Anti-Malware Scanner (PowerShell)
Written by Taylor Christian Newsome | aka ClumsyLulz
Twitter.com/ClumsyLulz
This script scans the locations listed below, including startup items, to give a more comprehensive examination of the places where malware commonly hides. It uses the RecursiveScan function to search directories recursively for suspicious files. The SuspiciousPatternDetected function can be customized further to extend pattern detection.
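# Check for administrative privileges.
# The original condition read $PSRole.IsAdmin, which is not a PowerShell automatic
# variable: it always evaluated to $null, so "-not $null" was $true and the script
# exited unconditionally. Ask the current Windows identity about the Administrator
# role instead. Exit with a non-zero code so schedulers and callers see the failure.
$currentPrincipal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "This script requires administrator privileges. Please run it with elevated privileges."
    exit 1
}
# Define file extensions to consider as potentially unsafe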
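# Entries carry the leading dot so they compare directly against
# [System.IO.FileInfo].Extension, which is ".exe" rather than "exe".
# Without the dot, "$unsafeFileExtensions -contains $_.Extension" never matched,
# so the extension check was silently dead.
$unsafeFileExtensions = @(
    '.exe',
    '.zip',
    '.rar',
    '.js',
    '.vbs',
    '.bat',
    '.ps1'
)
# Define a custom function to recursively scan directories and check for suspicious files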
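function RecursiveScan {
    <#
    .SYNOPSIS
    Recursively scans a directory and reports files whose extension is listed in
    the script-level $unsafeFileExtensions array.

    .DESCRIPTION
    Walks $directoryPath, including hidden and system files, and flags every file
    whose extension appears in $unsafeFileExtensions (entries are accepted with or
    without a leading dot). If a function named SuspiciousPatternDetected exists in
    the session, files that were not flagged by extension have their content passed
    to it as a second, content-based check.

    By default flagged files are only reported. An extension match alone is not
    evidence of malware, and the original behaviour of deleting every .exe/.zip/.ps1
    under the user profile (including this script) is unrecoverable data loss, so
    deletion now requires -Remove and honours -WhatIf / -Confirm.

    .PARAMETER directoryPath
    Root directory to scan. A missing path or a non-directory is reported and skipped.

    .PARAMETER Remove
    Delete flagged files instead of only reporting them.

    .OUTPUTS
    None. Findings are written with Write-Host; read failures with Write-Warning.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Position = 0)]
        [string]$directoryPath,
        [switch]$Remove
    )

    if (-not (Test-Path -LiteralPath $directoryPath -PathType Container)) {
        Write-Warning "Scan root not found or not a directory, skipped: $directoryPath"
        return
    }

    # Normalise the script-level list so entries with or without a leading dot both
    # compare against FileInfo.Extension (which always carries the dot).
    $flaggedExtensions = @($unsafeFileExtensions | ForEach-Object { $_.TrimStart('.') })

    # The content-based check is an optional hook; only call it when the user defined it,
    # otherwise the original code failed with CommandNotFoundException.
    $contentHook = Get-Command -Name SuspiciousPatternDetected -CommandType Function -ErrorAction SilentlyContinue

    # -Force includes hidden/system files, -File skips directories. Access-denied
    # entries (e.g. the legacy junctions inside a profile) are suppressed so one
    # unreadable subtree does not abort the walk; they remain visible in $Error.
    foreach ($file in Get-ChildItem -LiteralPath $directoryPath -Recurse -File -Force -ErrorAction SilentlyContinue) {
        $reason = $null

        if ($flaggedExtensions -contains $file.Extension.TrimStart('.')) {
            $reason = "extension '$($file.Extension)' is in the unsafe list"
        }
        elseif ($contentHook) {
            # Reading every file as text is expensive on a large profile; the hook is
            # the customisation point, so it decides what counts as suspicious.
            try {
                $fileContent = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop
                if (SuspiciousPatternDetected $fileContent) {
                    $reason = 'content matched SuspiciousPatternDetected'
                }
            }
            catch {
                Write-Warning "Could not read $($file.FullName): $($_.Exception.Message)"
            }
        }

        if (-not $reason) { continue }

        if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, 'Remove-Item')) {
            Remove-Item -LiteralPath $file.FullName -Force
            Write-Host "Removed potentially unsafe file: $($file.FullName) ($reason)"
        }
        else {
            Write-Host "Potentially unsafe file: $($file.FullName) ($reason)"
        }
    }
}
# Recursively scan the system for potentially unsafe files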
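# TEMP and LOCALAPPDATA normally live under USERPROFILE, so the original three calls
# walked the same subtrees two or three times. Resolve each root (Get-Item expands
# 8.3 short names such as RUNNER~1), drop missing ones, deduplicate, and skip any
# root that sits inside another root. A redirected TEMP outside the profile is
# still scanned.
$candidateRoots = @($env:USERPROFILE, $env:TEMP, $env:LOCALAPPDATA) |
    Where-Object { $_ } |
    ForEach-Object { (Get-Item -LiteralPath $_ -ErrorAction SilentlyContinue).FullName } |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') } |
    Select-Object -Unique

$scanRoots = $candidateRoots | Where-Object {
    $root = $_
    -not ($candidateRoots | Where-Object {
        $_ -ne $root -and $root.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase)
    })
}

foreach ($scanRoot in $scanRoots) {
    # Named parameter rather than the "Function($arg)" call form, which only works by
    # accident for a single argument.
    RecursiveScan -directoryPath $scanRoot
}
# Scan for malware in system memory and hidden memory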
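# MpCmdRun -Scan -ScanType 2 is a Windows Defender full scan; it examines running
# processes as part of that work but is not a dedicated memory-only scan, so the
# completion message names what actually ran.
# NOTE(review): the original also passed -IncludeHiddenProcesses, which is not among
# the -Scan switches MpCmdRun documents, so it was dropped; check 'MpCmdRun.exe -h'
# on the target build before re-adding it.
# NOTE(review): on current Windows builds the active Defender engine may live under
# ProgramData\Microsoft\Windows Defender\Platform\<version>\ rather than this path;
# the location is tested before use instead of assumed.
$mpCmdRun = Join-Path -Path $env:ProgramFiles -ChildPath 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path -LiteralPath $mpCmdRun)) {
    Write-Warning "MpCmdRun.exe not found at $mpCmdRun; Windows Defender scan skipped."
}
else {
    # -PassThru exposes the exit code; the original reported "complete" regardless of outcome.
    $defenderScan = Start-Process -FilePath $mpCmdRun -ArgumentList '-Scan', '-ScanType', '2' -Wait -PassThru -NoNewWindow
    if ($defenderScan.ExitCode -ne 0) {
        # A non-zero code means the scan failed or reported findings; the Defender log has the detail.
        Write-Warning "MpCmdRun exited with code $($defenderScan.ExitCode); review the Windows Defender scan log."
    }
    Write-Host "Windows Defender full scan complete (exit code $($defenderScan.ExitCode))."
}
# Scan the BIOS for suspicious patterns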
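# 'SuspiciousPattern' is a placeholder regex that will not match real firmware strings;
# replace it with the indicator you actually want to flag.
# Get-CimInstance replaces Get-WmiObject, which is absent from PowerShell 7.
Get-CimInstance -ClassName Win32_BIOS | ForEach-Object {
    # BIOSVersion is a string array; -match on an array yields the matching elements.
    $flaggedVersions = @($_.BIOSVersion) -match 'SuspiciousPattern'
    if ($flaggedVersions) {
        # $($expr) is required inside a string; "$_.BIOSVersion" expanded only $_ and
        # then printed the literal text ".BIOSVersion".
        Write-Host "Suspicious pattern detected in BIOS version: $($flaggedVersions -join ', ')"
    }
}
# Scan the cache memory for suspicious patterns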
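# NOTE(review): the size of a CPU cache is not an indicator of compromise; treat this
# as informational output only.
# NOTE(review): Win32_CacheMemory documents InstalledSize and MaxCacheSize (in KB);
# whether a Size property is populated on a given system is not guaranteed. When it
# is $null the comparison is simply $false and nothing is printed — confirm the
# property before relying on this check.
Get-CimInstance -ClassName Win32_CacheMemory | ForEach-Object {
    if ($_.Size -gt 100MB) {
        # $($expr) is required inside a string; "$_.Size" printed the object plus literal ".Size".
        Write-Host "Large cache memory detected: $($_.Size)"
    }
}
# Scan running services and processes for suspicious activity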
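# 'SuspiciousPattern' is a placeholder regex; replace it with what you actually want to flag.
# Services are matched on name, description and binary path rather than description
# alone, and the binary path is printed with every finding because a display name on
# its own is trivial to spoof.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $fields = @($svc.Name, $svc.Description, $svc.PathName) | Where-Object { $_ }
    if ($fields -match 'SuspiciousPattern') {
        Write-Host "Suspicious service detected: $($svc.Name) [$($svc.PathName)]"
    }
}

Get-Process | ForEach-Object {
    if ($_.Name -match 'SuspiciousPattern') {
        # Path may be $null for protected/system processes; it then prints empty.
        Write-Host "Suspicious process detected: $($_.Name) (PID $($_.Id)) [$($_.Path)]"
    }
}
# Scan bootloader processes for suspicious activity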
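# NOTE(review): Win32_BootEnvironment is not a WMI class I can find documented; on a
# system where it does not exist the query throws "Invalid class", which with the
# original code aborted the remaining checks. The failure is now reported and the
# script continues. 'SuspiciousPattern' is a placeholder regex.
try {
    Get-CimInstance -ClassName Win32_BootEnvironment -ErrorAction Stop | ForEach-Object {
        if ($_.Process -match 'SuspiciousPattern') {
            Write-Host "Suspicious bootloader process detected: $($_.Process)"
        }
    }
}
catch {
    Write-Warning "Bootloader check skipped: $($_.Exception.Message)"
}
# Scan registry hives for suspicious entries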
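# 'SuspiciousPattern' is a placeholder regex; replace it with what you actually want to flag.
# Fixes relative to the original: "-Filter" without an argument is a parse error;
# registry items expose Name (the full key path), not FullName; and recursing
# HKLM:\Software always hits keys the caller cannot open, so those errors are
# suppressed (still recorded in $Error) rather than flooding the output.
# Only key names are examined here; value names and data are not inspected.
foreach ($hive in 'HKCU:\Software', 'HKLM:\Software') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -match 'SuspiciousPattern') {
            Write-Host "Suspicious registry entry detected: $($_.Name)"
        }
    }
}
# Scan startup items for suspicious activity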
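# 'SuspiciousPattern' is a placeholder regex; replace it with what you actually want to flag.
# Location (registry key or startup folder) and User are printed with each finding so
# the entry can be located and attributed without a second query.
Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    if ($_.Command -match 'SuspiciousPattern') {
        Write-Host "Suspicious startup item detected: $($_.Command) (location: $($_.Location), user: $($_.User))"
    }
}
Write-Host "Comprehensive system scan complete."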