Exploring the Windows Defender Catalog

Doctor Scripto

Summary: Microsoft Scripting Guy, Ed Wilson, talks about playing around with the Get-MpThreatCatalog function in Windows 8.1.

Microsoft Scripting Guy, Ed Wilson, is here. I bet you thought I fell off of the face of the earth. Actually, I have been busy working with Windows 8.1 and Windows Server 2012 R2. There is some really cool stuff that I want to share. Actually, I have been chomping at the bit for some time, but we have been under a gag order until general availability. There is some way cool networking stuff, that I have been working with for a while. I guarantee you will be hearing more lots of my discoveries—and of course about Desired State Configuration in Windows PowerShell 4.0.

But today, I am sitting at my desk sipping a nice cup of Gunpowder green tea, with organic lemon pith, lime pith, Myers Lemon pith, and some ground fresh ginger. The taste is astoundingly fresh! Pair that with a piece of chocolate covered Biscotti, and it puts me in the mode to write. I am playing Alan Parsons on my Zune HD, and just grooving the afternoon away. October is the reason we put up with all the heat and humidity of the deep south summers. It is gorgeous outside, and the leaves on the maple tree in our front yard have already begun to change colors.

Cool Windows Defender stuff

One of the cool things about Windows 8.1 is the Windows Defender module. Windows Defender in Windows 8.1 has grown to be a full-feature product, and it now has a module to facilitate management, which is way cool. There are eleven functions in the Windows Defender module:

PS C:\> Get-Command -Module defender

 

CommandType     Name                                               ModuleName

———–     —-                                               ———-

Function        Add-MpPreference                                   Defender

Function        Get-MpComputerStatus                               Defender

Function        Get-MpPreference                                   Defender

Function        Get-MpThreat                                       Defender

Function        Get-MpThreatCatalog                                Defender

Function        Get-MpThreatDetection                              Defender

Function        Remove-MpPreference                                Defender

Function        Remove-MpThreat                                    Defender

Function        Set-MpPreference                                   Defender

Function        Start-MpScan                                       Defender

Function        Update-MpSignature                                 Defender

Finding general status info

I have no idea why all of the Windows Defender functions begin with the letters Mp. I do know that a lot of our teams choose a prefix for their nouns so it makes it easy to differentiate their cmdlets or functions from other teams. A good example of this is the cmdlets from the Active Directory module. All of the cmdlets begin with AD. Hey, that makes sense to me. But Mp? Dude. Oh well. It is not hard to remember. I just think of it as “Microsoft protection,” and boom, it is engrained in my brain.

So, to find the status, I use the Get-MpComputerStatus function. It requires no parameters; therefore, I can simply type it in my Windows PowerShell console and receive lots of groovy information. The command and its associated output are shown in the image follows:

Image of command output

The cool thing, from a management perspective, is that there are a few parameters I can use. These are shown here:

Get-MpComputerStatus [-CimSession <CimSession[]>] [-ThrottleLimit <int>]

[-AsJob]  [<CommonParameters>]

The CimSession takes, well a CimSession. This means that I can create a CimSession that connects to a bunch of remote computers. Therefore, I can get back status information from them all at the same time. If it is going to be something that might take a while, I can run it as a job in the background. If the command it taking too much memory, I can throttle it down a bit by using the ThrottleLimit parameter. This is great stuff.

But you may say, “It is too much information. What I find myself needing to do is to check version numbers.”

Hey, no sweat. Remember, this is Windows PowerShell, so everything works the same. AND it works easily. For example, if I need to check only on the versions of the various signatures, I simply use the wildcard character (*) with “version.” This technique is shown here:

PS C:\> Get-MpComputerStatus | select *version

 

AMEngineVersion             : 1.1.9901.0

AMProductVersion            : 4.3.9600.16384

AMServiceVersion            : 4.3.9600.16384

AntispywareSignatureVersion : 1.159.462.0

AntivirusSignatureVersion   : 1.159.462.0

NISEngineVersion            : 2.1.9900.0

NISSignatureVersion         : 108.1.0.0

Looking at the catalog

The strength of Windows Defender is the catalog. The cool thing is that by using the Get-MpThreatCatalog function, I can examine it and see what exact threats Windows Defender actually defends. By using the Measure-Object cmdlet, I can see that there are 167,741 threats listed in my catalog as shown here:

PS C:\> Get-MpThreatCatalog | measure

 

Count    : 167741

Average  :

Sum      :

Maximum  :

Minimum  :

Property :

One of the neat things to see is the different types of threats that appear in the catalog. I can do this by grouping by the threat CategoryId property as shown in the following command:

PS C:\> Get-MpThreatCatalog | group categoryid | sort count

 

Count Name                      Group

—– —-                      —–

    1 43                        {MSFT_MpThreatCatalog (ThreatID = 2147483647)}

    1 44                        {MSFT_MpThreatCatalog (ThreatID = 2147483646)}

    4 38                        {MSFT_MpThreatCatalog (ThreatID = 17018), MSFT_Mp…

   12 23                        {MSFT_MpThreatCatalog (ThreatID = 13841), MSFT_Mp…

   25 27                        {MSFT_MpThreatCatalog (ThreatID = 14852), MSFT_Mp…

  102 21                        {MSFT_MpThreatCatalog (ThreatID = 3062), MSFT_MpT…

  103 2                         {MSFT_MpThreatCatalog (ThreatID = 2401), MSFT_MpT…

  156 11                        {MSFT_MpThreatCatalog (ThreatID = 1605), MSFT_MpT…

  202 46                        {MSFT_MpThreatCatalog (ThreatID = 2147639756), MS…

  259 19                        {MSFT_MpThreatCatalog (ThreatID = 2438), MSFT_MpT…

  281 13                        {MSFT_MpThreatCatalog (ThreatID = 1784), MSFT_MpT…

  346 12                        {MSFT_MpThreatCatalog (ThreatID = 1594), MSFT_MpT…

  488 32                        {MSFT_MpThreatCatalog (ThreatID = 77935), MSFT_Mp…

  506 36                        {MSFT_MpThreatCatalog (ThreatID = 15110), MSFT_Mp…

  520 9                         {MSFT_MpThreatCatalog (ThreatID = 1592), MSFT_MpT…

  840 1                         {MSFT_MpThreatCatalog (ThreatID = 1636), MSFT_MpT…

  969 22                        {MSFT_MpThreatCatalog (ThreatID = 6484), MSFT_MpT…

 2053 40                        {MSFT_MpThreatCatalog (ThreatID = 4243), MSFT_MpT…

 4829 30                        {MSFT_MpThreatCatalog (ThreatID = 8497), MSFT_MpT…

 5145 37                        {MSFT_MpThreatCatalog (ThreatID = 4669), MSFT_MpT…

 7116 34                        {MSFT_MpThreatCatalog (ThreatID = 6321), MSFT_MpT…

 7850 39                        {MSFT_MpThreatCatalog (ThreatID = 1596), MSFT_MpT…

 8405 3                         {MSFT_MpThreatCatalog (ThreatID = 1820), MSFT_MpT…

18071 5                         {MSFT_MpThreatCatalog (ThreatID = 11559), MSFT_Mp…

19382 6                         {MSFT_MpThreatCatalog (ThreatID = 1604), MSFT_MpT…

21652 4                         {MSFT_MpThreatCatalog (ThreatID = 1600), MSFT_MpT…

28868 8                         {MSFT_MpThreatCatalog (ThreatID = 1974), MSFT_MpT…

39555 42                        {MSFT_MpThreatCatalog (ThreatID = 2147489034), MS…

When I spent very much time exploring the threat catalog, I like to store the results in a variable. This is because the catalog is so large, and I don’t want to keep repeating calls to do the same thing over and over again. It is inefficient. So, first I store the results into a variable that I call $mp:

$mp = Get-MpThreatCatalog

When I have a collection from the threat catalog, I decide to look through it to find the threats that are in the joke category. To do this, I use a simple Where-Object statement, and look for the word joke in the threat name. This is shown here:

$mp = Get-MpThreatCatalog

$mp | where threatname -match ‘joke’

The command and the associated output are shown here:

Image of command output

Join me tomorrow when I will talk about more cool stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

0 comments

Discussion is closed.

Feedback usabilla icon