Scripting Defender - How to get quarantined files?

Hi,

I’m trying to script Windows Defender to make a custom scan on a path and want to find out what actions it made.

So, the hypothesis is to run Start-MpScan, wait for the job to finish and then use Get-MpThreatDetection to find out what happened. But I don’t seem to be able to get all the actions taken as I would kind of expect. In particular, files that are quarantined don’t generally show up, and I don’t quite understand why.

The files are shown in Windows Defender as quarantined, so it’s obviously possible to get the information, but it seems not to be easily accessible from PS.

Any thoughts? Would be most appreciated.

Regards,
/Fredrik


For Windows 10, you may be able to get the info from several PS cmdlets. I have no way to test as my system is clean.

https://docs.microsoft.com/en-us/powershell/module/defender/get-mpthreat?view=win10-ps


Well, yes. But they don’t provide the information I’m looking for; there seems to be a bit more magic involved.

I can, at least occasionally, get some of the files acted on in that output, but far from all. Which seems odd.

Understood.

What do you find here:

C:\ProgramData\Microsoft\Windows Defender\Quarantine


Yes, as I wrote in the original post.

To be somewhat more specific: I’m using test data from the GitHub repository git@github.com:mattias-ohlsson/eicar-standard-antivirus-test-files.git.

When I use Start-MpScan to do a scan of the folder, 14 files are quarantined and 5 modified to remove harmful macros.

Get-MpThreatDetection will only give me an entry for one of the files, or in one case two, acted on. The others are silently quarantined or modified as far as the PS cmdlets are concerned, but visible in the Windows Defender GUI.

I would like to be able to compile a list of all the files, preferably without having to traverse all of the folders in the path before and after.

The best source I’ve found so far is the event log. A bit cumbersome, and it doesn’t catch all quarantined files, but at least most of them.

# Assumes $path (the scanned folder) and $start_time (when the scan began) are already set.
# Event ID 1116 = "malware detected" in the Defender Operational log.
$events = Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -FilterXPath "*[System[EventID=1116]]" | Where-Object {$_.TimeCreated -ge $start_time}
$infected_files = @()

foreach ($event in $events) {
    $xml = [xml]$event.ToXml()
    $threat = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'Threat Name'} | Select-Object -ExpandProperty "#text"
    # 'Path' holds one or more resources separated by ';', each prefixed with file:_ or containerfile:_
    $resources = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'Path'} | Select-Object -ExpandProperty "#text"
    foreach ($resource in ($resources -split ';')) {
        # -like is case-insensitive, unlike String.Contains(); Windows paths are case-insensitive
        if ($resource -like "*$path*") {
            $resource = $resource.Trim()
            $resource = $resource -replace "^(file|containerfile):_", ""
            $resource = $resource -replace "^$([regex]::Escape($path))", ""
            $infected_files += [PSCustomObject]@{Threat = $threat; Resource = $resource}
        }
    }
}
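An added example, not code from the thread, that puts the whole procedure in one function: run the custom scan, then read both the detection events (1116) and the action events (1117, which carry the "Action Name" field such as Quarantine or Remove) since the scan started, and mark which resources Get-MpThreatDetection also reported. The function name Get-DefenderScanActions and the parameter ScanPath are assumptions; the log name and event data field names are the standard Defender ones.

```powershell
# Added example (not from the thread). Assumes the standard Defender Operational
# log and its event data field names: 'Threat Name', 'Path', 'Action Name'.
function Get-DefenderScanActions {
    param(
        [Parameter(Mandatory)] [string] $ScanPath   # folder to scan (assumed parameter name)
    )

    $start = Get-Date

    # Custom scan of the folder; the cmdlet returns when the scan has completed.
    Start-MpScan -ScanType CustomScan -ScanPath $ScanPath

    # 1116 = malware detected, 1117 = action taken (quarantine, remove, clean, ...).
    $filter = "*[System[(EventID=1116 or EventID=1117)]]"
    $events = Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
                           -FilterXPath $filter -ErrorAction SilentlyContinue |
              Where-Object { $_.TimeCreated -ge $start }

    # What the cmdlet itself reports for this scan, for comparison.
    $cmdletResources = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $start } |
        ForEach-Object { $_.Resources } |
        ForEach-Object { ($_ -replace '^(file|containerfile):_', '').Trim() }

    $results = foreach ($event in $events) {
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $action = if ($event.Id -eq 1117) { $data['Action Name'] } else { 'Detected' }

        # 'Path' holds one or more resources separated by ';', each prefixed
        # with 'file:_' or 'containerfile:_'.
        foreach ($resource in ($data['Path'] -split ';')) {
            $resource = $resource.Trim() -replace '^(file|containerfile):_', ''
            if ($resource -like "$ScanPath*") {
                [PSCustomObject]@{
                    Time           = $event.TimeCreated
                    EventId        = $event.Id
                    Threat         = $data['Threat Name']
                    Action         = $action
                    Resource       = $resource.Substring($ScanPath.Length).TrimStart('\')
                    InCmdletOutput = ($cmdletResources -contains $resource)
                }
            }
        }
    }

    # One row per resource: keep the latest event, i.e. the action if one was logged.
    $results | Sort-Object Resource, Time | Group-Object Resource |
        ForEach-Object { $_.Group[-1] }
}

# Usage: Get-DefenderScanActions -ScanPath 'C:\samples\eicar' | Format-Table -AutoSize
```

Reading both event IDs matters: 1116 only says a threat was detected, while 1117 records what Defender actually did to it, so a resource with a 1116 row but no 1117 row was detected but had no logged action at the time you queried. The InCmdletOutput column makes the gap the thread describes visible: rows where it is False are actions that appear in the event log (and the GUI) but not in Get-MpThreatDetection.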