Add MS Defender Exclusions

Discussion in 'Scripting' started by l33tissw00t, Nov 9, 2017.

  1. l33tissw00t

    l33tissw00t MDL Senior Member

    So until now I thought the only way to add Defender exclusions (non-GUI) was via registry keys, and that was annoying because administrator didn't have permission to write to those keys, so I had to elevate to SYSTEM or TrustedInstaller (or change permissions on those keys, not a great idea). But now it seems there's a PowerShell script that does it. Was there a CMD way to do it as well? Just scoping out the topic, maybe I'll learn more :)

    Code:
    Registry/CMD:
    
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v %SystemRoot%\system32\SppExtComObjPatcher.exe /d 0 /t "REG_DWORD"
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v %SystemRoot%\system32\SppExtComObjHook.dll /d 0 /t "REG_DWORD"
    
    
    Powershell:
    
    powershell Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp\SppExtComObjHook.dll"
    
     
  2. s1ave77

    s1ave77 MDL Guide Dog/Dev

    No real way in CMD since it's a PowerShell module, but it can be used directly from a CMD file (as your example shows).

    There are two ways to communicate with Defender, via the EXE and via the PS Module. The Registry way is more complicated and only useful to check the exclusions made.

    Code:
    powershell Get-ItemProperty 'hklm:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' ^| Select * -exclude PS* ^| Format-List
     
  3. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Some more commands to maintain Defender:

    Update using MMPC as source (works with WU Service disabled):
    Code:
    powershell "Update-MpSignature -UpdateSource MMPC -Verbose"
    Defender Scan:
    Code:
    powershell "Start-MpScan -ScanType QuickScan"
    powershell "Start-MpScan -ScanType FullScan"
    powershell "Start-MpScan -ScanPath %scanpath% -ScanType CustomScan -Verbose"
    
    List Quarantine:
    Code:
    "%programfiles%\windows defender\mpcmdrun.exe" -restore -listall
    
    Show Threats:
    Code:
    powershell "Get-MpThreat | select ThreatName,Resources,DidThreatExecute,IsActive"
    Settings:
    Code:
    powershell Get-MpPreference
    powershell Set-MpPreference -DisableArchiveScanning $true -Verbose
    
     
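Added example, not part of the thread: the posts above show how exclusions get written and how the list can be read back, so this PowerShell script reviews an exclusion list and marks the entries worth a second look. `Test-MpExclusion`, `Get-MpExclusionList` and the review rules are hypothetical names and heuristics chosen for this illustration, and the sample entries are constructed.

```powershell
# Added example (not from the thread). Function names and review rules are
# hypothetical heuristics for this illustration, not a Microsoft API.
function Test-MpExclusion {
    param(
        [Parameter(Mandatory)][ValidateSet('Path', 'Extension', 'Process')][string]$Kind,
        [Parameter(Mandatory)][string]$Value
    )
    $reasons = @()
    if ($Kind -eq 'Extension') {
        # Excluding an executable or script type skips scanning of that type everywhere.
        if (($Value -replace '^[.*]+', '') -match '^(exe|dll|scr|ps1|bat|cmd|vbs|js)$') {
            $reasons += 'executable or script extension'
        }
    }
    else {
        if ($Value -match '^[A-Za-z]:\\?$') { $reasons += 'entire drive' }
        if ($Value -match '\\(Temp|AppData|Downloads|Users\\Public|ProgramData)(\\|$)') {
            $reasons += 'user-writable location'
        }
        if ($Value -match '\\Windows\\System32\\[^\\]+\.(exe|dll)$') {
            $reasons += 'single binary inside System32'
        }
    }
    [pscustomobject]@{
        Kind    = $Kind
        Value   = $Value
        Review  = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Live source: run elevated on a host that has the Defender module.
function Get-MpExclusionList {
    $pref = Get-MpPreference
    foreach ($kind in 'Path', 'Extension', 'Process') {
        foreach ($value in $pref."Exclusion$kind") {
            if ($value) { @{ Kind = $kind; Value = $value } }
        }
    }
}

# Constructed sample entries so the rules can be exercised offline.
$sample = @(
    @{ Kind = 'Path';      Value = 'C:\Windows\System32\example.dll' }
    @{ Kind = 'Path';      Value = 'C:\Users\alice\AppData\Local\Temp\example.dll' }
    @{ Kind = 'Path';      Value = 'D:\' }
    @{ Kind = 'Extension'; Value = '.ps1' }
    @{ Kind = 'Process';   Value = 'C:\Program Files\Contoso\agent.exe' }
)
foreach ($entry in $sample) { Test-MpExclusion @entry }   # or iterate over (Get-MpExclusionList)
```

Changes to exclusions are also logged as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which gives a timeline to compare against the flagged entries.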