Introduction

If you’re securing a small/medium enterprise with Microsoft Defender for Business, downloading a detected malicious file for further analysis is an important step in the incident response process.

Normally, the Download File response action is available only for Defender for Endpoint P2, but we can achieve the same effect by combining features present in Defender for Business: Live Response and PowerShell scripts.

Prerequisites

  • Live Response and Live Response unsigned script execution need to be enabled within Settings → Endpoints → Advanced Features.
  • The incident responder needs to have at least the Security Administrator role.

Process

For demonstration, I download the EICAR test file. Within the Evidence and Response tab of the malware incident, we find the full path of the offending file before it was quarantined: C:\Users\narek\Desktop\test.txt

The steps to retrieve this file are as follows:

  1. Creating a temporary directory on the endpoint, which is excluded from Defender scanning
  2. Restoring the quarantined file to the temporary directory
  3. Leveraging the getfile command in Live Response to retrieve the file
  4. Removing the exclusion and the directory

restore.ps1

The script for steps 1 and 2:

param(
    [Parameter(Position=0,mandatory=$true)]
    [string]$QuarantinedPath
)

# Step 1: create the temporary directory and exclude it from scanning, so the
# restored file is not quarantined again the moment it lands on disk.
$irTempPath = (New-Item -Path "$env:TEMP\IR_Temp" -ItemType Directory -Force).FullName
if ($null -ne $irTempPath) {
    Write-Output "[+] Temporary directory created at $irTempPath"
    Add-MpPreference -ExclusionPath $irTempPath
    Write-Output "[+] Directory $irTempPath added as Defender for Endpoint exclusion."

    # Step 2: restore the quarantined item into the excluded directory. MpCmdRun
    # keeps the original file name, so the restored copy is $irTempPath\$fileName.
    $fileName = Split-Path -Path $QuarantinedPath -Leaf
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -FilePath $QuarantinedPath -Path "$irTempPath"
    if ($LASTEXITCODE -ne 0) {
        Write-Output "[!] MpCmdRun returned exit code $LASTEXITCODE; check that the path matches the alert evidence."
    }

    # The exclusion exists either way, so always print the cleanup command.
    Write-Output "[+] Retrieval command: getfile `"$irTempPath\$fileName`""
    Write-Output "[+] Cleanup command: run cleanup.ps1 -parameters `"-RestoredPath $irTempPath\$fileName`""
} else {
    Write-Output "[!] Failed to create directory!"
}

cleanup.ps1

The script for step 4:

param(
    [Parameter(Position=0,mandatory=$true)]
    [string]$RestoredPath
)

# The restored file sits directly inside the temporary directory, so its parent
# is the path that was excluded in restore.ps1.
$irTempPath = Split-Path -Path $RestoredPath -Parent

# Remove the exclusion first, so the directory is never left scan-exempt if the
# deletion below fails.
Write-Output "[+] Removing exclusion path $irTempPath"
Remove-MpPreference -ExclusionPath $irTempPath

Write-Output "[+] Deleting $irTempPath"
Remove-Item -Path "$irTempPath" -Recurse -Force

Keep in mind that before using these scripts, you need to upload them to your Live Response library. I suggest filling in the file and parameter descriptions, so that their purpose is easily understandable when viewing in your Library Management page.

File name   | File description                                                        | Parameter description
restore.ps1 | Restore file from quarantine. Creates directory with Defender exclusion | QuarantinedPath: Full path of offending file as seen in alert evidence
cleanup.ps1 | Cleanup restored file. Removes Defender exclusion and deletes directory | RestoredPath: Full path of restored offending file

NOTE: As of March 2026, the Library Management page is a preview feature for Defender for Business. If you don’t see it under Settings → Endpoints, enable Preview Features under Advanced Features.

Demonstration

Here’s the log of my Live Response terminal when performing this process:

C:\> run restore.ps1 -parameters "-QuarantinedPath C:\Users\narek\Desktop\test.txt"
Transcript started, output file is C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\...
[+] Temporary directory created at C:\WINDOWS\TEMP\IR_Temp
[+] Directory C:\WINDOWS\TEMP\IR_Temp added as Defender for Endpoint exclusion.
Restoring the following quarantined items to C:\WINDOWS\TEMP\IR_Temp:

ThreatName = Virus:DOS/EICAR_Test_File
   file:C:\Users\narek\Desktop\test.txt quarantined at 3/12/2026 12:13:25 PM (UTC) was restored
[+] Retrieval command: getfile "C:\WINDOWS\TEMP\IR_Temp\test.txt"
[+] Cleanup command: run cleanup.ps1 -parameters "-RestoredPath C:\WINDOWS\TEMP\IR_Temp\test.txt"


C:\> getfile "C:\WINDOWS\TEMP\IR_Temp\test.txt"
Downloading cached copy of the file


C:\> run cleanup.ps1 -parameters "-RestoredPath C:\WINDOWS\TEMP\IR_Temp\test.txt"
Transcript started, output file is C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\...
[+] Removing exclusion path C:\WINDOWS\TEMP\IR_Temp
[+] Deleting C:\WINDOWS\TEMP\IR_Temp
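Two checks a responder will want around this process, as an added example that is not part of the original post: that the path copied from the alert evidence really is in quarantine before restore.ps1 runs, and that no IR_Temp exclusion was left behind when cleanup.ps1 was skipped, since a leftover exclusion is a standing gap in scanning. The script name verify.ps1 is hypothetical, and it assumes the -Restore -ListAll output of MpCmdRun uses the same "file:<path> quarantined at ..." line format seen in the transcript above.

```powershell
param(
    [Parameter(Position=0)]
    [string]$QuarantinedPath
)

# verify.ps1 (hypothetical, added example): run it through Live Response the
# same way as restore.ps1, e.g.
#   run verify.ps1 -parameters "-QuarantinedPath C:\Users\narek\Desktop\test.txt"
$mpCmdRun = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"

# Check 1: is the path from the alert evidence really in quarantine?
# Assumption: "MpCmdRun -Restore -ListAll" prints one "file:<path> quarantined at ..."
# line per item, matching the restore output shown in the transcript.
if ($QuarantinedPath) {
    $listing = & $mpCmdRun -Restore -ListAll 2>&1 | ForEach-Object { "$_" }
    $hits = @($listing | Where-Object { $_ -match [regex]::Escape("file:$QuarantinedPath") })
    if ($hits.Count -gt 0) {
        foreach ($line in $hits) { Write-Output "[+] Quarantine entry found: $($line.Trim())" }
    } else {
        Write-Output "[!] No quarantine entry for $QuarantinedPath; re-check the path in the alert evidence before running restore.ps1."
    }
}

# Check 2: a forgotten cleanup.ps1 leaves IR_Temp permanently excluded from
# scanning, so report every exclusion that still points at such a directory.
$stale = @((Get-MpPreference).ExclusionPath | Where-Object { $_ -like "*\IR_Temp" })
if ($stale.Count -gt 0) {
    foreach ($path in $stale) {
        Write-Output "[!] Leftover exclusion: $path (remove with cleanup.ps1 or Remove-MpPreference -ExclusionPath `"$path`")"
    }
} else {
    Write-Output "[+] No leftover IR_Temp exclusions."
}
```

Upload it to the Live Response library alongside the other two scripts; the second check is also useful on its own as a periodic audit of endpoints where this process has been used.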