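<#
.SYNOPSIS
    Pops a tray balloon when Microsoft Defender real-time monitoring is switched off.

.DESCRIPTION
    Registers a *temporary* WMI event subscription (it lives only as long as this
    PowerShell session) that polls root\microsoft\windows\defender every 5 seconds
    for an __InstanceModificationEvent on MSFT_MpPreference where
    DisableRealtimeMonitoring became True, and raises a System.Windows.Forms
    balloon tip on the interactive desktop.

    Caveats a defender should know before relying on this:
    - WITHIN 5 is a polling interval: a disable/re-enable that completes inside
      that window can be missed entirely.
    - Only *modifications* fire. If real-time monitoring is already off when this
      script runs, no event is raised.
    - The query cannot tell a local change from a remote one, so the alert text
      must not claim either.
    - Anyone with the rights to disable Defender can also end this session or
      unregister the subscriber. Treat this as a tripwire for the logged-on user,
      not as a tamper-proof control.
    - The NotifyIcon is kept in $global:balmsg so the tray icon is not
      garbage-collected while the balloon is on screen; call Dispose() on it
      when removing the subscription.
    - NOTE(review): Register-WMIEvent is the Windows PowerShell cmdlet; newer
      hosts may only offer Register-CimIndicationEvent — confirm on the target.
#>

# Load WinForms up front: a failure here is visible at registration time,
# whereas an exception thrown inside an event -Action is swallowed into the
# subscriber's error stream and never shown to the user.
Add-Type -AssemblyName System.Windows.Forms

$DefenderNotify = @{
    # MSFT_MpPreference.DisableRealtimeMonitoring flips to True when real-time
    # protection is turned off (Set-MpPreference, policy, or a tampering process).
    Query            = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Namespace        = 'root\microsoft\windows\defender'
    SourceIdentifier = 'Defender.DisableRealtimeMonitoring'
    Action           = {
        # Global scope keeps the NotifyIcon referenced after the action returns.
        $global:balmsg = New-Object System.Windows.Forms.NotifyIcon
        # Borrow the icon of the hosting process (powershell.exe / pwsh.exe).
        $hostPath = (Get-Process -Id $PID).Path
        $global:balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($hostPath)
        $global:balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning
        # The event only proves that the setting changed, not who changed it or
        # from where, so the message states the fact and nothing more.
        $global:balmsg.BalloonTipText = 'MS Defender real-time monitoring has been disabled'
        $global:balmsg.BalloonTipTitle = "Alert from Administrator for $Env:USERNAME"
        $global:balmsg.Visible = $true
        # Balloon stays up for 20 seconds (duration is in milliseconds).
        $global:balmsg.ShowBalloonTip(20000)
    }
}

# Re-running the script in the same session must not fail with
# "a subscriber with this source identifier already exists".
if (Get-EventSubscriber -SourceIdentifier $DefenderNotify.SourceIdentifier -ErrorAction SilentlyContinue) {
    Unregister-Event -SourceIdentifier $DefenderNotify.SourceIdentifier
}
$Null = Register-WMIEvent @DefenderNotify

# Uninstall:
#   Unregister-Event -SourceIdentifier Defender.DisableRealtimeMonitoring
#   if ($global:balmsg) { $global:balmsg.Dispose() }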