Current File : C:/Program Files/Windows Defender/en-US/ProtectionManagement.mfl

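// Localized (amended) MOF text for the Defender WMI provider classes.
// The stray replacement characters that preceded the first pragma were
// byte-order-mark residue from the listing and are not part of the MOF syntax.

// Ask the MOF compiler to record this file for repository auto-recovery.
#pragma autorecover

// Work in the provider's namespace first ...
#pragma namespace("\\\\.\\root\\Microsoft\\Windows\\Defender")

// ... create the MS_409 child namespace (the LOCALE("MS_409") qualifiers on the
// classes that follow refer to the same locale id) ...
instance of __namespace{ name="MS_409";};

// ... and switch into it so the amended class text below is stored there.
#pragma namespace("\\\\.\\root\\Microsoft\\Windows\\Defender\\MS_409")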



// Amended (localized) declaration of BaseStatus. In this file it carries only
// the Description qualifier; no properties or methods are declared here.
[Description("This is an abstract class that shows the base status.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class BaseStatus

{

};



// Amended (localized) descriptions for MSFT_MpComputerStatus, which derives from
// BaseStatus. The properties report product/service/engine versions, signature
// versions and ages, last scan times, and which protection components are on.
// NOTE(review): the class-level Description below is word-for-word the BaseStatus
// text - looks copied; confirm against the language-neutral MOF.
[Description("This is an abstract class that shows the base status.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpComputerStatus : BaseStatus

{

  // Key property of the class.
  [Description("Computer ID created by MAPS") : Amended ToSubclass,key] string ComputerID;

  // BitValues supplies flag names only; the bit positions they map to are not
  // visible in this amended file.
  [Description("The current computer state") : Amended ToSubclass,BitValues{"CleanState", "PendingFullScan", "PendingReboot", "PendingManualSteps", "PendingOfflineScan", "CriticalFailure"} : Amended ToSubclass] uint32 ComputerState;

  [Description("Product version (major, minor, build, revision)") : Amended ToSubclass] string AMProductVersion;

  [Description("Service version (major, minor, build, revision)") : Amended ToSubclass] string AMServiceVersion;

  // Signature version / age / last-updated triples follow for antispyware,
  // antivirus and NIS. Per the descriptions, an age of 65535 days means "never
  // updated" and the matching *LastUpdated value is null; health checks should
  // treat that sentinel as missing data rather than as a real age.
  [Description("The Antispyware Signature version (major, minor, build, revision)") : Amended ToSubclass] string AntispywareSignatureVersion;

  [Description("Antispyware Signature age in days - if signatures have never been updated you will see an age of 65535 days") : Amended ToSubclass] uint32 AntispywareSignatureAge;

  [Description("Antispyware Last updated local time. If this has never updated you will see a null value in this property") : Amended ToSubclass] datetime AntispywareSignatureLastUpdated;

  [Description("The Antivirus Signature version (major, minor, build, revision)") : Amended ToSubclass] string AntivirusSignatureVersion;

  [Description("Antivirus Signature age in days- if signatures have never been updated you will see an age of 65535 days") : Amended ToSubclass] uint32 AntivirusSignatureAge;

  [Description("Antivirus Last updated local time - If this has never updated you will see a null value in this property") : Amended ToSubclass] datetime AntivirusSignatureLastUpdated;

  // NOTE(review): the descriptions say "NRI" while the properties are named
  // NIS* - presumably the same component; confirm.
  [Description("The NRI Signature version (major, minor, build, revision)") : Amended ToSubclass] string NISSignatureVersion;

  [Description("NRI Signature age in days- if signatures have never been updated you will see an age of 65535 days") : Amended ToSubclass] uint32 NISSignatureAge;

  [Description("NRI Last updated local time - If this has never updated you will see a null value in this property") : Amended ToSubclass] datetime NISSignatureLastUpdated;

  // Full-scan history. Start/end times are null when no value was ever recorded.
  [Description("Time of last Full Scan start - If this has never updated you will see a null value in this property") : Amended ToSubclass] datetime FullScanStartTime;

  [Description("Time of last Full Scan end - If this has never updated you will see a null value in this property") : Amended ToSubclass] datetime FullScanEndTime;

  // NOTE(review): this is a scan age, yet the description's sentinel clause talks
  // about signatures never being updated - likely copy/paste wording.
  [Description("Last full scan age in days- if signatures have never been updated you will see an age of 65535 days") : Amended ToSubclass] uint32 FullScanAge;

  [Description("Last scan source") : Amended ToSubclass,Values{"Unknown", "User", "System", "Real-time", "IOAV"} : Amended ToSubclass] uint8 LastFullScanSource;

  // NOTE(review): "Outcoming" is the display string as shipped (presumably
  // "Outgoing"); it is runtime text and is left unchanged.
  [Description("Real-time scan direction enumeration") : Amended ToSubclass,Values{"Both", "Incoming", "Outcoming"} : Amended ToSubclass] uint8 RealTimeScanDirection;

  // Quick-scan history, same conventions as the full-scan properties above.
  [Description("Time of last Quick Scan start - If this has never updated you will see a null value in this property") : Amended ToSubclass] datetime QuickScanStartTime;

  [Description("Time of last Quick Scan end - If this has never updated you will see a null value in this property") : Amended ToSubclass] datetime QuickScanEndTime;

  [Description("Last quick scan age in days- if signatures have never been updated you will see an age of 65535 days.") : Amended ToSubclass] uint32 QuickScanAge;

  [Description("Last scan source") : Amended ToSubclass,Values{"Unknown", "User", "System", "Real-time", "IOAV"} : Amended ToSubclass] uint8 LastQuickScanSource;

  [Description("The AM Engine version (major, minor, build, revision)") : Amended ToSubclass] string AMEngineVersion;

  // Component on/off state. For posture monitoring, a false value in any of the
  // *Enabled flags below (or in IsTamperProtected) is worth correlating with
  // recent changes to the MSFT_MpPreference settings.
  [Description("If the AM Engine is enabled") : Amended ToSubclass] boolean AMServiceEnabled;

  [Description("Specifies whether the computer is monitoring file and program activity on your computer") : Amended ToSubclass] boolean OnAccessProtectionEnabled;

  [Description("Scan all downloaded files and attachments") : Amended ToSubclass] boolean IoavProtectionEnabled;

  [Description("Specifies whether behavior monitoring is enabled") : Amended ToSubclass] boolean BehaviorMonitorEnabled;

  [Description("Specifies whether Antivirus protection is enabled") : Amended ToSubclass] boolean AntivirusEnabled;

  [Description("Specifies whether Antispyware protection is enabled") : Amended ToSubclass] boolean AntispywareEnabled;

  [Description("Specifies whether the machine is a virtual machine") : Amended ToSubclass] boolean IsVirtualMachine;

  [Description("Specifies whether the machine has tamper protection on") : Amended ToSubclass] boolean IsTamperProtected;

  [Description("Specifies whether real-time protection is enabled") : Amended ToSubclass] boolean RealTimeProtectionEnabled;

  [Description("NRI Engine version (major, minor, build, revision)") : Amended ToSubclass] string NISEngineVersion;

  [Description("If the NRI Engine is enabled") : Amended ToSubclass] boolean NISEnabled;

};



// Amended (localized) descriptions for the event indication class MSFT_MpEvent.
// CategoryDiscriminant (the key) names one of four notification categories; the
// four *NotificationsValue bit fields appear to correspond one-to-one to those
// categories - confirm against the provider documentation.
[Version("1.0") : Amended,Description("Microsoft Defender Antivirus Event Indication Class") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpEvent

{

  [Description("Category of Notification.") : Amended ToSubclass,Values{"ScanStateNotifications", "ThreatStateNotifications", "SignatureStateNotifications", "ComputerStateNotifications"} : Amended ToSubclass,key] uint32 CategoryDiscriminant;

  // BitValues below give flag names only; bit positions are not visible in this
  // amended file.
  [Description("Detailed Scan Notifications.") : Amended ToSubclass,BitValues{"ErrorOccurred", "ScanCompleted"} : Amended ToSubclass] uint32 ScanNotificationsValue;

  [Description("Detailed Threat Notifications.") : Amended ToSubclass,BitValues{"Detected", "Abandoned", "SuccessfulRemediation", "NonCriticalFailure", "CriticalFailure"} : Amended ToSubclass] uint32 ThreatNotificationsValue;

  [Description("Detailed Signature Notifications.") : Amended ToSubclass,BitValues{"SignaturesOutOfDate"} : Amended ToSubclass] uint32 SignatureNotificationsValue;

  [Description("Detailed Computer Notifications.") : Amended ToSubclass,BitValues{"RebootRequired", "FullScanRequired", "OfflineScanRequired", "ManualStepsRequired", "ScansOutOfDate", "ComponentsChanged", "StateRecovered"} : Amended ToSubclass] uint32 ComputerNotificationsValue;

  [Description("Date and time the WMI Event was generated") : Amended ToSubclass] datetime NotificationTime;

  // Per the description, holds the ThreatID when the category is
  // ThreatStateNotifications; no other use is documented here.
  // NOTE(review): the description has typos ("ThreatStateNotificationsthen",
  // "will contains"); it is runtime text and is left unchanged.
  [Description("Additional Data. At the moment, the only use is when the CategoryDiscriminant is equal to ThreatStateNotificationsthen this value will contains the ThreatID") : Amended ToSubclass] uint32 AdditionalData;

};



// Amended (localized) declaration of MSFT_MpHeartBeat. Only the Version and
// Description qualifiers are localized; the class body is empty in this file.
[Version("1.0") : Amended,Description("The Microsoft Defender Antivirus Heart Beat Class") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpHeartBeat

{

};



[Version("1.0") : Amended,Description("Microsoft Defender Antivirus Preferences Class") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpPreference

{

  // Key property, followed by the exclusion settings. Per their descriptions,
  // anything listed in ExclusionPath / ExclusionExtension / ExclusionProcess is
  // not checked by scans, so every entry narrows coverage: keep these lists
  // minimal and audit changes to them.
  [Description("Computer ID created by MAPS") : Amended ToSubclass,key] string ComputerID;

  [Description("Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.") : Amended ToSubclass] boolean DisableAutoExclusions;

  [Description("Allows an administrator to explicitly disable a scan from checking any of the paths listed.") : Amended ToSubclass] string ExclusionPath[];

  [Description("Allows an administrator to explicitly disable a scan from checking any of the extensions listed.") : Amended ToSubclass] string ExclusionExtension[];

  [Description("Allows an administrator to explicitly disable a scan from checking any of the processes listed.") : Amended ToSubclass] string ExclusionProcess[];

  // Quarantine retention, real-time scan direction, remediation-scan schedule and
  // reporting timeouts.
  [Description("Indicates how many days items should kept in Quarantine folder before being removed.") : Amended ToSubclass] uint32 QuarantinePurgeItemsAfterDelay;

  // NOTE(review): "Outcoming" is the display string as shipped (presumably
  // "Outgoing"); it is runtime text and is left unchanged.
  [Description("Real-time scan direction - Enumeration") : Amended ToSubclass,Values{"Both", "Incoming", "Outcoming"} : Amended ToSubclass] uint8 RealTimeScanDirection;

  // Values gives display strings only; the numeric codes they map to are not
  // visible in this amended file.
  [Description("Indicates what day of the week to perform the scheduled full scan to complete remediation.") : Amended ToSubclass,Values{"Every Day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Never"} : Amended ToSubclass] uint8 RemediationScheduleDay;

  [Description("Indicates what time to perform the scheduled full scan to complete remediation.") : Amended ToSubclass] datetime RemediationScheduleTime;

  // NOTE(review): no unit is stated for this timeout; the two sibling timeouts
  // below are documented in minutes - presumably the same, confirm.
  [Description("Configure timeout for detections requiring additional action.") : Amended ToSubclass] uint32 ReportingAdditionalActionTimeOut;

  [Description("Time in minutes for a detection in the 'critically failed' state to move to either 'additional action' or 'cleared' state.") : Amended ToSubclass] uint32 ReportingCriticalFailureTimeOut;

  [Description("Time in minutes for a detection in the 'failed' state to move to the 'cleared' state.") : Amended ToSubclass] uint32 ReportingNonCriticalTimeOut;

  // Scheduled-scan behaviour: CPU ceiling, pre-scan signature check, history
  // retention, idle-only execution, scan type and schedule.
  // Per the description, valid CPU values are 5..100 and 0 means "no throttling".
  [Description("Specify the maximum percentage of CPU utilization during a scan. This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization.") : Amended ToSubclass] uint8 ScanAvgCPULoadFactor;

  [Description("When set, Microsoft Defender Antivirus will check for new signatures before running a scan.  If new signatures are found they will be downloaded and installed before the scan begins.  If no new signatures are found, the scan will start based on the existing signatures.") : Amended ToSubclass] boolean CheckForSignaturesBeforeRunningScan;

  // Per the description, 0 keeps scan-history items forever.
  [Description("Turn on removal of items from scan history folder. This setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed.") : Amended ToSubclass] uint32 ScanPurgeItemsAfterDelay;

  [Description("Run scheduled scans only if system is idle.") : Amended ToSubclass] boolean ScanOnlyIfIdleEnabled;

  [Description("Specify the scan type to use for a scheduled scan.") : Amended ToSubclass,Values{"Quick Scan", "Full Scan"} : Amended ToSubclass] uint8 ScanParameters;

  // The Values list includes "Never"; a schedule set to it presumably disables
  // the scheduled scan - worth flagging in configuration reviews.
  [Description("Specify the day of the week to run a scheduled scan.") : Amended ToSubclass,Values{"Every Day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Never"} : Amended ToSubclass] uint8 ScanScheduleDay;

  [Description("Specify the time of day to run a scheduled quick scan.") : Amended ToSubclass] datetime ScanScheduleQuickScanTime;

  [Description("Specify the time of day to run a scheduled scan.") : Amended ToSubclass] datetime ScanScheduleTime;

  // Security-intelligence (signature) update settings: grace periods, update
  // sources and their order, schedule, catch-up and polling interval.
  [Description("Aborts any service-initiated update immediately after first install by the configured amount of time.") : Amended ToSubclass] uint32 SignatureFirstAuGracePeriod;

  // NOTE(review): the description names "CheckForSignatureBeforeRunningScan",
  // while the property in this class is CheckForSignaturesBeforeRunningScan.
  [Description("Overrides CheckForSignatureBeforeRunningScan.  Aborts any service-initiated update if signature was updated successfully within this amount of time. Time in minutes.") : Amended ToSubclass] uint32 SignatureAuGracePeriod;

  // Pipe-separated UNC shares the client downloads updates from, contacted in
  // the order given; empty by default. NOTE(review): since updates are pulled
  // from these locations, who can write to the shares presumably matters for
  // update integrity - confirm against deployment guidance.
  [Description("Defines the file shares for downloading security intelligence updates. setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: {\\unc1 | \\unc2 }. The list is empty by default.") : Amended ToSubclass] string SignatureDefinitionUpdateFileSharesSources;

  [Description("When set to true, AM Service will not initiate security intelligence update on start-up, regardless of whether an Engine is present or not.") : Amended ToSubclass] boolean SignatureDisableUpdateOnStartupWithoutEngine;

  // Pipe-separated ordering of the four source names listed in the description.
  [Description("Define the order of sources for downloading security intelligence updates. This setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: 'InternalDefinitionUpdateServer'  'MicrosoftUpdateServer'  'MMPC'  'FileShares' ") : Amended ToSubclass] string SignatureFallbackOrder;

  [Description("Indicates the day of the week in which security intelligence updates occur. If set to zero (0x0) then security intelligence update occurs daily.") : Amended ToSubclass,Values{"Every Day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Never"} : Amended ToSubclass] uint8 SignatureScheduleDay;

  [Description("Specifies the time at which security intelligence update check happens. By default the signatures are checked before the scheduled scan.") : Amended ToSubclass] datetime SignatureScheduleTime;

  // NOTE(review): the description refers to SignatureUpdateLastChecked, which is
  // not declared in the visible part of this file.
  [Description("Defines the number of days after which a catch-up signature is warranted. Works with SignatureUpdateLastChecked. 0 = no catch-up;  1 = 1 day;  2 = 2 days, etc.") : Amended ToSubclass] uint32 SignatureUpdateCatchupInterval;

  // Hours between update checks; per the description the valid range is 1..24.
  [Description("The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).") : Amended ToSubclass] uint32 SignatureUpdateInterval;

  // Cloud participation and sample-submission consent. Values gives display
  // strings only; the numeric codes are not visible in this amended file.
  [Description("Join Microsoft MAPS.") : Amended ToSubclass,Values{"Disabled", "Basic", "Advanced"} : Amended ToSubclass] uint8 MAPSReporting;

  [Description("Consent for sample submission.") : Amended ToSubclass,Values{"AlwaysPrompt", "SendSafeSamples", "NeverSend", "SendAllSamples"} : Amended ToSubclass] uint8 SubmitSamplesConsent;

  [Description("Disable the privacy mode.") : Amended ToSubclass] boolean DisablePrivacyMode;

  [Description("This setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.") : Amended ToSubclass] boolean RandomizeScheduleTaskTimes;

  // Protection toggles. Each Disable* boolean below is described as switching a
  // protection component or scan type off, so the secure baseline is presumably
  // false for all of them. Unexpected changes here are a useful tamper signal;
  // compare with IsTamperProtected on MSFT_MpComputerStatus.
  [Description("Disable behavior monitoring.") : Amended ToSubclass] boolean DisableBehaviorMonitoring;

  [Description("Disable intrusion prevention system.") : Amended ToSubclass] boolean DisableIntrusionPreventionSystem;

  [Description("Disable IOAV protection.") : Amended ToSubclass] boolean DisableIOAVProtection;

  [Description("Disable real-time monitoring.") : Amended ToSubclass] boolean DisableRealtimeMonitoring;

  [Description("Disable script scanning.") : Amended ToSubclass] boolean DisableScriptScanning;

  [Description("Disable archive scanning.") : Amended ToSubclass] boolean DisableArchiveScanning;

  [Description("Disable catch-up full scan.  A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.") : Amended ToSubclass] boolean DisableCatchupFullScan;

  [Description("Disable catch-up quick scan.  A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.") : Amended ToSubclass] boolean DisableCatchupQuickScan;

  [Description("Disable email scanning.") : Amended ToSubclass] boolean DisableEmailScanning;

  [Description("Disable removable drive scanning.") : Amended ToSubclass] boolean DisableRemovableDriveScanning;

  [Description("Disables restore point.") : Amended ToSubclass] boolean DisableRestorePoint;

  [Description("Disable running full scan on mapped network drives.") : Amended ToSubclass] boolean DisableScanningMappedNetworkDrivesForFullScan;

  [Description("Disables scanning network files.") : Amended ToSubclass] boolean DisableScanningNetworkFiles;

  [Description("Enable UI Lockdown mode.") : Amended ToSubclass] boolean UILockdown;

  // Per-threat and per-severity default actions.
  // ThreatIDDefaultAction_Ids and ThreatIDDefaultAction_Actions are parallel
  // arrays: per the descriptions, element i of one pairs with element i of the
  // other, so a length or ordering mismatch applies the wrong action to a threat.
  [Description("The Ids of threats upon which default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids") : Amended ToSubclass] sint64 ThreatIDDefaultAction_Ids[];

  // The Values list includes "Allow" and "NoAction"; overrides that map a threat
  // to either deserve review. Numeric codes for these display strings are not
  // visible in this amended file.
  [Description("Default actions for threats upon which default action should not be taken when detected. The actions need to be in the same order as their respective Ids specified in the ThreatIDDefaultAction_Ids property.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 ThreatIDDefaultAction_Actions[];

  // Severity-wide defaults share the same action list as above.
  [Description("Default action for unknown threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 UnknownThreatDefaultAction;

  [Description("Default action for low severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 LowThreatDefaultAction;

  [Description("Default action for moderate severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 ModerateThreatDefaultAction;

  [Description("Default action for high severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 HighThreatDefaultAction;

  [Description("Default action for severe severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 SevereThreatDefaultAction;

  // PUA, cloud protection, network protection, Controlled folder access and
  // Attack Surface Reduction (ASR) settings, plus shared-signature and scan
  // tuning options.
  // NOTE(review): the audit value is spelled "AuditMode" for PUAProtection and
  // EnableControlledFolderAccess but "Audit Mode" for EnableNetworkProtection and
  // AttackSurfaceReductionRules_Actions; match the exact string per property.
  [Description("Specify PUA(Potentially Unwanted Application) protection mode.") : Amended ToSubclass,Values{"Disabled", "Enabled", "AuditMode"} : Amended ToSubclass] uint8 PUAProtection;

  [Description("Disable block at first seen.") : Amended ToSubclass] boolean DisableBlockAtFirstSeen;

  [Description("Configure cloud protection level.") : Amended ToSubclass,Values{"Default", "Moderate", "High", "High+", "Zero tolerance"} : Amended ToSubclass] uint8 CloudBlockLevel;

  // Per the description, valid values are 0-50 seconds.
  [Description("Configure extended cloud check. Valid values 0-50 seconds.") : Amended ToSubclass] uint32 CloudExtendedTimeout;

  [Description("Configure Microsoft Defender Exploit Guard network protection feature.") : Amended ToSubclass,Values{"Disabled", "Enabled", "Audit Mode"} : Amended ToSubclass] uint8 EnableNetworkProtection;

  [Description("Configure the Controlled folder access feature.") : Amended ToSubclass,Values{"Disabled", "Enabled", "AuditMode", "BlockDiskModificationOnly", "AuditDiskModificationOnly"} : Amended ToSubclass] uint8 EnableControlledFolderAccess;

  // Exclusions from ASR rules: like the scan exclusions, each entry reduces what
  // the rules cover, so this list belongs in the same change-audit scope.
  [Description("Specify the exclusions for Attack Surface Reduction Rules(ASR).") : Amended ToSubclass] string AttackSurfaceReductionOnlyExclusions[];

  // AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions are
  // parallel arrays: per the descriptions, rule Ids and actions must be given in
  // the same order.
  [Description("Specify Attack Surface Reduction Rule(ASR) Ids. The rule Ids need to be in the same order as their respective actions specified in the AttackSurfaceReductionRules_Actions property.") : Amended ToSubclass] string AttackSurfaceReductionRules_Ids[];

  [Description("Default actions for Attack Surface Reduction Rule(ASR). The actions need to be in the same order as their respective rule Ids specified in the AttackSurfaceReductionRules_Ids property.") : Amended ToSubclass,Values{"Disabled", "Enabled", "Audit Mode"} : Amended ToSubclass] uint8 AttackSurfaceReductionRules_Actions[];

  // Applications listed here are allowed by Controlled folder access; treat
  // additions like any other allow-list change.
  [Description("Add allowed applications to the Controlled folder access feature.") : Amended ToSubclass] string ControlledFolderAccessAllowedApplications[];

  [Description("Add protected folders to the Controlled folder access feature.") : Amended ToSubclass] string ControlledFolderAccessProtectedFolders[];

  // File share holding security intelligence for virtual environments.
  // NOTE(review): presumably the share's write permissions matter for integrity,
  // as with the update file shares - confirm against deployment guidance.
  [Description("Defines a file share for security intelligence in virtual environments.") : Amended ToSubclass] string SharedSignaturesPath;

  [Description("Configure whether low cpu priority should be used during scheduled scan.") : Amended ToSubclass] boolean EnableLowCpuPriority;

  [Description("Enables or disables file hash computation feature.") : Amended ToSubclass] boolean EnableFileHashComputation;

  // Set: method returning uint32. It takes one input parameter for each
  // MSFT_MpPreference property declared above except ComputerID, followed by a
  // Force flag that, per its description, skips the default user confirmation.
  // Every protection toggle, exclusion list and default action can be written
  // through this single method, which makes its invocations a natural audit
  // point for Defender configuration changes.
  // NOTE(review): the parameter descriptions are near-copies of the property
  // descriptions with small drift (SignatureFallbackOrder lacks the period after
  // "updates", SignatureUpdateCatchupInterval uses commas instead of semicolons,
  // SignatureScheduleDay drops "(0x0)"), and DisablePrivacyMode and
  // SharedSignaturesPath spell the direction qualifier as a trailing lowercase
  // "in". The physical line breaks fall inside Description strings - presumably
  // a wrapping artefact of this listing; confirm against the original file.
  uint32 Set([In,Description("Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.") : Amended ToSubclass] boolean DisableAutoExclusions,[In,Description("Allows an administrator to explicitly disable a scan from checking any of the paths listed.") : Amended ToSubclass] string ExclusionPath[],[In,Description("Allows an administrator to explicitly disable a scan from checking any of the extensions listed.") : Amended ToSubclass] string ExclusionExtension[],[In,Description("Allows an administrator to explicitly disable a scan from checking any of the processes listed.") : Amended ToSubclass] string ExclusionProcess[],[In,Description("Indicates how many days items should kept in Quarantine folder before being removed.") : Amended ToSubclass] uint32 QuarantinePurgeItemsAfterDelay,[In,Description("Real-time scan direction - Enumeration") : Amended ToSubclass,Values{"Both", "Incoming", "Outcoming"} : Amended ToSubclass] uint8 RealTimeScanDirection,[In,Description("Indicates what day of the week to perform the scheduled full scan to complete remediation.") : Amended ToSubclass,Values{"Every Day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Never"} : Amended ToSubclass] uint8 RemediationScheduleDay,[In,Description("Indicates what time to perform the scheduled full scan to complete remediation.") : Amended ToSubclass] datetime RemediationScheduleTime,[In,Description("Configure timeout for detections requiring additional action.") : Amended ToSubclass] uint32 ReportingAdditionalActionTimeOut,[In,Description("Time in minutes for a detection in the 'critically failed' state to move to either 'additional action' or 'cleared' state.") : Amended ToSubclass] uint32 ReportingCriticalFailureTimeOut,[In,Description("Time in minutes for a detection in the 'failed' state to move to the 'cleared' state.") : Amended ToSubclass] uint32 ReportingNonCriticalTimeOut,[In,Description("Specify the maximum 
percentage of CPU utilization during a scan. This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization.") : Amended ToSubclass] uint8 ScanAvgCPULoadFactor,[In,Description("When set, Microsoft Defender Antivirus will check for new signatures before running a scan.  If new signatures are found they will be downloaded and installed before the scan begins.  If no new signatures are found, the scan will start based on the existing signatures.") : Amended ToSubclass] boolean CheckForSignaturesBeforeRunningScan,[In,Description("Turn on removal of items from scan history folder. This setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed.") : Amended ToSubclass] uint32 ScanPurgeItemsAfterDelay,[In,Description("Run scheduled scans only if system is idle.") : Amended ToSubclass] boolean ScanOnlyIfIdleEnabled,[In,Description("Specify the scan type to use for a scheduled scan.") : Amended ToSubclass,Values{"Quick Scan", "Full Scan"} : Amended ToSubclass] uint8 ScanParameters,[In,Description("Specify the day of the week to run a scheduled scan.") : Amended ToSubclass,Values{"Every Day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Never"} : Amended ToSubclass] uint8 ScanScheduleDay,[In,Description("Specify the time of day to run a scheduled quick scan.") : Amended ToSubclass] datetime ScanScheduleQuickScanTime,[In,Description("Specify the time of day to run a scheduled scan.") : Amended ToSubclass] datetime ScanScheduleTime,[In,Description("Aborts any service-initiated update immediately after first install by the configured 
amount of time.") : Amended ToSubclass] uint32 SignatureFirstAuGracePeriod,[In,Description("Overrides CheckForSignatureBeforeRunningScan.  Aborts any service-initiated update if signature was updated successfully within this amount of time. Time in minutes.") : Amended ToSubclass] uint32 SignatureAuGracePeriod,[In,Description("Defines the file shares for downloading security intelligence updates. setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: {\\unc1 | \\unc2 }. The list is empty by default.") : Amended ToSubclass] string SignatureDefinitionUpdateFileSharesSources,[In,Description("When set to true, AM Service will not initiate security intelligence update on start-up, regardless of whether an Engine is present or not.") : Amended ToSubclass] boolean SignatureDisableUpdateOnStartupWithoutEngine,[In,Description("Define the order of sources for downloading security intelligence updates This setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: 'InternalDefinitionUpdateServer'  'MicrosoftUpdateServer'  'MMPC'  'FileShares' ") : Amended ToSubclass] string SignatureFallbackOrder,[In,Description("Indicates the day of the week in which security intelligence updates occur. If set to zero then security intelligence update occurs daily.") : Amended ToSubclass,Values{"Every Day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Never"} : Amended ToSubclass] uint8 SignatureScheduleDay,[In,Description("Specifies the time at which security intelligence update check happens. 
By default the signatures are checked before the scheduled scan.") : Amended ToSubclass] datetime SignatureScheduleTime,[In,Description("Defines the number of days after which a catch-up signature is warranted. Works with SignatureUpdateLastChecked. 0 = no catch-up,  1 = 1 day,  2 = 2 days, etc.") : Amended ToSubclass] uint32 SignatureUpdateCatchupInterval,[In,Description("The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).") : Amended ToSubclass] uint32 SignatureUpdateInterval,[In,Description("Join Microsoft MAPS.") : Amended ToSubclass,Values{"Disabled", "Basic", "Advanced"} : Amended ToSubclass] uint8 MAPSReporting,[In,Description("Consent for sample submission.") : Amended ToSubclass,Values{"AlwaysPrompt", "SendSafeSamples", "NeverSend", "SendAllSamples"} : Amended ToSubclass] uint8 SubmitSamplesConsent,[Description("Disable privacy mode.") : Amended ToSubclass,in] boolean DisablePrivacyMode,[In,Description("This setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. 
For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.") : Amended ToSubclass] boolean RandomizeScheduleTaskTimes,[In,Description("Disable behavior monitoring.") : Amended ToSubclass] boolean DisableBehaviorMonitoring,[In,Description("Disable intrusion prevention system.") : Amended ToSubclass] boolean DisableIntrusionPreventionSystem,[In,Description("Disable IOAV protection.") : Amended ToSubclass] boolean DisableIOAVProtection,[In,Description("Disable real-time monitoring.") : Amended ToSubclass] boolean DisableRealtimeMonitoring,[In,Description("Disable script scanning.") : Amended ToSubclass] boolean DisableScriptScanning,[In,Description("Disable archive scanning.") : Amended ToSubclass] boolean DisableArchiveScanning,[In,Description("Disable catch-up full scan.  A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.") : Amended ToSubclass] boolean DisableCatchupFullScan,[In,Description("Disable catch-up quick scan.  A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. 
Usually these scheduled scans are missed because the computer was turned off at the scheduled time.") : Amended ToSubclass] boolean DisableCatchupQuickScan,[In,Description("Disable email scanning.") : Amended ToSubclass] boolean DisableEmailScanning,[In,Description("Disable removable drive scanning.") : Amended ToSubclass] boolean DisableRemovableDriveScanning,[In,Description("Disables restore point.") : Amended ToSubclass] boolean DisableRestorePoint,[In,Description("Disable running full scan on mapped network drives.") : Amended ToSubclass] boolean DisableScanningMappedNetworkDrivesForFullScan,[In,Description("Disables scanning network files.") : Amended ToSubclass] boolean DisableScanningNetworkFiles,[In,Description("Enable UI Lockdown mode.") : Amended ToSubclass] boolean UILockdown,[In,Description("The Ids of threats upon which default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids") : Amended ToSubclass] sint64 ThreatIDDefaultAction_Ids[],[In,Description("Default actions for threats upon which default action should not be taken when detected. 
The actions need to be in the same order as their respective Ids specified in the ThreatIDDefaultAction_Ids property.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 ThreatIDDefaultAction_Actions[],[In,Description("Default action for unknown threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 UnknownThreatDefaultAction,[In,Description("Default action for low severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 LowThreatDefaultAction,[In,Description("Default action for moderate severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 ModerateThreatDefaultAction,[In,Description("Default action for high severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 HighThreatDefaultAction,[In,Description("Default action for severe severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 SevereThreatDefaultAction,[In,Description("Specify PUA(Potentially Unwanted Application) protection mode.") : Amended ToSubclass,Values{"Disabled", "Enabled", "AuditMode"} : Amended ToSubclass] uint8 PUAProtection,[In,Description("Disable block at first seen.") : Amended ToSubclass] boolean DisableBlockAtFirstSeen,[In,Description("Configure cloud protection level.") : Amended ToSubclass,Values{"Default", "Moderate", "High", "High+", "Zero tolerance"} : Amended ToSubclass] uint8 CloudBlockLevel,[In,Description("Configure extended cloud check. 
Valid values 0-50 seconds.") : Amended ToSubclass] uint32 CloudExtendedTimeout,[In,Description("Configure Microsoft Defender Exploit Guard network protection feature.") : Amended ToSubclass,Values{"Disabled", "Enabled", "Audit Mode"} : Amended ToSubclass] uint8 EnableNetworkProtection,[In,Description("Configure the Controlled folder access feature.") : Amended ToSubclass,Values{"Disabled", "Enabled", "AuditMode", "BlockDiskModificationOnly", "AuditDiskModificationOnly"} : Amended ToSubclass] uint8 EnableControlledFolderAccess,[In,Description("Specify the exclusions for Attack Surface Reduction Rules(ASR).") : Amended ToSubclass] string AttackSurfaceReductionOnlyExclusions[],[In,Description("Specify Attack Surface Reduction Rule(ASR) Ids. The rule Ids need to be in the same order as their respective actions specified in the AttackSurfaceReductionRules_Actions property.") : Amended ToSubclass] string AttackSurfaceReductionRules_Ids[],[In,Description("Default actions for Attack Surface Reduction Rule(ASR). 
The actions need to be in the same order as their respective rule Ids specified in the AttackSurfaceReductionRules_Ids property.") : Amended ToSubclass,Values{"Disabled", "Enabled", "Audit Mode"} : Amended ToSubclass] uint8 AttackSurfaceReductionRules_Actions[],[In,Description("Add allowed applications to the Controlled folder access feature.") : Amended ToSubclass] string ControlledFolderAccessAllowedApplications[],[In,Description("Add protected folders to the Controlled folder access feature.") : Amended ToSubclass] string ControlledFolderAccessProtectedFolders[],[Description("Defines a file share for security intelligence in virtual environments.") : Amended ToSubclass,in] string SharedSignaturesPath,[In,Description("Configure whether low cpu priority should be used during scheduled scan.") : Amended ToSubclass] boolean EnableLowCpuPriority,[In,Description("Enables or disables file hash computation feature.") : Amended ToSubclass] boolean EnableFileHashComputation,[In,Description("A user confirmation is sought by default by this cmdlet. If -Force is specified, the default confirmation is not sought from the user.") : Amended ToSubclass] boolean Force);

  // Remove: method returning uint32; every parameter is an input ([In]/in).
  // The enclosing class header is above this excerpt. The Force description
  // speaks of "this cmdlet", so the method presumably backs a PowerShell
  // cmdlet -- confirm against the provider.
  //
  // Parameter notes:
  // - ExclusionPath / ExclusionExtension / ExclusionProcess: the descriptions are
  //   the exclusion-list wording ("disable a scan from checking ..."). For Remove
  //   they presumably name entries to delete from those lists -- confirm.
  // - ThreatIDDefaultAction_Ids: its description refers to
  //   ThreatIDDefaultAction_Actions, but this method declares no such parameter.
  // - Unknown/Low/Moderate/High/SevereThreatDefaultAction: typed boolean here,
  //   yet they still carry the Values{...} action labels (the preceding method
  //   declares the same names as uint8). NOTE(review): presumably flags selecting
  //   which default action to clear; the labels look carried over -- confirm.
  // - AttackSurfaceReductionRules_Ids / _Actions: paired by position, per their
  //   descriptions.
  // - SharedSignaturesPath: a file-share path for security intelligence.
  // - Force: per its description, skips the default user confirmation, so a
  //   change made with Force leaves no interactive checkpoint; rely on
  //   configuration-change auditing instead of the prompt.
  //
  // The numeric codes behind the Values{...} labels are not shown in this
  // amended (localized) file; do not assume positional indices without checking
  // the language-neutral MOF for a ValueMap.
  uint32 Remove([In,Description("Allows an administrator to explicitly disable a scan from checking any of the paths listed.") : Amended ToSubclass] string ExclusionPath[],[In,Description("Allows an administrator to explicitly disable a scan from checking any of the extensions listed.") : Amended ToSubclass] string ExclusionExtension[],[In,Description("Allows an administrator to explicitly disable a scan from checking any of the processes listed.") : Amended ToSubclass] string ExclusionProcess[],[In,Description("The Ids of threats upon which default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids") : Amended ToSubclass] sint64 ThreatIDDefaultAction_Ids[],[In,Description("Default action for unknown threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] boolean UnknownThreatDefaultAction,[In,Description("Default action for low severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] boolean LowThreatDefaultAction,[In,Description("Default action for moderate severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] boolean ModerateThreatDefaultAction,[In,Description("Default action for high severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] boolean HighThreatDefaultAction,[In,Description("Default action for severe severity threats.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] boolean SevereThreatDefaultAction,[In,Description("Specify the exclusions for Attack Surface Reduction Rules.") : Amended ToSubclass] string 
AttackSurfaceReductionOnlyExclusions[],[In,Description("Specify Attack Surface Reduction Rule(ASR) Ids. The rule Ids need to be in the same order as their respective actions specified in the AttackSurfaceReductionRules_Actions property.") : Amended ToSubclass] string AttackSurfaceReductionRules_Ids[],[In,Description("Default actions for Attack Surface Reduction Rule(ASR). The actions need to be in the same order as their respective rule Ids specified in the AttackSurfaceReductionRules_Ids property.") : Amended ToSubclass,Values{"Disabled", "Enabled", "Audit Mode"} : Amended ToSubclass] uint8 AttackSurfaceReductionRules_Actions[],[In,Description("Add allowed applications to the Controlled folder access feature.") : Amended ToSubclass] string ControlledFolderAccessAllowedApplications[],[In,Description("Add protected folders to the Controlled folder access feature.") : Amended ToSubclass] string ControlledFolderAccessProtectedFolders[],[Description("Defines a file share for security intelligence in virtual environments.") : Amended ToSubclass,in] string SharedSignaturesPath,[In,Description("A user confirmation is sought by default by this cmdlet. If -Force is specified, the default confirmation is not sought from the user.") : Amended ToSubclass] boolean Force);

  // Add: method returning uint32; every parameter is an input ([In]/in).
  // The enclosing class header is above this excerpt. The Force description
  // speaks of "this cmdlet", so the method presumably backs a PowerShell
  // cmdlet -- confirm against the provider.
  //
  // Security-relevant parameters (each addition narrows protection coverage, so
  // changes made through this method are worth reviewing and alerting on):
  // - ExclusionPath / ExclusionExtension / ExclusionProcess: per their
  //   descriptions, listed paths, extensions and processes are not checked by
  //   scans.
  // - ThreatIDDefaultAction_Ids / _Actions: per-threat overrides of the default
  //   action; the action labels include "Allow" and "NoAction".
  // - AttackSurfaceReductionOnlyExclusions: exclusions for the ASR rules.
  // - AttackSurfaceReductionRules_Ids / _Actions: the action labels include
  //   "Disabled" and "Audit Mode".
  // - ControlledFolderAccessAllowedApplications: applications allowed by the
  //   Controlled folder access feature.
  // - SharedSignaturesPath: a file share used for security intelligence updates.
  // - Force: per its description, skips the default user confirmation.
  //
  // The *_Ids and *_Actions arrays are paired by position (the descriptions
  // require the same order); presumably they must also be the same length --
  // confirm. The numeric codes behind the Values{...} labels are not shown in
  // this amended (localized) file; do not assume positional indices without
  // checking the language-neutral MOF for a ValueMap.
  uint32 Add([In,Description("Allows an administrator to explicitly disable a scan from checking any of the paths listed.") : Amended ToSubclass] string ExclusionPath[],[In,Description("Allows an administrator to explicitly disable a scan from checking any of the extensions listed.") : Amended ToSubclass] string ExclusionExtension[],[In,Description("Allows an administrator to explicitly disable a scan from checking any of the processes listed.") : Amended ToSubclass] string ExclusionProcess[],[In,Description("The Ids of threats upon which default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids") : Amended ToSubclass] sint64 ThreatIDDefaultAction_Ids[],[In,Description("Default actions for threats upon which default action should not be taken when detected. The actions need to be in the same order as their respective Ids specified in the ThreatIDDefaultAction_Ids property.") : Amended ToSubclass,Values{"Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 ThreatIDDefaultAction_Actions[],[In,Description("Specify the exclusions for Attack Surface Reduction Rules.") : Amended ToSubclass] string AttackSurfaceReductionOnlyExclusions[],[In,Description("Specify Attack Surface Reduction Rule(ASR) Ids. The rule Ids need to be in the same order as their respective actions specified in the AttackSurfaceReductionRules_Actions property.") : Amended ToSubclass] string AttackSurfaceReductionRules_Ids[],[In,Description("Default actions for Attack Surface Reduction Rule(ASR). 
The actions need to be in the same order as their respective rule Ids specified in the AttackSurfaceReductionRules_Ids property.") : Amended ToSubclass,Values{"Disabled", "Enabled", "Audit Mode"} : Amended ToSubclass] uint8 AttackSurfaceReductionRules_Actions[],[In,Description("Add allowed applications to the Controlled folder access feature.") : Amended ToSubclass] string ControlledFolderAccessAllowedApplications[],[In,Description("Add protected folders to the Controlled folder access feature.") : Amended ToSubclass] string ControlledFolderAccessProtectedFolders[],[Description("Defines a file share for security intelligence updates in virtual environments.") : Amended ToSubclass,in] string SharedSignaturesPath,[In,Description("A user confirmation is sought by default by this cmdlet. If -Force is specified, the default confirmation is not sought from the user.") : Amended ToSubclass] boolean Force);

};



// MSFT_MpScan: amendment (LOCALE "MS_409") for the Microsoft Defender Antivirus
// scan class. It carries only the class-level Version and Description
// qualifiers; no properties or methods are amended here. Any members would be
// declared in the language-neutral MOF, which is not part of this file --
// presumably; confirm there.
[Version("1.0") : Amended,Description("The Microsoft Defender Antivirus Scan Class") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpScan

{

};



// MSFT_MpSignature: amendment (LOCALE "MS_409") for the Microsoft Defender
// Antivirus signature class. It carries only the class-level Version and
// Description qualifiers; no properties or methods are amended here. Any
// members would be declared in the language-neutral MOF, which is not part of
// this file -- presumably; confirm there.
[Version("1.0") : Amended,Description("The Microsoft Defender Antivirus Signature Class") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpSignature

{

};



// MSFT_MpThreat: localized (MS_409) descriptions and value labels for a threat
// record, derived from BaseStatus.
// NOTE(review): the class Description calls this a singleton, yet ThreatID is
// marked `key`, which suggests one instance per threat -- confirm.
// The numeric codes behind the Values{...}/BitValues{...} labels are not shown
// in this amended file; check the language-neutral MOF for a ValueMap/BitMap
// before assuming positional indices.
[Description("This is a singleton that represents the Microsoft Antimalware service infection status") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpThreat : BaseStatus

{

  [Description("The Schema Version") : Amended ToSubclass] string SchemaVersion;

  // Key property. The description says "Detection ID" although the property is
  // named ThreatID.
  [Description("Unique Detection ID") : Amended ToSubclass,key] sint64 ThreatID;

  [Description("The name of the threat") : Amended ToSubclass] string ThreatName;

  // Five severity labels, "Unknown" through "Severe".
  [Description("Severity ID - Enumeration") : Amended ToSubclass,Values{"Unknown", "Low", "Moderate", "High", "Severe"} : Amended ToSubclass] uint8 SeverityID;

  // Category labels. The list spells one label "VULNERABILTIY" and holds both
  // "REMOTECONTROLSOFTWARE" and "REMOTE_CONTROL_SOFTWARE"; tooling that matches
  // on these strings must use them exactly as they appear here.
  [Description("Category ID - Enumeration") : Amended ToSubclass,Values{"INVALID", "ADWARE", "SPYWARE", "PASSWORDSTEALER", "TROJANDOWNLOADER", "WORM", "BACKDOOR", "REMOTEACCESSTROJAN", "TROJAN", "EMAILFLOODER", "KEYLOGGER", "DIALER", "MONITORINGSOFTWARE", "BROWSERMODIFIER", "COOKIE", "BROWSERPLUGIN", "AOLEXPLOIT", "NUKER", "SECURITYDISABLER", "JOKEPROGRAM", "HOSTILEACTIVEXCONTROL", "SOFTWAREBUNDLER", "STEALTHNOTIFIER", "SETTINGSMODIFIER", "TOOLBAR", "REMOTECONTROLSOFTWARE", "TROJANFTP", "POTENTIALUNWANTEDSOFTWARE", "ICQEXPLOIT", "TROJANTELNET", "FILESHARINGPROGRAM", "MALWARE_CREATION_TOOL", "REMOTE_CONTROL_SOFTWARE", "TOOL", "TROJAN_DENIALOFSERVICE", "TROJAN_DROPPER", "TROJAN_MASSMAILER", "TROJAN_MONITORINGSOFTWARE", "TROJAN_PROXYSERVER", "VIRUS", "KNOWN", "UNKNOWN", "SPP", "BEHAVIOR", "VULNERABILTIY", "POLICY"} : Amended ToSubclass] uint8 CategoryID;

  [Description("Type ID - Enumeration") : Amended ToSubclass,Values{"Known Bad", "Behavior", "Unknown", "Known Good", "NRI"} : Amended ToSubclass] uint8 TypeID;

  // Declared with BitValues, so several of these states can be set at once.
  [Description("Threat Rollup Status") : Amended ToSubclass,BitValues{"ThreatClean", "RebootRequired", "OfflineScanRequired", "ManualStepsRequired", "FullScanRequired", "ReinfectionLoop", "Executed"} : Amended ToSubclass] uint32 RollupStatus;

  // Affected resources as strings; presumably file paths or similar locators,
  // which can be sensitive when exported -- confirm the format.
  [Description("List of resources affected by the threat") : Amended ToSubclass] string Resources[];

  // DidThreatExecute and IsActive are the two booleans a responder reads first:
  // whether the threat ran, and whether it is still active.
  [Description("Specifies if threat has executed") : Amended ToSubclass] boolean DidThreatExecute;

  [Description("Specifies if the threat is active") : Amended ToSubclass] boolean IsActive;

};



// MSFT_MpThreatCatalog: localized (MS_409) descriptions and value labels for an
// entry in the catalog of recognized threats, derived from BaseStatus. It
// declares ThreatID (key), ThreatName, SeverityID, CategoryID and TypeID.
// The numeric codes behind the Values{...} labels are not shown in this
// amended file; check the language-neutral MOF for a ValueMap before assuming
// positional indices.
[Description("This class represents the catalog of recognized threats") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpThreatCatalog : BaseStatus

{

  // Key property. The description says "Detection ID" although the property is
  // named ThreatID.
  [Description("Unique Detection ID") : Amended ToSubclass,key] sint64 ThreatID;

  [Description("The name of the threat") : Amended ToSubclass] string ThreatName;

  [Description("Severity ID - Enumeration") : Amended ToSubclass,Values{"Unknown", "Low", "Moderate", "High", "Severe"} : Amended ToSubclass] uint8 SeverityID;

  // Category labels. The list spells one label "VULNERABILTIY" and holds both
  // "REMOTECONTROLSOFTWARE" and "REMOTE_CONTROL_SOFTWARE"; tooling that matches
  // on these strings must use them exactly as they appear here.
  [Description("Category ID - Enumeration") : Amended ToSubclass,Values{"INVALID", "ADWARE", "SPYWARE", "PASSWORDSTEALER", "TROJANDOWNLOADER", "WORM", "BACKDOOR", "REMOTEACCESSTROJAN", "TROJAN", "EMAILFLOODER", "KEYLOGGER", "DIALER", "MONITORINGSOFTWARE", "BROWSERMODIFIER", "COOKIE", "BROWSERPLUGIN", "AOLEXPLOIT", "NUKER", "SECURITYDISABLER", "JOKEPROGRAM", "HOSTILEACTIVEXCONTROL", "SOFTWAREBUNDLER", "STEALTHNOTIFIER", "SETTINGSMODIFIER", "TOOLBAR", "REMOTECONTROLSOFTWARE", "TROJANFTP", "POTENTIALUNWANTEDSOFTWARE", "ICQEXPLOIT", "TROJANTELNET", "FILESHARINGPROGRAM", "MALWARE_CREATION_TOOL", "REMOTE_CONTROL_SOFTWARE", "TOOL", "TROJAN_DENIALOFSERVICE", "TROJAN_DROPPER", "TROJAN_MASSMAILER", "TROJAN_MONITORINGSOFTWARE", "TROJAN_PROXYSERVER", "VIRUS", "KNOWN", "UNKNOWN", "SPP", "BEHAVIOR", "VULNERABILTIY", "POLICY"} : Amended ToSubclass] uint8 CategoryID;

  [Description("Type ID - Enumeration") : Amended ToSubclass,Values{"Known Bad", "Behavior", "Unknown", "Known Good", "NRI"} : Amended ToSubclass] uint8 TypeID;

};



// MSFT_MpThreatDetection: localized (MS_409) descriptions and value labels for
// the detailed state of one detection, derived from BaseStatus. Both
// DetectionID and ThreatID are marked `key`, so an instance is identified by
// the pair.
// The numeric codes behind the Values{...}/BitValues{...} labels are not shown
// in this amended file; check the language-neutral MOF for a ValueMap/BitMap
// before assuming positional indices.
// ProcessName, DomainUser and Resources hold identifying strings (a process
// name, a user, affected resources); treat exported instances as sensitive.
[Description("This is a class that represents the current detailed state of a threat") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpThreatDetection : BaseStatus

{

  [Description("Unique Detection ID") : Amended ToSubclass,key] string DetectionID;

  [Description("Unique Threat ID") : Amended ToSubclass,key] sint64 ThreatID;

  [Description("The name of the process involved") : Amended ToSubclass] string ProcessName;

  // Per the description this is the user who requested remediation, not
  // necessarily the user under whom the threat was detected.
  [Description("The user who requested remediation") : Amended ToSubclass] string DomainUser;

  [Description("Detection Source Type ID - Enumeration") : Amended ToSubclass,Values{"Unknown", "User", "System", "Real-time", "IOAV", "NRI", "ELAM", "LocalAttestation", "RemoteAttestation"} : Amended ToSubclass] uint8 DetectionSourceTypeID;

  [Description("List of resources affected by the detection") : Amended ToSubclass] string Resources[];

  // Three timestamps: first detection, last status change, and remediation.
  [Description("The initial threat detection time") : Amended ToSubclass] datetime InitialDetectionTime;

  [Description("The most recent time of the threat status change") : Amended ToSubclass] datetime LastThreatStatusChangeTime;

  [Description("The time of the remediation.") : Amended ToSubclass] datetime RemediationTime;

  [Description("Execution Status ID - Enumeration") : Amended ToSubclass,Values{"Unknown", "Blocked", "Allowed", "Executing", "NotExecuting"} : Amended ToSubclass] uint8 CurrentThreatExecutionStatusID;

  // The labels distinguish completed outcomes from failed ones ("CleanFailed",
  // "QuarantineFailed", "RemoveFailed", "AllowFailed", "BlockedFailed"); a
  // *Failed status means the action did not complete. Read it together with
  // ThreatStatusErrorCode and ActionSuccess.
  [Description("The Threat Status ID - Enumeration") : Amended ToSubclass,Values{"Unknown", "Detected", "Cleaned", "Quarantined", "Removed", "Allowed", "Blocked", "CleanFailed", "QuarantineFailed", "RemoveFailed", "AllowFailed", "Abandoned", "BlockedFailed"} : Amended ToSubclass] uint8 ThreatStatusID;

  [Description("The threat status error code") : Amended ToSubclass] sint32 ThreatStatusErrorCode;

  // NOTE(review): declared with BitValues although the description says
  // "Enumeration" and the other enumerations in this class use Values --
  // confirm whether this is a bit field or a single-valued code.
  [Description("The cleaning action - Enumeration") : Amended ToSubclass,BitValues{"Unknown", "Clean", "Quarantine", "Remove", "Allow", "UserDefined", "NoAction", "Block"} : Amended ToSubclass] uint8 CleaningActionID;

  [Description("Product version (major, minor, build, revision)") : Amended ToSubclass] string AMProductVersion;

  [Description("Specifies if the cleaning action was successful") : Amended ToSubclass] boolean ActionSuccess;

  // The 16 labels enumerate every combination of four requirements (full scan,
  // reboot, manual steps, offline scan). Their order matches a 4-bit mask with
  // FullScan=1, Reboot=2, ManualSteps=4, OfflineScan=8, assuming the labels map
  // to positions 0-15 -- confirm against the language-neutral MOF.
  [Description("Additional actions required to complete remediation - Enumeration") : Amended ToSubclass,Values{"None", "FullScanRequired", "RebootRequired", "FullScanAndRebootRequired", "ManualStepsRequired", "FullScanAndManualStepsRequired", "RebootAndManualStepsRequired", "FullScanAndRebootAndManualStepsRequired", "OfflineScanRequired", "FullScanAndOfflineScanRequired", "RebootAndOfflineScanRequired", "FullScanAndRebootAndOfflineScanRequired", "ManualStepsAndOfflineScanRequired", "FullScanAndManualStepsAndOfflineScanRequired", "RebootAndManualStepsAndOfflineScanRequired", "FullScanAndRebootAndManualStepsAndOfflineScanRequired"} : Amended ToSubclass] uint32 AdditionalActionsBitMask;

};



// MSFT_MpWDOScan: amendment (LOCALE "MS_409") for the Microsoft Defender
// Antivirus "WDO Scan" class (WDO presumably stands for Windows Defender
// Offline -- confirm). It carries only the class-level Version and Description
// qualifiers; no properties or methods are amended here. Any members would be
// declared in the language-neutral MOF, which is not part of this file --
// presumably; confirm there.
[Version("1.0") : Amended,Description("The Microsoft Defender Antivirus WDO Scan Class") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] 

class MSFT_MpWDOScan

{

};