Using PowerShell to Investigate Windows Defender’s Malware Signature Definitions

Since the release of Windows 10, Windows Defender can fairly be described as a full antivirus. Like any antivirus, Windows Defender relies on a definition database to identify and block or remove threats. A definition database is a collection of malware signatures that the antivirus has been programmed to recognise; if a program matches one of those signatures, it is flagged as a security threat. Windows PowerShell now lets you have a peek under the hood at the engine that runs Windows Defender, and lets you manage it with little effort.

This guide will briefly explain what Windows Defender and Windows PowerShell are. It will then give you a short introduction on how Windows PowerShell works and how to use PowerShell to manage Windows Defender. We will lastly see how we can use PowerShell to see which viruses Windows Defender can identify by looking into its signature definitions database.

What is Windows Defender?

Windows Defender is malware protection that is included with and built into Windows. This software helps identify and remove viruses, spyware, and other malicious software. Windows Defender runs in the background and notifies you when you need to take specific action. However, you can use it anytime to scan for malware if your computer isn’t working properly or if you clicked a suspicious link online or in an email message.

Windows Defender appears to be slated for a transition into a modern Windows app after years with a similar user interface. Windows Defender first appeared as an anti-virus utility for Windows XP. Since Windows Vista it has been built into every Microsoft operating system as protection against malicious software. Before Windows 8, Windows Defender protected against spyware. It included a number of real-time security agents that monitored several common areas of Windows for changes which might have been caused by spyware. It also included the ability to easily remove installed ActiveX software.

In Windows 8, Windows Defender was merged with another antivirus product, Microsoft Security Essentials, and became full-featured antivirus software. In Windows 10, Windows Defender is configured through the Settings app. The Windows 10 Anniversary Update also allows toast notifications to appear and announce the results of a scan, even if no viruses are found.

The main advantage of Defender is that it is easy to use, it’s already pre-installed in Windows, enabled by default and practically does not need manual configuration. It is also a very light-weight application and will not bother you with pop-ups all the time.

What is Windows PowerShell?

Windows PowerShell is a shell developed by Microsoft for purposes of task automation and configuration management. This powerful shell is based on the .NET framework and it includes a command-line shell and a scripting language. Initially a Windows component only, PowerShell was made open-source and cross-platform on 18 August 2016 meaning anyone could develop commands to use with PowerShell.

Windows Defender has always had a command line version that you can run in your normal Command Prompt window. However, Windows 10 brings with it cmdlets for Windows Defender.

A cmdlet (pronounced as command-let) is a lightweight command that is used in the Windows PowerShell environment. The Windows PowerShell runtime invokes these cmdlets within the context of automation scripts that are provided at the command line. The Windows PowerShell runtime also invokes them programmatically through Windows PowerShell APIs (Application program interface). Cmdlets perform an action and typically return a Microsoft .NET Framework object to the next command in the pipeline. Like any other command prompt action, a cmdlet must exist in order to return results, otherwise an error will be displayed.

How to launch Windows PowerShell in administrator mode

You can run PowerShell by typing “PowerShell” in the Run Window, but that won’t quite cut it. This is because this method will not run PowerShell in administrator mode, and without administrator mode, you are limited on what you can do due to permissions. Here are the ways to start PowerShell in administrator mode.

  1. In Windows 10, the easiest and quickest way to do so is to launch File/Windows Explorer, open any folder, pull down the File menu, go to Open Windows PowerShell, and then select the Open Windows PowerShell as Administrator command.
  2. The other option is to go to the folder C:\Windows\System32\WindowsPowerShell\v1.0 or any version available. Right click on the file named PowerShell.exe and open as administrator. The file named PowerShell_ise.exe provides PowerShell in Graphical User Interface rather than the Command Prompt, but they both work the same way using the same cmdlets.
  3. The last option is to open Command Prompt as an administrator and use it to open PowerShell. Go to Start > All Apps/All Programs > Windows System/Accessories > Right Click on Command Prompt and run as administrator. In the Command Prompt window that appears, type “PowerShell” and hit Enter. The path will change to “PS C:\Windows\System32>”. This means you are ready to use the PowerShell environment.

PowerShell’s Defender cmdlets and how to use them

We have talked about what cmdlets are, so how do you use them? You simply type these commands into the PowerShell window.

Windows PowerShell provides 12 cmdlets for Windows Defender. To see them, just type Get-Command -Module Defender into the PowerShell command prompt window and hit enter. Here is the full list of cmdlets for Windows Defender.

Cmdlet                  Description
Add-MpPreference        Modifies settings for Windows Defender.
Get-MpComputerStatus    Gets the status of anti-malware software on the computer.
Get-MpPreference        Gets preferences for the Windows Defender scans and updates.
Get-MpThreat            Gets the history of threats detected on the computer.
Get-MpThreatCatalog     Gets known threats from the definitions catalog.
Get-MpThreatDetection   Gets active and past malware threats that Windows Defender detected.
Remove-MpPreference     Removes exclusions or default actions.
Remove-MpThreat         Removes active threats from the computer.
Set-MpPreference        Configures preferences for Windows Defender scans and updates.
Start-MpScan            Starts a scan on the computer.
Start-MpWDOScan         Starts a Windows Defender offline scan.
Update-MpSignature      Updates the anti-malware definitions on the computer.

Getting help from PowerShell when you are stuck

PowerShell includes its own extensive, console-based help. If you get stuck or you simply desire help, description or examples about a cmdlet, use these commands to get information.

Get-Help <cmdlet name> -Detailed    Gives a detailed description of what the cmdlet does, including the parameters it takes.
Get-Help <cmdlet name> -Examples    Shows examples of how to use the cmdlet.
Get-Help <cmdlet name> -Full        Gives the full description, including parameters and examples.

If you get no information back, you will have to update the Windows Defender cmdlet help files. To do so, type Update-Help in the Windows PowerShell window and wait a few minutes for the latest help files to be downloaded and installed.

A few standard operations on PowerShell to manage Windows Defender

The Start-MpScan cmdlet on the PowerShell prompt lets you run a scan on your system. These are the Windows Defender scans that you can run on your PC using Windows PowerShell.

  1. FullScan — scans all files on your computer, as well as the system registry and currently running apps. Run a full scan with this command: Start-MpScan -ScanType FullScan
  2. QuickScan — analyses only those areas that are most likely to be infected by malware. To run a quick scan, use the following command: Start-MpScan -ScanType QuickScan
  3. CustomScan — a custom scan will let a user select the folders and drives to be scanned. A path parameter is needed for this scan. Here is a cmdlet example to run a custom scan: Start-MpScan -ScanPath C:\Users\User1\Downloads

If you want to check for new virus signature definition updates and update Windows Defender, you’ll use the command: Update-MpSignature

To display current status of Windows Defender – enabled options, virus definition date and version, last scan time and other – type this command into PowerShell: Get-MpComputerStatus

If you want to disable Defender real-time protection use the command: Set-MpPreference -DisableRealtimeMonitoring $true

There are many more, and more complex, Windows Defender cmdlets, but this page will not delve into them. Now that you know the basic Windows Defender cmdlets, we will look at how to get a peek into the Windows Defender signature definitions database.
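Putting the status, update and preference cmdlets above together, here is an added example (not from the original article) that reports whether protection is enabled, refreshes signatures when they are older than a chosen threshold, and lists any configured exclusions for review. It assumes an elevated PowerShell session on Windows 10 with the Defender module available; the three-day threshold is an arbitrary choice for this example.

```powershell
# Added example: audit Windows Defender state from PowerShell.
# Assumes an elevated session on Windows 10 with the Defender module present.
$maxSignatureAgeDays = 3   # arbitrary threshold chosen for this example

$status = Get-MpComputerStatus

# Core protection switches; each should report OK on a healthy machine.
$checks = [ordered]@{
    'Antimalware service enabled' = $status.AMServiceEnabled
    'Antivirus enabled'           = $status.AntivirusEnabled
    'Real-time protection'        = $status.RealTimeProtectionEnabled
}
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK' } else { 'DISABLED' }
    Write-Output ("{0,-30} {1}" -f $name, $state)
}

# Signature freshness: AntivirusSignatureAge is expressed in days.
Write-Output ("Signature version {0}, last updated {1} ({2} days ago)" -f `
    $status.AntivirusSignatureVersion,
    $status.AntivirusSignatureLastUpdated,
    $status.AntivirusSignatureAge)

if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    Write-Output "Signatures older than $maxSignatureAgeDays days; updating..."
    Update-MpSignature
    Write-Output ("Now at signature version {0}" -f (Get-MpComputerStatus).AntivirusSignatureVersion)
}

# Last scan ages (days); a large QuickScanAge suggests scheduled scans are not running.
Write-Output ("Last quick scan {0} days ago, last full scan {1} days ago" -f `
    $status.QuickScanAge, $status.FullScanAge)

# Exclusions reduce coverage, so surface them for review.
$pref = Get-MpPreference
@($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) |
    Where-Object { $_ } |
    ForEach-Object { Write-Output "Exclusion configured: $_" }
```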

Accessing the Windows Defender malware signature definitions database using PowerShell

The Windows Defender signature definitions database tells you what Windows Defender can identify as a threat and neutralise. The Get-MpThreatCatalog cmdlet lets you read it. The whole list is lengthy and scrolls across your screen at a blistering speed, but you can take your time to find what you are looking for, and what might be missing. Simply type this command into the PowerShell command prompt and hit Enter.

Get-MpThreatCatalog

You can use the Pause/Break key on your keyboard to temporarily pause the output. To stop the listing entirely, press Ctrl + C. Either way, you will see one record per threat in the database, each with six fields. Here is an example:

CategoryID     : 4
SeverityID     : 5
ThreatID       : 5145
ThreatName     : TrojanDownloader:Win32/Zlob.CH
TypeID         : 0
PSComputerName :

Let us briefly look at what each field means.

CategoryID: This will indicate the type of malware/threat listed. Here are the known values so far, and the type of threat/malware they point to:

ID   Type of malware
0    Invalid
1    Adware
2    Spyware
3    Passwordstealer
4    Trojandownloader
5    Worm
6    Backdoor
7    Remoteaccesstrojan
8    Trojan
9    Emailflooder
10   Keylogger
11   Dialer
12   Monitoringsoftware
13   Browsermodifier
14   Cookie
15   Browserplugin
16   Aolexploit
17   Nuker
18   Securitydisabler
19   Jokeprogram
20   Hostileactivexcontrol
21   Softwarebundler
22   Stealthnotifier
23   Settingsmodifier
24   Toolbar
25   Remotecontrolsoftware
26   Trojanftp
27   Potentialunwantedsoftware
28   Icqexploit
29   Trojantelnet
30   Filesharingprogram
31   Malware_Creation_Tool
32   Remote_Control_Software
33   Tool
34   Trojan_Denialofservice
36   Trojan_Dropper
37   Trojan_Massmailer
38   Trojan_Monitoringsoftware
39   Trojan_Proxyserver
40   Virus
42   Known
43   Unknown
44   Spp
45   Behavior
46   Vulnerability
47   Policy

SeverityID: This is a scale of 1-5 that identifies how bad a threat is, 5 being the highest. Here is what they mean.

ID   Severity
0    Unknown
1    Low
2    Moderate
4    High
5    Severe


ThreatID: This is a number that has been assigned to the malware/threat as a form of identification.

ThreatName: This is the name given to the malware that corresponds to the ThreatID number.

TypeID: The TypeID value specifies how Windows Defender identifies the malware. Is it a known or unknown threat? Here are the values and what they mean.

ID   Identification method
0    Known bad threat
1    Behavior monitoring
2    Unknown threat
3    Known good threat
4    Network Inspection System (NIS) threat

You might notice that all threats that appear on your screen have TypeID 0. This is because most of the signature definitions that have already been added have been researched, and the type of threat they pose has been documented.

PSComputerName: The name of the computer where the activity is running. This is usually empty, for the simple reason that this database is a static catalog of definitions, not a record of activity on a particular computer.

Things to remember

  1. The signature definitions catalog is huge, so it might take quite a while before you see any data on your screen. Be patient.
  2. Because the database is so large, it may eat into your memory. Cmdlets have a limit on the memory they use, and you are likely to see this message: “WARNING: Memory usage of a cmdlet has exceeded a warning level.” PowerShell may recover and continue, or simply return you to the prompt. Be patient. Otherwise you can cancel the operation by hitting Ctrl + C.
  3. If your screen becomes too crowded, type the command CLS to clear it. This will also improve memory usage.

Querying the Windows Defender Signature Definitions Database

A query is simply a request for refined data that meets certain criteria from a database. We have seen what the Windows Defender definitions database looks like, and we now know that it is an extremely large database. You can always trim down the amount of information displayed by adding a few parameters to your cmdlet. Here are a few examples of how to do that.

  1. To see all the records in the database for the most severe malware, use this cmdlet:

Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq "5"}

The value “5” will return definitions with the severity level of 5 only.

  2. There are several types of malware that Windows Defender can identify. To zero in on one type only, you will have to filter on the TypeID or, more conveniently, on the ThreatName. An example would be to see only threats that are known as viruses. Simply type this into the PowerShell command prompt window:

Get-MpThreatCatalog | Where-Object {$_.ThreatName -Match "^Virus.*"}

You can also use more than one criterion to query the database. Let us say, for example, you need to see all viruses with a severity of 5. Simply type this command into the PowerShell window:

Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq "5"} | Where-Object {$_.ThreatName -Match "^Virus.*"}

This way, you can have several more query criteria to narrow down the information displayed.

  3. Even after querying your database, you might still find a lot of data being displayed on your screen. If you would rather see the output one page at a time, type the following command at the PowerShell prompt:

Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq "5"} | Select-Object ThreatName | more

Or

Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq "5"} | Where-Object {$_.ThreatName -Match "^Virus.*"} | Select-Object ThreatName | more

This command line pipes the output into the more command, which in turn displays the output one page at a time. To advance to the next page, press [Spacebar]. If you press [Enter], the screen will advance one line at a time. This will save you a lot of waiting time that is needed to display all the data at once before you can start viewing and scrolling through your results.
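The three query examples above filter on raw numeric IDs. As an added example that is not from the original article, the script below reads the catalog once, labels CategoryID, SeverityID and TypeID using the tables given earlier on this page, and then answers the same questions (severe entries per category, coverage of a named family, severe viruses) against the labelled records. It assumes an elevated PowerShell session on Windows 10 with the Defender module; only part of the CategoryID table is mapped, and unmapped IDs are left as numbers.

```powershell
# Added example: decode and query Get-MpThreatCatalog output.
# Assumes an elevated Windows 10 session with the Defender module available.
# Lookup tables are taken from the ID tables documented above (CategoryID subset only).
$categoryNames = @{
    0 = 'Invalid'; 1 = 'Adware'; 2 = 'Spyware'; 3 = 'Passwordstealer'
    4 = 'Trojandownloader'; 5 = 'Worm'; 6 = 'Backdoor'; 7 = 'Remoteaccesstrojan'
    8 = 'Trojan'; 10 = 'Keylogger'; 36 = 'Trojan_Dropper'; 40 = 'Virus'
    45 = 'Behavior'; 46 = 'Vulnerability'
}
$severityNames = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }
$typeNames     = @{ 0 = 'Known bad'; 1 = 'Behavior monitoring'; 2 = 'Unknown'; 3 = 'Known good'; 4 = 'NIS' }

function Resolve-Id($table, $id) {
    # Returns the label for an ID, or the raw ID when the table has no entry for it.
    $key = [int]$id
    if ($table.ContainsKey($key)) { $table[$key] } else { $id }
}

function Get-DecodedThreatCatalog {
    # Emits one object per catalog record with readable labels instead of numeric IDs.
    Get-MpThreatCatalog | ForEach-Object {
        [pscustomobject]@{
            ThreatID   = $_.ThreatID
            ThreatName = $_.ThreatName
            Category   = Resolve-Id $categoryNames $_.CategoryID
            Severity   = Resolve-Id $severityNames $_.SeverityID
            Type       = Resolve-Id $typeNames $_.TypeID
        }
    }
}

# Enumerating the catalog is slow, so capture it once and query the array.
$catalog = Get-DecodedThreatCatalog

# Severe entries per category, most populous first.
$catalog | Where-Object Severity -eq 'Severe' |
    Group-Object Category | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Is a specific family covered? Searching the name is the practical check.
$catalog | Where-Object ThreatName -like '*Zlob*' |
    Select-Object ThreatID, ThreatName, Category, Severity | Format-Table -AutoSize

# Save the Severe virus entries for offline review.
$catalog | Where-Object { $_.Severity -eq 'Severe' -and $_.ThreatName -match '^Virus' } |
    Export-Csv -Path "$env:TEMP\defender-severe-viruses.csv" -NoTypeInformation
```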

There are many more commands that you can use to narrow down your query, and with the information and examples listed here you will be able to do so easily. Remember that the version of Windows Defender and the version of Windows PowerShell determine whether the Windows Defender cmdlets are available to you. This has been tested on Windows 10. The Microsoft support page indicates that the cmdlets are available for Windows Server 2016 and Windows 10. The retail (not updated) version of Windows 7 does not seem to recognise these cmdlets; in fact, Windows 7’s PowerShell will throw errors or return blanks when you type them. Updating these two applications (Defender and PowerShell) might get you back on track.

ABOUT THE AUTHOR

Kevin Arrows