Public/Get-MpAllowedThreats.ps1
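function Get-MpAllowedThreats {
    <#
    .SYNOPSIS
        Gets threats allowed by Windows Defender.
    .DESCRIPTION
        Returns the threats that have been explicitly allowed in Windows Defender
        settings: every entry of ThreatIDDefaultAction_Ids whose paired
        ThreatIDDefaultAction_Actions value is 6 (Allow). Each ID is resolved to a
        name through the script-scoped threat list. An ID with no match in that list
        is still reported, with ThreatName set to "Unknown".
    .EXAMPLE
        Get-MpAllowedThreats
    .OUTPUTS
        System.Object[]
        Objects with ThreatID and ThreatName properties. $null is returned when
        initialization fails or an exception is caught.
    .NOTES
        An Allow entry is an exception to Defender's remediation for that threat ID,
        so this list is a useful audit input. Entries named "Unknown" cannot be tied
        to a detection in the loaded threat list and deserve a closer look.
    #>
    [CmdletBinding()]
    param()

    try {
        # Initialize-MPThreats is defined outside this function. It is presumably what
        # fills $Script:mpallow and $Script:mpthreats - confirm against its definition.
        $initResult = Initialize-MPThreats
        if (-not $initResult) {
            Write-Error "Failed to initialize threat data"
            return $null
        }

        # Script-scoped data shared with the rest of the module.
        $mpallow = $Script:mpallow
        $mpthreats = $Script:mpthreats

        # Ids and Actions are parallel arrays: Actions[$i] is the default action for Ids[$i].
        $ids = $mpallow.ThreatIDDefaultAction_Ids
        $actions = $mpallow.ThreatIDDefaultAction_Actions

        # 6 is the Allow value among Defender's threat default actions.
        $allowAction = 6

        # A length mismatch means some IDs cannot be paired with an action and would
        # silently drop out of the report, so say so instead of staying quiet.
        if ($ids.Count -ne $actions.Count) {
            Write-Warning "ThreatIDDefaultAction_Ids and ThreatIDDefaultAction_Actions differ in length; unpaired entries are not evaluated"
        }

        # Collect the loop's output directly rather than growing an array with +=,
        # which copies the whole array on every append.
        $allowedThreats = @(
            for ($i = 0; $i -lt $ids.Count; $i++) {
                $allow_tid = $ids[$i]

                if ($actions[$i] -eq $allowAction) {
                    # Where-Object returns every matching row. If the threat list holds
                    # the same ThreatID more than once, member access on the result
                    # would yield arrays, so keep only the first match to keep
                    # ThreatID and ThreatName scalar.
                    $allow_threat = $mpthreats |
                        Where-Object { $_.ThreatID -eq $allow_tid } |
                        Select-Object -First 1

                    if ($null -ne $allow_threat) {
                        # Known threat: report the ID together with its name.
                        [PSCustomObject]@{
                            ThreatID   = $allow_threat.ThreatID
                            ThreatName = $allow_threat.ThreatName
                        }
                    }
                    else {
                        # Allowed ID that is absent from the threat list: keep it visible.
                        [PSCustomObject]@{
                            ThreatID   = $allow_tid
                            ThreatName = "Unknown"
                        }
                    }
                }
            }
        )

        return $allowedThreats
    }
    catch {
        Write-Error "An error occurred while getting allowed threats: $_"
        return $null
    }
}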