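<#
.SYNOPSIS
Check the status of Windows Defender and report back to TRMM

.DESCRIPTION
This script checks whether Windows Defender has logged any detection, failed
remediation or platform error events in the last x days, by querying the
Microsoft-Windows-Windows Defender/Operational event log.
This script should be deployed as a Check Script.

By default the script will check up to 1 day back in the log;
if you specify the first argument of the script it is the number of days it will search back.

.PARAMETER DaysBack
Number of days to search back in the log (positional, default 1). Must be a
whole number >= 1; anything else ends the check with exit code 2.

.OUTPUTS
This script reports back if it found any of the alert event IDs on the machine,
followed by the message of the newest matching log entry.
If it doesn't find any viruses (hopefully) it will report back status 0 (No virus found)
and list the healthy / scan-finished events from the same period.

Errorcodes:
0 - All OK
1 - Virus found, {Log information}
2 - Check could not run (bad argument, event log missing or not readable).
    This is NOT a healthy result; the log was never inspected.

.EXAMPLE
Win - Defender status report.ps1 {Amount of days to check back}
Win - Defender status report.ps1 7

.NOTES
Source: Tactical RMM repository

.CHANGELOG
24-06-2022 - Copied from TRMM repo, tweaked for my customers.
#>

#region Parameters, functions and global variables
param(
    # Kept as a string so a bad value is reported as exit 2 instead of a
    # parameter-binding failure; it is parsed and validated below.
    [Parameter(Position = 0)]
    [string]$DaysBack = '1'
)

# Errors must surface: with 'silentlycontinue' a failed Get-WinEvent (log absent,
# access denied, bad StartTime) fell through to the "Healthy" branch and exit 0.
$ErrorActionPreference = 'Stop'

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs treated as an alert (detections, failed actions, platform errors).
# Taken from the original check; keep this list in sync with Microsoft's
# Defender Antivirus event reference when reviewing it.
$AlertEventIds = '1122', '1012', '1009', '1119', '1118', '1008', '1006', '1116', '1121', '1015', '1124', '1123', '1160'

# Event IDs listed when the check passes (presumably "platform healthy" and
# "scan finished" — confirm against the event reference).
$HealthyEventIds = '1150', '1001'

function Get-DefenderEvent {
    <#
    .SYNOPSIS
    Returns the Defender operational events with the given IDs logged since
    $StartTime, as an array (empty when nothing matched).
    .DESCRIPTION
    "No matching events" is the only benign failure of Get-WinEvent and is
    turned into an empty array; any other error (log not present, access
    denied) is rethrown so the caller can report that the check did not run.
    #>
    param(
        [string[]]$Id,
        [datetime]$StartTime
    )
    try {
        $found = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; ID = $Id; StartTime = $StartTime } -ErrorAction Stop
        return @($found)
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            return @()
        }
        throw
    }
}
#endregion

#region script
$days = 0
if (-not [int]::TryParse($DaysBack, [ref]$days) -or $days -lt 1) {
    Write-Output "Invalid argument '$DaysBack': expected a whole number of days (>= 1)"
    exit 2
}
$StartTime = (Get-Date) - (New-TimeSpan -Days $days)

# Query inside try/catch only; the exit codes are decided outside so that a
# query failure is the only thing that reaches the catch block.
try {
    # The original ran the same alert filter twice; query once and reuse it.
    $alerts = Get-DefenderEvent -Id $AlertEventIds -StartTime $StartTime
    $healthy = @()
    if ($alerts.Count -eq 0) {
        $healthy = Get-DefenderEvent -Id $HealthyEventIds -StartTime $StartTime
    }
}
catch {
    Write-Output "Unable to query the '$DefenderLog' event log: $($_.Exception.Message)"
    exit 2
}

if ($alerts.Count -gt 0) {
    Write-Output "Virus Found or Issue with Defender"
    # Get-WinEvent returns newest first, so this is the most recent alert message.
    $alerts | Select-Object -ExpandProperty Message -First 1
    exit 1
}

# NOTE(review): an empty alert list only means nothing was logged in the window;
# it does not prove the service is running or signatures are current.
Write-Output "No Virus Found, Defender is Healthy"
$healthy
exit 0
#endregion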