
How to Run Microsoft Defender from the Command Line (CMD) in Windows 11 and Windows 10

We show you how to perform various tasks with the Windows Defender CMD tool, including how to use the scan command, update, rollback, and un-quarantine.


Knowing how to run Defender (formerly Windows Defender) from the command line can be very useful. Perhaps you've been locked out of its UI due to malware, are trying to run a scan from recovery media, or are using a GUI-less Windows Server install. In any of these situations, knowing a scan command or two can save you a lot of trouble.

Though Microsoft Defender is easier to control from the Windows Security app, command-line antivirus is also quite simple and presents many of the same options. Importantly, it also allows you to automate your anti-malware tasks if you wish. You could create a script to automatically perform a quick scan at a certain time, for example, or to perform the same scans across multiple PCs.

In this tutorial, we'll be showing how to update Microsoft Defender with CMD, as well as how to perform a quick, full, or custom scan. By the end of it, you should have a good idea of how command-line antivirus works.

⚠️ Please note: The process described below is the same in Windows 11 as it is in Windows 10. However, bear in mind that we'll be using screenshots from Windows 10, so your UI may look a little different. We'll point out any changes you need to be aware of as they come up.

How to Check for Updates for Microsoft Defender in the Command Line

One task that admins are particularly eager to automate is updates. Knowing how to update Microsoft Defender from the command line will allow you to build it into an automatic update script so you never forget.

  1. Open Command Prompt
     

    Press Start and then type “Command Prompt”. With the application selected, click “Run as administrator” in the sidebar.

  2. Open and update the command line antivirus
     

    To open the location of the command line anti-virus in CMD, paste the following:

    cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*

    Now you can run a Windows Defender command-line update by typing:

    MpCmdRun -SignatureUpdate

    The tool will check for the most recent update and download and install it automatically if one is available.

  3. How to remove previously installed Microsoft Defender updates
     

    So you know how to install updates, but what if you downloaded a faulty one? You can uninstall the most recent definitions with CMD.
     
    First, open CMD by typing “Command Prompt” in your Start menu and then clicking “Run as administrator” on the right-hand side.
     

  4. Navigate to the Windows Defender folder and run the remove command
     

    In your CMD window, type the following to navigate to your Windows Defender folder.

    cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*

    Then, run the following command to uninstall the most recent definitions:

    MpCmdRun -RemoveDefinitions -All

    The -All option restores previous definitions from the default set of signatures.

  5. Roll back the engine version
     

    To roll back the engine version, type the following and press Enter:

    MpCmdRun -RemoveDefinitions -Engine

  6. Remove dynamic signature updates
     

    You can uninstall only dynamic signatures by typing the following command and pressing Enter:

    MpCmdRun -RemoveDefinitions -DynamicSignatures

How to Perform a Quick Virus Scan with the CMD Scan Command

In most cases, you should run a quick scan before any other type. This will cause Windows Defender to scan the most commonly infected files so you can quickly take action. You can use Windows Defender in the Command line to start one in less than a minute.

  1. Open Command Prompt
     

    Press the Start button and type “Command Prompt”, then click “Run as administrator” on the right-hand side.

  2. Navigate to the Windows Defender folder and run the quick scan command
     

    First, we need to navigate to the folder where Windows Defender is installed.

    cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*

    Now we're ready to run the CMD quick scan command:

    MpCmdRun -Scan -ScanType 1

    The scan will begin, stopping itself automatically if it takes longer than a day.

How to Perform a Full Virus Scan via a Microsoft Defender CMD Command

Perhaps your quick scan found some issues, or it found none but you're still seeing virus symptoms. The full scan will check every file on your PC for malware. Here's how you can run it with a CMD scan command:

  1. Open Command Prompt
     

    Press Start and then type “Command Prompt”. With the application selected, click “Run as administrator” in the sidebar.
     

  2. Open the Windows Defender folder and run the full CMD scan command
     

    Before we can run our CMD scan, we need to navigate to the folder our anti-virus tool lives in:

    cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*

    Now we can run our full command-line anti-virus scan:

    MpCmdRun -Scan -ScanType 2

    If you followed the quick scan section, you'll notice that this command is identical, except the scan type has been changed from 1 to 2.

    The scan will start and will take a very long time. The more files you have on your PC, the longer it will take.

How to Perform a Custom Command Line AntiVirus Scan

If you just want to check whether a file you downloaded is safe, you can perform a custom CMD scan by pointing it to a specific folder or file.

  1. Open Command Prompt
     

    Press the Start button, type Command Prompt, then click “Run as administrator” on the right-hand side with it selected.

  2. Run the custom malware scan
     

    In your CMD window, type the following to navigate to your Windows Defender folder.

    cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*

    Now run the following command, switching C:\file\or\folder\path with the path to your file or folder.

    MpCmdRun -Scan -ScanType 3 -File C:\file\or\folder\path

    The scan will start, and shouldn't take too long if there are only a few files.

  3. Optional: Run the custom scan command with a timeout option
     

    You can also define a timeout period for your scan in case it takes too long. Simply navigate to your Defender folder with cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18* and run the following command:

    MpCmdRun -Scan -ScanType 3 -File C:\your\folder\or\file\path -Timeout 1

    Remember to switch the file path for the folder of your choice and that the timeout number represents days, not hours.

How to Perform a Boot Sector Malware Scan with the Microsoft Defender Command Line Tool

If you have a particularly nasty virus, it may have attacked your boot sector – the part of your PC that stores instructions that inform the startup process. Because such modifications can make it difficult to boot into your OS and cause other unwanted behavior, this can be hard to fix.

Thankfully, Windows Defender has a specific tool to find and resolve these issues – the boot sector scan. Even better, you can run it from the command line if you can't access your normal OS. Here's how:

  1. Open Command Prompt
     

    Press Start and type “Command Prompt”, then click “Run as administrator” in the right-hand panel of the Start menu.
     

  2. Run a boot sector CMD scan
     

    First, navigate to the Windows Defender folder with:

    cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*

    Then, run the following command:

    MpCmdRun -Scan -ScanType -BootSectorScan

    The command line anti-virus tool will then scan your boot sector for any malicious code and remove it if it can.
     

How to Restore Quarantined Items via a Microsoft Defender CMD Command

Last but not least, the Windows Defender Command-line tool lets you list and restore items that have been automatically quarantined. This can be useful if you're sure a safe item has been removed.

  1. Open Command Prompt
     

    Press Start, then type Command Prompt. With the tool selected, press “Run as administrator” on the right-hand side.
     

  2. Restore quarantined items
     

    Navigate to the Microsoft Defender folder with the following command:

    cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18*

    Now you can run the following command to view your quarantined items:

    MpCmdRun -Restore -ListAll

    Reference the list and type the following to restore a specific quarantined item:

    MpCmdRun -Restore -Name ITEM-NAME

    Alternatively, restore a file to a specific path with:

    MpCmdRun -Restore -Name ITEM-NAME -FilePath PATH\TO\RESTORE

    Your items will be returned to their original or specified location.

    With that, you should have all the tools you need to perform command line antivirus activities. However, to get the most out of Windows Defender, you may want to learn how to perform a scheduled scan or turn on the hidden adware scanner.

FAQ – Frequently Asked Questions about Microsoft Defender CMD Usage

How can I schedule regular Microsoft Defender scans using CMD?

Use Windows Task Scheduler to create a task that runs the appropriate MpCmdRun command at your desired frequency. This isn't covered in the tutorial but leverages the commands shown.
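As an added example (not part of the original tutorial), here is one way to wrap the update and quick scan commands shown above in a batch script that Task Scheduler can run. The script name, log folder, task name and C:\Scripts path are assumptions chosen for illustration.

```bat
@echo off
rem defender-quick.cmd - constructed example: update signatures, then quick scan.
rem Script name, log folder and task name are assumptions, not from the article.
setlocal EnableExtensions

set "PLATFORM=%ProgramData%\Microsoft\Windows Defender\Platform"
set "MPCMD="

rem "cd ...\Platform\4.18*" enters the first matching folder. Several platform
rem version folders can coexist, so pick the most recently modified one that
rem actually contains MpCmdRun.exe.
for /f "delims=" %%D in ('dir /b /ad /o-d "%PLATFORM%" 2^>nul') do (
    if not defined MPCMD if exist "%PLATFORM%\%%D\MpCmdRun.exe" set "MPCMD=%PLATFORM%\%%D\MpCmdRun.exe"
)

rem Fallback: the copy that ships in the Windows Defender program folder.
if not defined MPCMD if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" set "MPCMD=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
if not defined MPCMD (
    echo MpCmdRun.exe not found 1>&2
    exit /b 3
)

set "LOGDIR=%ProgramData%\DefenderScanLogs"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"
set "LOG=%LOGDIR%\quick-scan.log"

>>"%LOG%" echo [%DATE% %TIME%] using "%MPCMD%"

rem A failed update should not prevent the scan from running.
"%MPCMD%" -SignatureUpdate >>"%LOG%" 2>&1
if errorlevel 1 >>"%LOG%" echo [%DATE% %TIME%] signature update failed, scanning with current definitions

"%MPCMD%" -Scan -ScanType 1 >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo [%DATE% %TIME%] scan exit code %RC%

rem MpCmdRun scan exit codes: 0 = nothing found, or found and remediated;
rem 2 = malware found and not remediated, user action needed, or a scan error.
rem Passing the code through lets Task Scheduler record it as "Last Run Result".
exit /b %RC%

rem Register from an elevated prompt, daily at 02:00 under the SYSTEM account:
rem   schtasks /Create /TN "DefenderQuickScan" /TR "C:\Scripts\defender-quick.cmd" /SC DAILY /ST 02:00 /RU SYSTEM /RL HIGHEST
```

Because the task runs as SYSTEM, keep the script in a folder that only administrators can write to.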

What are the differences between dynamic signatures and regular updates?

Dynamic signatures are frequently updated definitions to respond to emerging threats, while regular updates are more comprehensive but less frequent updates to Defender's threat database.

Can I use CMD to configure Microsoft Defender's real-time protection settings?

CMD doesn't directly allow you to change real-time protection settings. These settings are typically adjusted through the Windows Security app or Group Policy Editor.

How do I check the health and status of Microsoft Defender via CMD?

Run “MpCmdRun -GetFiles” in CMD. This generates a report with information about Defender's health and status, including recent activity and detection statistics.

Is it possible to update Microsoft Defender offline using CMD?

Yes, you can download the latest update package on another computer, transfer it to the offline machine, and use CMD to apply the update manually.

How do I disable Microsoft Defender using CMD?

Disabling Defender via CMD is not recommended and typically requires Group Policy changes. However, it can be temporarily turned off via the Windows Security app.

Can CMD commands be used to manage Microsoft Defender on remote computers?

Directly managing Defender on remote computers via CMD isn't straightforward. It usually involves remote desktop or network management tools.

How do I interpret the scan results provided by CMD?

The CMD output will list detected threats and actions taken. For detailed analysis, refer to the Defender security logs in the Windows Event Viewer.

Can I use CMD to add or remove exclusions in Microsoft Defender?

Adding or removing exclusions via CMD isn't directly supported. Use the Windows Security app for managing exclusions.

How do I restore Microsoft Defender to its default settings using CMD?

There's no direct CMD command to reset Defender to default settings. This typically requires manual adjustments in the Windows Security app.

Is it possible to use CMD to view the update history of Microsoft Defender?

CMD doesn't provide a direct way to view update history. This information can be found in the Windows Security app under the virus & threat protection updates section.

Can I use CMD to check which version of Microsoft Defender I am running?

Yes, navigate to the Defender folder in CMD and run “MpCmdRun -GetFiles”; this generates a report that includes version information.

How do I troubleshoot Microsoft Defender issues using CMD?

Use “MpCmdRun -GetFiles” to generate a detailed report for troubleshooting. For more complex issues, Windows Event Viewer or the Security app may provide additional insights.

Can CMD be used to manage Microsoft Defender's cloud-based protection?

Managing cloud-based protection settings is not directly possible through CMD. These settings are typically configured in the Windows Security app.

Is there a way to use CMD to view all currently active Defender settings?

CMD doesn't provide a comprehensive view of all active Defender settings. For a complete overview, use the Windows Security app or Group Policy Editor.

Related: How to Exclude a File or Folder from Microsoft Defender Scans

Microsoft Defender, formerly known as Windows Defender, is incredibly useful for a free tool, providing Windows 10 users with competitive anti-virus technology and protecting against rootkits, ransomware, unwanted programs, and more. However, occasionally the program will keep flagging a file or folder that you know is safe. In these cases, it's useful to know how to exclude a folder from Microsoft Defender scans.


Last Updated on April 22, 2024 1:22 pm CEST

Ryan Maskell (https://ryanmaskell.co.uk)
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.