Windows Defender WMI Probe Action

Microsoft.WindowsDefender.AntimalwareWMIProbeActionModuleType (ProbeActionModuleType)

WMI probe for Windows Defender: queries MSFT_MpComputerStatus (namespace root/Microsoft/Windows/Defender) under the elevated local agent RunAs account and returns the protection status as a property bag.

Element properties:

Type: ProbeActionModuleType
Isolation: Any
Accessibility: Internal
RunAs: Microsoft.SystemCenter.LocalAgentElevatedAccount
OutputType: System.PropertyBagData

Member Modules:

ID | Module Type | TypeId | RunAs
PassThrough | ProbeAction | System.PassThroughProbe | Default
probe | ProbeAction | Microsoft.Windows.PowerShellPropertyBagProbe | Default

Overrideable Parameters:

ID | Parameter Type | Selector | Display Name | Description
DelayTime | int | $Config/DelayTime$ | DelayTime | Delay Time (seconds to wait before querying WMI; the only parameter that can be overridden)

Source Code:

<ProbeActionModuleType ID="Microsoft.WindowsDefender.AntimalwareWMIProbeActionModuleType" Accessibility="Internal" RunAs="SC!Microsoft.SystemCenter.LocalAgentElevatedAccount" Batching="false" PassThrough="false">
<Configuration>
<xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="ComputerName" type="xsd:string"/>
<xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="DelayTime" type="xsd:positiveInteger"/>
<xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="MonitorName" type="xsd:string"/>
</Configuration>
<OverrideableParameters>
<OverrideableParameter ID="DelayTime" Selector="$Config/DelayTime$" ParameterType="int"/>
</OverrideableParameters>
<ModuleImplementation Isolation="Any">
<Composite>
<MemberModules>
<ProbeAction ID="PassThrough" TypeID="System!System.PassThroughProbe"/>
<ProbeAction ID="probe" TypeID="Windows!Microsoft.Windows.PowerShellPropertyBagProbe">
<ScriptName>WindowsDefenderHealthMonitorProbe.ps1</ScriptName>
<ScriptBody><Script>
#Requires -Version 2.0

&lt;#
.SYNOPSIS
Get Antimalware Health Status

.DESCRIPTION
This script is to query the Windows Defender WMI interfaces and returns
basic information about the protection status of the machine.

.PARAMETER ComputerName
Specifies the computer name to get antimalware health status

.PARAMETER MonitorName
Specifies the name of the monitor that triggered this script; it is only used to build the debug log file name.

.PARAMETER DelayTime
Specifies how many seconds to wait before querying the status.
When malware has just been detected it can take some time for the WMI instance to reflect the latest state.

.OUTPUTS
Returns a MOM property bag containing the following values (keys as emitted by this script, WMI source property in parentheses):
ProductStatus (AMServiceEnabled; set to 'false' when the WMI query fails)
RtpEnabled (RealTimeProtectionEnabled)
OnAccessProtectionEnabled
AntivirusSignatureAge
LastQuickScanAge (QuickScanAge)
LastFullScanAge (FullScanAge)
AntivirusSignatureUpdateDateTime (AntivirusSignatureLastUpdated)
AntivirusSignatureVersion

#&gt;

Param($ComputerName,$MonitorName,$DelayTime)

# Debug log location: the RunAs account's %TEMP%, one file per monitor name so
# concurrent monitors do not interleave in the same file.
# NOTE(review): MonitorName comes from MP configuration (it is not an overridable
# parameter of this module) and is used unsanitised as part of a file name; it is
# assumed to be a plain name without path separators - confirm against the callers.
$LogFileName = "WindowsDefender-AntimalwareWMIProbe-${MonitorName}.log"
$LogFilePath = Join-Path -Path $Env:temp -ChildPath $LogFileName

# Logging is off unless the MSAMMP registry key carries DebugLogging; Log compares
# the value against the string "1" (an int 1 also matches under PowerShell coercion).
$EnableLog = "0"
$debugKey = "HKLM:\SOFTWARE\Microsoft\MSAMMP"
if (Test-Path $debugKey)
{
    $EnableLog = (Get-ItemProperty -path $debugKey).DebugLogging
}

# Start from an empty error record so later $error checks see only this script's failures.
$error.clear()

function CheckError
{
    # Report any non-terminating errors recorded since the last clear (to the debug
    # log and to the host) and then reset the automatic $error collection.
    if (-not $error) { return }
    Log "Error: $($error)"
    Write-Host "Error: $($error)"
    $error.clear()
}

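function Log
{
    # Append a timestamped line to the debug log. No-op unless DebugLogging is
    # enabled ($EnableLog -eq "1"). The file is rotated by deletion once it passes 64 MiB.
    # NOTE(review): the file name is predictable and is written by an elevated RunAs
    # account into that account's %TEMP%; if that directory is shared with lower-
    # privileged users, Out-File will happily append to a pre-planted file there -
    # confirm the ACLs of the resolved path on the agents.
    param($message)
    if ($EnableLog -eq "1")
    {
        if (Test-Path $LogFilePath)
        {
            $LogFile = Get-Item $LogFilePath
            #recreate log file when it's larger than 64M
            if ($LogFile.length -gt 1024*1024*64)
            {
                Remove-Item $LogFile
            }
        }
        $currenttime = Get-Date -format u
        $outputstring = "[" + $currenttime + "] " + $message
        $outputstring | Out-File $LogFilepath -Append
        # Do not call CheckError here: CheckError reports through Log, so a persistent
        # Out-File failure (unwritable TEMP, locked file) would recurse Log/CheckError
        # until PowerShell aborts on call-depth overflow and the probe never returns
        # its property bag. Report and clear the error inline instead.
        if ($error)
        {
            Write-Host "Error: $($error)"
            $error.clear()
        }
    }
}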

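# Trace the inputs (only written when DebugLogging is on).
Log "ComputerName: $($ComputerName)"
Log "MonitorName: $($MonitorName)"
Log "Delaytime: $($Delaytime)"

# MOM.ScriptAPI is the Operations Manager agent COM interface used to build the
# property bag the monitor consumes.
$api = New-Object -comObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()

CheckError

# Wait before querying: right after a detection the MSFT_MpComputerStatus instance
# can lag behind the real state (see .PARAMETER DelayTime).
# NOTE(review): DelayTime is overridable; a value at or above the module's
# TimeoutSeconds (600) lets the probe be killed before it reports - consider
# validating overrides.
Log "Sleep for $($Delaytime) seconds..."
Start-Sleep -s $Delaytime
Log "Command Line: Get-WmiObject -Class MSFT_MpComputerStatus -Namespace root/Microsoft/Windows/Defender -ComputerName $($ComputerName)"
# Runs under the module's elevated RunAs account; for a non-local ComputerName this
# is a remote DCOM/WMI call made with those credentials.
$Properties = Get-WmiObject -Class MSFT_MpComputerStatus -Namespace root/Microsoft/Windows/Defender -ComputerName $ComputerName
if ($error)
{
    # Any failure (namespace missing, access denied, RPC unreachable) is reported as
    # "product not running". That is fail-safe for a health monitor, but note that a
    # connectivity problem is indistinguishable from Defender being disabled.
    Log "Error: $($error)"
    Log "Cannot get instances. It means the Windows Defender is disabled"
    $bag.AddValue('ProductStatus','false')
}
elseif (-not $Properties)
{
    # The query succeeded but returned no instance. Previously this produced a bag
    # with no ProductStatus at all; treat it like the error case so the monitor
    # always receives a status value.
    Log "Query returned no MSFT_MpComputerStatus instance; reporting ProductStatus false"
    $bag.AddValue('ProductStatus','false')
}
else
{
    # MSFT_MpComputerStatus is expected to have exactly one instance; use the first.
    $property = @($Properties)[0]
    Log "Product Status:`t$($property.AMServiceEnabled)"
    $bag.AddValue('ProductStatus',$property.AMServiceEnabled)
    Log "RTPEnabled:`t$($property.RealTimeProtectionEnabled)"
    $bag.AddValue('RtpEnabled',$property.RealTimeProtectionEnabled)
    Log "OnAccessProtectionEnabled:`t$($property.OnAccessProtectionEnabled)"
    $bag.AddValue('OnAccessProtectionEnabled',$property.OnAccessProtectionEnabled)
    Log "AntivirusSignatureAge:`t$($property.AntivirusSignatureAge)"
    $bag.AddValue('AntivirusSignatureAge',$property.AntivirusSignatureAge)
    Log "LastQuickScanAge:`t$($property.QuickScanAge)"
    $bag.AddValue('LastQuickScanAge',[string]$property.QuickScanAge)
    Log "LastFullScanAge:`t$($property.FullScanAge)"
    $bag.AddValue('LastFullScanAge',[string]$property.FullScanAge)
    Log "AntivirusSignatureUpdateDateTime:`t$($property.AntivirusSignatureLastUpdated)"
    $bag.AddValue('AntivirusSignatureUpdateDateTime',[string]$property.AntivirusSignatureLastUpdated)
    Log "AntivirusSignatureVersion:`t$($property.AntivirusSignatureVersion)"
    $bag.AddValue('AntivirusSignatureVersion',[string]$property.AntivirusSignatureVersion)
}
CheckError
Log "AntimalwareHealthWMIProbe successful"
$api.AddItem($bag)
# Return property bag
$bag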
</Script></ScriptBody>
<Parameters>
<Parameter>
<Name>ComputerName</Name>
<Value>$Config/ComputerName$</Value>
</Parameter>
<Parameter>
<Name>MonitorName</Name>
<Value>$Config/MonitorName$</Value>
</Parameter>
<Parameter>
<Name>DelayTime</Name>
<Value>$Config/DelayTime$</Value>
</Parameter>
</Parameters>
<TimeoutSeconds>600</TimeoutSeconds>
</ProbeAction>
</MemberModules>
<Composition>
<Node ID="probe">
<Node ID="PassThrough"/>
</Node>
</Composition>
</Composite>
</ModuleImplementation>
<OutputType>System!System.PropertyBagData</OutputType>
<TriggerOnly>true</TriggerOnly>
</ProbeActionModuleType>