Microsoft Defender antivirus is included in every Windows OS and there are many components and options available to manage, protect and monitor endpoints.
I was not surprised a few months ago when I needed to implement a monitoring check for Nagios that there was a dedicated PowerShell module that did exactly what I needed.
Naming things is hard
Microsoft Defender was previously known as Windows Defender Antivirus or Windows Defender. In Windows 10, the host-based firewall service is now called Windows Defender Firewall. Just to complicate the picture a bit more, Microsoft has recently used “Defender” for Microsoft Defender for Endpoint, Microsoft 365, and Identity just to name a few.
To improve the user experience on Windows 10, for instance, the “Windows Security” menu contains the “Virus & Threat Protection” (aka Microsoft Defender) which is a simplified menu where the end-user has visibility and access to the main functionalities of the tool.
Official Powershell module of Microsoft Defender
This is the official documentation: https://docs.microsoft.com/en-us/powershell/module/defender/?view=windowsserver2019-ps
List of Cmdlets available in the PowerShell module
To retrieve a list of the commands you can use get-command limiting the results to the defender module as it is shown below:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
PS C:\Users\Paolo> get-command -module defender CommandType Name Version Source ----------- ---- ------- ------ Function Add-MpPreference 1.0 defender Function Get-MpComputerStatus 1.0 defender Function Get-MpPreference 1.0 defender Function Get-MpThreat 1.0 defender Function Get-MpThreatCatalog 1.0 defender Function Get-MpThreatDetection 1.0 defender Function Remove-MpPreference 1.0 defender Function Remove-MpThreat 1.0 defender Function Set-MpPreference 1.0 defender Function Start-MpScan 1.0 defender Function Start-MpWDOScan 1.0 defender Function Update-MpSignature 1.0 defender |
Powershell is not only useful for automation
Servers and Workstation can be successfully managed with policies to bring the behavior and configuration consistently and reliably to the desired end state.
But there are definitely operations such as upgrades that can require disabling the AV solutions during the installation process and mistakes in policy changes or human errors can leave the AV solution not running.
As I mentioned before this is not about automating a solution that works but monitoring its state.
Nagios is a monitoring solution that can perform black-box and white-box monitoring as well, in this case, will require an agent called NSClient++ on the target system. I wrote an article 3 years ago that can be also useful on this subject.
Check-Defender
This is the Powershell script I wrote:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
#Paolo Frigo, https://scriptinglibrary.com #This is a simple powershell script to monitor MS Defender for Endpoints and it can be used with Nagios Core / Nagios XI $DefenderRunninigAndRealTimesOn = $(Get-Service Windefend).Status -eq "Running" -and $(Get-MpComputerStatus).RealTimeProtectionEnabled $ExitStatus = 0 $Message = "OK" if ($DefenderRunninigAndRealTimesOn -eq $False){ $Message = "CRITICAL - Microsoft Defender is not running or the real-time protection was disabled" $ExitStatus = 2 } if ([bool] (Get-MpThreatDetection) -eq $True){ $Message = "CRITICAL - Microsoft Defender has detected some threats recently" $ExitStatus = 2 } if ([bool]((Get-MpComputerStatus).AntivirusSignatureLastUpdated -lt (Get-date).AddDays(-7)) -eq $True) { $Message = "CRITICAL - Microsoft Defender AV Definitions are older than a week" $ExitStatus = 2 } Write-Output $Message exit $ExitStatus |
I hope you’ll find this article useful, as usual, you can find this script on my GitHub repository.
Good job! Thanks