{"id":534768,"date":"2025-09-30T18:41:06","date_gmt":"2025-09-30T18:41:06","guid":{"rendered":"https:\/\/www.ninjaone.com\/?post_type=script_hub&#038;p=534768"},"modified":"2025-09-30T18:41:06","modified_gmt":"2025-09-30T18:41:06","slug":"lancer-une-analyse-windows-defender-avec-powershell","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/fr\/script-hub\/lancer-une-analyse-windows-defender-avec-powershell\/","title":{"rendered":"How to Start a Windows Defender Scan with PowerShell"},"content":{"rendered":"<p>Malware detection and endpoint protection are essential pillars of the IT landscape, especially for organizations that manage a distributed network of endpoints. Whether the goal is protecting devices against ransomware or ensuring compliance with <a href=\"https:\/\/www.ninjaone.com\/fr\/it-hub\/endpoint-security\/qu-est-ce-que-la-cybersecurite\/\">cybersecurity<\/a> frameworks, running regular antivirus scans is a non-negotiable task. Automating these scans with scripts not only reduces overhead but also ensures consistency across environments. 
This blog post looks at a complete PowerShell script that lets IT professionals <strong>start a Windows Defender scan<\/strong>, manage its run time, and record the results, all through automation.<\/p>\n<h2>Background<\/h2>\n<p>Microsoft Defender, formerly known as <a href=\"https:\/\/www.ninjaone.com\/fr\/blog\/detecter-les-logiciels-malveillants\/\">Windows Defender<\/a>, is built into all modern Windows operating systems and provides a solid baseline of antivirus protection. However, managing and triggering Defender scans at scale, across a fleet of remote devices, can be tedious without automation. This script is intended for IT administrators and managed service providers (MSPs) who use tools such as NinjaOne to streamline security operations.<\/p>\n<p>The PowerShell script builds on Defender&rsquo;s command-line capabilities and extends them with event log parsing, result formatting, and optional integration with NinjaOne&rsquo;s WYSIWYG custom fields. 
It solves two major problems:<\/p>\n<ol>\n<li><strong>Automation<\/strong> &#8211; Triggering scans programmatically.<\/li>\n<li><strong>Accountability<\/strong> &#8211; Capturing detailed results for auditing or dashboard reporting.<\/li>\n<\/ol>\n<h2>The script:<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\">#Requires -Version 5.1\r\n\r\n&lt;#\r\n.SYNOPSIS\r\n    Starts a Windows Defender scan.\r\n.DESCRIPTION\r\n    This script starts a Windows Defender scan based on the specified scan type and path. It also handles timeouts and saves the scan results to a Wysiwyg custom field if specified.\r\nBy using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
\r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n\r\n.PARAMETER PathToScan\r\n    The path to scan. This is only required if the scan type is Custom.\r\n\r\n.PARAMETER ScanType\r\n    The type of scan to perform. Options are Quick, Full, or Custom. Default is Quick.\r\n\r\n.PARAMETER TimeoutInMinutes\r\n    The timeout in minutes for the scan. Default is 120 minutes.\r\n\r\n.PARAMETER ForceStopOnTimeout\r\n    If specified, the scan will be forcefully stopped if it exceeds the timeout.\r\n\r\n.PARAMETER WysiwygCustomFieldName\r\n    The name of the Wysiwyg custom field to store the scan results.\r\n\r\n.EXAMPLE\r\n    -ScanType \"Quick\"\r\n    ## EXAMPLE OUTPUT WITH pathToScanForCustomScan ##\r\n    [Info] Installed Antivirus: Windows Defender\r\n    [Info] Starting Windows Defender scan:\r\n    [Info] Quick selected, will scan the system drive(C:), and will timeout in 120 minutes.\r\n    [Info] Starting job for a Quick scan on the system drive.\r\n    [Info] Job completed.\r\n    [Info] Scan completed successfully.\r\n    [Info] Scan results:\r\n\r\n    Name   : Virus:DOS\/EICAR_Test_File\r\n    Action : Quarantine\r\n    Path   : C:\\test\\eicarcom2.zip\r\n            C:\\test\\eicarcom2.zip-&gt;eicar_com.zip-&gt;eicar.com\r\n    Time   : 3\/24\/2025 10:12:32 AM\r\n    SHA1   : bec1b52d350d721c7e22a6d4bb0a92909893a3ae\r\n    SHA256 : e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397\r\n\r\n.EXAMPLE\r\n    -ScanType \"Full\"\r\n    ## EXAMPLE OUTPUT WITH scanType ##\r\n    [Info] Installed Antivirus: Windows Defender\r\n    [Info] Starting Windows Defender scan:\r\n    [Info] Full selected, 
will scan the system drive(C:), and will timeout in 120 minutes.\r\n    [Info] Starting job for a Full scan on the system drive.\r\n    [Info] Job completed.\r\n    [Info] Scan completed successfully.\r\n    [Info] Scan results:\r\n\r\n    Name   : Virus:DOS\/EICAR_Test_File\r\n    Action : Quarantine\r\n    Path   : C:\\test\\eicarcom2.zip\r\n            C:\\test\\eicarcom2.zip-&gt;eicar_com.zip-&gt;eicar.com\r\n    Time   : 3\/24\/2025 10:12:32 AM\r\n    SHA1   : bec1b52d350d721c7e22a6d4bb0a92909893a3ae\r\n    SHA256 : e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397\r\n\r\n.EXAMPLE\r\n    -ScanType \"Custom\" -PathToScan \"C:\\test\"\r\n    ## EXAMPLE OUTPUT WITH scanType ##\r\n    [Info] Installed Antivirus: Windows Defender\r\n    [Info] Starting Windows Defender scan:\r\n    [Info] Custom selected, will scan the path provided(C:\\test), and will timeout in 120 minutes.\r\n    [Info] Starting job for a Custom scan on the system drive.\r\n    [Info] Job completed.\r\n    [Info] Scan completed successfully.\r\n    [Info] Scan results:\r\n\r\n    Name   : Virus:DOS\/EICAR_Test_File\r\n    Action : Quarantine\r\n    Path   : C:\\test\\eicarcom2.zip\r\n            C:\\test\\eicarcom2.zip-&gt;eicar_com.zip-&gt;eicar.com\r\n    Time   : 3\/24\/2025 10:12:32 AM\r\n    SHA1   : bec1b52d350d721c7e22a6d4bb0a92909893a3ae\r\n    SHA256 : e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397\r\n\r\n.EXAMPLE\r\n    -ForceStopOnTimeout -TimeoutInMinutes 120\r\n    ## EXAMPLE OUTPUT WITH forceStopOnTimeout ##\r\n    [Info] Installed Antivirus: Windows Defender\r\n    [Info] Starting Windows Defender scan:\r\n    [Info] Quick selected, will scan the system drive(C:), and will timeout in 120 minutes.\r\n    [Info] Starting job for a Quick scan on the system drive.\r\n    [Info] Job completed.\r\n    [Error] Scan exceeded the timeout of 120 minutes. 
Stopping the scan.\r\n\r\n.EXAMPLE\r\n    -WysiwygCustomFieldName \"WindowsDefenderScanResults\"\r\n    ## EXAMPLE OUTPUT WITH wysiwygCustomFieldName ##\r\n    [Info] Installed Antivirus: Windows Defender\r\n    [Info] Starting Windows Defender scan:\r\n    [Info] Quick selected, will scan the system drive(C:), and will timeout in 120 minutes.\r\n    [Info] Starting job for a Quick scan on the system drive.\r\n    [Info] Job completed.\r\n    [Info] Scan completed successfully.\r\n    [Info] Attempting to set Custom Field 'WindowsDefenderScanResults'.\r\n    [Info] Successfully set Custom Field 'WindowsDefenderScanResults'!\r\n    [Info] Scan results:\r\n\r\n    Name   : Virus:DOS\/EICAR_Test_File\r\n    Action : Quarantine\r\n    Path   : C:\\test\\eicarcom2.zip\r\n            C:\\test\\eicarcom2.zip-&gt;eicar_com.zip-&gt;eicar.com\r\n    Time   : 3\/24\/2025 10:12:32 AM\r\n    SHA1   : bec1b52d350d721c7e22a6d4bb0a92909893a3ae\r\n    SHA256 : e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397\r\n\r\n\r\n.NOTES\r\n    Minimum OS Architecture Supported: Windows 10, Windows Server 2016\r\n    Release Notes: Initial Release\r\n#&gt;\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    [string]$PathToScan,\r\n    [string]$ScanType,\r\n    [int]$TimeoutInMinutes,\r\n    [switch]$ForceStopOnTimeout,\r\n    [string]$WysiwygCustomFieldName\r\n)\r\n\r\nbegin {\r\n\r\n    function Set-CustomField {\r\n        [CmdletBinding()]\r\n        Param(\r\n            [Parameter(Mandatory = $True)]\r\n            [String]$Name,\r\n            [Parameter()]\r\n            [String]$Type,\r\n            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]\r\n            $Value,\r\n            [Parameter()]\r\n            [String]$DocumentName,\r\n            [Parameter()]\r\n            [Switch]$Piped\r\n        )\r\n        # Remove the non-breaking space character\r\n        if ($Type -eq \"WYSIWYG\") {\r\n            $Value = $Value -replace '\u00a0', '&amp;nbsp;'\r\n        
}\r\n        \r\n        # Measure the number of characters in the provided value\r\n        $Characters = $Value | ConvertTo-Json | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n    \r\n        # Throw an error if the value exceeds the character limit of 200,000 characters\r\n        if ($Piped -and $Characters -ge 200000) {\r\n            throw [System.ArgumentOutOfRangeException]::New(\"Character limit exceeded: the value is greater than or equal to 200,000 characters.\")\r\n        }\r\n    \r\n        if (!$Piped -and $Characters -ge 45000) {\r\n            throw [System.ArgumentOutOfRangeException]::New(\"Character limit exceeded: the value is greater than or equal to 45,000 characters.\")\r\n        }\r\n        \r\n        # Initialize a hashtable for additional documentation parameters\r\n        $DocumentationParams = @{}\r\n    \r\n        # If a document name is provided, add it to the documentation parameters\r\n        if ($DocumentName) { $DocumentationParams[\"DocumentName\"] = $DocumentName }\r\n        \r\n        # Define a list of valid field types\r\n        $ValidFields = \"Attachment\", \"Checkbox\", \"Date\", \"Date or Date Time\", \"Decimal\", \"Dropdown\", \"Email\", \"Integer\", \"IP Address\", \"MultiLine\", \"MultiSelect\", \"Phone\", \"Secure\", \"Text\", \"Time\", \"URL\", \"WYSIWYG\"\r\n    \r\n        # Warn the user if the provided type is not valid\r\n        if ($Type -and $ValidFields -notcontains $Type) { Write-Warning \"$Type is an invalid type. 
Please check here for valid types: https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality\" }\r\n        \r\n        # Define types that require options to be retrieved\r\n        $NeedsOptions = \"Dropdown\"\r\n    \r\n        # If the property is being set in a document or field and the type needs options, retrieve them\r\n        if ($DocumentName) {\r\n            if ($NeedsOptions -contains $Type) {\r\n                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2&gt;&amp;1\r\n            }\r\n        }\r\n        else {\r\n            if ($NeedsOptions -contains $Type) {\r\n                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2&gt;&amp;1\r\n            }\r\n        }\r\n        \r\n        # Throw an error if there was an issue retrieving the property options\r\n        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }\r\n            \r\n        # Process the property value based on its type\r\n        switch ($Type) {\r\n            \"Checkbox\" {\r\n                # Convert the value to a boolean for Checkbox type\r\n                $NinjaValue = [System.Convert]::ToBoolean($Value)\r\n            }\r\n            \"Date or Date Time\" {\r\n                # Convert the value to a Unix timestamp for Date or Date Time type\r\n                $Date = (Get-Date $Value).ToUniversalTime()\r\n                $TimeSpan = New-TimeSpan (Get-Date \"1970-01-01 00:00:00\") $Date\r\n                $NinjaValue = $TimeSpan.TotalSeconds\r\n            }\r\n            \"Dropdown\" {\r\n                # Convert the dropdown value to its corresponding GUID\r\n                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header \"GUID\", \"Name\"\r\n                $Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID\r\n            \r\n          
      # Throw an error if the value is not present in the dropdown options\r\n                if (!($Selection)) {\r\n                    throw [System.ArgumentOutOfRangeException]::New(\"Value is not present in dropdown options.\")\r\n                }\r\n            \r\n                $NinjaValue = $Selection\r\n            }\r\n            default {\r\n                # For other types, use the value as is\r\n                $NinjaValue = $Value\r\n            }\r\n        }\r\n            \r\n        # Set the property value in the document if a document name is provided\r\n        if ($DocumentName) {\r\n            $CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2&gt;&amp;1\r\n        }\r\n        else {\r\n            try {\r\n                # Otherwise, set the standard property value\r\n                if ($Piped) {\r\n                    $CustomField = $NinjaValue | Ninja-Property-Set-Piped -Name $Name 2&gt;&amp;1\r\n                }\r\n                else {\r\n                    $CustomField = Ninja-Property-Set -Name $Name -Value $NinjaValue 2&gt;&amp;1\r\n                }\r\n            }\r\n            catch {\r\n                Write-Host -Object \"[Error] Failed to set custom field.\"\r\n                throw $_.Exception.Message\r\n            }\r\n        }\r\n            \r\n        # Throw an error if setting the property failed\r\n        if ($CustomField.Exception) {\r\n            throw $CustomField\r\n        }\r\n    }\r\n\r\n    function Get-DefenderScanResults {\r\n\r\n        $EventTypes = @(\r\n            # Windows Defender event types:\r\n            # https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/troubleshoot-microsoft-defender-antivirus\r\n            [PSCustomObject]@{Id = 1006; Name = \"MALWARE_DETECTED\" }\r\n            [PSCustomObject]@{Id = 1007; Name = \"MALWARE_ACTION_TAKEN\" }\r\n            [PSCustomObject]@{Id = 1008; Name = 
\"MALWARE_ACTION_FAILED\" }\r\n            [PSCustomObject]@{Id = 1009; Name = \"QUARANTINE_RESTORE\" }\r\n            [PSCustomObject]@{Id = 1010; Name = \"QUARANTINE_RESTORE_FAILED\" }\r\n            [PSCustomObject]@{Id = 1011; Name = \"QUARANTINE_DELETE\" }\r\n            [PSCustomObject]@{Id = 1012; Name = \"QUARANTINE_DELETE_FAILED\" }\r\n            [PSCustomObject]@{Id = 1013; Name = \"MALWARE_HISTORY_DELETE\" }\r\n            [PSCustomObject]@{Id = 1014; Name = \"MALWARE_HISTORY_DELETE_FAILED\" }\r\n            [PSCustomObject]@{Id = 1015; Name = \"BEHAVIOR_DETECTED\" }\r\n            [PSCustomObject]@{Id = 1116; Name = \"STATE_MALWARE_DETECTED\" }\r\n            [PSCustomObject]@{Id = 1117; Name = \"STATE_MALWARE_ACTION_TAKEN\" }\r\n            [PSCustomObject]@{Id = 1118; Name = \"STATE_MALWARE_ACTION_FAILED\" }\r\n            [PSCustomObject]@{Id = 1119; Name = \"STATE_MALWARE_ACTION_CRITICALLY_FAILED\" }\r\n        )\r\n\r\n        # Get the last scan start event (Event ID 1000)\r\n        $lastScan = Get-WinEvent -FilterHashtable @{\r\n            LogName = 'Microsoft-Windows-Windows Defender\/Operational'\r\n            ID      = 1000\r\n        } -ErrorAction SilentlyContinue | Sort-Object TimeCreated -Descending | Select-Object -First 1\r\n\r\n        if (-not $lastScan) {\r\n            # Warn if no scan start event is found\r\n            Write-Host \"[Warn] No scan start event (ID 1000) found in event logs.\"\r\n            return\r\n        }\r\n\r\n        $scanStartTime = $lastScan.TimeCreated\r\n\r\n        # Get detection events (Event ID 1119) that occurred after the scan started\r\n        $detectionEvents = Get-WinEvent -FilterHashtable @{\r\n            LogName = 'Microsoft-Windows-Windows Defender\/Operational'\r\n            ID      = $EventTypes.Id\r\n        } -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -ge $scanStartTime }\r\n\r\n        # Process each event to extract Name, Action, and Path using regex\r\n        
$results = foreach ($event in $detectionEvents) {\r\n            $message = $event.Message\r\n\r\n            $name = ([regex]::Match($message, \"Name:\\s*(.+)\").Groups[1].Value).Trim()\r\n            $action = ([regex]::Match($message, \"Action:\\s*(.+)\").Groups[1].Value).Trim()\r\n            $path = ([regex]::Match($message, \"Path:\\s*(.+)\").Groups[1].Value).Trim()\r\n\r\n            if ($name -and $path) {\r\n                # Create a custom object with the extracted information\r\n                [PSCustomObject]@{\r\n                    Name   = $name\r\n                    Action = \"$(\r\n                        if ($action) {\r\n                            $action\r\n                        } else {\r\n                            $(\r\n                                # Get the event name based on the event ID\r\n                                $eventTypes | Where-Object { $_.Id -eq $event.Id } | Select-Object -ExpandProperty Name -First 1\r\n                            ) -replace '_', ' '\r\n                        }\r\n                        # Convert to uppercase using the casing rules of the invariant culture.\r\n                        )\".ToUpperInvariant()\r\n                    Path   = $path -replace '[a-z]+:_' -split ';'\r\n                    Time   = $event.TimeCreated\r\n                }\r\n            }\r\n        }\r\n        return $results\r\n    }\r\n\r\n    function Get-DetectedThreats {\r\n        [CmdletBinding()]\r\n        Param()\r\n\r\n        # Initialize a list to store parsed threat information\r\n        $Threats = Get-DefenderScanResults\r\n\r\n        # Initialize lists to store parsed results\r\n        $parsedSDNQuery = [System.Collections.Generic.List[PSCustomObject]]::new()\r\n\r\n        # Get the path to the Windows Defender logs\r\n        $MpLogsPath = \"$env:ProgramData\\Microsoft\\Windows Defender\\Support\"\r\n\r\n        # Get the Windows Defender logs\r\n        $MpLogs = Get-ChildItem -Path $MpLogsPath 
-Filter \"MpLog*.log\" -File -ErrorAction SilentlyContinue\r\n\r\n        # Begin Resource Scan\r\n        $MpLogs | ForEach-Object {\r\n            # Read the file line by line\r\n            $lines = Get-Content -Path $_.FullName\r\n\r\n            foreach ($line in $lines) {\r\n                # Parse SDN query events (now includes both SHA1 and SHA256)\r\n                if ($line -match \"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z?) SDN:Issuing SDN query for (\\\\?.+?) \\((\\\\?.+?)\\) \\(sha1=(\\w{40}), sha2=(\\w{64})\\)\") {\r\n                    $timestamp = ($matches[1] | Get-Date).ToUniversalTime()\r\n                    $filePath = $matches[2]\r\n                    $sha1 = $matches[4]\r\n                    $sha256 = $matches[5]\r\n\r\n                    # Store SDN query result\r\n                    $parsedSDNQuery.Add(\r\n                        [PSCustomObject]@{\r\n                            Timestamp = $timestamp\r\n                            Path      = $filePath -replace '\\\\\\\\\\?\\\\'\r\n                            SHA1      = $sha1\r\n                            SHA256    = $sha256\r\n                        }\r\n                    )\r\n                }\r\n            }\r\n        }\r\n\r\n        # Process each threat to add SHA1 and SHA256 hashes if available\r\n        $Threats | ForEach-Object {\r\n            $ThreatInfo = $_\r\n            # Find the corresponding SHA1 and SHA256 hashes by matching the path\r\n            $SHAs = $parsedSDNQuery | Where-Object { $($_.Path | Split-Path -Leaf) -in $($ThreatInfo.Path | Split-Path -Leaf) } | Select-Object -First 1\r\n\r\n            if ($SHAs) {\r\n                $ThreatInfo | Add-Member -MemberType NoteProperty -Name \"SHA1\" -Value ($SHAs | Select-Object -ExpandProperty SHA1)\r\n                $ThreatInfo | Add-Member -MemberType NoteProperty -Name \"SHA256\" -Value ($SHAs | Select-Object -ExpandProperty SHA256)\r\n                $ThreatInfo | Add-Member -MemberType 
NoteProperty -Name \"Link\" -Value \"https:\/\/www.virustotal.com\/gui\/search\/$($SHAs | Select-Object -ExpandProperty SHA1)\"\r\n            }\r\n            else {\r\n                $ThreatInfo | Add-Member -MemberType NoteProperty -Name \"SHA1\" -Value \"Unavailable\"\r\n                $ThreatInfo | Add-Member -MemberType NoteProperty -Name \"SHA256\" -Value \"Unavailable\"\r\n                $ThreatInfo | Add-Member -MemberType NoteProperty -Name \"Link\" -Value \"\"\r\n            }\r\n\r\n            # Output the results\r\n            Write-Output $ThreatInfo\r\n        }\r\n    }\r\n\r\n    function ConvertTo-HtmlTable {\r\n        param (\r\n            [Parameter(Mandatory = $true)]\r\n            [System.Collections.Generic.List[Object]]\r\n            $Objects\r\n        )\r\n        $StringBuilder = New-Object System.Text.StringBuilder\r\n\r\n        # Create the HTML table header\r\n        $StringBuilder.Append('&lt;table&gt;&lt;thead&gt;&lt;tr&gt;') | Out-Null\r\n        $($Objects | Select-Object -First 1).PSObject.Properties.Name | ForEach-Object { $StringBuilder.Append(\"&lt;th&gt;$_&lt;\/th&gt;\") | Out-Null }\r\n        $StringBuilder.Append('&lt;\/tr&gt;&lt;\/thead&gt;&lt;tbody&gt;') | Out-Null\r\n\r\n        # Loop through each object and create a table row for each\r\n        $Objects | ForEach-Object {\r\n            $CurrentObject = $_\r\n\r\n            $StringBuilder.Append(\"&lt;tr&gt;\") | Out-Null\r\n            $CurrentObject.PSObject.Properties.Name | ForEach-Object {\r\n                $Name = $_\r\n                $StringBuilder.Append(\"&lt;td&gt;$($CurrentObject.$Name)&lt;\/td&gt;\") | Out-Null\r\n            }\r\n            $StringBuilder.Append('&lt;\/tr&gt;') | Out-Null\r\n        }\r\n        # Create the HTML table footer\r\n        $StringBuilder.Append('&lt;\/tbody&gt;&lt;\/table&gt;') | Out-Null\r\n\r\n        # Return the HTML table as a string\r\n        return $StringBuilder.ToString()\r\n    }\r\n\r\n    # Output 
the installed antivirus products\r\n    $(\r\n        if ($PSVersionTable.PSVersion.Major -lt 3) {\r\n            Get-WmiObject -Class antivirusproduct -Namespace root\\securitycenter2 -ErrorAction SilentlyContinue\r\n        }\r\n        else {\r\n            Get-CimInstance -ClassName antivirusproduct -Namespace root\\securitycenter2 -ErrorAction SilentlyContinue\r\n        }\r\n    ) | Select-Object -Property displayName | ForEach-Object {\r\n        Write-Host \"[Info] Installed Antivirus: $($_.displayName)\"\r\n    }\r\n\r\n    # Check if the Windows Defender module is available\r\n    if ($(Get-Command -Module Defender).Count -eq 0) {\r\n        Write-Host \"[Error] The Windows Defender is not available. Please ensure that the Windows Defender is installed.\"\r\n        exit 1\r\n    }\r\n\r\n    # Check if Windows Defender is enabled, regardless of the operating system\r\n    $DefenderStatus = Get-MpComputerStatus\r\n\r\n    # Check if Windows Defender is enabled\r\n    if ($DefenderStatus.AntivirusEnabled -eq $false -and $DefenderStatus.AntispywareEnabled -eq $false) {\r\n        Write-Host \"[Error] Windows Defender is not enabled. Please enable Windows Defender before starting a scan.\"\r\n        exit 1\r\n    }\r\n    if ($DefenderStatus.AMRunningMode -like \"Not running\" -or $DefenderStatus.AMRunningMode -like \"Disabled\") {\r\n        Write-Host \"[Error] Windows Defender is disabled or is not running. 
Please start Windows Defender before starting a scan.\"\r\n        exit 1\r\n    }\r\n\r\n    # Get script variables from environment variables\r\n    if (\"$env:pathToScanForCustomScan\".Trim()) {\r\n        $PathToScan = \"$env:pathToScanForCustomScan\".Trim()\r\n    }\r\n\r\n    # Check if the path to scan exists\r\n    if ($PathToScan -and -not (Test-Path $PathToScan)) {\r\n        Write-Host \"[Error] The path ($PathToScan) does not exist.\"\r\n        exit 1\r\n    }\r\n\r\n    if ($env:scanType) {\r\n        $ScanType = $env:scanType\r\n    }\r\n\r\n    if ($ScanType -notlike \"Custom\" -and $PathToScan) {\r\n        Write-Host \"[Error] The path to scan ($PathToScan) can only be used when the scan type is Custom.\"\r\n        exit 1\r\n    }\r\n\r\n    if ($env:timeoutInMinutes) {\r\n        try {\r\n            [int]$value = $env:timeoutInMinutes\r\n        }\r\n        catch {\r\n            Write-Host \"[Error] The Timeout In Minutes value ($env:timeoutInMinutes) is not a valid integer. Must be a positive integer and less than ($([int]::MaxValue)).\"\r\n            exit 1\r\n        }\r\n        if ($value -gt [int]::MaxValue) {\r\n            $TimeoutInMinutes = [int]::MaxValue\r\n        }\r\n        elseif ($value -lt 1) {\r\n            Write-Host \"[Error] The Timeout In Minutes value ($env:timeoutInMinutes) is less than 1. Must be a positive integer and greater than 0.\"\r\n            exit 1\r\n        }\r\n        else {\r\n            $TimeoutInMinutes = $value\r\n        }\r\n        \r\n    }\r\n    if ($env:forceStopOnTimeout -like \"true\") {\r\n        $ForceStopOnTimeout = $true\r\n    }\r\n    if (\"$env:wysiwygCustomFieldName\".Trim()) {\r\n        $WysiwygCustomFieldName = \"$env:wysiwygCustomFieldName\".Trim()\r\n    }\r\n\r\n    if ($TimeoutInMinutes -gt 2880) {\r\n        Write-Host \"[Error] The timeout ($TimeoutInMinutes) exceeds 2880 minutes. 
The scan will not be performed.\"\r\n        exit 1\r\n    }\r\n    if ($TimeoutInMinutes -gt 240) {\r\n        Write-Host \"[Warn] The timeout ($TimeoutInMinutes) exceeds 240 minutes.\" -NoNewline\r\n        if ($env:wysiwygCustomFieldName) {\r\n            Write-Host \" The scan results may not be saved to the WYSIWYG custom field when the timeout exceeds 240 minutes.\" -NoNewline\r\n        }\r\n        Write-Host \" Scan results may not be returned to the Activity Feed.\"\r\n        Write-Host \"[Info] The scan will still be performed.\"\r\n    }\r\n\r\n}\r\nprocess {\r\n\r\n    # Set the default scan type\r\n    if (-not $ScanType) {\r\n        $ScanType = \"Quick\"\r\n    }\r\n\r\n    # If the scan type is Custom, the path to scan is required\r\n    if ($ScanType -like \"Custom\" -and -not $PathToScan) {\r\n        Write-Host \"[Error] The path to scan is required when the scan type is Custom.\"\r\n        exit 1\r\n    }\r\n\r\n    # Set the default timeout\r\n    if (-not $TimeoutInMinutes) {\r\n        $TimeoutInMinutes = 120\r\n    }\r\n\r\n    Write-Host \"[Info] Starting Windows Defender scan:\"\r\n    if ($ScanType -like \"Custom\") {\r\n        Write-Host \"[Info] $ScanType selected, will scan the path provided($PathToScan), and will timeout in $TimeoutInMinutes minutes.\"\r\n    }\r\n    else {\r\n        Write-Host \"[Info] $ScanType selected, will scan the system drive($env:SystemDrive), and will timeout in $TimeoutInMinutes minutes.\"\r\n    }\r\n\r\n    # Initialize variables to track the scan status\r\n    $ScanFailedToRun = $false\r\n    $ScanFailedToRunMessage = \"\"\r\n\r\n    # Start the scan, wait for it to complete, and get the scan job\r\n    try {\r\n        # Start the scan job\r\n        if ($ScanType -like \"Custom\") {\r\n            # Start a custom scan with the specified path\r\n            Write-Host \"[Info] Starting job for a $ScanType scan on $PathToScan.\"\r\n            $Job = Start-MpScan -ScanType \"$($ScanType)Scan\" 
-ScanPath $PathToScan -AsJob | Wait-Job -Timeout $($TimeoutInMinutes * 60)\r\n            Write-Host \"[Info] Job completed.\"\r\n        }\r\n        else {\r\n            # Start the scan without a specified path\r\n            Write-Host \"[Info] Starting job for a $ScanType scan on the system drive.\"\r\n            $Job = Start-MpScan -ScanType \"$($ScanType)Scan\" -AsJob | Wait-Job -Timeout $($TimeoutInMinutes * 60)\r\n            Write-Host \"[Info] Job completed.\"\r\n        }\r\n    }\r\n    catch {\r\n        Write-Host \"[Error] Failed to start the scan.\"\r\n        Write-Host \"[Error] $($_.Exception.Message)\"\r\n        # Set the scan status to failed and save the error message\r\n        $ScanFailedToRunMessage = $_.Exception.Message\r\n        $ScanFailedToRun = $true\r\n    }\r\n\r\n    if ($Job.Finished) {\r\n        $ScanTimedOut = $false\r\n    }\r\n    else {\r\n        $ScanTimedOut = $true\r\n        # Stop the scan if it exceeds the timeout, but only if the scan did not fail to run\r\n        if ($ForceStopOnTimeout -and $ScanFailedToRun -eq $false) {\r\n            Write-Host \"[Error] Scan exceeded the timeout of $TimeoutInMinutes minutes. 
Stopping the scan.\"\r\n            &amp; \"$env:ProgramFiles\\Windows Defender\\MpCmdRun.exe\" -Scan -Cancel 2&gt;&amp;1 | Out-Null\r\n        }\r\n    }\r\n\r\n    # Initialize variables to track the scan status\r\n    $ErrorScanning = $false\r\n    $ErrorSaving = $false\r\n\r\n    # Check the scan status\r\n    switch ($Job.State) {\r\n        \"Completed\" { Write-Host \"[Info] Scan completed successfully.\" }\r\n        \"Failed\" { Write-Host \"[Error] Scan failed.\" ; $ErrorScanning = $true }\r\n        \"Stopped\" { Write-Host \"[Info] Scan stopped.\" }\r\n        Default { Write-Host \"[Error] Scan did not complete.\" }\r\n    }\r\n\r\n    # Get the scan results\r\n    $ScanResults = if ($ScanTimedOut) {\r\n        Write-Output \"Scan exceeded the timeout of $TimeoutInMinutes minutes.\"\r\n\r\n        Write-Host \"[Error] Scan exceeded the timeout of $TimeoutInMinutes minutes.\"\r\n    }\r\n    elseif ($ErrorScanning) {\r\n        Write-Output \"Scan failed.\"\r\n\r\n        Write-Host \"[Error] Scan failed.\"\r\n    }\r\n    elseif ($ScanFailedToRun) {\r\n        Write-Output \"Failed to start the scan. Reason: $ScanFailedToRunMessage\"\r\n\r\n        Write-Host \"[Error] Failed to start the scan. 
Reason: $ScanFailedToRunMessage\"\r\n    }\r\n    else {\r\n\r\n        # Wait for more events to be logged\r\n        Start-Sleep -Seconds 60\r\n\r\n        $Results = Get-DetectedThreats | ForEach-Object {\r\n            [PSCustomObject]@{\r\n                Name          = $_.Name\r\n                Action        = $_.Action\r\n                Path          = $_.Path -join [System.Environment]::NewLine # Join paths with a newline character\r\n                Time          = $_.Time\r\n                SHA1          = $_.SHA1\r\n                SHA256        = $_.SHA256\r\n                \"Virus Total\" = $_.Link\r\n            }\r\n        }\r\n        if ($Results) {\r\n            Write-Output $Results\r\n        }\r\n        else {\r\n            Write-Output \"No threats detected from latest scan.\"\r\n\r\n            Write-Host \"[Info] No threats detected from latest scan.\"\r\n        }\r\n    }\r\n\r\n    # Save the scan results to a Wysiwyg custom field\r\n    if ($WysiwygCustomFieldName) {\r\n        # Save the scan results to the Wysiwyg custom field\r\n        try {\r\n            Write-Host \"[Info] Attempting to set Custom Field '$WysiwygCustomFieldName'.\"\r\n            if ($ScanResults -is [String]) {\r\n                Set-CustomField -Name $WysiwygCustomFieldName -Value $ScanResults -Type \"WYSIWYG\"\r\n            }\r\n            else {\r\n                # Convert the scan results to HTML and set the custom field\r\n                $HtmlTable = ConvertTo-HtmlTable -Objects $(\r\n                    $ScanResults | Select-Object Name, Action, @{\r\n                        # Convert list of paths to an HTML table\r\n                        Name       = \"Path\"\r\n                        Expression = { $_.Path -split [System.Environment]::NewLine -join \"&lt;br&gt;\" }\r\n                    }, Time, @{\r\n                        Name       = \"SHA1\"\r\n                        Expression = {\r\n                            if ($_.\"Virus 
Total\") {\r\n                                # Create a link to VirusTotal for SHA1\r\n                                \"&lt;a href='$($_.\"Virus Total\")' target='_blank' rel='nofollow noopener noreferrer'&gt;$($_.SHA1)&amp;nbsp;&amp;nbsp;&lt;i class='fas fa-arrow-up-right-from-square'&gt;&lt;\/i&gt;&lt;\/a&gt;\"\r\n                            }\r\n                            else { \"Unavailable\" }\r\n                        }\r\n                    }, SHA256\r\n                )\r\n                # Add icons to the table headers and set widths\r\n                $HtmlTable = $HtmlTable -replace '&lt;th&gt;Name', \"&lt;th style='width: 10em'&gt;&lt;i class='fa-solid fa-file'&gt;&lt;\/i&gt;&amp;nbsp;&amp;nbsp;Name\"\r\n                $HtmlTable = $HtmlTable -replace '&lt;th&gt;Path', \"&lt;th style='width: 20em'&gt;&lt;i class='fa-solid fa-folder'&gt;&lt;\/i&gt;&amp;nbsp;&amp;nbsp;Path\"\r\n                $HtmlTable = $HtmlTable -replace '&lt;th&gt;Time', \"&lt;th style='width: 19em'&gt;&lt;i class='fa-solid fa-clock'&gt;&lt;\/i&gt;&amp;nbsp;&amp;nbsp;Time\"\r\n                $HtmlTable = $HtmlTable -replace '&lt;th&gt;Action', \"&lt;th style='width: 7em'&gt;&lt;i class='fa-solid fa-shield-virus'&gt;&lt;\/i&gt;&amp;nbsp;&amp;nbsp;Action\"\r\n                $HtmlTable = $HtmlTable -replace '&lt;th&gt;SHA1', \"&lt;th style='width: 19em'&gt;SHA1&amp;nbsp;&amp;nbsp;&lt;i class='fa-solid fa-arrow-up-right-from-square'&gt;&lt;\/i&gt;\"\r\n                $HtmlTable = $HtmlTable -replace '&lt;th&gt;SHA256', \"&lt;th style='width: 19em'&gt;SHA256\"\r\n                $HtmlTable = $HtmlTable -replace \"&lt;table&gt;\", \"&lt;table style='white-space:nowrap;'&gt;\"\r\n\r\n                # Add a card wrapper around the HTML table\r\n                $HtmlTable = \"&lt;div class='card flex-grow-1'&gt;\r\n    &lt;div class='card-title-box'&gt;\r\n        &lt;div class='card-title'&gt;&lt;i class='fa-solid fa-book'&gt;&lt;\/i&gt;&amp;nbsp;&amp;nbsp;Windows Defender Scan 
Results&lt;\/div&gt;\r\n    &lt;\/div&gt;\r\n    &lt;div class='card-body' style='white-space: nowrap'&gt;\r\n        $HtmlTable\r\n    &lt;\/div&gt;\r\n&lt;\/div&gt;\"\r\n                Set-CustomField -Name $WysiwygCustomFieldName -Value $HtmlTable -Type \"WYSIWYG\" -Piped\r\n            }\r\n            Write-Host \"[Info] Successfully set Custom Field '$WysiwygCustomFieldName'!\"\r\n        }\r\n        catch {\r\n            Write-Host \"[Error] $($_.Exception.Message)\"\r\n            $ErrorSaving = $true\r\n        }\r\n    }\r\n\r\n    if ($Results) {\r\n        Write-Host \"[Info] Scan results:\"\r\n        Write-Host \"\"\r\n        \"$($Results | Select-Object -Property Name, Action, Path, Time, SHA1, SHA256 | Format-List | Out-String -Width 4000)\".Trim() | Write-Host\r\n        Write-Host \"\"\r\n    }\r\n\r\n    # Exit with an error code if there was an error scanning or the scan timed out\r\n    if ($ErrorScanning -or $ScanTimedOut -or $ScanFailedToRun -or $ErrorSaving) {\r\n        exit 1\r\n    }\r\n    else {\r\n        exit 0\r\n    }\r\n}\r\nend {\r\n    \r\n    \r\n    \r\n}<\/pre>\n<p>&nbsp;<\/p>\n\n<h2>Detailed description<\/h2>\n<p>The script is structured as modular functions that carry out a complete scan lifecycle, from initialization to saving the results. Here is how it works:<\/p>\n<h3>Parameter definitions<\/h3>\n<ul>\n<li><strong>ScanType<\/strong>: Accepts \"Quick\", \"Full\", or \"Custom\". The Quick and Full options scan the system drive; the Custom option scans a specific path.<\/li>\n<li><strong>PathToScan<\/strong>: Required if <code>ScanType<\/code> is \"Custom\".<\/li>\n<li><strong>TimeoutInMinutes<\/strong>: Defaults to 120 minutes.
Prevents scans from running indefinitely.<\/li>\n<li><strong>ForceStopOnTimeout<\/strong>: Optional. Forcibly cancels a scan that exceeds the timeout.<\/li>\n<li><strong>WysiwygCustomFieldName<\/strong>: Optional. Saves the scan results to a NinjaOne custom field.<\/li>\n<\/ul>\n<h3>Core functions<\/h3>\n<ol>\n<li><strong><code>Set-CustomField<\/code><\/strong>: Validates and updates NinjaOne custom fields. Particularly useful for documenting scan results in a centralized dashboard.<\/li>\n<li><strong><code>Get-DefenderScanResults<\/code><\/strong>: Parses the Windows event logs for events relevant to threat detection (for example, malware detected, actions taken).<\/li>\n<li><strong><code>Get-DetectedThreats<\/code><\/strong>: Enriches the event data with SHA1\/SHA256 hashes from the Defender logs and includes VirusTotal links for further investigation.<\/li>\n<li><strong><code>ConvertTo-HtmlTable<\/code><\/strong>: Turns the results into a styled HTML card, well suited to NinjaOne dashboards or reports.<\/li>\n<\/ol>\n<h3>Scan execution logic<\/h3>\n<ul>\n<li>Validates the inputs.<\/li>\n<li>Verifies that Defender is installed, enabled, and running.<\/li>\n<li>Starts the scan using <code>Start-MpScan<\/code> with the selected parameters.<\/li>\n<li>Monitors completion, enforces the timeout rules, and optionally cancels long-running scans.<\/li>\n<li>Collects the threat results, parses them into a readable format, and optionally stores them in NinjaOne.<\/li>\n<\/ul>\n<h2>Potential use cases<\/h2>\n<p><strong>Scenario<\/strong>: An MSP in the healthcare sector managing 300 endpoints wants to ensure that all machines run a weekly malware scan and report the results to its central dashboard.<\/p>\n<p><strong>Solution<\/strong>:<\/p>\n<ul>\n<li>Configure a scheduled task or a NinjaOne automation to run this script every Friday evening.<\/li>\n<li>Specify <code>-ScanType \"Full\"<\/code> and a timeout of 180 minutes.<\/li>\n<li>Use <code>-WysiwygCustomFieldName \"Weekly AV Scan\"<\/code> to save the results to the NinjaOne asset record.<\/li>\n<\/ul>\n<p>Result: The MSP gains full visibility into the antivirus status of every machine without manual checks, allowing it to respond quickly when malware is detected.<\/p>\n<h2>Comparisons<\/h2>\n<h3>Scripted Defender scan vs. manual scan with the GUI<\/h3>\n<table>\n<tbody>\n<tr>\n<td><strong>Feature<\/strong><\/td>\n<td><strong>PowerShell script<\/strong><\/td>\n<td><strong>Manual GUI<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Scalability<\/td>\n<td>High<\/td>\n<td>Low<\/td>\n<\/tr>\n<tr>\n<td>Automation<\/td>\n<td>Yes<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Logging<\/td>\n<td>Detailed<\/td>\n<td>Minimal<\/td>\n<\/tr>\n<tr>\n<td>Integration<\/td>\n<td>NinjaOne custom fields<\/td>\n<td>None<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Scheduled scan via script vs. Group Policy<\/h3>\n<ul>\n<li><strong>Group Policy<\/strong> is effective for broad policies,
but it does not provide real-time reporting or granular control.<\/li>\n<li><strong>This script<\/strong> offers dynamic control, an execution timeout, and actionable feedback.<\/li>\n<\/ul>\n<h2>Frequently asked questions<\/h2>\n<p><strong>Q1: What happens if Defender is not installed or not running?<\/strong><br \/>\nThe script checks that Defender is available and exits with an error message if it is missing or disabled.<\/p>\n<p><strong>Q2: Can I run it on a Windows server?<\/strong><br \/>\nYes, it supports Windows Server 2016 and later.<\/p>\n<p><strong>Q3: What happens if the scan exceeds the timeout?<\/strong><br \/>\nYou can enable the <code>-ForceStopOnTimeout<\/code> option to forcibly cancel the scan. A message will also be logged.<\/p>\n<p><strong>Q4: Is NinjaOne required?<\/strong><br \/>\nThe scan runs without NinjaOne.
However, saving the results to custom fields requires a NinjaOne integration.<\/p>\n<p><strong>Q5: How can I make sure the scan results are captured accurately?<\/strong><br \/>\nThe script includes a <code>Start-Sleep -Seconds 60<\/code> to give Defender time to log the events before collecting them.<\/p>\n<h2>Implications<\/h2>\n<p>Running this script regularly lets IT administrators maintain a high level of security, detect dormant threats, and ensure compliance. By feeding the scan results into dashboards, it promotes transparency and accountability. It also helps reduce risk by providing traceability of the threats detected, the actions taken, and the hash-level details useful for threat hunting.<\/p>\n<h2>Recommendations<\/h2>\n<ul>\n<li><strong>Run it with elevated permissions<\/strong> so that Defender can operate fully.<\/li>\n<li><strong>Schedule scans outside business hours<\/strong> to reduce disruption for end users.<\/li>\n<li><strong>Use custom scan types<\/strong> for high-risk directories (for example, the Downloads folder).<\/li>\n<li><strong>Limit timeouts<\/strong> to realistic durations (under 240 minutes) to get reliable reports.<\/li>\n<li><strong>Combine with email alerts<\/strong> or ticketing automation for detected threats.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Automating
<a href=\"https:\/\/www.ninjaone.com\/blog\/how-to-schedule-a-windows-defender-scan\/\">Windows Defender scans<\/a> with PowerShell is a practical step toward proactive cybersecurity management. This script illustrates how combining native Windows tools with smart scripting can create scalable, transparent, and secure workflows.<\/p>\n<p>For NinjaOne users, this script becomes even more powerful. By feeding scan results directly into WYSIWYG custom fields, IT professionals gain centralized visibility, which lets them make faster decisions and improve endpoint hygiene. Whether you are an enterprise IT manager or an MSP technician, this solution adds measurable value to your security
strategy.<\/p>\n","protected":false,"author":35,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_lmt_disableupdate":"no","_lmt_disable":""},"operating_system":[4212],"use_cases":[4281],"class_list":["post-534768","script_hub","type-script_hub","status-publish","hentry","script_hub_category-windows","use_cases-configuration-generale"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/script_hub\/534768","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/script_hub"}],"about":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/types\/script_hub"}],"author":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/comments?post=534768"}],"wp:attachment":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/media?parent=534768"}],"wp:term":[{"taxonomy":"script_hub_category","embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/operating_system?post=534768"},{"taxonomy":"use_cases","embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/use_cases?post=534768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}