Windows Defender Advanced Threat Protection downloads folder contains .ps1 scripts

Hakeem Shukor 20 Reputation points
2024-01-31T03:33:26.68+00:00

I have a question about .ps1 scripts located in the downloads folder of Windows Defender Advanced Threat Protection. I receive alerts from my EDR about these scripts trying to execute, and the operation is eventually blocked. The .ps1 scripts are located in C:\ProgramData\Windows Defender Advanced Threat Protection\Downloads. What are these files used for? Are they updates, policy changes, etc.?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

Accepted answer
  1. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2024-02-02T09:47:41.3933333+00:00

    @Hakeem Shukor

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you need advice on the ps1 scripts found under C:\ProgramData\Windows Defender Advanced Threat Protection\Downloads.

    Please do correct me if this is not the case by responding in the comments section.

    These scripts are used for running device discovery. As per device discovery:

    Standard discovery uses various PowerShell scripts to actively probe devices in the network. Those PowerShell scripts are Microsoft signed and are executed from the following location: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps. For example, C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\UnicastScannerV1.1.0.ps1.


    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

    3 people found this answer helpful.
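
One way to check the "Microsoft signed" statement in the accepted answer when triaging such an EDR alert, as an added example that is not part of the original answer or of Microsoft's tooling: it reports the Authenticode status, signer and SHA-256 of every .ps1 in the folder. The function name `Get-DiscoveryScriptSignature` is hypothetical, the `O=Microsoft Corporation` subject match is an assumption about the signer name, and both folder spellings from this thread are checked; run it from an elevated prompt.

```powershell
# Added example: verify the signatures of the device discovery scripts.
# Both paths come from this thread (the question's and the answer's spelling).
$candidateFolders = @(
    'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads',
    'C:\ProgramData\Windows Defender Advanced Threat Protection\Downloads'
)

function Get-DiscoveryScriptSignature {
    param([Parameter(Mandatory)][string[]]$Folder)

    foreach ($dir in $Folder) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }   # folder absent on this host

        Get-ChildItem -LiteralPath $dir -Filter '*.ps1' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $cert = $sig.SignerCertificate
                $subject = if ($cert) { $cert.Subject } else { '' }

                [pscustomobject]@{
                    File       = $_.FullName
                    Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                    Signer     = $subject
                    Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                    SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    # Assumption: a genuine script chains to a trusted root (Status Valid)
                    # and its signer subject names Microsoft Corporation.
                    Expected   = ($sig.Status -eq 'Valid') -and
                                 ($subject -match 'O=Microsoft Corporation')
                }
            }
    }
}

$results = @(Get-DiscoveryScriptSignature -Folder $candidateFolders)
if ($results.Count -eq 0) {
    Write-Output 'No .ps1 files present (the folder may be empty between discovery runs).'
} else {
    $results | Format-List
    # Anything listed here is unsigned, tampered with, or signed by another publisher.
    $results | Where-Object { -not $_.Expected } | Select-Object File, Status, Signer
}
```

A file with `Status` of `NotSigned` or `HashMismatch`, or with a different signer, does not match the description in the answer and should be investigated rather than allow-listed.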
