[Newbie] Exploring the Windows Defender Catalog

ELOHIM
Posted on 2019-9-25 15:57:12
Exploring the Windows Defender Catalog
An old post from 2013, very useful. Don't hoard it, and don't show off with it either; that gets you nowhere.
Translate the body text yourself. The results shown in the post are for reference only.
Source: https://devblogs.microsoft.com/scripting/exploring-the-windows-defender-catalog/


Summary: Microsoft Scripting Guy, Ed Wilson, talks about playing around with the Get-MpThreatCatalog function in Windows 8.1.
Microsoft Scripting Guy, Ed Wilson, is here. I bet you thought I fell off of the face of the earth. Actually, I have been busy working with Windows 8.1 and Windows Server 2012 R2. There is some really cool stuff that I want to share. Actually, I have been chomping at the bit for some time, but we have been under a gag order until general availability. There is some way cool networking stuff that I have been working with for a while. I guarantee you will be hearing lots more about my discoveries—and of course about Desired State Configuration in Windows PowerShell 4.0.
But today, I am sitting at my desk sipping a nice cup of Gunpowder green tea, with organic lemon pith, lime pith, Myers Lemon pith, and some ground fresh ginger. The taste is astoundingly fresh! Pair that with a piece of chocolate covered Biscotti, and it puts me in the mood to write. I am playing Alan Parsons on my Zune HD, and just grooving the afternoon away. October is the reason we put up with all the heat and humidity of the deep south summers. It is gorgeous outside, and the leaves on the maple tree in our front yard have already begun to change colors.
Cool Windows Defender stuff
One of the cool things about Windows 8.1 is the Windows Defender module. Windows Defender in Windows 8.1 has grown to be a full-feature product, and it now has a module to facilitate management, which is way cool. There are eleven functions in the Windows Defender module:
PS C:\> Get-Command -Module defender

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Add-MpPreference                                   Defender
Function        Get-MpComputerStatus                               Defender
Function        Get-MpPreference                                   Defender
Function        Get-MpThreat                                       Defender
Function        Get-MpThreatCatalog                                Defender
Function        Get-MpThreatDetection                              Defender
Function        Remove-MpPreference                                Defender
Function        Remove-MpThreat                                    Defender
Function        Set-MpPreference                                   Defender
Function        Start-MpScan                                       Defender
Function        Update-MpSignature                                 Defender
Finding general status info
I have no idea why all of the Windows Defender functions begin with the letters Mp. I do know that a lot of our teams choose a prefix for their nouns so it makes it easy to differentiate their cmdlets or functions from other teams. A good example of this is the cmdlets from the Active Directory module. All of the cmdlets begin with AD. Hey, that makes sense to me. But Mp? Dude. Oh well. It is not hard to remember. I just think of it as “Microsoft protection,” and boom, it is engrained in my brain.
So, to find the status, I use the Get-MpComputerStatus function. It requires no parameters; therefore, I can simply type it in my Windows PowerShell console and receive lots of groovy information. The command and its associated output are shown in the image that follows:
The cool thing, from a management perspective, is that there are a few parameters I can use. These are shown here:
Get-MpComputerStatus [-CimSession <CimSession[]>] [-ThrottleLimit <int>]
[-AsJob]  [<CommonParameters>]
The CimSession parameter takes, well, a CimSession. This means that I can create a CimSession that connects to a bunch of remote computers. Therefore, I can get back status information from them all at the same time. If it is going to be something that might take a while, I can run it as a job in the background. If the command is taking too much memory, I can throttle it down a bit by using the ThrottleLimit parameter. This is great stuff.
But you may say, “It is too much information. What I find myself needing to do is to check version numbers.”
Hey, no sweat. Remember, this is Windows PowerShell, so everything works the same. AND it works easily. For example, if I need to check only on the versions of the various signatures, I simply use the wildcard character (*) with “version.” This technique is shown here:
PS C:\> Get-MpComputerStatus | select *version

AMEngineVersion             : 1.1.9901.0
AMProductVersion            : 4.3.9600.16384
AMServiceVersion            : 4.3.9600.16384
AntispywareSignatureVersion : 1.159.462.0
AntivirusSignatureVersion   : 1.159.462.0
NISEngineVersion            : 2.1.9900.0
NISSignatureVersion         : 108.1.0.0
Looking at the catalog
The strength of Windows Defender is the catalog. The cool thing is that by using the Get-MpThreatCatalog function, I can examine it and see what exact threats Windows Defender actually defends. By using the Measure-Object cmdlet, I can see that there are 167,741 threats listed in my catalog as shown here:
PS C:\> Get-MpThreatCatalog | measure

Count    : 167741
Average  :
Sum      :
Maximum  :
Minimum  :
Property :
One of the neat things to see is the different types of threats that appear in the catalog. I can do this by grouping by the threat CategoryId property as shown in the following command:
PS C:\> Get-MpThreatCatalog | group categoryid | sort count
(Poster's note: categoryid here can be replaced with threatname.)

Count Name                      Group
----- ----                      -----
    1 43                        {MSFT_MpThreatCatalog (ThreatID = 2147483647)}
    1 44                        {MSFT_MpThreatCatalog (ThreatID = 2147483646)}
    4 38                        {MSFT_MpThreatCatalog (ThreatID = 17018), MSFT_Mp…
   12 23                        {MSFT_MpThreatCatalog (ThreatID = 13841), MSFT_Mp…
   25 27                        {MSFT_MpThreatCatalog (ThreatID = 14852), MSFT_Mp…
  102 21                        {MSFT_MpThreatCatalog (ThreatID = 3062), MSFT_MpT…
  103 2                         {MSFT_MpThreatCatalog (ThreatID = 2401), MSFT_MpT…
  156 11                        {MSFT_MpThreatCatalog (ThreatID = 1605), MSFT_MpT…
  202 46                        {MSFT_MpThreatCatalog (ThreatID = 2147639756), MS…
  259 19                        {MSFT_MpThreatCatalog (ThreatID = 2438), MSFT_MpT…
  281 13                        {MSFT_MpThreatCatalog (ThreatID = 1784), MSFT_MpT…
  346 12                        {MSFT_MpThreatCatalog (ThreatID = 1594), MSFT_MpT…
  488 32                        {MSFT_MpThreatCatalog (ThreatID = 77935), MSFT_Mp…
  506 36                        {MSFT_MpThreatCatalog (ThreatID = 15110), MSFT_Mp…
  520 9                         {MSFT_MpThreatCatalog (ThreatID = 1592), MSFT_MpT…
  840 1                         {MSFT_MpThreatCatalog (ThreatID = 1636), MSFT_MpT…
  969 22                        {MSFT_MpThreatCatalog (ThreatID = 6484), MSFT_MpT…
2053 40                        {MSFT_MpThreatCatalog (ThreatID = 4243), MSFT_MpT…
4829 30                        {MSFT_MpThreatCatalog (ThreatID = 8497), MSFT_MpT…
5145 37                        {MSFT_MpThreatCatalog (ThreatID = 4669), MSFT_MpT…
7116 34                        {MSFT_MpThreatCatalog (ThreatID = 6321), MSFT_MpT…
7850 39                        {MSFT_MpThreatCatalog (ThreatID = 1596), MSFT_MpT…
8405 3                         {MSFT_MpThreatCatalog (ThreatID = 1820), MSFT_MpT…
18071 5                         {MSFT_MpThreatCatalog (ThreatID = 11559), MSFT_Mp…
19382 6                         {MSFT_MpThreatCatalog (ThreatID = 1604), MSFT_MpT…
21652 4                         {MSFT_MpThreatCatalog (ThreatID = 1600), MSFT_MpT…
28868 8                         {MSFT_MpThreatCatalog (ThreatID = 1974), MSFT_MpT…
39555 42                        {MSFT_MpThreatCatalog (ThreatID = 2147489034), MS…
When I spend a lot of time exploring the threat catalog, I like to store the results in a variable. This is because the catalog is so large, and I don’t want to keep repeating calls to do the same thing over and over again. It is inefficient. So, first I store the results into a variable that I call $mp:
$mp = Get-MpThreatCatalog
When I have a collection from the threat catalog, I decide to look through it to find the threats that are in the joke category. To do this, I use a simple Where-Object statement, and look for the word joke in the threat name. This is shown here:
$mp = Get-MpThreatCatalog
$mp | where threatname -match 'joke'
The command and the associated output are shown here:
Join me tomorrow when I will talk about more cool stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy

https://www.facebook.com/MsftWDSI/
https://twitter.com/WDSecurity
Follow these when you have a moment. PM me if you have questions.

If you really want to use WD well, it still takes a lot of effort. Never mind how ugly the GUI is, or the "why is that exe so laggy" complaints.
These days, anyone who won't talk substance is just a hooligan!
Don't comment. Don't give points. Don't cheer. It's pointless. Just read more and use more. Why are people so impatient!
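As an added example (this is not code from Ed Wilson's post and not Microsoft's own script), here is a defender-side health check that strings together the functions the post covers: Get-MpComputerStatus, optionally over a CimSession for several machines at once, the "select *version" trick, loading Get-MpThreatCatalog into a variable once, grouping by CategoryID and filtering by ThreatName. It assumes the Defender module is present (Windows 8.1 / Server 2012 R2 or later). The parameter names $ComputerName, $MaxSignatureAgeDays and $ThreatNamePattern and the three-day threshold are my own choices, and the status properties AntivirusSignatureAge, RealTimeProtectionEnabled and PSComputerName are not shown in the post's output; they are assumed to exist on the Get-MpComputerStatus objects.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumptions: Defender module available; the properties AntivirusSignatureAge,
# RealTimeProtectionEnabled and PSComputerName exist on Get-MpComputerStatus
# output (not shown in the post); parameter names and the 3-day threshold are
# hypothetical choices for this script.
param(
    [string[]]$ComputerName = @(),          # empty = local machine only
    [int]$MaxSignatureAgeDays = 3,          # policy threshold (assumption)
    [string]$ThreatNamePattern = 'joke'     # the same filter the post uses
)

# 1. Collect status locally, or from several machines at once through a
#    CimSession, which is what the post's -CimSession parameter is for.
if ($ComputerName.Count -gt 0) {
    $session = New-CimSession -ComputerName $ComputerName
    $status  = Get-MpComputerStatus -CimSession $session
} else {
    $status  = Get-MpComputerStatus
}

# 2. Report the version fields (the post's "select *version") together with a
#    pass/fail on signature age and real-time protection.
$report = $status | ForEach-Object {
    [pscustomobject]@{
        Computer           = $_.PSComputerName    # empty for the local call
        EngineVersion      = $_.AMEngineVersion
        AVSignatureVersion = $_.AntivirusSignatureVersion
        NISSignatureVersion = $_.NISSignatureVersion
        SignatureAgeDays   = $_.AntivirusSignatureAge
        RealTimeProtection = $_.RealTimeProtectionEnabled
        SignaturesCurrent  = ($_.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }
}
$report | Format-Table -AutoSize

# Remediation hook: stale signatures are the usual finding, and the module
# already ships the function that fixes them.
$report | Where-Object { -not $_.SignaturesCurrent } | ForEach-Object {
    Write-Warning ("Signatures on '{0}' are {1} days old; run Update-MpSignature" -f
        $_.Computer, $_.SignatureAgeDays)
}

# 3. Load the catalog once into a variable, as the post recommends, then answer
#    the two questions it asks: how big is it, and what is in it.
$mp = Get-MpThreatCatalog
"Catalog entries: {0}" -f $mp.Count

# Category breakdown, largest first (the post's group/sort pipeline, with a
# sample threat name instead of the truncated Group column).
$mp | Group-Object -Property CategoryID |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count,
        @{ n = 'CategoryID'; e = { $_.Name } },
        @{ n = 'Example';    e = { $_.Group[0].ThreatName } } |
    Format-Table -AutoSize

# Name search: -match takes a regular expression, so escape or anchor the
# pattern when a literal substring is what you mean.
$hits = $mp | Where-Object { $_.ThreatName -match $ThreatNamePattern }
"{0} catalog entries match '{1}'" -f $hits.Count, $ThreatNamePattern
$hits | Select-Object -First 5 -Property ThreatID, ThreatName, CategoryID |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it from an elevated PowerShell console; pass -ComputerName with one or more hosts to collect status remotely over WinRM/CIM, and adjust -MaxSignatureAgeDays to whatever your update policy allows. Storing the catalog in $mp once is what keeps the grouping and the name search cheap; every additional question about the catalog should reuse that variable rather than call Get-MpThreatCatalog again.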

evans168
Posted on 2019-9-25 16:50:16
Bookmarked...
ELOHIM
(OP) Posted on 2019-9-25 17:14:47

E, honestly all of this is other people's material that I dug up; it isn't original.
Just like that Kafan member who once called me a missionary.
But the material is sitting right there, people won't read it, yet they keep asking about this and that.

Actually, my approach is the same as recommending a good book.
Wanting to live a little easier is just too tiring..

Rating: evans168, +1 reputation: "The last piece of candy is for you!!"

evans168
Posted on 2019-9-25 17:36:24
Last edited by evans168 on 2019-9-25 17:59
ELOHIM posted on 2019-9-25 17:14
E, honestly all of this is other people's material that I dug up; it isn't original.
Just like that Kafan member who once called me a missionary.
But the material is sitting ...

Original? Come on!! If you were the original author, would you still be here shooting the breeze with us???
You'd have been working in the tech industry long ago!! Who would have time for the likes of us...
ELOHIM
(OP) Posted on 2019-9-25 18:18:22
evans168 posted on 2019-9-25 17:36
Original? Come on!! If you were the original author, would you still be here shooting the breeze with us???
You'd have been working in the tech industry long ago!! Who would have time for the likes of us... ...

Fine, it seems the truth can't be spoken here.
Then I'm going back to Mars.
It's too noisy here.
EnZhSTReLniKoVa
Posted on 2019-9-25 18:42:46
There are plenty of manuals; take your time reading them.
ELOHIM
(OP) Posted on 2019-9-25 19:18:21
EnZhSTReLniKoVa posted on 2019-9-25 18:42
There are plenty of manuals; take your time reading them.

Yeah, there are simply too many.
Microsoft University lives up to its name.