Defender Threat Catalog

Paul Black · 25 Apr 2023

This post is more for information and curiosity than anything else.

I was curious about the Defender Definitions and the Defender Definitions Database / Catalogue and decided to do some investigation. MY databases are up to date for the Antimalware Client, Engine Version, Antivirus Version, and Antispyware Version.

I believe the Defender AV Signature Databases are stored here:

> %ProgramData%\Microsoft\Windows Defender\Definition Updates\{GUID}\*. vdm

I created a Script to extract ALL the entries in the Defender Definitions Database / Catalogue [ Output in the %Temp% directory with the filename A.txt ]:

Code:


@echo off
echo.
PowerShell ^
     $Tot=((Get-MpThreatCatalog) ^| Measure-Object).Count.ToString('#,##0'); ^
     $List=(Get-MpThreatCatalog  ^| Sort-Object -Property SeverityID, ThreatName ^| Format-Table -AutoSize ^
     @{L='Severity ID';E={;if([string]::IsNullOrWhiteSpace($_.SeverityID)) {'-'} else {$_.SeverityID}}}, ^
     @{L='Category ID';E={;if([string]::IsNullOrWhiteSpace($_.CategoryID)) {'-'} else {$_.CategoryID}}}, ^
     @{L='Type ID'    ;E={;if([string]::IsNullOrWhiteSpace($_.TypeID))     {'-'} else {$_.TypeID}}}, ^
     @{L='Threat Name';E={;if([string]::IsNullOrWhiteSpace($_.ThreatName)) {'-'} else {$_.ThreatName}}} ^| ^
Out-String -Width 1000).Trim("""`r`n"""); ^
     if ($List.Length) {Write-Host """`n--- Defender Threat Catalog [$Tot] - Sorted by [SeverityID, ThreatName] ---`n`n `n`n$List"""} else ^
                       {Write-Host """`n--- NO Defender Threat Catalog Available ---"""; exit 1} >> %Temp%\A.txt

echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit

These are MY results sorted by SeverityID, ThreatName:

SeverityID 0 = 1
SeverityID 1 = 49
SeverityID 2 = 390
SeverityID 4 = 6,051
SeverityID 5 = 239,049

Total = 245,540

SeverityID 3 does not show in MY output and the documentation relating to it is a bit ambiguous.

> MSFT_MpThreatCatalog
> MSFT_MpThreatCatalog Class
> Investigate Windows Defender’s Malware Signature Definitions Database

If you just want the totals for each in PowerShell ISE:

Code:


(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '0'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '1'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '2'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '3'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '4'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '5'}).Count,
(Get-MpThreatCatalog).Count

You might get a usage warning but the correct figures will be output.

The Scripts will take a little while to run.

I just thought that I would share this as I found it quite interesting !

garlin · 25 Apr 2023

Everyone loves more details.

Code:

#Get-MpThreatCatalog | select CategoryID,SeverityID | Group-Object SeverityID,CategoryID | Select-Object @{l='SeverityID';e={$_.Group[0].SeverityID}},@{l='CategoryID';e={$_.Group[0].CategoryID}},Count | Sort-Object SeverityID,CategoryID

$ThreatCatalog = @{}

Get-MpThreatCatalog -ErrorAction Ignore | ForEach-Object {
    $Severity = $_.SeverityID; $Category = $_.CategoryID
    if (-not $ThreatCatalog.ContainsKey($Severity)) {
        $ThreatCatalog[$Severity] += @{ $Category = 1 }
    }
    else {
        $ThreatCatalog[$Severity][$Category]++
    }
}

$Total = 0

foreach ($Severity in ($ThreatCatalog.GetEnumerator() | select Name | sort Name)) {
    $Summary = @()
    $Subtotal = 0
    $Severity = $Severity.Name

    foreach ($Category in ($ThreatCatalog[$Severity].GetEnumerator() | select Name | sort Name)) {
        $Count = $ThreatCatalog[$Severity][$Category.Name]
        $Summary += [PSCustomObject]@{
            SeverityID = $Severity
            CategoryID = $Category.Name
            Count = $Count}
        $Subtotal += $Count
        $Total += $Count
    }

    ($Summary | Out-String) -replace "`n`r",""
    "{0,20} {1,6}" -f "Sub Total:", $Subtotal
}

"`n{0,20} {1,6}" -f "Total", $Total

Code:

 SeverityID CategoryID Count
---------- ---------- -----
         0         44     1

          Sub Total:      1

SeverityID CategoryID Count
---------- ---------- -----
         1          2     3
         1         27  1976
         1         33    44
         1         43     2

          Sub Total:   2025

SeverityID CategoryID Count
---------- ---------- -----
         2          2     6
         2         13     1
         2         19   277
         2         22     1
         2         23    49
         2         34    49
         2         49     2

          Sub Total:    385

SeverityID CategoryID Count
---------- ---------- -----
         4          1  1199
         4          2   170
         4          4     1
         4          5     1
         4          8   313
         4         13   564
         4         21   270
         4         23   559
         4         34  2978

          Sub Total:   6055

SeverityID CategoryID Count
---------- ---------- -----
         5          2    26
         5          3  9414
         5          4 30437
         5          5 17213
         5          6 20404
         5          8 72413
         5          9   605
         5         11   141
         5         12   715
         5         13     5
         5         19     1
         5         22  1226
         5         23     6
         5         30 10029
         5         32   539
         5         34 10176
         5         36   784
         5         37  7514
         5         39  8612
         5         40  1570
         5         42 27544
         5         46 12752
         5         49    19
         5         50  5163

          Sub Total: 237308

               Total 245774

Paul Black · 26 Apr 2023

Hello @garlin,

garlin said:

Everyone loves more details.

I DO.

I REALLY like that.

I might see if I can add ThreatName for informational purposes with a Split on : so it gives for example the below as they specifically relate to the CategoryID:

Code:


Threat Name                                                   
-----------   
Unknown
FriendlyFiles
RemoteAccess
Spyware
EUS
Joke

...

VirTool
Virus
Worm

garlin · 26 Apr 2023

Code:

#Get-MpThreatCatalog | select CategoryID,SeverityID | Group-Object SeverityID,CategoryID | Select-Object @{l='SeverityID';e={$_.Group[0].SeverityID}},@{l='CategoryID';e={$_.Group[0].CategoryID}},Count | Sort-Object SeverityID,CategoryID

$Catalog = @{}

Get-MpThreatCatalog -ErrorAction Ignore | ForEach-Object {
    $Severity = $_.SeverityID; $ThreatName = ($_.ThreatName -split ':')[0]
    if (-not $Catalog.ContainsKey($Severity)) {
        $Catalog[$Severity] += @{ $ThreatName = 1 }
    }
    else {
        $Catalog[$Severity][$ThreatName] = $Catalog[$Severity][$ThreatName] + 1
    }
}

$Total = 0

foreach ($Severity in ($Catalog.GetEnumerator() | select Name | sort Name)) {
    $Summary = @()
    $Subtotal = 0
    $Severity = $Severity.Name

    foreach ($ThreatName in ($Catalog[$Severity].GetEnumerator() | select Name | sort Name)) {
        $Count = $Catalog[$Severity][$ThreatName.Name]
        $Summary += [PSCustomObject]@{
            SeverityID = $Severity
            ThreatName = '{0,-22}' -f $ThreatName.Name
            Count = $Count}
        $Subtotal += $Count
        $Total += $Count
    }

    ($Summary | Format-Table @{n='SeverityID';e={$_.SeverityID};align='center'},@{n='Threat Name';e={$_.ThreatName}},Count | Out-String) -replace "`n`r",""
    '{0,39}' -f "Sub Total: $Subtotal"
}

"`n{0,39}" -f "Total: $Total"

Code:

PS C:\Users\GARLIN\Downloads> .\Get-MpThreatCatalog.ps1

SeverityID Threat Name            Count
---------- -----------            -----
    0      Unknown                    1

                           Sub Total: 1

SeverityID Threat Name            Count
---------- -----------            -----
    1      App                        3
    1      FriendlyFiles              2
    1      Program                    5
    1      PUA                     1721
    1      PUAAdvertising            52
    1      PUABundler                43
    1      PUADlManager              75
    1      PUAMarketing               2
    1      PUAMiner                  48
    1      PUATorrent                27
    1      RemoteAccess              44
    1      Spyware                    3

                        Sub Total: 2025

SeverityID Threat Name            Count
---------- -----------            -----
    2      EUS                        2
    2      Joke                     277
    2      SettingsModifier          49
    2      Spyware                    7
    2      Tool                      49
    2      TrojanClicker              1

                         Sub Total: 385

SeverityID Threat Name            Count
---------- -----------            -----
    4      Adware                   778
    4      BrowserModifier          563
    4      HackTool                2978
    4      Misleading               384
    4      MisleadingAd              37
    4      Program                  559
    4      SoftwareBundler          270
    4      Spyware                  172
    4      Trojan                   308
    4      TrojanClicker              5
    4      Worm                       1

                        Sub Total: 6055

SeverityID Threat Name            Count
---------- -----------            -----
    5      Backdoor               20405
    5      Behavior               12997
    5      Constructor              539
    5      DDoS                     354
    5      Dialer                   141
    5      DoS                      385
    5      EUS                       19
    5      Exploit                10029
    5      Flooder                   45
    5      MagicThreat_7ffe3a4b       1
    5      MonitoringTool           716
    5      Nuker                     45
    5      Phish                      2
    5      Program                    5
    5      PWS                     9414
    5      Ransom                  4929
    5      Rogue                    131
    5      SettingsModifier           1
    5      Spammer                  515
    5      Spoofer                   45
    5      Spyware                   28
    5      SupportScam              160
    5      Tool                       2
    5      Trojan                 72176
    5      TrojanClicker           1173
    5      TrojanDownloader       30436
    5      TrojanDropper           7514
    5      TrojanNotifier            53
    5      TrojanProxy             1570
    5      TrojanSpy               8613
    5      VirTool                10174
    5      Virus                  27542
    5      Worm                   17214

                      Sub Total: 237373

                          Total: 245839

Paul Black · 26 Apr 2023

Hello @garlin,

I think that produces a VERY nice informative report indeed. The only other thing that would be nice is the thousands separator, something like [ .ToString('#,##0') ]. I did get the main Count = $Count}.ToString('#,##0') to work but the alignment got adjusted to the left.

I just hope people find it useful.

garlin · 26 Apr 2023

Paul Black said:

Hello @garlin,
I think that produces a VERY nice informative report indeed. The only other thing that would be nice is the thousands separator, something like [ .ToString('#,##0') ]. I did get the main Count = $Count}.ToString('#,##0') to work but the alignment got adjusted to the left.

Thanks to King George III, we must disagree over numerical separators.

Use the "{0,N}" or "{0,N0}" notation to format numbers based on your local settings.

Code:

#Get-MpThreatCatalog | select CategoryID,SeverityID | Group-Object SeverityID,CategoryID | Select-Object @{l='SeverityID';e={$_.Group[0].SeverityID}},@{l='CategoryID';e={$_.Group[0].CategoryID}},Count | Sort-Object SeverityID,CategoryID

$Catalog = @{}

Get-MpThreatCatalog -ErrorAction Ignore | ForEach-Object {
    $Severity = $_.SeverityID; $ThreatName = ($_.ThreatName -split ':')[0]
    if (-not $Catalog.ContainsKey($Severity)) {
        $Catalog[$Severity] += @{ $ThreatName = 1 }
    }
    else {
        $Catalog[$Severity][$ThreatName] = $Catalog[$Severity][$ThreatName] + 1
    }
}

$Total = 0

foreach ($Severity in ($Catalog.GetEnumerator() | select Name | sort Name)) {
    $Summary = @()
    $Subtotal = 0
    $Severity = $Severity.Name

    foreach ($ThreatName in ($Catalog[$Severity].GetEnumerator() | select Name | sort Name)) {
        $Count = $Catalog[$Severity][$ThreatName.Name]
        $Summary += [PSCustomObject]@{
            SeverityID = $Severity
            ThreatName = '{0,-22}' -f $ThreatName.Name
            Count = '{0,6:N0}' -f $Count}
        $Subtotal += $Count
        $Total += $Count
    }

    ($Summary | Format-Table @{n='SeverityID';e={$_.SeverityID};align='center'},@{n='Threat Name';e={$_.ThreatName}},@{n='Count';e={$_.Count};align='right'} | Out-String) -replace "`n`r",""
    '{0,40}' -f ('Sub Total: {0:N0}' -f $Subtotal)
}

"`n{0,40}" -f ('Total: {0:N0}' -f $Total)

Paul Black · 26 Apr 2023

That works VERY nicely.

Thanks to @garlin's time and effort, anybody that wants a nice report detailing the criteria and information for the Defender Threat Catalogue can now produce this by running his code above.

Paul Black · 27 Apr 2023

Hello @garlin,

I wanted a separate Script, so I tried to adapt your code to produce the information below but FAILED miserably. I then thought that I would write it in Batch [ Please don't laugh ].

This is what I want it to look like [ Thousands Separators Included ]:

Code:


 --- Antivirus - Microsoft Defender - Threat(s) Catalogue Entries [245,896] - Sorted by [SeverityID] ---

 Severity ID  Count
 -----------  -----
 0                1
 1               49
 2              390
 4            6,055
 5          239,401
 Total      245,896

... but I get this [ Thousands Separators NOT Included ]:

Code:


 --- Antivirus - Microsoft Defender - Threat(s) Catalogue Entries [245,896] - Sorted by [SeverityID] ---

 Severity ID  Count
 -----------  -----
 0                1
 1               49
 2              390
 4             6055
 5           239401
 Total      245,896

Here is the code:

Code:


@echo off
echo.
PowerShell ^
     $Tot=((Get-MpThreatCatalog) ^| Measure-Object).Count.ToString('#,##0'); ^
     $List=(Get-MpThreatCatalog  ^| Select SeverityID ^| Group-Object SeverityID, CategoryID ^| Select-Object @{l='SeverityID';e={$_.Group[0].SeverityID}},Count ^| Sort-Object SeverityID ^| Format-Table -AutoSize ^
     @{L='Severity ID';E={;if([string]::IsNullOrWhiteSpace($_.SeverityID)) {'-'} else {$_.SeverityID}};A='Left'}, Count ^| ^
Out-String -Width 1000).Trim("""`r`n"""); ^
     if ($List.Length) {Write-Host """`n`n--- Antivirus - Microsoft Defender - Threat(s) Catalogue Entries [$Tot] - Sorted by [SeverityID] ---`n`n `n`n$List"""} else  ^
                       {Write-Host """`n`n--- NO Antivirus - Microsoft Defender - Threat(s) Catalogue Entries Available ---"""; exit 1} >> %Temp%\A.txt
     for /f "delims=" %%i in (%Temp%\A.txt) do echo. %%i
PowerShell ^
     $Total=((Get-MpThreatCatalog) ^| Measure-Object).Count.ToString('#,##0'); ^
     Write-Host """ Total """ -NoNewline; Write-Host  """"     "$Total"""
     del %Temp%\A.txt

echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit

What am I missing please ?

garlin · 27 Apr 2023

You didn't use ToString() with Count.

Code:

      @{L='Severity ID';E={;if([string]::IsNullOrWhiteSpace($_.SeverityID)) {'-'} else {$_.SeverityID}};A='Left'}, Count ^| ^

There's an important distinction in using {0:N0} vs ToString('...'). {0:N0} preserves the data type as as a number, which means:
- Strings are sorted in dictionary order. ie. Sorting 1, 2, 3, 1234 -> 1, 1234, 2, 3
- Strings default to left alignment, and numbers to right. You're always adding align='Right' to every column view.

Paul Black · 27 Apr 2023

garlin said:

You didn't use ToString() with Count.

That was obviously the first thing that I tried yesterday, along with many others in different positions. It gave this output:

Code:


 At line:1 char:398
 + ... tyID)) {'-'} else {$_.SeverityID}};A='Left'}, Count.ToString() | Out- ...
 +                                                                  ~
 An expression was expected after '('.
     + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
     + FullyQualifiedErrorId : ExpectedExpression

 Format-Table : A positional parameter cannot be found that accepts argument '#,##0'.
 At line:1 char:251
 + ... everityID | Format-Table -AutoSize @{L='Severity ID';E={;if([string]: ...
 +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidArgument: (:) [Format-Table], ParameterBindingException
     + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.FormatTableCommand