Retrieve Malware Protection Details from Remote Computers

Author: Vivek Chandran
Date: August 26, 2024

Introduction

In our organization, providing evidence of security configurations is an essential part of the Certification and Accreditation (C&A) process. This often requires screenshots of various configurations from each computer, a task that can become tedious and time-consuming when done manually. To address this challenge, I developed a PowerShell script that retrieves and displays detailed malware protection information from remote computers using Windows Defender. This script allows us to automate the retrieval of malware protection details, making it easier to collect the necessary information quickly. By capturing the output from this script, we can take screenshots and attach them to our evidence documents, significantly reducing the manual effort involved.

Key Features of the Script

  • Remote Execution: Queries Windows Defender status on a specified remote computer.
  • Comprehensive Details: Retrieves a wide range of malware protection details, including engine and signature versions, scan status and real-time protection status.
  • Error Handling: Provides informative error messages if the script fails to connect to the remote computer or execute the command.

Prerequisites

To use this script, ensure you have the following:

  • PowerShell Remoting Enabled: PowerShell Remoting (WinRM) must be enabled on the remote computers, for example with Enable-PSRemoting, and the Defender PowerShell module that provides Get-MpComputerStatus must be present there (it ships with Windows 10/11 and Windows Server 2016 and later).
  • Sufficient Permissions: The account running the script must be allowed to connect to the remote computer's default PowerShell session configuration; by default that means membership in its local Administrators or Remote Management Users group.
  • Network Connectivity: The remote computer must be reachable on the WinRM port (TCP 5985 for HTTP, TCP 5986 for HTTPS). Invoke-Command authenticates with Kerberos by default, so use the computer's DNS name rather than its IP address; connecting by IP, or to a computer outside the domain, requires a TrustedHosts entry or an HTTPS listener.
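The following pre-flight check is an added example and not part of the original script. It walks the three prerequisites above in order for each host (name resolution, an open WinRM port, a WinRM service that answers an Identify request, and finally an authenticated Invoke-Command that both proves the caller's permissions and confirms Get-MpComputerStatus exists on the target). It assumes WinRM is on its default ports and that a two-second TCP connect timeout suits the network; the host names at the bottom are constructed placeholders.

```powershell
# Added pre-flight check; not part of the original script.
# Assumptions: WinRM listens on its default ports (5985 HTTP, 5986 HTTPS) and a
# two-second connect timeout is appropriate. Needs Windows PowerShell 5.1 or later.
function Test-DefenderRemotingPrereq {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName,
        [int]$TimeoutMs = 2000
    )
    process {
        foreach ($name in $ComputerName) {
            $check = [ordered]@{
                ComputerName   = $name
                DnsResolves    = $false   # Kerberos needs a resolvable name
                WinRmPortOpen  = $false   # TCP 5985 or 5986 accepts a connection
                WsManResponds  = $false   # WinRM service answers an Identify request
                CanInvoke      = $false   # caller may run a remote command
                DefenderModule = $false   # Get-MpComputerStatus exists on the target
                Detail         = ''
            }
            try {
                [void][System.Net.Dns]::GetHostEntry($name)
                $check.DnsResolves = $true

                # Plain TCP connect with a timeout; first port that answers wins
                foreach ($port in 5985, 5986) {
                    $client = [System.Net.Sockets.TcpClient]::new()
                    try {
                        if ($client.ConnectAsync($name, $port).Wait($TimeoutMs) -and $client.Connected) {
                            $check.WinRmPortOpen = $true
                            break
                        }
                    } catch {
                        # connection refused or reset: try the next port
                    } finally {
                        $client.Dispose()
                    }
                }
                if (-not $check.WinRmPortOpen) { throw "no WinRM listener reachable on TCP 5985/5986" }

                # Unauthenticated Identify request: proves the WinRM service is up
                [void](Test-WSMan -ComputerName $name -ErrorAction Stop)
                $check.WsManResponds = $true

                # Authenticated round trip: proves permissions and checks for the Defender module
                $check.DefenderModule = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                    [bool](Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)
                }
                $check.CanInvoke = $true
            } catch {
                # Whatever failed first is recorded; later columns stay $false
                $check.Detail = $_.Exception.Message
            }
            [pscustomobject]$check
        }
    }
}

# Constructed host names for illustration; replace with real targets
'WKS-001', 'SRV-FILE01' | Test-DefenderRemotingPrereq | Format-Table -AutoSize
```

A host that passes every column is ready for the script below; a row with WsManResponds true but CanInvoke false usually means the account lacks membership in the target's Administrators or Remote Management Users group rather than a network problem.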

Script to Retrieve Malware Protection Details

Here’s the PowerShell script that retrieves and displays malware protection details from a specified remote computer using Windows Defender:

<#
.SYNOPSIS
    This script retrieves and displays malware protection details from a remote computer using Windows Defender.

.DESCRIPTION
    The script queries Windows Defender's status on a remote computer and returns specific malware protection details.

.PARAMETER ComputerName
    The name of the remote computer on which to run the `Get-MpComputerStatus` command.

.NOTES
    Author: Vivek Chandran
    Created: 26-08-2024
    Script Version: 1.0.0
#>

param (
    [Parameter(Mandatory = $true)]
    [string]$ComputerName
)

# Define the script block to execute on the remote computer
$scriptBlock = {
    # Run the Get-MpComputerStatus command
    $status = Get-MpComputerStatus

    # Select and format the desired properties
    $status | Select-Object `
        AMEngineVersion,
        AMProductVersion,
        AMRunningMode,
        AMServiceEnabled,
        AMServiceVersion,
        AntispywareEnabled,
        AntispywareSignatureAge,
        AntispywareSignatureLastUpdated,
        AntispywareSignatureVersion,
        AntivirusEnabled,
        AntivirusSignatureAge,
        AntivirusSignatureLastUpdated,
        AntivirusSignatureVersion,
        BehaviorMonitorEnabled,
        DefenderSignaturesOutOfDate,
        DeviceControlPoliciesLastUpdated,
        FullScanAge,
        FullScanEndTime,
        FullScanOverdue,
        FullScanRequired,
        FullScanSignatureVersion,
        FullScanStartTime,
        InitializationProgress,
        IoavProtectionEnabled,
        IsTamperProtected,
        NISEnabled,
        NISEngineVersion,
        NISSignatureAge,
        NISSignatureLastUpdated,
        NISSignatureVersion,
        OnAccessProtectionEnabled,
        QuickScanAge,
        QuickScanEndTime,
        QuickScanOverdue,
        QuickScanSignatureVersion,
        QuickScanStartTime,
        RealTimeProtectionEnabled,
        RebootRequired
}

# Use Invoke-Command to run the script block on the remote computer
try {
    $result = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scriptBlock -ErrorAction Stop
    # Display the result. Invoke-Command stamps PSComputerName on the returned
    # object, which ties the screenshot to the host it came from.
    $result
} catch {
    # Report the failure on the error stream so that callers, transcripts and
    # automation can detect it; Write-Host would only paint it on the console.
    Write-Error "Error connecting to $ComputerName or executing command. $($_.Exception.Message)"
}

How to Use This Script

Step 1: Save the Script

Copy and save the above script into a .ps1 file, for example, Get-MalwareProtectionStatus.ps1.

Step 2: Run the Script

Open PowerShell and navigate to the folder where you saved the script. The local execution policy must allow running scripts (Get-ExecutionPolicy shows the current setting). Execute the script using the following command:

.\Get-MalwareProtectionStatus.ps1 -ComputerName "RemoteComputerName"

Replace RemoteComputerName with the name of the remote computer you want to query.
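For a C&A evidence run the same query usually has to cover many computers, and an unreachable host must show up in the evidence rather than vanish. The following fleet variant is an added example, not the original script: it passes the whole list to one Invoke-Command call (which queries hosts in parallel and stamps PSComputerName on each result), keeps the errors for hosts that did not answer, flags each host against a compliance threshold, and writes everything to a timestamped CSV. The thresholds (signatures at most one day old, a quick scan within seven days), the CSV name and the host names are assumptions for illustration, not the organisation's policy.

```powershell
# Added fleet-collection variant of the page's script; not the original code.
# Assumptions (illustrative, not policy): signatures may be at most
# $MaxSignatureAgeDays old, a quick scan must have run within $MaxQuickScanAgeDays,
# and the CSV is written to the current directory with a timestamped name.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string[]]$ComputerName,
    [string]$OutputPath = ".\DefenderStatus_$(Get-Date -Format 'yyyyMMdd-HHmmss').csv",
    [int]$MaxSignatureAgeDays = 1,
    [int]$MaxQuickScanAgeDays = 7
)

# Subset of Get-MpComputerStatus properties kept for the evidence record
$columns = 'AMRunningMode', 'AMEngineVersion', 'AMProductVersion',
           'AntivirusEnabled', 'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
           'IsTamperProtected', 'AntivirusSignatureVersion', 'AntivirusSignatureAge',
           'DefenderSignaturesOutOfDate', 'QuickScanAge', 'FullScanAge', 'RebootRequired'

# Runs on every target. Invoke-Command fans out in parallel (32 hosts at a time
# unless -ThrottleLimit is set) and stamps PSComputerName on each returned object.
$collect = {
    $now = (Get-Date).ToString('o')
    Get-MpComputerStatus |
        Select-Object -Property $using:columns |
        Add-Member -NotePropertyName CollectedAt -NotePropertyValue $now -PassThru
}

# One bad host must not abort the run; errors are kept in $failures so that
# every requested host still gets a row in the evidence file.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect `
    -ErrorAction SilentlyContinue -ErrorVariable failures
$collected = @($results | ForEach-Object { $_.PSComputerName })

function New-EvidenceRow {
    param ($Name, $Status, $Compliant, $Detail, $Data)
    # Fixed column set so collected and unreachable hosts line up in one CSV
    $collectedAt = if ($Data) { $Data.CollectedAt } else { $null }
    $row = [ordered]@{
        ComputerName = $Name
        Status       = $Status
        Compliant    = $Compliant
        Detail       = $Detail
        CollectedAt  = $collectedAt
    }
    foreach ($c in $columns) { $row[$c] = if ($Data) { $Data.$c } else { $null } }
    [pscustomobject]$row
}

$rows = @(
    foreach ($r in $results) {
        # Assumed evidence criteria; adjust to the control being demonstrated
        $compliant = ($r.AntivirusEnabled -and $r.RealTimeProtectionEnabled -and
                      -not $r.DefenderSignaturesOutOfDate -and
                      $r.AntivirusSignatureAge -le $MaxSignatureAgeDays -and
                      $r.QuickScanAge -le $MaxQuickScanAgeDays)
        New-EvidenceRow -Name $r.PSComputerName -Status 'Collected' -Compliant $compliant -Detail '' -Data $r
    }
    foreach ($name in $ComputerName) {
        if ($name -notin $collected) {
            # Remoting connection errors carry the target name in TargetObject
            $err = $failures | Where-Object { "$($_.TargetObject)" -eq $name } | Select-Object -First 1
            $detail = if ($err) { $err.Exception.Message } else { 'no result returned' }
            New-EvidenceRow -Name $name -Status 'Unreachable' -Compliant $false -Detail $detail -Data $null
        }
    }
)

$rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
Write-Verbose "Wrote $($rows.Count) rows to $OutputPath"
$rows

# Example invocation (constructed host names):
# .\Get-DefenderEvidence.ps1 -ComputerName 'WKS-001', 'SRV-FILE01' -Verbose |
#     Format-Table ComputerName, Status, Compliant, AntivirusSignatureAge, QuickScanAge, Detail -AutoSize
```

The rows are emitted to the pipeline as well as to the CSV, so the same run can be formatted on screen for a screenshot while the file goes into the evidence package. A QuickScanAge of 4294967295 on a host means no quick scan has ever completed there, and the threshold check marks it non-compliant rather than treating the value as a date.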

Conclusion

This PowerShell script automates the retrieval of malware protection details from remote computers using Windows Defender, making it easier to monitor and manage security across your network. By running this script, you can efficiently collect comprehensive malware protection data, reducing the need for manual checks and improving overall security management.

Feel free to customize the script as needed to fit your specific requirements and enhance your malware protection monitoring.

This page was last edited on 2024-11-06 18:45

Powered by Wiki|Docs

© 2025 Code Nomad. All rights reserved