I’m trying to script Windows Defender to run a custom scan on a path and want to find out what actions it took.
So, the hypothesis is to run Start-MpScan, wait for the job to finish and then use Get-MpThreatDetection to find out what happened. But I don’t seem to be able to get all the actions taken as I would kind of expect. In particular, files that are quarantined don’t generally show up, and I don’t quite understand why.
The files are shown in Windows Defender as quarantined, so it’s obviously possible to get the information, but it seems not to be easily accessible from PS.
To be somewhat more specific: I’m using test data from the GitHub repository git@github.com:mattias-ohlsson/eicar-standard-antivirus-test-files.git.
When I use Start-MpScan to do a scan of the folder, 14 files are quarantined and 5 modified to remove harmful macros.
Get-MpThreatDetection will only give me an entry for one of the files acted on, or in one case two. The others are silently quarantined or modified as far as the PS cmdlets are concerned, but visible in the Windows Defender GUI.
I would like to be able to compile a list of all the files, preferably without having to traverse all of the folders in the path before and after.
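The procedure described in the question, as an added example that is not part of the original post: it runs the custom scan, then gathers per-file actions from two sources, the Get-MpThreatDetection cmdlet and the Defender operational event log, where event 1116 records a detection and event 1117 records the action taken on a file. The scan path and the regular expressions used to pull the path and action out of the event message are assumptions; the script is meant to be run from an elevated PowerShell session.

```powershell
# Added example (not the poster's code): scan a path with Windows Defender and
# collect per-file actions from the cmdlets and the Defender operational log.
# Assumptions: $ScanPath is a hypothetical sample folder; the message parsing
# below assumes the "Path:" and "Action:" fields present in events 1116/1117.

function Get-DefenderScanActions {
    param(
        [Parameter(Mandatory)]
        [string]$ScanPath
    )

    $start = Get-Date

    # Start-MpScan blocks until the custom scan completes, so no polling loop is needed.
    Start-MpScan -ScanType CustomScan -ScanPath $ScanPath

    # Source 1: detection records exposed by the cmdlet. Each record may list
    # several resources (files), so one row is emitted per resource.
    $fromCmdlet = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $start } |
        ForEach-Object {
            $d = $_
            foreach ($res in $d.Resources) {
                [pscustomobject]@{
                    Source   = 'Get-MpThreatDetection'
                    Resource = $res
                    ThreatID = $d.ThreatID
                    Action   = "StatusID $($d.ThreatStatusID)"
                    Time     = $d.InitialDetectionTime
                }
            }
        }

    # Source 2: the Defender operational log. 1116 = malware detected,
    # 1117 = action taken. Get-WinEvent raises an error when nothing matches,
    # hence -ErrorAction SilentlyContinue.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $start
    }
    $fromLog = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            # Assumed message layout: one "Path:" line and (for 1117) one "Action:" line.
            $path   = if ($msg -match '(?m)^\s*Path:\s*(.+?)\s*$')   { $Matches[1] } else { '' }
            $action = if ($msg -match '(?m)^\s*Action:\s*(.+?)\s*$') { $Matches[1] } else { "Event $($_.Id)" }
            [pscustomobject]@{
                Source   = "EventLog/$($_.Id)"
                Resource = $path
                ThreatID = ''
                Action   = $action
                Time     = $_.TimeCreated
            }
        }

    # Merge both views, keep one row per (resource, action) so repeated 1116/1117
    # pairs for the same file collapse, and sort by time for readability.
    @($fromCmdlet) + @($fromLog) |
        Where-Object { $_.Resource } |
        Sort-Object Resource, Action, Time -Unique |
        Sort-Object Time
}

# Usage: run the scan and show every file the scan acted on, plus which
# source reported it. Files present only under EventLog/* rows are the ones
# the cmdlet did not surface.
$actions = Get-DefenderScanActions -ScanPath 'C:\Samples\eicar-test-files'  # hypothetical path
$actions | Format-Table Time, Source, Action, Resource -AutoSize

# Quick gap check: resources seen in the log but absent from the cmdlet output.
$cmdletPaths = $actions | Where-Object Source -eq 'Get-MpThreatDetection' | Select-Object -ExpandProperty Resource
$actions | Where-Object { $_.Source -like 'EventLog/*' -and $cmdletPaths -notcontains $_.Resource } |
    Select-Object -ExpandProperty Resource -Unique
```

The event log is queried with a start time captured just before the scan so that only this scan's events are returned; resources in the cmdlet output are prefixed in Defender's own format (for example `file:_C:\...`), so a direct string comparison against the event log path may need that prefix stripped before the gap check is exact.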