Windows Defender auto virus definition update

Hi,

Is there any way that we can auto update Windows Defender virus definitions and apply them to the relevant machines at some time frequency?

Right now the Windows Defender update wizard downloads the latest definition, whichever is available at a given point of time.

Basically we need to update the prefetch block to get the latest definition data for an open action.

No direct option, but using an external source, specifically a PS script, it can be achieved:

  1. Download the definition files
  2. Convert them into local prefetch values
  3. Build a generic task based on XML with the prefetch values and map them as an action script
  4. Put the task or post it as an action.

All of the above should be part of a PS script, and configure a scheduled task on the master server which will invoke this PS script to run at a certain time period.

It was implemented long back for one of our clients; I didn’t find the script, else I could have shared it.

2 Likes

You could also execute the signature update when the local defs are over x days old, so no need to worry about the full MPAM and the complications of that being updated by MS 3 times a day. Unfortunately it’s a WMI-based inspection, but if the definition age is either -1 (indicates no defs are in use) or > 3 then the endpoint is relevant to run the update command.

(it = -1 or it > 3) of (string value of select "AntispywareSignatureAge from AntimalwareHealthStatus" of wmi "root\Microsoft\SecurityClient" as integer | 0)

The update command pulls the path of the service to pull the current signatures from the MS public location. If within a certain number of days old, it will use the delta update so it does not require the full MPAM.

waithidden "{preceding text of last "\" of substrings separated by "%22" of (expand x64 environment strings of (values "ImagePath" of keys (("HKLM\System\CurrentControlSet\Services\" & it) of service names of services ("WinDefend")) of native registry as string)) & "\MpCmdRun.exe"}" -signatureupdate -mmpcrefresh

This isn’t a silver bullet but it can help in some cases.

2 Likes
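The same staleness rule applied locally in PowerShell, as an added example that is not part of the post above: read the signature age, treat -1 (no definitions in use) or more than 3 days as stale, resolve MpCmdRun.exe from the WinDefend service ImagePath the way the action script does, and run the signature update. One caveat about the relevance above that this example handles differently: the `| 0` fallback turns a failed WMI query into an age of 0, so an endpoint where the query errors looks current rather than stale; the function below returns -1 in that case. Assumptions: `Get-MpComputerStatus` is used as a fallback where the `root\Microsoft\SecurityClient` namespace is absent, and the update switches are written `-SignatureUpdate -MMPC` as in MpCmdRun's own help output.

```powershell
# Added example (not from the original post): decide on one endpoint whether a
# Defender signature update is needed, using the thread's rule (-1 or > 3 days),
# then locate MpCmdRun.exe via the WinDefend service and run the update.

function Get-DefenderSignatureAge {
    # Query the same WMI class the relevance uses; fall back to the Defender
    # cmdlet where that namespace does not exist. Return -1 when nothing can be
    # read, so a failed query counts as "no definitions in use", not as fresh.
    $age = $null
    try {
        $h = Get-CimInstance -Namespace 'root\Microsoft\SecurityClient' `
                             -ClassName 'AntimalwareHealthStatus' -ErrorAction Stop |
             Select-Object -First 1
        if ($h) { $age = $h.AntispywareSignatureAge }
    } catch { }
    if ($null -eq $age) {
        try { $age = (Get-MpComputerStatus -ErrorAction Stop).AntispywareSignatureAge } catch { }
    }
    if ($null -eq $age) { return -1 }
    return [int]$age
}

function Test-SignatureUpdateNeeded {
    param([int]$AgeDays, [int]$MaxAgeDays = 3)
    # Mirrors "(it = -1 or it > 3)" from the relevance above.
    return ($AgeDays -eq -1 -or $AgeDays -gt $MaxAgeDays)
}

function Get-MpCmdRunPath {
    # Mirrors the action script: take the WinDefend ImagePath, strip the quotes,
    # keep the directory of the service binary and append MpCmdRun.exe.
    $imagePath = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' `
                                   -Name ImagePath).ImagePath
    $exe = [Environment]::ExpandEnvironmentVariables($imagePath.Trim('"'))
    return Join-Path (Split-Path -Parent $exe) 'MpCmdRun.exe'
}

$age = Get-DefenderSignatureAge
if (Test-SignatureUpdateNeeded -AgeDays $age) {
    $mpcmd = Get-MpCmdRunPath
    Write-Output "Signature age $age day(s): running $mpcmd -SignatureUpdate -MMPC"
    & $mpcmd -SignatureUpdate -MMPC
    exit $LASTEXITCODE
} else {
    Write-Output "Signature age $age day(s): current, nothing to do"
}
```

Run it elevated; MpCmdRun needs administrative rights to apply the update, and the exit code is passed through so a scheduled task or action can record failure rather than silently reporting success.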

I do use this approach too, as well as having clients try the internal signature update from the command line.

I have a fixlet with secure parameters that is only relevant on the main server and will download the MPAMs from Microsoft, copy them to the uploads folder, pull the file information and create an XML to update an existing custom fixlet via REST. The XML to update the fixlet is uploaded using IEMCLI.exe, then an XML to deploy the fixlet action to all relevant computers is uploaded. It uses secure parameters as the ops can supply their password, which is passed to IEMCLI.exe so it can upload the XMLs. The fixlet will reapply every 3 days so it’s always deploying a current MPAM to the endpoints that are out of date.

4 Likes
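The server-side half of both procedures above (the four-step PS script in the earlier reply and the download/upload/REST flow in this one), as an added example that is neither of the posters' code nor the linked fixlet: download the definition package, compute the prefetch values an action needs, place the file under the server's Uploads tree so agents fetch a fixed copy, wrap everything in a single-action XML and optionally POST it to the REST API. Assumptions, all placeholders to adjust: the root server URL, the Uploads directory path, the action title, and the download link, which is Microsoft's published x64 mpam-fe.exe fwlink and should be checked for your platform.

```powershell
# Added example (not from the posts above or the linked fixlet). Builds and
# optionally posts a BigFix single action that deploys a freshly downloaded
# Defender definition package. Server URL, Uploads path and title are
# placeholders; the Microsoft download link is assumed, verify it before use.

function Get-PrefetchValues {
    param([Parameter(Mandatory)][string]$Path)   # local copy of the downloaded package
    # Both hashes bind the action to this exact binary: an agent whose download
    # does not match refuses to run it. That is why the action must be
    # regenerated whenever Microsoft republishes the package.
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Name   = $item.Name
        Size   = $item.Length
        Sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
        Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    }
}

function New-PrefetchLine {
    param([Parameter(Mandatory)]$Values, [Parameter(Mandatory)][string]$Url)
    return "prefetch $($Values.Name) sha1:$($Values.Sha1) size:$($Values.Size) $Url sha256:$($Values.Sha256)"
}

function New-SingleActionXml {
    param(
        [Parameter(Mandatory)][string]$PrefetchLine,
        [Parameter(Mandatory)][string]$FileName,
        [string]$Title = 'Defender definitions - generated',   # placeholder title
        # Same staleness rule as the relevance earlier in the thread.
        [string]$Relevance = '(it = -1 or it > 3) of (string value of select "AntispywareSignatureAge from AntimalwareHealthStatus" of wmi "root\Microsoft\SecurityClient" as integer | 0)'
    )
    $actionScript = "$PrefetchLine`r`nwaithidden __Download\$FileName"
    # Relevance contains quotes and '>' so every text node is XML-escaped.
    return @"
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
  <SingleAction>
    <Title>$([System.Security.SecurityElement]::Escape($Title))</Title>
    <Relevance>$([System.Security.SecurityElement]::Escape($Relevance))</Relevance>
    <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">$([System.Security.SecurityElement]::Escape($actionScript))</ActionScript>
    <SuccessCriteria Option="RunToCompletion" />
    <Target>
      <AllComputers>true</AllComputers>
    </Target>
  </SingleAction>
</BES>
"@
}

function Send-BigFixAction {
    param(
        [Parameter(Mandatory)][string]$RootServer,
        [Parameter(Mandatory)][string]$Xml,
        [Parameter(Mandatory)][pscredential]$Credential   # prompted, never embedded
    )
    # POST /api/actions creates the action and returns its id.
    return Invoke-RestMethod -Uri "$RootServer/api/actions" -Method Post -Credential $Credential `
        -ContentType 'application/xml' -Body $Xml
}

# ---- usage --------------------------------------------------------------
$rootServer  = 'https://bigfix.example.com:52311'                     # placeholder
$uploadsRoot = 'C:\Program Files (x86)\BigFix Enterprise\BES Server\wwwrootbes\Uploads'  # placeholder
$msUrl       = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'  # assumed x64 link
$local       = Join-Path $env:TEMP 'mpam-fe.exe'

Invoke-WebRequest -Uri $msUrl -OutFile $local -UseBasicParsing
$v = Get-PrefetchValues -Path $local

# Serve the hashed copy from the server's Uploads tree (<sha1>\<name>) so the
# action is not tied to whatever Microsoft publishes later the same day.
$dest = Join-Path $uploadsRoot $v.Sha1
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Copy-Item -LiteralPath $local -Destination (Join-Path $dest $v.Name) -Force
$agentUrl = "$rootServer/Uploads/$($v.Sha1)/$($v.Name)"

$xml = New-SingleActionXml -PrefetchLine (New-PrefetchLine -Values $v -Url $agentUrl) -FileName $v.Name
$xml | Set-Content -LiteralPath (Join-Path $env:TEMP 'defender-action.xml') -Encoding UTF8

# Uncomment to deploy; the operator is prompted for REST credentials.
# $cred = Get-Credential -Message 'BigFix REST operator'
# Send-BigFixAction -RootServer $rootServer -Xml $xml -Credential $cred
```

The XML is also written to disk so it can be uploaded with IEMCLI.exe as the post describes instead of `Invoke-RestMethod`; on PowerShell 7 a root server with a self-signed certificate additionally needs `-SkipCertificateCheck` on the REST call, or a trusted certificate installed, which is the better fix.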

I’ve removed any company-specific references to the fixlet I created. If anyone wants to use / adapt it to their own use case: https://github.com/RobG-BF/Bigfix/blob/main/[PROD]%20MPAM%20-%20Definition%20Download%20%26%20Deployment%20(As%20current%20op).bes

Update line 42 of the BES file with the fixlet ID you want it to update.
Update lines 199 and 217 of the BES file with the site name of the fixlet ID (currently uses “IT Support”).
The fixlet that updates endpoints also adds a counter under HKEY_LOCAL_MACHINE\SOFTWARE\Company\Bigfix. Update this with a path of your choice, or remove it if you don’t worry about how many times an endpoint is getting fixed this way (line 116).

4 Likes

Fixlets that build other Fixlets are some of my favorite!
Do you clean out the old action when taking the new one?
I wonder if your action might want to only target Windows machines instead of all computers?

I’ll be the first to admit there are certainly areas for improvement with this one @brolly33 and tweaking the relevance for the child fixlet is certainly one of those. The action deployed from the child fixlet does expire after 3 days and for us, we wanted to have that history for an interim period and manually cleanup…better still, automate with another REST API solution :wink:

1 Like