ThreatID = 4669), MSFT_MpT…<\/p>\n

 7116 34                        {MSFT_MpThreatCatalog (ThreatID = 6321), MSFT_MpT…<\/p>\n

 7850 39                        {MSFT_MpThreatCatalog (ThreatID = 1596), MSFT_MpT…<\/p>\n

 8405 3                         {MSFT_MpThreatCatalog (ThreatID = 1820), MSFT_MpT…<\/p>\n

18071 5                         {MSFT_MpThreatCatalog (ThreatID = 11559), MSFT_Mp…<\/p>\n

19382 6                         {MSFT_MpThreatCatalog (ThreatID = 1604), MSFT_MpT…<\/p>\n

21652 4                         {MSFT_MpThreatCatalog (ThreatID = 1600), MSFT_MpT…<\/p>\n

28868 8                         {MSFT_MpThreatCatalog (ThreatID = 1974), MSFT_MpT…<\/p>\n

39555 42                        {MSFT_MpThreatCatalog (ThreatID = 2147489034), MS…<\/p>\n

When I spent very much time exploring the threat catalog, I like to store the results in a variable. This is because the catalog is so large, and I don’t want to keep repeating calls to do the same thing over and over again. It is inefficient. So, first I store the results into a variable that I call $mp<\/strong>:<\/p>\n

$mp = Get-MpThreatCatalog<\/p>\n

When I have a collection from the threat catalog, I decide to look through it to find the threats that are in the joke<\/strong> <\/em>category. To do this, I use a simple Where-Object<\/strong> statement, and look for the word joke<\/strong> in the threat name. This is shown here:<\/p>\n

$mp = Get-MpThreatCatalog<\/p>\n

$mp | where threatname -match ‘joke’<\/p>\n

The command and the associated output are shown here:<\/p>\n

\"Image<\/a><\/p>\n

Join me tomorrow when I will talk about more cool stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about playing around with the Get-MpThreatCatalog function in Windows 8.1. Microsoft Scripting Guy, Ed Wilson, is here. I bet you thought I fell off of the face of the earth. Actually, I have been busy working with Windows 8.1 and Windows Server 2012 R2. There is some really cool stuff that I […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[459,460,3,63,461,45],"class_list":["post-2690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-defender","tag-powershell-4","tag-scripting-guy","tag-security","tag-windows-8-1","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about playing around with the Get-MpThreatCatalog function in Windows 8.1. Microsoft Scripting Guy, Ed Wilson, is here. I bet you thought I fell off of the face of the earth. Actually, I have been busy working with Windows 8.1 and Windows Server 2012 R2. There is some really cool stuff that I […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2690"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2690\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}