<#
.SYNOPSIS
This script sets Windows Defender AV to enable most features for the evaluation of protection capabilities in Windows 10 using the Windows Defender AV cmdlets, described at https://technet.microsoft.com/en-us/library/dn433280.aspx
.DESCRIPTION
This script enables many protection capabilities of Microsoft's Defender Antivirus. The resulting configuration (ASR, Controlled Folder Access and Network Protection in block mode, cloud block level High, all samples submitted automatically) is an evaluation profile, not a production baseline.
.PARAMETER Type
Specifies the type of run. Only "Eval" is accepted (enforced by ValidateSet below).
.NOTES
File Name : DefenderEvaluationSettings.ps1
Author : Microsoft
Email : amcom@microsoft.com
Requires : Windows PowerShell 3.0 or later on Windows 10 with the Defender cmdlets available (the script uses [CmdletBinding()], the simplified ForEach-Object syntax and WinRT type projection, which PowerShell 7 does not provide). Must be run from an elevated prompt.
.EXAMPLE
PSH[C:\foo] : .\DefenderEvaluationSettings.ps1
#>
[CmdletBinding(DefaultParameterSetName = "Type")]
param(
    # Environment profile to apply. Mandatory, accepted from the pipeline (by value or by the
    # "Type" property name); the only value the ValidateSet allows is "Eval".
    [Parameter(Mandatory = $true, ParameterSetName = "Type", ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, HelpMessage = "Specifies type of environment e.g. Eval")]
    [ValidateNotNullOrEmpty()]
    [ValidateSet("Eval")]
    [string]
    $Type
)
- # =================================================================================================
- # Functions
- # =================================================================================================
- # Verifies that the script is running as admin
# Returns $true when the current Windows identity holds the built-in Administrators role
# (i.e. the process token is elevated), $false otherwise. The value is emitted to the
# pipeline, so callers use it as `if (Check-IsElevated) { ... }`.
function Check-IsElevated
{
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName System.Security.Principal.WindowsPrincipal -ArgumentList $identity
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    Write-Output ($principal.IsInRole($adminRole))
}
- # Verifies that script is running on Windows 10 or greater
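# Returns $true when the OS major version reported by the runtime is 10 or higher, $false otherwise.
# NOTE: Windows 11 and Windows Server 2016+ also report major version 10, so this only rejects
# Windows 8.1 / Server 2012 R2 and older; it does not pin the machine to Windows 10 client.
function Check-IsWindows10
{
    # Compare as an integer. The previous code compared against the string "10"; PowerShell
    # coerced it because the left operand is an int, but it read as a lexical comparison.
    $major = [System.Environment]::OSVersion.Version.Major
    Write-Output ($major -ge 10)
}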
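# Returns $true when the installed Defender antimalware platform ("CAMP") version is recent enough
# for a meaningful evaluation: major >= 4, minor >= 18, and a build stamp no older than four months.
# The platform version reported by Get-MpComputerStatus has the form major.minor.yyMM.rev
# (e.g. 4.18.2301.6), so the Build field is a year/month stamp and is compared against a yyMM
# cut-off derived from today's date.
# NOTE(review): the Minor -ge 18 test would wrongly fail a hypothetical 5.x platform with a
# minor below 18; fine for now, worth revisiting if the major version ever changes.
function Check-MinCAMPVersion()
{
    $platformVersion = [System.Version](Get-MpComputerStatus).AMServiceVersion
    # Use calendar arithmetic for the cut-off. The previous implementation subtracted 4 from the
    # yyMM integer, which is wrong across a year boundary: in March 2023 it produced 2303 - 4 = 2299
    # and rejected a platform built in December 2022 (2212), only three months old.
    $minBuild = [int](Get-Date).AddMonths(-4).ToString("yyMM")
    $isRecent = (
        ($platformVersion.Major -ge 4) -and
        ($platformVersion.Minor -ge 18) -and
        ($platformVersion.Build -ge $minBuild)
    )
    return $isRecent
}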
# Ensures the Defender platform is not too old for the evaluation. If Check-MinCAMPVersion reports
# it is, triggers a signature update directly from the Microsoft Malware Protection Center (MMPC)
# — the author relies on this to also pull the platform ("CAMP") bits — waits ~30 seconds and
# re-checks. Failure is only logged; the function never throws, so the run continues on an old
# platform and the log must be read to notice it.
function CheckAndUpdateCAMP()
{
    if ((Check-MinCAMPVersion) -ne $false)
    {
        return
    }
    LogAndConsole("`nDefender CAMP/Platform version is too old, trying to force CAMP bits update...it would take approx 30 secs`n")
    # MMPC source rather than the configured fallback order, to force the platform update.
    Update-MpSignature -UpdateSource MMPC
    Start-Sleep -Seconds 30
    if ((Check-MinCAMPVersion) -eq $false)
    {
        LogErrorAndConsole("`n!!!Defender CAMP/Platform version is too old and could not be updated!!!`n")
    }
}
# Enables the Exploit Guard attack surface reduction (ASR) rules used for the evaluation, one
# Add-MpPreference call per rule so that a rule ID unknown to an older platform does not stop the
# remaining rules from being applied. All rules are set to Enabled (block mode).
# The rule names below are descriptive only and are taken from Microsoft's public ASR rule
# reference — the GUID is what the platform keys on; verify the names against current docs
# before relying on them. Several of these (e.g. the PSExec/WMI process-creation rule and the
# prevalence/age/trusted-list rule) may interfere with admin tooling; that is acceptable on an
# evaluation box but is not a production baseline.
function Configure-ASR()
{
    LogAndConsole("Enabling Exploit Guard ASR rules")
    $asrRules = [ordered]@{
        '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
        '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
        'D4F940AB-401B-4EfC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
        'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
        '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
        'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
        '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
        'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
        'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
        'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
        '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet a prevalence, age or trusted-list criterion'
        # New in 1809
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
        '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
        '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
        # New in 1903
        'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    }
    foreach ($ruleId in $asrRules.Keys)
    {
        # $asrRules[$ruleId] is documentation only; it is never passed to Defender.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
    }
}
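# Ensures the Defender antimalware service (WinDefend) is running. If it is Stopped, resets its
# start type to Automatic (Start = 2) under HKLM and starts it; the service state is then re-read
# and the function throws (after logging) if it is still not Running.
# Caveats a practitioner should expect: Start-Service fails when Tamper Protection is on, when a
# third-party AV has registered and put Defender into passive/disabled mode, or when the service
# is disabled by policy. This function does not try to undo any of those — it only reports.
function Check-DefenderService()
{
    $service = Get-Service -Name WinDefend
    if ($service.Status -eq "Stopped")
    {
        New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 2 -PropertyType DWORD -Force | Out-Null
        # Start the service directly. The previous pipeline used a Where-Object that tested the
        # already-captured service object instead of $_, so the filter was always true and did
        # nothing; the re-check below is what actually validates the outcome.
        Start-Service -Name WinDefend
    }
    $service = Get-Service -Name WinDefend
    if ($service.Status -ne "Running")
    {
        LogErrorAndConsole("Unable to start defender service!!!")
        throw "Unable to start defender service!!!"
    }
    Log("`nDefender service check passed`n")
}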
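# Best-effort check of whether the machine's internet connection is metered, which reduces
# Defender cloud protection and sample submission. Returns $true when the connection is metered
# (Fixed or Variable cost type, roaming, or over its data limit) and $false otherwise — including
# when no internet profile exists, when no cost information is available, or when the cost type is
# unknown; each of those cases is logged. Always returns a [bool]: the previous version fell off
# the end for an unknown cost type and returned nothing.
# Uses the WinRT NetworkInformation projection, which as far as I can tell is only available in
# Windows PowerShell (not PowerShell 7). The caller currently discards the result and relies on
# the log lines.
function Test-MeteredConnection
{
    [void][Windows.Networking.Connectivity.NetworkInformation, Windows, ContentType = WindowsRuntime]
    $connProfile = [Windows.Networking.Connectivity.NetworkInformation]::GetInternetConnectionProfile()
    if ($null -eq $connProfile)
    {
        LogErrorAndConsole("Can't find any internet connection, Defender cloud protection will be impacted!")
        return $false
    }
    $cost = $connProfile.GetConnectionCost()
    if ($null -eq $cost)
    {
        Log("Can't find any internet connection type and whether it is metered or not!")
        return $false
    }
    $isMetered = (
        $cost.Roaming -or
        $cost.OverDataLimit -or
        ($cost.NetworkCostType -eq [Windows.Networking.Connectivity.NetworkCostType]::Fixed) -or
        ($cost.NetworkCostType -eq [Windows.Networking.Connectivity.NetworkCostType]::Variable)
    )
    if ($isMetered)
    {
        LogErrorAndConsole("Machine internet connection is a Metered Connection - Defender will operate with reduced functionality!")
        return $true
    }
    if ($cost.NetworkCostType -eq [Windows.Networking.Connectivity.NetworkCostType]::Unrestricted)
    {
        Log("Network Connection type unrestricted")
        return $false
    }
    # Unknown cost type: treat as not metered (nothing actionable), but say so in the log.
    Log("Network cost type is unknown!")
    return $false
}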
- #Log file name and location
$LogFileName = "DefenderEvaluationSettings.log"
# The log lands in the directory the script was *invoked from* (current location), which is not
# necessarily the directory the script lives in. Note it also records the full Get-MpPreference
# dump (including any exclusion lists) at the end of the run.
$LogFilePath = Join-Path -Path (Get-Item -Path ".\").FullName -ChildPath $LogFileName
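# Appends one timestamped line — "[<Get-Date -Format u>] <message>" — to the log file at
# $LogFilePath (script scope). Creates the file on first use; never writes to the console.
function Log
{
    param($message)
    $stamp = Get-Date -Format u
    $line = "[" + $stamp + "] " + $message
    # Out-File -Append creates the file when it does not exist, so the previous Test-Path /
    # Get-Item probe (whose result was never used) was dead code and has been dropped.
    $line | Out-File $LogFilePath -Append
}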
# Informational output: prints $message to the host in green and appends it to the log via Log.
function LogAndConsole($message)
{
    Write-Host -Object $message -ForegroundColor Green
    Log -message $message
}
# Error output: prints $message to the host in red and appends it to the log via Log. Does not
# write to the error stream or throw — the caller decides whether the condition is fatal.
function LogErrorAndConsole($message)
{
    Write-Host -Object $message -ForegroundColor Red
    Log -message $message
}
- # =================================================================================================
- # Main
- # =================================================================================================
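# ---- Preconditions: elevated token and a Windows 10-era OS ----
if (!(Check-IsElevated))
{
    throw "Please run this script from an elevated PowerShell prompt"
}
if (!(Check-IsWindows10))
{
    throw "Please run this script on Windows 10"
}
Write-Host "This script helps configure Windows Defender Antivirus in order to evaluate its protection capabilities. `nFor more information see the Windows Defender AV protection evaluation guide (https://aka.ms/evaluatewdav)`, You could consult Windows Defender AV documentation for configuration methods at https://aka.ms/wdavdocs"
LogAndConsole("Type: $Type")
LogAndConsole("Updating Windows Defender AV settings")
# Metered connections degrade cloud protection; the result is logged inside the function and
# discarded here so the bare $true/$false no longer leaks into the script's output stream.
$null = Test-MeteredConnection
# Make sure the platform is not unrealistically old, then that the engine service is up.
CheckAndUpdateCAMP
Check-DefenderService
# Refresh security intelligence before changing settings. Outside the try on purpose: a failed
# update is a non-terminating error and should not abort the configuration below.
Update-MpSignature
try
{
    LogAndConsole("Enable real-time monitoring")
    Set-MpPreference -DisableRealtimeMonitoring $false
    # MAPS "Advanced" together with SendAllSamples means any suspicious file — potentially
    # including documents with sensitive content — can be uploaded to Microsoft automatically.
    # Appropriate for an evaluation VM; review against your data-handling policy before
    # applying it to real endpoints.
    LogAndConsole("Enable cloud-deliveredprotection")
    Set-MpPreference -MAPSReporting Advanced
    LogAndConsole("Enable sample submission")
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    LogAndConsole("Enable checking signatures before scanning")
    Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
    LogAndConsole("Enable behavior monitoring")
    Set-MpPreference -DisableBehaviorMonitoring $false
    LogAndConsole("Enable IOAV protection")
    Set-MpPreference -DisableIOAVProtection $false
    LogAndConsole("Enable script scanning")
    Set-MpPreference -DisableScriptScanning $false
    LogAndConsole("Enable removable drive scanning")
    Set-MpPreference -DisableRemovableDriveScanning $false
    LogAndConsole("Enable Block at first sight")
    Set-MpPreference -DisableBlockAtFirstSeen $false
    LogAndConsole("Schedule signature updates every 2 hours")
    Set-MpPreference -SignatureUpdateInterval 2
    LogAndConsole("Enable archive scanning")
    Set-MpPreference -DisableArchiveScanning $false
    LogAndConsole("Enable email scanning")
    Set-MpPreference -DisableEmailScanning $false
    LogAndConsole("Enable potentially unwanted apps")
    Set-MpPreference -PUAProtection Enabled
    LogAndConsole("Set cloud block level to 'High'")
    Set-MpPreference -CloudBlockLevel High
    # CloudExtendedTimeout is the number of seconds *added* to the default cloud-check hold
    # (documented as 10 s), so 55 gives roughly a one-minute total, as the log line says.
    LogAndConsole("Set cloud block timeout to 1 minute")
    Set-MpPreference -CloudExtendedTimeout 55
    # Controlled Folder Access, ASR and Network Protection are all put in block mode with no
    # exclusions configured. Expect unknown/unsigned applications that write to protected folders
    # to be blocked; that is the point of the evaluation, not a setting to copy to production.
    LogAndConsole("Enabling Controlled Folder Access and setting to block mode")
    Set-MpPreference -EnableControlledFolderAccess Enabled
    LogAndConsole("Enabling Exploit Guard ASR rules and setting to block mode")
    Configure-ASR
    LogAndConsole("Enabling Network Protection and setting to block mode")
    Set-MpPreference -EnableNetworkProtection Enabled
    # Enable Exploit Protection. The mitigation policy XML is resolved relative to the current
    # directory (as the header example assumes) and is not part of this listing; check for it
    # explicitly so a missing file is logged rather than surfacing as an unexplained cmdlet error
    # at the very end of the run.
    LogAndConsole("Enabling Exploit Protection")
    $mitigationPolicy = ".\ProcessMitigation-Selfhost-v5.xml"
    if (Test-Path -Path $mitigationPolicy)
    {
        Set-ProcessMitigation -PolicyFilePath $mitigationPolicy
    }
    else
    {
        LogErrorAndConsole("Exploit Protection policy file not found: $mitigationPolicy - skipping Set-ProcessMitigation")
    }
    Write-Host "Settings update complete" -ForegroundColor Green
    # Log the resulting configuration (every Get-MpPreference property, including exclusions).
    Log("Log current configurations")
    $Preferences = Get-MpPreference
    $PreferenceNames = $Preferences | Get-Member -MemberType Property | ForEach-Object Name
    foreach ($PreferenceName in $PreferenceNames)
    {
        $val = $Preferences.$PreferenceName
        Log("Name: $PreferenceName Value: $val")
    }
    # Log threats Defender already knows about on this machine.
    Log("Log threats found")
    $Threats = Get-MpThreat
    foreach ($Threat in $Threats)
    {
        $id = $Threat.ThreatID
        $name = $Threat.ThreatName
        Log("Id: $id Name: $name")
    }
}
catch
{
    # Only terminating errors land here; most Set-MpPreference failures are non-terminating and
    # show up on the console without reaching this block.
    $ErrorMessage = $_.Exception.Message
    $Location = $_.ScriptStackTrace
    LogErrorAndConsole("Script failed with error: $ErrorMessage; $Location")
    throw
}
LogAndConsole("Script execution completed. Log file location: $LogFilePath")
# Reference: https://technet.microsoft.com/en-us/library/dn433280.aspx
# Set-MpPreference options (not all are used above)
#[-ExclusionPath <string[]>]
#[-ExclusionExtension <string[]>]
#[-ExclusionProcess <string[]>]
#[-RealTimeScanDirection {Both | Incoming | Outcoming}]
#[-QuarantinePurgeItemsAfterDelay <uint32>]
#[-RemediationScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
#[-RemediationScheduleTime <datetime>]
#[-ReportingAdditionalActionTimeOut <uint32>]
#[-ReportingCriticalFailureTimeOut <uint32>]
#[-ReportingNonCriticalTimeOut <uint32>]
#[-ScanAvgCPULoadFactor <byte>]
#[-CheckForSignaturesBeforeRunningScan <bool>]
#[-ScanPurgeItemsAfterDelay <uint32>]
#[-ScanOnlyIfIdleEnabled <bool>]
#[-ScanParameters {QuickScan | FullScan}]
#[-ScanScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
#[-ScanScheduleQuickScanTime <datetime>]
#[-ScanScheduleTime <datetime>]
#[-SignatureFirstAuGracePeriod <uint32>]
#[-SignatureAuGracePeriod <uint32>]
#[-SignatureDefinitionUpdateFileSharesSources <string>]
#[-SignatureDisableUpdateOnStartupWithoutEngine <bool>]
#[-SignatureFallbackOrder <string>]
#[-SignatureScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
#[-SignatureScheduleTime <datetime>]
#[-SignatureUpdateCatchupInterval <uint32>]
#[-SignatureUpdateInterval <uint32>]
#[-MAPSReporting {Disabled | Basic | Advanced}]
#[-SubmitSamplesConsent {None | Always | Never}]
#[-DisableAutoExclusions <bool>]
#[-DisablePrivacyMode <bool>]
#[-RandomizeScheduleTaskTimes <bool>]
#[-DisableBehaviorMonitoring <bool>]
#[-DisableIntrusionPreventionSystem <bool>]
#[-DisableIOAVProtection <bool>]
#[-DisableRealtimeMonitoring <bool>]
#[-DisableScriptScanning <bool>]
#[-DisableArchiveScanning <bool>]
#[-DisableCatchupFullScan <bool>]
#[-DisableCatchupQuickScan <bool>]
#[-DisableEmailScanning <bool>]
#[-DisableRemovableDriveScanning <bool>]
#[-DisableRestorePoint <bool>]
#[-DisableScanningMappedNetworkDrivesForFullScan <bool>]
#[-DisableScanningNetworkFiles <bool>]
#[-UILockdown <bool>]
#[-ThreatIDDefaultAction_Ids <long[]>]
#[-ThreatIDDefaultAction_Actions {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-UnknownThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-LowThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-ModerateThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-HighThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-SevereThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-Force]
#[-DisableBlockAtFirstSeen <bool>]
#[-PUAProtection {Disabled | Enabled | AuditMode}]
#[-CimSession <CimSession[]>]
#[-ThrottleLimit <int>] [-AsJob] [<CommonParameters>]
exit 0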