Редагувати

Поділитися через


Evaluate Microsoft Defender Antivirus using Powershell

Applies to:

In Windows 10 or newer and Windows Server 2016 or newer you can use next-generation protection features offered by Microsoft Defender Antivirus(MDAV) and Microsoft Defender Exploit Guard (Microsoft Defender EG).

This topic explains how to enable and test the key protection features in Microsoft Defender AV and Microsoft Defender EG, and provides you with guidance and links to more information.

We recommend you use this evaluation PowerShell script to configure these features, but you can individually enable each feature with the cmdlets described in the rest of this document.

See the following product documentation libraries for more information about our EPP products:

This article describes configuration options in Windows 10 or newer and Windows Server 2016 or newer.

If you have any questions about a detection that Microsoft Defender AV makes, or you discover a missed detection, you can submit a file to us at our sample submission help site.

Use PowerShell to enable the features

This guide provides the Microsoft Defender Antivirus cmdlets that configure the features you should use to evaluate our protection.

To use these cmdlets:

1. Open an elevated instance of PowerShell (choose to Run as administrator).

2. Enter the command listed in this guide and press Enter.

You can check the status of all settings before you begin, or during your evaluation, by using the Get-MpPreference PowerShell cmdlet.

Microsoft Defender AV indicates a detection through standard Windows notifications. You can also review detections in the Microsoft Defender AV app.

The Windows event log also records detection and engine events. See the Microsoft Defender Antivirus events article for a list of event IDs and their corresponding actions.

Cloud protection features

Standard definition updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds.

More details are available in Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection.

Description PowerShell Command
Enable the Microsoft Defender Cloud for near-instant protection and increased protection Set-MpPreference -MAPSReporting Advanced
Automatically submit samples to increase group protection Set-MpPreference -SubmitSamplesConsent Always
Always Use the cloud to block new malware within seconds Set-MpPreference -DisableBlockAtFirstSeen 0
Scan all downloaded files and attachments Set-MpPreference -DisableIOAVProtection 0
Set cloud block level to 'High' Set-MpPreference -CloudBlockLevel High
High Set cloud block timeout to 1 minute Set-MpPreference -CloudExtendedTimeout 50

Always-on protection (real-time scanning)

Microsoft Defender AV scans files as soon as they're seen by Windows, and will monitor running processes for known or suspected malicious behaviors. If the antivirus engine discovers malicious modification, it will immediately block the process or file from running.

See Configure behavioral, heuristic, and real-time protection for more details on these options.

Description PowerShell Command
Constantly monitor files and processes for known malware modifications Set-MpPreference -DisableRealtimeMonitoring 0
Constantly monitor for known malware behaviors – even in 'clean' files and running programs Set-MpPreference -DisableBehaviorMonitoring 0
Scan scripts as soon as they are seen or run Set-MpPreference -DisableScriptScanning 0
Scan removable drives as soon as they are inserted or mounted Set-MpPreference -DisableRemovableDriveScanning 0

Potentially Unwanted Application protection

Potentially unwanted applications are files and apps that are not traditionally classified as malicious. These include third-party installers for common software, ad-injection, and certain types of toolbars in your browser.

Description PowerShell Command
Prevent grayware, adware, and other potentially unwanted apps from installing Set-MpPreference -PUAProtection Enabled

Email and archive scanning

You can set Microsoft Defender Antivirus to automatically scan certain types of email files and archive files (such as .zip files) when they are seen by Windows. More information about this feature can be found under the Manage email scans in Microsoft Defender article.

Description PowerShell Command
Scan email files and archives Set-MpPreference -DisableArchiveScanning 0
Set-MpPreference -DisableEmailScanning 0

Manage product and protection updates

Typically, you receive Microsoft Defender AV updates from Windows update once per day. However, you can increase the frequency of those updates by setting the following options, and ensuring that your updates are managed either in System Center Configuration Manager, with Group Policy, or in Intune.

Description PowerShell Command
Update signatures every day Set-MpPreference -SignatureUpdateInterval
Check to update signatures before running a scheduled scan Set-MpPreference -CheckForSignaturesBeforeRunningScan 1

Advanced threat and exploit mitigation and prevention Controlled folder access

Microsoft Defender Exploit Guard provides features that help protect devices from known malicious behaviors and attacks on vulnerable technologies.

Description PowerShell Command
Prevent malicious and suspicious apps (such as ransomware) from making changes to protected folders with Controlled folder access Set-MpPreference -EnableControlledFolderAccess Enabled
Block connections to known bad IP addresses and other network connections with Network protection Set-MpPreference -EnableNetworkProtection Enabled
Apply a standard set of mitigations with Exploit protection Invoke-WebRequest
https://demo.wd.microsoft.com/Content/ProcessMitigation.xml -OutFile ProcessMitigation.xml
Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml
Block known malicious attack vectors with Attack surface reduction Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADCAD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5- 9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556801D275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917- 57927947596D -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536- B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93- 3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 33ddedf1-c6e0-47cb-833e-de6133960387 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7- 1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6- 9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3FA12568109D35 -AttackSurfaceReductionRules_Actions Enabled

Some rules may block behavior you find acceptable in your organization. In these cases, change the rule from Enabled to Audit to prevent unwanted blocks.

One-click Microsoft Defender Offline Scan

Microsoft Defender Offline Scan is a specialized tool that comes with Windows 10 or newer, and allows you to boot a machine into a dedicated environment outside of the normal operating system. It's especially useful for potent malware, such as rootkits.

See Microsoft Defender Offline for more information on how this feature works.

Description PowerShell Command
Ensure notifications allow you to boot the PC into a specialized malware removal environment Set-MpPreference -UILockdown 0

Resources

This section lists many resources that can assist you with evaluating Microsoft Defender Antivirus.