Defender Threat Catalog

Page 1 of 2 12 LastLast

  1. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #1

    Defender Threat Catalog


    This post is more for information and curiosity than anything else.

    I was curious about the Defender Definitions and the Defender Definitions Database / Catalogue and decided to do some investigation. MY databases are up to date for the Antimalware Client, Engine Version, Antivirus Version, and Antispyware Version.

    I believe the Defender AV Signature Databases are stored here:

    > %ProgramData%\Microsoft\Windows Defender\Definition Updates\{GUID}\*. vdm

    I created a Script to extract ALL the entries in the Defender Definitions Database / Catalogue [ Output in the %Temp% directory with the filename A.txt ]:

    Code:
    
    @echo off
    echo.
    PowerShell ^
         $Tot=((Get-MpThreatCatalog) ^| Measure-Object).Count.ToString('#,##0'); ^
         $List=(Get-MpThreatCatalog  ^| Sort-Object -Property SeverityID, ThreatName ^| Format-Table -AutoSize ^
         @{L='Severity ID';E={;if([string]::IsNullOrWhiteSpace($_.SeverityID)) {'-'} else {$_.SeverityID}}}, ^
         @{L='Category ID';E={;if([string]::IsNullOrWhiteSpace($_.CategoryID)) {'-'} else {$_.CategoryID}}}, ^
         @{L='Type ID'    ;E={;if([string]::IsNullOrWhiteSpace($_.TypeID))     {'-'} else {$_.TypeID}}}, ^
         @{L='Threat Name';E={;if([string]::IsNullOrWhiteSpace($_.ThreatName)) {'-'} else {$_.ThreatName}}} ^| ^
    Out-String -Width 1000).Trim("""`r`n"""); ^
         if ($List.Length) {Write-Host """`n--- Defender Threat Catalog [$Tot] - Sorted by [SeverityID, ThreatName] ---`n`n `n`n$List"""} else ^
                           {Write-Host """`n--- NO Defender Threat Catalog Available ---"""; exit 1} >> %Temp%\A.txt
    
    echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit
    

    These are MY results sorted by SeverityID, ThreatName:

    SeverityID 0 = 1
    SeverityID 1 = 49
    SeverityID 2 = 390
    SeverityID 4 = 6,051
    SeverityID 5 = 239,049

    Total = 245,540

    SeverityID 3 does not show in MY output and the documentation relating to it is a bit ambiguous.

    > MSFT_MpThreatCatalog
    > MSFT_MpThreatCatalog Class
    > Investigate Windows Defenderís Malware Signature Definitions Database

    If you just want the totals for each in PowerShell ISE:

    Code:
    
    (Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '0'}).Count,
    (Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '1'}).Count,
    (Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '2'}).Count,
    (Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '3'}).Count,
    (Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '4'}).Count,
    (Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '5'}).Count,
    (Get-MpThreatCatalog).Count

    You might get a usage warning but the correct figures will be output.

    Defender Threat Catalog-image.png

    The Scripts will take a little while to run.

    I just thought that I would share this as I found it quite interesting !
    Last edited by Paul Black; 25 Apr 2023 at 06:35.
      My Computer


  2. Posts : 710
    Windows 7
       #2

    Everyone loves more details.
    Code:
    #Get-MpThreatCatalog | select CategoryID,SeverityID | Group-Object SeverityID,CategoryID | Select-Object @{l='SeverityID';e={$_.Group[0].SeverityID}},@{l='CategoryID';e={$_.Group[0].CategoryID}},Count | Sort-Object SeverityID,CategoryID
    
    $ThreatCatalog = @{}
    
    Get-MpThreatCatalog -ErrorAction Ignore | ForEach-Object {
        $Severity = $_.SeverityID; $Category = $_.CategoryID
        if (-not $ThreatCatalog.ContainsKey($Severity)) {
            $ThreatCatalog[$Severity] += @{ $Category = 1 }
        }
        else {
            $ThreatCatalog[$Severity][$Category]++
        }
    }
    
    $Total = 0
    
    foreach ($Severity in ($ThreatCatalog.GetEnumerator() | select Name | sort Name)) {
        $Summary = @()
        $Subtotal = 0
        $Severity = $Severity.Name
    
        foreach ($Category in ($ThreatCatalog[$Severity].GetEnumerator() | select Name | sort Name)) {
            $Count = $ThreatCatalog[$Severity][$Category.Name]
            $Summary += [PSCustomObject]@{
                SeverityID = $Severity
                CategoryID = $Category.Name
                Count = $Count}
            $Subtotal += $Count
            $Total += $Count
        }
    
        ($Summary | Out-String) -replace "`n`r",""
        "{0,20} {1,6}" -f "Sub Total:", $Subtotal
    }
    
    "`n{0,20} {1,6}" -f "Total", $Total
    Code:
     SeverityID CategoryID Count
    ---------- ---------- -----
             0         44     1
    
              Sub Total:      1
    
    SeverityID CategoryID Count
    ---------- ---------- -----
             1          2     3
             1         27  1976
             1         33    44
             1         43     2
    
              Sub Total:   2025
    
    SeverityID CategoryID Count
    ---------- ---------- -----
             2          2     6
             2         13     1
             2         19   277
             2         22     1
             2         23    49
             2         34    49
             2         49     2
    
              Sub Total:    385
    
    SeverityID CategoryID Count
    ---------- ---------- -----
             4          1  1199
             4          2   170
             4          4     1
             4          5     1
             4          8   313
             4         13   564
             4         21   270
             4         23   559
             4         34  2978
    
              Sub Total:   6055
    
    SeverityID CategoryID Count
    ---------- ---------- -----
             5          2    26
             5          3  9414
             5          4 30437
             5          5 17213
             5          6 20404
             5          8 72413
             5          9   605
             5         11   141
             5         12   715
             5         13     5
             5         19     1
             5         22  1226
             5         23     6
             5         30 10029
             5         32   539
             5         34 10176
             5         36   784
             5         37  7514
             5         39  8612
             5         40  1570
             5         42 27544
             5         46 12752
             5         49    19
             5         50  5163
    
              Sub Total: 237308
    
                   Total 245774
      My Computer


  3. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #3

    Hello @garlin,

    garlin said:
    Everyone loves more details.
    I DO.

    I REALLY like that.

    I might see if I can add ThreatName for informational purposes with a Split on : so it gives for example the below as they specifically relate to the CategoryID:

    Code:
    
    Threat Name                                                   
    -----------   
    Unknown
    FriendlyFiles
    RemoteAccess
    Spyware
    EUS
    Joke
    
    ...
    
    VirTool
    Virus
    Worm
      My Computer


  4. Posts : 710
    Windows 7
       #4

    Code:
    #Get-MpThreatCatalog | select CategoryID,SeverityID | Group-Object SeverityID,CategoryID | Select-Object @{l='SeverityID';e={$_.Group[0].SeverityID}},@{l='CategoryID';e={$_.Group[0].CategoryID}},Count | Sort-Object SeverityID,CategoryID
    
    $Catalog = @{}
    
    Get-MpThreatCatalog -ErrorAction Ignore | ForEach-Object {
        $Severity = $_.SeverityID; $ThreatName = ($_.ThreatName -split ':')[0]
        if (-not $Catalog.ContainsKey($Severity)) {
            $Catalog[$Severity] += @{ $ThreatName = 1 }
        }
        else {
            $Catalog[$Severity][$ThreatName] = $Catalog[$Severity][$ThreatName] + 1
        }
    }
    
    $Total = 0
    
    foreach ($Severity in ($Catalog.GetEnumerator() | select Name | sort Name)) {
        $Summary = @()
        $Subtotal = 0
        $Severity = $Severity.Name
    
        foreach ($ThreatName in ($Catalog[$Severity].GetEnumerator() | select Name | sort Name)) {
            $Count = $Catalog[$Severity][$ThreatName.Name]
            $Summary += [PSCustomObject]@{
                SeverityID = $Severity
                ThreatName = '{0,-22}' -f $ThreatName.Name
                Count = $Count}
            $Subtotal += $Count
            $Total += $Count
        }
    
        ($Summary | Format-Table @{n='SeverityID';e={$_.SeverityID};align='center'},@{n='Threat Name';e={$_.ThreatName}},Count | Out-String) -replace "`n`r",""
        '{0,39}' -f "Sub Total: $Subtotal"
    }
    
    "`n{0,39}" -f "Total: $Total"
    Code:
    PS C:\Users\GARLIN\Downloads> .\Get-MpThreatCatalog.ps1
    
    SeverityID Threat Name            Count
    ---------- -----------            -----
        0      Unknown                    1
    
                               Sub Total: 1
    
    SeverityID Threat Name            Count
    ---------- -----------            -----
        1      App                        3
        1      FriendlyFiles              2
        1      Program                    5
        1      PUA                     1721
        1      PUAAdvertising            52
        1      PUABundler                43
        1      PUADlManager              75
        1      PUAMarketing               2
        1      PUAMiner                  48
        1      PUATorrent                27
        1      RemoteAccess              44
        1      Spyware                    3
    
                            Sub Total: 2025
    
    SeverityID Threat Name            Count
    ---------- -----------            -----
        2      EUS                        2
        2      Joke                     277
        2      SettingsModifier          49
        2      Spyware                    7
        2      Tool                      49
        2      TrojanClicker              1
    
                             Sub Total: 385
    
    SeverityID Threat Name            Count
    ---------- -----------            -----
        4      Adware                   778
        4      BrowserModifier          563
        4      HackTool                2978
        4      Misleading               384
        4      MisleadingAd              37
        4      Program                  559
        4      SoftwareBundler          270
        4      Spyware                  172
        4      Trojan                   308
        4      TrojanClicker              5
        4      Worm                       1
    
                            Sub Total: 6055
    
    SeverityID Threat Name            Count
    ---------- -----------            -----
        5      Backdoor               20405
        5      Behavior               12997
        5      Constructor              539
        5      DDoS                     354
        5      Dialer                   141
        5      DoS                      385
        5      EUS                       19
        5      Exploit                10029
        5      Flooder                   45
        5      MagicThreat_7ffe3a4b       1
        5      MonitoringTool           716
        5      Nuker                     45
        5      Phish                      2
        5      Program                    5
        5      PWS                     9414
        5      Ransom                  4929
        5      Rogue                    131
        5      SettingsModifier           1
        5      Spammer                  515
        5      Spoofer                   45
        5      Spyware                   28
        5      SupportScam              160
        5      Tool                       2
        5      Trojan                 72176
        5      TrojanClicker           1173
        5      TrojanDownloader       30436
        5      TrojanDropper           7514
        5      TrojanNotifier            53
        5      TrojanProxy             1570
        5      TrojanSpy               8613
        5      VirTool                10174
        5      Virus                  27542
        5      Worm                   17214
    
                          Sub Total: 237373
    
                              Total: 245839
      My Computer


  5. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #5

    Hello @garlin,

    I think that produces a VERY nice informative report indeed. The only other thing that would be nice is the thousands separator, something like [ .ToString('#,##0') ]. I did get the main Count = $Count}.ToString('#,##0') to work but the alignment got adjusted to the left.

    I just hope people find it useful.
      My Computer


  6. Posts : 710
    Windows 7
       #6

    Paul Black said:
    Hello @garlin,
    I think that produces a VERY nice informative report indeed. The only other thing that would be nice is the thousands separator, something like [ .ToString('#,##0') ]. I did get the main Count = $Count}.ToString('#,##0') to work but the alignment got adjusted to the left.
    Thanks to King George III, we must disagree over numerical separators.

    Use the "{0,N}" or "{0,N0}" notation to format numbers based on your local settings.
    Code:
    #Get-MpThreatCatalog | select CategoryID,SeverityID | Group-Object SeverityID,CategoryID | Select-Object @{l='SeverityID';e={$_.Group[0].SeverityID}},@{l='CategoryID';e={$_.Group[0].CategoryID}},Count | Sort-Object SeverityID,CategoryID
    
    $Catalog = @{}
    
    Get-MpThreatCatalog -ErrorAction Ignore | ForEach-Object {
        $Severity = $_.SeverityID; $ThreatName = ($_.ThreatName -split ':')[0]
        if (-not $Catalog.ContainsKey($Severity)) {
            $Catalog[$Severity] += @{ $ThreatName = 1 }
        }
        else {
            $Catalog[$Severity][$ThreatName] = $Catalog[$Severity][$ThreatName] + 1
        }
    }
    
    $Total = 0
    
    foreach ($Severity in ($Catalog.GetEnumerator() | select Name | sort Name)) {
        $Summary = @()
        $Subtotal = 0
        $Severity = $Severity.Name
    
        foreach ($ThreatName in ($Catalog[$Severity].GetEnumerator() | select Name | sort Name)) {
            $Count = $Catalog[$Severity][$ThreatName.Name]
            $Summary += [PSCustomObject]@{
                SeverityID = $Severity
                ThreatName = '{0,-22}' -f $ThreatName.Name
                Count = '{0,6:N0}' -f $Count}
            $Subtotal += $Count
            $Total += $Count
        }
    
        ($Summary | Format-Table @{n='SeverityID';e={$_.SeverityID};align='center'},@{n='Threat Name';e={$_.ThreatName}},@{n='Count';e={$_.Count};align='right'} | Out-String) -replace "`n`r",""
        '{0,40}' -f ('Sub Total: {0:N0}' -f $Subtotal)
    }
    
    "`n{0,40}" -f ('Total: {0:N0}' -f $Total)
      My Computer


  7. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #7

    That works VERY nicely.

    Thanks to @garlin's time and effort, anybody that wants a nice report detailing the criteria and information for the Defender Threat Catalogue can now produce this by running his code above.
      My Computer


  8. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #8

    Hello @garlin,

    I wanted a separate Script, so I tried to adapt your code to produce the information below but FAILED miserably. I then thought that I would write it in Batch [ Please don't laugh ].

    This is what I want it to look like [ Thousands Separators Included ]:

    Code:
    
     --- Antivirus - Microsoft Defender - Threat(s) Catalogue Entries [245,896] - Sorted by [SeverityID] ---
    
     Severity ID  Count
     -----------  -----
     0                1
     1               49
     2              390
     4            6,055
     5          239,401
     Total      245,896

    ... but I get this [ Thousands Separators NOT Included ]:

    Code:
    
     --- Antivirus - Microsoft Defender - Threat(s) Catalogue Entries [245,896] - Sorted by [SeverityID] ---
    
     Severity ID  Count
     -----------  -----
     0                1
     1               49
     2              390
     4             6055
     5           239401
     Total      245,896

    Here is the code:

    Code:
    
    @echo off
    echo.
    PowerShell ^
         $Tot=((Get-MpThreatCatalog) ^| Measure-Object).Count.ToString('#,##0'); ^
         $List=(Get-MpThreatCatalog  ^| Select SeverityID ^| Group-Object SeverityID, CategoryID ^| Select-Object @{l='SeverityID';e={$_.Group[0].SeverityID}},Count ^| Sort-Object SeverityID ^| Format-Table -AutoSize ^
         @{L='Severity ID';E={;if([string]::IsNullOrWhiteSpace($_.SeverityID)) {'-'} else {$_.SeverityID}};A='Left'}, Count ^| ^
    Out-String -Width 1000).Trim("""`r`n"""); ^
         if ($List.Length) {Write-Host """`n`n--- Antivirus - Microsoft Defender - Threat(s) Catalogue Entries [$Tot] - Sorted by [SeverityID] ---`n`n `n`n$List"""} else  ^
                           {Write-Host """`n`n--- NO Antivirus - Microsoft Defender - Threat(s) Catalogue Entries Available ---"""; exit 1} >> %Temp%\A.txt
         for /f "delims=" %%i in (%Temp%\A.txt) do echo. %%i
    PowerShell ^
         $Total=((Get-MpThreatCatalog) ^| Measure-Object).Count.ToString('#,##0'); ^
         Write-Host """ Total """ -NoNewline; Write-Host  """"     "$Total"""
         del %Temp%\A.txt
    
    echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit
    
    
    

    What am I missing please ?
    Last edited by Paul Black; 27 Apr 2023 at 07:30.
      My Computer


  9. Posts : 710
    Windows 7
       #9

    You didn't use ToString() with Count.
    Code:
          @{L='Severity ID';E={;if([string]::IsNullOrWhiteSpace($_.SeverityID)) {'-'} else {$_.SeverityID}};A='Left'}, Count ^| ^

    There's an important distinction in using {0:N0} vs ToString('...'). {0:N0} preserves the data type as as a number, which means:
    - Strings are sorted in dictionary order. ie. Sorting 1, 2, 3, 1234 -> 1, 1234, 2, 3
    - Strings default to left alignment, and numbers to right. You're always adding align='Right' to every column view.
      My Computer


  10. Posts : 18,044
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
    Thread Starter
       #10

    garlin said:
    You didn't use ToString() with Count.
    That was obviously the first thing that I tried yesterday, along with many others in different positions. It gave this output:

    Code:
    
     At line:1 char:398
     + ... tyID)) {'-'} else {$_.SeverityID}};A='Left'}, Count.ToString() | Out- ...
     +                                                                  ~
     An expression was expected after '('.
         + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
         + FullyQualifiedErrorId : ExpectedExpression
    
     Format-Table : A positional parameter cannot be found that accepts argument '#,##0'.
     At line:1 char:251
     + ... everityID | Format-Table -AutoSize @{L='Severity ID';E={;if([string]: ...
     +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         + CategoryInfo          : InvalidArgument: (:) [Format-Table], ParameterBindingException
         + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.FormatTableCommand
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 01:05.
Find Us




Windows 10 Forums