MpEnum - dump all threat families from Windows Defender

Forum for announcements and questions about tools and software.
EP_X0FF
Global Moderator
Posts: 4812
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

MpEnum - dump all threat families from Windows Defender

Post by EP_X0FF » Mon Aug 06, 2018 4:02 pm

https://github.com/hfiref0x/MpEnum

What it can do: enumerate all "bad" threats (families) from the AV DB, list them by category (> 50 categories) and save each category's family list to a file.
What it can't do: enumerate the actual definitions in each family. As you understand, this is outside my interest.

Compiled binary included.

Mainly created when I was forced to bypass an idiotic detection from Windows Defender on the newest insider build.

Full categorized dump for WD AV Signature DB version 1.273.443.0

https://github.com/hfiref0x/MpEnum/tree/master/Dump

P.S.
There is a PowerShell command, https://technet.microsoft.com/en-us/lib ... .630).aspx, which can also enumerate the AV DB; however, its output is messed up, as it seemingly doesn't take MPTHREAT_CATEGORY into account in its output.
Ring0 - the source of inspiration
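As an added example, not code from the thread or from the MpEnum project: the per-category grouping the post says the stock cmdlet output lacks can be recovered in PowerShell by grouping the catalog on CategoryID and writing one family list per category. It assumes the cmdlet referred to above is the Defender module's Get-MpThreatCatalog, and that its entries expose ThreatName and CategoryID.

```powershell
# Added example (not from the thread or MpEnum): dump Defender's threat
# catalog grouped by category ID, one family list per file.
# Assumption: the Defender module's Get-MpThreatCatalog cmdlet is available
# and each entry carries ThreatID, ThreatName, CategoryID and SeverityID.
param(
    [string]$OutDir = (Join-Path $PWD 'ThreatCatalogDump')
)

# Defender names threats as "Type:Platform/Family.Variant!Tag"; keeping the
# part before the first '.' or '!' collapses variants into their family.
function Get-FamilyName([string]$ThreatName) {
    return ($ThreatName -split '[.!]')[0]
}

# Pull the whole catalog once (it is large and the call can take a while).
$catalog = Get-MpThreatCatalog

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Group on the numeric category ID, the field the post says is missing
# from the plain cmdlet output, and sort the groups numerically.
$groups = $catalog | Group-Object -Property CategoryID |
    Sort-Object { [int]$_.Name }

foreach ($g in $groups) {
    $families = $g.Group |
        ForEach-Object { Get-FamilyName $_.ThreatName } |
        Sort-Object -Unique
    $file = Join-Path $OutDir ("Category_{0}.txt" -f $g.Name)
    $families | Out-File -FilePath $file -Encoding UTF8
    '{0,6} families in category {1} -> {2}' -f $families.Count, $g.Name, $file
}
```

The category IDs are written as numbers because the page does not give the MPTHREAT_CATEGORY name mapping; the MpEnum dump linked above is the place to look up which ID is which.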

_glmcdona
Posts: 10
Joined: Wed Apr 03, 2013 4:59 am

Re: MpEnum - dump all threat families from Windows Defender

Post by _glmcdona » Fri Aug 24, 2018 3:38 am

Cool tool! What was the idiotic detection name you were bypassing EP_X0FF? Will look into it. What was the FP on?

EP_X0FF
Global Moderator
Posts: 4812
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: MpEnum - dump all threat families from Windows Defender

Post by EP_X0FF » Fri Aug 24, 2018 5:49 am

Windows Defender has a pure love for my WinObjEx64. MS's schizophrenic automation sometimes casts various idiotic nonsense detections on it, because I use HDE/LDASM etc.
Ring0 - the source of inspiration
