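<#
.SYNOPSIS
    Check the status of Windows Defender and report back to TRMM.
.DESCRIPTION
    Looks in the "Microsoft-Windows-Windows Defender/Operational" event log for
    detection / remediation-problem events written in the last N days and turns
    the result into a check-script exit code. Deploy as a TRMM Check Script.
    By default the script looks 1 day back; the first argument, when given, is
    the number of days to search back and must be a positive whole number.

    A check that cannot read the Defender log (log not present, access denied,
    bad argument) is reported as a failure, NOT as "healthy": otherwise a
    machine without Defender, or an agent without rights to the log, would
    silently pass.
.OUTPUTS
    Exit 0 - no alert events found in the window; the informational events
             (IDs 1150 / 1001) from the same window are printed for context.
    Exit 1 - one or more alert events found; the first line is
             "Virus Found or Issue with Defender" followed by one line per
             matching event (time, event ID, message), newest first.
    Exit 2 - the Defender log could not be queried or the argument is invalid.
.EXAMPLE
    Win - Defender status report.ps1 {Amount of days to check back}
    Win - Defender status report.ps1 7
.NOTES
    Source: Tactical RMM repository
.CHANGELOG
    24-06-2022 - Copied from TRMM repo, tweaked for my customers.
#>

#region Parameters, functions and global variables
# Event IDs in the Defender operational log that the original check treated as
# "virus found or issue with Defender"; any of them in the window fails the check.
$AlertEventIds = @('1122', '1012', '1009', '1119', '1118', '1008', '1006', '1116', '1121', '1015', '1124', '1123', '1160')
# Event IDs printed for context when the check passes (kept from the original).
$InfoEventIds = @('1150', '1001')
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'
#endregion

#region script
# Size of the look-back window. Validate the argument instead of handing it
# straight to the date arithmetic: a non-numeric or negative value would
# otherwise fail (or produce an empty window) without any visible error.
$Days = 1
if ($args.Count -gt 0) {
    $parsed = 0
    if (-not [int]::TryParse([string]$args[0], [ref]$parsed) -or $parsed -lt 1) {
        Write-Output "Invalid argument '$($args[0])': expected a positive number of days to check back"
        exit 2
    }
    $Days = $parsed
}
$StartTime = (Get-Date).AddDays(-$Days)

# Query the alert events once and reuse the result. Get-WinEvent signals "no
# events match" as a non-terminating error; that is the healthy case. Every
# other error means the Defender state could not be verified, so fail closed.
$queryError = $null
$alerts = @(Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; ID = $AlertEventIds; StartTime = $StartTime } `
    -ErrorAction SilentlyContinue -ErrorVariable queryError)
if ($queryError -and $queryError[0].FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
    Write-Output "Unable to read the Windows Defender event log: $($queryError[0].Exception.Message)"
    exit 2
}

if ($alerts.Count -gt 0) {
    Write-Output "Virus Found or Issue with Defender"
    # Report every matching event, not just the first one, so a detection is
    # not hidden behind an unrelated Defender error that happened later.
    $alerts | Sort-Object TimeCreated -Descending | ForEach-Object {
        Write-Output ("{0:u} [Event {1}] {2}" -f $_.TimeCreated, $_.Id, $_.Message)
    }
    exit 1
}

Write-Output "No Virus Found, Defender is Healthy"
# Informational events only; "no events found" here is not an error.
Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; ID = $InfoEventIds; StartTime = $StartTime } `
    -ErrorAction SilentlyContinue
exit 0
#endregion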