PowerShell: Automated Defender Log Analyser

My Windows Defender Log Analyzer is a PowerShell script that automates the collection, extraction, and analysis of Windows Defender logs. It helps system administrators and security professionals quickly identify potential security issues, scan anomalies, and performance problems in a Windows Defender installation.

Key Features

Automated Log Collection

  1.    Executes the Windows Defender diagnostic tool (MpCmdRun.exe -GetFiles)
  2.    Automatically locates and extracts the generated diagnostic files
  3.    Uses multiple extraction methods to ensure compatibility across different Windows environments
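
As an added example (not the author's script, which is not published on this page), the collection and extraction steps above can be implemented as follows. The output folder name, the helper names and the order of the extraction fallbacks are my assumptions; the MpCmdRun.exe locations and the Support folder path are the standard ones. Run it from an elevated PowerShell prompt, because -GetFiles needs administrator rights.

```powershell
# Added example, not the page's script. Output folder name, function names and
# the order of extraction fallbacks are assumptions. Run from an elevated prompt:
# MpCmdRun.exe -GetFiles needs administrator rights.
function Get-MpCmdRunPath {
    # Current builds keep MpCmdRun.exe under ProgramData\...\Platform\<version>\;
    # the legacy Program Files location is the fallback.
    $platform = "$env:ProgramData\Microsoft\Windows Defender\Platform"
    $latest = Get-ChildItem $platform -Directory -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    foreach ($candidate in @(
            $(if ($latest) { Join-Path $latest.FullName 'MpCmdRun.exe' }),
            "$env:ProgramFiles\Windows Defender\MpCmdRun.exe")) {
        if ($candidate -and (Test-Path $candidate)) { return $candidate }
    }
    throw 'MpCmdRun.exe not found'
}

function Invoke-DefenderCollection {
    # Runs -GetFiles, waits for it, then copies the newest MpSupportFiles.cab
    # out of the Support folder into $Destination.
    param([string]$Destination)
    $proc = Start-Process -FilePath (Get-MpCmdRunPath) -ArgumentList '-GetFiles' -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "MpCmdRun -GetFiles exited with code $($proc.ExitCode)" }
    $support = "$env:ProgramData\Microsoft\Windows Defender\Support"
    $cab = Get-ChildItem $support -Filter 'MpSupportFiles.cab' -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $cab) { throw "MpSupportFiles.cab not found under $support" }
    Copy-Item $cab.FullName -Destination $Destination -Force
    return (Join-Path $Destination $cab.Name)
}

function Expand-DefenderCab {
    # Tries expand.exe, then the Shell.Application COM object, then 7-Zip.
    # Returns the name of the method that produced files.
    param([string]$CabPath, [string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # 1. expand.exe ships with every Windows build; -F:* extracts all members.
    & "$env:SystemRoot\System32\expand.exe" '-F:*' $CabPath $Destination | Out-Null
    if ($LASTEXITCODE -eq 0 -and (Get-ChildItem $Destination -File)) { return 'expand.exe' }

    # 2. Explorer can browse CAB files, so the shell COM object can copy them out.
    #    CopyHere is asynchronous; 0x4 suppresses the progress UI, 0x10 answers "yes to all".
    try {
        $shell = New-Object -ComObject Shell.Application
        $shell.NameSpace($Destination).CopyHere($shell.NameSpace($CabPath).Items(), 0x14)
        Start-Sleep -Seconds 2
        if (Get-ChildItem $Destination -File) { return 'Shell.Application' }
    } catch { Write-Verbose "COM extraction failed: $_" }

    # 3. 7-Zip, if it is on the PATH or in its default install location.
    $sevenZip = (Get-Command 7z.exe -ErrorAction SilentlyContinue).Source
    if (-not $sevenZip -and (Test-Path "$env:ProgramFiles\7-Zip\7z.exe")) { $sevenZip = "$env:ProgramFiles\7-Zip\7z.exe" }
    if ($sevenZip) {
        & $sevenZip x $CabPath "-o$Destination" -y | Out-Null
        if ($LASTEXITCODE -eq 0) { return '7-Zip' }
    }
    throw "Could not extract $CabPath with any available method"
}

# Output directory next to the script (or the current directory when pasted interactively).
$baseDir   = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
$outputDir = Join-Path $baseDir 'DefenderLogsAnalysis'
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null
$cab    = Invoke-DefenderCollection -Destination $outputDir
$method = Expand-DefenderCab -CabPath $cab -Destination (Join-Path $outputDir 'Extracted')
Write-Host "Extracted $cab into $outputDir\Extracted using $method"
```

The CAB is copied out of the Support folder before extraction so that the analysis never writes into Defender's own directory, and each fallback is only tried when the previous one left no files behind.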

Comprehensive Log Analysis

  1. Scans through all Windows Defender log files systematically
  2. Detects errors, warnings, and critical issues
  3. Identifies abnormal scan patterns and unscheduled scans
  4. Analyzes both text logs and Windows event logs (.evtx files)

Detailed Reporting

  1. Creates separate log files for different types of issues:

     Error details log
     Warning details log
     Critical issues log
     Scan activity log

  2. Generates a concise summary report with actionable recommendations
  3. Provides counts of different issue types for quick assessment

All reports are plain text files; an example of the summary output appears at the end of this post.

System Status Check

  1. Retrieves the current Windows Defender configuration
  2. Checks for outdated virus definitions
  3. Verifies real-time protection status
  4. Reviews recent scan history and scheduled scan configuration
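
The status check, as an added example rather than the author's code: it uses the Defender module's Get-MpComputerStatus and Get-MpPreference cmdlets to cover the four points above. The thresholds and the wording of the findings are my assumptions; the property and preference names are the module's own.

```powershell
# Added example, not the page's script. Thresholds and finding texts are
# assumptions; property/preference names are those of the Defender module.
function Get-DefenderStatusFindings {
    param([int]$MaxSignatureAgeDays = 3, [int]$MaxFullScanAgeDays = 30)
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]
    $days     = 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'

    # Protection state
    if (-not $status.AntivirusEnabled)          { $findings.Add('CRITICAL: antivirus engine is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('CRITICAL: real-time protection is disabled') }
    if ($pref.DisableRealtimeMonitoring)        { $findings.Add('CRITICAL: DisableRealtimeMonitoring is set in preferences') }
    if ($status.IsTamperProtected -eq $false)   { $findings.Add('WARNING: tamper protection is off') }

    # Definitions: AntivirusSignatureAge is in days, 0 means updated today
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("WARNING: signatures are $($status.AntivirusSignatureAge) days old " +
                      "(version $($status.AntivirusSignatureVersion), updated $($status.AntivirusSignatureLastUpdated))")
    }

    # Scan history: FullScanAge is [uint32]::MaxValue when no full scan has ever completed
    if ($status.FullScanAge -eq [uint32]::MaxValue) {
        $findings.Add('WARNING: no full scan has ever completed')
    } elseif ($status.FullScanAge -gt $MaxFullScanAgeDays) {
        $findings.Add("WARNING: last full scan finished $($status.FullScanAge) days ago ($($status.FullScanEndTime))")
    }

    # Schedule: ScanScheduleDay 0 = every day, 1..7 = Sunday..Saturday, 8 = never;
    # ScanParameters 1 = quick scan, 2 = full scan
    $type = if ($pref.ScanParameters -eq 2) { 'full' } else { 'quick' }
    switch ($pref.ScanScheduleDay) {
        8       { $findings.Add('WARNING: no scheduled scan configured (ScanScheduleDay = 8)') }
        0       { $findings.Add("INFO: $type scan scheduled every day at $($pref.ScanScheduleTime)") }
        default { $findings.Add("INFO: $type scan scheduled on $($days[$_ - 1]) at $($pref.ScanScheduleTime)") }
    }
    return $findings
}

Get-DefenderStatusFindings | ForEach-Object { Write-Output $_ }
```

The cmdlets read live state, so this part of the check describes the machine the script runs on, not the machine whose CAB file is being analysed; keep that in mind when analysing a support package copied from another host.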
The Process Flow

The Windows Defender Log Analyzer script operates through a series of steps, each building on the previous one:

  1. Initialization Phase
    • The script creates a dedicated output directory in the same location where it's run
    • It establishes log files for tracking the analysis process and findings
    • All paths and variables are set up to ensure proper operation across different systems
  2. Log Collection Phase
    • The script locates MpCmdRun.exe and executes it with the -GetFiles parameter
    • This command instructs Windows Defender to compile its diagnostic information
    • The script monitors the process to ensure it completes successfully
    • The result is a CAB file (MpSupportFiles.cab) containing compressed Windows Defender logs
  3. Extraction Phase
    • The script searches for the generated CAB file, typically in the Windows Defender Support directory (%ProgramData%\Microsoft\Windows Defender\Support)
    • It implements multiple extraction methods (expand.exe, a COM object, and 7-Zip if available)
    • These fallback mechanisms ensure the script works across different Windows environments
    • The logs are extracted to an organized folder structure for analysis
  4. Analysis Phase
    • The script systematically examines each extracted log file through specialized functions:
      • Text logs are processed with pattern matching to identify issues
      • Event logs (.evtx) are analyzed using Get-WinEvent for structured data extraction
      • Current Windows Defender status is retrieved using PowerShell cmdlets
    • During analysis, the script tracks:
      • Error counts and detailed error messages
      • Warning and critical issue identification
      • Scan patterns, including abnormal or interrupted scans
      • Unscheduled security operations
  5. Classification Phase
    • As issues are identified, they're categorized by severity and type
    • Each issue is recorded in dedicated log files for easy review:
      • Errors go to DefenderErrorDetails.log
      • Warnings go to DefenderWarningDetails.log
      • Critical issues go to DefenderCriticalDetails.log
      • Scan information goes to DefenderScanDetails.log
  6. Reporting Phase
    • The script generates a concise summary report (DefenderQuickSummary.txt)
    • The summary includes counts of issues found and links to detailed logs
    • Custom recommendations are provided based on the specific issues detected
    • Output includes paths to all log files and extracted data for further investigation
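
The analysis, classification and reporting phases (and the "Comprehensive Log Analysis" feature list earlier) as one added example, not the author's script. The regular expressions, the high-error threshold, the assumed Extracted folder layout and the constructed sample log lines are mine; the event IDs are those of the Microsoft-Windows-Windows Defender/Operational log. Run it after the CAB has been expanded into DefenderLogsAnalysis\Extracted; when no extracted files are present it falls back to the constructed sample so the pipeline can be tried offline.

```powershell
# Added example, not the page's script. Regexes, thresholds, file names and the
# event-ID tables are assumptions; the IDs are Defender Operational-log IDs
# (1002 scan stopped, 1005 scan failed, 1116 malware detected, 5001 real-time off).
$Patterns = [ordered]@{
    Critical = '\b(critical|fatal)\b'
    Error    = '\b(error|failed|failure)\b'
    Warning  = '\bwarn(ing)?\b'
    Scan     = '\bscan\b.*\b(cancel{1,2}ed|stopped|aborted|failed|interrupted)\b'
}
$DetailFiles = @{
    Critical = 'DefenderCriticalDetails.log'; Error = 'DefenderErrorDetails.log'
    Warning  = 'DefenderWarningDetails.log';  Scan  = 'DefenderScanDetails.log'
}
$ScanEventIds     = @{ 1002 = 'scan stopped before completion'; 1005 = 'scan failed' }
$CriticalEventIds = @{ 1116 = 'malware detected'; 5001 = 'real-time protection disabled' }

function Add-Finding {
    # Counts the finding and appends it to the detail log for its category.
    param([hashtable]$Counts, [string]$Category, [string]$Source, [string]$Text, [string]$OutputDir)
    $Counts[$Category]++
    Add-Content -Path (Join-Path $OutputDir $DetailFiles[$Category]) -Value "[$Source] $Text"
}

function Invoke-TextLogAnalysis {
    # Pass a full path: ReadLines resolves relative paths against the .NET working directory.
    param([string]$LogPath, [hashtable]$Counts, [string]$OutputDir)
    $name = Split-Path $LogPath -Leaf
    foreach ($line in [System.IO.File]::ReadLines($LogPath)) {
        foreach ($sev in 'Critical', 'Error', 'Warning') {      # most severe match wins
            if ($line -match $Patterns[$sev]) { Add-Finding $Counts $sev $name $line $OutputDir; break }
        }
        if ($line -match $Patterns.Scan) { Add-Finding $Counts 'Scan' $name $line $OutputDir }  # counted separately
    }
}

function Invoke-EvtxAnalysis {
    param([string]$EvtxPath, [hashtable]$Counts, [string]$OutputDir)
    $name = Split-Path $EvtxPath -Leaf
    # Message is null when the Defender provider is not registered on the analysing host.
    foreach ($ev in @(Get-WinEvent -Path $EvtxPath -ErrorAction SilentlyContinue)) {
        $text = '{0:u} Id={1} {2}' -f $ev.TimeCreated, $ev.Id, ("$($ev.Message)" -replace '\s+', ' ')
        if ($CriticalEventIds.ContainsKey($ev.Id) -or $ev.Level -eq 1) { Add-Finding $Counts 'Critical' $name $text $OutputDir }
        elseif ($ev.Level -eq 2) { Add-Finding $Counts 'Error'   $name $text $OutputDir }  # Level: 1 critical, 2 error, 3 warning
        elseif ($ev.Level -eq 3) { Add-Finding $Counts 'Warning' $name $text $OutputDir }
        if ($ScanEventIds.ContainsKey($ev.Id)) { Add-Finding $Counts 'Scan' $name $text $OutputDir }
    }
}

function Write-DefenderSummary {
    param([hashtable]$Counts, [string]$OutputDir, [int]$HighErrorThreshold = 100)  # threshold is an assumption
    $rec = New-Object System.Collections.Generic.List[string]
    if ($Counts.Critical -gt 0) { $rec.Add("URGENT: Review the $($Counts.Critical) critical issues (see $($DetailFiles.Critical))") }
    if ($Counts.Scan -gt 0)     { $rec.Add("* Investigate $($Counts.Scan) abnormal scan events (see $($DetailFiles.Scan))") }
    if ($Counts.Error -gt $HighErrorThreshold) { $rec.Add("* Review the high number of errors ($($Counts.Error)) (see $($DetailFiles.Error))") }
    $rec.Add('* Ensure Windows Defender is up-to-date and real-time protection is enabled')
    $lines = @("Windows Defender Log Analysis - $(Get-Date -Format u)", '', 'COUNTS:') +
             @($Counts.Keys | Sort-Object | ForEach-Object { '  {0,-9}{1}' -f $_, $Counts[$_] }) +
             @('', 'RECOMMENDATIONS:') + $rec
    Set-Content -Path (Join-Path $OutputDir 'DefenderQuickSummary.txt') -Value $lines
    return $Counts
}

# Driver: $Extracted is where the support CAB was expanded (assumed layout).
$OutputDir = Join-Path $PWD.Path 'DefenderLogsAnalysis'
$Extracted = Join-Path $OutputDir 'Extracted'
New-Item -ItemType Directory -Path $Extracted -Force | Out-Null
$DetailFiles.Values | ForEach-Object { Remove-Item (Join-Path $OutputDir $_) -ErrorAction SilentlyContinue }  # fresh run
if (-not (Get-ChildItem $Extracted -File)) {
    # Constructed sample lines (not real MPLog content) so the pipeline can be exercised offline.
    @('2024-01-15T09:00:01Z Scan started (quick)',
      '2024-01-15T09:04:12Z Error: scan cancelled by user',
      '2024-01-15T10:00:00Z Warning: signature update delayed',
      '2024-01-15T11:30:45Z Critical: engine initialization failed') |
        Set-Content (Join-Path $Extracted 'MPLog-sample.log')
}
$counts = @{ Critical = 0; Error = 0; Warning = 0; Scan = 0 }
Get-ChildItem $Extracted -Recurse -Include *.log, *.txt | ForEach-Object { Invoke-TextLogAnalysis $_.FullName $counts $OutputDir }
Get-ChildItem $Extracted -Recurse -Filter *.evtx      | ForEach-Object { Invoke-EvtxAnalysis $_.FullName $counts $OutputDir }
Write-DefenderSummary $counts $OutputDir | Format-Table -AutoSize
```

Severity is assigned once per line (the first of Critical, Error, Warning that matches), while abnormal-scan lines are counted independently, which is why an error count and a scan count can both be large for the same set of logs, as in the recommendations shown later on this page.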
Data Flow

Information flows through the script in a consistent manner:

  1. Raw logs are collected from Windows Defender →
  2. Logs are extracted and organized →
  3. Pattern matching and event analysis extract relevant data →
  4. Issues are categorized and recorded in specific log files →
  5. Statistical analysis creates summary information →
  6. Recommendations are generated based on findings →
  7. User-friendly reports are created for review

This approach turns scattered log data into organized findings that help maintain Windows Defender's effectiveness and overall system security.

These are some screenshots of the script running. This is the initial stage:

Then we move on to the next two phases, log collection and extraction:


Then we move on to steps 4 and 5, analysis and classification:


Then the final stage is the reporting data, which you can look at manually if required:


You will also receive recommendations; these are the ones generated on my system:

RECOMMENDATIONS:

URGENT: Review the 163 critical issues found in the logs
    (see detailed entries in C:\Quarantine\DefenderLogAnalyser\DefenderLogsAnalysis\DefenderCriticalDetails.log)
  * Investigate 9505 abnormal scan events
    (scans that were cancelled, stopped, or failed)
    (see detailed entries in C:\Quarantine\DefenderLogAnalyser\DefenderLogsAnalysis\DefenderScanDetails.log)
  * Review the high number of errors (15999) found in the logs
    (see detailed entries in C:\Quarantine\DefenderLogAnalyser\DefenderLogsAnalysis\DefenderErrorDetails.log)
  * Ensure Windows Defender is up-to-date and real-time protection is enabled
  * Run a full scan if one hasn't been completed recently
  * Ensure scheduled scans are properly configured

Where is the script?

If you would like the script please let me know by using the contact form on the website navigation.

