Scripting Defender – How to get quarantined files?

    • #273418
      Participant

      Hi,

      I’m trying to script Windows Defender to make a custom scan on a path and want to find out what actions it made.

      So, the hypothesis is to run Start-MpScan, wait for the job to finish and then use Get-MpThreatDetection to find out what happened. But I don’t seem to be able to get all the actions taken as I would kind of expect. In particular, files that are quarantined don’t generally show up, and I don’t quite understand why.

      The files *are* shown in Windows Defender as quarantined, so it’s obviously possible to get the information, but it seems not to be easily accessible from PS.

      Any thoughts? Would be most appreciated.

      Regards,
      /Fredrik


    • #273445
      Participant

      For Windows 10, you may be able to get the info from several PS cmdlets. I have no way to test as my system is clean.

      https://docs.microsoft.com/en-us/powershell/module/defender/get-mpthreat?view=win10-ps


    • #273454
      Participant

      Well, yes. But they don’t provide the information I’m looking for; there seems to be a bit more magic involved.

      I can, at least occasionally, get some of the files acted on in that output, but far from all. Which seems odd.

    • #273469
      Participant

      Understood.

      What do you find here:

      C:\ProgramData\Microsoft\Windows Defender\Quarantine


    • #273481
      Participant

      Yes, as I wrote in the original post.

    • #273493
      Participant

      To be somewhat more specific: I’m using test data from the GitHub repository git@github.com:mattias-ohlsson/eicar-standard-antivirus-test-files.git.

      When I use Start-MpScan to do a scan of the folder, 14 files are quarantined and 5 modified to remove harmful macros.

      Get-MpThreatDetection will only give me an entry for one of the files, or in one case two, acted on. The others are silently quarantined or modified as far as the PS cmdlets are concerned, but visible in the Windows Defender GUI.

      I would like to be able to compile a list of all the files, preferably without having to traverse all of the folders in the path before and after.

    • #273624
      Participant

      The best source I’ve found so far is the event log. A bit cumbersome, and it doesn’t catch all quarantined files, but at least most of them.
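The following is an added example, not code posted in this thread, that combines the two approaches discussed above: it runs the custom scan the original poster describes, then collects the acted-on files both from Get-MpThreatDetection and from the Microsoft-Windows-Windows Defender/Operational event log that the last reply points to, and merges the two lists so that files the cmdlet misses still show up with the action Defender took. The scan path is a constructed placeholder; the use of event IDs 1116 (threat detected) and 1117 (action taken) and the "Path:", "Action:" and "Name:" fields parsed out of the event message text are assumptions about the log format, labelled as such in the comments.

```powershell
# Added example (not from the thread): scan a folder with Defender, then list every
# file Defender acted on, from two sources:
#   1. Get-MpThreatDetection (what the original poster tried), and
#   2. the Microsoft-Windows-Windows Defender/Operational event log (the last reply).
# Assumptions: event IDs 1116 (detected) / 1117 (action taken), and "Path:", "Action:",
# "Name:" lines in their message text. $ScanPath is a constructed placeholder.

param(
    [string]$ScanPath = 'C:\Temp\eicar-standard-antivirus-test-files'  # placeholder, adjust
)

$started = Get-Date

# Start-MpScan blocks until the custom scan completes, so no job polling is needed.
Start-MpScan -ScanType CustomScan -ScanPath $ScanPath

# Source 1: the cmdlet. Each detection carries a Resources array with strings such as
# "file:_C:\path\eicar.com"; strip the "file:_" prefix to get a plain path.
$fromCmdlet = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $started } |
    ForEach-Object {
        $d = $_
        foreach ($r in $d.Resources) {
            [pscustomobject]@{
                Source   = 'Get-MpThreatDetection'
                Path     = ($r -replace '^file:_', '')
                Action   = $null            # the cmdlet does not name the action
                ThreatID = $d.ThreatID
            }
        }
    }

# Source 2: the Operational event log, restricted to events since the scan started.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117                  # assumed: 1116 = detected, 1117 = action taken
    StartTime = $started
}
$fromEventLog = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg = $_.Message
        # Assumed message layout: "Path: file:_C:\...", "Action: Quarantine", "Name: ...".
        $path   = if ($msg -match 'Path:\s*file:_([^\r\n;]+)') { $Matches[1].Trim() } else { $null }
        $action = if ($msg -match 'Action:\s*([^\r\n]+)')      { $Matches[1].Trim() } else { $null }
        $name   = if ($msg -match 'Name:\s*([^\r\n]+)')        { $Matches[1].Trim() } else { $null }
        if ($path) {
            [pscustomobject]@{
                Source   = "Event $($_.Id)"
                Path     = $path
                Action   = $action
                ThreatID = $name
            }
        }
    }

# Merge and de-duplicate on Path. Event-log records go first so that, when both sources
# report a file, the record that carries the action (Quarantine, Remove, ...) is kept.
$all = @($fromEventLog) + @($fromCmdlet) |
    Group-Object Path |
    ForEach-Object { $_.Group | Select-Object -First 1 }

$all | Sort-Object Path | Format-Table Path, Action, ThreatID, Source -AutoSize

# Summary of files the event log reports as quarantined.
$quarantined = $all | Where-Object { $_.Action -eq 'Quarantine' }
"{0} quarantined file(s) reported for {1}" -f @($quarantined).Count, $ScanPath
```

Run it from an elevated PowerShell session, since both the Defender cmdlets and the Operational log require administrative rights. Because the event log is filtered on the scan start time, the output only covers this scan; files already sitting in quarantine from earlier scans will not appear, which matches the original poster's goal of seeing what this scan did.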
