Can I use MSE/WD with Command Prompt? – Part 1


Many people ask, “Can MSE/WD be used with Command Prompt?” The answer is ‘Yes’. But do we really need it? Well, the answer again is ‘Yes’. It is reasonable because in many cases the MSE/WD GUI (the interface you see) is not accessible, is corrupted or is not functioning well (because of malware attacks, incorrect installation, etc.); in these cases you can use MSE/WD from Command Prompt to get some details about the error.

Now, before we jump into all that command stuff, we need to know some terminology and technologies so that the commands are easy to understand. So here we go:

1. What are definitions and signatures?
An easy explanation: a signature is something that is unique to a malware (or to multiple malwares) and can be used to identify it/them; compare it with fingerprints for humans. Definitions are files that consist of signatures along with other information. When you update your antivirus you basically download these definitions. Say your PC was last updated on 31st Sept. (hypothetical date, <wink>); then it would not be able to detect malwares released in Oct. Thus, you should update your antivirus regularly.

2. What is MAPS and Dynamic Signature?
Suppose a process has some evil intentions and tries to invade your sensitive Operating System files and registry. MSE/WD, with its heuristic detections (a certain set of rules to identify evil processes as suspects, even though they are not yet identified as malware), will detect, “Hmmm, this process doesn’t seem to be a decent one, let’s open its history and geography”. At that point, MSE/WD contacts MAPS (Microsoft Active Protection Service) and asks it, “Hey buddy, have you seen this particular process before?”. Now hold on a second, what is MAPS? Actually, MAPS is a service of Microsoft where suspicious programs (which are yet to be identified as malware) are reported, and a member of MAPS gets protection from those yet-to-be-identified evils. So, continuing, if MAPS has identified that particular program or process as ‘suspicious’ then it creates a ‘Dynamic’ signature (well, you now know what a signature is) which contains instructions to remove, restrict or quarantine that process/program. Therefore, MAPS is also known as the Dynamic Signature Service.

Now it’s time for the commands in MpCmdRun.exe. MpCmdRun basically has 11 commands:

  1. -Scan
  2. -Trace
  3. -GetFiles
  4. -RemoveDefinitions
  5. -SignatureUpdate
  6. -Restore
  7. -AddDynamicSignature
  8. -ListAllDynamicSignature
  9. -RemoveDynamicSignature
  10. -EnableIntegrityService
  11. -SubmitSample

Now, I’ll explain each of them.

1. -Scan
As the name suggests, it is used to scan a file/folder.
Usage: mpcmdrun.exe -scan -scantype X -path <path> -disableremediation

-scantype defines which type of scan you want: quick scan, full scan or custom scan. ‘X’ is a number ranging from 0 to 3. All options are explained below:

  • 0 – Default Scan.
    Now, explaining this is really a big topic; a whole separate blog will be based on it. All I can say right now is that ‘Default scan’ is by default Full Scan for MSE and Quick Scan for Windows Defender in Windows 8. It can’t be changed using the GUI, but it can be changed using a complex process.
  • 1 – Quick Scan.
    Quick-scans your PC.
    * I have seen many people who think Quick Scan scans the whole PC for severe threats only and does not scan for minor threats, thereby reducing scan time (and I was one of them). Instead, Quick Scan scans the PC’s critical areas (like critical Windows files, registry, etc.) for all known threats (whether severe or minor) and thereby reduces scan time.
  • 2 – Full Scan.
    Scans your whole PC.
    * In my opinion, a full scan is only needed when a quick scan detects something. OK, you would say: what if a malware is hidden in my documents on the D: drive? I would say that until and unless Quick Scan finds it, you can consider that malware inactive (as Quick Scan scans the areas that a malware affects). If it’s inactive (e.g. when it’s in a compressed file) then you have no threat from it. Whenever you reach that file (or unzip a file containing malware), MSE/WD’s Real Time Protection will detect the malware and take the necessary action. So there is no need for a Full Scan. However, I recommend one Full Scan after installing the antivirus and one each month or every two months.
  • 3 – Custom Scan.
    Scans only the file/folder you define in <path>.

-file defines the path for a custom scan; therefore it is needed with -scantype 3.

-disableremediation is a catch-everything-do-nothing kind of option. With this option (available with Custom Scan, i.e. -scantype 3, only) the scan will not leave out even excluded files. It will scan archive files (files inside archives), ignore exclusions set by you, write no event entries in Event Manager (007 kind of thing, huh?) and (as the name says) take no action on any malware found.

Some examples:

  • For a normal Full Scan:
    mpcmdrun.exe -scan -scantype 2
  • For a Custom Scan of the C:\Windows folder:
    mpcmdrun.exe -scan -scantype 3 -path C:\Windows
    [you need to enclose <path> in quotes if the path contains a blank space, like "C:\Program Files"]
  • For a Custom Scan of ‘E:\Test Folder’ without removing any malware found:
    mpcmdrun.exe -scan -scantype 3 -path "E:\Test Folder" -disableremediation
    [notice the quotes around the path]

A better example to show what difference -disableremediation makes:
I downloaded EICAR test virus and placed it in folder ‘E:\New Folder’. I excluded ‘E:\New Folder’ in Windows Defender settings.
[Screenshot: ‘E:\New Folder’ added to the exclusions in Windows Defender settings]

After this, I scanned the folder twice, once without -disableremediation and once with it. See the results yourself:

[Screenshot: output of both mpcmdrun.exe scans]

As you can clearly see, the first scan doesn’t find anything (the folder is excluded), but with that argument it finds one threat (the EICAR test virus).
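To make the same experiment repeatable, here is an added Python wrapper (not code from the post) that builds and runs the custom-scan command line described above and scans a folder once normally and once with -DisableRemediation. It assumes the two usual install paths of MpCmdRun.exe for MSE and Windows Defender, spells the path switch -File as in the post’s description of the custom-scan switch (the post’s own examples write -path), and treats any non-zero exit code as “check MpCmdRun.log”, since the post gives no exit codes.

```python
import os
import subprocess

# Install locations of MpCmdRun.exe for MSE and for Windows Defender (assumed;
# the post only names the ProgramData\...\Support folder that holds the logs).
MPCMDRUN_CANDIDATES = [
    r"C:\Program Files\Microsoft Security Client\MpCmdRun.exe",
    r"C:\Program Files\Windows Defender\MpCmdRun.exe",
]


def find_mpcmdrun():
    """Return the first MpCmdRun.exe that exists on this machine."""
    for candidate in MPCMDRUN_CANDIDATES:
        if os.path.exists(candidate):
            return candidate
    raise FileNotFoundError("MpCmdRun.exe not found in the expected locations")


def build_scan_command(exe, scantype, path=None, disable_remediation=False):
    """Build argv for 'mpcmdrun.exe -Scan' following the rules in the post:
    -ScanType is 0 (default), 1 (quick), 2 (full) or 3 (custom); a path is
    needed only for a custom scan, and -DisableRemediation works with it only."""
    if scantype not in (0, 1, 2, 3):
        raise ValueError("scantype must be 0, 1, 2 or 3")
    if scantype == 3 and not path:
        raise ValueError("a custom scan needs the file or folder to scan")
    if scantype != 3 and (path or disable_remediation):
        raise ValueError("the path and -DisableRemediation apply to custom scans only")
    argv = [exe, "-Scan", "-ScanType", str(scantype)]
    if scantype == 3:
        # Passing the path as its own argv element quotes it for you, so a
        # blank in the path (e.g. E:\Test Folder) needs no hand-written quotes.
        argv += ["-File", path]
        if disable_remediation:
            argv.append("-DisableRemediation")
    return argv


def run_scan(exe, scantype, path=None, disable_remediation=False):
    """Run the scan and return MpCmdRun's exit code (0 = completed with nothing
    found; any other value should be checked against MpCmdRun.log in Support)."""
    return subprocess.call(build_scan_command(exe, scantype, path, disable_remediation))


def compare_exclusion(exe, folder):
    """Repeat the post's experiment on an excluded folder: scan it normally,
    then with -DisableRemediation, and return both exit codes for comparison."""
    plain = run_scan(exe, 3, folder)
    no_remediation = run_scan(exe, 3, folder, disable_remediation=True)
    return plain, no_remediation
```

Call `compare_exclusion(find_mpcmdrun(), r"E:\New Folder")` from an elevated prompt on the machine where the exclusion is set; the first code reflects the excluded scan, the second the scan that ignores exclusions.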

2. -Trace

I’ll not discuss this command much because it’s of no use for us. When you type ‘mpcmdrun.exe -trace’ and hit Enter you will see a screen with a message like “Tracing started. Press any key to stop…”, and when you press any key it will stop. After running this command, open C:\ProgramData\Microsoft\Microsoft Security Client (or Windows Defender)\Support and you will see a file like MPTrace-XXXXXXXX-XXXXXX.bin (where the ‘X’s are digits). This is the ‘trace’, i.e. a record of every activity Windows Defender performed between when you pressed Enter (after entering the mpcmdrun.exe -trace command) and when you pressed a key to stop tracing. It’s a pretty large file and is of no use for us. Actually, this file can’t be decoded (read) unless you have some special files which only Microsoft has and doesn’t distribute. So it is used only when Microsoft asks for the trace file in paid support, etc.

3. -GetFiles

Now this is the most important feature of mpcmdrun.exe, in my view. It gathers all log files related to MSE/WD, packs them in an archive and places it in C:\ProgramData\Microsoft\Microsoft Security Client (or Windows Defender)\Support with the file name MPSupportFiles.cab. The following log files are collected:

  1. Traces of MS Antimalware service.
    Files in this category are numerous. Some are files with names like MpWppTracing-XXXXXXX…..bin and are as useless as the -trace output. Some are MpCmdRun.log, MpCmdRun-System.log and MpCmdRun-NetworkService.log. Some are MpLogXXXX….log. Some are MpCacheStats.log. This means almost anything that logs the MS Antimalware service is listed here.
  2. Windows Update history.
    Saved with name WindowsUpdate.log.
  3. MS Antimalware service events.
    Saved with name MPWHCEvents.txt and MPOperationalEvents.txt.
  4. MS Antimalware registry entries.
    Saved with name MPRegistry.txt and WSCInfo.txt.
  5. Log file of tool gathering all information.
    Saved with name cbs.log.
  6. Log of signature update helper tool (MpSigStub.exe).
    Saved with name MpSigStub.log.

Now this is actually more than enough for now. Explanations of the other commands and some more secrets are about to be revealed in my next blog.

Till then, I would request you to please provide feedback on this first part, so please comment your views on it. If you have anything to ask, then don’t hesitate. Anything about this blog will be helpful.


7 thoughts on “Can I use MSE/WD with Command Prompt? – Part 1”

  1. Thanks for nice post.

    I have a problem with one machine running an unscheduled scan per day. It’s using the same policy as a hundred other machines, so I can’t find where I should look to troubleshoot why it’s running the scan every day. Our policy says the scan should run every Friday.

    • Hi capricorn,

      Thanks for rating my post nice. About your problem, sorry, I can’t help until I have some more details. I would recommend you create a new question in the Virus & Malware forum in Microsoft Community (http://answers.microsoft.com/en-us/protect/forum). Please include as much information as possible. You may want to reply with a link to your question to ensure I see your thread.

      The other option is that we can communicate via mail. But I would recommend you go with the first option, as other experienced users of the forum will also help you.

  2. Thanks for your reply.
    I will create a question in the forum.
    The details related to that machine are that we are using SCCM 2012 and System Center Endpoint Protection 2012, and we have an antivirus policy which says that it should run the scan on Friday, and if the computer misses that day’s scan it should do it anytime after that when it’s powered on. Now one machine is running the daily scan, which is not right. The right policy is applied on that machine and everything looks fine.
    I was troubleshooting this via mpcmdrun.exe and checking the logs, but didn’t find any entry giving the reason why the scan runs every day on that one computer.
    Not much information about this on Google.
    I saw your post and thought to check with you if it’s possible to see why the computer is scanning daily, or any log entry telling why the scan kicks off.

    Thanks,

    • Hi capricorn,
      I can see that that thread is pretty old. Please start your own new thread in order to get the best assistance. In addition, I would admit that I am an expert in Consumer products only. Although Enterprise and Consumer products look pretty similar, they have some differences, and your problem falls in one of them. So I can’t help you with your problem. All I can do is redirect you to a suitable forum, and you found it. Thanks for appreciating my post, but that’s all I can do.

      All the best! :-)

  3. Thanks
