
Manage and Disable Windows Defender Using PowerShell


Windows Defender first appeared as an anti-virus utility for Windows XP. Since Vista it has been built into every Microsoft OS as protection against viruses, worms, trojans and other types of malicious software. In Windows 8 it was merged with another antivirus product, Microsoft Security Essentials, and now it is a full-featured antivirus. Windows Defender is efficient enough and has low system requirements. It can be updated from the Microsoft website or from an internal WSUS server, which allows you to use it not only on home computers but also in SMB and enterprise corporate networks. In this article we will take a closer look at how to manage different settings and enable/disable Windows Defender using PowerShell.

Manage and Enable/Disable Windows Defender Using PowerShell

The main advantage of Defender is that it is easy to use: it is pre-installed in Windows 10 and 8.1, enabled by default and practically doesn’t need any manual configuration.

Tip. At the moment, Windows Defender is a part of client-side OS only and is not available in the current versions of Windows Server. However, in recent preview versions of Windows Server 2016, Windows Defender can be installed as a server feature (Install-WindowsFeature -Name Windows-Server-Antimalware).

In most cases, Windows Defender works well with the default settings, but sometimes a user needs to change its behavior. A large number of settings is available from the PowerShell console through a dedicated module, Defender. It first appeared in PowerShell 4.0 and is designed specifically for Windows Defender management. This module contains 11 cmdlets, which we are reviewing today.

Windows Defender list of PowerShell cmdlets

To display a list of the cmdlets contained in the module, run the following command:

Get-Command -Module Defender

  • Add-MpPreference—used to add Windows Defender settings (for example, exclusions);
  • Get-MpComputerStatus—allows you to get the status of the anti-virus software on your computer;
  • Get-MpPreference—used to get Windows Defender scan and update options;
  • Get-MpThreat—view the history of threats detected on your computer;
  • Get-MpThreatCatalog—allows you to get the known threats from the definitions catalog;
  • Get-MpThreatDetection—displays a list of active and recent threats detected on the computer;
  • Remove-MpPreference—allows you to remove Windows Defender settings or exclusions;
  • Remove-MpThreat—allows you to remove active threats from your computer;
  • Set-MpPreference—used to change scan and update options;
  • Start-MpScan—run a computer scan;
  • Update-MpSignature—update the anti-virus definition database;
  • Start-MpWDOScan—launch a Windows Defender Offline scan.

To get full help on a specific cmdlet of the Defender module, use the command (replace <cmdlet name> with the cmdlet):

Get-Help <cmdlet name> -Full

If you need only examples of PowerShell commands, run:

Get-Help <cmdlet name> -Examples

Before using PowerShell cmdlets to control Windows Defender, it is advisable to check that the service is running. Run the command (use sc.exe explicitly, because in a PowerShell console sc alone resolves to the Set-Content alias):

sc.exe query WinDefend

Get-MpComputerStatus displays the current status of Windows Defender: enabled options, virus definition date and version, last scan time and so on.

Add-MpPreference

To display the current Windows Defender settings, use the Get-MpPreference cmdlet; to change settings, use Set-MpPreference.

In the default Windows Defender settings, IPS, removable drive scanning, email scanning and some other checks are disabled. Suppose you need to enable scanning of removable drives. First, get the current settings with the command:

Get-MpPreference | fl disable*

As you can see, removable drive scanning is disabled (DisableRemovableDriveScanning = True). Turn it on with the following command:

Set-MpPreference -DisableRemovableDriveScanning $false


By default, Windows Defender doesn’t scan archive files (RAR, ZIP, CAB), which can potentially contain malicious files. You can enable archive scanning by running:

Set-MpPreference -DisableArchiveScanning 0

After that, Windows Defender will scan archive files in real time when they are opened, as well as during disk scans.

You can also use the Add-MpPreference and Remove-MpPreference cmdlets to add or remove antivirus settings. For example, let’s add some folders to the antivirus exclusion list:

Add-MpPreference -ExclusionPath C:\Video, C:\install

Display the list of path exclusions for Windows Defender:

Get-MpPreference | fl excl*

To exclude certain processes from antivirus scanning, run the following command (note that Set-MpPreference replaces the whole exclusion list, whereas Add-MpPreference appends to it):

Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"

To remove the exclusion for a particular directory:

Remove-MpPreference -ExclusionPath C:\install

Windows Defender has a hidden feature for protection against unwanted programs (Potentially Unwanted Program—PUP, Potentially Unwanted Application—PUA). By default it is available only in the Windows 10 Enterprise edition, but with the following command you can enable PUP/PUA protection in any Windows 10 edition:

Set-MpPreference -PUAProtection 1
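The settings covered above (removable drive scanning, archive scanning, real-time protection and PUA protection) can be applied and verified together as a small baseline. The script below is an added example and is not from the original article; it assumes an elevated PowerShell session with the Defender module available, and the baseline values are the ones this article recommends.

```powershell
# Added example: apply a Defender hardening baseline and report what did not stick.
# Run from an elevated PowerShell console on the local computer.
$baseline = @{
    DisableRemovableDriveScanning = $false   # scan USB and other removable media
    DisableArchiveScanning        = $false   # look inside ZIP/RAR/CAB archives
    DisableRealtimeMonitoring     = $false   # keep real-time protection on
    PUAProtection                 = 1        # block potentially unwanted apps
}

function Get-DefenderDrift {
    # Return the baseline settings whose current value differs from the expected one.
    # Values are compared as integers so $false/0 and enum values like "Enabled"/1 match.
    $pref = Get-MpPreference
    foreach ($name in $baseline.Keys) {
        $current = $pref.$name
        if ([int]$current -ne [int]$baseline[$name]) {
            [pscustomobject]@{ Setting = $name; Current = $current; Expected = $baseline[$name] }
        }
    }
}

$drift = Get-DefenderDrift
if (-not $drift) {
    Write-Host 'Windows Defender already matches the baseline.'
    return
}
Write-Host 'Settings that differ from the baseline:'
$drift | Format-Table -AutoSize

# Apply only the settings that drifted, one Set-MpPreference call per setting
foreach ($item in $drift) {
    $params = @{ $item.Setting = $item.Expected }
    Set-MpPreference @params
}

# Re-check: anything still listed is most likely overridden by Group Policy
$remaining = Get-DefenderDrift
if ($remaining) {
    Write-Warning 'Some settings did not apply (probably managed by Group Policy):'
    $remaining | Format-Table -AutoSize
} else {
    Write-Host 'Baseline applied successfully.'
}
```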

After you turn on this protection, when you try to launch or install a potentially unwanted program on your computer, you will receive the following notification from Defender in Windows 10:

Windows Defender took action

Your settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device.


Using UpdateSource Argument

To start an antivirus signature update, use the Update-MpSignature cmdlet. By default, Windows Defender updates using the standard computer settings, but the UpdateSource argument lets you specify exactly where to take the virus definition updates from.

The following sources are available:

  • MicrosoftUpdateServer — Microsoft Update;
  • MMPC — Microsoft Malware Protection Center;
  • FileShares — a network shared folder;
  • InternalDefinitionUpdateServer — internal WSUS server.

To update the antivirus from a file share, first download the necessary definition update files from https://www.microsoft.com/security/portal/definitions/adl.aspx and place them into a shared network folder on a file server in your network. Then specify that Windows Defender should be updated from that network shared folder (use a UNC path):

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\DESKTOP-V20E3PO\Updates

To run the virus and malware definition update manually:

Update-MpSignature -UpdateSource FileShares
Update-MpSignature

In some cases, after receiving a faulty update, Windows Defender may not work correctly. In this case it is recommended to remove the current threat definition databases and reload them from the source (run these from an elevated Command Prompt):

"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -RemoveDefinitions -All
"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -SignatureUpdate

To perform an antivirus scan of your computer, use the Start-MpScan cmdlet. With the ScanType argument you can choose one of three scan modes:

  • FullScan — all files on the computer are scanned, as well as the system registry and currently running apps;
  • QuickScan — only the areas most likely to be infected by malware are analyzed (registry, active RAM, system folders);
  • CustomScan — the user selects the folders and drives to be scanned.

For example, run a custom scan of the system folder "C:\Program Files":

Start-MpScan -ScanType CustomScan -ScanPath "C:\Program Files"

All Defender module cmdlets can be run against both local and remote computers. To connect to a remote computer, use the CimSession option. For example, to get the date of the last scan from the remote computer with hostname lnd_wks21, run the following commands (WinRM must be enabled on the remote computer):

$session = New-CimSession -ComputerName lnd_wks21
Get-MpComputerStatus -CimSession $session | fl fullscan*

Disable Windows Defender using PowerShell

To disable Defender real-time protection:

Set-MpPreference -DisableRealtimeMonitoring $true

To completely disable Windows Defender on a computer, set the DisableAntiSpyware policy value with the command:

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
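Because both Set-MpPreference and the DisableAntiSpyware policy value can silently turn protection off, an administrator will usually want to find such machines rather than create them. The script below is an added example, not from the original article: it reuses the CimSession approach shown earlier to audit several hosts over WinRM and flags any where the service or real-time protection is off, the policy value above is set, or signatures are stale. The hostnames are placeholders, and the policy value is read through the WMI StdRegProv class so no separate PowerShell remoting session is needed.

```powershell
# Added example: audit Windows Defender state on several remote computers.
# Requires WinRM enabled on the targets and admin rights there. Hostnames are placeholders.
$computers = 'lnd_wks21', 'lnd_wks22'
$HKLM = [uint32]2147483650   # StdRegProv constant for HKEY_LOCAL_MACHINE

function Test-DefenderHost {
    param([Microsoft.Management.Infrastructure.CimSession]$Session)
    $status = Get-MpComputerStatus -CimSession $Session
    # Read HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware via the WMI registry provider
    $reg = Invoke-CimMethod -CimSession $Session -Namespace root\default -ClassName StdRegProv `
        -MethodName GetDWORDValue -Arguments @{
            hDefKey     = $HKLM
            sSubKeyName = 'SOFTWARE\Policies\Microsoft\Windows Defender'
            sValueName  = 'DisableAntiSpyware'
        }
    # ReturnValue 0 means the value exists; anything else means it is not set (Defender not policy-disabled)
    $policyDisabled = ($reg.ReturnValue -eq 0 -and $reg.uValue -eq 1)
    [pscustomobject]@{
        Computer         = $Session.ComputerName
        ServiceEnabled   = $status.AMServiceEnabled
        RealTime         = $status.RealTimeProtectionEnabled
        SignatureAgeDays = $status.AntivirusSignatureAge
        LastFullScan     = $status.FullScanEndTime
        PolicyDisabled   = $policyDisabled
        NeedsAttention   = (-not $status.AMServiceEnabled) -or
                           (-not $status.RealTimeProtectionEnabled) -or
                           $policyDisabled -or
                           ($status.AntivirusSignatureAge -gt 3)   # stale definitions threshold: 3 days
    }
}

$results = foreach ($computer in $computers) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
        Test-DefenderHost -Session $session
        Remove-CimSession $session
    } catch {
        # An unreachable host is also worth a look: WinRM off, firewall, or the machine is gone
        [pscustomobject]@{ Computer = $computer; NeedsAttention = $true; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```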
