Use PowerShell to Update Windows Defender Signatures

Doctor Scripto

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell 4.0 in Windows 8.1 to update Windows Defender signatures.

Microsoft Scripting Guy, Ed Wilson, is here. Well, it is nearly time. Tomorrow the Scripting Wife and I leave for Atlanta for Windows PowerShell Saturday. Obviously, Windows PowerShell Saturday begins on a Saturday—it is just that we are leaving on Friday because it is a pretty good drive from Charlotte to Atlanta and it is nearly impossible to fly to Atlanta from Charlotte. With a two-hour check-in rule, an hour drive to the airport, and then being on the wrong side of Atlanta after completing the 50-minute flight, it is actually faster to drive to Atlanta than to fly. It’s just one of those things. Mark Schill has done a fine job lining up a very strong program. It will be educational, fun, informative, and practical—a great combination. There are still some seats available, so the signup is still open. The event is being held in the Microsoft Office in Alpharetta, which is a really nice venue.

Note  This is the third part in a series about the Windows Defender module in Windows 8.1.

One of the really cool things about Windows 8.1 is the Windows Defender module. It answers a common question that I receive, “How can I update my antimalware signature, and how can I initiate a scan?”

Both of these tasks are easy to do by using the built-in Windows Defender module for Windows PowerShell 4.0 in Windows 8.1. Because Windows Defender is much more than just an antivirus feature, I am always interested in more than when the antivirus signature was last updated. In fact, I am not always sure what all the names of the different things are, but if I am using Windows PowerShell it does not matter. I use a wildcard character to pick up all of the last updates and all of the package versions. Here is the command I use:

Get-MpComputerStatus | select *updated, *version

The command and the output associated with the command are shown here.

Image of command output

Updating the signatures

Updating the antimalware signatures goes really fast. I mean really, really fast. At least on my computer, it goes fast. A standard Windows PowerShell progress bar appears and then disappears. Because I know things go fast, I captured a screenshot of the progress bar:

Image of progress bar

After I updated my signatures, I ran my previous command to ensure that things did update. As shown here…yep, at least one item updated.

Image of command output

Kicking off a scan

Now that I have updated my antimalware signatures, it is a good time to kick off a scan. The cool thing about the Start-MpScan function is that it is really powerful. I can kick off the following types of scans:

  • FullScan
  • QuickScan
  • CustomScan

In addition, I can specify the path for the scan. The path can be a file, a folder, or even a remote UNC path. The folder can be a drive root such as C:\.

I am going to kick off a quick scan. To do this, I use the following command:

Start-MpScan -ScanType QuickScan

The command produces a Windows PowerShell progress bar that lets me know how things are going. This time, it does not go really quickly, but it is over in less than a minute.

Image of progress bar

I can use the Windows Defender tool to verify that I did in fact kick off a quick scan. I open the tool by typing defender at the Windows 8.1 Start screen. Search realizes what I want to do, and opens the tool. The output is shown here.

Image of menu

I have to tell you, this is all really cool. I have spoken about doing this interactively and locally to introduce the functions that are available through the Windows Defender module for Windows PowerShell 4.0 in Windows 8.1. Keep in mind that this is just the beginning because this is Windows PowerShell.

This means that I can create CIM sessions to remote computers and run these functions remotely. I can use the Windows PowerShell Job Scheduler to kick off the scans at a certain time. The other thing that is cool is that Windows Defender writes advanced diagnostic logs, and I can use Get-WinEvent to query them. In the Event Viewer, the log is located under Applications and Services Logs/Microsoft/Windows/Windows Defender. There are two logs in that location as shown here.

Image of menu
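The remote workflow described above, sketched as an added example that is not part of the original post: it checks signature age over a CIM session, updates only when stale, runs a quick scan, and then reads the Defender operational log to confirm what happened. The computer names and the one-day staleness threshold are assumptions, and Get-WinEvent -ComputerName assumes remote event log access is permitted on the targets.

```powershell
# Added example. Computer names are hypothetical placeholders.
$computers   = 'WS-EXAMPLE-01', 'WS-EXAMPLE-02'
$maxAgeDays  = 1   # assumed policy: older signatures count as stale
$defenderLog = 'Microsoft-Windows-Windows Defender/Operational'

foreach ($computer in $computers) {
    $session = $null
    $started = Get-Date
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop

        # The Defender functions are CIM based, so they accept -CimSession.
        $before = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
        $age    = $started - $before.AntivirusSignatureLastUpdated
        $stale  = $age.TotalDays -gt $maxAgeDays
        if ($stale) {
            Update-MpSignature -CimSession $session -ErrorAction Stop
        }

        # Runs synchronously; add -AsJob to fan out across many machines.
        Start-MpScan -ScanType QuickScan -CimSession $session -ErrorAction Stop
        $after = Get-MpComputerStatus -CimSession $session -ErrorAction Stop

        # 1000 = scan started, 1001 = scan finished, 2000 = signatures updated.
        $filter = @{ LogName = $defenderLog; Id = 1000, 1001, 2000; StartTime = $started }
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter `
                               -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Computer      = $computer
            WasStale      = $stale
            VersionBefore = $before.AntivirusSignatureVersion
            VersionAfter  = $after.AntivirusSignatureVersion
            ScanLogged    = [bool]($events | Where-Object Id -eq 1001)
            UpdateLogged  = [bool]($events | Where-Object Id -eq 2000)
        }
    }
    catch {
        # An unreachable host or a failed update should be visible, not silent.
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}
```

A row where WasStale is true but UpdateLogged is false, or where ScanLogged is false, is the one to investigate first.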

That is all there is to using Windows PowerShell to update Windows Defender signatures and to kick off a scan. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

