From 83d37b392829e0c4319e4a861f5f6e40b1532021 Mon Sep 17 00:00:00 2001
From: Danny de Kooker
Date: Wed, 6 Sep 2023 15:26:27 +0200
Subject: [PATCH] Add Check_scripts/Win - Defender status report.ps1
---
 .../Win - Defender status report.ps1 | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 Check_scripts/Win - Defender status report.ps1
diff --git a/Check_scripts/Win - Defender status report.ps1 b/Check_scripts/Win - Defender status report.ps1
new file mode 100644
index 0000000..5c76829
--- /dev/null
+++ b/Check_scripts/Win - Defender status report.ps1
@@ -0,0 +1,55 @@
+<#
+ .SYNOPSIS
+ Check the status of Windows Defender and report back to TRMM
+
+ .DESCRIPTION
+ This script will check if there have been any viruses found by Windows defender in the last x days,
+ This script should be deployed as a Check Script.
+
+ By default the script will check upto 1 day back in the log,
+ if you specify the first argument of the script it's the amount of days it will search back.
+
+ .OUTPUTS
+ This script will report back if it found any of the event logs on the machine with the message of that log entry.
+ If it doesn't find any viruses (hopefully) it will report back status 0 (No virus found)
+
+ Errorcodes:
+ 0 - All OK
+ 1 - Virus found, {Log information}
+
+ .EXAMPLE
+ Win - Defender status report.ps1 {Ammount of days to check back}
+ Win - Defender status report.ps1 7
+
+ .NOTES
+ Source: Tactical RMM repository
+
+ .CHANGELOG
+ 24-06-2022 - Copied from TRMM repo, tweaked for my customers.
+#>
+
+#region Parameters, functions and global variables
+ $param1 = $args[0]
+ $ErrorActionPreference = 'silentlycontinue'
+#endregion
+#region script
+ if ($Args.Count -eq 0) {
+ $TimeSpan = (Get-Date) - (New-TimeSpan -Day 1)
+ }
+ else {
+ $TimeSpan = (Get-Date) - (New-TimeSpan -Day $param1)
+ }
+
+ if (Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational';ID='1122','1012','1009','1119','1118','1008','1006','1116','1121','1015','1124','1123','1160';StartTime=$TimeSpan}) {
+ Write-Output "Virus Found or Issue with Defender"
+ Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational';ID='1122','1012','1009','1119','1118','1008','1006','1121','1116','1015','1124','1123','1160';StartTime=$TimeSpan} | Select-Object -ExpandProperty Message -First 1
+ exit 1
+ }
+ else {
+ Write-Output "No Virus Found, Defender is Healthy"
+ Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational';ID='1150','1001';StartTime=$TimeSpan}
+ exit 0
+ }
+
+ 
Exit $LASTEXITCODE
+#endregion
\ No newline at end of file
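Review bot: The check fails open: with `$ErrorActionPreference = 'silentlycontinue'` set near the top of the file, a `Get-WinEvent` that cannot read `Microsoft-Windows-Windows Defender/Operational` (log absent, access denied, or cleared) yields nothing without any error, so the `if` falls through to the else branch and reports "No Virus Found, Defender is Healthy" with exit 0 — a monitoring check should distinguish "no matching events" from "could not query the log". I would verify the log is readable before the filtered query, as in the fence below (I believe `-ListLog` with `-ErrorAction Stop` surfaces a missing or inaccessible log, but confirm on a host where the account lacks rights), and likewise validate the day count so a non-numeric argument does not silently produce an unexpected `StartTime`: `if ($Args.Count -gt 0 -and "$param1" -notmatch '^\d+$') { Write-Output "Argument must be a whole number of days"; exit 1 }`. Two smaller points: the event-ID list is duplicated in the two `Get-WinEvent` calls (same set, different order) and would be safer as one hashtable queried once, and the trailing `Exit $LASTEXITCODE` is unreachable because both branches already exit.
```powershell
# … unchanged: comment header, $param1 / $ErrorActionPreference, $TimeSpan calculation …
$defenderLog = 'Microsoft-Windows-Windows Defender/Operational'
try {
    # Fail closed: if the log cannot be read, report a failure instead of "Healthy".
    $null = Get-WinEvent -ListLog $defenderLog -ErrorAction Stop
} catch {
    Write-Output "Unable to read the Defender Operational log: $($_.Exception.Message)"
    exit 1
}
$alertFilter = @{LogName=$defenderLog;ID='1122','1012','1009','1119','1118','1008','1006','1116','1121','1015','1124','1123','1160';StartTime=$TimeSpan}
$alerts = Get-WinEvent -FilterHashtable $alertFilter
# … unchanged: if/else on the query result, using $alerts in place of the two duplicated Get-WinEvent calls …
```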