Defender Threat Catalog
This post is more for information and curiosity than anything else.
I was curious about the Defender Definitions and the Defender Definitions Database / Catalogue and decided to do some investigation. MY databases are up to date for the Antimalware Client, Engine Version, Antivirus Version, and Antispyware Version.
I believe the Defender AV Signature Databases are stored here:
> %ProgramData%\Microsoft\Windows Defender\Definition Updates\{GUID}\*.vdm
I created a Script to extract ALL the entries in the Defender Definitions Database / Catalogue [Output in the %Temp% directory with the filename A.txt]:
Code:
@echo off
rem Dump the whole Defender threat catalog (sorted by SeverityID, then ThreatName)
rem to %Temp%\A.txt. Each trailing "^" joins the PowerShell command across batch
rem lines, and "^|" passes a literal pipe character through to PowerShell.
echo.
PowerShell ^
$Tot=((Get-MpThreatCatalog) ^| Measure-Object).Count.ToString('#,##0'); ^
$List=(Get-MpThreatCatalog ^| Sort-Object -Property SeverityID, ThreatName ^| Format-Table -AutoSize ^
@{L='Severity ID';E={;if([string]::IsNullOrWhiteSpace($_.SeverityID)) {'-'} else {$_.SeverityID}}}, ^
@{L='Category ID';E={;if([string]::IsNullOrWhiteSpace($_.CategoryID)) {'-'} else {$_.CategoryID}}}, ^
@{L='Type ID'    ;E={;if([string]::IsNullOrWhiteSpace($_.TypeID))     {'-'} else {$_.TypeID}}}, ^
@{L='Threat Name';E={;if([string]::IsNullOrWhiteSpace($_.ThreatName)) {'-'} else {$_.ThreatName}}} ^| ^
Out-String -Width 1000).Trim("""`r`n"""); ^
if ($List.Length) {Write-Host """`n--- Defender Threat Catalog [$Tot] - Sorted by [SeverityID, ThreatName] ---`n`n `n`n$List"""} else ^
{Write-Host """`n--- NO Defender Threat Catalog Available ---"""; exit 1} >> %Temp%\A.txt
echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit
These are MY results sorted by SeverityID, ThreatName:
SeverityID 0 = 1
SeverityID 1 = 49
SeverityID 2 = 390
SeverityID 4 = 6,051
SeverityID 5 = 239,049
Total = 245,540
SeverityID 3 does not show in MY output and the documentation relating to it is a bit ambiguous.
> MSFT_MpThreatCatalog
> MSFT_MpThreatCatalog Class
> Investigate Windows Defender’s Malware Signature Definitions Database
If you just want the totals for each in PowerShell ISE:
Code:
# Entry counts for SeverityID 0 to 5, then the grand total. Each line queries
# the catalog again, which is why this takes a while to run.
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '0'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '1'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '2'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '3'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '4'}).Count,
(Get-MpThreatCatalog | Where-Object {$_.SeverityID -eq '5'}).Count,
(Get-MpThreatCatalog).Count
You might get a usage warning but the correct figures will be output.
The Scripts will take a little while to run.
I just thought that I would share this as I found it quite interesting!
Last edited by Paul Black; 25 Apr 2023 at 06:35.
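A leaner way to get the per-severity totals, added here as an example and not part of the original post: one Get-MpThreatCatalog call grouped by SeverityID, with every ID from 0 to 5 reported even when the catalog has no entry for it, so a missing SeverityID 3 shows as 0 instead of vanishing from the output. The function name and output file name are my own choices; it assumes the Defender PowerShell module is present (Windows 10/11 with Microsoft Defender Antivirus).

```powershell
# Added example (not from the original post): count Defender threat-catalog
# entries per SeverityID with a single Get-MpThreatCatalog call, and report
# every expected ID so an absent one (e.g. SeverityID 3 above) shows as 0.
# Assumes the Defender module is available; run from an elevated PowerShell.

function Get-DefenderSeverityCounts {
    [CmdletBinding()]
    param(
        # IDs to report even when the catalog contains no entry for them
        [int[]]$ExpectedSeverityIDs = 0..5
    )

    # One catalog query; the cmdlet is slow, so never call it per severity.
    $catalog = @(Get-MpThreatCatalog)

    # Group by SeverityID and build a lookup of ID -> count.
    # Entries with a blank SeverityID are filed under -1 rather than
    # silently merged into 0 (which is what [int]'' would do).
    $counts = @{}
    foreach ($group in ($catalog | Group-Object -Property SeverityID)) {
        $key = if ([string]::IsNullOrWhiteSpace($group.Name)) { -1 } else { [int]$group.Name }
        $counts[$key] = $group.Count
    }

    # Emit one row per expected ID (0 when absent), plus any unexpected ID.
    $ids = @($ExpectedSeverityIDs) + @($counts.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $n = if ($counts.ContainsKey($id)) { $counts[$id] } else { 0 }
        [pscustomobject]@{ SeverityID = $id; Count = $n }
    }
    [pscustomobject]@{ SeverityID = 'Total'; Count = $catalog.Count }
}

# Write the summary to %Temp%, alongside the full listing the post produces.
Get-DefenderSeverityCounts |
    Format-Table -AutoSize |
    Out-String |
    Out-File -FilePath (Join-Path $env:TEMP 'DefenderSeverityCounts.txt') -Encoding utf8
```

A row with SeverityID -1 in the output means some catalog entries carry no SeverityID at all, which is worth knowing before treating the per-ID totals as complete.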