  1. <#
  2. .SYNOPSIS
  3. This script sets Windows Defender AV to enable most features for the evaluation of protection capabilities in Windows 10 using the Windows Defender AV cmdlets, described at https://technet.microsoft.com/en-us/library/dn433280.aspx
  4.  
  5. .DESCRIPTION
  6. This script enables many protection capabilities of Microsoft's Defender Antivirus.
  7.  
  8. .PARAMETER Type
  9. Specifies the type of run, e.g. Consumer, Enterprise
  10.  
  11. .NOTES
  12. File Name   : DefenderEvaluationSettings.ps1
  13. Author      : Microsoft
  14. Email       : amcom@microsoft.com
  15. Requires    : PowerShell V1
  16.  
  17. .EXAMPLE
  18.     PSH[C:\foo] : .\DefenderEvaluationSettings.ps1
  19. #>
  20.  
  21. [CmdletBinding(DefaultParameterSetName = "Type")]
  22. param([Parameter(Mandatory                          = $true
  23.                 ,ParameterSetName                   = "Type"
  24.                 ,ValueFromPipeline                  = $true
  25.                 ,ValueFromPipelineByPropertyName    = $true
  26.                 ,HelpMessage                        = "Specifies type of environment e.g. Eval")]
  27. [ValidateNotNullOrEmpty()]
  28. [ValidateSet("Eval")]
  29. [string]
  30. $Type
  31. )
  32.  
  33. # =================================================================================================
  34. #                                              Functions
  35. # =================================================================================================
  36.  
  37. # Verifies that the script is running as admin
  38. function Check-IsElevated
  39. {
  40.     $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
  41.     $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
  42.  
  43.     if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
  44.     {
  45.         Write-Output $true
  46.     }
  47.     else
  48.     {
  49.         Write-Output $false
  50.     }
  51. }
  52.  
  53. # Verifies that script is running on Windows 10 or greater
  54. function Check-IsWindows10
  55. {
  56.     if ([System.Environment]::OSVersion.Version.Major -ge "10")
  57.     {
  58.         Write-Output $true
  59.     }
  60.     else
  61.     {
  62.         Write-Output $false
  63.     }
  64. }
  65.  
  66.  
  67. function Check-MinCAMPVersion()
  68. {
  69.     $AMserviceVer = ([system.version](Get-MpComputerStatus).AMServiceVersion)
  70.     $minExpectedVer = ([int](Get-Date -Format "yyMM")) - 4
  71.     if (($AMserviceVer.Build -ge $minExpectedVer) -and ($AMserviceVer.Major -ge 4) -and ($AMserviceVer.Minor -ge 18))
  72.     {
  73.         return $true
  74.     }
  75.     else
  76.     {
  77.         return $false
  78.     }
  79. }
  80.  
  81. function CheckAndUpdateCAMP()
  82. {
  83.     $retvCAMP = Check-MinCAMPVersion
  84.     if ($retvCAMP -eq $false)
  85.     {
  86.         LogAndConsole("`nDefender CAMP/Platform version is too old, trying to force CAMP bits update...it would take approx 30 secs`n")
  87.         #to force camp
  88.         Update-MpSignature -UpdateSource MMPC
  89.         Start-Sleep -s 30
  90.  
  91.         $retvCAMP = Check-MinCAMPVersion
  92.         if ($retvCAMP -eq $false)
  93.         {
  94.             LogErrorAndConsole("`n!!!Defender CAMP/Platform version is too old and could not be updated!!!`n")
  95.         }
  96.     }
  97. }
  98.  
  99. function Configure-ASR()
  100. {
  101.     LogAndConsole("Enabling Exploit Guard ASR rules")
  102.     Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
  103.     Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
  104.     Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
  105.     Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
  106.     Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
  107.     Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
  108.     Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
  109.     Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
  110.     Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
  111.     Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
  112.     Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled
  113.  
  114.     # New in 1809
  115.     Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
  116.     Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions Enabled
  117.     Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled
  118.  
  119.     # New in 1903
  120.     Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
  121. }
  122.  
  123.  
  124. function Check-DefenderService()
  125. {
  126.     $defservice = Get-Service -Name Windefend
  127.     if ($defservice.status -eq "Stopped")
  128.     {
  129.         New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 2 -PropertyType DWORD -Force | Out-Null
  130.         Get-Service Windefend | Where {$defservice.status -eq "Stopped"} |  Start-Service
  131.     }
  132.  
  133.     $defservice = Get-Service -Name Windefend
  134.     if ($defservice.status -ne "Running")
  135.     {
  136.         LogErrorAndConsole("Unable to start defender service!!!")
  137.         throw "Unable to start defender service!!!"
  138.     }
  139.     else
  140.     {
  141.         Log("`nDefender service check passed`n")
  142.     }
  143. }
  144.  
  145. function Test-MeteredConnection
  146. {
  147.     [void][Windows.Networking.Connectivity.NetworkInformation, Windows, ContentType = WindowsRuntime]
  148.     $networkprofile = [Windows.Networking.Connectivity.NetworkInformation]::GetInternetConnectionProfile()
  149.    
  150.     if ($networkprofile -eq $null)
  151.     {
  152.         LogErrorAndConsole("Can't find any internet connection, Defender cloud protection will be impacted!")
  153.         return $false
  154.     }
  155.    
  156.     $cost = $networkprofile.GetConnectionCost()
  157.    
  158.    
  159.     if ($cost -eq $null)
  160.     {
  161.         Log("Can't find any internet connection type and whether it is metered or not!")
  162.         return $false
  163.     }
  164.    
  165.     if ($cost.Roaming -or $cost.OverDataLimit)
  166.     {
  167.         LogErrorAndConsole("Machine internet connection is a Meterered Connection - Defender will operate with reduced functionality!")
  168.         return $true
  169.     }
  170.    
  171.     if ($cost.NetworkCostType -eq [Windows.Networking.Connectivity.NetworkCostType]::Fixed -or
  172.     $cost.NetworkCostType -eq [Windows.Networking.Connectivity.NetworkCostType]::Variable)
  173.     {
  174.         LogErrorAndConsole("Machine internet connection is a Meterered Connection - Defender will operate with reduced functionality!")
  175.         return $true
  176.     }
  177.    
  178.     if ($cost.NetworkCostType -eq [Windows.Networking.Connectivity.NetworkCostType]::Unrestricted)
  179.     {
  180.         Log("Network Connection type unrestricted")
  181.         return $false
  182.     }
  183.    
  184.     Log("Network cost type is unknown!")
  185. }
  186.  
  187. #Log file name and location
  188. $LogFileName = "DefenderEvaluationSettings.log";
  189. $LogFilePath = Join-Path (Get-Item -Path ".\").FullName $LogFileName;
  190.  
  191. function Log
  192. {
  193.     param($message);
  194.     if (Test-Path $LogFilePath)
  195.     {
  196.         $LogFile    = Get-Item $LogFilePath;
  197.     }
  198.  
  199.     $currenttime    = Get-Date -format u;
  200.     $outputstring   = "[" + $currenttime + "] " + $message;
  201.     $outputstring | Out-File $LogFilepath -Append;
  202. }
  203.  
  204. function LogAndConsole($message)
  205. {
  206.     Write-Host $message -ForegroundColor Green
  207.     Log $message
  208. }
  209.  
  210. function LogErrorAndConsole($message)
  211. {
  212.     Write-Host $message -ForegroundColor Red
  213.     Log $message
  214. }
  215.  
  216. # =================================================================================================
  217. #                                              Main
  218. # =================================================================================================
  219. if (!(Check-IsElevated))
  220. {
  221.     throw "Please run this script from an elevated PowerShell prompt"
  222. }
  223.  
  224. if (!(Check-IsWindows10))
  225. {
  226.     throw "Please run this script on Windows 10"
  227. }
  228.  
  229. Write-Host "This script helps configure Windows Defender Antivirus in order to evaluate its protection capabilities. `nFor more information see the Windows Defender AV protection evaluation guide (https://aka.ms/evaluatewdav)`, You could consult Windows Defender AV documentation for configuration methods at https://aka.ms/wdavdocs"
  230. LogAndConsole("Type: $Type")
  231. Write-Host "Updating Windows Defender AV settings" -ForegroundColor Green
  232. Log("Updating Windows Defender AV settings")
  233.  
  234. #Test if a connection is Metered or not
  235. Test-MeteredConnection
  236.  
  237. #check and update CAMP/Platform version - to make sure it is not running too old unrealistic setup.
  238. CheckAndUpdateCAMP
  239.  
  240. #Ensure defender service is running
  241. Check-DefenderService
  242.  
  243. # trigger AV sig update
  244. Update-MpSignature
  245.  
  246. try
  247. {
  248.     LogAndConsole("Enable real-time monitoring")
  249.     Set-MpPreference -DisableRealtimeMonitoring $false
  250.  
  251.     LogAndConsole("Enable cloud-deliveredprotection")
  252.     Set-MpPreference -MAPSReporting Advanced
  253.  
  254.     LogAndConsole("Enable sample submission")
  255.     Set-MpPreference -SubmitSamplesConsent SendAllSamples
  256.  
  257.     LogAndConsole("Enable checking signatures before scanning")
  258.     Set-MpPreference -CheckForSignaturesBeforeRunningScan 1
  259.  
  260.     LogAndConsole("Enable behavior monitoring")
  261.     Set-MpPreference -DisableBehaviorMonitoring 0
  262.  
  263.     LogAndConsole("Enable IOAV protection")
  264.     Set-MpPreference -DisableIOAVProtection 0
  265.  
  266.     LogAndConsole("Enable script scanning")
  267.     Set-MpPreference -DisableScriptScanning 0
  268.  
  269.     LogAndConsole("Enable removable drive scanning")
  270.     Set-MpPreference -DisableRemovableDriveScanning 0
  271.  
  272.     LogAndConsole("Enable Block at first sight")
  273.     Set-MpPreference -DisableBlockAtFirstSeen 0
  274.  
  275.     LogAndConsole("Schedule signature updates every 2 hours")
  276.     Set-MpPreference -SignatureUpdateInterval 2
  277.  
  278.     LogAndConsole("Enable archive scanning")
  279.     Set-MpPreference -DisableArchiveScanning 0
  280.  
  281.     LogAndConsole("Enable email scanning")
  282.     Set-MpPreference -DisableEmailScanning 0
  283.  
  284.     LogAndConsole("Enable potentially unwanted apps")
  285.     Set-MpPreference -PUAProtection Enabled
  286.  
  287.     LogAndConsole("Set cloud block level to 'High'")
  288.     Set-MpPreference -CloudBlockLevel High
  289.  
  290.     LogAndConsole("Set cloud block timeout to 1 minute")
  291.     Set-MpPreference -CloudExtendedTimeout 55
  292.  
  293.     LogAndConsole("Enabling Controlled Folder Access and setting to block mode")
  294.     Set-MpPreference -EnableControlledFolderAccess Enabled
  295.    
  296.     LogAndConsole("Enabling Exploit Guard ASR rules and setting to block mode")
  297.     Configure-ASR
  298.  
  299.     LogAndConsole("Enabling Network Protection and setting to block mode")
  300.     Set-MpPreference -EnableNetworkProtection Enabled
  301.  
  302.     # Enable Exploit Protection
  303.     LogAndConsole("Enabling Exploit Protection")
  304.     Set-ProcessMitigation -PolicyFilePath .\ProcessMitigation-Selfhost-v5.xml
  305.        
  306.  
  307.     Write-Host "`Settings update complete"  -ForegroundColor Green
  308.  
  309.     # Log current configurations
  310.     Log("Log  current configurations")
  311.     $Preferences        = Get-MpPreference
  312.     $PreferenceNames    = $Preferences | Get-Member -MemberType Property | % Name
  313.  
  314.     foreach ($PreferenceName in $PreferenceNames)
  315.     {
  316.         $val =  $Preferences.$PreferenceName
  317.         Log("Name: $PreferenceName   Value: $val")
  318.     }
  319.  
  320.     # Log threats found
  321.     Log("Log threats found")
  322.     $Threats    = Get-MpThreat
  323.     foreach ($Threat in  $Threats)
  324.     {
  325.         $id     =  $Threat.ThreatID
  326.         $name   = $Threat.ThreatName
  327.         Log("Id: $id   Name: $name")
  328.     }
  329. }
  330. catch
  331. {
  332.     $ErrorMessage   = $_.Exception.Message
  333.     $Location       = $_.ScriptStackTrace
  334.     LogErrorAndConsole("Script failed with error: $ErrorMessage; $Location")
  335.     throw
  336. }
  337.  
  338. LogAndConsole("Script execution completed. Log file location: $LogFilePath")
  339.  
  340. #https://technet.microsoft.com/en-us/library/dn433280.aspx
  341. #Set-MpPreference Options
  342.  
  343. #[-ExclusionPath <string[]>]
  344. #[-ExclusionExtension <string[]>]
  345. #[-ExclusionProcess <string[]>]
  346. #[-RealTimeScanDirection {Both | Incoming | Outcoming}]
  347. #[-QuarantinePurgeItemsAfterDelay <uint32>]
  348. #[-RemediationScheduleDay {Everyday | Sunday |  Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
  349. #[-RemediationScheduleTime <datetime>]
  350. #[-ReportingAdditionalActionTimeOut <uint32>]
  351. #[-ReportingCriticalFailureTimeOut <uint32>]
  352. #[-ReportingNonCriticalTimeOut <uint32>]
  353. #[-ScanAvgCPULoadFactor <byte>]
  354. #[-CheckForSignaturesBeforeRunningScan <bool>]
  355. #[-ScanPurgeItemsAfterDelay <uint32>]
  356. #[-ScanOnlyIfIdleEnabled <bool>]
  357. #[-ScanParameters {QuickScan | FullScan}]
  358. #[-ScanScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
  359. #[-ScanScheduleQuickScanTime <datetime>]
  360. #[-ScanScheduleTime <datetime>]
  361. #[-SignatureFirstAuGracePeriod <uint32>]
  362. #[-SignatureAuGracePeriod <uint32>]
  363. #[-SignatureDefinitionUpdateFileSharesSources <string>]
  364. #[-SignatureDisableUpdateOnStartupWithoutEngine <bool>]
  365. #[-SignatureFallbackOrder <string>]
  366. #[-SignatureScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
  367. #[-SignatureScheduleTime <datetime>]
  368. #[-SignatureUpdateCatchupInterval <uint32>]
  369. #[-SignatureUpdateInterval <uint32>]
  370. #[-MAPSReporting {Disabled | Basic | Advanced}]
  371. #[-SubmitSamplesConsent {None | Always | Never}]
  372. #[-DisableAutoExclusions <bool>]
  373. #[-DisablePrivacyMode <bool>]
  374. #[-RandomizeScheduleTaskTimes <bool>]
  375. #[-DisableBehaviorMonitoring <bool>]
  376. #[-DisableIntrusionPreventionSystem <bool>]
  377. #[-DisableIOAVProtection <bool>]
  378. #[-DisableRealtimeMonitoring <bool>]
  379. #[-DisableScriptScanning <bool>]
  380. #[-DisableArchiveScanning <bool>]
  381. #[-DisableCatchupFullScan <bool>]
  382. #[-DisableCatchupQuickScan <bool>]
  383. #[-DisableEmailScanning <bool>]
  384. #[-DisableRemovableDriveScanning <bool>]
  385. #[-DisableRestorePoint <bool>]
  386. #[-DisableScanningMappedNetworkDrivesForFullScan <bool>]
  387. #[-DisableScanningNetworkFiles <bool>]
  388. #[-UILockdown <bool>]
  389. #[-ThreatIDDefaultAction_Ids <long[]>]
  390. #[-ThreatIDDefaultAction_Actions {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
  391. #[-UnknownThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
  392. #[-LowThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
  393. #[-ModerateThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
  394. #[-HighThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
  395. #[-SevereThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
  396. #[-Force]
  397. #[-DisableBlockAtFirstSeen <bool>]
  398. #[-PUAProtection {Disabled | Enabled | AuditMode}]
  399. #[-CimSession <CimSession[]>]
  400. #[-ThrottleLimit <int>] [-AsJob]  [<CommonParameters>]
  401.  
# Explicit success exit code for callers that check $LASTEXITCODE; only reached
# when the try block above completed without a terminating error.
exit 0