nikochal88 / nikochal


windows defender scan #1

Open nikochal88 opened 1 year ago

nikochal88 commented 1 year ago

# Check if the firewall is enabled
$firewallStatus = (Get-NetFirewallProfile).Enabled
if ($firewallStatus -eq $true) {
    Write-Host "Windows Firewall is enabled." -ForegroundColor Green
} else {
    Write-Host "Windows Firewall is not enabled." -ForegroundColor Red
}

# Check if there are any updates to be installed
$updateSession = New-Object -ComObject Microsoft.Update.Session
$updateSearcher = $updateSession.CreateUpdateSearcher()
$searchResult = $updateSearcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$searchResult.Updates | Select-Object -ExpandProperty Title
if ($searchResult.Updates.Count -gt 0) {
    Write-Host "There are updates that need to be installed" -ForegroundColor Red
} else {
    Write-Host "All updates are installed" -ForegroundColor Green
}

# Check Windows Defender status
$defender = Get-MpComputerStatus
if ($defender.DefenderEnabled) {
    Write-Host "Windows Defender is enabled" -ForegroundColor Green
    # Perform full scan in the background and export results to C:\scanresults.txt
    Start-Process -FilePath "powershell.exe" -ArgumentList "-Command `"Start-MpScan -ScanType FullScan | Out-File -FilePath 'C:\scanresults.txt' -Append`"" -NoNewWindow -PassThru
} else {
    Write-Host "Windows Defender is not enabled" -ForegroundColor Red
    # Store the current Defender status
    $currentStatus = $defender.DefenderEnabled
    # Enable Windows Defender
    Set-MpPreference -DisableRealtimeMonitoring $False
    # Perform full scan in the background and export results to C:\scanresults.txt
    Start-Process -FilePath "powershell.exe" -ArgumentList "-Command `"Start-MpScan -ScanType FullScan | Out-File -FilePath 'C:\scanresults.txt' -Append`"" -NoNewWindow -PassThru
    # Restore Defender status
    Set-MpPreference -DisableRealtimeMonitoring $currentStatus
}

bk-cs commented 1 year ago

Try this instead:

# Check if the firewall is enabled
$Message = if ((Get-NetFirewallProfile -EA 0).Enabled -eq $true) { 'enabled' } else { 'not enabled' }
Write-Output ('Windows Firewall is',"$Message." -join ' ')

# Use default Windows Update query to check for available updates
$UpdateSession = New-Object -ComObject Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$SearchResult = $updateSearcher.Search("IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and " +
    "DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and " +
    "RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1")
$Message = if ($searchResult.Updates.Count -gt 0) {
    Write-Output 'There are Windows updates that need to be installed:'
    $SearchResult.Updates | Select-Object -ExpandProperty Title
} else {
    Write-Output 'All updates are installed.'
}
Write-Output $Message

$ArgumentList = '-Command "Start-MpScan -ScanType FullScan | Out-File -FilePath C:\scanresults.txt -Append"'
# Perform full scan in the background and export results to C:\scanresults.txt
$Defender = Get-MpComputerStatus -EA 0
$Message = if ($Defender -and $Defender.DefenderEnabled) {
    Write-Output 'Windows Defender is enabled.'
    Start-Process -FilePath powershell.exe -ArgumentList $ArgumentList -PassThru | ForEach-Object {
        "Started Defender scan. [$($_.Id): $($_.Name)]"
    }
} elseif ($Defender) {
    # Enable defender, scan, and set back to disabled
    Write-Output 'Windows Defender is not enabled.'
    $CurrentStatus = $Defender.DefenderEnabled
    Set-MpPreference -DisableRealtimeMonitoring $False
    Start-Process -FilePath powershell.exe -ArgumentList $ArgumentList -PassThru | ForEach-Object {
        "Started Defender scan. [$($_.Id): $($_.Name)]"
    }
    Set-MpPreference -DisableRealtimeMonitoring $CurrentStatus
} else {
    Write-Output 'Windows Defender PowerShell module is not available.'
}
Write-Output $Message

bk-cs commented 1 year ago

Updated to fix the "Set-MpPreference : Cannot process argument transformation on parameter 'DisableRealtimeMonitoring'. Cannot convert value "" to type "System.Boolean". Boolean parameters accept only Boolean values and numbers, such as $True, $False, 1 or 0." error.

Based on running Start-MpScan on my local computer, I don't believe it outputs anything. The "progress bar" that's displayed in the window cannot be redirected, so I removed the attempt to output to C:\scanresults.txt. After a scan, you'll need to find the results using Get-MpThreat.

# Check if the firewall is enabled
$Message = if ((Get-NetFirewallProfile -EA 0).Enabled -eq $true) { 'enabled' } else { 'not enabled' }
Write-Output ('Windows Firewall is',"$Message." -join ' ')

# Use default Windows Update query to check for available updates
$UpdateSession = New-Object -ComObject Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$SearchResult = $updateSearcher.Search("IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and " +
    "DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and " +
    "RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1")
$Message = if ($searchResult.Updates.Count -gt 0) {
    Write-Output 'There are Windows updates that need to be installed:'
    $SearchResult.Updates | Select-Object -ExpandProperty Title
} else {
    Write-Output 'All Windows updates are installed.'
}
Write-Output $Message

# Perform full scan in the background
$Defender = Get-MpComputerStatus -EA 0
if ($Defender) {
    $Message = if ($Defender.RealTimeProtectionEnabled -eq $true) { 'enabled' } else { 'not enabled' }
    Write-Output ('Windows Defender real-time protection is',"$Message." -join ' ')
    $Param = @{
        FilePath = 'powershell.exe'
        ArgumentList = '-Command "Start-MpScan -ScanType FullScan"'
        PassThru = $true
    }
    Start-Process @Param | ForEach-Object { "Started Defender scan. [$($_.Id): $($_.Name)]" }
} else {
    Write-Output 'Windows Defender PowerShell module is not available. Unable to perform scan.'
}

nikochal88 commented 1 year ago

Hey thanks for all the effort that you have put in.

I was altering the code a little bit in order to make it closer to how I want it to be.

I now have the form below; the only spike I have is that the output is being generated while the scan is in progress, so I don't know if theoretically this is how it should work and "if it will continue to populate the CSV file given the fact that more detections are found".

I would appreciate it if you could have a look and maybe also run it.

# Check if the firewall is enabled
$Message = if ((Get-NetFirewallProfile -EA 0).Enabled -eq $true) {
    Write-Host 'Windows Firewall is enabled' -ForegroundColor Green
} else {
    Write-Host 'Windows Firewall is not enabled' -ForegroundColor Red
}

# Use default Windows Update query to check for available updates
$UpdateSession = New-Object -ComObject Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$SearchResult = $updateSearcher.Search("IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and " +
    "DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and " +
    "RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1")
$Message = if ($searchResult.Updates.Count -gt 0) {
    Write-Host 'There are Windows updates that need to be installed:' -ForegroundColor Red
    $SearchResult.Updates | Select-Object -ExpandProperty Title
} else {
    Write-Host 'All Windows updates are installed.' -ForegroundColor Green
}

# Check if Windows Defender real-time protection is enabled
$Defender = Get-MpComputerStatus -EA 0
if ($Defender) {
    $Message = if ($Defender.RealTimeProtectionEnabled -eq $true) {
        Write-Host 'Windows Defender real-time protection is enabled' -ForegroundColor Green
    } else {
        Write-Host 'Windows Defender real-time protection is not enabled' -ForegroundColor Red
        # Enable Windows Defender real-time protection
        Set-MpPreference -DisableRealtimeMonitoring $false
        Write-Host 'Windows Defender real-time protection has been enabled' -ForegroundColor Green
    }
    # Perform full scan in the background
    $Param = @{
        FilePath = 'powershell.exe'
        ArgumentList = '-Command "Start-MpScan -ScanType FullScan"'
        PassThru = $true
    }
    Start-Process @Param | ForEach-Object { "Started Defender scan. [$($_.Id): $($_.Name)]" }
    # Wait for scan to complete
    # (as written, this loop only keeps sleeping while the state already reads 'Completed',
    # so it falls through immediately and the export below runs before the scan has finished)
    while ((Get-MpComputerStatus).ThreatDetectionState -eq 'Completed') {
        Start-Sleep -Seconds 1
    }
    # Export Threat Detection to a CSV file
    Get-MpThreatDetection | Export-Csv -Path "C:\DefenderThreatDetection.csv"
} else {
    Write-Host 'Windows Defender PowerShell module is not available. Unable to perform scan.' -ForegroundColor Red
}

On Mon 30 Jan 2023 at 7:42 PM, bk-cs @.***> wrote:

bk-cs commented 1 year ago

You can't wait for the scan to complete inside of this script. It will take too long and will time out in Real-time Response -- the same problem that led to using Start-Process. You can instead use Start-Process to launch a more complex script that starts the scan and creates another process to wait for it to complete:

# Perform full scan in the background
$Param = @{
    FilePath = 'powershell.exe'
    ArgumentList = '-Command "Start-MpScan -ScanType FullScan"'
    PassThru = $true
}
Start-Process @Param | ForEach-Object {
    "Started Defender scan. [$($_.Id): $($_.Name)]"
    # Second detached process: wait for the scan process to exit, then export the detections
    Start-Process -FilePath powershell.exe -ArgumentList "Wait-Process -Id $($_.Id); Get-MpThreatDetection | Export-Csv -Path C:\DefenderThreatDetection.csv" -PassThru | ForEach-Object {
        "Started process to wait for scan results. [$($_.Id): $($_.Name)]"
    }
}

Write-Host will not produce any output within RTR and generally shouldn't be used. You need to use Write-Output, as I did in my examples.
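The same idea with one detached child instead of two, as an added example that is not code from this thread or from CrowdStrike: the child runs Start-MpScan synchronously and only then exports, so there is no second process to Wait-Process on, the RTR session returns at once, and a status marker later tells you whether an empty CSV means "no detections" or "the scan never ran" (the question raised further down in the thread). The CSV and marker paths are assumptions chosen for illustration.

```powershell
# Added example, not the thread's own code. Paths below are illustrative assumptions.
$CsvPath    = 'C:\DefenderThreatDetection.csv'
$MarkerPath = 'C:\DefenderScan.status'

# The child command is one line with ';' separators because it travels through
# powershell.exe -Command; `$ escapes keep $d and $_ for the child to expand.
# Start-MpScan blocks until the scan finishes; its progress bar cannot be
# redirected, so nothing from it is captured (see bk-cs's note above).
$ChildCommand = "try { Start-MpScan -ScanType FullScan -ErrorAction Stop; " +
    "`$d = @(Get-MpThreatDetection); " +
    "`$d | Export-Csv -Path '$CsvPath' -NoTypeInformation; " +
    "Set-Content -Path '$MarkerPath' -Value ('completed ' + (Get-Date -Format o) + ' detections=' + `$d.Count) } " +
    "catch { Set-Content -Path '$MarkerPath' -Value ('failed ' + (Get-Date -Format o) + ' ' + `$_.Exception.Message) }"

$Param = @{
    FilePath     = 'powershell.exe'
    ArgumentList = "-NoProfile -NonInteractive -Command $ChildCommand"
    WindowStyle  = 'Hidden'
    PassThru     = $true
}
# Write-Output (implicit here), not Write-Host: RTR only returns the output stream.
Start-Process @Param | ForEach-Object { "Started Defender scan and export. [$($_.Id): $($_.Name)]" }

# In a later RTR session, read the marker to learn whether the scan finished and
# how many detections were exported. With zero detections Export-Csv writes an
# empty or no file, so the marker is what distinguishes "clean" from "never ran":
#   Get-Content C:\DefenderScan.status
```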

nikochal88 commented 1 year ago

Hi again, after many attempts I can confirm that the script works and exports on my personal computer (no CrowdStrike sensor installed).

On the VM that has the sensor installed it runs, however the CSV returns the output as blank. This can happen for 2 reasons: a) there are no threats from "Get-MpThreatDetection" b) the part that says enable real-time protection does not work

And I believe this is the case because when I am running "Get-MpComputerStatus" RealTimeProtectionEnabled is at $false

On RTR it stops after displaying the firewall status with error code: Exception from HRESULT: 0x8024402C

bk-cs commented 1 year ago

This is more of a defender question at this point. Everything is executing via RTR, but it seems like settings aren't properly being applied for Defender itself. Why not use Falcon on-demand scans instead?
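To tell apart the two explanations above (no detections versus real-time protection never coming on), an added example that is not code from this thread: it reads back Get-MpComputerStatus after the Set-MpPreference call instead of trusting that the call worked, and reports the usual reasons a local change is ignored. Property names are those of Get-MpComputerStatus; the function name and verdict strings are my own.

```powershell
# Added example, not the thread's own code.
function Get-DefenderRtpVerdict {
    $Status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $Status) {
        return [pscustomobject]@{ Available = $false; Enabled = $null; Verdict = 'Windows Defender PowerShell module is not available.' }
    }
    $Verdict = if ($Status.RealTimeProtectionEnabled) {
        'Real-time protection is enabled.'
    } elseif ($Status.IsTamperProtected) {
        # Tamper protection rejects local Set-MpPreference changes; the setting must come from the management plane.
        'Real-time protection is disabled and tamper protection blocks local Set-MpPreference changes.'
    } elseif ($Status.AMRunningMode -and $Status.AMRunningMode -ne 'Normal') {
        # Defender drops to passive mode when another AV product (for example a sensor registered as the
        # primary AV) owns real-time protection; Set-MpPreference will not turn it back on in that state.
        "Real-time protection is disabled; Defender is running in '$($Status.AMRunningMode)'."
    } else {
        'Real-time protection is disabled; a policy or preference is keeping it off.'
    }
    [pscustomobject]@{ Available = $true; Enabled = [bool]$Status.RealTimeProtectionEnabled; Verdict = $Verdict }
}

$Before = Get-DefenderRtpVerdict
Write-Output "Before: $($Before.Verdict)"
if ($Before.Available -and -not $Before.Enabled) {
    # Attempt to turn it on, then re-read the status rather than assuming success.
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
    $After = Get-DefenderRtpVerdict
    Write-Output "After:  $($After.Verdict)"
}
```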