Manage Microsoft Endpoint Security with PowerShell

June 20, 2018 | Views: 2635

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

The Microsoft System Center Configuration Manager, or SCCM, has seven reports that you can use to help manage your Microsoft Endpoint Protection software. From an Overall Status and History to Top User Threat List, you can usually get what you need. In some cases though, you may have to dig into a few reports, export the data to an Excel sheet, and then start combining this data just to get some basic details.

Here, I am going to show you a couple of PowerShell scripts that will help you manage your Endpoint Protection software at a glance.

The first script, Endpoint Protection Status, will give you a quick overview of a machine and whether or not it’s up to date, the last scan run, the last infection found, if any, and the results of that infection. (Editor’s Note: All scripts provided are as is. They are written to allow you to cycle through computers instead of running the script separately on each computer.)

EndPointProtectionStatusCheck.ps1

The status of a machine’s security software is vital, and it needs to be known immediately. Without digging through reports or waiting for SCCM to load, this PowerShell script will do that.

This is the general output for a non-infected machine and an infected machine. All data was retrieved in under 30 seconds.
PowerShell Endpoint Status
 
PowerShell Endpoint Status

 

The PowerShell Script:

`Clear-Host
while (1 -ne 2){
$Computer = $Null
$OS = $Null
$Computer = Read-Host “Enter Computer to Scan, or EXIT to quit”
Write-Host “”
if ($Computer -eq “EXIT”) {exit;}
if(Test-Connection -ComputerName $Computer -Count 1 -Quiet -WarningAction SilentlyContinue -ErrorAction SilentlyContinue){

$PCHEALTH = Get-WmiObject -Query “select * from AntiMalwareHealthStatus” -Namespace “rootMicrosoftSecurityClient” -ComputerName $Computer | Select-Object PSComputerName,AntispywareEnabled,AntispywareSignatureUpdateDateTime,AntivirusEnabled,AntivirusSignatureUpdateDateTime,LastFullScanDateTimeEnd,RtpEnabled,NisEnabled,NisSignatureVersion,Version, AntispywareSignatureVersion, AntiVirusSignatureVersion, EngineVersion
$PCINFSTAT = Get-WmiObject -Query “select * from AntiMalwareInfectionStatus” -Namespace “rootMicrosoftSecurityClient” -ComputerName $Computer | Select-Object CriticallyFailedDetections,PendingFullScan,PendingReboot,RecentlyCleanedDetections
$PCDETECTION = Get-WmiObject -Query “select * from Malware” -Namespace “rootMicrosoftSecurityClient” -ComputerName $Computer | Select-Object ThreatName,path, SeverityID, User,DetectionTime,ActionSuccess
$Client = Get-WmiObject -Query “select * from AntiVirusProduct” -Namespace “rootSecurityCenter2” -ComputerName $Computer
Write-Host “EndPoint Status Check”

$Object = New-Object PSObject -Property ([ordered]@{
ComputerName = $PCHEALTH.PSComputerName
Client = $Client.displayname
“Engine Version” = $PCHEALTH.EngineVersion
“AntiVirus Sig Version” = $PCHEALTH.AntiVirusSignatureVersion
“AntiSpyware Sig Version” = $PCHEALTH.AntispywareSignatureVersion
“AntiSpyware Enabled” = $PCHEALTH.AntispywareEnabled
“Spyware Definition Update” = $PCHealth.AntispywareSignatureUpdateDateTime
“AntiVirus Enabled” = $PCHealth.AntivirusEnabled
“AntiVirus Definitions” =$PCHealth.AntivirusSignatureUpdateDateTime
“Last Full Scan” = $PCHealth.LastFullScanDateTimeEnd
“RealTimeProtection” = $PCHealth.RtpEnabled
“AntiMaleware Enabled” = $PCHealth.NisEnabled
“AntiMalware Def” = $PCHealth.NisSignatureVersion
“Failed Detections” = $PCINFSTAT.CriticallyFailedDetections -join “`n”
“Pending Full Scan” = $PCINFSTAT.PendingFullScan
“Pending Reboot” = $PCINFSTAT.PendingReboot
“Recently Cleaned” = $PCINFSTAT.RecentlyCleanedDetections
“Threat Name” = $PCDETECTION.ThreatName -join “`n”
“Severity” = $PCDETECTION.SeverityID
“Path” = $PCDETECTION.Path -join “`n”
“User” = $PCDETECTION.User -join “`n”
“Infection Reported” = $PCDETECTION.DetectionTime -join “`n”
“Able To Clean” = $PCDETECTION.ActionSuccess
} )
Write-Output $Object

} else {
Write-Host “$Computer is not online.`n”;continue
}
}`

Forcing a machine to update its Endpoint Protection or starting a scan can be managed with PowerShell too. Here are the scripts used. Both will provide a PID number in the terminal once the process has started.

With the PowerShell command line scan, you have the option to do a Quick Scan, Full Scan, or Custom Scan. Just change the line in the code. Both of these two scripts utilize Sysinternals PSExec, which can be downloaded from Microsoft.

Endpoint Force Scan

`Clear-Host
while (1 -ne 2){
$Computer = $Null
$OS = $Null
$Computer = Read-Host “Enter Computer to Scan, or EXIT to quit”

if ($Computer -eq “EXIT”) {exit;}

Write-Host “”
Write-Host “Checking if computer is online…”

If (test-connection -count 1 -ComputerName $computer -Quiet) {$OS = gwmi win32_operatingsystem -ComputerName $computer | % caption }
if ($OS -eq $Null)

{Write-Host “Machine Offline”}
elseif ($OS -like “*Win*10*”)
{Write-Host “Windows 10 – Host Online”
PSexec.exe -s -h -d \$Computer -accepteula “$($env:programfiles)Windows DefenderMpCmdRun.exe” -Scan -ScanType 2
Wait-Event -Timeout 15

}

elseif ($OS -like “*Win*7*”)
{Write-Host “Windows 7 – Host Online”
PSexec.exe -s -h -d \$Computer -accepteula “$($env:programfiles)Microsoft Security ClientMpCmdRun.exe” -Scan -ScanType 2
Wait-Event -Timeout 15

}
} else{
Clear-Host
continue
}`

Endpoint Force Update (Combined Script with Endpoint Status Script)

`Clear-Host
while (1 -ne 2){
$Computer = $Null
$OS = $Null
$Computer = Read-Host “Enter Computer to Update, or EXIT to quit”
if ($Computer -eq “EXIT”) {exit;}

Write-Host “”
Write-Host “Checking if computer is online…”

If (test-connection -count 1 -ComputerName $computer -Quiet) {$OS = gwmi win32_operatingsystem -ComputerName $computer | % caption }
if ($OS -eq $Null)

{Write-Host “Machine Offline”}
elseif ($OS -like “*Win*10*”)
{Write-Host “Windows 10 – Host Online”
PSexec.exe -s -h -d \$Computer -accepteula “$($env:programfiles)Windows DefenderMpCmdRun.exe” -removedefinitions -dynamicsignatures
Write-Host “Removing old definitions”
Wait-Event -Timeout 10

PSexec.exe -s -h -d \$Computer -accepteula “$($env:programfiles)Windows DefenderMpCmdRun.exe” -SignatureUpdate
Write-Host “Forcing definition update”
Wait-Event -Timeout 15

}
elseif ($OS -like “*Win*7*”)
{Write-Host “Windows 7 – Host Online”
PSexec.exe -s -h -d \$Computer -accepteula “$($env:programfiles)Windows DefenderMpCmdRun.exe” -removedefinitions -dynamicsignatures
Write-Host “Removing old definitions”
Wait-Event -Timeout 10
PSexec.exe -s -h -d \$Computer -accepteula “$($env:programfiles)Microsoft Security ClientMpCmdRun.exe” -SignatureUpdate
Write-Host “Forcing definition update”
Wait-Event -Timeout 15

}

$PCHEALTH = Get-WmiObject -Query “select * from AntiMalwareHealthStatus” -Namespace “rootMicrosoftSecurityClient” -ComputerName $Computer | Select-Object PSComputerName,AntispywareEnabled,AntispywareSignatureUpdateDateTime,AntivirusEnabled,AntivirusSignatureUpdateDateTime,LastFullScanDateTimeEnd,RtpEnabled,NisEnabled,NisSignatureVersion,Version, AntispywareSignatureVersion, AntiVirusSignatureVersion, EngineVersion
$PCINFSTAT = Get-WmiObject -Query “select * from AntiMalwareInfectionStatus” -Namespace “rootMicrosoftSecurityClient” -ComputerName $Computer | Select-Object CriticallyFailedDetections,PendingFullScan,PendingReboot,RecentlyCleanedDetections
$PCDETECTION = Get-WmiObject -Query “select * from Malware” -Namespace “rootMicrosoftSecurityClient” -ComputerName $Computer | Select-Object ThreatName,path, SeverityID, User,DetectionTime,ActionSuccess
$Client = Get-WmiObject -Query “select * from AntiVirusProduct” -Namespace “rootSecurityCenter2” -ComputerName $Computer

$Object = New-Object PSObject -Property ([ordered]@{
ComputerName = $PCHEALTH.PSComputerName
Client = $Client.displayname
“Engine Version” = $PCHEALTH.EngineVersion
“AntiVirus Sig Version” = $PCHEALTH.AntiVirusSignatureVersion
“AntiSpyware Sig Version” = $PCHEALTH.AntispywareSignatureVersion
“AntiSpyware Enabled” = $PCHEALTH.AntispywareEnabled
“Spyware Definition Update” = $PCHealth.AntispywareSignatureUpdateDateTime
“AntiVirus Enabled” = $PCHealth.AntivirusEnabled
“AntiVirus Definitions” =$PCHealth.AntivirusSignatureUpdateDateTime
“Last Full Scan” = $PCHealth.LastFullScanDateTimeEnd
“RealTimeProtection” = $PCHealth.RtpEnabled
“AntiMaleware Enabled” = $PCHealth.NisEnabled
“AntiMalware Def” = $PCHealth.NisSignatureVersion
“Failed Detections” = $PCINFSTAT.CriticallyFailedDetections -join “`n”
“Pending Full Scan” = $PCINFSTAT.PendingFullScan
“Pending Reboot” = $PCINFSTAT.PendingReboot
“Recently Cleaned” = $PCINFSTAT.RecentlyCleanedDetections
“Threat Name” = $PCDETECTION.ThreatName -join “`n”
“Severity” = $PCDETECTION.SeverityID
“Path” = $PCDETECTION.Path -join “`n”
“User” = $PCDETECTION.User -join “`n”
“Infection Reported” = $PCDETECTION.DetectionTime -join “`n”
“Able To Clean” = $PCDETECTION.ActionSuccess
} )

Write-Output $Object
} else{

Clear-Host
continue
} `

Conclusion

This is by no means an “End All” to managing your machines. But it is very useful and helpful in a pinch. You should still be checking your reports on a regular basis as well.

Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel