Defender - MpComputerStatus


  1. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #1

    Defender - MpComputerStatus


    Just a really quick question for which I have investigated and I can't seem to find the answer.

    In Microsoft Defender Antivirus [ MpComputerStatus ], what are the time intervals [ Days, Hours, Minutes, or Property Code ] for the below please ?

    I have found everything else I wanted with regard to time intervals etc, just NOT the specified information for these.

    Code:
    
    SmartAppControlExpiration
    TroubleShootingExpirationLeft

    Thanks.


  2. Posts : 1,746
    Windows 10 Pro x64 22H2
       #2

    You can get the same result with:

    Code:
    Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace "ROOT\Microsoft\Windows\Defender"

    TroubleShootingExpirationLeft is a string note property which is either set or not set; if it's set you'll get your days\hours\minutes.

    ex:

    Code:
    # Query CIM server
    $CimData = Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace "ROOT\Microsoft\Windows\Defender"
    
    # Is it set?
    $CimData | Select-Object SmartAppControlExpiration
    
    # What's the type?
    $CimData.TroubleShootingExpirationLeft.GetType() | Select-Object -ExpandProperty FullName

    Unfortunately the MS docs aren't useful for these 2 specific properties:
    https://learn.microsoft.com/en-us/pr...computerstatus

    See also:

    Code:
    $CimData | Select-Object -Property SmartAppControlExpiration | Get-Member

    Where "SmartAppControlExpiration" says it's "null":

    Code:
       TypeName: Selected.Microsoft.Management.Infrastructure.CimInstance
    
    Name                      MemberType   Definition
    ----                      ----------   ----------
    Equals                    Method       bool Equals(System.Object obj)
    GetHashCode               Method       int GetHashCode()
    GetType                   Method       type GetType()
    ToString                  Method       string ToString()
    SmartAppControlExpiration NoteProperty object SmartAppControlExpiration=null


  3. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #3

    Hello @zebal,

    Thanks for the detailed explanation, it is appreciated.

    zebal said:
    See also:

    Code:
    $CimData | Select-Object -Property SmartAppControlExpiration | Get-Member

    Where "SmartAppControlExpiration" says it's "null":

    Code:
       TypeName: Selected.Microsoft.Management.Infrastructure.CimInstance
    
    Name                      MemberType   Definition
    ----                      ----------   ----------
    Equals                    Method       bool Equals(System.Object obj)
    GetHashCode               Method       int GetHashCode()
    GetType                   Method       type GetType()
    ToString                  Method       string ToString()
    SmartAppControlExpiration NoteProperty object SmartAppControlExpiration=null

    So am I right in saying that SmartAppControlExpiration would be a value of either 0 or 1 if NOT NULL, or something else please?


  4. Posts : 1,746
    Windows 10 Pro x64 22H2
       #4

    Paul Black said:
    So am I right in saying that SmartAppControlExpiration would be a value of either 0 or 1 if NOT NULL, or something else please ?

    That would very likely be an incorrect conclusion, because for the property to hold 0 or 1 the type would be [int32] or some other integral type rather than [string], even more likely [bool] for 0 and 1.

    The reason why it is "string" is likely because the property is supposed to hold a formatted date and time instead of an integral representation of a date or a boolean value.

    Therefore the valid values for this property are either a formatted date and time (if set) or NULL.

    See also this:
    https://support.microsoft.com/en-gb/...e-6698afdb7003

    This is likely the answer why it's NULL on Windows 10:

    Why is Smart App Control turned off?
    Smart App Control is only available on clean installs of Windows 11.


  5. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #5

    Hello @zebal,

    zebal said:
    That would very likely be an incorrect conclusion, because for the property to hold 0 or 1 the type would be [int32] or some other integral type rather than [string], even more likely [bool] for 0 and 1.

    The reason why it is "string" is likely because the property is supposed to hold a formatted date and time instead of an integral representation of a date or a boolean value.

    Therefore the valid values for this property are either a formatted date and time (if set) or NULL.

    See also this:
    https://support.microsoft.com/en-gb/...e-6698afdb7003

    This is likely the answer why it's NULL on Windows 10:

    Perfect answer, thanks.

    Marked as SOLVED.


  6. Posts : 1,746
    Windows 10 Pro x64 22H2
       #6

    Glad to hear it's resolved


  7. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #7

    I have been working on a script for Defender information. I have pretty much finished it, except I just can NOT seem to find the parameters for EACH of the below. By parameters, I mean for EXAMPLE 0=Disable, 1=Block, 2=Audit Mode. Information on the Net is NOT very forthcoming in respect to parameters for Get-MpComputerStatus: or Get-MpPreference:.

    Get-MpComputerStatus:
    Code:
    
    DeviceControlDefaultEnforcement
    DeviceControlState
    TamperProtectionSource
    TDT Mode
    TDT Silo Type
    TroubleShootingDailyMaxQuota
    TroubleShootingDailyQuotaLeft
    TroubleShootingMode
    TroubleShootingModeSource
    TroubleShootingQuotaResetTime

    Get-MpPreference:
    Code:
    
    AttackSurfaceReductionRules_Actions
    AttackSurfaceReductionRules_Actions
    AttackSurfaceReductionRules_Ids
    ControlledFolderAccessAllowedApplications
    ControlledFolderAccessProtectedFolders
    DefinitionUpdatesChannel
    EngineUpdatesChannel
    PlatformUpdatesChannel
    SignatureBlobFileSharesSources
    ThreatIDDefaultAction_Actions
    ThreatIDDefaultAction_Ids
    ThrottleForScheduledScanOnly
    TrustLabelProtectionStatus

    I think the below is . . .

    0=Apply SIU [Security Intelligence Update], 1=Clean, 2=Quarantine, 3=Remove, 6=Allow, 8=UserDefined, 9=NoAction, 10=Block

    . . . but I can NOT confirm it . . .

    Get-MpPreference:
    Code:
    
    HighThreatDefaultAction
    LowThreatDefaultAction
    ModerateThreatDefaultAction
    SevereThreatDefaultAction
    UnknownThreatDefaultAction

    Thanks.


  8. Posts : 782
    Windows 7
       #8


  9. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #9

    Thanks @garlin,

    Paul Black said:
    I think the below is . . .

    0=Apply SIU [Security Intelligence Update], 1=Clean, 2=Quarantine, 3=Remove, 6=Allow, 8=UserDefined, 9=NoAction, 10=Block

    . . . but I can NOT confirm it . . .

    Get-MpPreference:
    Code:
    
    HighThreatDefaultAction
    LowThreatDefaultAction
    ModerateThreatDefaultAction
    SevereThreatDefaultAction
    ThreatIDDefaultAction_Actions
    ThreatIDDefaultAction_Ids
    UnknownThreatDefaultAction



    That confirms the above seven entries.

    I looked at those as well, but obviously NOT closely enough. The strange thing is that my output shows as 0 for the above, but there is NO description for that, unless 0 means Read-Only !


  10. Posts : 782
    Windows 7
       #10

    anti virus - What do Windows Defender Powershell ThreatAction enums map to? - Server Fault
    Ok, got the answer from Microsoft support. 0 is the same as NULL (example of the docs here), which means to follow the default that Microsoft applies to each threat. In other words, every virus/malware/etc. has a severity and threat action (i.e. mitigation) attached. A '0' in GetMpPreference means to use that mitigation and not whatever value you might have specified here to override that universally for each severity level. Hope that helps any future travelers.
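
Added example (not part of the thread and not the posters' script): a PowerShell helper that decodes the five per-severity *ThreatDefaultAction values from Get-MpPreference using the numbers quoted in post #7, and reports 0 or NULL as "no override" as the answer quoted in post #10 explains. The function names and the sample object are constructed for illustration.

```powershell
# Names for 1..10 are the values quoted in post #7 of this thread.
$ThreatActionNames = @{
    1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Allow'
    8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block'
}
$SeveritySettings = @(
    'LowThreatDefaultAction', 'ModerateThreatDefaultAction',
    'HighThreatDefaultAction', 'SevereThreatDefaultAction',
    'UnknownThreatDefaultAction'
)

function ConvertTo-ThreatActionName {
    param($Value)
    # 0 and NULL both mean no override is configured: Defender applies the
    # action Microsoft attached to each individual threat (post #10).
    if ($null -eq $Value -or [int]$Value -eq 0) { return 'Default (no override)' }
    $key = [int]$Value
    if ($ThreatActionNames.ContainsKey($key)) { return $ThreatActionNames[$key] }
    return "Unmapped ($key)"   # never guess at a value the thread does not list
}

function Get-ThreatDefaultActionReport {
    param([Parameter(Mandatory)] $Preference)
    foreach ($name in $SeveritySettings) {
        $raw = $Preference.$name
        [pscustomobject]@{
            Setting    = $name
            Raw        = if ($null -eq $raw) { 'NULL' } else { $raw }
            Action     = ConvertTo-ThreatActionName $raw
            Overridden = ($null -ne $raw -and [int]$raw -ne 0)
        }
    }
}

# Constructed sample standing in for Get-MpPreference output, so the
# example also runs on a machine without the Defender module.
$sample = [pscustomobject]@{
    LowThreatDefaultAction      = 0
    ModerateThreatDefaultAction = $null
    HighThreatDefaultAction     = 2
    SevereThreatDefaultAction   = 3
    UnknownThreatDefaultAction  = 6
}
Get-ThreatDefaultActionReport -Preference $sample | Format-Table -AutoSize

# On a live system:
# Get-ThreatDefaultActionReport -Preference (Get-MpPreference) | Format-Table -AutoSize
```

Rows with Overridden = True are the ones where a local or policy setting replaces the per-threat default, which is what to review when auditing a host.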