-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Defender Status - script lies. Defender NOT Healthy #242
Comments
I'll look into that |
Why not? |
Before # Cleanup some variables for rendering
if ($mpStatus.FullScanAge -ge 4294967295) {
# If never ran, will report an absurdly large number instead.
$FullScanAge = "NEVER RAN"
}
else {
$FullScanAge = "$($mpStatus.FullScanAge) Days ago"
}
if ($mpStatus.QuickScanAge -ge 4294967295) {
# If never ran, will report an absurdly large number instead.
$QuickScanAge = "NEVER RAN"
}
else {
$QuickScanAge = "$($mpStatus.QuickScanAge) Days ago"
} Then swap the 2 corresponding lines in the output with: Write-Output "Full Scan Age: $FullScanAge"
Write-Output "Quick Scan Age: $QuickScanAge" Fixes "Never Ran?" "Never Run?" One of the two is correct, I never remember which is grammatically correct. |
Never ran would be grammatically correct. I was thinking also if it's over a high number to make it never ran. Probably over 6 years (2,190 days) then it's never ran? Does that make sense? |
Yeah, that would work too. One of my boxes reported that specific number as did Silversword's, so that's just what I used. If it's 2190 days, that should be sufficiently useful too. |
on the back of this updated the defender enable script
|
For Defender Status 1.4 Added WarnOnMissedScans switch and date on scan stuff <#
.SYNOPSIS
This script monitors and reports the status of Windows Defender based on specified thresholds and historical data.
.DESCRIPTION
Performs checks on malware threats, scan frequencies, and system health related to Windows Defender, outputting a detailed status report. The script can also exit with a status code indicating the presence of issues if the 'WarnOnMissedScans' parameter is used.
.PARAMETER DaysBack
The number of days to look back for detecting threats and system events.
.PARAMETER FullScanThreshold
The maximum acceptable age (in days) of the last full scan before it's considered outdated.
.PARAMETER QuickScanThreshold
The maximum acceptable age (in days) of the last quick scan before it's considered outdated.
.PARAMETER SignatureUpdateThreshold
The maximum acceptable age (in days) of the signature updates before they're considered outdated.
.PARAMETER WarnOnMissedScans
If set, the script exits with a status code of 1 to indicate critical issues when scans or updates are not in compliance with set thresholds.
.EXAMPLE
-DaysBack 30 -WarnOnMissedScans
Checks the Defender status over the past 30 days and exits with code 1 if any compliance issues are found.
.NOTES
v1 dinger initial release 2021
v1.1 bdrayer Adding full message output if items found
v1.2 added extra event IDs for ASR monitoring suggested by SDM216
v1.3 dinger added Get-MpComputerStatus for comprehensive Defender health status, added parameters and replaced Event Viewer checks with PowerShell commands
v1.4 silversword411 and cdp1337 adding never run output cleaning and WarnOnMissedScans param
#>
param (
[int]$DaysBack = 1,
[int]$FullScanThreshold = 7,
[int]$QuickScanThreshold = 1,
[int]$SignatureUpdateThreshold = 1,
[switch]$WarnOnMissedScans
)
$ErrorActionPreference = 'SilentlyContinue'
$TimeSpan = (Get-Date).AddDays(-$DaysBack)
# Check for detected threats within the date range
$threats = Get-MpThreat | Where-Object { $_.DetectionTime -ge $TimeSpan }
$issueFound = $false
if ($threats) {
Write-Output "Defender has found Threats"
Write-Output "--------------------------------"
$threats | Select-Object -ExpandProperty ThreatName -First 1
$issueFound = $true
Write-Output " "
}
# Check for ASR events in the Event Viewer
$asrEventFilter = @{
LogName = 'Microsoft-Windows-Windows Defender/Operational'
ID = '1122', '1123', '1124', '1125', '1126', '1127', '1128', '1129', '1130', '1131'
StartTime = $TimeSpan
}
$asrEvents = Get-WinEvent -FilterHashtable $asrEventFilter
if ($asrEvents) {
Write-Output "ASR Rule Hit Detected"
Write-Output "--------------------------------"
$asrEvents | Select-Object -ExpandProperty Message -First 1
$issueFound = $true
Write-Output " "
}
# Additional health status from Get-MpComputerStatus
$mpStatus = Get-MpComputerStatus
$defenderErrors = @()
if (-not $mpStatus.AMServiceEnabled) { $defenderErrors += "Antimalware Service is not enabled" }
if (-not $mpStatus.AntispywareEnabled) { $defenderErrors += "Antispyware is not enabled" }
if (-not $mpStatus.AntivirusEnabled) { $defenderErrors += "Antivirus is not enabled" }
if (-not $mpStatus.RealTimeProtectionEnabled) { $defenderErrors += "Real-time protection is not enabled" }
if (-not $mpStatus.NISEnabled) { $defenderErrors += "Network Inspection System is not enabled" }
if ($mpStatus.FullScanAge -gt $FullScanThreshold) { $defenderErrors += "Full scan has not been performed in the last $FullScanThreshold days" }
if ($mpStatus.QuickScanAge -gt $QuickScanThreshold) { $defenderErrors += "Quick scan has not been performed in the last $QuickScanThreshold days" }
if ($mpStatus.FullScanOverdue) { $defenderErrors += "Full scan is overdue" }
if ($mpStatus.QuickScanOverdue) { $defenderErrors += "Quick scan is overdue" }
# Check if signature updates are within the acceptable timeframe
if ($mpStatus.AntivirusSignatureAge -gt $SignatureUpdateThreshold) { $defenderErrors += "Antivirus signatures have not been updated in the last $SignatureUpdateThreshold days" }
if ($defenderErrors.Count -gt 0) {
Write-Output "Issues found with Windows Defender status:"
Write-Output "--------------------------------"
$defenderErrors | ForEach-Object { Write-Output $_ }
$issueFound = $true
Write-Output " "
}
if (-not $issueFound) {
Write-Output "Defender is Healthy"
Write-Output " "
}
# Cleanup some variables for rendering
if ($mpStatus.FullScanAge -ge 2190) {
# If never ran, will report an absurdly large number instead.
$FullScanAge = "NEVER RAN"
}
else {
$FullScanAge = "$($mpStatus.FullScanAge) Days ago"
}
if ($mpStatus.QuickScanAge -ge 2190) {
# If never ran, will report an absurdly large number instead.
$QuickScanAge = "NEVER RAN"
}
else {
$QuickScanAge = "$($mpStatus.QuickScanAge) Days ago"
}
Write-Output "Windows Defender Status Report:"
Write-Output "--------------------------------"
Write-Output "Service Enabled: $($mpStatus.AMServiceEnabled)"
Write-Output "Antispyware Enabled: $($mpStatus.AntispywareEnabled)"
Write-Output "Antivirus Enabled: $($mpStatus.AntivirusEnabled)"
Write-Output "Full Scan Age: $FullScanAge"
Write-Output "Quick Scan Age: $QuickScanAge"
Write-Output "Real Time Protection Enabled: $($mpStatus.RealTimeProtectionEnabled)"
Write-Output "NIS Enabled: $($mpStatus.NISEnabled)"
Write-Output "Engine Version: $($mpStatus.AMEngineVersion)"
Write-Output "Signature Version: $($mpStatus.AntivirusSignatureVersion)"
if ($issueFound) {
if ($WarnOnMissedScans) {
$host.SetShouldExit(1)
} else {
Write-Output "Issues detected, but no exit code 1 due to WarnOnMissedScans not being set."
}
} else {
$host.SetShouldExit(0)
}
|
why? already done, if you set days to 0 then it disables the check unless its felt it should be more obvious, just trying to keep it tidy and variables to a minimum. I have deleted the original as that might have been confusing, also deleted my v2 and left v3 below |
completed status script, any comments welcome
|
i feel like some of the settings you're looking at are somewhat subjective. like CloudExtendedTimeout, CloudBlockLevel, FullScanAge I see some of it is optional as well which is fine. I havent messed with Get-MpThreat much but I think for that you want (Get-MpThreat).IsActive. |
It's all stuff that the enable script enables so makes sense to check for it, ie full scans etc. A lot does have params to enable/disable to make things easier and allow it to be customised. I'll look at get threat and get that added to the script. |
yeah added get-mpthreat and works fine, any other comments? Should we make checking for full and quick scans default to 0? So it doesnt alert on them |
Yes, that was one of the two changes I made above :) |
yeah I changed it all since then :) added in more stuff, if anyone wants to test it and give feedback that would be great |
I wouldn't usually create an issue in community scripts but considering you can disable defender and this script will still say its HEALTHY seems like a huge missing.
community-scripts/scripts/Win_Defender_Status_Report.ps1
Line 35 in 116e51d
The text was updated successfully, but these errors were encountered: