Hey, Scripting Guy! Weekend Scripter: Scripting Microsoft Security Essentials



Microsoft Scripting Guy Ed Wilson here. Today, I finally had time to do something I have been wanting to do for a long time: I played around with Microsoft Security Essentials (the free downloadable anti-malware program from Microsoft). When I say "played around with," I mean I began to see what I could do with it from a scripting perspective. I think Microsoft Security Essentials is pretty cool, and I have even installed it on my mom's computer, which should let you know that I think it is an awesome program. The fact that it is free is just icing on the cake.

I also have it installed on computers in my lab, and because those computers are not always turned on, it is inconvenient when I power them on to have to sit and wait while they download signature updates, do scans, and so on. I wanted the ability to update the virus signature from a script. If I could also launch a quick scan, that would be even better.

As it turns out, there is not an API for Microsoft Security Essentials; however, there is a command-line utility. When using Windows PowerShell, having a command-line utility available to you is just about as good as having an API. I came up with the Invoke-SecurityEssentials.ps1 script seen here to update signatures, and to kick off default scans, quick scans, and full scans.

Invoke-SecurityEssentials.ps1

#Requires -Version 2.0
<#
  .Synopsis
    Runs Microsoft Security Essentials to scan or update anti-virus pattern
  .Example
    Invoke-SecurityEssentials.ps1 -UpdateSignature
    Updates antivirus and malicious software pattern
  .Example
    Invoke-SecurityEssentials.ps1 -DefaultScan
    Updates antivirus and malicious software pattern and performs default scan
  .Example
    Invoke-SecurityEssentials.ps1 -quickScan
    Updates antivirus and malicious software pattern and performs a quick scan
  .Example
    Invoke-SecurityEssentials.ps1 -fullScan
    Updates antivirus and malicious software pattern and performs a full scan
  .Notes
    NAME:  Invoke-SecurityEssentials.ps1
    AUTHOR: Ed Wilson
    LASTEDIT: 4/30/2010
    KEYWORDS: Windows PowerShell, Scripting Guy, security, antivirus, WES-5-16-10
  .Link
    Http://www.ScriptingGuys.com
    Http://bit.ly/hsgblog
    Http://bit.ly/WeekendScripter
#>
Param(
 [switch]$updateSignature,
 [switch]$defaultScan,
 [switch]$quickScan,
 [switch]$fullScan
)

Function Invoke-SecurityEssentials
{
 # $action is the switch parameter that was passed ($true). Each case evaluates
 # its own script-level switch and compares it with $action, so the case whose
 # switch is set is the one that runs.
 Param($action)
 $path = "c:\program files\microsoft security essentials\MPCMDRUN.EXE"
 Switch ($action)
  {
   $updateSignature { &$path -signatureUpdate }
   $defaultScan { &$path -scan }
   $quickScan { &$path -scan -scantype 1 }   # -scantype 1 is a quick scan
   $fullScan { &$path -scan -scantype 2 }    # -scantype 2 is a full scan
  } #end switch
} #end function Invoke-SecurityEssentials

Function Get-Results
{
 # The event source registered by Security Essentials is "Microsoft Antimalware"
 Get-EventLog -LogName system -Source "Microsoft Antimalware" -Newest 2 |
 Format-Table -Property timewritten, message -Wrap -auto
} # end function Get-Results

# *** entry point to script ***
If($updateSignature)
 { Invoke-SecurityEssentials -action $updateSignature ;  Exit }
If($defaultScan)
 { Invoke-SecurityEssentials -action $defaultScan ; Get-Results ; Exit }
If($quickScan)
 { Invoke-SecurityEssentials -action $quickScan ; Get-Results ; Exit }
If($fullScan)
 { Invoke-SecurityEssentials -action $fullScan ; Get-Results ; Exit }

The script itself uses command-line parameters to allow you to perform the different actions. An If statement looks for the command-line parameters and passes the appropriate action to the Invoke-SecurityEssentials function. This portion of the script is shown here:

# *** entry point to script ***

If($updateSignature)
 { Invoke-SecurityEssentials -action $updateSignature ;  Exit }
If($defaultScan)
 { Invoke-SecurityEssentials -action $defaultScan ; Get-Results ; Exit }
If($quickScan)
 { Invoke-SecurityEssentials -action $quickScan ; Get-Results ; Exit }
If($fullScan)
 { Invoke-SecurityEssentials -action $fullScan ; Get-Results ; Exit }

Inside the Invoke-SecurityEssentials function, a Switch statement is used to parse the input action and choose the appropriate command line. This is shown here:

Param($action)
 $path = "c:\program files\microsoft security essentials\MPCMDRUN.EXE"
 Switch ($action)
  {
   $updateSignature { &$path -signatureUpdate }
   $defaultScan { &$path -scan }
   $quickScan { &$path -scan -scantype 1 }
   $fullScan { &$path -scan -scantype 2 }
  } #end switch

After the appropriate command line has completed, control of the script returns to the calling code. When the function runs, no feedback is produced on the command line. The event log seen in the following image records the start time and the end time of the Security Essentials scan.

Image of event log that records start time and end time of scan
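
Because MpCmdRun.exe prints nothing back to the console, a wrapper that checks the exit code is the only way to see from the script whether an update or scan actually ran. The following is an added example, not the article's script: it looks for MpCmdRun.exe in both install folders named on this page (the original folder and the "Microsoft Security Client" folder reported in the comments), takes the action as a validated string instead of four switches, and fails loudly on a non-zero exit code. The Get-MpCmdRunPath and Invoke-MpCmdRun names are my own, and the assumption that MpCmdRun signals failure with a non-zero exit code is mine.

```powershell
# Added example (not the article's script): locate MpCmdRun.exe in either
# install folder named on this page, validate the action, and surface the
# exit code, since MpCmdRun writes nothing back to the console.
Param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('UpdateSignature', 'DefaultScan', 'QuickScan', 'FullScan')]
    [string]$Action
)

Function Get-MpCmdRunPath
{
    # Original install folder from the article, plus the "Microsoft Security
    # Client" folder that a later comment reports as the new location.
    $candidates = @(
        (Join-Path $env:ProgramFiles 'Microsoft Security Essentials\MpCmdRun.exe'),
        (Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe')
    )
    foreach ($candidate in $candidates) {
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    throw "MpCmdRun.exe not found. Looked in: $($candidates -join '; ')"
}

Function Invoke-MpCmdRun
{
    Param([string]$Action)
    $exe = Get-MpCmdRunPath
    # Same switches the article passes, keyed by a string instead of a [switch].
    $arguments = @(switch ($Action) {
        'UpdateSignature' { '-SignatureUpdate' }
        'DefaultScan'     { '-Scan' }
        'QuickScan'       { '-Scan'; '-ScanType'; '1' }
        'FullScan'        { '-Scan'; '-ScanType'; '2' }
    })
    & $exe @arguments
    # Assumption: MpCmdRun signals failure with a non-zero exit code.
    if ($LASTEXITCODE -ne 0) {
        throw "MpCmdRun $Action failed with exit code $LASTEXITCODE"
    }
    "MpCmdRun $Action finished with exit code 0"
}

Invoke-MpCmdRun -Action $Action
```

Run it as `.\Invoke-MpCmdRun.ps1 -Action QuickScan`; a failed run ends in a terminating error instead of silently returning to the prompt.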


The Get-Results function is used to query for the two most recent events related to the antivirus program. This code is shown here:

Get-EventLog -LogName system -Source "Microsoft Antimalware" -Newest 2 |
Format-Table -Property timewritten, message -Wrap -auto

When the script has run, the results seen in the following image are displayed.

Image of results of script running


Because I used help tags when I was writing the script, you can receive command-line assistance from the Get-Help cmdlet. The help tags are shown here:

#Requires -Version 2.0
<#
  .Synopsis
    Runs Microsoft Security Essentials to scan or update anti-virus pattern
  .Example
    Invoke-SecurityEssentials.ps1 -UpdateSignature
    Updates antivirus and malicious software pattern
  .Example
    Invoke-SecurityEssentials.ps1 -DefaultScan
    Updates antivirus and malicious software pattern and performs default scan
  .Example
    Invoke-SecurityEssentials.ps1 -quickScan
    Updates antivirus and malicious software pattern and performs a quick scan
  .Example
    Invoke-SecurityEssentials.ps1 -fullScan
    Updates antivirus and malicious software pattern and performs a full scan
  .Notes
    NAME:  Invoke-SecurityEssentials.ps1
    AUTHOR: Ed Wilson
    LASTEDIT: 4/30/2010
    KEYWORDS: Windows PowerShell, Scripting Guy, security, antivirus, WES-5-16-10
  .Link
    Http://www.ScriptingGuys.com
    Http://bit.ly/hsgblog
    Http://bit.ly/WeekendScripter
#>

When you call the script with Get-Help, the output shown in the following image appears.

Image of output of calling script with Get-Help


Well, that is about all there is to playing around with Microsoft Security Essentials and Windows PowerShell. If you want to know exactly what we will be looking at tomorrow, follow us on Twitter or Facebook. If you have any questions, send e-mail to us at scripter@microsoft.com or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.


Ed Wilson and Craig Liebendorfer, Scripting Guys

  • Is there a way to query the status of Security Essentials from the command line or PowerShell? I've got Security Essentials running on computers in a lab (a mix of XP, 7 x32, and 7 x64). I'd like to create a report to show each of these four items for each computer in the lab:

    1) Real time protection status (e.g. On)

    2) Virus and spyware definitions (e.g. Up to date)

    3) Last scan (e.g. 5/16/2013)

    4) Next scheduled scan (e.g. 5/23/2013)

    Thanks in advance for any help!

  • @Dean, look back at the article above. I am calling the command line MPCMDRUN.EXE. To see all it can do, use MPCMDRUN.EXE /? to see the help. Note, this is not in your path by default, so you will need to go to the directory where it installs.

    For checking when it ran, also see above where I query the appropriate events from the event log.

  • Ed, thanks for the response. The Get-Results function shows you the last two events. If I force a scan, then Get-Results will show me the results of the scan because they'll be the latest two events. I'm trying to query status, though, without forcing any action, so there is no guarantee Event 1001 is one of the two most recent events.

    I changed the PowerShell command to:

    Get-EventLog -LogName system -Source "Microsoft Antimalware" | Where-Object {$_.EventID -eq 1001} | Select-Object -first 1 | Format-Table -Property timewritten, message -Wrap -auto

    which gives me the results of the last scan. I'm looking to write just the time and date of the message into a text file. Is there an easy way to do that? Sorry if that's a dumb question, I'm new to PowerShell.

    I can use the same logic to get the current virus signature by changing the EventID to 2000. I need to extract the signature version for the text file which I imagine will be a similar method to extracting date/time above.

    How about the other two items I mentioned:

    1) Real time protection status (e.g. On)

    4) Next scheduled scan (e.g. 5/23/2013)

    Thanks again!
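
For the two items the thread does resolve (last scan time from event 1001, signature version from event 2000), the following is an added example, not Ed's script or the commenter's code. It filters the System log by event ID the way the comment above does, pulls the date and the signature version out of the event, and appends them to a text file. The event-ID meanings and the "Current Signature Version:" wording in the 2000 message are assumptions about the event text, and the report path and function names are my own.

```powershell
# Added example (not the article's or the commenter's code): report the last
# scan time and current signature version from the Microsoft Antimalware
# events this thread discusses, then append them to a text file.
# Assumptions (labelled): event 1001 = completed scan, event 2000 = signature
# update, and the 2000 message contains "Current Signature Version: <n.n.n.n>".
Function Get-LatestAntimalwareEvent
{
    Param([int]$EventId)
    # Get-EventLog returns newest first, so the first match is the latest one.
    Get-EventLog -LogName System -Source 'Microsoft Antimalware' |
        Where-Object { $_.EventID -eq $EventId } |
        Select-Object -First 1
}

Function Get-SignatureVersion
{
    Param([string]$Message)
    # Pull the version out of the free-text message; $null if the format differs.
    if ($Message -match 'Current Signature Version:\s*([\d\.]+)') { return $Matches[1] }
    return $null
}

Function Get-AntimalwareStatus
{
    $scan = Get-LatestAntimalwareEvent -EventId 1001
    $sig  = Get-LatestAntimalwareEvent -EventId 2000
    $status = New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        LastScan         = $null
        SignatureUpdated = $null
        SignatureVersion = $null
    }
    if ($scan) { $status.LastScan = $scan.TimeWritten }
    if ($sig) {
        $status.SignatureUpdated = $sig.TimeWritten
        $status.SignatureVersion = Get-SignatureVersion -Message $sig.Message
    }
    $status
}

# Report file path is an example value, not from the page.
$report = Join-Path $env:TEMP 'mse-status.txt'
Get-AntimalwareStatus |
    ForEach-Object { "{0}`t{1}`t{2}`t{3}" -f $_.Computer, $_.LastScan, $_.SignatureVersion, $_.SignatureUpdated } |
    Out-File -FilePath $report -Append -Encoding UTF8
Get-Content -Path $report
```

Real-time protection state and the next scheduled scan are not recorded in these two events, so this example leaves those items out.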

  • Just FYI, they have changed the path you have:
    $path = "c:\program files\microsoft security essentials\MPCMDRUN.EXE"
    It is now
    "c:\program files\microsoft security client\MPCMDRUN.EXE"
    Everything else runs great; it just needs the new path.